Fix, so if no encryption keys exists will the server not encrypt the message.

Hans Hörberg · Hans Hörberg · commit ff7a69fc9371 · 2015-05-19T16:10:35.000+02:00
Extended the test suite with negative tests.
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -67,7 +67,8 @@
     "cert_handler_extra_class",
     "generate_cert_func",
     "generate_cert_info",
-    "verify_encrypt_cert",
+    "verify_encrypt_cert_advice",
+    "verify_encrypt_cert_assertion",
     "tmp_cert_file",
     "tmp_key_file",
     "validate_certificate",
@@ -97,6 +98,8 @@
     "sign_assertion",
     "sign_response",
     "encrypt_assertion",
+    "encrypted_advice_attributes",
+    "encrypt_assertion_self_contained",
     "want_authn_requests_signed",
     "want_authn_requests_only_with_valid_cert",
     "provided_attributes",
@@ -219,7 +222,8 @@ def __init__(self, homedir="."):
         self.allow_unsolicited = False
         self.extension_schema = {}
         self.cert_handler_extra_class = None
-        self.verify_encrypt_cert = None
+        self.verify_encrypt_cert_advice = None
+        self.verify_encrypt_cert_assertion = None
         self.generate_cert_func = None
         self.generate_cert_info = None
         self.tmp_cert_file = None
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
@@ -502,14 +502,22 @@ def _add_info(self, msg, **kwargs):
             else:
                 msg.extension_elements = extensions
 
+    def has_encrypt_cert_in_metadata(self, sp_entity_id):
+        if sp_entity_id is not None:
+            _certs = self.metadata.certs(sp_entity_id, "any", "encryption")
+            if len(_certs) > 0:
+                return True
+        return False
+
+
     def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response, node_xpath=None):
         _certs = []
         cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
         if encrypt_cert:
             _certs = []
             _certs.append(encrypt_cert)
         elif sp_entity_id is not None:
-            _certs = self.metadata.certs(sp_entity_id, "any", "encrypt")
+            _certs = self.metadata.certs(sp_entity_id, "any", "encryption")
         exception = None
         for _cert in _certs:
             try:
@@ -528,6 +536,7 @@ def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response, node_xpath=No
                 pass
         if exception:
             raise exception
+        return response
 
     def _response(self, in_response_to, consumer_url=None, status=None,
                   issuer=None, sign=False, to_sign=None, sp_entity_id=None,
@@ -552,7 +561,6 @@ def _response(self, in_response_to, consumer_url=None, status=None,
         :return: A Response instance
         """
 
-
         if not status:
             status = success_status_factory()
 
@@ -570,8 +578,13 @@ def _response(self, in_response_to, consumer_url=None, status=None,
         if not sign and to_sign and not encrypt_assertion:
             return signed_instance_factory(response, self.sec, to_sign)
 
-        if encrypt_assertion or (encrypted_advice_attributes and response.assertion.advice is not None and
-                                         len(response.assertion.advice.assertion) == 1):
+        has_encrypt_cert = self.has_encrypt_cert_in_metadata(sp_entity_id)
+        if not has_encrypt_cert and encrypt_cert_advice is None:
+            encrypted_advice_attributes = False
+        if not has_encrypt_cert and encrypt_cert_assertion is None:
+            encrypt_assertion = False
+
+        if encrypt_assertion or (encrypted_advice_attributes and response.assertion.advice is not None and len(response.assertion.advice.assertion) == 1):
             if sign:
                 response.signature = pre_signature_part(response.id,
                                                         self.sec.my_cert, 1)
diff --git a/src/saml2/server.py b/src/saml2/server.py
@@ -545,7 +545,6 @@ def create_authn_response(self, identity, in_response_to, destination,
                 if not verify_encrypt_cert(encrypt_cert_advice):
                     raise CertificateError("Invalid certificate for encryption!")
 
-
         if encrypt_assertion:
             verify_encrypt_cert = self.config.getattr("verify_encrypt_cert_assertion", "idp")
             if verify_encrypt_cert is not None:
diff --git a/tests/idp_conf_sp_no_encrypt.py b/tests/idp_conf_sp_no_encrypt.py
@@ -0,0 +1,67 @@
+from saml2 import BINDING_SOAP
+from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_POST
+from saml2.saml import NAMEID_FORMAT_PERSISTENT
+from saml2.saml import NAME_FORMAT_URI
+
+from pathutils import full_path
+from pathutils import xmlsec_path
+
+BASE = "http://localhost:8088"
+
+CONFIG = {
+    "entityid": "urn:mace:example.com:saml:roland:idp",
+    "name": "Rolands IdP",
+    "service": {
+        "idp": {
+            "endpoints": {
+                "single_sign_on_service": [
+                    ("%s/sso" % BASE, BINDING_HTTP_REDIRECT)],
+                "single_logout_service": [
+                    ("%s/slo" % BASE, BINDING_SOAP),
+                    ("%s/slop" % BASE, BINDING_HTTP_POST)]
+            },
+            "policy": {
+                "default": {
+                    "lifetime": {"minutes": 15},
+                    "attribute_restrictions": None,  # means all I have
+                    "name_form": NAME_FORMAT_URI,
+                },
+                "urn:mace:example.com:saml:roland:sp": {
+                    "lifetime": {"minutes": 5},
+                    "nameid_format": NAMEID_FORMAT_PERSISTENT,
+                    # "attribute_restrictions":{
+                    #     "givenName": None,
+                    #     "surName": None,
+                    # }
+                }
+            },
+            "subject_data": full_path("subject_data.db"),
+            #"domain": "umu.se",
+            #"name_qualifier": ""
+        },
+    },
+    "debug": 1,
+    "key_file": full_path("test.key"),
+    "cert_file": full_path("test.pem"),
+    "xmlsec_binary": xmlsec_path,
+    "metadata": [{
+        "class": "saml2.mdstore.MetaDataFile",
+        "metadata": [(full_path("metadata_sp_1_no_encryption.xml"), ),
+                     (full_path("vo_metadata.xml"), )],
+    }],
+    "attribute_map_dir": full_path("attributemaps"),
+    "organization": {
+        "name": "Exempel AB",
+        "display_name": [("Exempel AB", "se"), ("Example Co.", "en")],
+        "url": "http://www.example.com/roland",
+    },
+    "contact_person": [
+        {
+            "given_name": "John",
+            "sur_name": "Smith",
+            "email_address": ["john.smith@example.com"],
+            "contact_type": "technical",
+        },
+    ],
+}
diff --git a/tests/idp_conf_verify_cert.py b/tests/idp_conf_verify_cert.py
@@ -0,0 +1,76 @@
+from saml2 import BINDING_SOAP
+from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_POST
+from saml2.cert import OpenSSLWrapper
+from saml2.saml import NAMEID_FORMAT_PERSISTENT
+from saml2.saml import NAME_FORMAT_URI
+
+from pathutils import full_path
+from pathutils import xmlsec_path
+
+BASE = "http://localhost:8088"
+
+def verify_encrypt_cert(cert_str):
+    osw = OpenSSLWrapper()
+    ca_cert_str = osw.read_str_from_file(full_path("root_cert/localhost.ca.crt"))
+    valid, mess = osw.verify(ca_cert_str, cert_str)
+    return valid
+
+CONFIG = {
+    "entityid": "urn:mace:example.com:saml:roland:idp",
+    "name": "Rolands IdP",
+    "service": {
+        "idp": {
+            "verify_encrypt_cert_advice": verify_encrypt_cert,
+            "verify_encrypt_cert_assertion": verify_encrypt_cert,
+            "endpoints": {
+                "single_sign_on_service": [
+                    ("%s/sso" % BASE, BINDING_HTTP_REDIRECT)],
+                "single_logout_service": [
+                    ("%s/slo" % BASE, BINDING_SOAP),
+                    ("%s/slop" % BASE, BINDING_HTTP_POST)]
+            },
+            "policy": {
+                "default": {
+                    "lifetime": {"minutes": 15},
+                    "attribute_restrictions": None,  # means all I have
+                    "name_form": NAME_FORMAT_URI,
+                },
+                "urn:mace:example.com:saml:roland:sp": {
+                    "lifetime": {"minutes": 5},
+                    "nameid_format": NAMEID_FORMAT_PERSISTENT,
+                    # "attribute_restrictions":{
+                    #     "givenName": None,
+                    #     "surName": None,
+                    # }
+                }
+            },
+            "subject_data": full_path("subject_data.db"),
+            #"domain": "umu.se",
+            #"name_qualifier": ""
+        },
+    },
+    "debug": 1,
+    "key_file": full_path("test.key"),
+    "cert_file": full_path("test.pem"),
+    "xmlsec_binary": xmlsec_path,
+    "metadata": [{
+        "class": "saml2.mdstore.MetaDataFile",
+        "metadata": [(full_path("metadata_sp_1.xml"), ),
+                     (full_path("vo_metadata.xml"), )],
+    }],
+    "attribute_map_dir": full_path("attributemaps"),
+    "organization": {
+        "name": "Exempel AB",
+        "display_name": [("Exempel AB", "se"), ("Example Co.", "en")],
+        "url": "http://www.example.com/roland",
+    },
+    "contact_person": [
+        {
+            "given_name": "John",
+            "sur_name": "Smith",
+            "email_address": ["john.smith@example.com"],
+            "contact_type": "technical",
+        },
+    ],
+}
diff --git a/tests/metadata_sp_1.xml b/tests/metadata_sp_1.xml
@@ -5,7 +5,30 @@
         <ns0:SPSSODescriptor AuthnRequestsSigned="false"
                              WantAssertionsSigned="true"
                              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-            <ns0:KeyDescriptor>
+            <ns0:KeyDescriptor use="signing">
+                <ns1:KeyInfo>
+                    <ns1:X509Data>
+                        <ns1:X509Certificate>
+                            MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+                            BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+                            aWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBF
+                            MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+                            ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+                            gQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy
+                            3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaN
+                            efiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0G
+                            A1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJs
+                            iojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
+                            U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSw
+                            mDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6
+                            h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5
+                            U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6
+                            mrPzGzk3ECbupFnqyREH3+ZPSdk=
+                        </ns1:X509Certificate>
+                    </ns1:X509Data>
+                </ns1:KeyInfo>
+            </ns0:KeyDescriptor>
+            <ns0:KeyDescriptor  use="encryption">
                 <ns1:KeyInfo>
                     <ns1:X509Data>
                         <ns1:X509Certificate>
diff --git a/tests/metadata_sp_1_no_encryption.xml b/tests/metadata_sp_1_no_encryption.xml
@@ -0,0 +1,74 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
+                        xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
+    <ns0:EntityDescriptor entityID="urn:mace:example.com:saml:roland:sp">
+        <ns0:SPSSODescriptor AuthnRequestsSigned="false"
+                             WantAssertionsSigned="true"
+                             protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+            <ns0:KeyDescriptor use="signing">
+                <ns1:KeyInfo>
+                    <ns1:X509Data>
+                        <ns1:X509Certificate>
+                            MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+                            BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+                            aWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBF
+                            MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+                            ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+                            gQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy
+                            3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaN
+                            efiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0G
+                            A1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJs
+                            iojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
+                            U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSw
+                            mDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6
+                            h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5
+                            U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6
+                            mrPzGzk3ECbupFnqyREH3+ZPSdk=
+                        </ns1:X509Certificate>
+                    </ns1:X509Data>
+                </ns1:KeyInfo>
+            </ns0:KeyDescriptor>
+            <ns0:AssertionConsumerService
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                    Location="http://lingon.catalogix.se:8087/" index="1"/>
+            <ns0:AttributeConsumingService index="1">
+                <ns0:ServiceName xml:lang="en">
+                    urn:mace:example.com:saml:roland:sp
+                </ns0:ServiceName>
+                <ns0:ServiceDescription xml:lang="en">My own SP
+                </ns0:ServiceDescription>
+                <ns0:RequestedAttribute FriendlyName="surName"
+                                        Name="urn:oid:2.5.4.4"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="givenName"
+                                        Name="urn:oid:2.5.4.42"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="mail"
+                                        Name="urn:oid:0.9.2342.19200300.100.1.3"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="title"
+                                        Name="urn:oid:2.5.4.12"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="false"/>
+            </ns0:AttributeConsumingService>
+        </ns0:SPSSODescriptor>
+        <ns0:Organization>
+            <ns0:OrganizationName xml:lang="se">AB Exempel
+            </ns0:OrganizationName>
+            <ns0:OrganizationDisplayName xml:lang="se">AB Exempel
+            </ns0:OrganizationDisplayName>
+            <ns0:OrganizationURL xml:lang="en">http://www.example.org
+            </ns0:OrganizationURL>
+        </ns0:Organization>
+        <ns0:ContactPerson contactType="technical">
+            <ns0:GivenName>Roland</ns0:GivenName>
+            <ns0:SurName>Hedberg</ns0:SurName>
+            <ns0:EmailAddress>tech@eample.com</ns0:EmailAddress>
+            <ns0:EmailAddress>tech@example.org</ns0:EmailAddress>
+            <ns0:TelephoneNumber>+46 70 100 0000</ns0:TelephoneNumber>
+        </ns0:ContactPerson>
+    </ns0:EntityDescriptor>
+</ns0:EntitiesDescriptor>
diff --git a/tests/test_50_server.py b/tests/test_50_server.py
