Merge pull request #152 from rhoerbe/20140922-add-xmlsec-debug-opt

Roland Hedberg · Roland Hedberg · commit d14411a2e29a · 2014-10-19T16:18:41.000+02:00
20140922 add xmlsec debug opt
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
@@ -588,10 +588,10 @@ def srv2typ(service):
                 else:
                     return typ
 
-    def _parse_request(self, xmlstr, request_cls, service, binding):
+    def _parse_request(self, enc_request, request_cls, service, binding):
         """Parse a Request
 
-        :param xmlstr: The request in its transport format
+        :param enc_request: The request in its transport format
         :param request_cls: The type of requests I expect
         :param service:
         :param binding: Which binding that was used to transport the message
@@ -625,16 +625,15 @@ def _parse_request(self, xmlstr, request_cls, service, binding):
                                self.config.attribute_converters,
                                timeslack=timeslack)
 
-        origdoc = xmlstr
-        xmlstr = self.unravel(xmlstr, binding, request_cls.msgtype)
+        xmlstr = self.unravel(enc_request, binding, request_cls.msgtype)
         must = self.config.getattr("want_authn_requests_signed", "idp")
         only_valid_cert = self.config.getattr(
             "want_authn_requests_only_with_valid_cert", "idp")
         if only_valid_cert is None:
             only_valid_cert = False
         if only_valid_cert:
             must = True
-        _request = _request.loads(xmlstr, binding, origdoc=origdoc, must=must,
+        _request = _request.loads(xmlstr, binding, origdoc=enc_request, must=must,
                                   only_valid_cert=only_valid_cert)
 
         _log_debug("Loaded request")
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
@@ -721,7 +721,7 @@ def validate_signature(self, enctext, cert_file, cert_type, node_name,
 
 class CryptoBackendXmlSec1(CryptoBackend):
     """
-    CryptoBackend implementation using external binary xmlsec1 to sign
+    CryptoBackend implementation using external binary 1 to sign
     and verify XML documents.
     """
 
@@ -731,6 +731,10 @@ def __init__(self, xmlsec_binary, **kwargs):
         CryptoBackend.__init__(self, **kwargs)
         assert (isinstance(xmlsec_binary, basestring))
         self.xmlsec = xmlsec_binary
+        if os.environ.get('PYSAML2_KEEP_XMLSEC_TMP', None):
+            self._xmlsec_delete_tmpfiles = False
+        else:
+            self._xmlsec_delete_tmpfiles = True
 
     def version(self):
         com_list = [self.xmlsec, "--version"]
@@ -832,7 +836,8 @@ def sign_statement(self, statement, node_name, key_file, node_id,
         :return: The signed statement
         """
 
-        _, fil = make_temp("%s" % statement, decode=False)
+        _, fil = make_temp("%s" % statement, suffix=".xml", decode=False, 
+                           delete=self._xmlsec_delete_tmpfiles)
 
         com_list = [self.xmlsec, "--sign",
                     "--privkey-pem", key_file,
@@ -867,7 +872,8 @@ def validate_signature(self, signedtext, cert_file, cert_type, node_name,
         :param id_attr: Should normally be one of "id", "Id" or "ID"
         :return: Boolean True if the signature was correct otherwise False.
         """
-        _, fil = make_temp(signedtext, decode=False)
+        _, fil = make_temp(signedtext, suffix=".xml",
+                           decode=False, delete=self._xmlsec_delete_tmpfiles)
 
         com_list = [self.xmlsec, "--verify",
                     "--pubkey-cert-%s" % cert_type, cert_file,
@@ -906,7 +912,7 @@ def _run_xmlsec(self, com_list, extra_args, validate_output=True,
         :param exception: The exception class to raise on errors
         :result: Whatever xmlsec wrote to an --output temporary file
         """
-        ntf = NamedTemporaryFile()
+        ntf = NamedTemporaryFile(suffix=".xml", delete=self._xmlsec_delete_tmpfiles)
         com_list.extend(["--output", ntf.name])
         com_list += extra_args
 
@@ -1243,6 +1249,11 @@ def __init__(self, crypto, key_file="", key_type="pem",
             self.template = template
 
         self.encrypt_key_type = encrypt_key_type
+        # keep certificate files to debug xmlsec invocations
+        if os.environ.get('PYSAML2_KEEP_XMLSEC_TMP', None):
+            self._xmlsec_delete_tmpfiles = False
+        else:
+            self._xmlsec_delete_tmpfiles = True
 
     def correctly_signed(self, xml, must=False):
         logger.debug("verify correct signature")
@@ -1334,16 +1345,19 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME,
             certs = []
             for cert in _certs:
                 if isinstance(cert, basestring):
-                    certs.append(make_temp(pem_format(cert), ".pem", False))
+                    certs.append(make_temp(pem_format(cert), suffix=".pem",
+                                           decode=False,
+                                           delete=self._xmlsec_delete_tmpfiles))
                 else:
                     certs.append(cert)
         else:
             certs = []
 
         if not certs and not self.only_use_keys_in_metadata:
             logger.debug("==== Certs from instance ====")
-            certs = [make_temp(pem_format(cert), ".pem",
-                               False) for cert in cert_from_instance(item)]
+            certs = [make_temp(pem_format(cert), suffix=".pem",
+                               decode=False, delete=self._xmlsec_delete_tmpfiles)
+                    for cert in cert_from_instance(item)]
         else:
             logger.debug("==== Certs from metadata ==== %s: %s ====" % (issuer,
                                                                         certs))
@@ -1417,8 +1431,8 @@ def correctly_signed_message(self, decoded_xml, msgtype, must=False,
         the entity that sent the info use that, if not use the key that are in
         the message if any.
 
-        :param decoded_xml: The SAML message as a XML string
-        :param msgtype:
+        :param decoded_xml: The SAML message as an XML infoset (a string)
+        :param msgtype: SAML protocol message type
         :param must: Whether there must be a signature
         :param origdoc:
         :return:
@@ -1435,7 +1449,7 @@ def correctly_signed_message(self, decoded_xml, msgtype, must=False,
 
         if not msg.signature:
             if must:
-                raise SignatureError("Missing must signature")
+                raise SignatureError("Required signature missing on %s" % msgtype)
             else:
                 return msg
 
