Merge branch 'master' of github.com:rohe/pysaml2

rohe · rohe · commit 25c9a8fd7a7a · 2016-09-22T08:54:29.000+03:00
diff --git a/.gitignore b/.gitignore
@@ -31,6 +31,8 @@ tmp*
 *.tmpl
 *.iml
 _build/
+.cache
+*.swp
 
 example/idp3/htdocs/login.mako
 
diff --git a/doc/howto/config.rst b/doc/howto/config.rst
@@ -270,6 +270,19 @@ idp/aa
 
 Directives that are specific to an IdP or AA service instance
 
+sign_assertion
+""""""""""""""
+
+Specifies if the IdP should sign the assertion in an authentication response
+or not. Can be True or False. Default is False.
+
+sign_response
+"""""""""""""
+
+Specifies if the IdP should sign the authentication response or not. Can be
+True or False. Default is False.
+
+
 policy
 """"""
 
@@ -419,7 +432,7 @@ Indicates if this SP wants the IdP to send the assertions signed. This
 sets the WantAssertionsSigned attribute of the SPSSODescriptor node
 of the metadata so the IdP will know this SP preference.
 
-Valid values are True or False. Default value is True.
+Valid values are True or False. Default value is False.
 
 Example::
 
diff --git a/src/saml2/algsupport.py b/src/saml2/algsupport.py
@@ -42,7 +42,7 @@ def get_algorithm_support(xmlsec):
     pof.wait()
 
     if not p_err:
-        p = p_out.split('\n')
+        p = p_out.splitlines()
         algs = [x.strip('"') for x in p[1].split(',')]
         digest = []
         signing = []
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
@@ -615,7 +615,7 @@ def _authn_context_decl_ref(decl_ref, authn_auth=None):
 
 def authn_statement(authn_class=None, authn_auth=None,
                     authn_decl=None, authn_decl_ref=None, authn_instant="",
-                    subject_locality=""):
+                    subject_locality="", session_not_on_or_after=None):
     """
     Construct the AuthnStatement
     :param authn_class: Authentication Context Class reference
@@ -639,26 +639,30 @@ def authn_statement(authn_class=None, authn_auth=None,
             saml.AuthnStatement,
             authn_instant=_instant,
             session_index=sid(),
+            session_not_on_or_after=session_not_on_or_after,
             authn_context=_authn_context_class_ref(
                 authn_class, authn_auth))
     elif authn_decl:
         res = factory(
             saml.AuthnStatement,
             authn_instant=_instant,
             session_index=sid(),
+            session_not_on_or_after=session_not_on_or_after,
             authn_context=_authn_context_decl(authn_decl, authn_auth))
     elif authn_decl_ref:
         res = factory(
             saml.AuthnStatement,
             authn_instant=_instant,
             session_index=sid(),
+            session_not_on_or_after=session_not_on_or_after,
             authn_context=_authn_context_decl_ref(authn_decl_ref,
                                                   authn_auth))
     else:
         res = factory(
             saml.AuthnStatement,
             authn_instant=_instant,
-            session_index=sid())
+            session_index=sid(),
+            session_not_on_or_after=session_not_on_or_after)
 
     if subject_locality:
         res.subject_locality = saml.SubjectLocality(text=subject_locality)
@@ -719,7 +723,7 @@ def construct(self, sp_entity_id, attrconvs, policy, issuer, farg,
                   authn_class=None, authn_auth=None, authn_decl=None,
                   encrypt=None, sec_context=None, authn_decl_ref=None,
                   authn_instant="", subject_locality="", authn_statem=None,
-                  name_id=None):
+                  name_id=None, session_not_on_or_after=None):
         """ Construct the Assertion
 
         :param sp_entity_id: The entityid of the SP
@@ -770,7 +774,8 @@ def construct(self, sp_entity_id, attrconvs, policy, issuer, farg,
             _authn_statement = authn_statement(authn_class, authn_auth,
                                                authn_decl, authn_decl_ref,
                                                authn_instant,
-                                               subject_locality)
+                                               subject_locality,
+                                               session_not_on_or_after=session_not_on_or_after)
         else:
             _authn_statement = None
 
diff --git a/src/saml2/attributemaps/basic.py b/src/saml2/attributemaps/basic.py
@@ -61,7 +61,7 @@
         DEF+'eduPersonScopedAffiliation': 'eduPersonScopedAffiliation',
         DEF+'eduPersonTargetedID': 'eduPersonTargetedID',
         DEF+'eduPersonAssurance': 'eduPersonAssurance',
-        DEF+'eduPersonUniqueID': 'eduPersonUniqueID',
+        DEF+'eduPersonUniqueId': 'eduPersonUniqueId',
         DEF+'eduPersonOrcid': 'eduPersonOrcid',
         DEF+'email': 'email',
         DEF+'emailAddress': 'emailAddress',
@@ -228,7 +228,7 @@
         'eduPersonScopedAffiliation': DEF+'eduPersonScopedAffiliation',
         'eduPersonTargetedID': DEF+'eduPersonTargetedID',
         'eduPersonAssurance': DEF+'eduPersonAssurance',
-        'eduPersonUniqueID': DEF+'eduPersonUniqueID',
+        'eduPersonUniqueId': DEF+'eduPersonUniqueId',
         'eduPersonOrcid': DEF+'eduPersonOrcid',
         'email': DEF+'email',
         'emailAddress': DEF+'emailAddress',
diff --git a/src/saml2/attributemaps/saml_uri.py b/src/saml2/attributemaps/saml_uri.py
@@ -19,19 +19,19 @@
         EDUCOURSE_OID+'1': 'eduCourseOffering',
         EDUCOURSE_OID+'2': 'eduCourseMember',
         EDUPERSON_OID+'1': 'eduPersonAffiliation',
-        EDUPERSON_OID+'2': 'eduPersonEntitlement',
-        EDUPERSON_OID+'3': 'eduPersonNickname',
-        EDUPERSON_OID+'4': 'eduPersonOrgDN',
-        EDUPERSON_OID+'5': 'eduPersonOrgUnitDN',
-        EDUPERSON_OID+'6': 'eduPersonPrimaryAffiliation',
-        EDUPERSON_OID+'7': 'eduPersonPrimaryOrgUnitDN',
-        EDUPERSON_OID+'8': 'eduPersonPrincipalName',
-        EDUPERSON_OID+'9': 'eduPersonPrincipalName',
-        EDUPERSON_OID+'10': 'eduPersonScopedAffiliation',
-        EDUPERSON_OID+'11': 'eduPersonTargetedID',
-        EDUPERSON_OID+'12': 'eduPersonAssurance',
-        EDUPERSON_OID+'13': 'eduPersonUniqueID',
-        EDUPERSON_OID+'14': 'eduPersonOrcid',
+        EDUPERSON_OID+'2': 'eduPersonNickname',
+        EDUPERSON_OID+'3': 'eduPersonOrgDN',
+        EDUPERSON_OID+'4': 'eduPersonOrgUnitDN',
+        EDUPERSON_OID+'5': 'eduPersonPrimaryAffiliation',
+        EDUPERSON_OID+'6': 'eduPersonPrincipalName',
+        EDUPERSON_OID+'7': 'eduPersonEntitlement',
+        EDUPERSON_OID+'8': 'eduPersonPrimaryOrgUnitDN',
+        EDUPERSON_OID+'9': 'eduPersonScopedAffiliation',
+        EDUPERSON_OID+'10': 'eduPersonTargetedID',
+        EDUPERSON_OID+'11': 'eduPersonAssurance',
+        EDUPERSON_OID+'12': 'eduPersonPrincipalNamePrior',
+        EDUPERSON_OID+'13': 'eduPersonUniqueId',
+        EDUPERSON_OID+'16': 'eduPersonOrcid',
         LDAPGVAT_OID+'1': 'PVP-GID',
         LDAPGVAT_OID+'149': 'PVP-BPK',
         LDAPGVAT_OID+'153': 'PVP-OU-OKZ',
@@ -179,19 +179,19 @@
         'eduCourseMember': EDUCOURSE_OID+'2',
         'eduCourseOffering': EDUCOURSE_OID+'1',
         'eduPersonAffiliation': EDUPERSON_OID+'1',
-        'eduPersonEntitlement': EDUPERSON_OID+'2',
-        'eduPersonNickname': EDUPERSON_OID+'3',
-        'eduPersonOrgDN': EDUPERSON_OID+'4',
-        'eduPersonOrgUnitDN': EDUPERSON_OID+'5',
-        'eduPersonPrimaryAffiliation': EDUPERSON_OID+'6',
-        'eduPersonPrimaryOrgUnitDN': EDUPERSON_OID+'7',
-        'eduPersonPrincipalName': EDUPERSON_OID+'8',
-        'eduPersonPrincipalNamePrior': EDUPERSON_OID+'9',
-        'eduPersonScopedAffiliation': EDUPERSON_OID+'10',
-        'eduPersonTargetedID': EDUPERSON_OID+'11',
-        'eduPersonAssurance': EDUPERSON_OID+'12',
-        'eduPersonUniqueID': EDUPERSON_OID+'13',
-        'eduPersonOrcid': EDUPERSON_OID+'14',
+        'eduPersonEntitlement': EDUPERSON_OID+'7',
+        'eduPersonNickname': EDUPERSON_OID+'2',
+        'eduPersonOrgDN': EDUPERSON_OID+'3',
+        'eduPersonOrgUnitDN': EDUPERSON_OID+'4',
+        'eduPersonPrimaryAffiliation': EDUPERSON_OID+'5',
+        'eduPersonPrimaryOrgUnitDN': EDUPERSON_OID+'8',
+        'eduPersonPrincipalName': EDUPERSON_OID+'6',
+        'eduPersonPrincipalNamePrior': EDUPERSON_OID+'12',
+        'eduPersonScopedAffiliation': EDUPERSON_OID+'9',
+        'eduPersonTargetedID': EDUPERSON_OID+'10',
+        'eduPersonAssurance': EDUPERSON_OID+'11',
+        'eduPersonUniqueId': EDUPERSON_OID+'13',
+        'eduPersonOrcid': EDUPERSON_OID+'16',
         'email': PKCS_9+'1',
         'employeeNumber': NETSCAPE_LDAP+'3',
         'employeeType': NETSCAPE_LDAP+'4',
diff --git a/src/saml2/attributemaps/shibboleth_uri.py b/src/saml2/attributemaps/shibboleth_uri.py
@@ -11,19 +11,19 @@
     "identifier": "urn:mace:shibboleth:1.0:attributeNamespace:uri",
     'fro': {
         EDUPERSON_OID+'1': 'eduPersonAffiliation',
-        EDUPERSON_OID+'2': 'eduPersonEntitlement',
-        EDUPERSON_OID+'3': 'eduPersonNickname',
-        EDUPERSON_OID+'4': 'eduPersonOrgDN',
-        EDUPERSON_OID+'5': 'eduPersonOrgUnitDN',
-        EDUPERSON_OID+'6': 'eduPersonPrimaryAffiliation',
-        EDUPERSON_OID+'7': 'eduPersonPrimaryOrgUnitDN',
-        EDUPERSON_OID+'8': 'eduPersonPrincipalName',
-        EDUPERSON_OID+'9': 'eduPersonPrincipalNamePrior',
-        EDUPERSON_OID+'10': 'eduPersonScopedAffiliation',
-        EDUPERSON_OID+'11': 'eduPersonTargetedID',
-        EDUPERSON_OID+'12': 'eduPersonAssurance',
-        EDUPERSON_OID+'13': 'eduPersonUniqueID',
-        EDUPERSON_OID+'14': 'eduPersonOrcid',
+        EDUPERSON_OID+'2': 'eduPersonNickname',
+        EDUPERSON_OID+'3': 'eduPersonOrgDN',
+        EDUPERSON_OID+'4': 'eduPersonOrgUnitDN',
+        EDUPERSON_OID+'5': 'eduPersonPrimaryAffiliation',
+        EDUPERSON_OID+'6': 'eduPersonPrincipalName',
+        EDUPERSON_OID+'7': 'eduPersonEntitlement',
+        EDUPERSON_OID+'8': 'eduPersonPrimaryOrgUnitDN',
+        EDUPERSON_OID+'9': 'eduPersonScopedAffiliation',
+        EDUPERSON_OID+'10': 'eduPersonTargetedID',
+        EDUPERSON_OID+'11': 'eduPersonAssurance',
+        EDUPERSON_OID+'12': 'eduPersonPrincipalNamePrior',
+        EDUPERSON_OID+'13': 'eduPersonUniqueId',
+        EDUPERSON_OID+'16': 'eduPersonOrcid',
         NETSCAPE_LDAP+'1': 'carLicense',
         NETSCAPE_LDAP+'2': 'departmentNumber',
         NETSCAPE_LDAP+'3': 'employeeNumber',
@@ -114,19 +114,19 @@
         'dnQualifier': X500ATTR+'46',
         'domainComponent': UCL_DIR_PILOT+'25',
         'eduPersonAffiliation': EDUPERSON_OID+'1',
-        'eduPersonEntitlement': EDUPERSON_OID+'2',
-        'eduPersonNickname': EDUPERSON_OID+'3',
-        'eduPersonOrgDN': EDUPERSON_OID+'4',
-        'eduPersonOrgUnitDN': EDUPERSON_OID+'5',
-        'eduPersonPrimaryAffiliation': EDUPERSON_OID+'6',
-        'eduPersonPrimaryOrgUnitDN': EDUPERSON_OID+'7',
-        'eduPersonPrincipalName': EDUPERSON_OID+'8',
-        'eduPersonPrincipalNamePrior': EDUPERSON_OID+'9',
-        'eduPersonScopedAffiliation': EDUPERSON_OID+'10',
-        'eduPersonTargetedID': EDUPERSON_OID+'11',
-        'eduPersonAssurance': EDUPERSON_OID+'12',
-        'eduPersonUniqueID': EDUPERSON_OID+'13',
-        'eduPersonOrcid': EDUPERSON_OID+'14',
+        'eduPersonEntitlement': EDUPERSON_OID+'7',
+        'eduPersonNickname': EDUPERSON_OID+'2',
+        'eduPersonOrgDN': EDUPERSON_OID+'3',
+        'eduPersonOrgUnitDN': EDUPERSON_OID+'4',
+        'eduPersonPrimaryAffiliation': EDUPERSON_OID+'5',
+        'eduPersonPrimaryOrgUnitDN': EDUPERSON_OID+'8',
+        'eduPersonPrincipalName': EDUPERSON_OID+'6',
+        'eduPersonPrincipalNamePrior': EDUPERSON_OID+'12',
+        'eduPersonScopedAffiliation': EDUPERSON_OID+'9',
+        'eduPersonTargetedID': EDUPERSON_OID+'10',
+        'eduPersonAssurance': EDUPERSON_OID+'11',
+        'eduPersonUniqueId': EDUPERSON_OID+'13',
+        'eduPersonOrcid': EDUPERSON_OID+'16',
         'email': PKCS_9+'1',
         'emailAddress': PKCS_9+'1',
         'employeeNumber': NETSCAPE_LDAP+'3',
diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
@@ -902,6 +902,9 @@ def load(self, *args, **kwargs):
         elif typ == "loader":
             key = args[1]
             _md = MetaDataLoader(self.attrc, args[1], **_args)
+        elif typ == "mdq":
+            key = args[1]
+            _md = MetaDataMDX(args[1])
         else:
             raise SAMLError("Unknown metadata type '%s'" % typ)
         _md.load()
@@ -992,10 +995,7 @@ def extension(self, entity_id, typ, service):
             try:
                 srvs = _md[entity_id][typ]
             except KeyError:
-                return None
-
-            if not srvs:
-                return srvs
+                continue
 
             res = []
             for srv in srvs:
@@ -1005,6 +1005,8 @@ def extension(self, entity_id, typ, service):
                             res.append(elem)
             return res
 
+        return None
+
     def ext_service(self, entity_id, typ, service, binding=None):
         known_entity = False
         for key, _md in self.metadata.items():
diff --git a/src/saml2/server.py b/src/saml2/server.py
@@ -326,7 +326,8 @@ def update_farg(in_response_to, consumer_url, farg=None):
 
     def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                         name_id, policy, _issuer, authn_statement, identity,
-                        best_effort, sign_response, farg=None, **kwargs):
+                        best_effort, sign_response, farg=None,
+                        session_not_on_or_after=None, **kwargs):
         """
         Construct and return the Assertion
 
@@ -370,17 +371,20 @@ def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
             assertion = ast.construct(
                 sp_entity_id, self.config.attribute_converters, policy,
                 issuer=_issuer, farg=farg['assertion'], name_id=name_id,
+                session_not_on_or_after=session_not_on_or_after,
                 **authn_args)
 
         elif authn_statement:  # Got a complete AuthnStatement
             assertion = ast.construct(
                 sp_entity_id, self.config.attribute_converters, policy,
                 issuer=_issuer, authn_statem=authn_statement,
-                farg=farg['assertion'], name_id=name_id, **kwargs)
+                farg=farg['assertion'], name_id=name_id,
+                **kwargs)
         else:
             assertion = ast.construct(
                 sp_entity_id, self.config.attribute_converters, policy,
                 issuer=_issuer, farg=farg['assertion'], name_id=name_id,
+                session_not_on_or_after=session_not_on_or_after,
                 **kwargs)
         return assertion
 
@@ -394,7 +398,7 @@ def _authn_response(self, in_response_to, consumer_url,
                         encrypt_assertion_self_contained=False,
                         encrypted_advice_attributes=False,
                         pefim=False, sign_alg=None, digest_alg=None,
-                        farg=None):
+                        farg=None, session_not_on_or_after=None):
         """ Create a response. A layer of indirection.
 
         :param in_response_to: The session identifier of the request
@@ -455,7 +459,7 @@ def _authn_response(self, in_response_to, consumer_url,
             assertion = self.setup_assertion(
                 authn, sp_entity_id, in_response_to, consumer_url, name_id,
                 policy, _issuer, authn_statement, [], True, sign_response,
-                farg=farg)
+                farg=farg, session_not_on_or_after=session_not_on_or_after)
             assertion.advice = saml.Advice()
 
             # assertion.advice.assertion_id_ref.append(saml.AssertionIDRef())
@@ -465,7 +469,8 @@ def _authn_response(self, in_response_to, consumer_url,
             assertion = self.setup_assertion(
                 authn, sp_entity_id, in_response_to, consumer_url, name_id,
                 policy, _issuer, authn_statement, identity, True,
-                sign_response, farg=farg)
+                sign_response, farg=farg,
+                session_not_on_or_after=session_not_on_or_after)
 
         to_sign = []
         if not encrypt_assertion:
@@ -681,6 +686,7 @@ def create_authn_response(self, identity, in_response_to, destination,
                               encrypt_assertion_self_contained=True,
                               encrypted_advice_attributes=False, pefim=False,
                               sign_alg=None, digest_alg=None,
+                              session_not_on_or_after=None,
                               **kwargs):
         """ Constructs an AuthenticationResponse
 
@@ -741,11 +747,13 @@ def create_authn_response(self, identity, in_response_to, destination,
                     return self._authn_response(
                         in_response_to, destination, sp_entity_id, identity,
                         authn=_authn, issuer=issuer, pefim=pefim,
-                        sign_alg=sign_alg, digest_alg=digest_alg, **args)
+                        sign_alg=sign_alg, digest_alg=digest_alg,
+                        session_not_on_or_after=session_not_on_or_after, **args)
             return self._authn_response(
                 in_response_to, destination, sp_entity_id, identity,
                 authn=_authn, issuer=issuer, pefim=pefim, sign_alg=sign_alg,
-                digest_alg=digest_alg, **args)
+                digest_alg=digest_alg,
+                session_not_on_or_after=session_not_on_or_after, **args)
 
         except MissingValue as exc:
             return self.create_error_response(in_response_to, destination,
@@ -756,13 +764,15 @@ def create_authn_request_response(self, identity, in_response_to,
                                       name_id_policy=None, userid=None,
                                       name_id=None, authn=None, authn_decl=None,
                                       issuer=None, sign_response=False,
-                                      sign_assertion=False, **kwargs):
+                                      sign_assertion=False,
+                                      session_not_on_or_after=None, **kwargs):
 
         return self.create_authn_response(identity, in_response_to, destination,
                                           sp_entity_id, name_id_policy, userid,
                                           name_id, authn, issuer,
                                           sign_response, sign_assertion,
-                                          authn_decl=authn_decl)
+                                          authn_decl=authn_decl,
+                                          session_not_on_or_after=session_not_on_or_after)
 
     # noinspection PyUnusedLocal
     def create_assertion_id_request_response(self, assertion_id, sign=False,
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
@@ -586,7 +586,7 @@ def parse_xmlsec_output(output):
     :param output: The output from Popen
     :return: A boolean; True if the command was a success otherwise False
     """
-    for line in output.split("\n"):
+    for line in output.splitlines():
         if line == "OK":
             return True
         elif line == "FAIL":
diff --git a/src/saml2/validate.py b/src/saml2/validate.py
diff --git a/tests/test_20_assertion.py b/tests/test_20_assertion.py
diff --git a/tests/test_30_mdstore.py b/tests/test_30_mdstore.py
diff --git a/tests/test_40_sigver.py b/tests/test_40_sigver.py
diff --git a/tools/mdexport.py b/tools/mdexport.py

-Original file line number
+Diff line change
 *.tmpl
 *.iml
 _build/
 +.cache
 +*.swp
 example/idp3/htdocs/login.mako