Merge pull request #96 from HaToHo/master

Added EncryptedAssertion with signature for the response.

Author: Roland Hedberg

.gitignore

@@ -155,3 +155,17 @@ example/sp/nocert_sp_conf/sp.xml
 example/sp/nocert_sp_conf/sp_conf.py
 
 example/sp/nocert_sp_conf/who.ini
+
+example/sp-repoze/my_sp.xml
+
+example/sp-repoze/pki/localhost.ca.crt
+
+example/sp-repoze/pki/localhost.ca.key
+
+example/sp-repoze/sp.xml
+
+example/sp-repoze/sp.xml
+
+example/sp-repoze/sp_conf.py
+
+example/sp-repoze/sp_conf.py

example/idp2/idp.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 import argparse
 import base64
-
+import xmldsig as ds
 import re
 import logging
 import time
@@ -24,6 +24,7 @@
 from saml2.authn_context import PASSWORD
 from saml2.authn_context import UNSPECIFIED
 from saml2.authn_context import authn_context_class_ref
+from saml2.extension import pefim
 from saml2.httputil import Response
 from saml2.httputil import NotFound
 from saml2.httputil import geturl
@@ -38,7 +39,7 @@
 from saml2.s_utils import UnknownPrincipal
 from saml2.s_utils import UnsupportedBinding
 from saml2.s_utils import PolicyError
-from saml2.sigver import verify_redirect_signature
+from saml2.sigver import verify_redirect_signature, cert_from_instance, encrypt_cert_from_item
 
 logger = logging.getLogger("saml2.idp")
 
@@ -125,8 +126,9 @@ def operation(self, _dict, binding):
             return resp(self.environ, self.start_response)
         else:
             try:
+                _encrypt_cert = encrypt_cert_from_item(_dict["req_info"].message)
                 return self.do(_dict["SAMLRequest"], binding,
-                               _dict["RelayState"])
+                               _dict["RelayState"], encrypt_cert=_encrypt_cert)
             except KeyError:
                 # Can live with no relay state
                 return self.do(_dict["SAMLRequest"], binding)
@@ -151,7 +153,7 @@ def response(self, binding, http_args):
             resp = Response(http_args["data"], headers=http_args["headers"])
         return resp(self.environ, self.start_response)
 
-    def do(self, query, binding, relay_state=""):
+    def do(self, query, binding, relay_state="", encrypt_cert=None):
         pass
 
     def redirect(self):
@@ -277,7 +279,7 @@ def verify_request(self, query, binding):
 
         return resp_args, _resp
 
-    def do(self, query, binding_in, relay_state=""):
+    def do(self, query, binding_in, relay_state="", encrypt_cert=None):
         try:
             resp_args, _resp = self.verify_request(query, binding_in)
         except UnknownPrincipal, excp:
@@ -297,13 +299,10 @@ def do(self, query, binding_in, relay_state=""):
             if REPOZE_ID_EQUIVALENT:
                 identity[REPOZE_ID_EQUIVALENT] = self.user
             try:
-                sign_assertion = IDP.config.getattr("sign_assertion", "idp")
-                if sign_assertion is None:
-                    sign_assertion = False
                 _resp = IDP.create_authn_response(
                     identity, userid=self.user,
-                    authn=AUTHN_BROKER[self.environ["idp.authn_ref"]], sign_assertion=sign_assertion,
-                    sign_response=False, **resp_args)
+                    authn=AUTHN_BROKER[self.environ["idp.authn_ref"]], encrypt_cert=encrypt_cert,
+                    **resp_args)
             except Exception, excp:
                 logging.error(exception_trace(excp))
                 resp = ServiceError("Exception: %s" % (excp,))
@@ -537,7 +536,7 @@ def not_found(environ, start_response):
 #    return subject, sp_entity_id
 
 class SLO(Service):
-    def do(self, request, binding, relay_state=""):
+    def do(self, request, binding, relay_state="", encrypt_cert=None):
         logger.info("--- Single Log Out Service ---")
         try:
             _, body = request.split("\n")
@@ -589,7 +588,7 @@ def do(self, request, binding, relay_state=""):
 
 class NMI(Service):
 
-    def do(self, query, binding, relay_state=""):
+    def do(self, query, binding, relay_state="", encrypt_cert=None):
         logger.info("--- Manage Name ID Service ---")
         req = IDP.parse_manage_name_id_request(query, binding)
         request = req.message
@@ -617,7 +616,7 @@ def do(self, query, binding, relay_state=""):
 
 # Only URI binding
 class AIDR(Service):
-    def do(self, aid, binding, relay_state=""):
+    def do(self, aid, binding, relay_state="", encrypt_cert=None):
         logger.info("--- Assertion ID Service ---")
 
         try:
@@ -646,7 +645,7 @@ def operation(self, _dict, binding, **kwargs):
 # ----------------------------------------------------------------------------
 
 class ARS(Service):
-    def do(self, request, binding, relay_state=""):
+    def do(self, request, binding, relay_state="", encrypt_cert=None):
         _req = IDP.parse_artifact_resolve(request, binding)
 
         msg = IDP.create_artifact_response(_req, _req.artifact.text)
@@ -664,7 +663,7 @@ def do(self, request, binding, relay_state=""):
 
 # Only SOAP binding
 class AQS(Service):
-    def do(self, request, binding, relay_state=""):
+    def do(self, request, binding, relay_state="", encrypt_cert=None):
         logger.info("--- Authn Query Service ---")
         _req = IDP.parse_authn_query(request, binding)
         _query = _req.message
@@ -688,7 +687,7 @@ def do(self, request, binding, relay_state=""):
 
 # Only SOAP binding
 class ATTR(Service):
-    def do(self, request, binding, relay_state=""):
+    def do(self, request, binding, relay_state="", encrypt_cert=None):
         logger.info("--- Attribute Query Service ---")
 
         _req = IDP.parse_attribute_query(request, binding)
@@ -721,7 +720,7 @@ def do(self, request, binding, relay_state=""):
 
 
 class NIM(Service):
-    def do(self, query, binding, relay_state=""):
+    def do(self, query, binding, relay_state="", encrypt_cert=None):
         req = IDP.parse_name_id_mapping_request(query, binding)
         request = req.message
         # Do the necessary stuff

example/sp-repoze/sp.xml

@@ -48,4 +48,4 @@
         },
         "loglevel": "debug",
     }
-}
+}

example/sp-repoze/sp_conf.py renamed to example/sp-repoze/sp_conf.example

@@ -27,6 +27,8 @@
 import traceback
 import saml2
 from urlparse import parse_qs, urlparse
+from saml2.md import Extensions
+import xmldsig as ds
 
 from StringIO import StringIO
 
@@ -35,14 +37,15 @@
 from paste.httpexceptions import HTTPInternalServerError
 from paste.request import parse_dict_querystring
 from paste.request import construct_url
+from saml2.extension.pefim import SPCertEnc
 from saml2.httputil import SeeOther
 from saml2.client_base import ECP_SERVICE
 from zope.interface import implements
 
 from repoze.who.interfaces import IChallenger, IIdentifier, IAuthenticator
 from repoze.who.interfaces import IMetadataProvider
 
-from saml2 import ecp, BINDING_HTTP_REDIRECT
+from saml2 import ecp, BINDING_HTTP_REDIRECT, element_to_extension_element
 from saml2 import BINDING_HTTP_POST
 
 from saml2.client import Saml2Client
@@ -126,7 +129,7 @@ class SAML2Plugin(object):
     implements(IChallenger, IIdentifier, IAuthenticator, IMetadataProvider)
 
     def __init__(self, rememberer_name, config, saml_client, wayf, cache,
-                 sid_store=None, discovery="", idp_query_param=""):
+                 sid_store=None, discovery="", idp_query_param="", sid_store_cert=None,):
         self.rememberer_name = rememberer_name
         self.wayf = wayf
         self.saml_client = saml_client
@@ -143,6 +146,11 @@ def __init__(self, rememberer_name, config, saml_client, wayf, cache,
             self.outstanding_queries = shelve.open(sid_store, writeback=True)
         else:
             self.outstanding_queries = {}
+        if sid_store_cert:
+            self.outstanding_certs = shelve.open(sid_store_cert, writeback=True)
+        else:
+            self.outstanding_certs = {}
+
         self.iam = platform.node()
 
 
@@ -362,15 +370,30 @@ def challenge(self, environ, _status, _app_headers, _forget_headers):
                 dest = srvs[0]["location"]
                 logger.debug("destination: %s" % dest)
 
+                extensions = None
+                cert = None
+
+                if _cli.config.generate_cert_func is not None:
+                    cert_str, req_key_str = _cli.config.generate_cert_func()
+                    cert = {
+                        "cert": cert_str,
+                        "key": req_key_str
+                    }
+                    spcertenc = SPCertEnc(x509_data=ds.X509Data(x509_certificate=ds.X509Certificate(text=cert_str)))
+                    extensions = Extensions(extension_elements=[element_to_extension_element(spcertenc)])
+
                 if _cli.authn_requests_signed:
                     _sid = saml2.s_utils.sid(_cli.seed)
                     msg_str = _cli.create_authn_request(dest, vorg=vorg_name, sign=_cli.authn_requests_signed,
-                                                        message_id=_sid)
+                                                        message_id=_sid, extensions=extensions)
                 else:
-                    req = _cli.create_authn_request(dest, vorg=vorg_name, sign=False)
+                    req = _cli.create_authn_request(dest, vorg=vorg_name, sign=False, extensions=extensions)
                     msg_str = "%s" % req
                     _sid = req.id
 
+                if cert is not None:
+                    self.outstanding_certs[_sid] = cert
+
                 ht_args = _cli.apply_binding(_binding, msg_str, destination=dest, relay_state=came_from)
 
                 logger.debug("ht_args: %s" % ht_args)
@@ -417,7 +440,8 @@ def _eval_authn_response(self, environ, post, binding=BINDING_HTTP_POST):
             # Evaluate the response, returns a AuthnResponse instance
             try:
                 authresp = self.saml_client.parse_authn_request_response(
-                    post["SAMLResponse"], binding, self.outstanding_queries)
+                    post["SAMLResponse"], binding, self.outstanding_queries, self.outstanding_certs)
+
             except Exception, excp:
                 logger.exception("Exception: %s" % (excp,))
                 raise

src/s2repoze/plugins/sp.py

@@ -558,6 +558,8 @@ def to_string(self, nspair=None):
                 except AttributeError:
                     # Backwards compatibility with ET < 1.3
                     ElementTree._namespace_map[uri] = prefix
+                except ValueError:
+                    pass
 
         return ElementTree.tostring(self._to_element_tree(), encoding="UTF-8")
 

src/saml2/__init__.py

@@ -122,8 +122,9 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
         self.allow_unsolicited = False
         self.authn_requests_signed = False
         self.want_assertions_signed = False
+        self.want_response_signed = False
         for foo in ["allow_unsolicited", "authn_requests_signed",
-                    "logout_requests_signed", "want_assertions_signed"]:
+                    "logout_requests_signed", "want_assertions_signed", "want_response_signed"]:
             v = self.config.getattr(foo, "sp")
             if v is True or v == 'true':
                 setattr(self, foo, True)
@@ -234,7 +235,9 @@ def create_authn_request(self, destination, vorg="", scoping=None,
         client_crt = None
         if "client_crt" in kwargs:
             client_crt = kwargs["client_crt"]
+
         args = {}
+
         try:
             args["assertion_consumer_service_url"] = kwargs[
                 "assertion_consumer_service_urls"][0]
@@ -505,7 +508,7 @@ def create_name_id_mapping_request(self, name_id_policy,
 
     # ======== response handling ===========
 
-    def parse_authn_request_response(self, xmlstr, binding, outstanding=None):
+    def parse_authn_request_response(self, xmlstr, binding, outstanding=None, outstanding_certs=None):
         """ Deal with an AuthnResponse
 
         :param xmlstr: The reply as a xml string
@@ -525,8 +528,10 @@ def parse_authn_request_response(self, xmlstr, binding, outstanding=None):
         if xmlstr:
             kwargs = {
                 "outstanding_queries": outstanding,
+                "outstanding_certs": outstanding_certs,
                 "allow_unsolicited": self.allow_unsolicited,
                 "want_assertions_signed": self.want_assertions_signed,
+                "want_response_signed": self.want_response_signed,
                 "return_addrs": self.service_urls(),
                 "entity_id": self.config.entityid,
                 "attribute_converters": self.config.attribute_converters,

src/saml2/client_base.py

@@ -65,7 +65,9 @@
     "xmlsec_path",
     "extension_schemas",
     "cert_handler_extra_class",
+    "generate_cert_func",
     "generate_cert_info",
+    "verify_encrypt_cert",
     "tmp_cert_file",
     "tmp_key_file",
     "validate_certificate",
@@ -78,6 +80,7 @@
     "idp",
     "aa",
     "subject_data",
+    "want_response_signed",
     "want_assertions_signed",
     "authn_requests_signed",
     "name_form",
@@ -92,6 +95,8 @@
 
 AA_IDP_ARGS = [
     "sign_assertion",
+    "sign_response",
+    "encrypt_assertion",
     "want_authn_requests_signed",
     "want_authn_requests_only_with_valid_cert",
     "provided_attributes",
@@ -210,6 +215,8 @@ def __init__(self, homedir="."):
         self.allow_unknown_attributes = False
         self.extension_schema = {}
         self.cert_handler_extra_class = None
+        self.verify_encrypt_cert = None
+        self.generate_cert_func = None
         self.generate_cert_info = None
         self.tmp_cert_file = None
         self.tmp_key_file = None