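def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''Check the freshness and uniqueness of a SAML request, response or
    assertion.

    The ``IssueInstant`` must fall in the half-open window
    ``[now - NONCE_TIMEOUT, now + NONCE_TIMEOUT[`` and, when ``CHECKS_ID`` is
    enabled, the ``ID`` must never have been accepted before (replay
    protection).  IDs are remembered for twice ``NONCE_TIMEOUT`` so that a
    replayed message whose IssueInstant is still inside the window is always
    caught.  Note that the replay check is skipped entirely when
    ``CHECKS_ID`` is false.

    :param request_response_or_assertion: object exposing ``issueInstant``
        (ISO 8601 string or ``None``) and ``id`` attributes.
    :param now: reference time; defaults to ``datetime.datetime.utcnow()``.
    :returns: ``True`` when the message is acceptable, ``False`` otherwise.
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    issue_instant = request_response_or_assertion.issueInstant
    if issue_instant is None:
        # Refuse explicitly instead of handing None to the parser, which
        # would not surface as the ValueError handled below.
        logger.warning('missing IssueInstant')
        return False
    try:
        parsed = saml2utils.iso8601_to_datetime(issue_instant)
    except ValueError:
        logger.error('Unable to parse an IssueInstant: %r', issue_instant)
        return False
    delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
    # NOTE(review): assumes iso8601_to_datetime returns a datetime comparable
    # with the naive UTC value of utcnow(); mixing naive and aware datetimes
    # would raise TypeError here — confirm against saml2utils.
    if not (now - delta <= parsed < now + delta):
        logger.warning('IssueInstant %s not in the interval [%s, %s[',
                       parsed, now - delta, now + delta)
        return False
    if CHECKS_ID:
        _id = request_response_or_assertion.id
        if _id is None:
            logger.warning('missing ID')
            return False
        # Keep the ID for twice the window: an ID can only be replayed while
        # its IssueInstant is still accepted, and the cache must outlive that.
        if not nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
            logger.warning(
                "ID '%r' already used, request/response/assertion "
                "refused", _id)
            return False
    return True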
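def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''Check the freshness and uniqueness of a SAML request, response or
    assertion.

    The ``IssueInstant`` must fall in the half-open window
    ``[now - NONCE_TIMEOUT, now + NONCE_TIMEOUT[`` and, when ``CHECKS_ID`` is
    enabled, the ``ID`` must never have been accepted before (replay
    protection).  IDs are remembered for twice ``NONCE_TIMEOUT`` so that a
    replayed message whose IssueInstant is still inside the window is always
    caught.  Note that the replay check is skipped entirely when
    ``CHECKS_ID`` is false.

    :param request_response_or_assertion: object exposing ``issueInstant``
        (ISO 8601 string or ``None``) and ``id`` attributes.
    :param now: reference time; defaults to ``datetime.datetime.utcnow()``.
    :returns: ``True`` when the message is acceptable, ``False`` otherwise.
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    raw_instant = request_response_or_assertion.issueInstant
    if raw_instant is None:
        # Refuse explicitly instead of handing None to the parser, which
        # would not surface as the ValueError handled below.
        logger.warning('missing IssueInstant')
        return False
    try:
        issue_instant = saml2utils.iso8601_to_datetime(raw_instant)
    except ValueError:
        logger.error('Unable to parse an IssueInstant: %r', raw_instant)
        return False
    delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
    lower, upper = now - delta, now + delta
    # NOTE(review): assumes iso8601_to_datetime returns a datetime comparable
    # with the naive UTC value of utcnow(); mixing naive and aware datetimes
    # would raise TypeError here — confirm against saml2utils.
    if not (lower <= issue_instant < upper):
        logger.warning('IssueInstant %s not in the interval [%s, %s[',
                       issue_instant, lower, upper)
        return False
    if not CHECKS_ID:
        return True
    _id = request_response_or_assertion.id
    if _id is None:
        logger.warning('missing ID')
        return False
    # Keep the ID for twice the window: an ID can only be replayed while
    # its IssueInstant is still accepted, and the cache must outlive that.
    if not nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
        logger.warning("ID '%r' already used, request/response/assertion "
                       "refused", _id)
        return False
    return True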
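def get_session_not_on_or_after(assertion):
    '''Return the earliest ``SessionNotOnOrAfter`` found in the
    AuthnStatement(s) of *assertion*, or ``None`` when none is present or
    parsable.

    The minimum is taken so the local session never outlives the shortest
    lifetime the IdP asserted.

    :param assertion: object optionally exposing an iterable
        ``authnStatement`` attribute whose items carry a
        ``sessionNotOnOrAfter`` ISO 8601 string (or a falsy value).
    :returns: a ``datetime`` or ``None``.
    '''
    log = logging.getLogger(__name__)
    candidates = []
    # A missing or None authnStatement is treated as an empty list.
    for authn_statement in getattr(assertion, 'authnStatement', None) or ():
        value = authn_statement.sessionNotOnOrAfter
        if not value:
            continue
        try:
            candidates.append(saml2utils.iso8601_to_datetime(value))
        except ValueError:
            # Skip unparsable values; returning None lets the caller fall
            # back to its default session length.
            log.error('unable to parse SessionNotOnOrAfter value %s, will '
                      'use default value for session length.', value)
    # Builtin min() replaces reduce(min, ...), which needs functools on
    # Python 3.
    return min(candidates) if candidates else None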
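def get_session_not_on_or_after(assertion):
    '''Return the earliest ``SessionNotOnOrAfter`` found in the
    AuthnStatement(s) of *assertion*, or ``None`` when none is present or
    parsable.

    The minimum is taken so the local session never outlives the shortest
    lifetime the IdP asserted.

    :param assertion: object optionally exposing an iterable
        ``authnStatement`` attribute whose items carry a
        ``sessionNotOnOrAfter`` ISO 8601 string (or a falsy value).
    :returns: a ``datetime`` or ``None``.
    '''
    log = logging.getLogger(__name__)
    # A missing or None authnStatement is treated as an empty list.
    statements = getattr(assertion, 'authnStatement', None) or ()
    earliest = None
    for authn_statement in statements:
        value = authn_statement.sessionNotOnOrAfter
        if not value:
            continue
        try:
            parsed = saml2utils.iso8601_to_datetime(value)
        except ValueError:
            # Skip unparsable values; returning None lets the caller fall
            # back to its default session length.
            log.error('unable to parse SessionNotOnOrAfter value %s, will '
                      'use default value for session length.', value)
            continue
        # Track the running minimum instead of reduce(min, ...), which needs
        # functools on Python 3.
        if earliest is None or parsed < earliest:
            earliest = parsed
    return earliest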