def test_sign_response_2(self):
assertion2 = factory( saml.Assertion,
version= "2.0",
id= "11122",
issue_instant= "2009-10-30T13:20:28Z",
signature= sigver.pre_signature_part("11122", self.sec.my_cert),
attribute_statement=do_attribute_statement({
("","","surName"): ("Fox",""),
("","","givenName") :("Bear",""),
})
)
response = factory(samlp.Response,
assertion=assertion2,
id="22233",
signature=sigver.pre_signature_part("22233", self.sec.my_cert))
to_sign = [(class_name(assertion2), assertion2.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
response2 = response_from_string(s_response)
sass = response2.assertion[0]
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11122"
item = self.sec.check_signature(response2, class_name(response),
s_response)
assert isinstance(item, samlp.Response)
def createIdpResponse(self, authn_request_id='2aaaeb7692471eb4ba00d5546877a7fd'):
from saml2.saml import Issuer, Assertion
from saml2.saml import Subject, NameID, SubjectConfirmation, SubjectConfirmationData
from saml2.saml import Conditions, AudienceRestriction, Audience, OneTimeUse
from saml2.saml import AuthnStatement, AuthnContext, AuthnContextClassRef
from saml2.saml import NAMEID_FORMAT_UNSPECIFIED, SUBJECT_CONFIRMATION_METHOD_BEARER
from saml2.saml import NAMEID_FORMAT_ENTITY
from saml2.samlp import Response, Status, StatusCode
from saml2.samlp import STATUS_SUCCESS
from saml2.utils import make_instance
from saml2.sigver import pre_signature_part
from xmldsig import Signature
issue_instant = datetime.utcnow().isoformat() + 'Z'
not_before = (datetime.utcnow() - timedelta(minutes=5)).isoformat() + 'Z'
not_on_or_after = (datetime.utcnow() + timedelta(minutes=5)).isoformat() + 'Z'
issuer = Issuer(format=NAMEID_FORMAT_ENTITY, text='https://idp.swisssign.net/suisseid/eidp')
signature = make_instance(Signature, pre_signature_part('_ea7f4526-43a3-42d6-a0bc-8f367e95802f'))
status = Status(status_code=StatusCode(value=STATUS_SUCCESS))
subject_confirmation_data = SubjectConfirmationData(not_on_or_after=not_on_or_after,
in_response_to=authn_request_id,
recipient='http://nohost/')
subject_confirmation = SubjectConfirmation(method=SUBJECT_CONFIRMATION_METHOD_BEARER,
subject_confirmation_data=subject_confirmation_data)
subject = Subject(name_id=NameID(text='1234-1234-1234-1234', format=NAMEID_FORMAT_UNSPECIFIED),
subject_confirmation=subject_confirmation)
conditions = Conditions(not_before=not_before,
not_on_or_after=not_on_or_after,
audience_restriction=AudienceRestriction(Audience('http://nohost/')),
one_time_use=OneTimeUse())
authn_context = AuthnContext(authn_context_decl_ref=AuthnContextClassRef('urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'))
authn_statement = AuthnStatement(authn_instant=issue_instant,
authn_context=authn_context)
assertion_signature = make_instance(Signature, pre_signature_part('_cb8e7dc8-00b3-4655-ad2d-d083cae5168d'))
assertion = Assertion(id='_cb8e7dc8-00b3-4655-ad2d-d083cae5168d',
version='2.0',
issue_instant=issue_instant,
issuer=issuer,
signature=assertion_signature,
subject=subject,
conditions=conditions,
authn_statement=authn_statement,
)
response = Response(id='_ea7f4526-43a3-42d6-a0bc-8f367e95802f',
in_response_to=authn_request_id,
version='2.0',
issue_instant=issue_instant,
destination='http://nohost/',
issuer=issuer,
signature=signature,
status=status,
assertion=assertion,
)
return response
def test_sign_verify_with_cert_from_instance(self):
response = factory(samlp.Response,
assertion=self._assertion,
id="22222",
signature=sigver.pre_signature_part("22222",
self.sec
.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
response2 = response_from_string(s_response)
ci = "".join(sigver.cert_from_instance(response2)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature(s_response,
node_name=class_name(samlp.Response()))
assert res
res = self.sec._check_signature(s_response, response2,
class_name(response2), s_response)
assert res == response2
def test_sign_verify_assertion_with_cert_from_instance(self):
assertion = factory(saml.Assertion,
version="2.0",
id="11100",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11100",
self.sec
.my_cert),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Fox", ""),
("", "", "givenName"): ("Bear", ""),
})
)
to_sign = [(class_name(assertion), assertion.id)]
s_assertion = sigver.signed_instance_factory(assertion, self.sec,
to_sign)
print(s_assertion)
ass = assertion_from_string(s_assertion)
ci = "".join(sigver.cert_from_instance(ass)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature(s_assertion,
node_name=class_name(ass))
assert res
res = self.sec._check_signature(s_assertion, ass, class_name(ass))
assert res
def test_exception_sign_verify_with_cert_from_instance(self):
assertion = factory(saml.Assertion,
version="2.0",
id="11100",
issue_instant="2009-10-30T13:20:28Z",
#signature= sigver.pre_signature_part("11100",
# self.sec.my_cert),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
})
)
response = factory(samlp.Response,
assertion=assertion,
id="22222",
signature=sigver.pre_signature_part("22222",
self.sec
.my_cert))
to_sign = [(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
response2 = response_from_string(s_response)
# Change something that should make everything fail
response2.id = "23456"
raises(sigver.SignatureError, self.sec._check_signature,
s_response, response2, class_name(response2))
def test_multiple_signatures_response(self):
response = factory(
samlp.Response,
assertion=self._assertion,
id="22222",
signature=sigver.pre_signature_part("22222", self.sec.my_cert),
)
# order is important, we can't validate if the signatures are made
# in the reverse order
to_sign = [(self._assertion, self._assertion.id, ""), (response, response.id, "")]
s_response = self.sec.multiple_signatures("%s" % response, to_sign)
assert s_response is not None
response = response_from_string(s_response)
item = self.sec.check_signature(response, class_name(response), s_response, must=True)
assert item == response
assert item.id == "22222"
s_assertion = item.assertion[0]
assert isinstance(s_assertion, saml.Assertion)
# make sure the assertion was modified when we supposedly signed it
assert s_assertion != self._assertion
ci = "".join(sigver.cert_from_instance(s_assertion)[0].split())
assert ci == self.sec.my_cert
res = self.sec.check_signature(s_assertion, class_name(s_assertion), s_response, must=True)
assert res == s_assertion
assert s_assertion.id == "11111"
assert s_assertion.version == "2.0"
assert _eq(s_assertion.keyswv(), ["attribute_statement", "issue_instant", "version", "signature", "id"])
def do_authz_decision_query(self, entityid, assertion=None, sign=False):
authz_decision_query = self.authz_decision_query(entityid, assertion)
for destination in self.config.authz_services(entityid):
to_sign = []
if sign:
authz_decision_query.signature = pre_signature_part(
authz_decision_query.id, self.sec.my_cert, 1)
to_sign.append((class_name(authz_decision_query),
authz_decision_query.id))
authz_decision_query = signed_instance_factory(
authz_decision_query, self.sec, to_sign)
response = send_using_soap(authz_decision_query,
destination,
self.config.key_file,
self.config.cert_file,
ca_certs=self.config.ca_certs)
if response:
logger.info("Verifying response")
response = self.authz_decision_query_response(response)
if response:
#not_done.remove(entity_id)
logger.info("OK response from %s" % destination)
return response
else:
logger.info("NOT OK response from %s" % destination)
return None
def create_assertion_id_request_response(self,
assertion_id,
sign=False,
sign_alg=None,
digest_alg=None,
**kwargs):
"""
:param assertion_id:
:param sign:
:return:
"""
try:
(assertion, to_sign) = self.session_db.get_assertion(assertion_id)
except KeyError:
raise Unknown
if to_sign:
if assertion.signature is None:
assertion.signature = pre_signature_part(assertion.id,
self.sec.my_cert,
1,
sign_alg=sign_alg,
digest_alg=digest_alg)
return signed_instance_factory(assertion, self.sec, to_sign)
else:
return assertion
def test_sign_response(self):
response = factory(samlp.Response,
assertion=self._assertion,
id="22222",
signature=sigver.pre_signature_part("22222",
self.sec
.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
print s_response
response = response_from_string(s_response)
sass = response.assertion[0]
print sass
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11111"
item = self.sec.check_signature(response, class_name(response),
s_response)
assert isinstance(item, samlp.Response)
assert item.id == "22222"
def test_xmlsec_err():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""), })
)
try:
sec.sign_statement(assertion, class_name(assertion),
key_file=full_path("tes.key"),
node_id=assertion.id)
except (XmlsecError, SigverError) as err: # should throw an exception
pass
else:
assert False
def test_sha256_signing():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1, sign_alg=SIG_RSA_SHA256),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
s = sec.sign_statement(assertion,
class_name(assertion),
key_file=full_path("test.key"),
node_id=assertion.id)
assert s
def test_sign_response(self):
response = factory(samlp.Response,
assertion=self._assertion,
id="22222",
signature=sigver.pre_signature_part("22222",
self.sec
.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
print(s_response)
response = response_from_string(s_response)
sass = response.assertion[0]
print(sass)
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11111"
item = self.sec.check_signature(response, class_name(response),
s_response)
assert isinstance(item, samlp.Response)
assert item.id == "22222"
def test_exception_sign_verify_with_cert_from_instance(self):
assertion = factory(
saml.Assertion,
version="2.0",
id="11100",
issue_instant="2009-10-30T13:20:28Z",
#signature= sigver.pre_signature_part("11100",
# self.sec.my_cert),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
response = factory(samlp.Response,
assertion=assertion,
id="22222",
signature=sigver.pre_signature_part(
"22222", self.sec.my_cert))
to_sign = [(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec,
to_sign)
response2 = response_from_string(s_response)
# Change something that should make everything fail
response2.id = "23456"
raises(sigver.SignatureError, self.sec._check_signature, s_response,
response2, class_name(response2))
def test_xmlsec_err():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
try:
sec.sign_statement(assertion,
class_name(assertion),
key_file=full_path("tes.key"),
node_id=assertion.id)
except (XmlsecError, SigverError) as err: # should throw an exception
pass
else:
assert False
def test_xmlsec_err_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""), })
)
with raises(XmlsecError):
sec.sign_statement(
assertion,
class_name(assertion),
key_file=INVALID_KEY,
node_id=assertion.id,
)
def test_xbox_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}
)
)
sigass = sec.sign_statement(
assertion,
class_name(assertion),
key_file=PRIV_KEY,
node_id=assertion.id,
)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(
str(pre_encryption_part()).encode('utf-8'), decode=False
)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext, key_file=PRIV_KEY)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(
_seass.extension_elements, [saml, samlp]
)
for ass in assers:
_txt = sec.verify_signature(
str(ass), PUB_KEY, node_name=class_name(assertion)
)
if _txt:
assertions.append(ass)
assert assertions
print(assertions)
def entities_descriptor(eds, valid_for, name, ident, sign, secc):
entities = md.EntitiesDescriptor(entity_descriptor=eds)
if valid_for:
entities.valid_until = in_a_while(hours=valid_for)
if name:
entities.name = name
if ident:
entities.id = ident
if sign:
if not ident:
ident = sid()
if not secc.key_file:
raise SAMLError("If you want to do signing you should define " +
"a key to sign with")
if not secc.my_cert:
raise SAMLError("If you want to do signing you should define " +
"where your public key are")
entities.signature = pre_signature_part(ident, secc.my_cert, 1)
entities.id = ident
xmldoc = secc.sign_statement("%s" % entities, class_name(entities))
entities = md.entities_descriptor_from_string(xmldoc)
return entities
def setup_class(self):
# This would be one way to initialize the security context :
#
# conf = config.SPConfig()
# conf.load_file("server_conf")
# conf.only_use_keys_in_metadata = False
#
# but instead, FakeConfig() is used to really only use the minimal
# set of parameters needed for these test cases. Other test cases
# (TestSecurityMetadata below) excersise the SPConfig() mechanism.
#
conf = FakeConfig()
self.sec = sigver.security_context(FakeConfig())
self._assertion = factory(
saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
})
)
def test_sign_verify_assertion_with_cert_from_instance(self):
assertion = factory(saml.Assertion,
version="2.0",
id="11100",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11100",
self.sec
.my_cert),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Fox", ""),
("", "", "givenName"): ("Bear", ""),
})
)
to_sign = [(class_name(assertion), assertion.id)]
s_assertion = sigver.signed_instance_factory(assertion, self.sec,
to_sign)
print s_assertion
ass = assertion_from_string(s_assertion)
ci = "".join(sigver.cert_from_instance(ass)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature("%s" % s_assertion,
node_name=class_name(ass))
assert res
res = self.sec._check_signature(s_assertion, ass, class_name(ass))
assert res
def do_authz_decision_query(self, entityid, assertion=None, log=None, sign=False):
authz_decision_query = self.authz_decision_query(entityid, assertion)
for destination in self.config.authz_services(entityid):
to_sign = []
if sign:
authz_decision_query.signature = pre_signature_part(authz_decision_query.id, self.sec.my_cert, 1)
to_sign.append((class_name(authz_decision_query), authz_decision_query.id))
authz_decision_query = signed_instance_factory(authz_decision_query, self.sec, to_sign)
response = send_using_soap(
authz_decision_query,
destination,
self.config.key_file,
self.config.cert_file,
log=log,
ca_certs=self.config.ca_certs,
)
if response:
if log:
log.info("Verifying response")
response = self.authz_decision_query_response(response, log)
if response:
# not_done.remove(entity_id)
if log:
log.info("OK response from %s" % destination)
return response
else:
if log:
log.info("NOT OK response from %s" % destination)
return None
def create_assertion_id_request_response(self, assertion_id, sign=False,
sign_alg=None,
digest_alg=None, **kwargs):
"""
:param assertion_id:
:param sign:
:return:
"""
try:
(assertion, to_sign) = self.session_db.get_assertion(assertion_id)
except KeyError:
raise Unknown
if to_sign:
if assertion.signature is None:
assertion.signature = pre_signature_part(assertion.id,
self.sec.my_cert, 1,
sign_alg=sign_alg,
digest_alg=digest_alg)
return signed_instance_factory(assertion, self.sec, to_sign)
else:
return assertion
def create_assertion_id_request_response(
self, assertion_id, sign=None, sign_alg=None, digest_alg=None, **kwargs
):
try:
(assertion, to_sign) = self.session_db.get_assertion(assertion_id)
except KeyError:
raise Unknown
if to_sign:
if assertion.signature is None:
# XXX self.signing_algorithm self.digest_algorithm defined by entity
# XXX this should be handled through entity.py
# XXX sig/digest-allowed should be configurable
sign_alg = sign_alg or self.signing_algorithm
digest_alg = digest_alg or self.digest_algorithm
assertion.signature = pre_signature_part(
assertion.id,
self.sec.my_cert,
1,
sign_alg=sign_alg,
digest_alg=digest_alg,
)
return signed_instance_factory(assertion, self.sec, to_sign)
else:
return assertion
def create_attribute_response(self, identity, in_response_to, destination,
sp_entity_id, userid="", name_id=None,
status=None, issuer=None,
sign_assertion=False, sign_response=False,
attributes=None):
""" Create an attribute assertion response.
:param identity: A dictionary with attributes and values that are
expected to be the bases for the assertion in the response.
:param in_response_to: The session identifier of the request
:param destination: The URL which should receive the response
:param sp_entity_id: The entity identifier of the SP
:param userid: A identifier of the user
:param name_id: The identifier of the subject
:param status: The status of the response
:param issuer: The issuer of the response
:param sign_assertion: Whether the assertion should be signed or not
:param sign_response: Whether the whole response should be signed
:param attributes:
:return: A response instance
"""
if not name_id and userid:
try:
name_id = self.ident.construct_nameid(userid,
self.config.policy,
sp_entity_id)
logger.warning("Unspecified NameID format")
except Exception:
pass
to_sign = []
args = {}
if identity:
_issuer = self._issuer(issuer)
ast = Assertion(identity)
policy = self.config.getattr("policy", "aa")
if policy:
ast.apply_policy(sp_entity_id, policy)
else:
policy = Policy()
if attributes:
restr = restriction_from_attribute_spec(attributes)
ast = filter_attribute_value_assertions(ast)
assertion = ast.construct(sp_entity_id, in_response_to,
destination, name_id,
self.config.attribute_converters,
policy, issuer=_issuer)
if sign_assertion:
assertion.signature = pre_signature_part(assertion.id,
self.sec.my_cert, 1)
# Just the assertion or the response and the assertion ?
to_sign = [(class_name(assertion), assertion.id)]
args["assertion"] = assertion
return self._response(in_response_to, destination, status, issuer,
sign_response, to_sign, **args)
def test_xmlsec_err_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}))
with raises(XmlsecError):
sec.sign_statement(
assertion,
class_name(assertion),
key_file=INVALID_KEY,
node_id=assertion.id,
)
def entities_descriptor(eds, valid_for, name, ident, sign, secc):
entities = md.EntitiesDescriptor(entity_descriptor=eds)
if valid_for:
entities.valid_until = in_a_while(hours=valid_for)
if name:
entities.name = name
if ident:
entities.id = ident
if sign:
if not ident:
ident = sid()
if not secc.key_file:
raise SAMLError("If you want to do signing you should define " +
"a key to sign with")
if not secc.my_cert:
raise SAMLError("If you want to do signing you should define " +
"where your public key are")
entities.signature = pre_signature_part(ident, secc.my_cert, 1)
entities.id = ident
xmldoc = secc.sign_statement("%s" % entities, class_name(entities))
entities = md.entities_descriptor_from_string(xmldoc)
else:
xmldoc = None
return entities, xmldoc
def setup_class(self):
# This would be one way to initialize the security context :
#
# conf = config.SPConfig()
# conf.load_file("server_conf")
# conf.only_use_keys_in_metadata = False
#
# but instead, FakeConfig() is used to really only use the minimal
# set of parameters needed for these test cases. Other test cases
# (TestSecurityMetadata below) excersise the SPConfig() mechanism.
#
conf = FakeConfig()
self.sec = sigver.security_context(FakeConfig())
self._assertion = factory(
saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
})
)
def test_sign_verify_with_cert_from_instance(self):
response = factory(samlp.Response,
assertion=self._assertion,
id="22222",
signature=sigver.pre_signature_part("22222",
self.sec
.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
response2 = response_from_string(s_response)
ci = "".join(sigver.cert_from_instance(response2)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature("%s" % s_response,
node_name=class_name(samlp.Response()))
assert res
res = self.sec._check_signature(s_response, response2,
class_name(response2), s_response)
assert res == response2
def create_attribute_query(self,
session_id,
subject_id,
destination,
issuer_id=None,
attribute=None,
sp_name_qualifier=None,
name_qualifier=None,
nameid_format=None,
sign=False):
""" Constructs an AttributeQuery
:param session_id: The identifier of the session
:param subject_id: The identifier of the subject
:param destination: To whom the query should be sent
:param issuer_id: Identifier of the issuer
:param attribute: A dictionary of attributes and values that is
asked for. The key are one of 4 variants:
3-tuple of name_format,name and friendly_name,
2-tuple of name_format and name,
1-tuple with name or
just the name as a string.
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param nameid_format: The format of the name ID
:param sign: Whether the query should be signed or not.
:return: An AttributeQuery instance
"""
subject = saml.Subject(name_id=saml.NameID(
text=subject_id,
format=nameid_format,
sp_name_qualifier=sp_name_qualifier,
name_qualifier=name_qualifier), )
query = samlp.AttributeQuery(
id=session_id,
version=VERSION,
issue_instant=instant(),
destination=destination,
issuer=self._issuer(issuer_id),
subject=subject,
)
if sign:
query.signature = pre_signature_part(query.id, self.sec.my_cert, 1)
if attribute:
query.attribute = do_attributes(attribute)
if sign:
signed_query = self.sec.sign_attribute_query_using_xmlsec("%s" %
query)
return samlp.attribute_query_from_string(signed_query)
else:
return query
def sign_entity_descriptor(edesc, ident, secc):
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, ident, secc):
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def _response(self,
in_response_to,
consumer_url=None,
status=None,
issuer=None,
sign=False,
to_sign=None,
encrypt_assertion=False,
encrypt_cert=None,
**kwargs):
""" Create a Response.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param status: The status of the response
:param issuer: The issuer of the response
:param sign: Whether the response should be signed or not
:param to_sign: If there are other parts to sign
:param kwargs: Extra key word arguments
:return: A Response instance
"""
if not status:
status = success_status_factory()
_issuer = self._issuer(issuer)
response = response_factory(issuer=_issuer,
in_response_to=in_response_to,
status=status)
if consumer_url:
response.destination = consumer_url
self._add_info(response, **kwargs)
if not sign and to_sign and not encrypt_assertion:
return signed_instance_factory(response, self.sec, to_sign)
if encrypt_assertion:
sign_class = [(class_name(response), response.id)]
if sign:
response.signature = pre_signature_part(
response.id, self.sec.my_cert, 1)
cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
_, cert_file = make_temp("%s" % encrypt_cert, decode=False)
response = cbxs.encrypt_assertion(response, cert_file,
pre_encryption_part())
#template(response.assertion.id))
if sign:
return signed_instance_factory(response, self.sec, sign_class)
else:
return response
if sign:
return self.sign(response, to_sign=to_sign)
else:
return response
def create_aa_response(self, in_response_to, consumer_url, sp_entity_id,
identity=None, userid="", name_id=None, status=None,
issuer=None, sign_assertion=False,
sign_response=False, attributes=None):
""" Create an attribute assertion response.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param sp_entity_id: The entity identifier of the SP
:param identity: A dictionary with attributes and values that are
expected to be the bases for the assertion in the response.
:param userid: A identifier of the user
:param name_id: The identifier of the subject
:param status: The status of the response
:param issuer: The issuer of the response
:param sign_assertion: Whether the assertion should be signed or not
:param sign_response: Whether the whole response should be signed
:return: A response instance
"""
if not name_id and userid:
try:
name_id = self.ident.construct_nameid(self.conf.policy, userid,
sp_entity_id, identity)
logger.warning("Unspecified NameID format")
except Exception:
pass
to_sign = []
args = {}
if identity:
_issuer = self.issuer(issuer)
ast = Assertion(identity)
policy = self.conf.getattr("policy", "aa")
if policy:
ast.apply_policy(sp_entity_id, policy)
else:
policy = Policy()
if attributes:
restr = restriction_from_attribute_spec(attributes)
ast = filter_attribute_value_assertions(ast)
assertion = ast.construct(sp_entity_id, in_response_to,
consumer_url, name_id,
self.conf.attribute_converters,
policy, issuer=_issuer)
if sign_assertion:
assertion.signature = pre_signature_part(assertion.id,
self.sec.my_cert, 1)
# Just the assertion or the response and the assertion ?
to_sign = [(class_name(assertion), assertion.id)]
args["assertion"] = assertion
return self._response(in_response_to, consumer_url, status, issuer,
sign_response, to_sign, **args)
def test_sign_response_2(self):
assertion2 = factory(
saml.Assertion,
version="2.0",
id="id-11122",
issuer=saml.Issuer(text="the-issuer-2"),
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11122", self.sec .my_cert),
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Fox", ""),
("name:givenName", "nameformat", "givenName"): ("Bear", ""),
})
)
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser-2"),
status=success_status_factory(),
assertion=assertion2,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22233",
signature=sigver.pre_signature_part("id-22233", self.sec.my_cert),
)
to_sign = [(class_name(assertion2), assertion2.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
response2 = response_from_string(s_response)
sass = response2.assertion[0]
['signature', 'attribute_statement', 'version', 'id', 'issue_instant']
['issuer', 'attribute_statement', 'issue_instant', 'version', 'signature', 'id']
assert _eq(sass.keyswv(), ['issuer', 'attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "id-11122"
item = self.sec.check_signature(response2, class_name(response), s_response)
assert isinstance(item, samlp.Response)
def test_xbox_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}))
sigass = sec.sign_statement(
assertion,
class_name(assertion),
key_file=PRIV_KEY,
node_id=assertion.id,
)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode('utf-8'),
decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext, key_file=PRIV_KEY)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
for ass in assers:
_txt = sec.verify_signature(str(ass),
PUB_KEY,
node_name=class_name(assertion))
if _txt:
assertions.append(ass)
assert assertions
print(assertions)
def _response(self, in_response_to, consumer_url=None, status=None,
issuer=None, sign=False, to_sign=None,
encrypt_assertion=False, encrypt_cert=None, **kwargs):
""" Create a Response.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param status: The status of the response
:param issuer: The issuer of the response
:param sign: Whether the response should be signed or not
:param to_sign: If there are other parts to sign
:param kwargs: Extra key word arguments
:return: A Response instance
"""
if not status:
status = success_status_factory()
_issuer = self._issuer(issuer)
response = response_factory(issuer=_issuer,
in_response_to=in_response_to,
status=status)
if consumer_url:
response.destination = consumer_url
self._add_info(response, **kwargs)
if not sign and to_sign and not encrypt_assertion:
return signed_instance_factory(response, self.sec, to_sign)
if encrypt_assertion:
if sign:
response.signature = pre_signature_part(response.id,
self.sec.my_cert, 1)
cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
_, cert_file = make_temp("%s" % encrypt_cert, decode=False)
response = cbxs.encrypt_assertion(response, cert_file,
pre_encryption_part())
# template(response.assertion.id))
if sign:
if to_sign:
signed_instance_factory(response, self.sec, to_sign)
else:
# default is to sign the whole response if anything
sign_class = [(class_name(response), response.id)]
return signed_instance_factory(response, self.sec,
sign_class)
else:
return response
if sign:
return self.sign(response, to_sign=to_sign)
else:
return response
def test_xbox():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
sigass = sec.sign_statement(assertion,
class_name(assertion),
key_file=full_path("test.key"),
node_id=assertion.id)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode('utf-8'),
decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion), conf.cert_file, pre, "des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]')
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
sign_cert_file = full_path("test.pem")
for ass in assers:
_ass = "%s" % ass
#_ass = _ass.replace('xsi:nil="true" ', '')
#assert sigass == _ass
_txt = sec.verify_signature(_ass,
sign_cert_file,
node_name=class_name(assertion))
if _txt:
assertions.append(ass)
print(assertions)
def _create_idp_response(
self,
authn_request_id='2aaaeb7692471eb4ba00d5546877a7fd',
cls=Response):
issue_instant = datetime.utcnow().isoformat() + 'Z'
not_before = (datetime.utcnow() -
timedelta(minutes=5)).isoformat() + 'Z'
not_on_or_after = (datetime.utcnow() +
timedelta(minutes=5)).isoformat() + 'Z'
issuer = Issuer(format=NAMEID_FORMAT_ENTITY, text='http://nohost/auth')
signature = pre_signature_part(
's2998eb2e03b5006acb0a931d0fb558b0e4ec360c7')
status = Status(status_code=StatusCode(value=STATUS_SUCCESS))
subject_confirmation_data = SubjectConfirmationData(
not_on_or_after=not_on_or_after,
in_response_to=authn_request_id,
recipient='http://nohost/')
subject_confirmation = SubjectConfirmation(
method=SCM_BEARER,
subject_confirmation_data=subject_confirmation_data)
subject = Subject(name_id=NameID(text='AABVSVesMLYDiHtowyX4MDu6UopU',
format=NAMEID_FORMAT_TRANSIENT),
subject_confirmation=subject_confirmation)
conditions = Conditions(not_before=not_before,
not_on_or_after=not_on_or_after,
audience_restriction=AudienceRestriction(
Audience('http://nohost/')),
one_time_use=OneTimeUse())
authn_context = AuthnContext(authn_context_decl_ref=AuthnContextClassRef(
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
))
authn_statement = AuthnStatement(authn_instant=issue_instant,
authn_context=authn_context,
session_index=self.session_index)
attribute_statement = attribute_statement_from_string(
self.attribute_xml)
assertion = Assertion(
id='s2bb879ef893d1b27fb90903e7c7e2779a3e7502c1',
version='2.0',
issue_instant=issue_instant,
issuer=issuer,
subject=subject,
conditions=conditions,
authn_statement=authn_statement,
attribute_statement=attribute_statement,
)
return cls(id='s2998eb2e03b5006acb0a931d0fb558b0e4ec360c7',
in_response_to=authn_request_id,
version='2.0',
issue_instant=issue_instant,
destination='http://nohost/',
issuer=issuer,
signature=signature,
status=status,
assertion=assertion)
def create_attribute_query(self, session_id, subject_id, destination,
issuer_id=None, attribute=None, sp_name_qualifier=None,
name_qualifier=None, nameid_format=None, sign=False):
""" Constructs an AttributeQuery
:param session_id: The identifier of the session
:param subject_id: The identifier of the subject
:param destination: To whom the query should be sent
:param issuer_id: Identifier of the issuer
:param attribute: A dictionary of attributes and values that is
asked for. The key are one of 4 variants:
3-tuple of name_format,name and friendly_name,
2-tuple of name_format and name,
1-tuple with name or
just the name as a string.
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param nameid_format: The format of the name ID
:param sign: Whether the query should be signed or not.
:return: An AttributeQuery instance
"""
subject = saml.Subject(
name_id = saml.NameID(
text=subject_id,
format=nameid_format,
sp_name_qualifier=sp_name_qualifier,
name_qualifier=name_qualifier),
)
query = samlp.AttributeQuery(
id=session_id,
version=VERSION,
issue_instant=instant(),
destination=destination,
issuer=self._issuer(issuer_id),
subject=subject,
)
if sign:
query.signature = pre_signature_part(query.id, self.sec.my_cert, 1)
if attribute:
query.attribute = do_attributes(attribute)
if sign:
signed_query = self.sec.sign_attribute_query_using_xmlsec(
"%s" % query)
return samlp.attribute_query_from_string(signed_query)
else:
return query
def test_sign_then_encrypt_assertion2(self):
# Begin with the IdPs side
_sec = self.server.sec
nameid_policy = samlp.NameIDPolicy(
allow_create="false", format=saml.NAMEID_FORMAT_PERSISTENT)
asser = Assertion({"givenName": "Derek", "surName": "Jeter"})
assertion = asser.construct(
self.client.config.entityid,
"_012345",
"http://lingon.catalogix.se:8087/",
factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT),
policy=self.server.config.getattr("policy", "idp"),
issuer=self.server._issuer(),
attrconvs=self.server.config.attribute_converters,
authn_class=INTERNETPROTOCOLPASSWORD,
authn_auth="http://www.example.com/login")
assertion.signature = sigver.pre_signature_part(
assertion.id, _sec.my_cert, 1)
sigass = _sec.sign_statement(assertion,
class_name(assertion),
key_file=self.client.sec.key_file,
node_id=assertion.id)
sigass = rm_xmltag(sigass)
response = sigver.response_factory(
in_response_to="_012345",
destination="http://lingon.catalogix.se:8087/",
status=s_utils.success_status_factory(),
issuer=self.server._issuer(),
encrypted_assertion=EncryptedAssertion())
xmldoc = "%s" % response
# strangely enough I get different tags if I run this test separately
# or as part of a bunch of tests.
xmldoc = add_subelement(xmldoc, "EncryptedAssertion", sigass)
enctext = _sec.crypto.encrypt_assertion(xmldoc, _sec.cert_file,
pre_encryption_part())
#seresp = samlp.response_from_string(enctext)
resp_str = base64.encodestring(enctext)
# Now over to the client side
resp = self.client.parse_authn_request_response(
resp_str, BINDING_HTTP_POST,
{"_012345": "http://foo.example.com/service"})
#assert resp.encrypted_assertion == []
assert resp.assertion
assert resp.ava == {'givenName': ['Derek'], 'sn': ['Jeter']}
def sign_entity_descriptor(edesc, valid_for, ident, secc):
if valid_for:
edesc.valid_until = in_a_while(hours=valid_for)
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, valid_for, ident, secc):
if valid_for:
edesc.valid_until = in_a_while(hours=valid_for)
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def test_sign_then_encrypt_assertion2(self):
# Begin with the IdPs side
_sec = self.server.sec
nameid_policy = samlp.NameIDPolicy(allow_create="false",
format=saml.NAMEID_FORMAT_PERSISTENT)
asser = Assertion({"givenName": "Derek", "surName": "Jeter"})
assertion = asser.construct(
self.client.config.entityid, "_012345",
"http://lingon.catalogix.se:8087/",
factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT),
policy=self.server.config.getattr("policy", "idp"),
issuer=self.server._issuer(),
attrconvs=self.server.config.attribute_converters,
authn_class=INTERNETPROTOCOLPASSWORD,
authn_auth="http://www.example.com/login")
assertion.signature = sigver.pre_signature_part(
assertion.id, _sec.my_cert, 1)
sigass = _sec.sign_statement(assertion, class_name(assertion),
key_file=self.client.sec.key_file,
node_id=assertion.id)
sigass = rm_xmltag(sigass)
response = sigver.response_factory(
in_response_to="_012345",
destination="https://www.example.com",
status=s_utils.success_status_factory(),
issuer=self.server._issuer(),
encrypted_assertion=EncryptedAssertion()
)
xmldoc = "%s" % response
# strangely enough I get different tags if I run this test separately
# or as part of a bunch of tests.
xmldoc = add_subelement(xmldoc, "EncryptedAssertion", sigass)
enctext = _sec.crypto.encrypt_assertion(xmldoc, _sec.cert_file,
pre_encryption_part())
#seresp = samlp.response_from_string(enctext)
resp_str = base64.encodestring(enctext)
# Now over to the client side
resp = self.client.parse_authn_request_response(
resp_str, BINDING_HTTP_POST,
{"_012345": "http://foo.example.com/service"})
#assert resp.encrypted_assertion == []
assert resp.assertion
assert resp.ava == {'givenName': ['Derek'], 'sn': ['Jeter']}
def test_xbox():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", "")}
),
)
sigass = sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode("utf-8"), decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements, [saml, samlp])
sign_cert_file = full_path("test.pem")
for ass in assers:
_ass = "%s" % ass
# _ass = _ass.replace('xsi:nil="true" ', '')
# assert sigass == _ass
_txt = sec.verify_signature(_ass, sign_cert_file, node_name=class_name(assertion))
if _txt:
assertions.append(ass)
print(assertions)
def attribute_query(cls, subject_id, destination, issuer_id=None,
attribute=None, sp_name_qualifier=None, name_qualifier=None,
nameid_format=None, log=None, sign=False):
""" Does a attribute request to an attribute authority, this is
by default done over SOAP. Other bindings could be used but are not
supported right now.
:param subject_id: The identifier of the subject
:param destination: To whom the query should be sent
:param issuer_id: Who is sending this query
:param attribute: A dictionary of attributes and values that is asked for
:param sp_name_qualifier: The unique identifier of the
service provider or affiliation of providers for whom the
identifier was generated.
:param name_qualifier: The unique identifier of the identity
provider that generated the identifier.
:param nameid_format: The format of the name ID
:param log: Function to use for logging
:param sign: Whether the request should be signed or not
:return: The Assertion
"""
if log is None:
log = cls.logger
session_id = sid()
issuer = cls.issuer(issuer_id)
if not name_qualifier and not sp_name_qualifier:
sp_name_qualifier = cls.config.entityid
request = cls.create_attribute_query(session_id, subject_id,
destination, issuer, attribute,
sp_name_qualifier,
name_qualifier,
nameid_format=nameid_format)
# soapclient = HTTP.send(destination, cls.config.key_file,
# cls.config.cert_file)
if sign:
request.signature= pre_signature_part(request.id, cls.sec.my_cert, 1)
try:
if sign:
response = HTTP.send(request, path=destination, sign=True,
sec=cls.sec)
else:
response = HTTP.send(request, path=destination)
except Exception, exc:
exception_trace("SoapClient exception", exc, log)
return None
def test_sign_then_encrypt_assertion2(self):
# Begin with the IdPs side
_sec = self.server.sec
nameid_policy = samlp.NameIDPolicy(
allow_create="false", format=saml.NAMEID_FORMAT_PERSISTENT)
asser = Assertion({"givenName": "Derek", "surName": "Jeter"})
assertion = asser.construct(
self.client.config.entityid,
"_012345",
"http://lingon.catalogix.se:8087/",
factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT),
policy=self.server.config.getattr("policy", "idp"),
issuer=self.server._issuer(),
attrconvs=self.server.config.attribute_converters,
authn_class=INTERNETPROTOCOLPASSWORD,
authn_auth="http://www.example.com/login")
assertion.signature = sigver.pre_signature_part(
assertion.id, _sec.my_cert, 1)
sigass = _sec.sign_statement(
assertion,
class_name(assertion),
#key_file="pki/mykey.pem",
key_file="test.key",
node_id=assertion.id)
# Create an Assertion instance from the signed assertion
_ass = saml.assertion_from_string(sigass)
response = sigver.response_factory(
in_response_to="_012345",
destination="https://www.example.com",
status=s_utils.success_status_factory(),
issuer=self.server._issuer(),
assertion=_ass)
enctext = _sec.crypto.encrypt_assertion(response, _sec.cert_file,
pre_encryption_part())
#seresp = samlp.response_from_string(enctext)
resp_str = base64.encodestring(enctext)
# Now over to the client side
resp = self.client.parse_authn_request_response(
resp_str, BINDING_HTTP_POST,
{"_012345": "http://foo.example.com/service"})
#assert resp.encrypted_assertion == []
assert resp.assertion
assert resp.ava == {'givenName': ['Derek'], 'sn': ['Jeter']}
def test_sign_response_2(self):
assertion2 = factory(saml.Assertion,
version="2.0",
id="11122",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11122", self.sec.my_cert),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Räv", ""),
("", "", "givenName"): ("Björn", ""),
}))
response = factory(samlp.Response,
assertion=assertion2,
id="22233",
signature=sigver.pre_signature_part(
"22233", self.sec.my_cert))
to_sign = [(class_name(assertion2), assertion2.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec,
to_sign)
assert s_response is not None
response2 = response_from_string(s_response)
sass = response2.assertion[0]
assert _eq(sass.keyswv(), [
'attribute_statement', 'issue_instant', 'version', 'signature',
'id'
])
assert sass.version == "2.0"
assert sass.id == "11122"
item = self.sec.check_signature(response2, class_name(response),
s_response)
assert isinstance(item, samlp.Response)
def sign(self, msg, mid=None, to_sign=None):
if msg.signature is None:
msg.signature = pre_signature_part(msg.id, self.sec.my_cert, 1)
if mid is None:
mid = msg.id
try:
to_sign.append([(class_name(msg), mid)])
except AttributeError:
to_sign = [(class_name(msg), mid)]
logger.info("REQUEST: %s" % msg)
return signed_instance_factory(msg, self.sec, to_sign)
def setup_class(self):
xmlexec = get_xmlsec_binary()
self.sec = sigver.SecurityContext(xmlexec, key_file=PRIV_KEY,
cert_file=PUB_KEY, debug=1)
self._assertion = factory( saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("","","surName"): ("Foo",""),
("","","givenName") :("Bar",""),
})
)
def test_sign_verify(self):
response = factory(
samlp.Response, assertion=self._assertion, id="22233",
signature=sigver.pre_signature_part("22233", self.sec.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
print(s_response)
res = self.sec.verify_signature(s_response,
node_name=class_name(samlp.Response()))
print(res)
assert res
def _message(self,
request_cls,
destination=None,
id=0,
consent=None,
extensions=None,
sign=False,
**kwargs):
"""
Some parameters appear in all requests so simplify by doing
it in one place
:param request_cls: The specific request type
:param destination: The recipient
:param id: A message identifier
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param kwargs: Key word arguments specific to one request type
:return: An instance of the request_cls
"""
if not id:
id = sid(self.seed)
req = request_cls(id=id,
version=VERSION,
issue_instant=instant(),
issuer=self._issuer(),
**kwargs)
if destination:
req.destination = destination
if consent:
req.consent = consent
if extensions:
req.extensions = extensions
if sign:
req.signature = pre_signature_part(req.id, self.sec.my_cert, 1)
to_sign = [(class_name(req), req.id)]
else:
to_sign = []
logger.info("REQUEST: %s" % req)
return signed_instance_factory(req, self.sec, to_sign)
def sign(self, msg, mid=None, to_sign=None, sign_prepare=False):
if msg.signature is None:
msg.signature = pre_signature_part(msg.id, self.sec.my_cert, 1)
if sign_prepare:
return msg
if mid is None:
mid = msg.id
try:
to_sign += [(class_name(msg), mid)]
except (AttributeError, TypeError):
to_sign = [(class_name(msg), mid)]
logger.info("REQUEST: %s" % msg)
return signed_instance_factory(msg, self.sec, to_sign)
def setup_class(self):
xmlexec = get_xmlsec_binary()
self.sec = sigver.SecurityContext(xmlexec,
key_file=PRIV_KEY,
cert_file=PUB_KEY,
debug=1)
self._assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
def sign_entity_descriptor(edesc, ident, secc):
"""
:param edesc: EntityDescriptor instance
:param ident: EntityDescriptor identifier
:param secc: Security context
:return: Tuple with EntityDescriptor instance and Signed XML document
"""
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
edesc = md.entity_descriptor_from_string(xmldoc)
return edesc, xmldoc
def test_sign_verify(self):
response = factory(samlp.Response,
assertion=self._assertion,
id="22233",
signature=sigver.pre_signature_part("22233", self.sec.my_cert))
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
print s_response
res = self.sec.verify_signature("%s" % s_response,
node_name=class_name(samlp.Response()))
print res
assert res
def sign_entity_descriptor(edesc, ident, secc):
"""
:param edesc: EntityDescriptor instance
:param ident: EntityDescriptor identifier
:param secc: Security context
:return: Tuple with EntityDescriptor instance and Signed XML document
"""
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
edesc = md.entity_descriptor_from_string(xmldoc)
return edesc, xmldoc
def sign(self, msg, mid=None, to_sign=None, sign_prepare=False):
if msg.signature is None:
msg.signature = pre_signature_part(msg.id, self.sec.my_cert, 1)
if sign_prepare:
return msg
if mid is None:
mid = msg.id
try:
to_sign.append([(class_name(msg), mid)])
except AttributeError:
to_sign = [(class_name(msg), mid)]
logger.info("REQUEST: %s" % msg)
return signed_instance_factory(msg, self.sec, to_sign)
def setup_class(self):
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("metadata_cert.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
self.sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""), })
)
def setup_class(self):
xmlexec = get_xmlsec_binary()
md = MetadataStore([saml, samlp], None, xmlexec)
md.load("local", full_path("metadata_cert.xml"))
crypto = get_xmlsec_cryptobackend()
self.sec = sigver.SecurityContext(crypto, key_file=PRIV_KEY,
cert_file=PUB_KEY, debug=1, metadata=md)
self._assertion = factory( saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("","","surName"): ("Foo",""),
("","","givenName") :("Bar",""),
})
)
def _message(self, request_cls, destination=None, id=0,
consent=None, extensions=None, sign=False, **kwargs):
"""
Some parameters appear in all requests so simplify by doing
it in one place
:param request_cls: The specific request type
:param destination: The recipient
:param id: A message identifier
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param kwargs: Key word arguments specific to one request type
:return: An instance of the request_cls
"""
if not id:
id = sid(self.seed)
req = request_cls(id=id, version=VERSION, issue_instant=instant(),
issuer=self._issuer(), **kwargs)
if destination:
req.destination = destination
if consent:
req.consent = consent
if extensions:
req.extensions = extensions
if sign:
req.signature = pre_signature_part(req.id, self.sec.my_cert, 1)
to_sign = [(class_name(req), req.id)]
else:
to_sign = []
logger.info("REQUEST: %s" % req)
return signed_instance_factory(req, self.sec, to_sign)
