Skip to content

Commit eb2d968

Browse files
author
Hans Hörberg
committed
Added a PEFIM parameter for PEFIM specific configurations.
1 parent ea021d6 commit eb2d968

File tree

4 files changed

+68
-43
lines changed

4 files changed

+68
-43
lines changed

src/saml2/entity.py

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -541,7 +541,7 @@ def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response, node_xpath=No
541541
def _response(self, in_response_to, consumer_url=None, status=None,
542542
issuer=None, sign=False, to_sign=None, sp_entity_id=None,
543543
encrypt_assertion=False, encrypt_assertion_self_contained=False, encrypted_advice_attributes=False,
544-
encrypt_cert_advice=None, encrypt_cert_assertion=None,sign_assertion=None, **kwargs):
544+
encrypt_cert_advice=None, encrypt_cert_assertion=None,sign_assertion=None, pefim=False, **kwargs):
545545
""" Create a Response.
546546
Encryption:
547547
encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is
@@ -584,7 +584,8 @@ def _response(self, in_response_to, consumer_url=None, status=None,
584584
if not has_encrypt_cert and encrypt_cert_assertion is None:
585585
encrypt_assertion = False
586586

587-
if encrypt_assertion or (encrypted_advice_attributes and response.assertion.advice is not None and len(response.assertion.advice.assertion) == 1):
587+
if encrypt_assertion or (encrypted_advice_attributes and response.assertion.advice is not None and
588+
len(response.assertion.advice.assertion) == 1):
588589
if sign:
589590
response.signature = pre_signature_part(response.id,
590591
self.sec.my_cert, 1)
@@ -605,7 +606,7 @@ def _response(self, in_response_to, consumer_url=None, status=None,
605606
_advice_assertions = [_advice_assertions]
606607
for tmp_assertion in _advice_assertions:
607608
to_sign_advice = []
608-
if sign_assertion is not None and sign_assertion:
609+
if sign_assertion and not pefim:
609610
tmp_assertion.signature = pre_signature_part(tmp_assertion.id, self.sec.my_cert, 1)
610611
to_sign_advice.append((class_name(tmp_assertion), tmp_assertion.id))
611612
#tmp_assertion = response.assertion.advice.assertion[0]

src/saml2/response.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -797,7 +797,7 @@ def _assertion(self, assertion, verified=False):
797797
logger.exception("get subject")
798798
raise
799799

800-
def decrypt_assertions(self, encrypted_assertions, decr_txt):
800+
def decrypt_assertions(self, encrypted_assertions, decr_txt, issuer=None):
801801
res = []
802802
for encrypted_assertion in encrypted_assertions:
803803
if encrypted_assertion.extension_elements:
@@ -807,7 +807,7 @@ def decrypt_assertions(self, encrypted_assertions, decr_txt):
807807
if assertion.signature:
808808
if not self.sec.check_signature(
809809
assertion, origdoc=decr_txt,
810-
node_name=class_name(assertion)):
810+
node_name=class_name(assertion), issuer=issuer):
811811
logger.error(
812812
"Failed to verify signature on '%s'" % assertion)
813813
raise SignatureError()
@@ -842,7 +842,9 @@ def parse_assertion(self, key_file="", decrypt=True):
842842
if resp.assertion:
843843
for tmp_ass in resp.assertion:
844844
if tmp_ass.advice and tmp_ass.advice.encrypted_assertion:
845-
advice_res = self.decrypt_assertions(tmp_ass.advice.encrypted_assertion, decr_text)
845+
advice_res = self.decrypt_assertions(tmp_ass.advice.encrypted_assertion,
846+
decr_text,
847+
tmp_ass.issuer)
846848
if tmp_ass.advice.assertion:
847849
tmp_ass.advice.assertion.extend(advice_res)
848850
else:

src/saml2/server.py

Lines changed: 16 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -324,7 +324,7 @@ def _authn_response(self, in_response_to, consumer_url,
324324
sign_assertion=False, sign_response=False,
325325
best_effort=False, encrypt_assertion=False,
326326
encrypt_cert_advice=None, encrypt_cert_assertion=None, authn_statement=None,
327-
encrypt_assertion_self_contained=False, encrypted_advice_attributes=False):
327+
encrypt_assertion_self_contained=False, encrypted_advice_attributes=False, pefim=False):
328328
""" Create a response. A layer of indirection.
329329
330330
:param in_response_to: The session identifier of the request
@@ -358,21 +358,23 @@ def _authn_response(self, in_response_to, consumer_url,
358358
# tmp_authn_statement = authn_statement
359359
# authn_statement = None
360360

361-
if encrypted_advice_attributes:
361+
if pefim:
362+
encrypted_advice_attributes = True
363+
encrypt_assertion_self_contained = True
362364
assertion_attributes = self.setup_assertion(None, sp_entity_id, None, None, None, policy,
363-
None, None, identity, best_effort, sign_response, False)
365+
None, None, identity, best_effort, sign_response, False)
364366
assertion = self.setup_assertion(authn, sp_entity_id, in_response_to, consumer_url,
365-
name_id, policy, _issuer, authn_statement, [], True,
366-
sign_response)
367+
name_id, policy, _issuer, authn_statement, [], True,
368+
sign_response)
367369
assertion.advice = saml.Advice()
368370

369371
#assertion.advice.assertion_id_ref.append(saml.AssertionIDRef())
370372
#assertion.advice.assertion_uri_ref.append(saml.AssertionURIRef())
371373
assertion.advice.assertion.append(assertion_attributes)
372374
else:
373375
assertion = self.setup_assertion(authn, sp_entity_id, in_response_to, consumer_url,
374-
name_id, policy, _issuer, authn_statement, identity, True,
375-
sign_response)
376+
name_id, policy, _issuer, authn_statement, identity, True,
377+
sign_response)
376378

377379
to_sign = []
378380
if not encrypt_assertion:
@@ -405,6 +407,7 @@ def _authn_response(self, in_response_to, consumer_url,
405407
encrypt_cert_assertion=encrypt_cert_assertion,
406408
encrypt_assertion_self_contained=encrypt_assertion_self_contained,
407409
encrypted_advice_attributes=encrypted_advice_attributes,sign_assertion=sign_assertion,
410+
pefim=pefim,
408411
**args)
409412

410413
# ------------------------------------------------------------------------
@@ -481,7 +484,7 @@ def create_authn_response(self, identity, in_response_to, destination,
481484
sign_response=None, sign_assertion=None,
482485
encrypt_cert_advice=None, encrypt_cert_assertion=None, encrypt_assertion=None,
483486
encrypt_assertion_self_contained=True,
484-
encrypted_advice_attributes=False,
487+
encrypted_advice_attributes=False, pefim=False,
485488
**kwargs):
486489
""" Constructs an AuthenticationResponse
487490
@@ -536,7 +539,7 @@ def create_authn_response(self, identity, in_response_to, destination,
536539
if encrypted_advice_attributes is None:
537540
encrypted_advice_attributes = False
538541

539-
if encrypted_advice_attributes:
542+
if encrypted_advice_attributes or pefim:
540543
verify_encrypt_cert = self.config.getattr("verify_encrypt_cert_advice", "idp")
541544
if verify_encrypt_cert is not None:
542545
if encrypt_cert_advice is None:
@@ -613,7 +616,8 @@ def create_authn_response(self, identity, in_response_to, destination,
613616
encrypt_assertion_self_contained=encrypt_assertion_self_contained,
614617
encrypted_advice_attributes=encrypted_advice_attributes,
615618
encrypt_cert_advice=encrypt_cert_advice,
616-
encrypt_cert_assertion=encrypt_cert_assertion)
619+
encrypt_cert_assertion=encrypt_cert_assertion,
620+
pefim=peifm)
617621
return self._authn_response(in_response_to, # in_response_to
618622
destination, # consumer_url
619623
sp_entity_id, # sp_entity_id
@@ -629,7 +633,8 @@ def create_authn_response(self, identity, in_response_to, destination,
629633
encrypt_assertion_self_contained=encrypt_assertion_self_contained,
630634
encrypted_advice_attributes=encrypted_advice_attributes,
631635
encrypt_cert_advice=encrypt_cert_advice,
632-
encrypt_cert_assertion=encrypt_cert_assertion)
636+
encrypt_cert_assertion=encrypt_cert_assertion,
637+
pefim=pefim)
633638

634639
except MissingValue as exc:
635640
return self.create_error_response(in_response_to, destination,

tests/test_50_server.py

Lines changed: 43 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -539,7 +539,8 @@ def test_encrypted_signed_response_1(self):
539539
sign_assertion=True,
540540
encrypt_assertion=False,
541541
encrypt_assertion_self_contained=True,
542-
encrypted_advice_attributes=True,
542+
pefim=True,
543+
#encrypted_advice_attributes=True,
543544
encrypt_cert_advice=cert_str,
544545
)
545546

@@ -573,11 +574,15 @@ def test_encrypted_signed_response_1(self):
573574

574575
self.verify_assertion(assertion)
575576

576-
valid = self.server.sec.verify_signature(decr_text,
577-
self.server.config.cert_file,
578-
node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
579-
node_id=assertion[0].id,
580-
id_attr="")
577+
578+
579+
#PEFIM never signs assertions.
580+
assert assertion[0].signature is None
581+
#valid = self.server.sec.verify_signature(decr_text,
582+
# self.server.config.cert_file,
583+
# node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
584+
# node_id=assertion[0].id,
585+
# id_attr="")
581586
assert valid
582587

583588
def test_encrypted_signed_response_2(self):
@@ -593,7 +598,6 @@ def test_encrypted_signed_response_2(self):
593598
sign_assertion=False,
594599
encrypt_assertion=True,
595600
encrypt_assertion_self_contained=True,
596-
encrypt_cert=cert_str,
597601
)
598602

599603
sresponse = response_from_string(signed_resp)
@@ -649,7 +653,6 @@ def test_encrypted_signed_response_3(self):
649653

650654
resp.assertion = extension_elements_to_elements(resp.encrypted_assertion[0].extension_elements, [saml, samlp])
651655

652-
653656
valid = self.server.sec.verify_signature(decr_text,
654657
self.server.config.cert_file,
655658
node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
@@ -677,7 +680,8 @@ def test_encrypted_signed_response_4(self):
677680
sign_assertion=True,
678681
encrypt_assertion=True,
679682
encrypt_assertion_self_contained=True,
680-
encrypted_advice_attributes=True,
683+
#encrypted_advice_attributes=True,
684+
pefim=True,
681685
encrypt_cert_advice=cert_str,
682686
)
683687

@@ -715,11 +719,13 @@ def test_encrypted_signed_response_4(self):
715719
extension_elements_to_elements(assertion[0].advice.encrypted_assertion[0].extension_elements,[saml, samlp])
716720
self.verify_assertion(assertion)
717721

718-
valid = self.server.sec.verify_signature(decr_text,
719-
self.server.config.cert_file,
720-
node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
721-
node_id=assertion[0].id,
722-
id_attr="")
722+
#PEFIM never signs assertion in advice
723+
assert assertion[0].signature is None
724+
#valid = self.server.sec.verify_signature(decr_text,
725+
# self.server.config.cert_file,
726+
# node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
727+
# node_id=assertion[0].id,
728+
# id_attr="")
723729
assert valid
724730

725731
def test_encrypted_response_1(self):
@@ -735,7 +741,8 @@ def test_encrypted_response_1(self):
735741
sign_assertion=False,
736742
encrypt_assertion=False,
737743
encrypt_assertion_self_contained=True,
738-
encrypted_advice_attributes=True,
744+
#encrypted_advice_attributes=True,
745+
pefim=True,
739746
encrypt_cert_advice=cert_str_advice,
740747
)
741748

@@ -767,7 +774,8 @@ def test_encrypted_response_2(self):
767774
sign_assertion=False,
768775
encrypt_assertion=True,
769776
encrypt_assertion_self_contained=True,
770-
encrypted_advice_attributes=True,
777+
#encrypted_advice_attributes=True,
778+
pefim=True,
771779
encrypt_cert_advice=cert_str_advice,
772780
)
773781

@@ -859,7 +867,8 @@ def test_encrypted_response_5(self):
859867
sign_assertion=False,
860868
encrypt_assertion=False,
861869
encrypt_assertion_self_contained=True,
862-
encrypted_advice_attributes=True,
870+
#encrypted_advice_attributes=True,
871+
pefim=True
863872
)
864873

865874
_resp = "%s" % _resp
@@ -891,7 +900,8 @@ def test_encrypted_response_6(self):
891900
sign_assertion=False,
892901
encrypt_assertion=True,
893902
encrypt_assertion_self_contained=True,
894-
encrypted_advice_attributes=True,
903+
#encrypted_advice_attributes=True,
904+
pefim=True,
895905
encrypt_cert_advice=cert_str_advice,
896906
encrypt_cert_assertion=cert_str_assertion
897907
)
@@ -925,7 +935,8 @@ def test_encrypted_response_7(self):
925935
sign_assertion=False,
926936
encrypt_assertion=True,
927937
encrypt_assertion_self_contained=True,
928-
encrypted_advice_attributes=True,
938+
#encrypted_advice_attributes=True,
939+
pefim=True
929940
)
930941

931942
sresponse = response_from_string(_resp)
@@ -954,7 +965,8 @@ def test_encrypted_response_8(self):
954965
sign_assertion=False,
955966
encrypt_assertion=True,
956967
encrypt_assertion_self_contained=True,
957-
encrypted_advice_attributes=True,
968+
#encrypted_advice_attributes=True,
969+
pefim=True,
958970
encrypt_cert_advice="whatever",
959971
encrypt_cert_assertion="whatever"
960972
)
@@ -975,7 +987,8 @@ def test_encrypted_response_8(self):
975987
sign_assertion=False,
976988
encrypt_assertion=False,
977989
encrypt_assertion_self_contained=True,
978-
encrypted_advice_attributes=True,
990+
#encrypted_advice_attributes=True,
991+
pefim=True,
979992
encrypt_cert_advice="whatever",
980993
)
981994
assert False, "Must throw an exception"
@@ -1017,7 +1030,8 @@ def test_encrypted_response_8(self):
10171030
sign_assertion=False,
10181031
encrypt_assertion=True,
10191032
encrypt_assertion_self_contained=True,
1020-
encrypted_advice_attributes=True,
1033+
#encrypted_advice_attributes=True,
1034+
pefim=True,
10211035
encrypt_cert_advice="whatever",
10221036
encrypt_cert_assertion="whatever"
10231037
)
@@ -1038,7 +1052,8 @@ def test_encrypted_response_8(self):
10381052
sign_assertion=False,
10391053
encrypt_assertion=False,
10401054
encrypt_assertion_self_contained=True,
1041-
encrypted_advice_attributes=True,
1055+
#encrypted_advice_attributes=True,
1056+
pefim=True,
10421057
encrypt_cert_advice="whatever",
10431058
)
10441059
assert False, "Must throw an exception"
@@ -1080,7 +1095,8 @@ def test_encrypted_response_9(self):
10801095
sign_assertion=False,
10811096
encrypt_assertion=True,
10821097
encrypt_assertion_self_contained=True,
1083-
encrypted_advice_attributes=True,
1098+
#encrypted_advice_attributes=True,
1099+
pefim=True,
10841100
)
10851101

10861102
self.verify_assertion(_resp.assertion.advice.assertion)
@@ -1095,7 +1111,8 @@ def test_encrypted_response_9(self):
10951111
sign_assertion=False,
10961112
encrypt_assertion=False,
10971113
encrypt_assertion_self_contained=True,
1098-
encrypted_advice_attributes=True,
1114+
#encrypted_advice_attributes=True,
1115+
pefim=True
10991116
)
11001117

11011118
self.verify_assertion(_resp.assertion.advice.assertion)
@@ -1253,4 +1270,4 @@ def test_1(self):
12531270
if __name__ == "__main__":
12541271
ts = TestServer1()
12551272
ts.setup_class()
1256-
ts.test_encrypted_response_9()
1273+
ts.test_encrypted_signed_response_1()

0 commit comments

Comments
 (0)