Merge branch 'master' into feature-hide-assertion-consumer-service

c00kiemon5ter · web-flow · commit 8ca067dce4de · 2017-07-26T04:34:52.000-07:00
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
@@ -339,6 +339,14 @@ def create_authn_request(self, destination, vorg="", scoping=None,
         except KeyError:
             nsprefix = None
 
+        try:
+            force_authn = kwargs['force_authn']
+        except KeyError:
+            force_authn = self.config.getattr('force_authn', 'sp')
+        finally:
+            if force_authn:
+                args['force_authn'] = 'true'
+
         if kwargs:
             _args, extensions = self._filter_args(AuthnRequest(), extensions,
                                                   **kwargs)
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -77,6 +77,7 @@
     "logout_requests_signed",
     "requested_attribute_name_format",
     "hide_assertion_consumer_service",
+    "force_authn",
 ]
 
 AA_IDP_ARGS = [
@@ -208,7 +209,6 @@ def __init__(self, homedir="."):
         self.crypto_backend = 'xmlsec1'
         self.scope = ""
         self.allow_unknown_attributes = False
-        self.allow_unsolicited = False
         self.extension_schema = {}
         self.cert_handler_extra_class = None
         self.verify_encrypt_cert_advice = None
diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
@@ -750,7 +750,7 @@ def load(self, *args, **kwargs):
         """
         response = self.http.send(self.url)
         if response.status_code == 200:
-            _txt = response.text.encode("utf-8")
+            _txt = response.content
             return self.parse_and_check_signature(_txt)
         else:
             logger.info("Response status: %s", response.status_code)
@@ -814,7 +814,7 @@ def __getitem__(self, item):
             response = requests.get(mdx_url, headers={
                 'Accept': SAML_METADATA_CONTENT_TYPE})
             if response.status_code == 200:
-                _txt = response.text.encode("utf-8")
+                _txt = response.content
 
                 if self.parse_and_check_signature(_txt):
                     return self.entity[item]
diff --git a/src/saml2/response.py b/src/saml2/response.py
@@ -666,7 +666,7 @@ def get_identity(self):
                 _attr_statem = _assertion.attribute_statement[0]
                 ava.update(self.read_attribute_statement(_attr_statem))
             if not ava:
-                logger.error("Missing Attribute Statement")
+                logger.debug("Assertion contains no attribute statements")
         return ava
 
     def _bearer_confirmed(self, data):
diff --git a/tests/SWITCHaaiRootCA.crt.pem b/tests/SWITCHaaiRootCA.crt.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgINSWITCHaai+Root+CAzANBgkqhkiG9w0BAQUFADBrMQsw
+CQYDVQQGEwJDSDFAMD4GA1UEChM3U3dpdGNoIC0gVGVsZWluZm9ybWF0aWtkaWVu
+c3RlIGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UEAxMRU1dJVENIYWFp
+IFJvb3QgQ0EwHhcNMDgwNTE1MDYzMDAwWhcNMjgwNTE1MDYyOTU5WjBrMQswCQYD
+VQQGEwJDSDFAMD4GA1UEChM3U3dpdGNoIC0gVGVsZWluZm9ybWF0aWtkaWVuc3Rl
+IGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UEAxMRU1dJVENIYWFpIFJv
+b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUSWbn/rhWew/s
+LJRyciyRKDGyFXSgiDO/EohYuZLw6EAKLLlhZorNtEHQbbn0Oo13S33MclHMvGWT
+KJM0u1hG+6gLy78EPmJbqAE1Uv23wVEH4SX0VJfl3JVqIebiAH/CjuLubgMUspDI
+jOdQHNLS7pthTbm7Tgh7zMsiLPyMTZJep5CGbqv8NoK6bMaF0Z+Bt7e1JRlhHFCV
+iJJaR/+hfpzLsJ8NWVivvrpRGaGJ1XR+9FGsTkjNdMCirNJJZ6XvUOe5w7pHSd9M
+cppFP0eyLs02AMzMXI4iz6PK/w3EdzXGXpK+gSgvLxWYct4xHpv1e2NXhNgdJOSN
+9ra/wJLVAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
+MB0GA1UdDgQWBBTpmuIGWOsP14EDXVyXubG1k307hDANBgkqhkiG9w0BAQUFAAOC
+AQEAMV/eIW6pFB+mbk7rD7hUPTWDRaoca3kHqmFGFnHfuY8+c0/Mqjh8Y/jyX1yb
+f58crTSWrbyGbUZ3oxDGQ34tuZSkmeR32NqryiX3sP5qlNSozVguQKt8o4vhS1Qe
+WPsXALs3em2pdKuIGSOpbuDnopPcmU2g5Zi2R5P7qpKDKAKtNUEwV+LW7GBMEksO
+Nj7BFXk4AFBFBijaYJGgHmoKSImVgeNIvsV+BSv5HJ4q6vcxfnwuvvGHM0AGphYO
+6f5qtHMUgvAblI8M/2QsBgethaGrirtKJ3aCRLdaR2R1QfaGRpck/Ron5/MpMxiJ
+wLT8YlW/zjx2yNABhPSAjfzeMw==
+-----END CERTIFICATE-----
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -1,15 +1,18 @@
 import os
+import pytest
 
 #TODO: On my system this function seems to be returning an incorrect location
-def pytest_funcarg__xmlsec(request):
+@pytest.fixture
+def xmlsec(request):
     for path in os.environ["PATH"].split(":"):
         fil = os.path.join(path, "xmlsec1")
         if os.access(fil,os.X_OK):
             return fil
 
     raise Exception("Can't find xmlsec1")
-    
-def pytest_funcarg__AVA(request):
+
+@pytest.fixture
+def AVA(request):
     return [
         {
             "surName": ["Jeter"],
@@ -27,4 +30,4 @@ def pytest_funcarg__AVA(request):
             "surName": ["Hedberg"],
             "givenName": ["Roland"],
         },
-    ]    
+    ]
diff --git a/tests/test_30_mdstore.py b/tests/test_30_mdstore.py
@@ -7,12 +7,13 @@
 from future.backports.urllib.parse import quote_plus
 
 from saml2.config import Config
-from saml2.mdstore import MetadataStore
+from saml2.mdstore import MetadataStore, MetaDataExtern
 from saml2.mdstore import MetaDataMDX
 from saml2.mdstore import SAML_METADATA_CONTENT_TYPE
 from saml2.mdstore import destinations
 from saml2.mdstore import name
 from saml2 import sigver
+from saml2.httpbase import HTTPBase
 from saml2 import BINDING_SOAP
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
@@ -385,6 +386,14 @@ def test_load_local():
     assert cfg
 
 
+def test_load_remote_encoding():
+    crypto = sigver._get_xmlsec_cryptobackend()
+    sc = sigver.SecurityContext(crypto, key_type="", cert_type="")
+    httpc = HTTPBase()
+    mds = MetaDataExtern(ATTRCONV, 'http://metadata.aai.switch.ch/metadata.aaitest.xml', sc, full_path('SWITCHaaiRootCA.crt.pem'), httpc)
+    mds.load()
+
+
 def test_load_string():
     sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
     mds = MetadataStore(ATTRCONV, sec_config,
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
@@ -68,6 +68,7 @@
             },
             "authn_requests_signed": True,
             "logout_requests_signed": True,
+            "force_authn": True,
         }
     },
     #"xmlsec_binary" : "/opt/local/bin/xmlsec1",
@@ -408,5 +409,15 @@ def test_crypto_backend():
     sec = security_context(idpc)
     assert isinstance(sec.crypto, CryptoBackendXMLSecurity)
 
+def test_unset_force_authn():
+    cnf = SPConfig().load(sp1)
+    assert bool(cnf.getattr('force_authn', 'sp')) == False
+
+
+def test_set_force_authn():
+    cnf = SPConfig().load(sp2)
+    assert bool(cnf.getattr('force_authn', 'sp')) == True
+
+
 if __name__ == "__main__":
     test_crypto_backend()
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
@@ -280,6 +280,17 @@ def test_create_auth_request_0(self):
         assert nid_policy.allow_create == "false"
         assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
 
+    def test_create_auth_request_unset_force_authn(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso", sign=False, message_id="id1")
+        assert bool(req.force_authn) == False
+
+    def test_create_auth_request_set_force_authn(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso", sign=False, message_id="id1",
+            force_authn="true")
+        assert bool(req.force_authn) == True
+
     def test_create_auth_request_nameid_policy_allow_create(self):
         conf = config.SPConfig()
         conf.load_file("sp_conf_nameidpolicy")
