def error_response(self, in_response_to, destination, spid, info,
name_id=None, sign=False, issuer=None):
""" Create a error response.
:param in_response_to: The identifier of the message this is a response
to.
:param destination: The intended recipient of this message
:param spid: The entitiy ID of the SP that will get this.
:param info: Either an Exception instance or a 2-tuple consisting of
error code and descriptive text
:param name_id:
:param sign: Whether the message should be signed or not
:param issuer: The issuer of the response
:return: A Response instance
"""
status = error_status_factory(info)
return self._response(
in_response_to, # in_response_to
destination, # consumer_url
spid, # sp_entity_id
name_id=name_id,
status=status,
sign=sign,
issuer=issuer
)
def test_parse_faulty_request_to_err_status(self):
req_id, authn_request = self.client.create_authn_request(
destination="http://www.example.com")
binding = BINDING_HTTP_REDIRECT
htargs = self.client.apply_binding(binding, "%s" % authn_request,
"http://www.example.com", "abcd")
_dict = parse_qs(htargs["headers"][0][1].split('?')[1])
print(_dict)
try:
self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
status = None
except OtherError as oe:
print(oe.args)
status = s_utils.error_status_factory(oe)
assert status
print(status)
assert _eq(status.keyswv(), ["status_code", "status_message"])
assert status.status_message.text == 'Not destined for me!'
status_code = status.status_code
assert _eq(status_code.keyswv(), ["status_code", "value"])
assert status_code.value == samlp.STATUS_RESPONDER
assert status_code.status_code.value == samlp.STATUS_UNKNOWN_PRINCIPAL
def error_response(self, in_response_to, destination, spid, info, name_id=None, sign=False, issuer=None):
""" Create a error response.
:param in_response_to: The identifier of the message this is a response
to.
:param destination: The intended recipient of this message
:param spid: The entitiy ID of the SP that will get this.
:param info: Either an Exception instance or a 2-tuple consisting of
error code and descriptive text
:param name_id:
:param sign: Whether the message should be signed or not
:param issuer: The issuer of the response
:return: A Response instance
"""
status = error_status_factory(info)
return self._response(
in_response_to, # in_response_to
destination, # consumer_url
spid, # sp_entity_id
name_id=name_id,
status=status,
sign=sign,
issuer=issuer,
)
def test_parse_faulty_request_to_err_status(self):
req_id, authn_request = self.client.create_authn_request(
destination="http://www.example.com")
binding = BINDING_HTTP_REDIRECT
htargs = self.client.apply_binding(binding, "%s" % authn_request,
"http://www.example.com", "abcd")
_dict = parse_qs(htargs["headers"][0][1].split('?')[1])
print(_dict)
try:
self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
status = None
except OtherError as oe:
print(oe.args)
status = s_utils.error_status_factory(oe)
assert status
print(status)
assert _eq(status.keyswv(), ["status_code", "status_message"])
assert status.status_message.text == 'Not destined for me!'
status_code = status.status_code
assert _eq(status_code.keyswv(), ["status_code", "value"])
assert status_code.value == samlp.STATUS_RESPONDER
assert status_code.status_code.value == samlp.STATUS_UNKNOWN_PRINCIPAL
def _logout_response(self, req_info, status_code, req_key, sign_response=True):
"""
Create logout response.
:param req_info: Logout request
:param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success')
:param req_key: SAML request id
:param sign_response: cryptographically sign response or not
:return: HTML response
:type req_info: saml2.request.LogoutRequest
:type status_code: string
:type req_key: string
:type sign_response: bool
:rtype: string
"""
self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(),
req_info.sender(),
status_code))
if req_info.binding != BINDING_SOAP:
bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
binding, destination = self.context.idp.pick_binding("single_logout_service", bindings,
entity_id = req_info.sender())
bindings = [binding]
else:
bindings = [BINDING_SOAP]
destination = ""
status = None # None == success in create_logout_response()
if status_code != saml2.samlp.STATUS_SUCCESS:
status = error_status_factory((status_code, "Logout failed"))
self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status))
issuer = self.context.idp._issuer(self.context.idp.config.entityid)
response = self.context.idp.create_logout_response(req_info.message, bindings, status, sign = sign_response,
issuer = issuer)
# Only perform expensive parse/pretty-print if debugging
if self.config.debug:
xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger)
self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr))
ht_args = self.context.idp.apply_binding(bindings[0], str(response), destination, req_info.relay_state,
response = True)
# self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args)))
# Delete the SSO session cookie in the browser
eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config)
# INFO-Log the SAML request ID, result of logout and destination
self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination))
# XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like
# it would be more correct to look at bindings[0] here, since `bindings' is what was used
# with create_logout_response() and apply_binding().
if req_info.binding != bindings[0]:
self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format(
bindings[0], req_info.binding))
return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
def _logout_response(self, req_info, status_code, req_key, sign_response=True):
"""
Create logout response.
:param req_info: Logout request
:param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success')
:param req_key: SAML request id
:param sign_response: cryptographically sign response or not
:return: HTML response
:type req_info: saml2.request.LogoutRequest
:type status_code: string
:type req_key: string
:type sign_response: bool
:rtype: string
"""
self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(),
req_info.sender(),
status_code))
if req_info.binding != BINDING_SOAP:
bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
binding, destination = self.IDP.pick_binding("single_logout_service", bindings,
entity_id = req_info.sender())
bindings = [binding]
else:
bindings = [BINDING_SOAP]
destination = ""
status = None # None == success in create_logout_response()
if status_code != saml2.samlp.STATUS_SUCCESS:
status = error_status_factory((status_code, "Logout failed"))
self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status))
issuer = self.IDP._issuer(self.IDP.config.entityid)
response = self.IDP.create_logout_response(req_info.message, bindings, status, sign = sign_response,
issuer = issuer)
# Only perform expensive parse/pretty-print if debugging
if self.config.debug:
xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger)
self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr))
ht_args = self.IDP.apply_binding(bindings[0], str(response), destination, req_info.relay_state,
response = True)
# self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args)))
# Delete the SSO session cookie in the browser
eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config)
# INFO-Log the SAML request ID, result of logout and destination
self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination))
# XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like
# it would be more correct to look at bindings[0] here, since `bindings' is what was used
# with create_logout_response() and apply_binding().
if req_info.binding != bindings[0]:
self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format(
bindings[0], req_info.binding))
return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
def test_parse_faulty_request_to_err_status(self):
req_id, authn_request = self.client.create_authn_request(destination="http://www.example.com")
binding = BINDING_HTTP_REDIRECT
htargs = self.client.apply_binding(binding, "%s" % authn_request, "http://www.example.com", "abcd")
_dict = parse_qs(htargs["headers"][0][1].split("?")[1])
print _dict
try:
self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
status = None
except OtherError, oe:
print oe.args
status = s_utils.error_status_factory(oe)
def test_parse_faulty_request_to_err_status(self):
authn_request = self.client.authn_request(
query_id = "id1",
destination = "http://www.example.com",
service_url = "http://www.example.org",
spentityid = "urn:mace:example.com:saml:roland:sp",
my_name = "My real name",
)
intermed = s_utils.deflate_and_base64_encode("%s" % authn_request)
try:
self.server.parse_authn_request(intermed)
status = None
except OtherError, oe:
print oe.args
status = s_utils.error_status_factory(oe)
def test_parse_faulty_request_to_err_status(self):
req_id, authn_request = self.client.create_authn_request(
destination="http://www.example.com")
binding = BINDING_HTTP_REDIRECT
htargs = self.client.apply_binding(binding, "%s" % authn_request,
"http://www.example.com", "abcd")
_dict = parse_qs(htargs["headers"][0][1].split('?')[1])
print _dict
try:
self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
status = None
except OtherError, oe:
print oe.args
status = s_utils.error_status_factory(oe)
def create_error_response(self, in_response_to, destination, info,
sign=False, issuer=None):
""" Create a error response.
:param in_response_to: The identifier of the message this is a response
to.
:param destination: The intended recipient of this message
:param info: Either an Exception instance or a 2-tuple consisting of
error code and descriptive text
:param sign: Whether the response should be signed or not
:param issuer: The issuer of the response
:return: A response instance
"""
status = error_status_factory(info)
return self._response(in_response_to, destination, status, issuer,
sign)
def create_error_response(self, in_response_to, destination, info,
sign=False, issuer=None, sign_alg=None, digest_alg=None, **kwargs):
""" Create a error response.
:param in_response_to: The identifier of the message this is a response
to.
:param destination: The intended recipient of this message
:param info: Either an Exception instance or a 2-tuple consisting of
error code and descriptive text
:param sign: Whether the response should be signed or not
:param issuer: The issuer of the response
:param kwargs: To capture key,value pairs I don't care about
:return: A response instance
"""
status = error_status_factory(info)
return self._response(in_response_to, destination, status, issuer,
sign, sign_alg=sign_alg, digest_alg=digest_alg)
def create_error_response(self, in_response_to, destination, info,
sign=False, issuer=None, sign_alg=None,
digest_alg=None, **kwargs):
""" Create a error response.
:param in_response_to: The identifier of the message this is a response
to.
:param destination: The intended recipient of this message
:param info: Either an Exception instance or a 2-tuple consisting of
error code and descriptive text
:param sign: Whether the response should be signed or not
:param issuer: The issuer of the response
:param kwargs: To capture key,value pairs I don't care about
:return: A response instance
"""
status = error_status_factory(info)
return self._response(in_response_to, destination, status, issuer,
sign, sign_alg=sign_alg, digest_alg=digest_alg)
def do_logout_response(req_info, status=None):
if status:
status = s_utils.error_status_factory((status, "Logout failed"))
return logout_response(req_info, status)
def test_status_from_exception():
e = utils.UnknownPrincipal("Error resolving principal")
stat = utils.error_status_factory(e)
status_text = "%s" % stat
print status_text
assert status_text == ERROR_STATUS
def test_status_from_exception():
e = utils.UnknownPrincipal("Error resolving principal")
stat = utils.error_status_factory(e)
status_text = "%s" % stat
print status_text
assert status_text == ERROR_STATUS
def do_logout_response(req_info, status=None):
if status:
status = s_utils.error_status_factory((status, "Logout failed"))
return logout_response(req_info, status)
def test_status_from_tuple():
stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL,
'Error resolving principal'))
status_text = "%s" % stat
assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)
def test_status_from_tuple_empty_message():
stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, None))
status_text = "%s" % stat
assert status_text in (ERROR_STATUS_EMPTY, ERROR_STATUS_NO_HEADER_EMPTY)
def test_status_from_tuple_empty_message():
stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, None))
status_text = "%s" % stat
assert status_text in (ERROR_STATUS_EMPTY, ERROR_STATUS_NO_HEADER_EMPTY)
def test_status_from_tuple():
stat = utils.error_status_factory(
(samlp.STATUS_UNKNOWN_PRINCIPAL, 'Error resolving principal'))
status_text = "%s" % stat
assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)
