| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |\ \
| | |
| | | |
Fix StatusResponse when return_addrs is not set
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`return_addrs` is set to `None` by default in `StatusResponse.__init__()`.
If it is not filled with a proper value then `self._verify()` will fail because it tries
to iterate over a `None` object.
This PR avoids this error, by setting the `return_addrs` to `[]`.
```
if self.asynchop:
if (
self.response.destination
and self.response.destination not in self.return_addrs
):
logger.error("%s not in %s", self.response.destination, self.return_addrs)
return None
```
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |/
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| |
|
|
|
| |
According to SWAMID policy no attributes should be released when
entitity category is missing
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* client_base::Base is the base for an SP and manages SP_ARGS
* server::Server is the base for an IdP and maanges AA_IDP_ARGS
* entity::Entity is the base of SP/IdPs and manages the COMMON_ARGS
The signing_algorithm and digest_algorithm are COMMON_ARGS
and should be set and managed by entity::Entity.
On init they are set as properties of the Entity object.
If no configuration has been given, the internal-default is set (through DefaultSignature()).
The set sign_alg and digest_alg must be checked against an allow/block-list
---
- Signing is done both by SPs (on requests) and IdPs (on responses).
- Signing is done both for the Redirect-binding (apply_binding()) and the POST-binding (_message() > sign()).
---
* All client_base::Base(SP) (create_*) methods end in Entity::_message()
* Almost all server::Server(IdP) (create_*) methods end in Entity::_response()
thus:
- Entity::_message() must decide the value of "sign" and call Entity::sign()
- Entity::_response() must decide the value of "sign" and call Entity::sign()
- Entity::_status_response() must decide the value of "sign" and call Entity::sign()
- Entity::sign() must decide the value of sign_alg and digest_alg and call sigver::pre_signature_part()
---
All calls to Entity::_message() and Entity::_response() (or to their callers)
must pass on sign, sign_alg and digest_alg
All calls to sigver::pre_signature_part() should happen through the same call-chain
and should pass on specific sign_alg and digest_alg params
All relevant params should be set to None unless they have been set by the caller.
---
client::do_logout should be refactored to use the same call-chain
---
These type of checks (and self.lock blocks) should be removed (there are more for sign_assertion)
```
if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
```
```
if self.sec.cert_handler.generate_cert()
```
---
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an AuthnRequest is created with HTTP-Redirect binding, the XML document is not
signed, but instead, a signature is calculated and becomes part of the query params of
the Redirect-URL, through the Signature and SignAlg params.
Previously, when the Redirect binding was requested and signing was enabled but no
SignAlg params were defined, the Signature and SignAlg query params would be missing.
Now, if no SignAlg is defined, the default is used and the request is correctly created
with the proper query params.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |\
| |
| | |
Add logout_responses_signed configuration option to sign logout responses
|
| | | |
|
