def get_provider_config(req):
final_cfg = {}
base_cfg = None
try:
providers = settings.SAML_PROVIDERS
except AttributeError:
raise SAMLSettingsError('SAML_PROVIDERS is not defined in settings')
try:
provider = req['get_data']['provider']
except KeyError:
provider = list(providers[0].keys())[0]
req['get_data']['provider'] = provider
for index, provider_obj in enumerate(providers):
if list(provider_obj.keys())[0] == provider:
base_cfg = settings.SAML_PROVIDERS[index][provider]
break
if not base_cfg:
raise SAMLSettingsError("Provider %s was not found in settings" % provider)
final_cfg = base_cfg
try:
final_cfg['sp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(final_cfg['sp']['x509cert'])
final_cfg['sp']['privateKey'] = OneLogin_Saml2_Utils.format_private_key(final_cfg['sp']['privateKey'])
final_cfg['idp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(final_cfg['idp']['x509cert'])
except KeyError:
pass
return final_cfg
def testGetIdPData(self):
"""
Tests the getIdPData method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
idp_data = settings.get_idp_data()
self.assertNotEqual(len(idp_data), 0)
self.assertIn('entityId', idp_data)
self.assertIn('singleSignOnService', idp_data)
self.assertIn('singleLogoutService', idp_data)
self.assertIn('x509cert', idp_data)
self.assertEqual('http://idp.example.com/', idp_data['entityId'])
self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url'])
self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url'])
x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert)
self.assertEqual(formated_x509_cert, idp_data['x509cert'])
settings2 = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings8.json'))
idp_data2 = settings2.get_idp_data()
self.assertNotEqual(len(idp_data2), 0)
self.assertIn('x509certMulti', idp_data2)
self.assertIn('signing', idp_data2['x509certMulti'])
self.assertIn('encryption', idp_data2['x509certMulti'])
x509cert2 = 'MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m'
formated_x509_cert2 = OneLogin_Saml2_Utils.format_cert(x509cert2)
self.assertEqual(formated_x509_cert2, idp_data2['x509certMulti']['signing'][0])
self.assertEqual(formated_x509_cert, idp_data2['x509certMulti']['signing'][1])
self.assertEqual(formated_x509_cert, idp_data2['x509certMulti']['encryption'][0])
def get_provider_config(req):
final_cfg = {}
base_cfg = None
try:
provider = req['get_data']['provider']
except KeyError:
raise SAMLError("No provider specified in request")
for index, provider_obj in enumerate(settings.SAML_PROVIDERS):
if list(provider_obj.keys())[0] == provider:
base_cfg = settings.SAML_PROVIDERS[index][provider]
break
if not base_cfg:
raise SAMLSettingsError("Provider %s was not found in settings" %
provider)
final_cfg = base_cfg
final_cfg['sp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(
final_cfg['sp']['x509cert'])
final_cfg['sp']['privateKey'] = OneLogin_Saml2_Utils.format_private_key(
final_cfg['sp']['privateKey'])
final_cfg['idp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(
final_cfg['idp']['x509cert'])
return final_cfg
def format_idp_cert_multi(self):
"""
Formats the Multple IdP certs.
"""
if 'x509certMulti' in self.__idp:
if 'signing' in self.__idp['x509certMulti']:
for idx in range(len(self.__idp['x509certMulti']['signing'])):
self.__idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['signing'][idx])
if 'encryption' in self.__idp['x509certMulti']:
for idx in range(len(self.__idp['x509certMulti']['encryption'])):
self.__idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['encryption'][idx])
def format_idp_cert_multi(self):
"""
Formats the Multple IdP certs.
"""
if 'x509certMulti' in self.__idp:
if 'signing' in self.__idp['x509certMulti']:
for idx in range(len(self.__idp['x509certMulti']['signing'])):
self.__idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['signing'][idx])
if 'encryption' in self.__idp['x509certMulti']:
for idx in range(len(self.__idp['x509certMulti']['encryption'])):
self.__idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['encryption'][idx])
def add_x509_key_descriptors(metadata, cert=None):
"""
Adds the x509 descriptors (sign/encriptation) to the metadata
The same cert will be used for sign/encrypt
:param metadata: SAML Metadata XML
:type metadata: string
:param cert: x509 cert
:type cert: string
:returns: Metadata with KeyDescriptors
:rtype: string
"""
if cert is None or cert == '':
return metadata
try:
xml = parseString(metadata)
except Exception as e:
raise Exception('Error parsing metadata. ' + e.message)
formated_cert = OneLogin_Saml2_Utils.format_cert(cert, False)
x509_certificate = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS,
'ds:X509Certificate')
content = xml.createTextNode(formated_cert)
x509_certificate.appendChild(content)
key_data = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS,
'ds:X509Data')
key_data.appendChild(x509_certificate)
key_info = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS,
'ds:KeyInfo')
key_info.appendChild(key_data)
key_descriptor = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS,
'md:KeyDescriptor')
entity_descriptor = xml.getElementsByTagName('md:EntityDescriptor')[0]
sp_sso_descriptor = entity_descriptor.getElementsByTagName(
'md:SPSSODescriptor')[0]
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True),
sp_sso_descriptor.firstChild)
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True),
sp_sso_descriptor.firstChild)
signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
signing.setAttribute('use', 'signing')
encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
encryption.setAttribute('use', 'encryption')
signing.appendChild(key_info)
encryption.appendChild(key_info.cloneNode(True))
signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
return xml.toxml()
def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
"""
Adds the x509 descriptors (sign/encryption) to the metadata
The same cert will be used for sign/encrypt
:param metadata: SAML Metadata XML
:type metadata: string
:param cert: x509 cert
:type cert: string
:param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
:type add_encryption: boolean
:returns: Metadata with KeyDescriptors
:rtype: string
"""
if cert is None or cert == '':
return metadata
try:
xml = parseString(metadata.encode('utf-8'), forbid_dtd=True)
except Exception as e:
raise Exception('Error parsing metadata. ' + e.message)
formated_cert = OneLogin_Saml2_Utils.format_cert(cert, False)
x509_certificate = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Certificate')
content = xml.createTextNode(formated_cert)
x509_certificate.appendChild(content)
key_data = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Data')
key_data.appendChild(x509_certificate)
key_info = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:KeyInfo')
key_info.appendChild(key_data)
key_descriptor = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'md:KeyDescriptor')
entity_descriptor = xml.getElementsByTagName('md:EntityDescriptor')[0]
sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0]
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
if add_encryption:
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
signing.setAttribute('use', 'signing')
signing.appendChild(key_info)
signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
if add_encryption:
encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
encryption.setAttribute('use', 'encryption')
encryption.appendChild(key_info.cloneNode(True))
encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
return xml.toxml()
def __add_x509_key_descriptors(root, cert, signing):
key_descriptor = OneLogin_Saml2_XML.make_child(root, '{%s}KeyDescriptor' % OneLogin_Saml2_Constants.NS_MD)
root.remove(key_descriptor)
root.insert(0, key_descriptor)
key_info = OneLogin_Saml2_XML.make_child(key_descriptor, '{%s}KeyInfo' % OneLogin_Saml2_Constants.NS_DS)
key_data = OneLogin_Saml2_XML.make_child(key_info, '{%s}X509Data' % OneLogin_Saml2_Constants.NS_DS)
x509_certificate = OneLogin_Saml2_XML.make_child(key_data, '{%s}X509Certificate' % OneLogin_Saml2_Constants.NS_DS)
x509_certificate.text = OneLogin_Saml2_Utils.format_cert(cert, False)
key_descriptor.set('use', ('encryption', 'signing')[signing])
def __add_x509_key_descriptors(root, cert, signing):
key_descriptor = OneLogin_Saml2_XML.make_child(root, '{%s}KeyDescriptor' % OneLogin_Saml2_Constants.NS_MD)
root.remove(key_descriptor)
root.insert(0, key_descriptor)
key_info = OneLogin_Saml2_XML.make_child(key_descriptor, '{%s}KeyInfo' % OneLogin_Saml2_Constants.NS_DS)
key_data = OneLogin_Saml2_XML.make_child(key_info, '{%s}X509Data' % OneLogin_Saml2_Constants.NS_DS)
x509_certificate = OneLogin_Saml2_XML.make_child(key_data, '{%s}X509Certificate' % OneLogin_Saml2_Constants.NS_DS)
x509_certificate.text = OneLogin_Saml2_Utils.format_cert(cert, False)
key_descriptor.set('use', ('encryption', 'signing')[signing])
def testFormatCert(self):
"""
Tests the format_cert method of the OneLogin_Saml2_Utils
"""
settings_info = self.loadSettingsJSON()
cert = settings_info['idp']['x509cert']
self.assertNotIn('-----BEGIN CERTIFICATE-----', cert)
self.assertNotIn('-----END CERTIFICATE-----', cert)
self.assertEqual(len(cert), 860)
formated_cert1 = OneLogin_Saml2_Utils.format_cert(cert)
self.assertIn('-----BEGIN CERTIFICATE-----', formated_cert1)
self.assertIn('-----END CERTIFICATE-----', formated_cert1)
formated_cert2 = OneLogin_Saml2_Utils.format_cert(cert, True)
self.assertEqual(formated_cert1, formated_cert2)
formated_cert3 = OneLogin_Saml2_Utils.format_cert(cert, False)
self.assertNotIn('-----BEGIN CERTIFICATE-----', formated_cert3)
self.assertNotIn('-----END CERTIFICATE-----', formated_cert3)
self.assertEqual(len(formated_cert3), 860)
def testFormatCert(self):
"""
Tests the format_cert method of the OneLogin_Saml2_Utils
"""
settings_info = self.loadSettingsJSON()
cert = settings_info['idp']['x509cert']
self.assertNotIn('-----BEGIN CERTIFICATE-----', cert)
self.assertNotIn('-----END CERTIFICATE-----', cert)
self.assertEqual(len(cert), 860)
formated_cert1 = OneLogin_Saml2_Utils.format_cert(cert)
self.assertIn('-----BEGIN CERTIFICATE-----', formated_cert1)
self.assertIn('-----END CERTIFICATE-----', formated_cert1)
formated_cert2 = OneLogin_Saml2_Utils.format_cert(cert, True)
self.assertEqual(formated_cert1, formated_cert2)
formated_cert3 = OneLogin_Saml2_Utils.format_cert(cert, False)
self.assertNotIn('-----BEGIN CERTIFICATE-----', formated_cert3)
self.assertNotIn('-----END CERTIFICATE-----', formated_cert3)
self.assertEqual(len(formated_cert3), 860)
def testGenerateNameIdWithoutSPNameQualifier(self):
"""
Tests the generateNameId method of the OneLogin_Saml2_Utils
"""
name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde'
name_id_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'
name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format)
expected_name_id = '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>'
self.assertEqual(name_id, expected_name_id)
settings_info = self.loadSettingsJSON()
x509cert = settings_info['idp']['x509cert']
key = OneLogin_Saml2_Utils.format_cert(x509cert)
name_id_enc = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format, key)
expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>'
self.assertIn(expected_name_id_enc, name_id_enc)
def testGenerateNameIdWithoutSPNameQualifier(self):
"""
Tests the generateNameId method of the OneLogin_Saml2_Utils
"""
name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde'
name_id_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format)
expected_name_id = '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>'
self.assertEqual(expected_name_id, name_id)
settings_info = self.loadSettingsJSON()
x509cert = settings_info['idp']['x509cert']
key = OneLogin_Saml2_Utils.format_cert(x509cert)
name_id_enc = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format, key)
expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Type="http://www.w3.org/2001/04/xmlenc#Element">\n<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>\n<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">\n<xenc:EncryptedKey>\n<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>\n<xenc:CipherData>\n<xenc:CipherValue>'
self.assertIn(expected_name_id_enc, name_id_enc)
def testGetIdPData(self):
"""
Tests the getIdPData method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
idp_data = settings.get_idp_data()
self.assertNotEqual(len(idp_data), 0)
self.assertIn('entityId', idp_data)
self.assertIn('singleSignOnService', idp_data)
self.assertIn('singleLogoutService', idp_data)
self.assertIn('x509cert', idp_data)
self.assertEqual('http://idp.example.com/', idp_data['entityId'])
self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url'])
self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url'])
x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert)
self.assertEqual(formated_x509_cert, idp_data['x509cert'])
def testGetIdPData(self):
"""
Tests the getIdPData method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
idp_data = settings.get_idp_data()
self.assertNotEqual(len(idp_data), 0)
self.assertIn('entityId', idp_data)
self.assertIn('singleSignOnService', idp_data)
self.assertIn('singleLogoutService', idp_data)
self.assertIn('x509cert', idp_data)
self.assertEqual('http://idp.example.com/', idp_data['entityId'])
self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url'])
self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url'])
x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert)
self.assertEqual(formated_x509_cert, idp_data['x509cert'])
def format_sp_cert_new(self):
"""
Formats the SP cert.
"""
self.__sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert(
self.__sp['x509certNew'])
def format_idp_cert(self):
"""
Formats the IdP cert.
"""
self.__idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(
self.__idp['x509cert'])
def parse(
idp_metadata,
required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
index=0):
"""
Parses the Identity Provider metadata and return a dict with extracted data.
If there are multiple <IDPSSODescriptor> tags, parse only the first.
Parses only those SSO endpoints with the same binding as given by
the `required_sso_binding` parameter.
Parses only those SLO endpoints with the same binding as given by
the `required_slo_binding` parameter.
If the metadata specifies multiple SSO endpoints with the required
binding, extract only the first (the same holds true for SLO
endpoints).
:param idp_metadata: XML of the Identity Provider Metadata.
:type idp_metadata: string
:param required_sso_binding: Parse only POST or REDIRECT SSO endpoints.
:type required_sso_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
or OneLogin_Saml2_Constants.BINDING_HTTP_POST
:param required_slo_binding: Parse only POST or REDIRECT SLO endpoints.
:type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
or OneLogin_Saml2_Constants.BINDING_HTTP_POST
:param index: If the metadata contains more than 1 certificate, use index to get the right certificate.
:type index: number
:returns: settings dict with extracted data
:rtype: dict
"""
data = {}
dom = OneLogin_Saml2_XML.to_etree(idp_metadata)
entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:EntityDescriptor')
idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None
if len(entity_descriptor_nodes) > 0:
for entity_descriptor_node in entity_descriptor_nodes:
idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor')
if len(idp_descriptor_nodes) > 0:
idp_descriptor_node = idp_descriptor_nodes[0]
idp_entity_id = entity_descriptor_node.get('entityID', None)
want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None)
name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat')
if len(name_id_format_nodes) > 0:
idp_name_id_format = name_id_format_nodes[0].text
sso_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:SingleSignOnService[@Binding='%s']" % required_sso_binding
)
if len(sso_nodes) > 0:
idp_sso_url = sso_nodes[0].get('Location', None)
slo_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:SingleLogoutService[@Binding='%s']" % required_slo_binding
)
if len(slo_nodes) > 0:
idp_slo_url = slo_nodes[0].get('Location', None)
# Attempt to extract the cert/public key to be used for
# verifying signatures (as opposed to extracing a key to be
# used for encryption), by specifying `use=signing` in the
# XPath expression. If that does not yield a cert, retry
# using a more relaxed XPath expression (the `use` attribute
# is optional according to the saml-metadata-2.0-os spec).
cert_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
)
if not cert_nodes:
cert_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
)
if len(cert_nodes) > 0:
idp_x509_cert = OneLogin_Saml2_Utils.format_cert(cert_nodes[index].text, False)
data['idp'] = {}
if idp_entity_id is not None:
data['idp']['entityId'] = idp_entity_id
if idp_sso_url is not None:
data['idp']['singleSignOnService'] = {}
data['idp']['singleSignOnService']['url'] = idp_sso_url
data['idp']['singleSignOnService']['binding'] = required_sso_binding
if idp_slo_url is not None:
data['idp']['singleLogoutService'] = {}
data['idp']['singleLogoutService']['url'] = idp_slo_url
data['idp']['singleLogoutService']['binding'] = required_slo_binding
if idp_x509_cert is not None:
data['idp']['x509cert'] = idp_x509_cert
if want_authn_requests_signed is not None:
data['security'] = {}
data['security']['authnRequestsSigned'] = want_authn_requests_signed
if idp_name_id_format:
data['sp'] = {}
data['sp']['NameIDFormat'] = idp_name_id_format
break
return data
def parse(idp_metadata,
required_sso_binding=OneLogin_Saml2_Constants.
BINDING_HTTP_REDIRECT,
required_slo_binding=OneLogin_Saml2_Constants.
BINDING_HTTP_REDIRECT,
index=0):
"""
Parses the Identity Provider metadata and return a dict with extracted data.
If there are multiple <IDPSSODescriptor> tags, parse only the first.
Parses only those SSO endpoints with the same binding as given by
the `required_sso_binding` parameter.
Parses only those SLO endpoints with the same binding as given by
the `required_slo_binding` parameter.
If the metadata specifies multiple SSO endpoints with the required
binding, extract only the first (the same holds true for SLO
endpoints).
:param idp_metadata: XML of the Identity Provider Metadata.
:type idp_metadata: string
:param required_sso_binding: Parse only POST or REDIRECT SSO endpoints.
:type required_sso_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
or OneLogin_Saml2_Constants.BINDING_HTTP_POST
:param required_slo_binding: Parse only POST or REDIRECT SLO endpoints.
:type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
or OneLogin_Saml2_Constants.BINDING_HTTP_POST
:param index: If the metadata contains more than 1 certificate, use index to get the right certificate.
:type index: number
:returns: settings dict with extracted data
:rtype: dict
"""
data = {}
dom = OneLogin_Saml2_XML.to_etree(idp_metadata)
entity_descriptor_nodes = OneLogin_Saml2_XML.query(
dom, '//md:EntityDescriptor')
idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None
if len(entity_descriptor_nodes) > 0:
for entity_descriptor_node in entity_descriptor_nodes:
idp_descriptor_nodes = OneLogin_Saml2_XML.query(
entity_descriptor_node, './md:IDPSSODescriptor')
if len(idp_descriptor_nodes) > 0:
idp_descriptor_node = idp_descriptor_nodes[0]
idp_entity_id = entity_descriptor_node.get(
'entityID', None)
want_authn_requests_signed = entity_descriptor_node.get(
'WantAuthnRequestsSigned', None)
name_id_format_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node, './md:NameIDFormat')
if len(name_id_format_nodes) > 0:
idp_name_id_format = name_id_format_nodes[0].text
sso_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:SingleSignOnService[@Binding='%s']" %
required_sso_binding)
if len(sso_nodes) > 0:
idp_sso_url = sso_nodes[0].get('Location', None)
slo_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:SingleLogoutService[@Binding='%s']" %
required_slo_binding)
if len(slo_nodes) > 0:
idp_slo_url = slo_nodes[0].get('Location', None)
# Attempt to extract the cert/public key to be used for
# verifying signatures (as opposed to extracing a key to be
# used for encryption), by specifying `use=signing` in the
# XPath expression. If that does not yield a cert, retry
# using a more relaxed XPath expression (the `use` attribute
# is optional according to the saml-metadata-2.0-os spec).
cert_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
)
if not cert_nodes:
cert_nodes = OneLogin_Saml2_XML.query(
idp_descriptor_node,
"./md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
)
if len(cert_nodes) > 0:
idp_x509_cert = OneLogin_Saml2_Utils.format_cert(
cert_nodes[index].text, False)
data['idp'] = {}
if idp_entity_id is not None:
data['idp']['entityId'] = idp_entity_id
if idp_sso_url is not None:
data['idp']['singleSignOnService'] = {}
data['idp']['singleSignOnService']['url'] = idp_sso_url
data['idp']['singleSignOnService'][
'binding'] = required_sso_binding
if idp_slo_url is not None:
data['idp']['singleLogoutService'] = {}
data['idp']['singleLogoutService']['url'] = idp_slo_url
data['idp']['singleLogoutService'][
'binding'] = required_slo_binding
if idp_x509_cert is not None:
data['idp']['x509cert'] = idp_x509_cert
if want_authn_requests_signed is not None:
data['security'] = {}
data['security'][
'authnRequestsSigned'] = want_authn_requests_signed
if idp_name_id_format:
data['sp'] = {}
data['sp']['NameIDFormat'] = idp_name_id_format
break
return data
def format_sp_cert(self):
"""
Formats the SP cert.
"""
self.__sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509cert'])
def format_idp_certs(self):
"""
Formats the IdP cert.
"""
self.__idp['x509certs'] = [OneLogin_Saml2_Utils.format_cert(cert)
for cert in self.__idp['x509certs']]
def format_idp_cert(self):
"""
Formats the IdP cert.
"""
self.__idp["x509cert"] = OneLogin_Saml2_Utils.format_cert(self.__idp["x509cert"])
