def _create_subject(self, user, expiration_time, recipient): """Create an object that represents a SAML Subject. <ns0:Subject> <ns0:NameID> [email protected]</ns0:NameID> <ns0:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <ns0:SubjectConfirmationData NotOnOrAfter="2014-08-19T11:53:57.243106Z" Recipient="http://beta.com/Shibboleth.sso/SAML2/POST" /> </ns0:SubjectConfirmation> </ns0:Subject> :returns: XML <Subject> object """ name_id = saml.NameID() name_id.set_text(user) subject_conf_data = saml.SubjectConfirmationData() subject_conf_data.recipient = recipient subject_conf_data.not_on_or_after = expiration_time subject_conf = saml.SubjectConfirmation() subject_conf.method = saml.SCM_BEARER subject_conf.subject_confirmation_data = subject_conf_data subject = saml.Subject() subject.subject_confirmation = subject_conf subject.name_id = name_id return subject
def do_authz_decision_query(self, entity_id, action, subject_id, nameid_format, evidence=None, resource=None, sp_name_qualifier=None, name_qualifier=None, consent=None, extensions=None, sign=False): subject = saml.Subject( name_id=saml.NameID(text=subject_id, format=nameid_format, sp_name_qualifier=sp_name_qualifier, name_qualifier=name_qualifier)) srvs = self.metadata.authz_service(entity_id, BINDING_SOAP) for dest in locations(srvs): resp = self._use_soap(dest, "authz_decision_query", action=action, evidence=evidence, resource=resource, subject=subject) if resp: return resp return None
def create_attribute_query(self, destination, name_id=None, attribute=None, message_id=0, consent=None, extensions=None, sign=False, sign_prepare=False, **kwargs): """ Constructs an AttributeQuery :param destination: To whom the query should be sent :param name_id: The identifier of the subject :param attribute: A dictionary of attributes and values that is asked for. The key are one of 4 variants: 3-tuple of name_format,name and friendly_name, 2-tuple of name_format and name, 1-tuple with name or just the name as a string. :param sp_name_qualifier: The unique identifier of the service provider or affiliation of providers for whom the identifier was generated. :param name_qualifier: The unique identifier of the identity provider that generated the identifier. :param format: The format of the name ID :param message_id: The identifier of the session :param consent: Whether the principal have given her consent :param extensions: Possible extensions :param sign: Whether the query should be signed or not. :param sign_prepare: Whether the Signature element should be added. :return: Tuple of request ID and an AttributeQuery instance """ if name_id is None: if "subject_id" in kwargs: name_id = saml.NameID(text=kwargs["subject_id"]) for key in ["sp_name_qualifier", "name_qualifier", "format"]: try: setattr(name_id, key, kwargs[key]) except KeyError: pass else: raise AttributeError("Missing required parameter") elif isinstance(name_id, six.string_types): name_id = saml.NameID(text=name_id) for key in ["sp_name_qualifier", "name_qualifier", "format"]: try: setattr(name_id, key, kwargs[key]) except KeyError: pass subject = saml.Subject(name_id=name_id) if attribute: attribute = do_attributes(attribute) try: nsprefix = kwargs["nsprefix"] except KeyError: nsprefix = None return self._message(AttributeQuery, destination, message_id, consent, extensions, sign, sign_prepare, subject=subject, attribute=attribute, nsprefix=nsprefix)
def create_attribute_query(self, session_id, subject_id, destination, issuer_id=None, attribute=None, sp_name_qualifier=None, name_qualifier=None, nameid_format=None, sign=False): """ Constructs an AttributeQuery :param session_id: The identifier of the session :param subject_id: The identifier of the subject :param destination: To whom the query should be sent :param issuer_id: Identifier of the issuer :param attribute: A dictionary of attributes and values that is asked for. The key are one of 4 variants: 3-tuple of name_format,name and friendly_name, 2-tuple of name_format and name, 1-tuple with name or just the name as a string. :param sp_name_qualifier: The unique identifier of the service provider or affiliation of providers for whom the identifier was generated. :param name_qualifier: The unique identifier of the identity provider that generated the identifier. :param nameid_format: The format of the name ID :param sign: Whether the query should be signed or not. :return: An AttributeQuery instance """ subject = saml.Subject(name_id=saml.NameID( text=subject_id, format=nameid_format, sp_name_qualifier=sp_name_qualifier, name_qualifier=name_qualifier), ) query = samlp.AttributeQuery( id=session_id, version=VERSION, issue_instant=instant(), destination=destination, issuer=self._issuer(issuer_id), subject=subject, ) if sign: query.signature = pre_signature_part(query.id, self.sec.my_cert, 1) if attribute: query.attribute = do_attributes(attribute) if sign: signed_query = self.sec.sign_attribute_query_using_xmlsec("%s" % query) return samlp.attribute_query_from_string(signed_query) else: return query
def create_attribute_query(self, destination, subject_id, attribute=None, sp_name_qualifier=None, name_qualifier=None, nameid_format=None, id=0, consent=None, extensions=None, sign=False, **kwargs): """ Constructs an AttributeQuery :param destination: To whom the query should be sent :param subject_id: The identifier of the subject :param attribute: A dictionary of attributes and values that is asked for. The key are one of 4 variants: 3-tuple of name_format,name and friendly_name, 2-tuple of name_format and name, 1-tuple with name or just the name as a string. :param sp_name_qualifier: The unique identifier of the service provider or affiliation of providers for whom the identifier was generated. :param name_qualifier: The unique identifier of the identity provider that generated the identifier. :param nameid_format: The format of the name ID :param id: The identifier of the session :param consent: Whether the principal have given her consent :param extensions: Possible extensions :param sign: Whether the query should be signed or not. :return: An AttributeQuery instance """ subject = saml.Subject( name_id=saml.NameID(text=subject_id, format=nameid_format, sp_name_qualifier=sp_name_qualifier, name_qualifier=name_qualifier)) if attribute: attribute = do_attributes(attribute) return self._message(AttributeQuery, destination, id, consent, extensions, sign, subject=subject, attribute=attribute)
def testAccessors(self): """Test for AuthnRequest accessors""" self.ar.id = "request id" self.ar.version = saml2.VERSION self.ar.issue_instant = "2007-09-14T01:05:02Z" self.ar.destination = "http://www.example.com/Destination" self.ar.consent = saml.CONSENT_UNSPECIFIED self.ar.issuer = saml.Issuer() self.ar.signature = ds.Signature() self.ar.extensions = samlp.Extensions() self.ar.subject = saml.Subject() self.ar.name_id_policy = samlp.NameIDPolicy() self.ar.conditions = saml.Conditions() self.ar.requested_authn_context = samlp.RequestedAuthnContext() self.ar.scoping = samlp.Scoping() self.ar.force_authn = 'true' self.ar.is_passive = 'true' self.ar.assertion_consumer_service_index = "1" self.ar.assertion_consumer_service_url = "http://www.example.com/acs" self.ar.protocol_binding = saml2.BINDING_HTTP_POST self.ar.attribute_consuming_service_index = "2" self.ar.provider_name = "provider name" new_ar = samlp.authn_request_from_string(self.ar.to_string()) assert new_ar.id == "request id" assert new_ar.version == saml2.VERSION assert new_ar.issue_instant == "2007-09-14T01:05:02Z" assert new_ar.destination == "http://www.example.com/Destination" assert new_ar.consent == saml.CONSENT_UNSPECIFIED assert isinstance(new_ar.issuer, saml.Issuer) assert isinstance(new_ar.signature, ds.Signature) assert isinstance(new_ar.extensions, samlp.Extensions) assert isinstance(new_ar.subject, saml.Subject) assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy) assert isinstance(new_ar.conditions, saml.Conditions) assert isinstance(new_ar.requested_authn_context, samlp.RequestedAuthnContext) assert isinstance(new_ar.scoping, samlp.Scoping) assert new_ar.force_authn == 'true' assert new_ar.is_passive == 'true' assert new_ar.assertion_consumer_service_index == '1' assert new_ar.assertion_consumer_service_url == \ 'http://www.example.com/acs' assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST assert new_ar.attribute_consuming_service_index == '2' assert new_ar.provider_name == "provider name"