IdentityPython
diff --git a/‎example/idp2/idp.py
Lines changed: 20 additions & 10 deletions b/‎example/idp2/idp.py
Lines changed: 20 additions & 10 deletions
diff --git a/‎example/idp2/idp_conf.py
Lines changed: 12 additions & 4 deletions b/‎example/idp2/idp_conf.py
Lines changed: 12 additions & 4 deletions
diff --git a/‎setup.py
Lines changed: 1 addition & 1 deletion b/‎setup.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/saml2/aes.py
Lines changed: 123 additions & 0 deletions b/‎src/saml2/aes.py
Lines changed: 123 additions & 0 deletions
diff --git a/‎src/saml2/assertion.py
Lines changed: 7 additions & 1 deletion b/‎src/saml2/assertion.py
Lines changed: 7 additions & 1 deletion
diff --git a/‎src/saml2/attribute_converter.py
Lines changed: 47 additions & 0 deletions b/‎src/saml2/attribute_converter.py
Lines changed: 47 additions & 0 deletions
diff --git a/‎src/saml2/authn.py
Lines changed: 4 additions & 6 deletions b/‎src/saml2/authn.py
Lines changed: 4 additions & 6 deletions
@@ -9,7 +9,6 @@
 
 from urlparse import parse_qs
 from Cookie import SimpleCookie
-import subprocess
 import os
 
 from saml2 import server
@@ -125,7 +124,12 @@ def operation(self, _dict, binding):
             resp = BadRequest('Error parsing request or no request')
             return resp(self.environ, self.start_response)
         else:
-            return self.do(_dict["SAMLRequest"], binding, _dict["RelayState"])
+            try:
+                return self.do(_dict["SAMLRequest"], binding,
+                               _dict["RelayState"])
+            except KeyError:
+                # Can live with no relay state
+                return self.do(_dict["SAMLRequest"], binding)
 
     def artifact_operation(self, _dict):
         if not _dict:
@@ -134,7 +138,11 @@ def artifact_operation(self, _dict):
         else:
             # exchange artifact for request
             request = IDP.artifact2message(_dict["SAMLart"], "spsso")
-            return self.do(request, BINDING_HTTP_ARTIFACT, _dict["RelayState"])
+            try:
+                return self.do(request, BINDING_HTTP_ARTIFACT,
+                               _dict["RelayState"])
+            except KeyError:
+                return self.do(request, BINDING_HTTP_ARTIFACT)
 
     def response(self, binding, http_args):
         if binding == BINDING_HTTP_ARTIFACT:
@@ -814,6 +822,7 @@ def set_cookie(name, _, *args):
 
 # ----------------------------------------------------------------------------
 
+
 def metadata(environ, start_response):
     try:
         path = args.path
@@ -830,6 +839,7 @@ def metadata(environ, start_response):
         logger.error("An error occured while creating metadata:" + ex.message)
         return not_found(environ, start_response)
 
+
 def application(environ, start_response):
     """
     The main WSGI application. Dispatch the current request to
@@ -890,21 +900,15 @@ def application(environ, start_response):
 
 # ----------------------------------------------------------------------------
 
-from mako.lookup import TemplateLookup
-
-ROOT = './'
-LOOKUP = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'],
-                        module_directory=ROOT + 'modules',
-                        input_encoding='utf-8', output_encoding='utf-8')
 
 # ----------------------------------------------------------------------------
 
 if __name__ == '__main__':
-    import sys
     import socket
     from idp_user import USERS
     from idp_user import EXTRA
     from wsgiref.simple_server import make_server
+    from mako.lookup import TemplateLookup
 
     parser = argparse.ArgumentParser()
     parser.add_argument('-p', dest='path', help='Path to configuration file.')
@@ -918,9 +922,15 @@ def application(environ, start_response):
     parser.add_argument('-n', dest='name')
     parser.add_argument('-s', dest='sign', action='store_true',
                         help="sign the metadata")
+    parser.add_argument('-m', dest='mako_root', default="./")
     parser.add_argument(dest="config")
     args = parser.parse_args()
 
+    _rot = args.mako_root
+    LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
+                            module_directory=_rot + 'modules',
+                            input_encoding='utf-8', output_encoding='utf-8')
+
     PORT = 8088
 
     AUTHN_BROKER = AuthnBroker()
 
@@ -7,6 +7,7 @@
 from saml2.saml import NAME_FORMAT_URI
 from saml2.saml import NAMEID_FORMAT_TRANSIENT
 from saml2.saml import NAMEID_FORMAT_PERSISTENT
+import os.path
 
 try:
     from saml2.sigver import get_xmlsec_binary
@@ -18,13 +19,20 @@
 else:
     xmlsec_path = '/usr/bin/xmlsec1'
 
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+
+def full_path(local_file):
+    return os.path.join(BASEDIR, local_file)
+
 #BASE = "http://lingon.ladok.umu.se:8088"
 #BASE = "http://lingon.catalogix.se:8088"
 BASE = "http://localhost:8088"
 
 CONFIG = {
     "entityid": "%s/idp.xml" % BASE,
     "description": "My IDP",
+    "valid_for": 168,
     "service": {
         "aa": {
             "endpoints": {
@@ -86,10 +94,10 @@
         },
     },
     "debug": 1,
-    "key_file": "pki/mykey.pem",
-    "cert_file": "pki/mycert.pem",
+    "key_file": full_path("pki/mykey.pem"),
+    "cert_file": full_path("pki/mycert.pem"),
     "metadata": {
-        "local": ["../sp/sp.xml"],
+        "local": [full_path("../sp/sp.xml")],
     },
     "organization": {
         "display_name": "Rolands Identiteter",
@@ -111,7 +119,7 @@
     # This database holds the map between a subjects local identifier and
     # the identifier returned to a SP
     "xmlsec_binary": xmlsec_path,
-    "attribute_map_dir": "../attributemaps",
+    #"attribute_map_dir": "../attributemaps",
     "logger": {
         "rotating": {
             "filename": "idp.log",
 
@@ -43,7 +43,7 @@ def run_tests(self):
     'paste',
     'zope.interface',
     'repoze.who',
-    'm2crypto'
+    'pycrypto', 'Crypto'
 ]
 
 tests_require = [
 
@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+import os
+from Crypto import Random
+from Crypto.Cipher import AES
+from base64 import b64encode, b64decode
+
+__author__ = 'rolandh'
+
+POSTFIX_MODE = {
+    "cbc": AES.MODE_CBC,
+    "cfb": AES.MODE_CFB,
+    "ecb": AES.MODE_CFB,
+}
+
+BLOCK_SIZE = 16
+
+
+class AESCipher(object):
+    def __init__(self, key, iv=""):
+        """
+
+        :param key: The encryption key
+        :param iv: Init vector
+        :return: AESCipher instance
+        """
+        self.key = key
+        self.iv = iv
+
+    def build_cipher(self, iv="", alg="aes_128_cbc"):
+        """
+        :param iv: init vector
+        :param alg: cipher algorithm
+        :return: A Cipher instance
+        """
+        typ, bits, cmode = alg.split("_")
+
+        if not iv:
+            if self.iv:
+                iv = self.iv
+            else:
+                iv = Random.new().read(AES.block_size)
+        else:
+            assert len(iv) == AES.block_size
+
+        if bits not in ["128", "192", "256"]:
+            raise Exception("Unsupported key length")
+        try:
+            assert len(self.key) == int(bits) >> 3
+        except AssertionError:
+            raise Exception("Wrong Key length")
+
+        try:
+            return AES.new(self.key, POSTFIX_MODE[cmode], iv), iv
+        except KeyError:
+            raise Exception("Unsupported chaining mode")
+
+
+    def encrypt(self, msg, iv=None, alg="aes_128_cbc", padding="PKCS#7",
+                b64enc=True, block_size=BLOCK_SIZE):
+        """
+        :param key: The encryption key
+        :param iv: init vector
+        :param msg: Message to be encrypted
+        :param padding: Which padding that should be used
+        :param b64enc: Whether the result should be base64encoded
+        :param block_size: If PKCS#7 padding which block size to use
+        :return: The encrypted message
+        """
+
+        if padding == "PKCS#7":
+            _block_size = block_size
+        elif padding == "PKCS#5":
+            _block_size = 8
+        else:
+            _block_size = 0
+
+        if _block_size:
+            plen = _block_size - (len(msg) % _block_size)
+            c = chr(plen)
+            msg += c*plen
+
+        cipher, iv = self.build_cipher(iv, alg)
+        cmsg = iv + cipher.encrypt(msg)
+        if b64enc:
+            return b64encode(cmsg)
+        else:
+            return cmsg
+
+
+    def decrypt(self, msg, iv=None, padding="PKCS#7", b64dec=True):
+        """
+        :param key: The encryption key
+        :param iv: init vector
+        :param msg: Base64 encoded message to be decrypted
+        :return: The decrypted message
+        """
+        if b64dec:
+            data = b64decode(msg)
+        else:
+            data = msg
+
+        _iv = data[:AES.block_size]
+        if iv:
+            assert iv == _iv
+        cipher, iv = self.build_cipher(iv)
+        res = cipher.decrypt(data)[AES.block_size:]
+        if padding in ["PKCS#5", "PKCS#7"]:
+            res = res[:-ord(res[-1])]
+        return res
+
+if __name__ == "__main__":
+    key_ = "1234523451234545"  # 16 byte key
+    # Iff padded, the message doesn't have to be multiple of 16 in length
+    msg_ = "ToBeOrNotTobe W.S."
+    aes = AESCipher(key_)
+    iv_ = os.urandom(16)
+    encrypted_msg = aes.encrypt(key_, msg_, iv_)
+    txt = aes.decrypt(key_, encrypted_msg, iv_)
+    assert txt == msg_
+
+    encrypted_msg = aes.encrypt(key_, msg_, 0)
+    txt = aes.decrypt(key_, encrypted_msg, 0)
+    assert txt == msg_
@@ -422,6 +422,12 @@ def entity_category_attributes(self, ec):
         return []
 
     def get_entity_categories_restriction(self, sp_entity_id, mds):
+        """
+
+        :param sp_entity_id:
+        :param mds: MetadataStore instance
+        :return: A dictionary with restrictionsmetat
+        """
         if not self._restrictions:
             return None
 
@@ -697,7 +703,7 @@ def construct(self, sp_entity_id, in_response_to, consumer_url,
             _ass.authn_statement = [_authn_statement]
 
         if not attr_statement.empty():
-            _ass.attribute_statement=[attr_statement],
+            _ass.attribute_statement=[attr_statement]
 
         return _ass
 
 
@@ -169,6 +169,53 @@ def to_local(acs, statement, allow_unknown_attributes=False):
     return ava
 
 
+def list_to_local(acs, attrlist, allow_unknown_attributes=False):
+    """ Replaces the attribute names in a attribute value assertion with the
+    equivalent name from a local name format.
+
+    :param acs: List of Attribute Converters
+    :param attrlist: List of Attributes
+    :param allow_unknown_attributes: If unknown attributes are allowed
+    :return: A key,values dictionary
+    """
+    if not acs:
+        acs = [AttributeConverter()]
+        acsd = {"": acs}
+    else:
+        acsd = dict([(a.name_format, a) for a in acs])
+
+    ava = {}
+    for attr in attrlist:
+        try:
+            _func = acsd[attr.name_format].ava_from
+        except KeyError:
+            if attr.name_format == NAME_FORMAT_UNSPECIFIED or \
+                    allow_unknown_attributes:
+                _func = acs[0].lcd_ava_from
+            else:
+                logger.info("Unsupported attribute name format: %s" % (
+                    attr.name_format,))
+                continue
+
+        try:
+            key, val = _func(attr)
+        except KeyError:
+            if allow_unknown_attributes:
+                key, val = acs[0].lcd_ava_from(attr)
+            else:
+                logger.info("Unknown attribute name: %s" % (attr,))
+                continue
+        except AttributeError:
+            continue
+
+        try:
+            ava[key].extend(val)
+        except KeyError:
+            ava[key] = val
+
+    return ava
+
+
 def from_local(acs, ava, name_format):
     for aconv in acs:
         #print ac.format, name_format
 
@@ -4,7 +4,7 @@
 from urlparse import urlsplit
 import time
 from saml2 import SAMLError
-from saml2.cipher import AES
+from saml2.aes import AESCipher
 from saml2.httputil import Response
 from saml2.httputil import make_cookie
 from saml2.httputil import Redirect
@@ -110,7 +110,7 @@ def __init__(self, srv, mako_template, template_lookup, pwd, return_to):
         self.return_to = return_to
         self.active = {}
         self.query_param = "upm_answer"
-        self.aes = AES(srv.iv)
+        self.aes = AESCipher(self.srv.symkey, srv.iv)
 
     def __call__(self, cookie=None, policy_url=None, logo_url=None,
                  query="", **kwargs):
@@ -159,8 +159,7 @@ def verify(self, request, **kwargs):
         try:
             assert _dict["password"][0] == self.passwd[_dict["login"][0]]
             timestamp = str(int(time.mktime(time.gmtime())))
-            info = self.aes.encrypt(self.srv.symkey,
-                                    "::".join([_dict["login"][0], timestamp]))
+            info = self.aes.encrypt("::".join([_dict["login"][0], timestamp]))
             self.active[info] = timestamp
             cookie = make_cookie(self.cookie_name, info, self.srv.seed)
             return_to = create_return_url(self.return_to, _dict["query"][0],
@@ -180,8 +179,7 @@ def authenticated_as(self, cookie=None, **kwargs):
                 info, timestamp = parse_cookie(self.cookie_name,
                                                self.srv.seed, cookie)
                 if self.active[info] == timestamp:
-                    uid, _ts = self.aes.decrypt(self.srv.symkey,
-                                                info).split("::")
+                    uid, _ts = self.aes.decrypt(info).split("::")
                     if timestamp == _ts:
                         return {"uid": uid}
             except Exception:
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ def run_tests(self):`
`43`	`43`	`'paste',`
`44`	`44`	`'zope.interface',`
`45`	`45`	`'repoze.who',`
`46`		`- 'm2crypto'`
	`46`	`+ 'pycrypto', 'Crypto'`
`47`	`47`	`]`
`48`	`48`
`49`	`49`	`tests_require = [`