Merge pull request #641 from skoranda/better_pick_binding

Better pick binding by index

Author: c00kiemon5ter

src/saml2/entity.py

@@ -269,16 +269,8 @@ def pick_binding(self, service, bindings=None, descr_type="", request=None,
             else:
                 descr_type = "spsso"
 
-        _url = _index = None
-        if request:
-            try:
-                _url = getattr(request, "%s_url" % service)
-            except AttributeError:
-                _url = None
-                try:
-                    _index = getattr(request, "%s_index" % service)
-                except AttributeError:
-                    pass
+        _url = getattr(request, "%s_url" % service, None)
+        _index = getattr(request, "%s_index" % service, None)
 
         for binding in bindings:
             try:

tests/servera.xml

@@ -1,5 +1,29 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ns5="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="urn:mace:example.com:saml:roland:sp"><ns0:Extensions><ns1:EntityAttributes><ns2:Attribute Name="http://macedir.org/entity-category"><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/sfs-1993-1153</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/hei-service</ns2:AttributeValue></ns2:Attribute></ns1:EntityAttributes></ns0:Extensions><ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:Extensions><ns4:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://lingon.catalogix.se:8087/disco" index="1" /></ns0:Extensions><ns0:KeyDescriptor use="encryption"><ns5:KeyInfo><ns5:X509Data><ns5:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+<?xml version="1.0" encoding="UTF-8"?>
+<ns0:EntityDescriptor
+        xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"
+        xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+        xmlns:ns5="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        entityID="urn:mace:example.com:saml:roland:sp">
+  <ns0:Extensions>
+    <ns1:EntityAttributes>
+      <ns2:Attribute Name="http://macedir.org/entity-category">
+        <ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/sfs-1993-1153</ns2:AttributeValue>
+        <ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/hei-service</ns2:AttributeValue>
+      </ns2:Attribute>
+    </ns1:EntityAttributes>
+  </ns0:Extensions>
+  <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <ns0:Extensions>
+      <ns4:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://lingon.catalogix.se:8087/disco" index="1"/>
+    </ns0:Extensions>
+    <ns0:KeyDescriptor use="encryption">
+      <ns5:KeyInfo>
+        <ns5:X509Data>
+            <ns5:X509Certificate>
+MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
 aWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBF
 MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
@@ -14,7 +38,15 @@ mDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6
 h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5
 U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6
 mrPzGzk3ECbupFnqyREH3+ZPSdk=
-</ns5:X509Certificate></ns5:X509Data></ns5:KeyInfo></ns0:KeyDescriptor><ns0:KeyDescriptor use="signing"><ns5:KeyInfo><ns5:X509Data><ns5:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+</ns5:X509Certificate>
+        </ns5:X509Data>
+      </ns5:KeyInfo>
+    </ns0:KeyDescriptor>
+    <ns0:KeyDescriptor use="signing">
+      <ns5:KeyInfo>
+        <ns5:X509Data>
+            <ns5:X509Certificate>
+MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
 aWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBF
 MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
@@ -29,4 +61,33 @@ mDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6
 h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5
 U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6
 mrPzGzk3ECbupFnqyREH3+ZPSdk=
-</ns5:X509Certificate></ns5:X509Data></ns5:KeyInfo></ns0:KeyDescriptor><ns0:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/ars" index="1" /><ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/sls" /><ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/mni/soap" /><ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lingon.catalogix.se:8087/mni/post" /><ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://lingon.catalogix.se:8087/mni/redirect" /><ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://lingon.catalogix.se:8087/mni/art" /><ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns0:NameIDFormat><ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</ns0:NameIDFormat><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lingon.catalogix.se:8087/" index="1" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://lingon.catalogix.se:8087/paos" index="2" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://lingon.catalogix.se:8087/redirect" index="3" /></ns0:SPSSODescriptor><ns0:Organization><ns0:OrganizationName xml:lang="se">AB Exempel</ns0:OrganizationName><ns0:OrganizationDisplayName xml:lang="se">AB Exempel</ns0:OrganizationDisplayName><ns0:OrganizationURL xml:lang="en">http://www.example.org</ns0:OrganizationURL></ns0:Organization><ns0:ContactPerson contactType="technical"><ns0:GivenName>Roland</ns0:GivenName><ns0:SurName>Hedberg</ns0:SurName><ns0:EmailAddress>[email protected]</ns0:EmailAddress><ns0:EmailAddress>[email protected]</ns0:EmailAddress><ns0:TelephoneNumber>+46 70 100 0000</ns0:TelephoneNumber></ns0:ContactPerson></ns0:EntityDescriptor>
+</ns5:X509Certificate>
+        </ns5:X509Data>
+      </ns5:KeyInfo>
+    </ns0:KeyDescriptor>
+    <ns0:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/ars" index="1"/>
+    <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/sls"/>
+    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lingon.catalogix.se:8087/mni/soap"/>
+    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lingon.catalogix.se:8087/mni/post"/>
+    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://lingon.catalogix.se:8087/mni/redirect"/>
+    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://lingon.catalogix.se:8087/mni/art"/>
+    <ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns0:NameIDFormat>
+    <ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</ns0:NameIDFormat>
+    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lingon.catalogix.se:8087/" index="1"/>
+    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://lingon.catalogix.se:8087/paos" index="2"/>
+    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://lingon.catalogix.se:8087/redirect" index="3"/>
+    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lingon.catalogix.se:8087/another/path" index="4"/>
+  </ns0:SPSSODescriptor>
+  <ns0:Organization>
+    <ns0:OrganizationName xml:lang="se">AB Exempel</ns0:OrganizationName>
+    <ns0:OrganizationDisplayName xml:lang="se">AB Exempel</ns0:OrganizationDisplayName>
+    <ns0:OrganizationURL xml:lang="en">http://www.example.org</ns0:OrganizationURL>
+  </ns0:Organization>
+  <ns0:ContactPerson contactType="technical">
+    <ns0:GivenName>Roland</ns0:GivenName>
+    <ns0:SurName>Hedberg</ns0:SurName>
+    <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
+    <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
+    <ns0:TelephoneNumber>+46 70 100 0000</ns0:TelephoneNumber>
+  </ns0:ContactPerson>
+</ns0:EntityDescriptor>

tests/test_71_authn_request.py

@@ -0,0 +1,37 @@
+from contextlib import closing
+from saml2.client import Saml2Client
+from saml2.server import Server
+
+
+def test_authn_request_with_acs_by_index():
+    # ACS index and location from SP metadata in servera.xml.
+    ACS_INDEX = '4'
+    ACS_LOCATION = 'http://lingon.catalogix.se:8087/another/path'
+
+    # Create SP using the configuration found in servera_conf.py.
+    sp = Saml2Client(config_file="servera_conf")
+
+    # Generate an authn request object that uses AssertionConsumerServiceIndex
+    # instead of AssertionConsumerServiceURL. The index with label ACS_INDEX
+    # exists in the SP metadata in servera.xml.
+    request_id, authn_request = sp.create_authn_request(
+                                sp.config.entityid,
+                                assertion_consumer_service_index=ACS_INDEX)
+
+    # Make sure the authn_request contains AssertionConsumerServiceIndex.
+    acs_index = getattr(authn_request,
+                        'assertion_consumer_service_index', None)
+
+    assert acs_index == ACS_INDEX
+
+    # Create IdP.
+    with closing(Server(config_file="idp_all_conf")) as idp:
+
+        # Ask the IdP to pick out the binding and destination from the
+        # authn_request.
+        binding, destination = idp.pick_binding("assertion_consumer_service",
+                                                request=authn_request)
+
+        # Make sure the IdP pick_binding method picks the correct location
+        # or destination based on the ACS index in the authn request.
+        assert destination == ACS_LOCATION