def _create_subject(self, user, expiration_time, recipient):
"""Create an object that represents a SAML Subject.
<ns0:Subject>
<ns0:NameID>
[email protected]</ns0:NameID>
<ns0:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns0:SubjectConfirmationData
NotOnOrAfter="2014-08-19T11:53:57.243106Z"
Recipient="http://beta.com/Shibboleth.sso/SAML2/POST" />
</ns0:SubjectConfirmation>
</ns0:Subject>
:returns: XML <Subject> object
"""
name_id = saml.NameID()
name_id.set_text(user)
subject_conf_data = saml.SubjectConfirmationData()
subject_conf_data.recipient = recipient
subject_conf_data.not_on_or_after = expiration_time
subject_conf = saml.SubjectConfirmation()
subject_conf.method = saml.SCM_BEARER
subject_conf.subject_confirmation_data = subject_conf_data
subject = saml.Subject()
subject.subject_confirmation = subject_conf
subject.name_id = name_id
return subject
def do_authz_decision_query(self,
entity_id,
action,
subject_id,
nameid_format,
evidence=None,
resource=None,
sp_name_qualifier=None,
name_qualifier=None,
consent=None,
extensions=None,
sign=False):
subject = saml.Subject(
name_id=saml.NameID(text=subject_id,
format=nameid_format,
sp_name_qualifier=sp_name_qualifier,
name_qualifier=name_qualifier))
srvs = self.metadata.authz_service(entity_id, BINDING_SOAP)
for dest in locations(srvs):
resp = self._use_soap(dest,
"authz_decision_query",
action=action,
evidence=evidence,
resource=resource,
subject=subject)
if resp:
return resp
return None
def create_attribute_query(self, destination, name_id=None,
attribute=None, message_id=0, consent=None,
extensions=None, sign=False, sign_prepare=False,
**kwargs):
""" Constructs an AttributeQuery
:param destination: To whom the query should be sent
:param name_id: The identifier of the subject
:param attribute: A dictionary of attributes and values that is
asked for. The key are one of 4 variants:
3-tuple of name_format,name and friendly_name,
2-tuple of name_format and name,
1-tuple with name or
just the name as a string.
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param format: The format of the name ID
:param message_id: The identifier of the session
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param sign: Whether the query should be signed or not.
:param sign_prepare: Whether the Signature element should be added.
:return: Tuple of request ID and an AttributeQuery instance
"""
if name_id is None:
if "subject_id" in kwargs:
name_id = saml.NameID(text=kwargs["subject_id"])
for key in ["sp_name_qualifier", "name_qualifier",
"format"]:
try:
setattr(name_id, key, kwargs[key])
except KeyError:
pass
else:
raise AttributeError("Missing required parameter")
elif isinstance(name_id, six.string_types):
name_id = saml.NameID(text=name_id)
for key in ["sp_name_qualifier", "name_qualifier", "format"]:
try:
setattr(name_id, key, kwargs[key])
except KeyError:
pass
subject = saml.Subject(name_id=name_id)
if attribute:
attribute = do_attributes(attribute)
try:
nsprefix = kwargs["nsprefix"]
except KeyError:
nsprefix = None
return self._message(AttributeQuery, destination, message_id, consent,
extensions, sign, sign_prepare, subject=subject,
attribute=attribute, nsprefix=nsprefix)
def create_attribute_query(self,
session_id,
subject_id,
destination,
issuer_id=None,
attribute=None,
sp_name_qualifier=None,
name_qualifier=None,
nameid_format=None,
sign=False):
""" Constructs an AttributeQuery
:param session_id: The identifier of the session
:param subject_id: The identifier of the subject
:param destination: To whom the query should be sent
:param issuer_id: Identifier of the issuer
:param attribute: A dictionary of attributes and values that is
asked for. The key are one of 4 variants:
3-tuple of name_format,name and friendly_name,
2-tuple of name_format and name,
1-tuple with name or
just the name as a string.
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param nameid_format: The format of the name ID
:param sign: Whether the query should be signed or not.
:return: An AttributeQuery instance
"""
subject = saml.Subject(name_id=saml.NameID(
text=subject_id,
format=nameid_format,
sp_name_qualifier=sp_name_qualifier,
name_qualifier=name_qualifier), )
query = samlp.AttributeQuery(
id=session_id,
version=VERSION,
issue_instant=instant(),
destination=destination,
issuer=self._issuer(issuer_id),
subject=subject,
)
if sign:
query.signature = pre_signature_part(query.id, self.sec.my_cert, 1)
if attribute:
query.attribute = do_attributes(attribute)
if sign:
signed_query = self.sec.sign_attribute_query_using_xmlsec("%s" %
query)
return samlp.attribute_query_from_string(signed_query)
else:
return query
def create_attribute_query(self,
destination,
subject_id,
attribute=None,
sp_name_qualifier=None,
name_qualifier=None,
nameid_format=None,
id=0,
consent=None,
extensions=None,
sign=False,
**kwargs):
""" Constructs an AttributeQuery
:param destination: To whom the query should be sent
:param subject_id: The identifier of the subject
:param attribute: A dictionary of attributes and values that is
asked for. The key are one of 4 variants:
3-tuple of name_format,name and friendly_name,
2-tuple of name_format and name,
1-tuple with name or
just the name as a string.
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param nameid_format: The format of the name ID
:param id: The identifier of the session
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param sign: Whether the query should be signed or not.
:return: An AttributeQuery instance
"""
subject = saml.Subject(
name_id=saml.NameID(text=subject_id,
format=nameid_format,
sp_name_qualifier=sp_name_qualifier,
name_qualifier=name_qualifier))
if attribute:
attribute = do_attributes(attribute)
return self._message(AttributeQuery,
destination,
id,
consent,
extensions,
sign,
subject=subject,
attribute=attribute)
def testAccessors(self):
"""Test for AuthnRequest accessors"""
self.ar.id = "request id"
self.ar.version = saml2.VERSION
self.ar.issue_instant = "2007-09-14T01:05:02Z"
self.ar.destination = "http://www.example.com/Destination"
self.ar.consent = saml.CONSENT_UNSPECIFIED
self.ar.issuer = saml.Issuer()
self.ar.signature = ds.Signature()
self.ar.extensions = samlp.Extensions()
self.ar.subject = saml.Subject()
self.ar.name_id_policy = samlp.NameIDPolicy()
self.ar.conditions = saml.Conditions()
self.ar.requested_authn_context = samlp.RequestedAuthnContext()
self.ar.scoping = samlp.Scoping()
self.ar.force_authn = 'true'
self.ar.is_passive = 'true'
self.ar.assertion_consumer_service_index = "1"
self.ar.assertion_consumer_service_url = "http://www.example.com/acs"
self.ar.protocol_binding = saml2.BINDING_HTTP_POST
self.ar.attribute_consuming_service_index = "2"
self.ar.provider_name = "provider name"
new_ar = samlp.authn_request_from_string(self.ar.to_string())
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
