def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''Validate the freshness of an IssueInstant and the uniqueness of an ID.

       The parsed IssueInstant must lie in the half-open window
       [now - NONCE_TIMEOUT, now + NONCE_TIMEOUT[; the future side of the
       window presumably absorbs clock skew between the two parties.  When
       CHECKS_ID is set the ID must be present and is registered with
       nonce.accept_nonce for 2 * NONCE_TIMEOUT seconds, so a second
       message carrying the same ID is refused for as long as the first
       one could still be accepted by the time check.

       :param request_response_or_assertion: SAML object exposing an
           ``issueInstant`` attribute (ISO 8601 string) and an ``id``.
       :param now: reference time; defaults to the naive UTC time.  It
           must be comparable with what iso8601_to_datetime returns.
       :return: True when every check passes, False otherwise; each refusal
           is logged with its reason.
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    try:
        issue_instant = request_response_or_assertion.issueInstant
        issue_instant = saml2utils.iso8601_to_datetime(issue_instant)
        tolerance = datetime.timedelta(seconds=NONCE_TIMEOUT)
        lower, upper = now - tolerance, now + tolerance
        in_window = lower <= issue_instant < upper
    except ValueError:
        # issue_instant still holds the raw string that failed to parse
        logger.error('Unable to parse an IssueInstant: %r', issue_instant)
        return False
    if not in_window:
        logger.warning('IssueInstant %s not in the interval [%s, %s[',
                       issue_instant, lower, upper)
        return False
    if not CHECKS_ID:
        return True
    _id = request_response_or_assertion.id
    if _id is None:
        logger.warning('missing ID')
        return False
    if nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
        return True
    logger.warning(
        "ID '%r' already used, request/response/assertion "
        "refused", _id)
    return False
def check_id_and_issue_instant(request_response_or_assertion, now=None):
    '''Reject stale, future-dated or replayed SAML messages.

       The IssueInstant is parsed with saml2utils.iso8601_to_datetime and
       must satisfy now - NONCE_TIMEOUT <= instant < now + NONCE_TIMEOUT.
       If CHECKS_ID is enabled, the ID must not be None and is recorded by
       nonce.accept_nonce under the 'SAML' namespace for twice
       NONCE_TIMEOUT seconds; an already recorded ID is refused.

       :param request_response_or_assertion: object with ``issueInstant``
           (ISO 8601 string) and ``id`` attributes.
       :param now: reference datetime, naive UTC when omitted.
       :return: True if accepted, False if any check fails (reason logged).
    '''
    if now is None:
        now = datetime.datetime.utcnow()
    try:
        issue_instant = request_response_or_assertion.issueInstant
        issue_instant = saml2utils.iso8601_to_datetime(issue_instant)
        tolerance = datetime.timedelta(seconds=NONCE_TIMEOUT)
        lower = now - tolerance
        upper = now + tolerance
        # De Morgan of "not (lower <= instant < upper)"
        if issue_instant < lower or issue_instant >= upper:
            logger.warning('IssueInstant %s not in the interval [%s, %s[',
                    issue_instant, lower, upper)
            return False
    except ValueError:
        logger.error('Unable to parse an IssueInstant: %r', issue_instant)
        return False
    if CHECKS_ID:
        _id = request_response_or_assertion.id
        if _id is None:
            logger.warning('missing ID')
            return False
        accepted = nonce.accept_nonce(_id, 'SAML', 2*NONCE_TIMEOUT)
        if not accepted:
            logger.warning("ID '%r' already used, request/response/assertion "
                    "refused", _id)
            return False
    return True
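def get_session_not_on_or_after(assertion):
    '''Return the earliest SessionNotOnOrAfter of the assertion's
       AuthnStatement(s), or None when no usable value is present.

       Each statement's ``sessionNotOnOrAfter`` (ISO 8601 string) is parsed
       with saml2utils.iso8601_to_datetime.  A value that fails to parse is
       logged and skipped instead of aborting, so the caller falls back to
       its default session length.  Taking the minimum keeps the most
       restrictive bound when several statements are present.

       :param assertion: SAML assertion; ``authnStatement`` may be missing
           or None, both are treated as "no statements".
       :return: the smallest parsed datetime, or None.
    '''
    log = logging.getLogger(__name__)
    candidates = []
    # getattr(..., None) or () covers both a missing attribute and an
    # explicit None, which the hasattr() form would have iterated and crashed on
    for authn_statement in getattr(assertion, 'authnStatement', None) or ():
        value = authn_statement.sessionNotOnOrAfter
        if not value:
            continue
        try:
            candidates.append(saml2utils.iso8601_to_datetime(value))
        except ValueError:
            log.error('unable to parse SessionNotOnOrAfter value %s, will use default value for session length.', value)
    # builtin min() replaces reduce(min, ...) and drops the functools dependency;
    # the list is non-empty here, so min() cannot raise
    if candidates:
        return min(candidates)
    return None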
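def get_session_not_on_or_after(assertion):
    '''Return the minimum SessionNotOnOrAfter across the assertion's
       AuthnStatement(s), or None if there is none.

       ``sessionNotOnOrAfter`` strings are parsed with
       saml2utils.iso8601_to_datetime; unparseable ones are logged and
       ignored so the caller can apply its default session length.

       :param assertion: SAML assertion whose ``authnStatement`` attribute
           may be absent or None.
       :return: earliest parsed datetime, or None.
    '''
    log = logging.getLogger(__name__)
    statements = getattr(assertion, 'authnStatement', None) or ()
    session_not_on_or_afters = []
    for authn_statement in statements:
        value = authn_statement.sessionNotOnOrAfter
        if not value:
            continue
        try:
            session_not_on_or_afters.append(
                saml2utils.iso8601_to_datetime(value))
        except ValueError:
            log.error(
                'unable to parse SessionNotOnOrAfter value %s, will '
                'use default value for session length.', value)
    # builtin min() instead of reduce(min, ...): same result, no functools needed
    if session_not_on_or_afters:
        return min(session_not_on_or_afters)
    return None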