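def test_filter_values_req_opt_1():
    """Required and optional entries for the same attribute both contribute.

    The required entry permits "54321", the optional entry permits "12345"
    and "abcd0"; the AVA carries "12345" and "54321", so both values survive
    filtering and no MissingValue is raised.
    """
    r = to_dict(
        Attribute(
            name="urn:oid:2.5.4.5",
            name_format=NAME_FORMAT_URI,
            friendly_name="serialNumber",
            attribute_value=[AttributeValue(text="54321")],
        ),
        ONTS,
    )
    o = to_dict(
        Attribute(
            name="urn:oid:2.5.4.5",
            name_format=NAME_FORMAT_URI,
            friendly_name="serialNumber",
            attribute_value=[AttributeValue(text="12345"), AttributeValue(text="abcd0")],
        ),
        ONTS,
    )
    ava = {"serialNumber": ["12345", "54321"]}
    ava = filter_on_attributes(ava, [r], [o])
    # On Python 3 dict.keys() is a view and never compares equal to a list,
    # so the keys must be materialised first (as the sibling tests do);
    # otherwise this assertion can never pass.
    assert list(ava.keys()) == ["serialNumber"]
    assert _eq(ava["serialNumber"], ["12345", "54321"])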
def test_filter_values_req_opt_2():
    """A required attribute absent from the AVA makes filtering raise MissingValue.

    surName, givenName and mail are required; the AVA lacks at least "mail"
    (and spells the surname key "surname"), so filter_on_attributes must fail.
    """
    uri_fmt = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

    def attr(friendly, oid):
        return to_dict(
            Attribute(friendly_name=friendly, name=oid, name_format=uri_fmt),
            ONTS)

    r = [
        attr("surName", "urn:oid:2.5.4.4"),
        attr("givenName", "urn:oid:2.5.4.42"),
        attr("mail", "urn:oid:0.9.2342.19200300.100.1.3"),
    ]
    o = [attr("title", "urn:oid:2.5.4.12")]
    ava = {
        "surname": ["Hedberg"],
        "givenName": ["Roland"],
        "eduPersonAffiliation": ["staff"],
        "uid": ["rohe0002"],
    }
    # String form: the expression is evaluated by raises() in this frame,
    # so ava, r and o must stay local names.
    raises(MissingValue, "filter_on_attributes(ava, r, o)")
def test_req_opt():
    """Policy.filter with required/optional RequestedAttribute lists yields a non-empty AVA."""
    uri_fmt = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

    def requested(friendly, oid, required_flag):
        # is_required is carried as the literal strings "true"/"false".
        return to_dict(
            md.RequestedAttribute(
                friendly_name=friendly,
                name=oid,
                name_format=uri_fmt,
                is_required=required_flag),
            ONTS)

    req = [
        requested("surname", "urn:oid:2.5.4.4", "true"),
        requested("givenname", "urn:oid:2.5.4.42", "true"),
        requested("edupersonaffiliation", "urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "true"),
    ]
    opt = [requested("title", "urn:oid:2.5.4.12", "false")]
    policy = Policy()
    ava = {
        'givenname': 'Roland',
        'surname': 'Hedberg',
        'uid': 'rohe0002',
        'edupersonaffiliation': 'staff',
    }
    sp_entity_id = "urn:mace:example.com:saml:curt:sp"
    fava = policy.filter(ava, sp_entity_id, None, req, opt)
    assert fava
def test_filter_values_req_2():
    """Two required attributes but only one present in the AVA: MissingValue."""
    def required_attr(oid, friendly):
        return to_dict(
            Attribute(name=oid, name_format=NAME_FORMAT_URI, friendly_name=friendly),
            ONTS)

    required = [
        required_attr("urn:oid:2.5.4.5", "serialNumber"),
        required_attr("urn:oid:2.5.4.4", "surName"),
    ]
    # surName is required but the AVA only has serialNumber and givenName.
    ava = {"serialNumber": ["12345"], "givenName": ["Lars"]}
    raises(MissingValue, filter_on_attributes, ava, required)
def test_filter_on_attributes_without_friendly_name():
    """Attributes identified only by OID (no friendly_name) still select AVA entries.

    The mapping from OID to the AVA's friendly keys presumably comes from the
    attribute converters passed as ``acs``; the unrelated "extra" key is dropped.
    """
    def by_oid(oid):
        return to_dict(Attribute(name=oid, name_format=NAME_FORMAT_URI), ONTS)

    eptid = by_oid("urn:oid:1.3.6.1.4.1.5923.1.1.1.10")
    ep_affiliation = by_oid("urn:oid:1.3.6.1.4.1.5923.1.1.1.1")
    ava = {
        "eduPersonTargetedID": "*****@*****.**",
        "eduPersonAffiliation": "test",
        "extra": "foo",
    }
    restricted_ava = filter_on_attributes(
        ava, required=[eptid], optional=[ep_affiliation], acs=ac_factory())
    expected = {
        "eduPersonTargetedID": "*****@*****.**",
        "eduPersonAffiliation": "test",
    }
    assert restricted_ava == expected
def test_filter_values_req_opt_0():
    """Required and optional value restrictions on one attribute are combined.

    Required permits "54321", optional permits "12345"; both AVA values pass.
    """
    def serial_with(value):
        return to_dict(
            Attribute(name="urn:oid:2.5.4.5",
                      name_format=NAME_FORMAT_URI,
                      friendly_name="serialNumber",
                      attribute_value=[AttributeValue(text=value)]),
            ONTS)

    required = [serial_with("54321")]
    optional = [serial_with("12345")]
    filtered = filter_on_attributes(
        {"serialNumber": ["12345", "54321"]}, required, optional, acs=ac_factory())
    assert list(filtered.keys()) == ["serialNumber"]
    assert _eq(filtered["serialNumber"], ["12345", "54321"])
def test_filter_on_attributes_with_missing_required_attribute():
    """A required attribute that the AVA does not carry raises MissingValue."""
    eptid = to_dict(
        Attribute(
            friendly_name="eduPersonTargetedID",
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
            name_format=NAME_FORMAT_URI),
        ONTS)
    unrelated_ava = {"extra": "foo"}
    with pytest.raises(MissingValue):
        filter_on_attributes(unrelated_ava, required=[eptid])
def test_filter_on_attributes_with_missing_optional_attribute():
    """A missing *optional* attribute is not an error; the result is just empty.

    The AVA's unrequested "extra" key is dropped as well.
    """
    eptid = to_dict(
        Attribute(
            friendly_name="eduPersonTargetedID",
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
            name_format=NAME_FORMAT_URI),
        ONTS)
    unrelated_ava = {"extra": "foo"}
    result = filter_on_attributes(unrelated_ava, optional=[eptid], acs=ac_factory())
    assert result == {}
def test_filter_values_req_4():
    """Required attribute whose only permitted value is not in the AVA: MissingValue."""
    serial = to_dict(
        Attribute(name="urn:oid:2.5.4.5",
                  name_format=NAME_FORMAT_URI,
                  friendly_name="serialNumber",
                  attribute_value=[AttributeValue(text="54321")]),
        ONTS)
    # The attribute is present but with a value the restriction does not allow.
    ava = {"serialNumber": ["12345"]}
    raises(MissingValue, filter_on_attributes, ava, [serial])
def test_filter_on_attributes_with_missing_name_format():
    """An optional attribute with an empty name_format and a non-OID name is still matched.

    Presumably the match is made on friendly_name here; the test only pins
    that the eduPersonTargetedID value comes through.
    """
    eptid = to_dict(
        Attribute(friendly_name="eduPersonTargetedID",
                  name="urn:myown:eptid",
                  name_format=''),
        ONTS)
    ava = {
        "eduPersonTargetedID": "*****@*****.**",
        "eduPersonAffiliation": "test",
        "extra": "foo",
    }
    filtered = filter_on_attributes(ava, optional=[eptid], acs=ac_factory())
    assert filtered['eduPersonTargetedID'] == "*****@*****.**"
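def test_filter_on_attributes_1():
    """Attributes that are not in the required list are dropped from the AVA."""
    a = to_dict(Attribute(name="urn:oid:2.5.4.5",
                          name_format=NAME_FORMAT_URI,
                          friendly_name="serialNumber"), ONTS)
    required = [a]
    ava = {"serialNumber": ["12345"], "givenName": ["Lars"]}
    ava = filter_on_attributes(ava, required)
    # On Python 3 dict.keys() is a view and never compares equal to a list;
    # materialise the keys first, as the sibling tests already do.
    assert list(ava.keys()) == ["serialNumber"]
    assert ava["serialNumber"] == ["12345"]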
def test_filter_on_attributes_0():
    """A single required attribute present in the AVA passes through unchanged."""
    serial = to_dict(
        Attribute(name="urn:oid:2.5.4.5",
                  name_format=NAME_FORMAT_URI,
                  friendly_name="serialNumber"),
        ONTS)
    filtered = filter_on_attributes({"serialNumber": ["12345"]}, [serial], acs=ac_factory())
    assert list(filtered) == ["serialNumber"]
    assert filtered["serialNumber"] == ["12345"]
def test_filter_on_attributes_2():
    """An AVA keyed "sn" satisfies a request for OID 2.5.4.4 / surName.

    The value is kept under the AVA's own key ("sn"), not renamed to the
    requested friendly_name; the OID-to-key mapping comes via ``acs``.
    """
    surname = to_dict(
        Attribute(friendly_name="surName",
                  name="urn:oid:2.5.4.4",
                  name_format=NAME_FORMAT_URI),
        ONTS)
    filtered = filter_on_attributes({"sn": ["kakavas"]}, [surname], acs=ac_factory())
    assert list(filtered.keys()) == ['sn']
    assert filtered["sn"] == ["kakavas"]
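def test_filter_values_req_6():
    """A required attribute with a value restriction keeps only the permitted value.

    The AVA carries "12345" and "54321"; only "54321" is allowed, so the
    other value is stripped rather than the whole attribute being rejected.
    """
    a = to_dict(Attribute(name="urn:oid:2.5.4.5",
                          name_format=NAME_FORMAT_URI,
                          friendly_name="serialNumber",
                          attribute_value=[AttributeValue(text="54321")]), ONTS)
    required = [a]
    ava = {"serialNumber": ["12345", "54321"]}
    ava = filter_on_attributes(ava, required)
    # On Python 3 dict.keys() is a view and never compares equal to a list;
    # materialise the keys first, as the sibling tests already do.
    assert list(ava.keys()) == ["serialNumber"]
    assert ava["serialNumber"] == ["54321"]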
def store_assertion(self, assertion, to_sign):
    """Insert *assertion* into the backing collection, keyed by a digest of its subject.

    :param assertion: Assertion instance; ``subject.name_id`` and ``id`` are read.
    :param to_sign: stored verbatim next to the serialised assertion.

    SHA-1 is used only to derive a lookup key from the encoded NameID, not
    as a signature or integrity check. NOTE(review): the digest is unkeyed,
    so anyone who knows a NameID can compute the corresponding key.
    """
    subject_key = sha1(code_binary(assertion.subject.name_id)).hexdigest()
    record = {
        "name_id_key": subject_key,
        "assertion_id": assertion.id,
        "assertion": to_dict(assertion, ONTS.values(), True),
        "to_sign": to_sign,
    }
    self.assertion.insert(record)
def store_assertion(self, assertion, to_sign):
    """Insert *assertion* into the backing collection, keyed by a digest of its subject.

    :param assertion: Assertion instance; ``subject.name_id`` and ``id`` are read.
    :param to_sign: stored verbatim next to the serialised assertion.

    The NameID is encoded with code() and UTF-8 encoded before hashing
    because sha1() needs bytes. SHA-1 here is only a lookup key, not an
    integrity check; NOTE(review): the digest is unkeyed, so anyone who
    knows a NameID can compute the corresponding key.
    """
    encoded_name_id = code(assertion.subject.name_id).encode()
    subject_key = sha1(encoded_name_id).hexdigest()
    record = {
        "name_id_key": subject_key,
        "assertion_id": assertion.id,
        "assertion": to_dict(assertion, list(ONTS.values()), True),
        "to_sign": to_sign,
    }
    self.assertion.insert(record)
def do_entity_descriptor(self, entity_descr):
    """Validate one EntityDescriptor and record it in ``self.entity`` by entity_id.

    A descriptor is dropped (and nothing stored) when:
    - ``self.check_validity`` is set and valid() says its ``valid_until``
      has passed — the entity_id is also appended to ``self.to_old``;
    - an entry for the same entity_id already exists — the first descriptor
      seen wins and later duplicates are only reported on stderr, so the
      order in which metadata sources are loaded matters;
    - none of its role descriptors advertises SAML 2.0 support
      (``samlp.NAMESPACE`` in protocol_support_enumeration), or
      ``self.filter`` rejects it.

    :param entity_descr: parsed md.EntityDescriptor instance.
    """
    if self.check_validity:
        try:
            if not valid(entity_descr.valid_until):
                logger.error("Entity descriptor (entity id:%s) to old", entity_descr.entity_id)
                self.to_old.append(entity_descr.entity_id)
                return
        except AttributeError:
            # A descriptor without a valid_until attribute gets no expiry
            # check at all; the AttributeError is deliberately swallowed.
            pass

    # Already known entity_id: keep the existing entry, ignore this one.
    if entity_descr.entity_id in self.entity:
        print("Duplicated Entity descriptor (entity id: '%s')" % entity_descr.entity_id, file=sys.stderr)
        return

    _ent = to_dict(entity_descr, metadata_modules())
    # flag counts the role descriptors retained; zero means "do not store".
    flag = 0
    # verify support for SAML2
    for descr in ["spsso", "idpsso", "role", "authn_authority", "attribute_authority", "pdp", "affiliation"]:
        _res = []
        try:
            _items = _ent["%s_descriptor" % descr]
        except KeyError:
            continue

        if descr == "affiliation":  # Not protocol specific
            # Affiliation descriptors carry no protocol enumeration and are
            # always kept.
            flag += 1
            continue

        for item in _items:
            # Keep an item only if one of its space-separated protocols is
            # SAML 2.0; the enumeration is then narrowed to that single value.
            for prot in item["protocol_support_enumeration"].split(" "):
                if prot == samlp.NAMESPACE:
                    item["protocol_support_enumeration"] = prot
                    _res.append(item)
                    break

        if not _res:
            # No SAML 2.0-capable item: drop the whole role from the dict.
            del _ent["%s_descriptor" % descr]
        else:
            flag += 1

    if self.filter:
        # A falsy result from the user-supplied filter vetoes the entity.
        _ent = self.filter(_ent)
        if not _ent:
            flag = 0

    if flag:
        self.entity[entity_descr.entity_id] = _ent
def store_authn_statement(self, authn_statement, name_id):
    """Append *authn_statement* to the list kept for *name_id* and return the key used.

    :param authn_statement: AuthnStatement instance, serialised with to_dict().
    :param name_id: NameID instance; its code() encoding is hashed with SHA-1
        to form the storage key (a lookup key only, not an integrity check).
    :return: the hex digest under which the statement was stored.

    NOTE(review): sha1() requires bytes; if code() returns str on Python 3
    this needs an .encode() step (the assertion store variant does that).
    """
    logger.debug("store authn about: %s" % name_id)
    storage_key = sha1(code(name_id)).hexdigest()
    logger.debug("Store authn_statement under key: %s" % storage_key)
    serialised = to_dict(authn_statement, ONTS.values(), True)
    try:
        existing = self.authn[storage_key]
    except KeyError:
        self.authn[storage_key] = [serialised]
    else:
        existing.append(serialised)
    return storage_key
from saml2.extension import ui from saml2 import saml import xmldsig import xmlenc from pathutils import full_path ONTS = [saml, mdui, mdattr, dri, ui, idpdisc, md, xmldsig, xmlenc] def _eq(l1, l2): return set(l1) == set(l2) gn = to_dict(md.RequestedAttribute(name="urn:oid:2.5.4.42", friendly_name="givenName", name_format=NAME_FORMAT_URI), ONTS) sn = to_dict(md.RequestedAttribute(name="urn:oid:2.5.4.4", friendly_name="surName", name_format=NAME_FORMAT_URI), ONTS) mail = to_dict(md.RequestedAttribute(name="urn:oid:0.9.2342.19200300.100.1.3", friendly_name="mail", name_format=NAME_FORMAT_URI), ONTS) # --------------------------------------------------------------------------- def test_filter_on_attributes_0(): a = to_dict(Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
def remove_remote(self, name_id):
    """Delete every mapping stored for the remote *name_id*.

    The NameID is serialised with to_dict(..., MMODS, True), the same form
    store() writes, so the lookup matches the stored record.
    """
    self.mdb.remove(name_id=to_dict(name_id, MMODS, True))
def store(self, ident, name_id):
    """Associate local identifier *ident* with *name_id* in its serialised form."""
    serialised_name_id = to_dict(name_id, MMODS, True)
    self.mdb.store(ident, name_id=serialised_name_id)
from saml2.extension import ui
from saml2 import saml
from saml2 import xmldsig
from saml2 import xmlenc

from pathutils import full_path

# Schema modules handed to to_dict() so every element used by the test
# fixtures (SAML core, metadata, the mdui/mdattr/dri/idpdisc/ui extensions,
# XML-DSig and XML-Enc) can be resolved.
ONTS = [saml, mdui, mdattr, dri, ui, idpdisc, md, xmldsig, xmlenc]


def _eq(l1, l2):
    """Order-insensitive comparison: True when both iterables hold the same set of items.

    Duplicates are ignored since both sides are converted to sets.
    """
    return set(l1) == set(l2)


# Pre-built RequestedAttribute dicts shared by tests further down.
gn = to_dict(
    md.RequestedAttribute(name="urn:oid:2.5.4.42", friendly_name="givenName",
                          name_format=NAME_FORMAT_URI), ONTS)
sn = to_dict(
    md.RequestedAttribute(name="urn:oid:2.5.4.4", friendly_name="surName",
                          name_format=NAME_FORMAT_URI), ONTS)
mail = to_dict(
    md.RequestedAttribute(name="urn:oid:0.9.2342.19200300.100.1.3",
                          friendly_name="mail",
                          name_format=NAME_FORMAT_URI), ONTS)

# ---------------------------------------------------------------------------
resp = ServiceError("Other error: %s" % (err, )) return resp(self.environ, self.start_response) logger.info("parsed OK") _resp = self.response.response logger.debug("%s" % _resp) session_id = rndstr(16) _info = [ ("Client Address", ip_addresses()), ("Identity Provider", _resp.issuer.text), ("SSO Protocol", samlp.NAMESPACE), ] assertion = simplify(to_dict(_resp, ONTS.values())) SESSIONDB[session_id] = {"info": _info, "assertion": assertion} resp = Response(mako_template="result.mako", template_lookup=LOOKUP, headers=[]) uinfo = [] for key, val in self.response.ava.items(): if len(val) == 1: uinfo.append((key, val[0])) elif len(val) > 1: uinfo.append((key, ", ".join([v for v in val]))) uinfo.sort() try: ac = _resp.assertion[0].authn_statement[0].authn_context
def find_local_id(self, name_id):
    """Return the local id mapped to *name_id*, or None when no record exists.

    Only the first record the backend yields is consulted; its
    ``self.mdb.primary_key`` field is the local id.
    """
    serialised_name_id = to_dict(name_id, ONTS.values(), True)
    no_match = object()
    first = next(iter(self.mdb.get(name_id=serialised_name_id)), no_match)
    if first is no_match:
        return None
    return first[self.mdb.primary_key]
def store(self, ident, name_id):
    """Map local identifier *ident* to *name_id*, stored in to_dict() serialised form."""
    serialised_name_id = to_dict(name_id, ONTS.values(), True)
    self.mdb.store(ident, name_id=serialised_name_id)
def remove_remote(self, name_id):
    """Remove all records whose stored name_id equals the serialised *name_id*.

    The same to_dict(..., ONTS.values(), True) form is used as when storing,
    so the backend lookup matches the stored record.
    """
    self.mdb.remove(name_id=to_dict(name_id, ONTS.values(), True))
resp = ServiceError("Other error: %s" % (err,)) return resp(self.environ, self.start_response) logger.info("parsed OK") _resp = self.response.response logger.debug("%s" % _resp) # verify that I got the authentication Context Class reference # I wanted used = [] astat = [] for assertion in _resp.assertion: for statement in assertion.authn_statement: used.append(statement.authn_context.authn_context_class_ref.text) astat.append(simplify(to_dict(statement, ONTS.values()))) resp = Response(mako_template="result.mako", template_lookup=LOOKUP, headers=[]) argv = {"used": used, "wanted": SESSIONDB[_resp.in_response_to]["accr"], "authn_statement": json.dumps(astat, sort_keys=True, indent=2, separators=(',', ': '))} return resp(self.environ, self.start_response, **argv) def verify_attributes(self, ava): rest = POLICY.get_entity_categories_restriction( self.sp.config.entityid, self.sp.metadata)
resp = ServiceError("Other error: %s" % (err,)) return resp(self.environ, self.start_response) logger.info("parsed OK") _resp = self.response.response logger.debug("%s" % _resp) session_id = rndstr(16) _info = [ ("Client Address", ip_addresses()), ("Identity Provider", _resp.issuer.text), ("SSO Protocol", samlp.NAMESPACE), ] assertion = simplify(to_dict(_resp, ONTS.values())) SESSIONDB[session_id] = {"info": _info, "assertion": assertion} resp = Response(mako_template="result.mako", template_lookup=LOOKUP, headers=[]) uinfo = [] for key, val in self.response.ava.items(): if len(val) == 1: uinfo.append((key, val[0])) elif len(val) > 1: uinfo.append((key, ", ".join([v for v in val]))) uinfo.sort() argv = {"uinfo": uinfo, "idp": _resp.issuer.text, "session": "/Session/%s" % session_id}
def store_assertion(self, assertion, to_sign):
    """Keep *assertion* in ``self.assertion`` under its own assertion id.

    :param assertion: Assertion instance; ``id`` is the storage key.
    :param to_sign: stored verbatim next to the serialised assertion.

    Since the map is indexed by assertion.id, a repeated id replaces the
    earlier record.
    """
    record = {
        "assertion": to_dict(assertion, ONTS.values(), True),
        "to_sign": to_sign,
    }
    self.assertion[assertion.id] = record