Пример #1
0
def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''
       Check that issue instant is not older than a timeout and also checks
       that the id has never been seen before.

       Nonce are cached for two times the relative timeout length of the issue
       instant.
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    try:
        issue_instant = request_response_or_assertion.issueInstant
        issue_instant = saml2utils.iso8601_to_datetime(issue_instant)
        delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
        if not (now - delta <= issue_instant < now + delta):
            logger.warning('IssueInstant %s not in the interval [%s, %s[',
                           issue_instant, now - delta, now + delta)
            return False
    except ValueError:
        logger.error('Unable to parse an IssueInstant: %r', issue_instant)
        return False
    if CHECKS_ID:
        _id = request_response_or_assertion.id
        if _id is None:
            logger.warning('missing ID')
            return False
        if not nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
            logger.warning(
                "ID '%r' already used, request/response/assertion "
                "refused", _id)
            return False
    return True
Пример #2
0
def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''
       Check that issue instant is not older than a timeout and also checks
       that the id has never been seen before.

       Nonce are cached for two times the relative timeout length of the issue
       instant.
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    try:
        issue_instant = request_response_or_assertion.issueInstant
        issue_instant = saml2utils.iso8601_to_datetime(issue_instant)
        delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
        if not (now - delta <= issue_instant < now + delta):
            logger.warning('IssueInstant %s not in the interval [%s, %s[',
                    issue_instant, now-delta, now+delta)
            return False
    except ValueError:
        logger.error('Unable to parse an IssueInstant: %r', issue_instant)
        return False
    if CHECKS_ID:
        _id = request_response_or_assertion.id
        if _id is None:
            logger.warning('missing ID')
            return False
        if not nonce.accept_nonce(_id, 'SAML', 2*NONCE_TIMEOUT):
            logger.warning("ID '%r' already used, request/response/assertion "
                    "refused", _id)
            return False
    return True
Пример #3
0
def get_session_not_on_or_after(assertion):
    '''Extract the minimal value for the SessionNotOnOrAfter found in the given
       assertion AuthenticationStatement(s).
    '''
    session_not_on_or_afters = []
    if hasattr(assertion, 'authnStatement'):
        for authn_statement in assertion.authnStatement:
            if authn_statement.sessionNotOnOrAfter:
                value = authn_statement.sessionNotOnOrAfter
                try:
                    session_not_on_or_afters.append(saml2utils.iso8601_to_datetime(value))
                except ValueError:
                    logging.getLogger(__name__).error('unable to parse SessionNotOnOrAfter value %s, will use default value for session length.', value)
    if session_not_on_or_afters:
        return reduce(min, session_not_on_or_afters)
    return None
Пример #4
0
def get_session_not_on_or_after(assertion):
    '''Extract the minimal value for the SessionNotOnOrAfter found in the given
       assertion AuthenticationStatement(s).
    '''
    session_not_on_or_afters = []
    if hasattr(assertion, 'authnStatement'):
        for authn_statement in assertion.authnStatement:
            if authn_statement.sessionNotOnOrAfter:
                value = authn_statement.sessionNotOnOrAfter
                try:
                    session_not_on_or_afters.append(
                        saml2utils.iso8601_to_datetime(value))
                except ValueError:
                    logging.getLogger(__name__).error(
                        'unable to parse SessionNotOnOrAfter value %s, will '
                        'use default value for session length.', value)
    if session_not_on_or_afters:
        return reduce(min, session_not_on_or_afters)
    return None