Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted #128

Merged
merged 5 commits into from
Feb 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion example/backends/ciesaml2.py
Original file line number Diff line number Diff line change
Expand Up @@ -472,7 +472,6 @@ def authn_response(self, context, binding):
**{"message": _msg, "troubleshoot": _TROUBLESHOOT_MSG}
)

list(context.state.keys())[1]
# deprecated
# if not context.state.get('Saml2IDP'):
# _msg = "context.state['Saml2IDP'] KeyError"
Expand All @@ -496,6 +495,7 @@ def authn_response(self, context, binding):
authn_context_class_ref=authn_context_classref,
return_addrs=authn_response.return_addrs,
allowed_acrs=self.config["spid_allowed_acrs"],
cie_mode = True
)
try:
validator.run()
Expand Down
32 changes: 18 additions & 14 deletions example/backends/spidsaml2_validator.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ def __init__(
authn_context_class_ref="https://www.spid.gov.it/SpidL2",
return_addrs=[],
allowed_acrs=[],
cie_mode = False
):

self.response = samlp.response_from_string(authn_response)
Expand All @@ -45,6 +46,7 @@ def __init__(
self.return_addrs = return_addrs
self.issuer = issuer
self.allowed_acrs = allowed_acrs
self.cie_mode = cie_mode

# handled adding authn req arguments in the session state (cookie)
def validate_in_response_to(self):
Expand Down Expand Up @@ -77,7 +79,8 @@ def validate_issuer(self):

# 30
# check that this issuer is in the metadata...
if self.response.issuer.format:
# L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore è diverso. Risultato atteso: KO
if hasattr(self.response.issuer, "format") and self.response.issuer.format:
if (
self.response.issuer.format
!= "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
Expand All @@ -87,22 +90,23 @@ def validate_issuer(self):
'!= "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
)

msg = "Issuer format is not valid: {}. {}"
# 70, 71
assiss = self.response.assertion[0].issuer
if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
raise SPIDValidatorException(
msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
)

# 72
for i in self.response.assertion:
if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
if not self.cie_mode:
msg = "Issuer format is not valid: {}. {}"
# 70, 71
assiss = self.response.assertion[0].issuer
if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
raise SPIDValidatorException(
msg.format(self.response.issuer.format,
_ERROR_TROUBLESHOOT)
msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
)

# 72
for i in self.response.assertion:
if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
raise SPIDValidatorException(
msg.format(self.response.issuer.format,
_ERROR_TROUBLESHOOT)
)

def validate_assertion_version(self):
"""spid saml check 35"""
for i in self.response.assertion:
Expand Down
Loading