Merge remote-tracking branch 'upstream/master'

Author: sigmunau

example/idp2/pki/create_key.sh renamed to example/create_key.sh

@@ -225,10 +225,11 @@ def verify_request(self, query, binding):
         :param query: The SAML query, transport encoded
         :param binding: Which binding the query came in over
         """
+        resp_args = {}
         if not query:
             logger.info("Missing QUERY")
             resp = Unauthorized('Unknown user')
-            return resp(self.environ, self.start_response)
+            return resp_args, resp(self.environ, self.start_response)
 
         if not self.req_info:
             self.req_info = IDP.parse_authn_request(query, binding)

example/idp2/idp.py

@@ -124,6 +124,10 @@ class Error(Exception):
     pass
 
 
+class SAMLError(Exception):
+    pass
+
+
 class ExtensionElement(object):
     """XML which is not part of the SAML specification,
     these are called extension elements. If a classes parser

src/saml2/__init__.py

@@ -409,6 +409,18 @@ def get_attribute_restriction(self, sp_entity_id):
 
         return restrictions
 
+    def entity_category_attributes(self, ec):
+        if not self._restrictions:
+            return None
+
+        ec_maps = self._restrictions["default"]["entity_categories"]
+        for ec_map in ec_maps:
+            try:
+                return ec_map[ec]
+            except KeyError:
+                pass
+        return []
+
     def get_entity_categories_restriction(self, sp_entity_id, mds):
         if not self._restrictions:
             return None

src/saml2/assertion.py

@@ -20,11 +20,15 @@
 from importlib import import_module
 
 from saml2.s_utils import factory, do_ava
-from saml2 import saml, extension_elements_to_elements
+from saml2 import saml, extension_elements_to_elements, SAMLError
 from saml2.saml import NAME_FORMAT_URI
 
 
-class UnknownNameFormat(Exception):
+class UnknownNameFormat(SAMLError):
+    pass
+
+
+class ConverterError(SAMLError):
     pass
 
 
@@ -182,7 +186,7 @@ def d_to_local_name(acs, attr):
     try:
         return attr["friendly_name"]
     except KeyError:
-        raise Exception("Could not find local name for %s" % attr)
+        raise ConverterError("Could not find local name for %s" % attr)
 
 
 class AttributeConverter(object):
@@ -224,7 +228,7 @@ def from_dict(self, mapdict):
             pass
 
         if self._fro is None and self._to is None:
-            raise Exception("Missing specifications")
+            raise ConverterError("Missing specifications")
 
         if self._fro is None or self._to is None:
             self.adjust()

src/saml2/attribute_converter.py

@@ -3,6 +3,7 @@
 from urlparse import parse_qs
 from urlparse import urlsplit
 import time
+from saml2 import SAMLError
 from saml2.cipher import AES
 from saml2.httputil import Response
 from saml2.httputil import make_cookie
@@ -15,7 +16,11 @@
 logger = logging.getLogger(__name__)
 
 
-class AuthnFailure(Exception):
+class AuthnFailure(SAMLError):
+    pass
+
+
+class EncodeError(SAMLError):
     pass
 
 
@@ -35,7 +40,7 @@ def verify(self, **kwargs):
 
 def url_encode_params(params=None):
     if not isinstance(params, dict):
-        raise Exception("You must pass in a dictionary!")
+        raise EncodeError("You must pass in a dictionary!")
     params_list = []
     for k, v in params.items():
         if isinstance(v, list):
@@ -209,7 +214,7 @@ def __init__(self, methods=None):
 
     def __call__(self, **kwargs):
         if not self.methods:
-            raise Exception("No authentication methods defined")
+            raise SAMLError("No authentication methods defined")
         elif len(self.methods) == 1:
             return self.methods[0]
         else:

src/saml2/authn.py

@@ -2,7 +2,7 @@
 
 import shelve
 from saml2.ident import code, decode
-from saml2 import time_util
+from saml2 import time_util, SAMLError
 import logging
 
 logger = logging.getLogger(__name__)
@@ -12,11 +12,11 @@
 # timeout time.
 
 
-class ToOld(Exception):
+class ToOld(SAMLError):
     pass
 
 
-class CacheError(Exception):
+class CacheError(SAMLError):
     pass
 
 

src/saml2/cache.py

@@ -21,7 +21,7 @@
 from saml2.request import LogoutRequest
 import saml2
 
-from saml2 import saml
+from saml2 import saml, SAMLError
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_SOAP
@@ -386,7 +386,7 @@ def do_attribute_query(self, entityid, subject_id,
         else:
             srvs = self.metadata.attribute_service(entityid, binding)
             if srvs is []:
-                raise Exception("No attribute service support at entity")
+                raise SAMLError("No attribute service support at entity")
 
             destination = destinations(srvs)[0]
 
@@ -412,7 +412,7 @@ def do_attribute_query(self, entityid, subject_id,
             return self.apply_binding(binding, "%s" % query, destination,
                                       relay_state)
         else:
-            raise Exception("Unsupported binding")
+            raise SAMLError("Unsupported binding")
 
     def handle_logout_request(self, request, name_id, binding, sign=False,
                               relay_state=""):

src/saml2/client.py

@@ -45,7 +45,7 @@
 from saml2.s_utils import signature, UnravelError
 from saml2.s_utils import do_attributes
 
-from saml2 import samlp, BINDING_SOAP
+from saml2 import samlp, BINDING_SOAP, SAMLError
 from saml2 import saml
 from saml2 import soap
 from saml2.population import Population
@@ -79,19 +79,19 @@
 MIME_PAOS = "application/vnd.paos+xml"
 
 
-class IdpUnspecified(Exception):
+class IdpUnspecified(SAMLError):
     pass
 
 
-class VerifyError(Exception):
+class VerifyError(SAMLError):
     pass
 
 
-class LogoutError(Exception):
+class LogoutError(SAMLError):
     pass
 
 
-class NoServiceDefined(Exception):
+class NoServiceDefined(SAMLError):
     pass
 
 
@@ -267,15 +267,16 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                 allow_create = "false"
 
             # Profile stuff, should be configurable
-            if nameid_format is None or \
-                    nameid_format == NAMEID_FORMAT_TRANSIENT:
+            if nameid_format is None:
                 name_id_policy = samlp.NameIDPolicy(
                     allow_create=allow_create, format=NAMEID_FORMAT_TRANSIENT)
+            elif nameid_format == "":
+                name_id_policy = None
             else:
                 name_id_policy = samlp.NameIDPolicy(allow_create=allow_create,
                                                     format=nameid_format)
 
-            if vorg:
+            if name_id_policy and vorg:
                 try:
                     name_id_policy.sp_name_qualifier = vorg
                     name_id_policy.format = saml.NAMEID_FORMAT_PERSISTENT
@@ -502,7 +503,7 @@ def parse_authn_request_response(self, xmlstr, binding, outstanding=None):
         try:
             _ = self.config.entityid
         except KeyError:
-            raise Exception("Missing entity_id specification")
+            raise SAMLError("Missing entity_id specification")
 
         resp = None
         if xmlstr:
@@ -524,7 +525,7 @@ def parse_authn_request_response(self, xmlstr, binding, outstanding=None):
                 logger.error("%s" % exc)
                 raise
 
-            logger.debug(">> %s", resp)
+            #logger.debug(">> %s", resp)
 
             if resp is None:
                 return None

src/saml2/client_base.py

@@ -10,7 +10,7 @@
 
 from importlib import import_module
 
-from saml2 import root_logger, BINDING_URI
+from saml2 import root_logger, BINDING_URI, SAMLError
 from saml2 import BINDING_SOAP
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
@@ -60,7 +60,8 @@
     "disable_ssl_certificate_validation",
     "referred_binding",
     "session_storage",
-    "entity_category"
+    "entity_category",
+    "xmlsec_path"
 ]
 
 SP_ARGS = [
@@ -148,7 +149,7 @@
 }
 
 
-class ConfigurationError(Exception):
+class ConfigurationError(SAMLError):
     pass
 
 # -----------------------------------------------------------------
@@ -161,6 +162,7 @@ def __init__(self, homedir="."):
         self._homedir = homedir
         self.entityid = None
         self.xmlsec_binary = None
+        self.xmlsec_path = []
         self.debug = False
         self.key_file = None
         self.cert_file = None
@@ -174,7 +176,7 @@ def __init__(self, homedir="."):
         self.organization = None
         self.contact_person = None
         self.name_form = None
-        self.nameid_form = None
+        self.name_id_format = None
         self.virtual_organization = None
         self.logger = None
         self.only_use_keys_in_metadata = True
@@ -239,7 +241,7 @@ def load_complex(self, cnf, typ="", metadata_construction=False):
                 acs = ac_factory()
 
             if not acs:
-                raise Exception("No attribute converters, something is wrong!!")
+                raise ConfigurationError("No attribute converters, something is wrong!!")
 
             _acs = self.getattr("attribute_converters", typ)
             if _acs:
@@ -326,7 +328,8 @@ def load_metadata(self, metadata_conf):
         acs = self.attribute_converters
 
         if acs is None:
-            raise Exception("Missing attribute converter specification")
+            raise ConfigurationError(
+                "Missing attribute converter specification")
 
         try:
             ca_certs = self.ca_certs
@@ -390,7 +393,7 @@ def log_handler(self):
                         elif args["socktype"] == "stream":
                             args["socktype"] = socket.SOCK_STREAM
                         else:
-                            raise Exception("Unknown socktype!")
+                            raise ConfigurationError("Unknown socktype!")
                     try:
                         handler = LOG_HANDLER[htyp](**args)
                     except TypeError:  # difference between 2.6 and 2.7