delta/python-packages/pysaml2.git/tests/test_50_server.py, branch assert_deletion github.com: rohe/pysaml2.git Differentiate between metadata NameIDFormat and AuthnRequest NameIDPolicy Format 2020-07-10T17:10:51+00:00 Ivan Kanakarakis ivan.kanak@gmail.com 2020-07-07T10:38:39+00:00 0c1873da1f280d4921b9c9b3da9126388d75e701 The `name_id_format` configuration option is used to define 1. the value of the `<NameIDFormat>` metadata element 2. and the value of the `<NameIDPolicy>` `Format` attribute in an `AuthnRequest` The configuration option to set what the value of `<NameIDFormat>` element is in the metadata should be different from the configuration option to specify what should be requested in an `AuthnRequest` through the `<NameIDPolicy Format="...">` attribute. Introduce a new option (`name_id_policy_format`), or use the same name but scoped in a specific section for metadata and AuthnRequest. On the side of this, pysaml2 defaults to _transient_ as the `<NameIDPolicy Format="...">` attribute value. To omit requesting a value for the `<NameIDPolicy Format="">` attribute the value `"None"` (a string) must be set in the configuration. This is unintuitive. It is better to be explicit and set transient to request a transient NameID, than not setting a value and requesting transient by default. If no value is set, no specific `<NameIDPolicy Format="...">` should be requested. - Refactor the name_id_format usage - Add name_id_policy_format configuration option - Remove the "None" convention value Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> 
The `name_id_format` configuration option is used to define

1. the value of the `<NameIDFormat>` metadata element
2. and the value of the `<NameIDPolicy>` `Format` attribute in an `AuthnRequest`

The configuration option to set what the value of `<NameIDFormat>` element is in the
metadata should be different from the configuration option to specify what should be
requested in an `AuthnRequest` through the `<NameIDPolicy Format="...">` attribute.

Introduce a new option (`name_id_policy_format`), or use the same name but scoped in a
specific section for metadata and AuthnRequest.

On the side of this, pysaml2 defaults to _transient_ as the `<NameIDPolicy
Format="...">` attribute value. To omit requesting a value for the `<NameIDPolicy
Format="">` attribute the value `"None"` (a string) must be set in the configuration.
This is unintuitive. It is better to be explicit and set transient to request a
transient NameID, than not setting a value and requesting transient by default. If no
value is set, no specific `<NameIDPolicy Format="...">` should be requested.

- Refactor the name_id_format usage
- Add name_id_policy_format configuration option
- Remove the "None" convention value

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix xmlsec1 --id-attr option 2020-05-26T12:02:58+00:00 Ivan Kanakarakis ivan.kanak@gmail.com 2020-01-26T16:19:38+00:00 8d9c9a131edb5ee6f215a441ab1a75e3c8259ef4 We need to know _the name of the attribute_ that represents the identifier of the node that is being signed, or encrypted, or verified. We guess the name -by trying `ID`, `Id` and `id`- and pass it to `xmlsec1` using the `--id-attr` command line option. _Why is this needed?_ Shouldn't the attribute names be specified by the corresponding specifications? Let's look into the specs to find out. * saml-core: * `StatusResponseType` uses `ID` * `RequestAbstractType` uses `ID` * `Assertion` uses `ID` * xmldsig-core: * `SignatureType` uses `Id` * xmlenc-core: * `EncryptedType` uses `Id` So, the answer is _yes_ - the attribute names are defined and, instead of guessing, we should be passing in the id-attribute names as defined by the specs. _Note_: But, do we even need to do this? If the names are standardized, why do we bother with this? In fact, the manual for `xmlsec1` explicitly says that --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name> adds attributes <attr-name> (default value "id") from all nodes with<node-name> and namespace <node-namespace-uri> to the list of known ID attributes; this is a hack and if you can use DTD or schema to declare ID attributes instead (see "--dtd-file" option), I don't know what else might be broken in your application when you use this hack However, it seems that `xmlsec1` by default will only look for an attribute with name `id`. The right way to solve this is to pass in a DTD file. Then, `xmlsec1` will understand that it needs to look up a different attribute name. Unfortunately, there are no official DTDs (or even unofficial, to my knowledge) for SAML. The SAML specifications instead provide XSD files. Even though `xmlsec1` mentions _schema_, there doesn't seem to be a way to pass in an XSD file. So, we have to resort to this "hack". When we sign a document, we need to point to the node that will be signed. The nodes that we are signing are always SAML nodes (Assertion, StatusResponseType (Response, etc), RequestAbstractType (AuthnRequest, etc)). All SAML nodes that will be signed use `ID` as the attribute name. So, in order to sign and verify a signature, we need to pass in `ID`. When encrypting a document, we need to point to the node whose content will be encrypted. Currently, we use XPath to point to that node, without the use of an id. But, we could be using an identifier to locate the node, and if we did so, we would still be using `ID`. When decrypting a document, we need to point to the node that contains the encrypted data. This is where things change. Since the SAML node itself is encrypted we cannot point to an `ID` attribute, as we did in the other cases. Instead, it is specified that a node named `EncryptedData` exists, that may have an `Id` attribute. This is where we want to point to. So, we need to use `Id`. Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> 
We need to know _the name of the attribute_ that represents the identifier of the node
that is being signed, or encrypted, or verified. We guess the name -by trying `ID`, `Id`
and `id`- and pass it to `xmlsec1` using the `--id-attr` command line option.

_Why is this needed?_ Shouldn't the attribute names be specified by the corresponding
specifications? Let's look into the specs to find out.

* saml-core:
  * `StatusResponseType` uses `ID`
  * `RequestAbstractType` uses `ID`
  * `Assertion` uses `ID`

* xmldsig-core:
  * `SignatureType` uses `Id`

* xmlenc-core:
  * `EncryptedType` uses `Id`

So, the answer is _yes_ - the attribute names are defined and, instead of guessing, we
should be passing in the id-attribute names as defined by the specs.

_Note_: But, do we even need to do this? If the names are standardized, why do we bother
with this? In fact, the manual for `xmlsec1` explicitly says that

    --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

        adds attributes <attr-name> (default value "id") from all nodes
        with<node-name> and namespace <node-namespace-uri> to the list of
        known ID attributes; this is a hack and  if you can use DTD or schema
        to declare ID attributes instead (see "--dtd-file" option), I don't
        know what else might be broken in your application when you use this
        hack

However, it seems that `xmlsec1` by default will only look for an attribute with name
`id`. The right way to solve this is to pass in a DTD file. Then, `xmlsec1` will
understand that it needs to look up a different attribute name. Unfortunately, there are
no official DTDs (or even unofficial, to my knowledge) for SAML. The SAML specifications
instead provide XSD files. Even though `xmlsec1` mentions _schema_, there doesn't seem
to be a way to pass in an XSD file. So, we have to resort to this "hack".

When we sign a document, we need to point to the node that will be signed. The nodes
that we are signing are always SAML nodes (Assertion, StatusResponseType (Response,
etc), RequestAbstractType (AuthnRequest, etc)). All SAML nodes that will be signed use
`ID` as the attribute name. So, in order to sign and verify a signature, we need to pass
in `ID`.

When encrypting a document, we need to point to the node whose content will be
encrypted. Currently, we use XPath to point to that node, without the use of an id. But,
we could be using an identifier to locate the node, and if we did so, we would still be
using `ID`.

When decrypting a document, we need to point to the node that contains the encrypted
data. This is where things change. Since the SAML node itself is encrypted we cannot
point to an `ID` attribute, as we did in the other cases. Instead, it is specified that
a node named `EncryptedData` exists, that may have an `Id` attribute. This is where we
want to point to. So, we need to use `Id`.

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Read from env var PYSAML2_DELETE_TMPFILES 2019-11-26T12:02:27+00:00 Ivan Kanakarakis ivan.kanak@gmail.com 2019-09-01T19:17:01+00:00 2109a65b1a233d42da84cc2aad982bf8a4b49816 Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> 
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix tests to be compatible with latest pytest 2019-07-08T18:14:54+00:00 Ivan Kanakarakis ivan.kanak@gmail.com 2019-07-08T18:14:54+00:00 124376b3a707edf354fcc2e7311a86af864cf647 Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> 
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
update tests with regards to AllowCreate 2019-05-08T16:39:43+00:00 Fredrik Thulin fredrik@thulin.net 2019-05-08T16:39:43+00:00 aa5c4207a828b94cfd90b6ecc78566632a324852 AllowCreate is not supposed to be present for transient Name IDs. 
AllowCreate is not supposed to be present for transient Name IDs.
Convert exception expectation to with-raises idiom 2019-01-14T13:29:44+00:00 Ivan Kanakarakis ivan.kanak@gmail.com 2019-01-10T20:53:56+00:00 cb760c81ce6739821782040b648ce42527b22b21 Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> 
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Duplicated tests and added non ascii characters 2018-10-04T13:00:56+00:00 Johan Lundberg lundberg@sunet.se 2018-10-04T13:00:56+00:00 47c61dfdc4bdb4a58a0b308ad2a7a0786f42de0e 






Updated test cases
2017-06-13T09:04:51+00:00

Ioannis Kakavas
ikakavas@noc.grnet.gr

2017-06-13T09:04:51+00:00

695e2f0a98d4df6f690e12226283577920e5406f

As explained in
https://github.com/rohe/pysaml2/pull/423#issuecomment-308053607 , ava
cannot contain an 'surName' key, it should be named 'sn'





As explained in
https://github.com/rohe/pysaml2/pull/423#issuecomment-308053607 , ava
cannot contain an 'surName' key, it should be named 'sn'







Language correction.
2016-02-11T10:08:04+00:00

Roland Hedberg
roland.hedberg@adm.umu.se

2016-02-11T10:08:04+00:00

0515de9fa8b7f339baba826f87eedc8c922dfa7f

Deal with case where people want to JSON serialize session information.
Carry over more parameters in create_attribute_response.





Deal with case where people want to JSON serialize session information.
Carry over more parameters in create_attribute_response.







Merge remote-tracking branch 'upstream/master'
2015-11-06T12:01:21+00:00

Hans HoĢˆrberg
hans.horberg@umu.se

2015-11-06T12:01:21+00:00

bc93176fa6b4f15090a7d2d335727d60c6ffe2c3

# Conflicts:
#	src/saml2/entity.py

digest algorithm added to the same functions as sign alg.





# Conflicts:
#	src/saml2/entity.py

digest algorithm added to the same functions as sign alg.