* [gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/files/
commit: 2fd4c9dcd2f329f676a0621fe164d56de31ea1c8
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Mon Apr 22 07:44:00 2019 +0000
Commit: David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Tue Apr 23 09:54:23 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fd4c9dc
dev-python/pysaml2: remove unused patch(es)
Closes: https://github.com/gentoo/gentoo/pull/11774
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Signed-off-by: David Seifert <soap <AT> gentoo.org>
.../files/pysaml-4.0.2_CVE-2017-1000433.patch | 33 ---
dev-python/pysaml2/files/xxe-4.0.2.patch | 305 ---------------------
2 files changed, 338 deletions(-)
diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
deleted file mode 100644
index 7abc765c298..00000000000
--- a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6312a41e037954850867f29d329e5007df1424a5 Mon Sep 17 00:00:00 2001
-From: Ioannis Kakavas <ikakavas@noc.grnet.gr>
-Date: Tue, 12 Sep 2017 12:22:47 +0300
-Subject: [PATCH] Quick fix for the authentication bypass due to optimizations
- #451
-
----
- src/saml2/authn.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/saml2/authn.py b/src/saml2/authn.py
-index 1f2d02cf..1e1a220b 100644
---- a/src/saml2/authn.py
-+++ b/src/saml2/authn.py
-@@ -146,7 +146,8 @@ def __call__(self, cookie=None, policy_url=None, logo_url=None,
- return resp
-
- def _verify(self, pwd, user):
-- assert is_equal(pwd, self.passwd[user])
-+ if not is_equal(pwd, self.passwd[user]):
-+ raise ValueError("Wrong password")
-
- def verify(self, request, **kwargs):
- """
-@@ -176,7 +177,7 @@ def verify(self, request, **kwargs):
- return_to = create_return_url(self.return_to, _dict["query"][0],
- **{self.query_param: "true"})
- resp = Redirect(return_to, headers=[cookie])
-- except (AssertionError, KeyError):
-+ except (ValueError, KeyError):
- resp = Unauthorized("Unknown user or wrong password")
-
- return resp
diff --git a/dev-python/pysaml2/files/xxe-4.0.2.patch b/dev-python/pysaml2/files/xxe-4.0.2.patch
deleted file mode 100644
index 8e1a2ef53cc..00000000000
--- a/dev-python/pysaml2/files/xxe-4.0.2.patch
+++ /dev/null
@@ -1,305 +0,0 @@
-diff -Naur pysaml2/setup.py pysaml2.new/setup.py
---- pysaml2/setup.py 2015-12-06 00:46:33.000000000 -0600
-+++ pysaml2.new/setup.py 2017-01-10 20:31:43.387413477 -0600
-@@ -17,6 +17,7 @@
- 'pytz',
- 'pyOpenSSL',
- 'python-dateutil',
-+ 'defusedxml',
- 'six'
- ]
-
-diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
---- pysaml2/src/saml2/__init__.py 2016-01-07 05:53:57.000000000 -0600
-+++ pysaml2.new/src/saml2/__init__.py 2017-01-10 20:34:04.171641116 -0600
-@@ -35,6 +35,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
- root_logger = logging.getLogger(__name__)
- root_logger.level = logging.NOTSET
-@@ -86,7 +87,7 @@
- """
- if not isinstance(xml_string, six.binary_type):
- xml_string = xml_string.encode('utf-8')
-- tree = ElementTree.fromstring(xml_string)
-+ tree = defusedxml.ElementTree.fromstring(xml_string)
- return create_class_from_element_tree(target_class, tree)
-
-
-@@ -268,7 +269,7 @@
-
-
- def extension_element_from_string(xml_string):
-- element_tree = ElementTree.fromstring(xml_string)
-+ element_tree = defusedxml.ElementTree.fromstring(xml_string)
- return _extension_element_from_element_tree(element_tree)
-
-
-diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
---- pysaml2/src/saml2/pack.py 2015-12-11 07:31:39.000000000 -0600
-+++ pysaml2.new/src/saml2/pack.py 2017-01-10 20:35:35.382435020 -0600
-@@ -37,6 +37,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
- NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
- FORM_SPEC = """<form method="post" action="%s">
-@@ -235,7 +236,7 @@
- :param text: The SOAP object as XML
- :return: header parts and body as saml.samlbase instances
- """
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- assert envelope.tag == '{%s}Envelope' % NAMESPACE
-
- # print(len(envelope))
-diff -Naur pysaml2/src/saml2/soap.py pysaml2.new/src/saml2/soap.py
---- pysaml2/src/saml2/soap.py 2015-05-18 02:54:05.000000000 -0500
-+++ pysaml2.new/src/saml2/soap.py 2017-01-10 20:36:16.163808770 -0600
-@@ -19,6 +19,7 @@
- except ImportError:
- #noinspection PyUnresolvedReferences
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
-
- logger = logging.getLogger(__name__)
-@@ -133,7 +134,7 @@
- :param expected_tags: What the tag of the SAML thingy is expected to be.
- :return: SAML thingy as a string
- """
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
-
- # Make sure it's a SOAP message
- assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE
-@@ -183,7 +184,7 @@
- :return: The body and headers as class instances
- """
- try:
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- except Exception as exc:
- raise XmlParseError("%s" % exc)
-
-@@ -209,7 +210,7 @@
- :return: dictionary with two keys "body"/"header"
- """
- try:
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- except Exception as exc:
- raise XmlParseError("%s" % exc)
-
-diff -Naur pysaml2/tests/test_03_saml2.py pysaml2.new/tests/test_03_saml2.py
---- pysaml2/tests/test_03_saml2.py 2015-06-06 02:15:20.000000000 -0500
-+++ pysaml2.new/tests/test_03_saml2.py 2017-01-10 20:38:32.541728380 -0600
-@@ -17,6 +17,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+from defusedxml.common import EntitiesForbidden
-
- ITEMS = {
- NameID: ["""<?xml version="1.0" encoding="utf-8"?>
-@@ -27,7 +28,7 @@
- </NameID>
- """, """<?xml version="1.0" encoding="utf-8"?>
- <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
-- SPNameQualifier="https://foo.example.com/sp"
-+ SPNameQualifier="https://foo.example.com/sp"
- Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c</NameID>
- """, """<?xml version="1.0" encoding="utf-8"?>
- <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
-@@ -47,9 +48,9 @@
- SubjectConfirmationData:
- """<?xml version="1.0" encoding="utf-8"?>
- <SubjectConfirmationData xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
--InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
--NotOnOrAfter="2010-02-18T13:52:13.959Z"
--NotBefore="2010-01-16T12:00:00Z"
-+InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
-+NotOnOrAfter="2010-02-18T13:52:13.959Z"
-+NotBefore="2010-01-16T12:00:00Z"
- Recipient="http://192.168.0.10/saml/sp" />""",
- SubjectConfirmation:
- """<?xml version="1.0" encoding="utf-8"?>
-@@ -166,6 +167,19 @@
- assert kl == None
-
-
-+def test_create_class_from_xml_string_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden) as err:
-+ create_class_from_xml_string(NameID, xml)
-+
-+
- def test_ee_1():
- ee = saml2.extension_element_from_string(
- """<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""")
-@@ -193,7 +207,7 @@
- def test_ee_3():
- ee = saml2.extension_element_from_string(
- """<?xml version='1.0' encoding='UTF-8'?>
-- <foo xmlns="urn:mace:example.com:saml:ns"
-+ <foo xmlns="urn:mace:example.com:saml:ns"
- id="xyz">bar</foo>""")
- assert ee != None
- print(ee.__dict__)
-@@ -454,6 +468,19 @@
- assert nid.text.strip() == "http://federationX.org"
-
-
-+def test_ee_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ saml2.extension_element_from_string(xml)
-+
-+
- def test_extension_element_loadd():
- ava = {'attributes': {},
- 'tag': 'ExternalEntityAttributeAuthority',
-diff -Naur pysaml2/tests/test_43_soap.py pysaml2.new/tests/test_43_soap.py
---- pysaml2/tests/test_43_soap.py 2013-04-28 09:38:07.000000000 -0500
-+++ pysaml2.new/tests/test_43_soap.py 2017-01-10 20:39:53.730364008 -0600
-@@ -12,16 +12,20 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+from defusedxml.common import EntitiesForbidden
-+
-+from pytest import raises
-
- import saml2.samlp as samlp
- from saml2.samlp import NAMESPACE as SAMLP_NAMESPACE
-+from saml2 import soap
-
- NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
-
- example = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
- <Body>
-- <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- ID="_6c3a4f8b9c2d" Version="2.0" IssueInstant="2004-03-27T08:42:00Z">
- <saml:Issuer>https://www.example.com/SAML</saml:Issuer>
- <Status>
-@@ -55,7 +59,7 @@
- envelope.tag = '{%s}Envelope' % NAMESPACE
- body = ElementTree.Element('')
- body.tag = '{%s}Body' % NAMESPACE
-- envelope.append(body)
-+ envelope.append(body)
- request = samlp.AuthnRequest()
- request.become_child_element_of(body)
-
-@@ -66,3 +70,42 @@
- assert len(body) == 1
- saml_part = body[0]
- assert saml_part.tag == '{%s}AuthnRequest' % SAMLP_NAMESPACE
-+
-+
-+def test_parse_soap_enveloped_saml_thingy_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ soap.parse_soap_enveloped_saml_thingy(xml, None)
-+
-+
-+def test_class_instances_from_soap_enveloped_saml_thingies_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(soap.XmlParseError):
-+ soap.class_instances_from_soap_enveloped_saml_thingies(xml, None)
-+
-+
-+def test_open_soap_envelope_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(soap.XmlParseError):
-+ soap.open_soap_envelope(xml)
-diff -Naur pysaml2/tests/test_51_client.py pysaml2.new/tests/test_51_client.py
---- pysaml2/tests/test_51_client.py 2015-12-11 05:10:01.000000000 -0600
-+++ pysaml2.new/tests/test_51_client.py 2017-01-10 20:42:12.819280442 -0600
-@@ -5,6 +5,7 @@
- import uuid
- import six
- from six.moves.urllib.parse import parse_qs, urlencode, urlparse
-+from pytest import raises
- from saml2.cert import OpenSSLWrapper
- from saml2.xmldsig import SIG_RSA_SHA256
- from saml2 import BINDING_HTTP_POST
-@@ -21,6 +22,7 @@
- from saml2.authn_context import INTERNETPROTOCOLPASSWORD
- from saml2.client import Saml2Client
- from saml2.config import SPConfig
-+from saml2.pack import parse_soap_enveloped_saml
- from saml2.response import LogoutResponse
- from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice
- from saml2.saml import NAMEID_FORMAT_TRANSIENT
-@@ -34,6 +36,8 @@
- from saml2.s_utils import factory
- from saml2.time_util import in_a_while, a_while_ago
-
-+from defusedxml.common import EntitiesForbidden
-+
- from fakeIDP import FakeIDP
- from fakeIDP import unpack_form
- from pathutils import full_path
-@@ -1445,6 +1449,18 @@
- 'http://www.example.com/login'
- assert ac.authn_context_class_ref.text == INTERNETPROTOCOLPASSWORD
-
-+def test_parse_soap_enveloped_saml_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ parse_soap_enveloped_saml(xml, None)
-+
-
- # if __name__ == "__main__":
- # tc = TestClient()
* [gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/files/
commit: 7ef77620eb59ce6c47f264c0ae9c93994396b7fe
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sat Dec 19 17:35:23 2020 +0000
Commit: Bernard Cafarelli <voyageur <AT> gentoo <DOT> org>
CommitDate: Sun Dec 20 18:25:51 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ef77620
dev-python/pysaml2: remove unused patch(es)
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Signed-off-by: Bernard Cafarelli <voyageur <AT> gentoo.org>
dev-python/pysaml2/files/cve-2020-5390.patch | 189 ---------------------------
1 file changed, 189 deletions(-)
diff --git a/dev-python/pysaml2/files/cve-2020-5390.patch b/dev-python/pysaml2/files/cve-2020-5390.patch
deleted file mode 100644
index bef46808d92..00000000000
--- a/dev-python/pysaml2/files/cve-2020-5390.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From 5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25 Mon Sep 17 00:00:00 2001
-From: Ivan Kanakarakis <ivan.kanak@gmail.com>
-Date: Sat, 4 Jan 2020 00:39:47 +0200
-Subject: [PATCH] Fix XML Signature Wrapping (XSW) vulnerabilities
-
-PySAML2 did not check that the signature in a SAML document is enveloped and thus
-XML signature wrapping (XSW) was effective.
-
-The signature information and the node/object that is signed can be in different places
-and thus the signature verification will succeed, but the wrong data will be used. This
-specifically affects the verification of assertions that have been signed.
-
-This was assigned CVE-2020-5390
-
-Thanks to Alexey Sintsov and Yuri Goltsev from HERE Technologies to report this.
-
-+ + + + + + + +
-
-In more detail:
-
-libxml2 follows the xmldsig-core specification. The xmldsig specification is way too
-general. saml-core reuses the xmldsig specification, but constrains it to use of
-specific facilities. The implementation of the SAML specification is responsible to
-enforce those constraints. libxml2/xmlsec1 are not aware of those constraints and thus
-process the document based on the full/general xmldsig rules.
-
-What is happening is the following:
-
-- xmldsig-core allows the signature-information and the data that was signed to be in
- different places. This works by setting the URI attribute of the Reference element.
- The URI attribute contains an optional identifier of the object being signed. (see
- "4.4.3 The Reference Element" -- https://www.w3.org/TR/xmldsig-core1/#sec-Reference)
- This identifier is actually a pointer that can be defined in many different ways; from
- XPath expressions that need to be executed(!), to a full URL that should be fetched(!)
- in order to recalculate the signature.
-
-- saml-core section "5.4 XML Signature Profile" defines constrains on the xmldsig-core
- facilities. It explicitly dictates that enveloped signatures are the only signatures
- allowed. This mean that:
- * Assertion/RequestType/ResponseType elements must have an ID attribute
- * signatures must have a single Reference element
- * the Reference element must have a URI attribute
- * the URI attribute contains an anchor
- * the anchor points to the enclosing element's ID attribute
-
-xmlsec1 does the right thing - it follows the reference URI pointer and validates the
-assertion. But, the pointer points to an assertion in another part of the document; not
-the assertion in which the signature is embedded/enveloped. SAML processing thinks that
-the signature is fine (that's what xmlsec1 said), and gets the assertion data from the
-assertion that contains the signature - but that assertion was never validated. The
-issue is that pysaml2 does not enforce the constrains on the signature validation
-facilities of xmldsig-core, that the saml-core spec defines.
-
-The solution is simple; all we need is to make sure that assertions with signatures (1)
-contain one reference element that (2) has a URI attribute (3) that is an anchor that
-(4) points to the assertion in which the signature is embedded. If those conditions are
-met then we're good, otherwise we should fail the verification.
-
-Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
----
- src/saml2/sigver.py | 49 ++++++++++++++++++++++++++++++++++++
- tests/saml2_response_xsw.xml | 6 +++++
- tests/test_xsw.py | 44 ++++++++++++++++++++++++++++++++
- 3 files changed, 99 insertions(+)
- create mode 100644 tests/saml2_response_xsw.xml
- create mode 100644 tests/test_xsw.py
-
-diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
-index cbeca41f..c3d298a9 100644
---- a/src/saml2/sigver.py
-+++ b/src/saml2/sigver.py
-@@ -1476,6 +1476,55 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME, origdoc=None,
- if not certs:
- raise MissingKey(_issuer)
-
-+ # saml-core section "5.4 XML Signature Profile" defines constrains on the
-+ # xmldsig-core facilities. It explicitly dictates that enveloped signatures
-+ # are the only signatures allowed. This mean that:
-+ # * Assertion/RequestType/ResponseType elements must have an ID attribute
-+ # * signatures must have a single Reference element
-+ # * the Reference element must have a URI attribute
-+ # * the URI attribute contains an anchor
-+ # * the anchor points to the enclosing element's ID attribute
-+ references = item.signature.signed_info.reference
-+ signatures_must_have_a_single_reference_element = len(references) == 1
-+ the_Reference_element_must_have_a_URI_attribute = (
-+ signatures_must_have_a_single_reference_element
-+ and hasattr(references[0], "uri")
-+ )
-+ the_URI_attribute_contains_an_anchor = (
-+ the_Reference_element_must_have_a_URI_attribute
-+ and references[0].uri.startswith("#")
-+ and len(references[0].uri) > 1
-+ )
-+ the_anchor_points_to_the_enclosing_element_ID_attribute = (
-+ the_URI_attribute_contains_an_anchor
-+ and references[0].uri == "#{id}".format(id=item.id)
-+ )
-+ validators = {
-+ "signatures must have a single reference element": (
-+ signatures_must_have_a_single_reference_element
-+ ),
-+ "the Reference element must have a URI attribute": (
-+ the_Reference_element_must_have_a_URI_attribute
-+ ),
-+ "the URI attribute contains an anchor": (
-+ the_URI_attribute_contains_an_anchor
-+ ),
-+ "the anchor points to the enclosing element ID attribute": (
-+ the_anchor_points_to_the_enclosing_element_ID_attribute
-+ ),
-+ }
-+ if not all(validators.values()):
-+ error_context = {
-+ "message": "Signature failed to meet constraints on xmldsig",
-+ "validators": validators,
-+ "item ID": item.id,
-+ "reference URI": item.signature.signed_info.reference[0].uri,
-+ "issuer": _issuer,
-+ "node name": node_name,
-+ "xml document": decoded_xml,
-+ }
-+ raise SignatureError(error_context)
-+
- verified = False
- last_pem_file = None
-
-diff --git a/tests/saml2_response_xsw.xml b/tests/saml2_response_xsw.xml
-new file mode 100644
-index 00000000..3671eb48
---- /dev/null
-+++ b/tests/saml2_response_xsw.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Referen
ce URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMX
E9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuv
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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefor
e="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Na
me="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="ur
n:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
-+<XSW_ATTACK>
-+<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnCon
textClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:
oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:Att
ributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
-+</XSW_ATTACK>
-+</ns0:Response>
-diff --git a/tests/test_xsw.py b/tests/test_xsw.py
-new file mode 100644
-index 00000000..9978c4d3
---- /dev/null
-+++ b/tests/test_xsw.py
-@@ -0,0 +1,44 @@
-+from datetime import datetime
-+from unittest.mock import Mock
-+from unittest.mock import patch
-+
-+from saml2.config import config_factory
-+from saml2.response import authn_response
-+from saml2.sigver import SignatureError
-+
-+from dateutil import parser
-+
-+from pytest import raises
-+
-+from pathutils import dotname
-+from pathutils import full_path
-+
-+
-+XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
-+
-+
-+class TestAuthnResponse:
-+ def setup_class(self):
-+ self.conf = config_factory("sp", dotname("server_conf"))
-+ self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
-+
-+ @patch('saml2.response.validate_on_or_after', return_value=True)
-+ def test_verify_signed_xsw(self, mock_validate_on_or_after):
-+ self.ar.issue_instant_ok = Mock(return_value=True)
-+
-+ with open(XML_RESPONSE_XSW) as fp:
-+ xml_response = fp.read()
-+
-+ self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
-+ self.ar.timeslack = 10000
-+ self.ar.loads(xml_response, decode=False)
-+
-+ assert self.ar.came_from == 'http://localhost:8088/sso'
-+ assert self.ar.session_id() == "id12"
-+ assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
-+
-+ with raises(SignatureError):
-+ self.ar.verify()
-+
-+ assert self.ar.ava is None
-+ assert self.ar.name_id is None