def __validate_signature(self, data, saml_type, raise_exceptions=False):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
"""
try:
signature = data.get('Signature', None)
if signature is None:
if self.__settings.is_strict(
) and self.__settings.get_security_data().get(
'wantMessagesSigned', False):
raise OneLogin_Saml2_ValidationError(
'The %s is not signed. Rejected.' % saml_type,
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE)
return True
x509cert = self.get_settings().get_idp_cert()
if not x509cert:
error_msg = "In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type
self.__errors.append(error_msg)
raise OneLogin_Saml2_Error(error_msg,
OneLogin_Saml2_Error.CERT_NOT_FOUND)
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
lowercase_urlencoding = False
if 'lowercase_urlencoding' in self.__request_data.keys():
lowercase_urlencoding = self.__request_data[
'lowercase_urlencoding']
signed_query = self.__build_sign_query(
data[saml_type], data.get('RelayState', None), sign_alg,
saml_type, lowercase_urlencoding)
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, OneLogin_Saml2_Utils.b64decode(signature),
x509cert, sign_alg, self.__settings.is_debug_active()):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected.' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
return True
except Exception as e:
self.__error_reason = str(e)
if raise_exceptions:
raise e
return False
def __validate_signature(self, data, saml_type):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
"""
signature = data.get('Signature', None)
if signature is None:
if self.__settings.is_strict() and self.__settings.get_security_data().get('wantMessagesSigned', False):
self.__error_reason = 'The %s is not signed. Rejected.' % saml_type
return False
return True
x509cert = self.get_settings().get_idp_cert()
if x509cert is None:
self.__errors.append("In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type)
return False
try:
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
lowercase_urlencoding = False
if 'lowercase_urlencoding' in self.__request_data.keys():
lowercase_urlencoding = self.__request_data['lowercase_urlencoding']
signed_query = self.__build_sign_query(data[saml_type],
data.get('RelayState', None),
sign_alg,
saml_type,
lowercase_urlencoding
)
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
OneLogin_Saml2_Utils.b64decode(signature),
x509cert,
sign_alg,
self.__settings.is_debug_active()):
raise Exception('Signature validation failed. %s rejected.' % saml_type)
return True
except Exception as e:
self.__error_reason = str(e)
return False
def __validate_signature(self, data, saml_type):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
"""
signature = data.get('Signature', None)
if signature is None:
if self.__settings.is_strict(
) and self.__settings.get_security_data().get(
'wantMessagesSigned', False):
self.__error_reason = 'The %s is not signed. Rejected.' % saml_type
return False
return True
x509cert = self.get_settings().get_idp_cert()
if x509cert is None:
self.__errors.append(
"In order to validate the sign on the %s, the x509cert of the IdP is required"
% saml_type)
return False
try:
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
raise Exception('Invalid SigAlg, the %s rejected.' % saml_type)
signed_query = self.__build_sign_query(
data[saml_type], data.get('RelayState', None), sign_alg,
saml_type)
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, OneLogin_Saml2_Utils.b64decode(signature),
x509cert, sign_alg, self.__settings.is_debug_active()):
raise Exception('Signature validation failed. %s rejected.' %
saml_type)
return True
except Exception as e:
self.__error_reason = str(e)
return False
def is_valid(self, request_data):
"""
Checks if the Logout Request received is valid
:param request_data: Request Data
:type request_data: dict
:return: If the Logout Request is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
dom = fromstring(self.__logout_request)
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if 'get_data' in request_data.keys():
get_data = request_data['get_data']
else:
get_data = {}
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if not isinstance(res, Document):
raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check NotOnOrAfter
if dom.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(dom.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise Exception('Timing issues (please check your clock settings)')
# Check destination
if dom.get('Destination', None):
destination = dom.get('Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' %
{
'currentURL': current_url,
'destination': destination,
}
)
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception('The Message of the Logout Request is not signed and the SP require it')
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest', lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
raise Exception('Signature validation failed. Logout Request rejected')
return True
except Exception as err:
# pylint: disable=R0801sign_alg
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
return False
def is_valid(self, request_data):
"""
Checks if the Logout Request recieved is valid
:param request_data: Request Data
:type request_data: dict
:return: If the Logout Request is or not valid
:rtype: boolean
"""
self.__error = None
try:
dom = fromstring(self.__logout_request)
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if 'get_data' in request_data.keys():
get_data = request_data['get_data']
else:
get_data = {}
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(
dom, 'saml-schema-protocol-2.0.xsd',
self.__settings.is_debug_active())
if not isinstance(res, Document):
raise Exception(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd'
)
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(
request_data)
# Check NotOnOrAfter
if dom.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(
dom.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise Exception(
'Timing issues (please check your clock settings)')
# Check destination
if dom.get('Destination', None):
destination = dom.get('Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' % {
'currentURL': current_url,
'destination': destination,
})
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception(
'The Message of the Logout Request is not signed and the SP require it'
)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLRequest=%s' % quote_plus(
get_data['SAMLRequest'])
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (
signed_query, quote_plus(get_data['RelayState']))
signed_query = '%s&SigAlg=%s' % (signed_query,
quote_plus(sign_alg))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception(
'In order to validate the sign on the Logout Request, the x509cert of the IdP is required'
)
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data['Signature']), cert,
sign_alg):
raise Exception(
'Signature validation failed. Logout Request rejected')
return True
except Exception as err:
# pylint: disable=R0801sign_alg
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
return False
def _validate_signature(self, data, saml_type, raise_exceptions=False):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
"""
try:
signature = data.get('Signature', None)
if signature is None:
if self._settings.is_strict(
) and self._settings.get_security_data().get(
'wantMessagesSigned', False):
raise OneLogin_Saml2_ValidationError(
'The %s is not signed. Rejected.' % saml_type,
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE)
return True
idp_data = self.get_settings().get_idp_data()
exists_x509cert = self.get_settings().get_idp_cert() is not None
exists_multix509sign = 'x509certMulti' in idp_data and \
'signing' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['signing']
if not (exists_x509cert or exists_multix509sign):
error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type
self._errors.append(error_msg)
raise OneLogin_Saml2_Error(error_msg,
OneLogin_Saml2_Error.CERT_NOT_FOUND)
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
security = self._settings.get_security_data()
reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm',
False)
if reject_deprecated_alg:
if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
raise OneLogin_Saml2_ValidationError(
'Deprecated signature algorithm found: %s' % sign_alg,
OneLogin_Saml2_ValidationError.
DEPRECATED_SIGNATURE_METHOD)
query_string = self._request_data.get('query_string')
if query_string and self._request_data.get(
'validate_signature_from_qs'):
signed_query = self._build_sign_query_from_qs(
query_string, saml_type)
else:
lowercase_urlencoding = self._request_data.get(
'lowercase_urlencoding', False)
signed_query = self._build_sign_query(data[saml_type],
data.get('RelayState'),
sign_alg, saml_type,
lowercase_urlencoding)
if exists_multix509sign:
for cert in idp_data['x509certMulti']['signing']:
if OneLogin_Saml2_Utils.validate_binary_sign(
signed_query,
OneLogin_Saml2_Utils.b64decode(signature), cert,
sign_alg):
return True
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
else:
cert = self.get_settings().get_idp_cert()
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query,
OneLogin_Saml2_Utils.b64decode(signature), cert,
sign_alg, self._settings.is_debug_active()):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
return True
except Exception as e:
self._error_reason = str(e)
if raise_exceptions:
raise e
return False
def is_valid(self, request_data, request_id=None, raise_exceptions=False):
"""
Determines if the SAML LogoutResponse is valid
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
:return: Returns if the SAML LogoutResponse is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
get_data = request_data['get_data']
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if not isinstance(res, Document):
raise OneLogin_Saml2_ValidationError(
'Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd',
OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
)
security = self.__settings.get_security_data()
# Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
if request_id is not None and self.document.documentElement.hasAttribute('InResponseTo'):
in_response_to = self.document.documentElement.getAttribute('InResponseTo')
if request_id != in_response_to:
raise OneLogin_Saml2_ValidationError(
'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id),
OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
)
# Check issuer
issuer = self.get_issuer()
if issuer is not None and issuer != idp_entity_id:
raise OneLogin_Saml2_ValidationError(
'Invalid issuer in the Logout Request',
OneLogin_Saml2_ValidationError.WRONG_ISSUER
)
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check destination
if self.document.documentElement.hasAttribute('Destination'):
destination = self.document.documentElement.getAttribute('Destination')
if destination != '':
if current_url not in destination:
raise OneLogin_Saml2_ValidationError(
'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
OneLogin_Saml2_ValidationError.WRONG_DESTINATION
)
if security['wantMessagesSigned']:
if security['wantValidMessageSignature']:
if 'Signature' not in get_data:
raise OneLogin_Saml2_ValidationError(
'The Message of the Logout Response is not signed and the SP require it',
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLResponse', lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']
exists_multix509sign = 'x509certMulti' in idp_data and \
'signing' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['signing']
if not (exists_x509cert or exists_multix509sign):
raise OneLogin_Saml2_Error(
'In order to validate the sign on the Logout Response, the x509cert of the IdP is required',
OneLogin_Saml2_Error.CERT_NOT_FOUND
)
if exists_multix509sign:
for cert in idp_data['x509certMulti']['signing']:
if OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
return True
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Response rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
)
else:
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Response rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
)
return True
# pylint: disable=R0801
except Exception as err:
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
if raise_exceptions:
raise err
return False
def is_valid(self, request_data, request_id=None):
"""
Determines if the SAML LogoutResponse is valid
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:return: Returns if the SAML LogoutResponse is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
get_data = request_data['get_data']
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(
self.document, 'saml-schema-protocol-2.0.xsd',
self.__settings.is_debug_active())
if not isinstance(res, Document):
raise Exception(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd'
)
security = self.__settings.get_security_data()
# Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
if request_id is not None and self.document.documentElement.hasAttribute(
'InResponseTo'):
in_response_to = self.document.documentElement.getAttribute(
'InResponseTo')
if request_id != in_response_to:
raise Exception(
'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s'
% (in_response_to, request_id))
# Check issuer
issuer = self.get_issuer()
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(
request_data)
# Check destination
if self.document.documentElement.hasAttribute('Destination'):
destination = self.document.documentElement.getAttribute(
'Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at $currentURL instead of $destination'
)
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception(
'The Message of the Logout Response is not signed and the SP require it'
)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'SAMLResponse',
lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (
signed_query,
OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'RelayState',
lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (
signed_query,
OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'SigAlg',
OneLogin_Saml2_Constants.RSA_SHA1,
lowercase_urlencoding=lowercase_urlencoding))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception(
'In order to validate the sign on the Logout Response, the x509cert of the IdP is required'
)
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data['Signature']), cert,
sign_alg):
raise Exception(
'Signature validation failed. Logout Response rejected'
)
return True
# pylint: disable=R0801
except Exception as err:
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
return False
def is_valid(self, request_data, request_id=None):
"""
Determines if the SAML LogoutResponse is valid
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:return: Returns if the SAML LogoutResponse is or not valid
:rtype: boolean
"""
self.__error = None
try:
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data["entityId"]
get_data = request_data["get_data"]
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(
self.document, "saml-schema-protocol-2.0.xsd", self.__settings.is_debug_active()
)
if not isinstance(res, Document):
raise Exception("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd")
security = self.__settings.get_security_data()
# Check if the InResponseTo of the Logout Response matchs the ID of the Logout Request (requestId) if provided
if request_id is not None and self.document.documentElement.hasAttribute("InResponseTo"):
in_response_to = self.document.documentElement.getAttribute("InResponseTo")
if request_id != in_response_to:
raise Exception(
"The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s"
% (in_response_to, request_id)
)
# Check issuer
issuer = self.get_issuer()
if issuer is not None and issuer != idp_entity_id:
raise Exception("Invalid issuer in the Logout Request")
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check destination
if self.document.documentElement.hasAttribute("Destination"):
destination = self.document.documentElement.getAttribute("Destination")
if destination != "":
if current_url not in destination:
raise Exception("The LogoutRequest was received at $currentURL instead of $destination")
if security["wantMessagesSigned"]:
if "Signature" not in get_data:
raise Exception("The Message of the Logout Response is not signed and the SP require it")
if "Signature" in get_data:
if "SigAlg" not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data["SigAlg"]
signed_query = "SAMLResponse=%s" % quote_plus(get_data["SAMLResponse"])
if "RelayState" in get_data:
signed_query = "%s&RelayState=%s" % (signed_query, quote_plus(get_data["RelayState"]))
signed_query = "%s&SigAlg=%s" % (signed_query, quote_plus(sign_alg))
if "x509cert" not in idp_data or idp_data["x509cert"] is None:
raise Exception(
"In order to validate the sign on the Logout Response, the x509cert of the IdP is required"
)
cert = idp_data["x509cert"]
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data["Signature"]), cert, sign_alg
):
raise Exception("Signature validation failed. Logout Response rejected")
return True
# pylint: disable=R0801
except Exception as err:
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
return False
def is_valid(self, request_data, raise_exceptions=False):
"""
Checks if the Logout Request received is valid
:param request_data: Request Data
:type request_data: dict
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
:return: If the Logout Request is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
dom = fromstring(self.__logout_request, forbid_dtd=True)
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if 'get_data' in request_data.keys():
get_data = request_data['get_data']
else:
get_data = {}
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(
dom, 'saml-schema-protocol-2.0.xsd',
self.__settings.is_debug_active())
if not isinstance(res, Document):
raise OneLogin_Saml2_ValidationError(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT)
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(
request_data)
# Check NotOnOrAfter
if dom.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(
dom.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise OneLogin_Saml2_ValidationError(
'Could not validate timestamp: expired. Check system clock.',
OneLogin_Saml2_ValidationError.RESPONSE_EXPIRED)
# Check destination
destination = dom.get('Destination')
if destination:
if not OneLogin_Saml2_Utils.normalize_url(
url=destination).startswith(
OneLogin_Saml2_Utils.normalize_url(
url=current_url)):
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' % {
'currentURL': current_url,
'destination': destination,
},
OneLogin_Saml2_ValidationError.WRONG_DESTINATION)
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise OneLogin_Saml2_ValidationError(
'Invalid issuer in the Logout Request (expected %(idpEntityId)s, got %(issuer)s)'
% {
'idpEntityId': idp_entity_id,
'issuer': issuer
}, OneLogin_Saml2_ValidationError.WRONG_ISSUER)
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise OneLogin_Saml2_ValidationError(
'The Message of the Logout Request is not signed and the SP require it',
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'SAMLRequest',
lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (
signed_query,
OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'RelayState',
lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (
signed_query,
OneLogin_Saml2_Utils.get_encoded_parameter(
get_data,
'SigAlg',
OneLogin_Saml2_Constants.RSA_SHA1,
lowercase_urlencoding=lowercase_urlencoding))
exists_x509cert = 'x509cert' in idp_data and idp_data[
'x509cert']
exists_multix509sign = 'x509certMulti' in idp_data and \
'signing' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['signing']
if not (exists_x509cert or exists_multix509sign):
raise OneLogin_Saml2_Error(
'In order to validate the sign on the Logout Request, the x509cert of the IdP is required',
OneLogin_Saml2_Error.CERT_NOT_FOUND)
if exists_multix509sign:
for cert in idp_data['x509certMulti']['signing']:
if OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data['Signature']),
cert, sign_alg):
return True
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Request rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
else:
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data['Signature']),
cert, sign_alg):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Request rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
return True
except Exception as err:
# pylint: disable=R0801sign_alg
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print(err.__str__())
if raise_exceptions:
raise err
return False
def is_valid(settings, request, get_data, debug=False):
"""
Checks if the Logout Request recieved is valid
:param settings: Settings
:type settings: OneLogin_Saml2_Settings
:param request: Logout Request Message
:type request: string|DOMDocument
:return: If the Logout Request is or not valid
:rtype: boolean
"""
try:
if isinstance(request, Document):
dom = request
else:
dom = parseString(request)
idp_data = settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', debug)
if not isinstance(res, Document):
raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
security = settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(get_data)
# Check NotOnOrAfter
if dom.documentElement.hasAttribute('NotOnOrAfter'):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(dom.documentElement.getAttribute('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise Exception('Timing issues (please check your clock settings)')
# Check destination
if dom.documentElement.hasAttribute('Destination'):
destination = dom.documentElement.getAttribute('Destination')
if destination != '':
if current_url not in destination:
raise Exception('The LogoutRequest was received at $currentURL instead of $destination')
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception('The Message of the Logout Request is not signed and the SP require it')
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
raise Exception('Invalid signAlg in the recieved Logout Request')
signed_query = 'SAMLRequest=%s' % quote_plus(get_data['SAMLRequest'])
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (signed_query, quote_plus(get_data['RelayState']))
signed_query = '%s&SigAlg=%s' % (signed_query, quote_plus(sign_alg))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert):
raise Exception('Signature validation failed. Logout Request rejected')
return True
except Exception as err:
debug = settings.is_debug_active()
if debug:
print err
return False
def is_valid(self, request_data, request_id=None):
"""
Determines if the SAML LogoutResponse is valid
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:return: Returns if the SAML LogoutResponse is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
get_data = request_data['get_data']
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if not isinstance(res, Document):
raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
security = self.__settings.get_security_data()
# Check if the InResponseTo of the Logout Response matchs the ID of the Logout Request (requestId) if provided
if request_id is not None and self.document.documentElement.hasAttribute('InResponseTo'):
in_response_to = self.document.documentElement.getAttribute('InResponseTo')
if request_id != in_response_to:
raise Exception('The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id))
# Check issuer
issuer = self.get_issuer()
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check destination
if self.document.documentElement.hasAttribute('Destination'):
destination = self.document.documentElement.getAttribute('Destination')
if destination != '':
if current_url not in destination:
raise Exception('The LogoutRequest was received at $currentURL instead of $destination')
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception('The Message of the Logout Response is not signed and the SP require it')
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLResponse', lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception('In order to validate the sign on the Logout Response, the x509cert of the IdP is required')
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
raise Exception('Signature validation failed. Logout Response rejected')
return True
# pylint: disable=R0801
except Exception as err:
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print err.__str__()
return False
def is_valid(self, request_data, raise_exceptions=False):
"""
Checks if the Logout Request received is valid
:param request_data: Request Data
:type request_data: dict
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
:return: If the Logout Request is or not valid
:rtype: boolean
"""
self.__error = None
lowercase_urlencoding = False
try:
dom = fromstring(self.__logout_request, forbid_dtd=True)
idp_data = self.__settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if 'get_data' in request_data.keys():
get_data = request_data['get_data']
else:
get_data = {}
if 'lowercase_urlencoding' in request_data.keys():
lowercase_urlencoding = request_data['lowercase_urlencoding']
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if not isinstance(res, Document):
raise OneLogin_Saml2_ValidationError(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
)
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check NotOnOrAfter
if dom.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(dom.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise OneLogin_Saml2_ValidationError(
'Could not validate timestamp: expired. Check system clock.',
OneLogin_Saml2_ValidationError.RESPONSE_EXPIRED
)
# Check destination
if dom.get('Destination', None):
destination = dom.get('Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' %
{
'currentURL': current_url,
'destination': destination,
},
OneLogin_Saml2_ValidationError.WRONG_DESTINATION
)
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise OneLogin_Saml2_ValidationError(
'Invalid issuer in the Logout Request (expected %(idpEntityId)s, got %(issuer)s)' %
{
'idpEntityId': idp_entity_id,
'issuer': issuer
},
OneLogin_Saml2_ValidationError.WRONG_ISSUER
)
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise OneLogin_Saml2_ValidationError(
'The Message of the Logout Request is not signed and the SP require it',
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest', lowercase_urlencoding=lowercase_urlencoding)
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']
exists_multix509sign = 'x509certMulti' in idp_data and \
'signing' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['signing']
if not (exists_x509cert or exists_multix509sign):
raise OneLogin_Saml2_Error(
'In order to validate the sign on the Logout Request, the x509cert of the IdP is required',
OneLogin_Saml2_Error.CERT_NOT_FOUND
)
if exists_multix509sign:
for cert in idp_data['x509certMulti']['signing']:
if OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
return True
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Request rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
)
else:
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. Logout Request rejected',
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
)
return True
except Exception as err:
# pylint: disable=R0801sign_alg
self.__error = err.__str__()
debug = self.__settings.is_debug_active()
if debug:
print(err.__str__())
if raise_exceptions:
raise err
return False
def is_valid(settings, request, get_data, debug=False):
"""
Checks if the Logout Request recieved is valid
:param settings: Settings
:type settings: OneLogin_Saml2_Settings
:param request: Logout Request Message
:type request: string|DOMDocument
:return: If the Logout Request is or not valid
:rtype: boolean
"""
try:
if isinstance(request, Document):
dom = request
else:
dom = parseString(request)
idp_data = settings.get_idp_data()
idp_entity_id = idp_data['entityId']
if settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(
dom, 'saml-schema-protocol-2.0.xsd', debug)
if not isinstance(res, Document):
raise Exception(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd'
)
security = settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(
get_data)
# Check NotOnOrAfter
if dom.documentElement.hasAttribute('NotOnOrAfter'):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(
dom.documentElement.getAttribute('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise Exception(
'Timing issues (please check your clock settings)')
# Check destination
if dom.documentElement.hasAttribute('Destination'):
destination = dom.documentElement.getAttribute(
'Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at $currentURL instead of $destination'
)
# Check issuer
issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
if issuer is not None and issuer != idp_entity_id:
raise Exception('Invalid issuer in the Logout Request')
if security['wantMessagesSigned']:
if 'Signature' not in get_data:
raise Exception(
'The Message of the Logout Request is not signed and the SP require it'
)
if 'Signature' in get_data:
if 'SigAlg' not in get_data:
sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
else:
sign_alg = get_data['SigAlg']
if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
raise Exception(
'Invalid signAlg in the recieved Logout Request')
signed_query = 'SAMLRequest=%s' % quote_plus(
get_data['SAMLRequest'])
if 'RelayState' in get_data:
signed_query = '%s&RelayState=%s' % (
signed_query, quote_plus(get_data['RelayState']))
signed_query = '%s&SigAlg=%s' % (signed_query,
quote_plus(sign_alg))
if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
raise Exception(
'In order to validate the sign on the Logout Request, the x509cert of the IdP is required'
)
cert = idp_data['x509cert']
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, b64decode(get_data['Signature']), cert):
raise Exception(
'Signature validation failed. Logout Request rejected')
return True
except Exception as err:
debug = settings.is_debug_active()
if debug:
print err
return False
