Merge branch 'master' into master

Author: rohe

README.rst

@@ -38,3 +38,15 @@ testing. To run the tests on your system's version of python
 
 To run tests in multiple python environments, you can use
 `pyenv <https://github.com/yyuu/pyenv>`_ with `tox <https://tox.readthedocs.io/en/latest/>`_.
+
+
+Please contribute!
+==================
+
+To help out, you could:
+
+1. Test and report any bugs or other difficulties.
+2. Implement missing features.
+3. Write more unit tests.
+
+**If you have the time and inclination I'm looking for Collaborators**

src/saml2/algsupport.py

@@ -23,7 +23,7 @@
     "rsa-sha256": 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
     "rsa-sha384": 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
     "rsa-sha512": 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
-    "dsa-sha1": 'http,//www.w3.org/2000/09/xmldsig#dsa-sha1',
+    "dsa-sha1": 'http://www.w3.org/2000/09/xmldsig#dsa-sha1',
     'dsa-sha256': 'http://www.w3.org/2009/xmldsig11#dsa-sha256',
     'ecdsa_sha1': 'http://www.w3.org/2001/04/xmldsig-more#ECDSA_sha1',
     'ecdsa_sha224': 'http://www.w3.org/2001/04/xmldsig-more#ECDSA_sha224',

src/saml2/assertion.py

@@ -78,19 +78,22 @@ def filter_on_attributes(ava, required=None, optional=None, acs=None,
     """
 
     def _match_attr_name(attr, ava):
-        try:
-            friendly_name = attr["friendly_name"]
-        except KeyError:
-            friendly_name = get_local_name(acs, attr["name"],
-                                           attr["name_format"])
+        
+        local_name = get_local_name(acs, attr["name"], attr["name_format"])
+        if not local_name:
+            try:
+                local_name = attr["friendly_name"]
+            except KeyError:
+                pass
 
-        _fn = _match(friendly_name, ava)
+        _fn = _match(local_name, ava)
         if not _fn:  # In the unlikely case that someone has provided us with
             #  URIs as attribute names
             _fn = _match(attr["name"], ava)
 
         return _fn
 
+
     def _apply_attr_value_restrictions(attr, res, must=False):
         try:
             values = [av["text"] for av in attr["attribute_value"]]
@@ -105,7 +108,6 @@ def _apply_attr_value_restrictions(attr, res, must=False):
         return _filter_values(ava[_fn], values, must)
 
     res = {}
-
     if required is None:
         required = []
 

src/saml2/attribute_converter.py

@@ -246,7 +246,7 @@ def get_local_name(acs, attr, name_format):
     for aconv in acs:
         #print(ac.format, name_format)
         if aconv.name_format == name_format:
-            return aconv._fro[attr]
+            return aconv._fro.get(attr)
 
 
 def d_to_local_name(acs, attr):

src/saml2/attributemaps/saml_uri.py

@@ -13,10 +13,19 @@
 SIS = 'urn:oid:1.2.752.194.10.2.'
 UMICH = 'urn:oid:1.3.6.1.4.1.250.1.57.'
 OPENOSI_OID = 'urn:oid:1.3.6.1.4.1.27630.2.1.1.' #openosi-0.82.schema http://www.openosi.org/osi/display/ldap/Home
+EIDAS_NATURALPERSON = 'http://eidas.europa.eu/attributes/naturalperson/'
 
 MAP = {
     'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
     'fro': {
+        EIDAS_NATURALPERSON+'PersonIdentifier': 'PersonIdentifier',
+        EIDAS_NATURALPERSON+'FamilyName': 'FamilyName',
+        EIDAS_NATURALPERSON+'FirstName': 'FirstName',
+        EIDAS_NATURALPERSON+'DateOfBirth': 'DateOfBirth',
+        EIDAS_NATURALPERSON+'BirthName': 'BirthName',
+        EIDAS_NATURALPERSON+'PlaceOfBirth': 'PlaceOfBirth',
+        EIDAS_NATURALPERSON+'CurrentAddress': 'CurrentAddress',
+        EIDAS_NATURALPERSON+'Gender': 'Gender',
         EDUCOURSE_OID+'1': 'eduCourseOffering',
         EDUCOURSE_OID+'2': 'eduCourseMember',
         EDUMEMBER1_OID+'1': 'isMemberOf',
@@ -161,6 +170,14 @@
         X500ATTR_OID+'65': 'pseudonym',
     },
     'to': {
+        'PersonIdentifier': EIDAS_NATURALPERSON+'PersonIdentifier',
+        'FamilyName': EIDAS_NATURALPERSON+'FamilyName',
+        'FirstName': EIDAS_NATURALPERSON+'FirstName',
+        'DateOfBirth': EIDAS_NATURALPERSON+'DateOfBirth',
+        'BirthName': EIDAS_NATURALPERSON+'BirthName',
+        'PlaceOfBirth': EIDAS_NATURALPERSON+'PlaceOfBirth',
+        'CurrentAddress': EIDAS_NATURALPERSON+'CurrentAddress',
+        'Gender': EIDAS_NATURALPERSON+'Gender',
         'associatedDomain': UCL_DIR_PILOT+'37',
         'authorityRevocationList': X500ATTR_OID+'38',
         'businessCategory': X500ATTR_OID+'15',

src/saml2/client_base.py

@@ -10,6 +10,8 @@
 
 from saml2.entity import Entity
 
+import saml2.attributemaps as attributemaps
+
 from saml2.mdstore import destinations
 from saml2.profile import paos, ecp
 from saml2.saml import NAMEID_FORMAT_TRANSIENT
@@ -18,6 +20,9 @@
 from saml2.samlp import AttributeQuery
 from saml2.samlp import AuthzDecisionQuery
 from saml2.samlp import AuthnRequest
+from saml2.samlp import Extensions
+from saml2.extension import sp_type
+from saml2.extension import requested_attributes
 
 import saml2
 import time
@@ -207,7 +212,7 @@ def create_authn_request(self, destination, vorg="", scoping=None,
             nameid_format=None,
             service_url_binding=None, message_id=0,
             consent=None, extensions=None, sign=None,
-            allow_create=False, sign_prepare=False, sign_alg=None,
+            allow_create=None, sign_prepare=False, sign_alg=None,
             digest_alg=None, **kwargs):
         """ Creates an authentication request.
 
@@ -235,26 +240,30 @@ def create_authn_request(self, destination, vorg="", scoping=None,
 
         args = {}
 
-        try:
-            args["assertion_consumer_service_url"] = kwargs[
-                "assertion_consumer_service_urls"][0]
-            del kwargs["assertion_consumer_service_urls"]
-        except KeyError:
+        if self.config.getattr('hide_assertion_consumer_service', 'sp'):
+            args["assertion_consumer_service_url"] = None
+            binding = None
+        else:
             try:
                 args["assertion_consumer_service_url"] = kwargs[
-                    "assertion_consumer_service_url"]
-                del kwargs["assertion_consumer_service_url"]
+                    "assertion_consumer_service_urls"][0]
+                del kwargs["assertion_consumer_service_urls"]
             except KeyError:
                 try:
-                    args["assertion_consumer_service_index"] = str(kwargs[
-                                                                       "assertion_consumer_service_index"])
-                    del kwargs["assertion_consumer_service_index"]
+                    args["assertion_consumer_service_url"] = kwargs[
+                        "assertion_consumer_service_url"]
+                    del kwargs["assertion_consumer_service_url"]
                 except KeyError:
-                    if service_url_binding is None:
-                        service_urls = self.service_urls(binding)
-                    else:
-                        service_urls = self.service_urls(service_url_binding)
-                    args["assertion_consumer_service_url"] = service_urls[0]
+                    try:
+                        args["assertion_consumer_service_index"] = str(
+                            kwargs["assertion_consumer_service_index"])
+                        del kwargs["assertion_consumer_service_index"]
+                    except KeyError:
+                        if service_url_binding is None:
+                            service_urls = self.service_urls(binding)
+                        else:
+                            service_urls = self.service_urls(service_url_binding)
+                        args["assertion_consumer_service_url"] = service_urls[0]
 
         try:
             args["provider_name"] = kwargs["provider_name"]
@@ -268,7 +277,7 @@ def create_authn_request(self, destination, vorg="", scoping=None,
         # all of these have cardinality 0..1
         _msg = AuthnRequest()
         for param in ["scoping", "requested_authn_context", "conditions",
-                      "subject", "scoping"]:
+                      "subject"]:
             try:
                 _item = kwargs[param]
             except KeyError:
@@ -288,23 +297,37 @@ def create_authn_request(self, destination, vorg="", scoping=None,
             args["name_id_policy"] = kwargs["name_id_policy"]
             del kwargs["name_id_policy"]
         except KeyError:
-            if allow_create:
-                allow_create = "true"
-            else:
-                allow_create = "false"
+            if allow_create is None:
+                allow_create = self.config.getattr("name_id_format_allow_create", "sp")
+                if allow_create is None:
+                    allow_create = "false"
+                else:
+                    if allow_create is True:
+                        allow_create = "true"
+                    else:
+                        allow_create = "false"
 
             if nameid_format == "":
                 name_id_policy = None
             else:
                 if nameid_format is None:
                     nameid_format = self.config.getattr("name_id_format", "sp")
 
+                    # If no nameid_format has been set in the configuration
+                    # or passed in then transient is the default.
                     if nameid_format is None:
                         nameid_format = NAMEID_FORMAT_TRANSIENT
+
+                    # If a list has been configured or passed in choose the
+                    # first since NameIDPolicy can only have one format specified.
                     elif isinstance(nameid_format, list):
-                        # NameIDPolicy can only have one format specified
                         nameid_format = nameid_format[0]
 
+                    # Allow a deployer to signal that no format should be specified
+                    # in the NameIDPolicy by passing in or configuring the string 'None'.
+                    elif nameid_format == 'None':
+                        nameid_format = None
+
                 name_id_policy = samlp.NameIDPolicy(allow_create=allow_create,
                                                     format=nameid_format)
 
@@ -321,6 +344,75 @@ def create_authn_request(self, destination, vorg="", scoping=None,
         except KeyError:
             nsprefix = None
 
+        try:
+            force_authn = kwargs['force_authn']
+        except KeyError:
+            force_authn = self.config.getattr('force_authn', 'sp')
+        finally:
+            if force_authn:
+                args['force_authn'] = 'true'
+
+        conf_sp_type = self.config.getattr('sp_type', 'sp')
+        conf_sp_type_in_md = self.config.getattr('sp_type_in_metadata', 'sp')
+        if conf_sp_type and conf_sp_type_in_md is False:
+            if not extensions:
+                extensions = Extensions()
+            item = sp_type.SPType(text=conf_sp_type)
+            extensions.add_extension_element(item)
+
+        requested_attrs = self.config.getattr('requested_attributes', 'sp')
+        if requested_attrs:
+            if not extensions:
+                extensions = Extensions()
+
+            attributemapsmods = []
+            for modname in attributemaps.__all__:
+                attributemapsmods.append(getattr(attributemaps, modname))
+
+            items = []
+            for attr in requested_attrs:
+                friendly_name = attr.get('friendly_name')
+                name = attr.get('name')
+                name_format = attr.get('name_format')
+                is_required = str(attr.get('required', False)).lower()
+
+                if not name and not friendly_name:
+                    raise ValueError(
+                        "Missing required attribute: '{}' or '{}'".format(
+                            'name', 'friendly_name'))
+
+                if not name:
+                    for mod in attributemapsmods:
+                        try:
+                            name = mod.MAP['to'][friendly_name]
+                        except KeyError:
+                            continue
+                        else:
+                            if not name_format:
+                                name_format = mod.MAP['identifier']
+                            break
+
+                if not friendly_name:
+                    for mod in attributemapsmods:
+                        try:
+                            friendly_name = mod.MAP['fro'][name]
+                        except KeyError:
+                            continue
+                        else:
+                            if not name_format:
+                                name_format = mod.MAP['identifier']
+                            break
+
+                items.append(requested_attributes.RequestedAttribute(
+                    is_required=is_required,
+                    name_format=name_format,
+                    friendly_name=friendly_name,
+                    name=name))
+
+            item = requested_attributes.RequestedAttributes(
+                extension_elements=items)
+            extensions.add_extension_element(item)
+
         if kwargs:
             _args, extensions = self._filter_args(AuthnRequest(), extensions,
                                                   **kwargs)

src/saml2/config.py

@@ -73,8 +73,14 @@
     "allow_unsolicited",
     "ecp",
     "name_id_format",
+    "name_id_format_allow_create",
     "logout_requests_signed",
-    "requested_attribute_name_format"
+    "requested_attribute_name_format",
+    "hide_assertion_consumer_service",
+    "force_authn",
+    "sp_type",
+    "sp_type_in_metadata",
+    "requested_attributes",
 ]
 
 AA_IDP_ARGS = [
@@ -187,6 +193,7 @@ def __init__(self, homedir="."):
         self.contact_person = None
         self.name_form = None
         self.name_id_format = None
+        self.name_id_format_allow_create = None
         self.virtual_organization = None
         self.logger = None
         self.only_use_keys_in_metadata = True
@@ -205,7 +212,6 @@ def __init__(self, homedir="."):
         self.crypto_backend = 'xmlsec1'
         self.scope = ""
         self.allow_unknown_attributes = False
-        self.allow_unsolicited = False
         self.extension_schema = {}
         self.cert_handler_extra_class = None
         self.verify_encrypt_cert_advice = None