From dd3f479988b51ea0b8f74e68ead9aadc694a9f70 Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 14:41:08 +0100
Subject: [PATCH] fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted (#128)

* fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted
* feat: SPIDA validator cie_mode
* fix: SPIDA validator cie_mode - test 72
---
 example/backends/ciesaml2.py | 2 +-
 example/backends/spidsaml2_validator.py | 32 ++++++++++++++-----------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/example/backends/ciesaml2.py b/example/backends/ciesaml2.py
index f3558d16..92167fb0 100644
--- a/example/backends/ciesaml2.py
+++ b/example/backends/ciesaml2.py
@@ -472,7 +472,6 @@ def authn_response(self, context, binding):
 **{"message": _msg, "troubleshoot": _TROUBLESHOOT_MSG}
 )
- list(context.state.keys())[1]
 # deprecated
 # if not context.state.get('Saml2IDP'):
 # _msg = "context.state['Saml2IDP'] KeyError"
@@ -496,6 +495,7 @@ def authn_response(self, context, binding):
 authn_context_class_ref=authn_context_classref,
 return_addrs=authn_response.return_addrs,
 allowed_acrs=self.config["spid_allowed_acrs"],
+ cie_mode = True
 )
 try:
 validator.run()
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index e740f209..a99027f5 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -34,6 +34,7 @@ def __init__(
 authn_context_class_ref="https://www.spid.gov.it/SpidL2",
 return_addrs=[],
 allowed_acrs=[],
+ cie_mode = False
 ):
 self.response = samlp.response_from_string(authn_response)
@@ -45,6 +46,7 @@ def __init__(
 self.return_addrs = return_addrs
 self.issuer = issuer
 self.allowed_acrs = allowed_acrs
+ self.cie_mode = cie_mode
 # handled adding authn req arguments in the session state (cookie)
 def validate_in_response_to(self):
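Review bot: The new keyword argument `cie_mode = True` in the second ciesaml2.py hunk, and the parameter `cie_mode = False` in the first spidsaml2_validator.py hunk, put spaces around `=`, which the neighbouring `name=value` lines in both hunks do not; PEP 8 reserves that spacing for assignments, so these should read `cie_mode=True,` and `cie_mode=False,` (with the trailing comma the surrounding lines carry). The flag also arrives undocumented although it relaxes validation: a comment beside `self.cie_mode = cie_mode` in the second spidsaml2_validator.py hunk, such as `# when True, validate_issuer skips the assertion Issuer Format checks (70-72)`, tells a reader what a caller passing True is opting out of. Both authn_response and __init__ start and end outside these hunks.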
@@ -77,7 +79,8 @@ def validate_issuer(self):
 # 30
 # check that this issuer is in the metadata...
- if self.response.issuer.format:
+ # L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore รจ diverso. Risultato atteso: KO
+ if hasattr(self.response.issuer, "format") and self.response.issuer.format:
 if (
 self.response.issuer.format
 != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
@@ -87,22 +90,23 @@ def validate_issuer(self):
 '!= "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
 )
- msg = "Issuer format is not valid: {}. {}"
- # 70, 71
- assiss = self.response.assertion[0].issuer
- if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
- raise SPIDValidatorException(
- msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
- )
-
- # 72
- for i in self.response.assertion:
- if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+ if not self.cie_mode:
+ msg = "Issuer format is not valid: {}. {}"
+ # 70, 71
+ assiss = self.response.assertion[0].issuer
+ if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
 raise SPIDValidatorException(
- msg.format(self.response.issuer.format,
- _ERROR_TROUBLESHOOT)
+ msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
 )
+ # 72
+ for i in self.response.assertion:
+ if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+ raise SPIDValidatorException(
+ msg.format(self.response.issuer.format,
+ _ERROR_TROUBLESHOOT)
+ )
+
 def validate_assertion_version(self):
 """spid saml check 35"""
 for i in self.response.assertion:
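Review bot: The comment added above the `hasattr(...)` check is in Italian and carries a mis-encoded character (`รจ` where `è` was meant), while the file's other comments are in English; the mojibake suggests the file was saved with a different encoding, which is worth correcting before it spreads. An English replacement that keeps the test number would be `# 30: the Response Issuer Format MAY be omitted; when present it must be the entity format`. The condition itself is equivalent to `if getattr(self.response.issuer, "format", None):`. Note that the guard is also satisfied vacuously when `self.response.issuer` is None (hasattr on None is False), so this hunk cannot be relied on to reject a missing Issuer element if that is not checked elsewhere. validate_issuer continues past the end of the hunk.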
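Review bot: Both `raise SPIDValidatorException(...)` paths re-added under `if not self.cie_mode:` still interpolate `self.response.issuer.format`, although the value that failed the check is the assertion issuer's format (`assiss` for 70/71, `i.issuer` for 72); now that the previous hunk treats the Response Issuer Format as optional, the message will read `Issuer format is not valid: None` whenever that format is omitted, and if the object can lack the attribute entirely (as that hunk's hasattr guard assumes) the error path raises AttributeError instead of SPIDValidatorException. Use the checked value: `msg.format(getattr(assiss, "format", None), _ERROR_TROUBLESHOOT)` and `msg.format(i.issuer.format, _ERROR_TROUBLESHOOT)`. The guard also turns off all three checks in cie_mode, including the equality check on a format that is present; if the CIE profile only relaxes the presence requirement, check 72 could stay outside the guard, which is worth confirming against the CIE test suite. `self.response.assertion[0]` still raises IndexError on a response with no assertions, a pre-existing gap that is now on the new side. validate_issuer starts outside this hunk.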