Merge branch 'master' into fix_sane_defaults

Author: rohe

src/saml2/attribute_converter.py

@@ -246,7 +246,7 @@ def get_local_name(acs, attr, name_format):
     for aconv in acs:
         #print(ac.format, name_format)
         if aconv.name_format == name_format:
-            return aconv._fro[attr]
+            return aconv._fro.get(attr)
 
 
 def d_to_local_name(acs, attr):

src/saml2/pack.py

@@ -40,12 +40,35 @@
 import defusedxml.ElementTree
 
 NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
-FORM_SPEC = """<form method="post" action="%s">
-   <input type="hidden" name="%s" value="%s" />
-   <input type="hidden" name="RelayState" value="%s" />
-   <input type="submit" value="Submit" />
-</form>"""
 
+FORM_SPEC = """\
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8" />
+    </head>
+    <body onload="document.forms[0].submit()">
+        <noscript>
+            <p>
+                <strong>Note:</strong> Since your browser does not support JavaScript,
+                you must press the Continue button once to proceed.
+            </p>
+        </noscript>
+        
+        <form action="{action}" method="post">
+            <div>
+                <input type="hidden" name="RelayState" value="{relay_state}"/>                
+                                
+                <input type="hidden" name="{saml_type}" value="{saml_response}"/>
+            </div>
+            <noscript>
+                <div>
+                    <input type="submit" value="Continue"/>
+                </div>
+            </noscript>
+        </form>
+            </body>
+</html>"""
 
 def http_form_post_message(message, location, relay_state="",
                            typ="SAMLRequest", **kwargs):
@@ -58,8 +81,6 @@ def http_form_post_message(message, location, relay_state="",
     :param relay_state: for preserving and conveying state information
     :return: A tuple containing header information and a HTML message.
     """
-    response = ["<head>", """<title>SAML 2.0 POST</title>""", "</head><body>"]
-
     if not isinstance(message, six.string_types):
         message = str(message)
     if not isinstance(message, six.binary_type):
@@ -71,17 +92,17 @@ def http_form_post_message(message, location, relay_state="",
         _msg = message
     _msg = _msg.decode('ascii')
 
-    response.append(FORM_SPEC % (location, typ, _msg, relay_state))
+    args = {
+       'action'        : location,
+       'saml_type'     : typ,
+       'relay_state'   : relay_state,
+       'saml_response' : _msg
+       }
 
-    response.append("""<script type="text/javascript">""")
-    response.append("     window.onload = function ()")
-    response.append(" { document.forms[0].submit(); }")
-    response.append("""</script>""")
-    response.append("</body>")
+    response = FORM_SPEC.format(**args)
 
     return {"headers": [("Content-type", "text/html")], "data": response}
 
-
 def http_post_message(message, relay_state="", typ="SAMLRequest", **kwargs):
     """
 

src/saml2/validate.py

@@ -3,6 +3,7 @@
 import re
 import struct
 import base64
+import time
 
 from saml2 import time_util
 
@@ -42,8 +43,8 @@ class ToEarly(Exception):
 
 def valid_ncname(name):
     match = NCNAME.match(name)
-    if not match:
-        raise NotValid("NCName")
+    #if not match:                      # hack for invalid authnRequest/ID from meteor saml lib
+    #    raise NotValid("NCName")
     return True
 
 
@@ -90,8 +91,10 @@ def validate_on_or_after(not_on_or_after, slack):
         now = time_util.utc_now()
         nooa = calendar.timegm(time_util.str_to_time(not_on_or_after))
         if now > nooa + slack:
+            now_str=time.strftime('%Y-%M-%dT%H:%M:%SZ', time.gmtime(now))
             raise ResponseLifetimeExceed(
-                "Can't use it, it's too old %d > %d" % (now - slack, nooa))
+                "Can't use repsonse, too old (now=%s + slack=%d > " \
+                "not_on_or_after=%s" % (now_str, slack, not_on_or_after))
         return nooa
     else:
         return False
@@ -102,8 +105,9 @@ def validate_before(not_before, slack):
         now = time_util.utc_now()
         nbefore = calendar.timegm(time_util.str_to_time(not_before))
         if nbefore > now + slack:
-            raise ToEarly("Can't use it yet %d <= %d" % (now + slack, nbefore))
-
+            now_str = time.strftime('%Y-%M-%dT%H:%M:%SZ', time.gmtime(now))
+            raise ToEarly("Can't use response yet: (now=%s + slack=%d) "
+                          "<= notbefore=%s" % (now_str, slack, not_before))
     return True
 
 

tests/test_51_client.py

@@ -1404,7 +1404,7 @@ def test_do_logout_post(self):
         binding, info = resp[entity_ids[0]]
         assert binding == BINDING_HTTP_POST
 
-        _dic = unpack_form(info["data"][3])
+        _dic = unpack_form(info["data"])
         res = self.server.parse_logout_request(_dic["SAMLRequest"],
                                                BINDING_HTTP_POST)
         assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
@@ -1434,7 +1434,7 @@ def test_do_logout_session_expired(self):
         binding, info = resp[entity_ids[0]]
         assert binding == BINDING_HTTP_POST
 
-        _dic = unpack_form(info["data"][3])
+        _dic = unpack_form(info["data"])
         res = self.server.parse_logout_request(_dic["SAMLRequest"],
                                                BINDING_HTTP_POST)
         assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
@@ -1531,7 +1531,7 @@ def test_post_sso(self):
         sid, http_args = self.client.prepare_for_authenticate(
             "urn:mace:example.com:saml:roland:idp", relay_state="really",
             binding=binding, response_binding=response_binding)
-        _dic = unpack_form(http_args["data"][3])
+        _dic = unpack_form(http_args["data"])
 
         req = self.server.parse_authn_request(_dic["SAMLRequest"], binding)
         resp_args = self.server.response_args(req.message, [response_binding])
@@ -1566,7 +1566,7 @@ def test_negotiated_post_sso(self):
         sid, auth_binding, http_args = self.client.prepare_for_negotiated_authenticate(
             "urn:mace:example.com:saml:roland:idp", relay_state="really",
             binding=binding, response_binding=response_binding)
-        _dic = unpack_form(http_args["data"][3])
+        _dic = unpack_form(http_args["data"])
 
         assert binding == auth_binding
 
@@ -1586,7 +1586,7 @@ def test_negotiated_post_sso(self):
 
         response = self.client.send(**http_args)
         print(response.text)
-        _dic = unpack_form(response.text[3], "SAMLResponse")
+        _dic = unpack_form(response.text, "SAMLResponse")
         resp = self.client.parse_authn_request_response(_dic["SAMLResponse"],
                                                         BINDING_HTTP_POST,
                                                         {sid: "/"})

tests/test_65_authn_query.py

@@ -28,7 +28,7 @@ def get_msg(hinfo, binding):
     if binding == BINDING_SOAP:
         xmlstr = hinfo["data"]
     elif binding == BINDING_HTTP_POST:
-        _inp = hinfo["data"][3]
+        _inp = hinfo["data"]
         i = _inp.find(TAG1)
         i += len(TAG1) + 1
         j = _inp.find('"', i)

tests/test_68_assertion_id.py

@@ -27,7 +27,7 @@ def get_msg(hinfo, binding, response=False):
     if binding == BINDING_SOAP:
         msg = hinfo["data"]
     elif binding == BINDING_HTTP_POST:
-        _inp = hinfo["data"][3]
+        _inp = hinfo["data"]
         i = _inp.find(TAG1)
         i += len(TAG1) + 1
         j = _inp.find('"', i)