5757 "subject_locality" : "subject_locality"
5858}
5959
60+
6061def _shelve_compat (name , * args , ** kwargs ):
6162 try :
6263 return shelve .open (name , * args , ** kwargs )
@@ -132,7 +133,7 @@ def init_config(self, stype="idp"):
132133 elif isinstance (dbspec , six .string_types ):
133134 idb = _shelve_compat (dbspec , writeback = True , protocol = 2 )
134135 else : # database spec is a a 2-tuple (type, address)
135- #print(>> sys.stderr, "DBSPEC: %s" % (dbspec,))
136+ # print(>> sys.stderr, "DBSPEC: %s" % (dbspec,))
136137 (typ , addr ) = dbspec
137138 if typ == "shelve" :
138139 idb = _shelve_compat (addr , writeback = True , protocol = 2 )
@@ -289,8 +290,10 @@ def parse_name_id_mapping_request(self, xml_string, binding):
289290
290291 # ------------------------------------------------------------------------
291292
292- def setup_assertion (self , authn , sp_entity_id , in_response_to , consumer_url , name_id , policy , _issuer ,
293- authn_statement , identity , best_effort , sign_response , add_subject = True ):
293+ def setup_assertion (self , authn , sp_entity_id , in_response_to , consumer_url ,
294+ name_id , policy , _issuer ,
295+ authn_statement , identity , best_effort , sign_response ,
296+ add_subject = True ):
294297 ast = Assertion (identity )
295298 ast .acs = self .config .getattr ("attribute_converters" , "idp" )
296299 if policy is None :
@@ -305,34 +308,40 @@ def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url, nam
305308 if authn : # expected to be a dictionary
306309 # Would like to use dict comprehension but ...
307310 authn_args = dict ([
308- (AUTHN_DICT_MAP [k ], v ) for k , v in authn .items ()
309- if k in AUTHN_DICT_MAP ])
311+ (AUTHN_DICT_MAP [k ], v ) for k , v in
312+ authn .items ()
313+ if k in AUTHN_DICT_MAP ])
310314
311315 assertion = ast .construct (sp_entity_id , in_response_to ,
312316 consumer_url , name_id ,
313317 self .config .attribute_converters ,
314- policy , issuer = _issuer , add_subject = add_subject ,
318+ policy , issuer = _issuer ,
319+ add_subject = add_subject ,
315320 ** authn_args )
316321 elif authn_statement : # Got a complete AuthnStatement
317322 assertion = ast .construct (sp_entity_id , in_response_to ,
318323 consumer_url , name_id ,
319324 self .config .attribute_converters ,
320325 policy , issuer = _issuer ,
321- authn_statem = authn_statement , add_subject = add_subject )
326+ authn_statem = authn_statement ,
327+ add_subject = add_subject )
322328 else :
323329 assertion = ast .construct (sp_entity_id , in_response_to ,
324330 consumer_url , name_id ,
325331 self .config .attribute_converters ,
326- policy , issuer = _issuer , add_subject = add_subject )
332+ policy , issuer = _issuer ,
333+ add_subject = add_subject )
327334 return assertion
328335
329336 def _authn_response (self , in_response_to , consumer_url ,
330337 sp_entity_id , identity = None , name_id = None ,
331338 status = None , authn = None , issuer = None , policy = None ,
332339 sign_assertion = False , sign_response = False ,
333340 best_effort = False , encrypt_assertion = False ,
334- encrypt_cert_advice = None , encrypt_cert_assertion = None , authn_statement = None ,
335- encrypt_assertion_self_contained = False , encrypted_advice_attributes = False , pefim = False ):
341+ encrypt_cert_advice = None , encrypt_cert_assertion = None ,
342+ authn_statement = None ,
343+ encrypt_assertion_self_contained = False ,
344+ encrypted_advice_attributes = False , pefim = False ):
336345 """ Create a response. A layer of indirection.
337346
338347 :param in_response_to: The session identifier of the request
@@ -351,23 +360,27 @@ def _authn_response(self, in_response_to, consumer_url,
351360 :param best_effort: Even if not the SPs demands can be met send a
352361 response.
353362 :param encrypt_assertion: True if assertions should be encrypted.
354- :param encrypt_assertion_self_contained: True if all encrypted assertions should have alla namespaces
363+ :param encrypt_assertion_self_contained: True if all encrypted
364+ assertions should have alla namespaces
355365 selfcontained.
356- :param encrypted_advice_attributes: True if assertions in the advice element should be encrypted.
357- :param encrypt_cert_advice: Certificate to be used for encryption of assertions in the advice element.
358- :param encrypt_cert_assertion: Certificate to be used for encryption of assertions.
366+ :param encrypted_advice_attributes: True if assertions in the advice
367+ element should be encrypted.
368+ :param encrypt_cert_advice: Certificate to be used for encryption of
369+ assertions in the advice element.
370+ :param encrypt_cert_assertion: Certificate to be used for encryption
371+ of assertions.
359372 :param authn_statement: Authentication statement.
360373 :param sign_assertion: True if assertions should be signed.
361- :param pefim: True if a response according to the PEFIM profile should be created.
374+ :param pefim: True if a response according to the PEFIM profile
375+ should be created.
362376 :return: A response instance
363377 """
364378
365- to_sign = []
366379 args = {}
367- #if identity:
380+ # if identity:
368381 _issuer = self ._issuer (issuer )
369382
370- #if encrypt_assertion and show_nameid:
383+ # if encrypt_assertion and show_nameid:
371384 # tmp_name_id = name_id
372385 # name_id = None
373386 # name_id = None
@@ -379,58 +392,56 @@ def _authn_response(self, in_response_to, consumer_url,
379392 if pefim :
380393 encrypted_advice_attributes = True
381394 encrypt_assertion_self_contained = True
382- assertion_attributes = self .setup_assertion (None , sp_entity_id , None , None , None , policy ,
383- None , None , identity , best_effort , sign_response , False )
384- assertion = self .setup_assertion (authn , sp_entity_id , in_response_to , consumer_url ,
385- name_id , policy , _issuer , authn_statement , [], True ,
395+ assertion_attributes = self .setup_assertion (None , sp_entity_id ,
396+ None , None , None ,
397+ policy ,
398+ None , None , identity ,
399+ best_effort ,
400+ sign_response , False )
401+ assertion = self .setup_assertion (authn , sp_entity_id ,
402+ in_response_to , consumer_url ,
403+ name_id , policy , _issuer ,
404+ authn_statement , [], True ,
386405 sign_response )
387406 assertion .advice = saml .Advice ()
388407
389- #assertion.advice.assertion_id_ref.append(saml.AssertionIDRef())
390- #assertion.advice.assertion_uri_ref.append(saml.AssertionURIRef())
408+ # assertion.advice.assertion_id_ref.append(saml.AssertionIDRef())
409+ # assertion.advice.assertion_uri_ref.append(saml.AssertionURIRef())
391410 assertion .advice .assertion .append (assertion_attributes )
392411 else :
393- assertion = self .setup_assertion (authn , sp_entity_id , in_response_to , consumer_url ,
394- name_id , policy , _issuer , authn_statement , identity , True ,
412+ assertion = self .setup_assertion (authn , sp_entity_id ,
413+ in_response_to , consumer_url ,
414+ name_id , policy , _issuer ,
415+ authn_statement , identity , True ,
395416 sign_response )
396417
397418 to_sign = []
398419 if not encrypt_assertion :
399420 if sign_assertion :
400- assertion .signature = pre_signature_part (assertion .id , self .sec .my_cert , 1 )
421+ assertion .signature = pre_signature_part (assertion .id ,
422+ self .sec .my_cert , 1 )
401423 to_sign .append ((class_name (assertion ), assertion .id ))
402424
403- #if not encrypted_advice_attributes:
404- # if sign_assertion:
405- # if assertion.advice and assertion.advice.assertion:
406- # for tmp_assertion in assertion.advice.assertion:
407- # tmp_assertion.signature = pre_signature_part(tmp_assertion.id, self.sec.my_cert, 1)
408- # to_sign.append((class_name(tmp_assertion), tmp_assertion.id))
409-
410- # Store which assertion that has been sent to which SP about which
411- # subject.
412-
413- # self.cache.set(assertion.subject.name_id.text,
414- # sp_entity_id, {"ava": identity, "authn": authn},
415- # assertion.conditions.not_on_or_after)
416-
417425 args ["assertion" ] = assertion
418426
419427 if (self .support_AssertionIDRequest () or self .support_AuthnQuery ()):
420428 self .session_db .store_assertion (assertion , to_sign )
421429
422- return self ._response (in_response_to , consumer_url , status , issuer ,
423- sign_response , to_sign ,sp_entity_id = sp_entity_id , encrypt_assertion = encrypt_assertion ,
424- encrypt_cert_advice = encrypt_cert_advice ,
425- encrypt_cert_assertion = encrypt_cert_assertion ,
426- encrypt_assertion_self_contained = encrypt_assertion_self_contained ,
427- encrypted_advice_attributes = encrypted_advice_attributes ,sign_assertion = sign_assertion ,
428- pefim = pefim ,
429- ** args )
430+ return self ._response (
431+ in_response_to , consumer_url , status , issuer ,
432+ sign_response , to_sign , sp_entity_id = sp_entity_id ,
433+ encrypt_assertion = encrypt_assertion ,
434+ encrypt_cert_advice = encrypt_cert_advice ,
435+ encrypt_cert_assertion = encrypt_cert_assertion ,
436+ encrypt_assertion_self_contained = encrypt_assertion_self_contained ,
437+ encrypted_advice_attributes = encrypted_advice_attributes ,
438+ sign_assertion = sign_assertion ,
439+ pefim = pefim ,
440+ ** args )
430441
431442 # ------------------------------------------------------------------------
432443
433- #noinspection PyUnusedLocal
444+ # noinspection PyUnusedLocal
434445 def create_attribute_response (self , identity , in_response_to , destination ,
435446 sp_entity_id , userid = "" , name_id = None ,
436447 status = None , issuer = None ,
@@ -500,7 +511,9 @@ def create_authn_response(self, identity, in_response_to, destination,
500511 sp_entity_id , name_id_policy = None , userid = None ,
501512 name_id = None , authn = None , issuer = None ,
502513 sign_response = None , sign_assertion = None ,
503- encrypt_cert_advice = None , encrypt_cert_assertion = None , encrypt_assertion = None ,
514+ encrypt_cert_advice = None ,
515+ encrypt_cert_assertion = None ,
516+ encrypt_assertion = None ,
504517 encrypt_assertion_self_contained = True ,
505518 encrypted_advice_attributes = False , pefim = False ,
506519 ** kwargs ):
@@ -520,13 +533,18 @@ def create_authn_response(self, identity, in_response_to, destination,
520533 :param sign_assertion: Whether the assertion should be signed or not.
521534 :param sign_response: Whether the response should be signed or not.
522535 :param encrypt_assertion: True if assertions should be encrypted.
523- :param encrypt_assertion_self_contained: True if all encrypted assertions should have alla namespaces
536+ :param encrypt_assertion_self_contained: True if all encrypted
537+ assertions should have alla namespaces
524538 selfcontained.
525- :param encrypted_advice_attributes: True if assertions in the advice element should be encrypted.
526- :param encrypt_cert_advice: Certificate to be used for encryption of assertions in the advice element.
527- :param encrypt_cert_assertion: Certificate to be used for encryption of assertions.
539+ :param encrypted_advice_attributes: True if assertions in the advice
540+ element should be encrypted.
541+ :param encrypt_cert_advice: Certificate to be used for encryption of
542+ assertions in the advice element.
543+ :param encrypt_cert_assertion: Certificate to be used for encryption
544+ of assertions.
528545 :param sign_assertion: True if assertions should be signed.
529- :param pefim: True if a response according to the PEFIM profile should be created.
546+ :param pefim: True if a response according to the PEFIM profile
547+ should be created.
530548 :return: A response instance
531549 """
532550
@@ -555,34 +573,43 @@ def create_authn_response(self, identity, in_response_to, destination,
555573 if encrypt_assertion is None :
556574 encrypt_assertion = False
557575
558-
559576 if encrypt_assertion_self_contained is None :
560- encrypt_assertion_self_contained = self .config .getattr ("encrypt_assertion_self_contained" , "idp" )
577+ encrypt_assertion_self_contained = self .config .getattr (
578+ "encrypt_assertion_self_contained" , "idp" )
561579 if encrypt_assertion_self_contained is None :
562580 encrypt_assertion_self_contained = True
563581
564582 if encrypted_advice_attributes is None :
565- encrypted_advice_attributes = self .config .getattr ("encrypted_advice_attributes" , "idp" )
583+ encrypted_advice_attributes = self .config .getattr (
584+ "encrypted_advice_attributes" , "idp" )
566585 if encrypted_advice_attributes is None :
567586 encrypted_advice_attributes = False
568587
569588 if encrypted_advice_attributes or pefim :
570- verify_encrypt_cert = self .config .getattr ("verify_encrypt_cert_advice" , "idp" )
589+ verify_encrypt_cert = self .config .getattr (
590+ "verify_encrypt_cert_advice" , "idp" )
571591 if verify_encrypt_cert is not None :
572592 if encrypt_cert_advice is None :
573- raise CertificateError ("No SPCertEncType certificate for encryption contained in authentication "
574- "request." )
593+ raise CertificateError (
594+ "No SPCertEncType certificate for encryption "
595+ "contained in authentication "
596+ "request." )
575597 if not verify_encrypt_cert (encrypt_cert_advice ):
576- raise CertificateError ("Invalid certificate for encryption!" )
598+ raise CertificateError (
599+ "Invalid certificate for encryption!" )
577600
578601 if encrypt_assertion :
579- verify_encrypt_cert = self .config .getattr ("verify_encrypt_cert_assertion" , "idp" )
602+ verify_encrypt_cert = self .config .getattr (
603+ "verify_encrypt_cert_assertion" , "idp" )
580604 if verify_encrypt_cert is not None :
581605 if encrypt_cert_assertion is None :
582- raise CertificateError ("No SPCertEncType certificate for encryption contained in authentication "
583- "request." )
606+ raise CertificateError (
607+ "No SPCertEncType certificate for encryption "
608+ "contained in authentication "
609+ "request." )
584610 if not verify_encrypt_cert (encrypt_cert_assertion ):
585- raise CertificateError ("Invalid certificate for encryption!" )
611+ raise CertificateError (
612+ "Invalid certificate for encryption!" )
586613
587614 if not name_id :
588615 try :
@@ -624,13 +651,17 @@ def create_authn_response(self, identity, in_response_to, destination,
624651
625652 try :
626653 _authn = authn
627- if (sign_assertion or sign_response ) and self .sec .cert_handler .generate_cert ():
654+ if (
655+ sign_assertion or sign_response ) and \
656+ self .sec .cert_handler .generate_cert ():
628657 with self .lock :
629658 self .sec .cert_handler .update_cert (True )
630- return self ._authn_response (in_response_to , # in_response_to
659+ return self ._authn_response (in_response_to ,
660+ # in_response_to
631661 destination , # consumer_url
632662 sp_entity_id , # sp_entity_id
633- identity , # identity as dictionary
663+ identity ,
664+ # identity as dictionary
634665 name_id ,
635666 authn = _authn ,
636667 issuer = issuer ,
@@ -679,7 +710,7 @@ def create_authn_request_response(self, identity, in_response_to,
679710 sign_response , sign_assertion ,
680711 authn_decl = authn_decl )
681712
682- #noinspection PyUnusedLocal
713+ # noinspection PyUnusedLocal
683714 def create_assertion_id_request_response (self , assertion_id , sign = False ,
684715 ** kwargs ):
685716 """
@@ -703,7 +734,7 @@ def create_assertion_id_request_response(self, assertion_id, sign=False,
703734 else :
704735 return assertion
705736
706- #noinspection PyUnusedLocal
737+ # noinspection PyUnusedLocal
707738 def create_name_id_mapping_response (self , name_id = None , encrypted_id = None ,
708739 in_response_to = None ,
709740 issuer = None , sign_response = False ,
0 commit comments