path: root/src
  * fix: mdstore: fix MetadataStore.dumps(format="md")
      Vlad Mencl, 2021-06-09, 1 file changed, -1/+2

      MetadataStore.dumps(format="md") was failing with
      TypeError: Object of type dict_items is not JSON serializable
      ... because self.items() returns dictitems() - while only a dict would be
      serializable into JSON. Convert the dictitems back into a dict.

  * fix: saml2/time_util: get before/after docstrings right
      Vlad Mencl, 2021-06-09, 1 file changed, -2/+2

      Align the docstrings with what the functions actually implement.
* Consider DeclRef equivalent to ClassRef
    Ivan Kanakarakis, 2021-07-13, 1 file changed, -1/+4

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Refactor saml2.response.Response.authn_info
    Ivan Kanakarakis, 2021-07-13, 1 file changed, -14/+18

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Require the enveloped-signature transform to be present
    Ivan Kanakarakis, 2021-06-20, 1 file changed, -10/+18

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Improve signature checks
    Ivan Kanakarakis, 2021-06-20, 2 files changed, -9/+61

    - Enforce allowed canonicalization methods
    - Enforce allowed transform algorithms
    - Ensure the Object element is absent

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Do not look at preferred_binding on handle_logout_request
    Ivan Kanakarakis, 2021-05-20, 1 file changed, -2/+1

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Correctly order response_bindings based on requested binding
    Ivan Kanakarakis, 2021-05-19, 1 file changed, -6/+6

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Do not restrict the falsy values of bindings on pick_binding method
    Ivan Kanakarakis, 2021-05-19, 1 file changed, -1/+1

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Refactor do_logout
    Ivan Kanakarakis, 2021-05-19, 1 file changed, -78/+107

    Consider:
    - what the IdP supports
    - what the SP prefers
    - the expected binding

    Find the common set and select the first preferred choice.
    Then do the logout.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Do not limit the single_logout_service results
    Ivan Kanakarakis, 2021-05-19, 1 file changed, -2/+0

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #791 from wibed/commentary
    Ivan Kanakarakis, 2021-05-18, 2 files changed, -6/+85

    Add inline documentation

  * Add links to updated spec versions with errata
      Ivan Kanakarakis, 2021-05-18, 2 files changed, -3/+9

  * some documentation for newcomers and returners
      wibed, 2021-04-05, 2 files changed, -6/+79

* Embed the cert in the EncryptedData element
    Ivan Kanakarakis, 2021-05-18, 2 files changed, -9/+16

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Do not comment out RSA_1_5, but mark as deprecated
    Ivan Kanakarakis, 2021-05-18, 1 file changed, -3/+2

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Do not embed the cert in the EncryptedData element
    Ivan Kanakarakis, 2021-05-18, 2 files changed, -26/+20

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* [Strengthen Encryption] PySAML2 Encrypted Assertions now works with Shibboleth SP 3
    peppelinux, 2021-05-18, 3 files changed, -21/+41

    - Fixed: "ERROR Shibboleth.SSO.SAML2 [6] [default]: failed to decrypt assertion: Unable to resolve any key decryption keys."
    - Fixed: "WARN XMLTooling.Decrypter [7] [default]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy"

* Add shibmd_scopes metadata extractor
    Ivan Kanakarakis, 2021-05-18, 1 file changed, -0/+39

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #801 from ErwinJunge/response-issuer-none
    Ivan Kanakarakis, 2021-05-18, 1 file changed, -2/+7

    Issuer in a Response is optional

  * Format code
      Ivan Kanakarakis, 2021-05-18, 1 file changed, -1/+1

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Derive the issuer value then return it
      Ivan Kanakarakis, 2021-05-18, 1 file changed, -4/+6

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Response issuer can be None
      Erwin Junge, 2021-05-05, 1 file changed, -1/+4

* Set expected_binding for SLO from preferred_binding as configured
    Ivan Kanakarakis, 2021-05-18, 1 file changed, -0/+5

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Fix sign flags on logout
    Ivan Kanakarakis, 2021-05-17, 1 file changed, -2/+4

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #783 from peppelinux/issue_instant
    Ivan Kanakarakis, 2021-04-20, 1 file changed, -1/+1

    Fix IssueInstant validation

  * fix: invalid IssueInstant
      peppelinux, 2021-03-20, 1 file changed, -1/+1

* Try to get the friendlyName of the required RequestedAttribute else derive it using the canonical Name
    Ivan Kanakarakis, 2021-04-18, 1 file changed, -6/+10

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Bandaid for crash when friendlyName is not set in metadata
    Johan Lundberg, 2021-04-16, 1 file changed, -1/+6

* Sign logout requests according to logout_requests_signed config option
    Ivan Kanakarakis, 2021-04-09, 2 files changed, -1/+6

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #772 from peppelinux/unhandled_audience_restr
    Ivan Kanakarakis, 2021-03-08, 1 file changed, -2/+2

    Correctly handle AudienceRestriction elements with no value

  * Response with unvalued AudienceRestriction (Condition) Handling
      peppelinux, 2021-01-24, 1 file changed, -2/+2

* Merge pull request #766 from peppelinux/invalid_assertion
    Ivan Kanakarakis, 2021-03-07, 1 file changed, -1/+5

    Raise InvalidAssertion exception when assertion requirements are not met
  * InvalidAssertion Exception
      peppelinux, 2021-01-24, 1 file changed, -1/+5
* Merge pull request #763 from peppelinux/invalid_destination_url
    Ivan Kanakarakis, 2021-03-07, 1 file changed, -2/+9

    Invalid Destination URL Exception Handling

  * Invalid Destination URL Exception Handling
      peppelinux, 2021-01-24, 1 file changed, -2/+9

* Merge pull request #779 from peppelinux/metadata_exp_handler
    Ivan Kanakarakis, 2021-03-07, 1 file changed, -3/+5

    Raise SAMLError on failure to parse a metadata file

  * Raise SAMLError when metadata file cannot be parsed
      Ivan Kanakarakis, 2021-03-07, 1 file changed, -6/+3

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Remove whitespace changes
      Ivan Kanakarakis, 2021-03-07, 1 file changed, -1/+2

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Metadata Parse error Exception handling
      peppelinux, 2021-03-06, 2 files changed, -4/+8

* Merge pull request #757 from peppelinux/authn_3tuple_acs
    Ivan Kanakarakis, 2021-03-07, 1 file changed, -1/+6

    Handle all types of ACS endpoint specifications

  * Fixes https://github.com/IdentityPython/pysaml2/issues/599
      peppelinux, 2020-12-26, 1 file changed, -1/+6

      The SP authnReq now works with a 3-tuple (URL+binding+index) ACS service conf

* Fix the parser to take into account both the xs and xsd namespace prefixes
    Ivan Kanakarakis, 2021-01-21, 1 file changed, -0/+6

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request from GHSA-f4g9-h89h-jgv9
    Ivan Kanakarakis, 2021-01-20, 48 files changed, -3/+5632

    Validate XML documents before verifying the signature

  * Fix CVE-2021-21238 - SAML XML Signature wrapping
      Ivan Kanakarakis, 2021-01-15, 3 files changed, -0/+100

      All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend
      and need to verify signed SAML documents are impacted.

      `pysaml2 <= 6.4.1` does not validate the SAML document against an XML
      schema. This allows invalid XML documents to trick the verification
      process, by presenting elements with a valid signature inside elements
      whose content has been malformed. The verification is offloaded to
      `xmlsec1` and `xmlsec1` will not validate every signature in the given
      document, but only the first it finds in the given scope.

      Credits for the report:
      - Victor Schönfelder Garcia (isits AG International School of IT Security)
      - Juraj Somorovsky (Paderborn University)
      - Vladislav Mladenov (Ruhr University Bochum)

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Add xsd schemas
      Ivan Kanakarakis, 2021-01-15, 44 files changed, -0/+5514

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

  * Fix the parser to not break on ePTID AttributeValues
      Ivan Kanakarakis, 2021-01-15, 1 file changed, -3/+18

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to only x509 certs
    Ivan Kanakarakis, 2021-01-18, 1 file changed, -0/+1

    All users of pysaml2 that use the default CryptoBackendXmlSec1 backend
    and need to verify signed SAML documents are impacted.

    pysaml2 <= 6.4.1 does not ensure that a signed SAML document is correctly
    signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1
    binary to verify the signature of signed SAML documents, but by default,
    xmlsec1 accepts any type of key found within the given document. xmlsec1
    needs to be configured explicitly to use only x509 certificates for the
    verification process of the SAML document signature.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Load the encryption template using package resources
    Ivan Kanakarakis, 2021-01-07, 4 files changed, -2/+3

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

* Cleanup and reorder sigver imports
    Ivan Kanakarakis, 2021-01-07, 1 file changed, -14/+9

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>