Added the possibility to set signature and digest algorithm on all the functions I identified.

pysaml2 has a default value for sign and digest. To make it possible to always use the same algorithm this default value has been replaced with a singleton class.

 The first time the singleton class is instantiated the sign and digest algorithm will be set. After that it cannot be changed. A good place to setup this single class is in the server setup.

 Example:
        ds.DefaultSignature(ds.SIG_RSA_SHA512, ds.DIGEST_SHA512)

Author: Hans Hörberg

setup.py

@@ -43,6 +43,7 @@ def run_tests(self):
     'pytest',
     'mako',
     'webob',
+    'mock'
     #'pytest-coverage',
 ]
 

src/saml2/client.py

@@ -135,7 +135,7 @@ def prepare_for_negotiated_authenticate(
             raise SignOnError(
                 "No supported bindings available for authentication")
 
-    def global_logout(self, name_id, reason="", expire=None, sign=None):
+    def global_logout(self, name_id, reason="", expire=None, sign=None, sign_alg=None, digest_alg=None):
         """ More or less a layer of indirection :-/
         Bootstrapping the whole thing by finding all the IdPs that should
         be notified.
@@ -160,10 +160,10 @@ def global_logout(self, name_id, reason="", expire=None, sign=None):
 
         # find out which IdPs/AAs I should notify
         entity_ids = self.users.issuers_of_info(name_id)
-        return self.do_logout(name_id, entity_ids, reason, expire, sign)
+        return self.do_logout(name_id, entity_ids, reason, expire, sign, sign_alg=sign_alg)
 
     def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
-                  expected_binding=None, **kwargs):
+                  expected_binding=None, sign_alg=None, digest_alg=None, **kwargs):
         """
 
         :param name_id: Identifier of the Subject (a NameID instance)
@@ -226,11 +226,11 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
                 key = None
                 if sign:
                     if binding == BINDING_HTTP_REDIRECT:
-                        sigalg = kwargs.get("sigalg", ds.sig_default)
+                        sigalg = kwargs.get("sigalg", ds.DefaultSignature().get_sign_alg())
                         key = kwargs.get("key", self.signkey)
                         srequest = str(request)
                     else:
-                        srequest = self.sign(request)
+                        srequest = self.sign(request, sign_alg=sign_alg)
                 else:
                     srequest = str(request)
 
@@ -290,7 +290,7 @@ def is_logged_in(self, name_id):
         identity = self.users.get_identity(name_id)[0]
         return bool(identity)
 
-    def handle_logout_response(self, response):
+    def handle_logout_response(self, response, sign_alg=None, digest_alg=None):
         """ handles a Logout response
 
         :param response: A response.Response instance
@@ -309,10 +309,12 @@ def handle_logout_response(self, response):
             return 0, "200 Ok", [("Content-type", "text/html")], []
         else:
             status["entity_ids"].remove(issuer)
+            if "sign_alg" in status:
+                sign_alg = status["sign_alg"]
             return self.do_logout(decode(status["name_id"]),
                                   status["entity_ids"],
                                   status["reason"], status["not_on_or_after"],
-                                  status["sign"])
+                                  status["sign"], sign_alg=sign_alg)
 
     def _use_soap(self, destination, query_type, **kwargs):
         _create_func = getattr(self, "create_%s" % query_type)

src/saml2/client_base.py

@@ -202,7 +202,7 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                              nameid_format=None,
                              service_url_binding=None, message_id=0,
                              consent=None, extensions=None, sign=None,
-                             allow_create=False, sign_prepare=False, **kwargs):
+                             allow_create=False, sign_prepare=False, sign_alg=None, digest_alg=None, **kwargs):
         """ Creates an authentication request.
 
         :param destination: Where the request should be sent.
@@ -339,15 +339,15 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                 return self._message(AuthnRequest, destination, message_id,
                                      consent, extensions, sign, sign_prepare,
                                      protocol_binding=binding,
-                                     scoping=scoping, nsprefix=nsprefix, **args)
+                                     scoping=scoping, nsprefix=nsprefix, sign_alg=sign_alg, **args)
         return self._message(AuthnRequest, destination, message_id, consent,
                              extensions, sign, sign_prepare,
                              protocol_binding=binding,
-                             scoping=scoping, nsprefix=nsprefix, **args)
+                             scoping=scoping, nsprefix=nsprefix, sign_alg=sign_alg, **args)
 
     def create_attribute_query(self, destination, name_id=None,
                                attribute=None, message_id=0, consent=None,
-                               extensions=None, sign=False, sign_prepare=False,
+                               extensions=None, sign=False, sign_prepare=False, sign_alg=None, digest_alg=None,
                                **kwargs):
         """ Constructs an AttributeQuery
 
@@ -404,15 +404,15 @@ def create_attribute_query(self, destination, name_id=None,
 
         return self._message(AttributeQuery, destination, message_id, consent,
                              extensions, sign, sign_prepare, subject=subject,
-                             attribute=attribute, nsprefix=nsprefix)
+                             attribute=attribute, nsprefix=nsprefix, sign_alg=sign_alg)
 
     # MUST use SOAP for
     # AssertionIDRequest, SubjectQuery,
     # AuthnQuery, AttributeQuery, or AuthzDecisionQuery
     def create_authz_decision_query(self, destination, action,
                                     evidence=None, resource=None, subject=None,
                                     message_id=0, consent=None, extensions=None,
-                                    sign=None, **kwargs):
+                                    sign=None, sign_alg=None, digest_alg=None, **kwargs):
         """ Creates an authz decision query.
 
         :param destination: The IdP endpoint
@@ -430,7 +430,7 @@ def create_authz_decision_query(self, destination, action,
         return self._message(AuthzDecisionQuery, destination, message_id,
                              consent, extensions, sign, action=action,
                              evidence=evidence, resource=resource,
-                             subject=subject, **kwargs)
+                             subject=subject, sign_alg=sign_alg, **kwargs)
 
     def create_authz_decision_query_using_assertion(self, destination,
                                                     assertion, action=None,
@@ -482,7 +482,7 @@ def create_assertion_id_request(assertion_id_refs, **kwargs):
 
     def create_authn_query(self, subject, destination=None, authn_context=None,
                            session_index="", message_id=0, consent=None,
-                           extensions=None, sign=False, nsprefix=None):
+                           extensions=None, sign=False, nsprefix=None, sign_alg=None, digest_alg=None):
         """
 
         :param subject: The subject its all about as a <Subject> instance
@@ -499,14 +499,14 @@ def create_authn_query(self, subject, destination=None, authn_context=None,
                              extensions, sign, subject=subject,
                              session_index=session_index,
                              requested_authn_context=authn_context,
-                             nsprefix=nsprefix)
+                             nsprefix=nsprefix, sign_alg=sign_alg)
 
     def create_name_id_mapping_request(self, name_id_policy,
                                        name_id=None, base_id=None,
                                        encrypted_id=None, destination=None,
                                        message_id=0, consent=None,
                                        extensions=None, sign=False,
-                                       nsprefix=None):
+                                       nsprefix=None, sign_alg=None, digest_alg=None):
         """
 
         :param name_id_policy:
@@ -528,17 +528,17 @@ def create_name_id_mapping_request(self, name_id_policy,
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy, name_id=name_id,
-                                 nsprefix=nsprefix)
+                                 nsprefix=nsprefix, sign_alg=sign_alg)
         elif base_id:
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy, base_id=base_id,
-                                 nsprefix=nsprefix)
+                                 nsprefix=nsprefix, sign_alg=sign_alg)
         else:
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy,
-                                 encrypted_id=encrypted_id, nsprefix=nsprefix)
+                                 encrypted_id=encrypted_id, nsprefix=nsprefix, sign_alg=sign_alg)
 
     # ======== response handling ===========