def __init__(self, config_file, entityid=None, debug=False):
self.urls = []
self.cache = {}
self.debug = debug
sp_conf = config_factory("sp", config_file)
idp_conf = config_factory("idp", config_file)
self.config = {
"SP": sp_conf,
"IDP": idp_conf
}
sys.path.insert(0, os.path.dirname(config_file))
conf = importlib.import_module(os.path.basename(config_file))
self.attribute_module = conf.ATTRIBUTE_MODULE
# If entityID is set it means this is a proxy in front of one IdP.
if entityid:
self.entity_id = entityid
self.sp_args = {}
else:
self.entity_id = None
self.sp_args = {"discosrv": conf.DISCO_SRV}
sp = SamlSP(None, None, self.config["SP"], self.cache, **self.sp_args)
self.urls.extend(sp.register_endpoints())
idp = SamlIDP(None, None, self.config["IDP"], self.cache, None)
self.urls.extend(idp.register_endpoints())
def __init__(self, config_file, entityid=None, debug=False):
self.urls = []
self.cache = {}
self.debug = debug
sp_conf = config_factory("sp", config_file)
idp_conf = config_factory("idp", config_file)
self.config = {"SP": sp_conf, "IDP": idp_conf}
sys.path.insert(0, os.path.dirname(config_file))
conf = importlib.import_module(os.path.basename(config_file))
self.attribute_module = conf.ATTRIBUTE_MODULE
# If entityID is set it means this is a proxy in front of one IdP.
if entityid:
self.entity_id = entityid
self.sp_args = {}
else:
self.entity_id = None
self.sp_args = {"discosrv": conf.DISCO_SRV}
sp = SamlSP(None, None, self.config["SP"], self.cache, **self.sp_args)
self.urls.extend(sp.register_endpoints())
idp = SamlIDP(None, None, self.config["IDP"], self.cache, None)
self.urls.extend(idp.register_endpoints())
def load_config(self, config_file, stype="idp"):
""" Load the server configuration
:param config_file: The name of the configuration file
:param stype: The type of Server ("idp"/"aa")
"""
self.conf = config_factory(stype, config_file)
if stype == "aa":
return
try:
# subject information is stored in a database
# default database is a shelve database which is OK in some setups
dbspec = self.conf.getattr("subject_data", "idp")
idb = None
if isinstance(dbspec, basestring):
idb = shelve.open(dbspec, writeback=True)
else: # database spec is a a 2-tuple (type, address)
print >> sys.stderr, "DBSPEC: %s" % dbspec
(typ, addr) = dbspec
if typ == "shelve":
idb = shelve.open(addr, writeback=True)
elif typ == "memcached":
idb = memcache.Client(addr)
elif typ == "dict": # in-memory dictionary
idb = addr
if idb is not None:
self.ident = Identifier(idb, self.conf.virtual_organization)
else:
raise Exception("Couldn't open identity database: %s" %
(dbspec,))
except AttributeError:
self.ident = None
def setup_class(self):
server = Server("idp_conf")
name_id = server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp", "id12")
self._resp_ = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement": "Jeter"},
name_id=name_id)
self._sign_resp_ = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement": "Jeter"},
name_id=name_id,
sign=True)
self._resp_authn = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement": "Jeter"},
name_id=name_id,
authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login"))
self.conf = config_factory("sp", "server_conf")
self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
def setup_class(self):
server = Server("idp_conf")
name_id = server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp","id12")
self._resp_ = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement":"Jeter"},
name_id = name_id
)
self._sign_resp_ = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement":"Jeter"},
name_id = name_id,
sign=True
)
self._resp_authn = server.do_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
{"eduPersonEntitlement":"Jeter"},
name_id = name_id,
authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login")
)
self.conf = config_factory("sp", "server_conf")
self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
def __init__(self, entity_type, config=None, config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
for item in ["cert_file", "key_file", "ca_certs"]:
_val = getattr(self.config, item, None)
if not _val:
continue
if _val.startswith("http"):
r = requests.request("GET", _val)
if r.status_code == 200:
_, filename = make_temp(r.text, ".pem", False)
setattr(self.config, item, filename)
else:
raise Exception(
"Could not fetch certificate from %s" % _val)
try:
self.signkey = RSA.importKey(
open(self.config.getattr("key_file", ""), 'r').read(),
passphrase=self.config.key_file_passphrase)
except (KeyError, TypeError):
self.signkey = None
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in self.config.vorg.values():
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, basestring):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def setup_class(self):
server = Server("idp_conf")
name_id = server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp","id12")
policy = server.conf.getattr("policy", "idp")
self._resp_ = server.create_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
IDENTITY, name_id = name_id, policy=policy)
self._sign_resp_ = server.create_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
IDENTITY,
name_id = name_id, sign_assertion=True, policy=policy)
self._resp_authn = server.create_response(
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
IDENTITY,
name_id = name_id,
authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login"),
policy=policy)
self.conf = config_factory("sp", "server_conf")
self.conf.only_use_keys_in_metadata = False
self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
def make_plugin(rememberer_name=None, # plugin for remember
cache= "", # cache
# Which virtual organization to support
virtual_organization="",
saml_conf="",
wayf="",
sid_store="",
identity_cache="",
discovery="",
):
if saml_conf is "":
raise ValueError(
'must include saml_conf in configuration')
if rememberer_name is None:
raise ValueError(
'must include rememberer_name in configuration')
if identity_cache == "memcached":
identity_cache = mcache.Cache(['127.0.0.1:11211'], debug=0)
conf = config_factory("sp", saml_conf)
scl = Saml2Client(config=conf, identity_cache=identity_cache,
virtual_organization=virtual_organization)
plugin = SAML2Plugin(rememberer_name, conf, scl, wayf, cache, sid_store,
discovery)
return plugin
def setup_class(self):
with closing(Server(dotname("idp_conf"))) as server:
name_id = server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp","id12")
self._resp_ = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
authn=AUTHN)
self._sign_resp_ = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id, sign_assertion=True,
authn=AUTHN)
self._resp_authn = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
authn=AUTHN)
self.conf = config_factory("sp", dotname("server_conf"))
self.conf.only_use_keys_in_metadata = False
self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
def setup_class(self):
with closing(Server(dotname("idp_conf"))) as server:
name_id = server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp", "id12")
self._resp_ = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
authn=AUTHN)
self._sign_resp_ = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
sign_assertion=True,
authn=AUTHN)
self._resp_authn = server.create_authn_response(
IDENTITY,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
authn=AUTHN)
self.conf = config_factory("sp", dotname("server_conf"))
self.conf.only_use_keys_in_metadata = False
self.ar = authn_response(self.conf,
"http://lingon.catalogix.se:8087/")
def make_plugin(remember_name=None, # plugin for remember
cache="", # cache
# Which virtual organization to support
virtual_organization="",
saml_conf="",
wayf="",
sid_store="",
identity_cache="",
discovery="",
idp_query_param=""
):
if saml_conf is "":
raise ValueError(
'must include saml_conf in configuration')
if remember_name is None:
raise ValueError('must include remember_name in configuration')
conf = config_factory("sp", saml_conf)
scl = Saml2Client(config=conf, identity_cache=identity_cache,
virtual_organization=virtual_organization)
plugin = SAML2Plugin(remember_name, conf, scl, wayf, cache, sid_store,
discovery, idp_query_param)
return plugin
def __init__(self, config=None,
identity_cache=None, state_cache=None,
virtual_organization=None, config_file="", logger=None):
"""
:param config: A saml2.config.Config instance
:param identity_cache: Where the class should store identity information
:param state_cache: Where the class should keep state information
:param virtual_organization: Which if any virtual organization this
SP belongs to
"""
self.users = Population(identity_cache)
# for server state storage
if state_cache is None:
self.state = {} # in memory storage
else:
self.state = state_cache
if config:
self.config = config
elif config_file:
self.config = config_factory("sp", config_file)
else:
raise Exception("Missing configuration")
self.metadata = self.config.metadata
if logger is None:
self.logger = self.config.setup_logger()
else:
self.logger = logger
# we copy the config.debug variable in an internal
# field for convenience and because we may need to
# change it during the tests
self.debug = self.config.debug
self.sec = security_context(self.config, log=self.logger,
debug=self.debug)
if virtual_organization:
self.vorg = VirtualOrg(self, virtual_organization)
else:
self.vorg = None
if "allow_unsolicited" in self.config:
self.allow_unsolicited = self.config.allow_unsolicited
else:
self.allow_unsolicited = False
if getattr(self.config, 'authn_requests_signed', 'false') == 'true':
self.authn_requests_signed_default = True
else:
self.authn_requests_signed_default = False
if getattr(self.config, 'logout_requests_signed', 'false') == 'true':
self.logout_requests_signed_default = True
else:
self.logout_requests_signed_default = False
def make_plugin(remember_name=None, # plugin for remember
cache="", # cache
# Which virtual organization to support
virtual_organization="",
saml_conf="",
wayf="",
sid_store="",
identity_cache="",
discovery="",
idp_query_param=""
):
if saml_conf is "":
raise ValueError(
'must include saml_conf in configuration')
if remember_name is None:
raise ValueError('must include remember_name in configuration')
conf = config_factory("sp", saml_conf)
scl = Saml2Client(config=conf, identity_cache=identity_cache,
virtual_organization=virtual_organization)
plugin = SAML2Plugin(remember_name, conf, scl, wayf, cache, sid_store,
discovery, idp_query_param)
return plugin
def __init__(self, entity_type, config=None, config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
for item in ["cert_file", "key_file", "ca_certs"]:
_val = getattr(self.config, item, None)
if not _val:
continue
if _val.startswith("http"):
r = requests.request("GET", _val)
if r.status_code == 200:
_, filename = make_temp(r.text, ".pem", False)
setattr(self.config, item, filename)
else:
raise Exception(
"Could not fetch certificate from %s" % _val)
try:
self.signkey = RSA.importKey(
open(self.config.getattr("key_file", ""), 'r').read())
except (KeyError, TypeError):
self.signkey = None
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in self.config.vorg.values():
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, six.string_types):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def __init__(self,
config=None,
identity_cache=None,
state_cache=None,
virtual_organization=None,
config_file=""):
"""
:param config: A saml2.config.Config instance
:param identity_cache: Where the class should store identity information
:param state_cache: Where the class should keep state information
:param virtual_organization: Which if any virtual organization this
SP belongs to
"""
self.users = Population(identity_cache)
# for server state storage
if state_cache is None:
self.state = {} # in memory storage
else:
self.state = state_cache
if config:
self.config = config
elif config_file:
self.config = config_factory("sp", config_file)
else:
raise Exception("Missing configuration")
self.metadata = self.config.metadata
self.config.setup_logger()
# we copy the config.debug variable in an internal
# field for convenience and because we may need to
# change it during the tests
self.debug = self.config.debug
self.sec = security_context(self.config)
if virtual_organization:
self.vorg = VirtualOrg(self, virtual_organization)
else:
self.vorg = None
if "allow_unsolicited" in self.config:
self.allow_unsolicited = self.config.allow_unsolicited
else:
self.allow_unsolicited = False
if getattr(self.config, 'authn_requests_signed', 'false') == 'true':
self.authn_requests_signed_default = True
else:
self.authn_requests_signed_default = False
if getattr(self.config, 'logout_requests_signed', 'false') == 'true':
self.logout_requests_signed_default = True
else:
self.logout_requests_signed_default = False
def __init__(self, config=None, identity_cache=None, state_cache=None,
virtual_organization="",config_file=""):
"""
:param config: A saml2.config.Config instance
:param identity_cache: Where the class should store identity information
:param state_cache: Where the class should keep state information
:param virtual_organization: A specific virtual organization
"""
self.users = Population(identity_cache)
# for server state storage
if state_cache is None:
self.state = {} # in memory storage
else:
self.state = state_cache
if config:
self.config = config
elif config_file:
self.config = config_factory("sp", config_file)
else:
raise Exception("Missing configuration")
if self.config.vorg:
for vo in self.config.vorg.values():
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
# we copy the config.debug variable in an internal
# field for convenience and because we may need to
# change it during the tests
self.debug = self.config.debug
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, basestring):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = {}
for foo in ["allow_unsolicited", "authn_requests_signed",
"logout_requests_signed"]:
if self.config.getattr("sp", foo) == 'true':
setattr(self, foo, True)
else:
setattr(self, foo, False)
# extra randomness
self.seed = rndstr(32)
self.logout_requests_signed_default = True
self.allow_unsolicited = self.config.getattr("allow_unsolicited", "sp")
def __init__(self, config_module, config=None):
"""
:type config_module: str
:type config: {dict}
:param config_module: Path to a file containing the SP SAML configuration.
:param config: SP SAML configuration.
"""
if config is None:
config = config_factory('sp', config_module)
Saml2Client.__init__(self, config)
def test():
# The needed key is the private key, not for encryption but for decryption
_key = import_rsa_key_from_file("mykey.pem")
idp_conf = config_factory("idp", "idp_conf")
generate_metadata = MetadataGeneration(idp_proxy_conf.SERVICE, _key,
idp_conf, idp_conf.xmlsec_path)
sps = idp_conf.metadata.service_providers()
qs = {
"entityId": sps[0],
"secret": {
"Google": {
"key": "lingon",
"secret": "aaaaa"
},
"Facebook": {
"key": "hallon",
"secret": "bbbbb"
},
"Twitter": {
"key": "jordgubb",
"secret": "ccccc"
}
}
}
res = generate_metadata.handle_metadata_save(
{
'wsgi.url_scheme': "https",
'HTTP_HOST': "example.com"
}, None, qs)
s = res[0].index("<mdattr:EntityAttributes")
e = res[0].index("</mdattr:EntityAttributes>")
snippet = res[0][s:e + len("</mdattr:EntityAttributes>")]
entity_attributes = mdattr.entity_attributes_from_string(snippet)
entdescr = idp_conf.metadata.metadata["./sp/sp.xml"].entity_descr
ext = element_to_extension_element(entity_attributes)
entdescr.spsso_descriptor[0].extensions.extension_elements.append(ext)
print entity_attributes
qs = {secret.CONST_BODY: json.dumps({"xml": "%s" % entdescr})}
generate_metadata.handle_metadata_verify_json(
{
'wsgi.url_scheme': "https",
'HTTP_HOST': "example.com"
}, None, qs)
def _get_test_response(self, path):
conf = config_factory("idp", dotname("server_conf"))
resp = authn_response(
conf,
"https://sp:443/.auth/saml/login",
asynchop=False,
allow_unsolicited=True,
)
with open(path, "r") as fp:
authn_response_xml = fp.read()
resp.loads(authn_response_xml, False)
return resp
def test():
# The needed key is the private key, not for encryption but for decryption
_key = import_rsa_key_from_file("mykey.pem")
idp_conf = config_factory("idp", "idp_conf")
generate_metadata = MetadataGeneration(
idp_proxy_conf.SERVICE, _key, idp_conf,
idp_conf.xmlsec_path)
sps = idp_conf.metadata.service_providers()
qs = {
"entityId": sps[0],
"secret": {
"Google": {
"key": "lingon",
"secret": "aaaaa"},
"Facebook": {
"key": "hallon",
"secret": "bbbbb"},
"Twitter": {
"key": "jordgubb",
"secret": "ccccc"}
}
}
res = generate_metadata.handle_metadata_save({'wsgi.url_scheme': "https",
'HTTP_HOST': "example.com"},
None, qs)
s = res[0].index("<mdattr:EntityAttributes")
e = res[0].index("</mdattr:EntityAttributes>")
snippet = res[0][s:e+len("</mdattr:EntityAttributes>")]
entity_attributes = mdattr.entity_attributes_from_string(snippet)
entdescr = idp_conf.metadata.metadata["./sp/sp.xml"].entity_descr
ext = element_to_extension_element(entity_attributes)
entdescr.spsso_descriptor[0].extensions.extension_elements.append(ext)
print entity_attributes
qs = {secret.CONST_BODY: json.dumps({"xml": "%s" % entdescr})}
generate_metadata.handle_metadata_verify_json({'wsgi.url_scheme':"https",
'HTTP_HOST': "example.com"},
None, qs)
def chooseIdp(environ, start_response, startText):
query = environ.get("QUERY_STRING")
try:
_idp_entity_id = dict(parse_qs(query))["IdPEntityId"][0]
except KeyError:
conf = config_factory("sp", "sp_conf")
idps = conf.metadata.with_descriptor("idpsso")
if len(idps) > 1:
response = ["<H3>You have configured multiple IdP's for this SP.</H3><br />Please choose the IdP to use and click on login.<br /><br />"]
response.insert(0,startText)
response.append("<form><select name='IdPEntityId'>")
for tmp_idp_entity_id in idps.keys():
response.append("<option value='"+tmp_idp_entity_id+"'>"+tmp_idp_entity_id+"</option>")
response.append("</select><input type='submit' value='Login'/></form>")
resp = Response(response)
return resp(environ, start_response)
return None
def test_signed_response_with_hmac_should_fail(self,
mock_validate_on_or_after):
conf = config_factory("sp", dotname("server_conf"))
ar = authn_response(conf, return_addrs="https://example.org/acs/post")
ar.issue_instant_ok = Mock(return_value=True)
with open(SIGNED_RESPONSE_HMAC) as fp:
xml_response = fp.read()
ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
ar.timeslack = 10000
# .loads checks the response signature
with raises(SignatureError):
ar.loads(xml_response, decode=False)
assert ar.ava is None
assert ar.name_id is None
def __init__(self,
entity_type,
config=None,
config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in list(self.config.vorg.values()):
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.seed = rndbytes(32)
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, str):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def test_signed_assertion_with_random_embedded_cert_should_be_ignored(
self, mock_validate_on_or_after):
"""
if the embedded cert is not ignored then verification will fail
"""
conf = config_factory("sp", dotname("server_conf"))
ar = authn_response(
conf, return_addrs="https://51.15.251.81.xip.io/acs/post")
ar.issue_instant_ok = Mock(return_value=True)
with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp:
xml_response = fp.read()
ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
ar.timeslack = 10000
# .loads does not check the assertion, only the response signature
# use .verify to verify the contents of the response
assert ar.loads(xml_response, decode=False)
assert ar.verify()
def __init__(self, entity_type, config=None, config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in self.config.vorg.values():
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.seed = rndstr(32)
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, basestring):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def register_endpoints(self):
"""
Given the configuration, return a set of URL to function mappings.
"""
url_map = []
sp_endpoints = self.sp.config.getattr("endpoints", "sp")
for endp, binding in sp_endpoints["assertion_consumer_service"]:
p = urlparse(endp)
url_map.append(("^%s?(.*)$" % p.path[1:], ("SP", "authn_response",
BINDING_MAP[binding])))
url_map.append(("^%s$" % p.path[1:], ("SP", "authn_response",
BINDING_MAP[binding])))
if self.discosrv:
for endp, binding in sp_endpoints["discovery_response"]:
p = urlparse(endp)
url_map.append(("^%s$" % p.path[1:], ("SP", "disco_response",
BINDING_MAP[binding])))
return url_map
if __name__ == "__main__":
import sys
from saml2.config import config_factory
_config = config_factory("sp", sys.argv[1])
sp = SamlSP(None, None, _config)
maps = sp.register_endpoints()
print(maps)
def __init__(self,
config=None,
identity_cache=None,
state_cache=None,
virtual_organization="",
config_file=""):
"""
:param config: A saml2.config.Config instance
:param identity_cache: Where the class should store identity information
:param state_cache: Where the class should keep state information
:param virtual_organization: A specific virtual organization
"""
self.users = Population(identity_cache)
# for server state storage
if state_cache is None:
self.state = {} # in memory storage
else:
self.state = state_cache
if config:
self.config = config
elif config_file:
self.config = config_factory("sp", config_file)
else:
raise Exception("Missing configuration")
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in self.config.vorg.values():
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
# we copy the config.debug variable in an internal
# field for convenience and because we may need to
# change it during the tests
self.debug = self.config.debug
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, basestring):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
for foo in [
"allow_unsolicited", "authn_requests_signed",
"logout_requests_signed"
]:
if self.config.getattr("sp", foo) == 'true':
setattr(self, foo, True)
else:
setattr(self, foo, False)
# extra randomness
self.seed = rndstr(32)
self.logout_requests_signed_default = True
self.allow_unsolicited = self.config.getattr("allow_unsolicited", "sp")
def setup_class(self):
self.conf = config_factory("sp", dotname("server_conf"))
self.ar = authn_response(self.conf,
return_addrs="https://example.org/acs/post")
def __init__(self, args, base_dir):
self.idp_server = None
sys.path.insert(0, os.getcwd())
server_conf = importlib.import_module(args.server_config)
e_alg = None
if "e_alg" in args:
e_alg = args.e_alg
key = None
if "key" in args:
key = args.key
h_alg = None
if "h_alg" in args:
h_alg = args.h_alg
iv = None
if "iv" in args:
iv = args.iv
self.tid_handler = TargetIdHandler(e_alg=e_alg, key=key, h_alg=h_alg, iv=iv)
self.cache = {}
self.urls = [(r'.+\.css$', WsgiApplication.css), ]
self.sp_args = None
self.base_dir = base_dir
if os.path.isdir(self.base_dir + "/static"):
self.static_dir = self.base_dir
else:
self.static_dir = "/opt/pefimproxy/"
self.logger = WsgiApplication.create_logger(server_conf.LOG_FILE, self.base_dir)
# read the configuration file
config = importlib.import_module(args.config)
# deal with metadata only once
_metadata_conf = config.CONFIG["metadata"]
_spc = config_factory("sp", args.config)
mds = _spc.load_metadata(_metadata_conf)
idp_conf, sp_confs = get_configurations(args.config, metadata_construction=False, metadata=mds,
cache=self.cache)
self.config = {
"SP": sp_confs,
"IDP": idp_conf}
# If entityID is set it means this is a proxy in front of one IdP
if args.entityid:
self.entity_id = args.entityid
self.sp_args = {}
else:
self.entity_id = None
self.sp_args = {"discosrv": config.DISCO_SRV}
sp = SamlSP(None, None, self.config["SP"], self.cache)
self.urls.extend(sp.register_endpoints())
try:
self.tid1_to_tid2 = server_conf.TID1_TO_TID2
except:
self.tid1_to_tid2 = None
try:
self.tid2_to_tid1 = server_conf.TID2_TO_TID1
except:
self.tid2_to_tid1 = None
try:
self.encmsg_to_iv = server_conf.ENCMSG_TO_IV
except:
self.encmsg_to_iv = None
try:
self.force_persistant_nameid = server_conf.FORCE_PRESISTENT_NAMEID
except:
self.force_persistant_nameid = False
try:
self.force_no_userid_subject_cacheing = server_conf.FORCE_NO_USERID_SUBJECT_CACHEING
except:
self.force_no_userid_subject_cacheing = False
samlidp = self.create_SamlIDP(None, None, None)
self.urls.extend(samlidp.register_endpoints())
self.issuer = server_conf.ISSUER
def __init__(self, config_module):
Saml2Client.__init__(self, config_factory('sp', config_module))
parser = argparse.ArgumentParser()
parser.add_argument('-d', dest='debug', action='store_true')
parser.add_argument('-e', dest="entityid")
parser.add_argument(dest="config")
args = parser.parse_args()
# read the configuration file
sys.path.insert(0, ".")
Config = importlib.import_module(args.config)
# deal with metadata only once
_metadata_conf = Config.CONFIG["metadata"]
Config.CONFIG["metadata"] = {}
CONFIG = {
"SP": config_factory("sp", args.config),
"IDP": config_factory("idp", args.config)
}
_spc = CONFIG["SP"]
mds = _spc.load_metadata(_metadata_conf)
CONFIG["SP"].metadata = mds
CONFIG["IDP"].metadata = mds
# If entityID is set it means this is a proxy in front of one IdP
if args.entityid:
EntityID = args.entityid
SP_ARGS = {}
else:
EntityID = None
def setup_class(self):
self.conf = config_factory("sp", dotname("server_conf"))
self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
def register_endpoints(self):
"""
Given the configuration, return a set of URL to function mappings.
"""
url_map = []
for endp, binding in self.sp.config.getattr(
"endpoints", "sp")["assertion_consumer_service"]:
p = urlparse(endp)
url_map.append(("^%s?(.*)$" % p.path[1:], ("SP", "authn_response",
BINDING_MAP[binding])))
url_map.append(("^%s$" % p.path[1:], ("SP", "authn_response",
BINDING_MAP[binding])))
for endp, binding in self.sp.config.getattr(
"endpoints", "sp")["discovery_response"]:
p = urlparse(endp)
url_map.append(("^%s\?(.*)$" % p.path[1:], ("SP", "disco_response",
BINDING_MAP[binding])))
return url_map
if __name__ == "__main__":
import sys
from saml2.config import config_factory
_config = config_factory("sp", sys.argv[1])
sp = SamlSP(None, None, _config)
maps = sp.register_endpoints()
print maps
def __init__(self, config_module):
Saml2Client.__init__(self, config_factory('sp', config_module))
parser = argparse.ArgumentParser()
parser.add_argument('-d', dest='debug', action='store_true')
parser.add_argument('-e', dest="entityid")
parser.add_argument(dest="config")
args = parser.parse_args()
# read the configuration file
sys.path.insert(0, ".")
Config = importlib.import_module(args.config)
# deal with metadata only once
_metadata_conf = Config.CONFIG["metadata"]
Config.CONFIG["metadata"] = {}
CONFIG = {
"SP": config_factory("sp", args.config),
"IDP": config_factory("idp", args.config)}
_spc = CONFIG["SP"]
mds = _spc.load_metadata(_metadata_conf)
CONFIG["SP"].metadata = mds
CONFIG["IDP"].metadata = mds
# If entityID is set it means this is a proxy in front of one IdP
if args.entityid:
EntityID = args.entityid
SP_ARGS = {}
else:
EntityID = None
SP_ARGS = {"discosrv": Config.DISCO_SRV}
def __init__(
self,
config=None,
debug=0,
identity_cache=None,
state_cache=None,
virtual_organization=None,
config_file="",
logger=None,
):
"""
:param config: A saml2.config.Config instance
:param debug: Whether debugging should be done even if the
configuration says otherwise
:param identity_cache: Where the class should store identity information
:param state_cache: Where the class should keep state information
:param virtual_organization: Which if any virtual organization this
SP belongs to
"""
self.users = Population(identity_cache)
# for server state storage
if state_cache is None:
self.state = {} # in memory storage
else:
self.state = state_cache
self.sec = None
if config:
self.config = config
elif config_file:
self.config = config_factory("sp", config_file)
else:
raise Exception("Missing configuration")
self.metadata = self.config.metadata
if logger is None:
self.logger = self.config.setup_logger()
else:
self.logger = logger
if not debug and self.config:
self.debug = self.config.debug
else:
self.debug = debug
self.sec = security_context(self.config, log=self.logger, debug=self.debug)
if virtual_organization:
self.vorg = VirtualOrg(self, virtual_organization)
else:
self.vorg = None
if "allow_unsolicited" in self.config:
self.allow_unsolicited = self.config.allow_unsolicited
else:
self.allow_unsolicited = False
if "verify_signatures" in self.config:
self.verify_signatures = self.config.verify_signatures
else:
self.verify_signatures = True
if getattr(self.config, "authn_requests_signed", "false") == "true":
self.authn_requests_signed_default = True
else:
self.authn_requests_signed_default = False
if getattr(self.config, "logout_requests_signed", "false") == "true":
self.logout_requests_signed_default = True
else:
self.logout_requests_signed_default = False
