Hello community,

here is the log from the commit of package python-pysaml2 for openSUSE:Factory 
checked in at 2020-07-15 15:05:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pysaml2 (Old)
 and      /work/SRC/openSUSE:Factory/.python-pysaml2.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-pysaml2"

Wed Jul 15 15:05:22 2020 rev:18 rq:820840 version:6.1.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pysaml2/python-pysaml2.changes    
2020-07-14 07:58:46.297689005 +0200
+++ /work/SRC/openSUSE:Factory/.python-pysaml2.new.3060/python-pysaml2.changes  
2020-07-15 15:06:06.631473845 +0200
@@ -1,0 +2,14 @@
+Sat Jul 11 18:07:25 UTC 2020 - Michael Ströder <[email protected]>
+
+- update to 6.1.0:
+  * Fix signed logout requests flag
+  * Differentiate between metadata NameIDFormat and AuthnRequest NameIDPolicy 
Format
+    - Users using `name_id_format` to set the `<NameIDPolicy Format="...">` 
attribute now
+      need to use the new configuration option `name_id_policy_format`.
+  * Fix documentation formatting
+  * Fix generation of signed metadata
+  * Add attribute mappings used by SwedenConnect (DIGG, INERA and PKIX 
specifications)
+  * Update SWAMID entity category
+  * Document the `additional_cert_files` configuration option
+
+-------------------------------------------------------------------

Old:
----
  v5.3.0.tar.gz

New:
----
  v6.1.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pysaml2.spec ++++++
--- /var/tmp/diff_new_pack.wV6sl3/_old  2020-07-15 15:06:12.447479516 +0200
+++ /var/tmp/diff_new_pack.wV6sl3/_new  2020-07-15 15:06:12.451479521 +0200
@@ -20,7 +20,7 @@
 %global modname pysaml2
 %global skip_python2 1
 Name:           python-pysaml2
-Version:        5.3.0
+Version:        6.1.0
 Release:        0
 Summary:        Python implementation of SAML Version 2 to be used in a WSGI 
environment
 License:        Apache-2.0

++++++ v5.3.0.tar.gz -> v6.1.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/CHANGELOG.md 
new/pysaml2-6.1.0/CHANGELOG.md
--- old/pysaml2-5.3.0/CHANGELOG.md      2020-06-25 19:31:48.000000000 +0200
+++ new/pysaml2-6.1.0/CHANGELOG.md      2020-07-10 21:01:20.000000000 +0200
@@ -1,5 +1,25 @@
 # Changelog
 
+## 6.1.0 (2020-07-10)
+
+- Fix signed logout requests flag
+
+
+## 6.0.0 (2020-07-10)
+
+- Differentiate between metadata NameIDFormat and AuthnRequest NameIDPolicy 
Format
+  - Users using `name_id_format` to set the `<NameIDPolicy Format="...">` 
attribute now
+    need to use the new configuration option `name_id_policy_format`.
+- Fix documentation formatting
+
+## 5.4.0 (2020-07-10)
+
+- Fix generation of signed metadata
+- Add attribute mappings used by SwedenConnect (DIGG, INERA and PKIX 
specifications)
+- Update SWAMID entity category
+- Document the `additional_cert_files` configuration option
+
+
 ## 5.3.0 (2020-06-25)
 
 - Fix check for nameid_format set to the string "None" in the configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/VERSION new/pysaml2-6.1.0/VERSION
--- old/pysaml2-5.3.0/VERSION   2020-06-25 19:31:48.000000000 +0200
+++ new/pysaml2-6.1.0/VERSION   2020-07-10 21:01:20.000000000 +0200
@@ -1 +1 @@
-5.3.0
+6.1.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/docs/howto/config.rst 
new/pysaml2-6.1.0/docs/howto/config.rst
--- old/pysaml2-5.3.0/docs/howto/config.rst     2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/docs/howto/config.rst     2020-07-10 21:01:20.000000000 
+0200
@@ -64,32 +64,45 @@
 General directives
 ------------------
 
+additional_cert_files
+^^^^^^^^^^^^^^^^^^^^^
+
+Example::
+
+    additional_cert_files: ["other-cert.pem", "another-cert.pem"]
+
+Additional public certs that will be listed.  Useful during cert/key rotation 
or
+if you need to include a certificate chain.
+
+Each entry in *additional_cert_files* must be a PEM formatted file with a 
single certificate.
+
 assurance_certification
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-Format::
+Example::
 
     "assurance_specification": [
         "https://refeds.org/sirtfi";,
     ]
 
-Generates an `Attribute` element with name-format
-`urn:oasis:names:tc:SAML:2.0:attrname-format:uri` and name
-`urn:oasis:names:tc:SAML:attribute:assurance-certification` that contains
-`AttributeValue` elements with the given values from the list.
-The element is added under the generated metadata `EntityDescriptor` as an
-`Extension` element under the `EntityAttributes` element.
+Generates an ``Attribute`` element with name-format
+``urn:oasis:names:tc:SAML:2.0:attrname-format:uri`` and name
+``urn:oasis:names:tc:SAML:attribute:assurance-certification`` that contains
+``AttributeValue`` elements with the given values from the list.
+The element is added under the generated metadata ``EntityDescriptor`` as an
+``Extension`` element under the ``EntityAttributes`` element.
 
 Read more about `representing assurance information at the specification 
<https://wiki.oasis-open.org/security/SAML2IDAssuranceProfile>`_.
 
 attribute_map_dir
 ^^^^^^^^^^^^^^^^^
 
-Format::
+Points to a directory which has the attribute maps in Python modules.
+
+Example::
 
     "attribute_map_dir": "attribute-maps"
 
-Points to a directory which has the attribute maps in Python modules.
 A typical map file will look like this::
 
     MAP = {
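Review bot: The example under the `assurance_certification` heading still uses the key `"assurance_specification"`, which does not match the section name; since this hunk already edits that section (`Format::` to `Example::`), correct whichever spelling is wrong in the same change. The new `additional_cert_files` text says the certificates "will be listed" without saying where (metadata, signatures, both), which is the detail an operator needs during key rotation.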
@@ -126,12 +139,12 @@
 cert_file
 ^^^^^^^^^
 
-Format::
+Example::
 
     cert_file: "cert.pem"
 
 This is the public part of the service private/public key pair.
-*cert_file* must be a PEM formatted certificate chain file.
+*cert_file* must be a PEM formatted file with a single certificate.
 
 contact_person
 ^^^^^^^^^^^^^^
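Review bot: The `cert_file` description changes from "certificate chain file" to "a single certificate" without telling deployments that currently ship a chain what to do instead. Add a pointer to `additional_cert_files` in this paragraph and state how a file containing more than one certificate is handled.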
@@ -163,7 +176,7 @@
 debug
 ^^^^^
 
-Format::
+Example::
 
     debug: 1
 
@@ -172,7 +185,7 @@
 entityid
 ^^^^^^^^
 
-Format::
+Example::
 
     entityid: "http://saml.example.com/sp";
 
@@ -184,7 +197,7 @@
 key_file
 ^^^^^^^^
 
-Format::
+Example::
 
     key_file: "key.pem"
 
@@ -524,10 +537,26 @@
     }
 
 
+name_id_policy_format
+"""""""""""""""""""""
+
+A string value that will be used to set the ``Format`` attribute of the
+``<NameIDPolicy>`` element of an ``<AuthnRequest>``.
+
+Example::
+
+    "service": {
+        "sp": {
+            "name_id_policy_format": 
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+        }
+    }
+
+
 name_id_format_allow_create
 """""""""""""""""""""""""""
 
-Enable AllowCreate in NameIDPolicy.
+A boolean value (``True`` or ``False``) that will be used to set the 
``AllowCreate``
+attribute of the ``<NameIDPolicy>`` element of an ``<AuthnRequest>``.
 
 Example::
 
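Review bot: The new `name_id_policy_format` section does not say what happens when the option is unset, nor that the `nameid_format` argument of `create_authn_request` takes precedence over it. Both follow from the client_base.py change in this patch and should be stated here, together with a migration sentence for SPs that used `name_id_format` for this purpose.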
@@ -537,6 +566,24 @@
         }
     }
 
+
+name_id_format
+""""""""""""""
+
+A list of string values that will be used to set the ``<NameIDFormat>`` 
element of the
+metadata of an entity.
+
+Example::
+
+    "service": {
+        "idp": {
+            "name_id_format": [
+                "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+                "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+            ]
+        }
+    }
+
 
 allow_unsolicited
 """""""""""""""""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/attributemaps/saml_uri.py 
new/pysaml2-6.1.0/src/saml2/attributemaps/saml_uri.py
--- old/pysaml2-5.3.0/src/saml2/attributemaps/saml_uri.py       2020-06-25 
19:31:48.000000000 +0200
+++ new/pysaml2-6.1.0/src/saml2/attributemaps/saml_uri.py       2020-07-10 
21:01:20.000000000 +0200
@@ -32,9 +32,36 @@
 # 
https://github.com/Umbrella-Commiters/UmbrellaIdP3/blob/master/schema/99-user.ldif
 UMBRELLA_EAAUser_ID = 'urn:oid:1.3.6.1.4.1.42750.1.1.'
 
+# PKIX specification (SMI Security for PKIX Personal Data Attributes)
+# https://tools.ietf.org/html/rfc7299
+PKIX_OID = 'urn:oid:1.3.6.1.5.5.7.9.'
+
+# INERA specification
+# Closet public spec source I could find, sadly in swedish
+# 
https://www.sambi.se/wordpress/wp-content/uploads/2017/06/Sambi_Attributspecifikation_1.1.pdf
+INERA_OID = 'urn:oid:1.2.752.29.4.'
+
+# DIGG specification
+# 
https://docs.swedenconnect.se/technical-framework/latest/ELN-0604_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
+DIGG_OID = 'urn:oid:1.2.752.201.3.'
+
 MAP = {
     'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
     'fro': {
+        DIGG_OID + '1': 'orgAffiliation',
+        DIGG_OID + '2': 'transactionIdentifier',
+        DIGG_OID + '3': 'authContextParams',
+        DIGG_OID + '4': 'prid',
+        DIGG_OID + '5': 'pridPersistence',
+        DIGG_OID + '6': 'personalIdentityNumberBinding',
+        DIGG_OID + '7': 'eidasPersonIdentifier',
+        DIGG_OID + '8': 'birthName',
+        DIGG_OID + '9': 'eidasNaturalPersonAddress',
+        DIGG_OID + '10': 'userCertificate',
+        DIGG_OID + '11': 'userSignature',
+        DIGG_OID + '12': 'sad',
+        DIGG_OID + '13': 'authServerSignature',
+        DIGG_OID + '14': 'signMessageDigest',
         EIDAS_LEGALPERSON+'LegalPersonIdentifier': 'LegalPersonIdentifier',
         EIDAS_LEGALPERSON+'LegalPersonAddress': 'LegalAddress',
         EIDAS_LEGALPERSON+'LegalName': 'LegalName',
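Review bot: The INERA comment in the added constants has a typo ("Closet" should be "Closest"), and the new `fro` entries are written `DIGG_OID + '1'` while the surrounding entries use `EIDAS_LEGALPERSON+'...'` without spaces. Pick one spacing style for the file so later diffs of this map stay readable.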
@@ -71,6 +98,8 @@
         EDUPERSON_OID+'12': 'eduPersonPrincipalNamePrior',
         EDUPERSON_OID+'13': 'eduPersonUniqueId',
         EDUPERSON_OID+'16': 'eduPersonOrcid',
+        INERA_OID + '1': 'employeeHsaId',
+        INERA_OID + '13': 'personalIdentityNumber',
         LDAPGVAT_OID+'1': 'PVP-GID',
         LDAPGVAT_OID+'149': 'PVP-BPK',
         LDAPGVAT_OID+'153': 'PVP-OU-OKZ',
@@ -118,6 +147,11 @@
         OPENOSI_OID+'109': 'osiOtherHomePhone',
         OPENOSI_OID+'120': 'osiWorkURL',
         PKCS_9+'1': 'email',
+        PKIX_OID + '1': 'dateOfBirth',
+        PKIX_OID + '2': 'placeOfBirth',
+        PKIX_OID + '3': 'gender',
+        PKIX_OID + '4': 'countryOfCitizenship',
+        PKIX_OID + '5': 'countryOfResidence',
         SAML_SUBJECT_ID+'subject-id': 'subject-id',
         SAML_SUBJECT_ID+'pairwise-id': 'pairwise-id',
         SCHAC+'1': 'schacMotherTongue',
@@ -237,7 +271,10 @@
         'CurrentAddress': EIDAS_NATURALPERSON+'CurrentAddress',
         'Gender': EIDAS_NATURALPERSON+'Gender',
         'associatedDomain': UCL_DIR_PILOT+'37',
+        'authContextParams': DIGG_OID+'3',
         'authorityRevocationList': X500ATTR_OID+'38',
+        'authServerSignature': DIGG_OID+'13',
+        'birthName': DIGG_OID+'8',
         'businessCategory': X500ATTR_OID+'15',
         'c': X500ATTR_OID+'6',
         'cACertificate': X500ATTR_OID+'37',
@@ -245,7 +282,10 @@
         'certificateRevocationList': X500ATTR_OID+'39',
         'cn': X500ATTR_OID+'3',
         'co': UCL_DIR_PILOT+'43',
+        'countryOfCitizenship': PKIX_OID+'4',
+        'countryOfResidence': PKIX_OID+'5',
         'crossCertificatePair': X500ATTR_OID+'40',
+        'dateOfBirth': PKIX_OID+'1',
         'dc': UCL_DIR_PILOT+'25',
         'deltaRevocationList': X500ATTR_OID+'53',
         'departmentNumber': NETSCAPE_LDAP+'2',
@@ -271,12 +311,16 @@
         'eduPersonAssurance': EDUPERSON_OID+'11',
         'eduPersonUniqueId': EDUPERSON_OID+'13',
         'eduPersonOrcid': EDUPERSON_OID+'16',
+        'eidasNaturalPersonAddress': DIGG_OID+'9',
+        'eidasPersonIdentifier': DIGG_OID+'7',
         'email': PKCS_9+'1',
+        'employeeHsaId': INERA_OID+'1',
         'employeeNumber': NETSCAPE_LDAP+'3',
         'employeeType': NETSCAPE_LDAP+'4',
         'enhancedSearchGuide': X500ATTR_OID+'47',
         'facsimileTelephoneNumber': X500ATTR_OID+'23',
         'federationFeideSchemaVersion': NOREDUPERSON_OID+'9',
+        'gender': PKIX_OID+'3',
         'generationQualifier': X500ATTR_OID+'44',
         'givenName': X500ATTR_OID+'42',
         'houseIdentifier': X500ATTR_OID+'51',
@@ -309,15 +353,21 @@
         'osiOtherHomePhone': OPENOSI_OID+'109',
         'osiWorkURL': OPENOSI_OID+'120',
         'ou': X500ATTR_OID+'11',
+        'orgAffiliation': DIGG_OID+'1',
         'owner': X500ATTR_OID+'32',
         'pairwise-id': SAML_SUBJECT_ID+'pairwise-id',
+        'personalIdentityNumber': INERA_OID+'13',
+        'personalIdentityNumberBinding': DIGG_OID+'6',
         'physicalDeliveryOfficeName': X500ATTR_OID+'19',
+        'placeOfBirth': PKIX_OID+'2',
         'postOfficeBox': X500ATTR_OID+'18',
         'postalAddress': X500ATTR_OID+'16',
         'postalCode': X500ATTR_OID+'17',
         'preferredDeliveryMethod': X500ATTR_OID+'28',
         'preferredLanguage': NETSCAPE_LDAP+'39',
         'presentationAddress': X500ATTR_OID+'29',
+        'prid': DIGG_OID+'4',
+        'pridPersistence': DIGG_OID+'5',
         'protocolInformation': X500ATTR_OID+'48',
         'pseudonym': X500ATTR_OID+'65',
         'PVP-USERID': LDAPGVAT_UCL_DIR_PILOT+'1',
@@ -341,6 +391,7 @@
         'PVP-GIVENNAME': LDAPGVAT_X500ATTR_OID+'42',
         'registeredAddress': X500ATTR_OID+'26',
         'roleOccupant': X500ATTR_OID+'33',
+        'sad': DIGG_OID+'12',
         'schacCountryOfCitizenship': SCHAC+'5',
         'schacCountryOfResidence': SCHAC+'11',
         'schacDateOfBirth': SCHAC+'3',
@@ -363,6 +414,7 @@
         'schacUserStatus': SCHAC+'19',
         'searchGuide': X500ATTR_OID+'14',
         'serialNumber': X500ATTR_OID+'5',
+        'signMessageDigest': DIGG_OID+'14',
         'sisLegalGuardianFor': SIS+'1',
         'sisSchoolGrade': SIS+'2',
         'sn': X500ATTR_OID+'4',
@@ -375,11 +427,14 @@
         'teletexTerminalIdentifier': X500ATTR_OID+'22',
         'telexNumber': X500ATTR_OID+'21',
         'title': X500ATTR_OID+'12',
+        'transactionIdentifier': DIGG_OID+'2',
         'uid': UCL_DIR_PILOT+'1',
         'uniqueMember': X500ATTR_OID+'50',
         'userCertificate': X500ATTR_OID+'36',
+        #  'userCertificate': DIGG_OID+'10',
         'userPKCS12': NETSCAPE_LDAP+'216',
         'userSMIMECertificate': NETSCAPE_LDAP+'40',
+        'userSignature': DIGG_OID+'11',
         'x121Address': X500ATTR_OID+'24',
         'x500UniqueIdentifier': X500ATTR_OID+'45',
         'swissEduPersonUniqueID': SWISSEDUPERSON_OID+'1',
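Review bot: The commented-out line `#  'userCertificate': DIGG_OID+'10',` leaves the map asymmetric: the `fro` map added earlier in this file decodes `DIGG_OID + '10'` to `userCertificate`, but the `to` map can only encode that name as `X500ATTR_OID+'36'`. Replace the dead line with a comment explaining that the DIGG OID is deliberately not emitted because of the duplicate key, or give the DIGG attribute a distinct friendly name so it round-trips.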
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/client.py 
new/pysaml2-6.1.0/src/saml2/client.py
--- old/pysaml2-5.3.0/src/saml2/client.py       2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/src/saml2/client.py       2020-07-10 21:01:20.000000000 
+0200
@@ -222,7 +222,7 @@
                     sign = True
 
                 if sign is None:
-                    sign = self.config.logout_requests_signed
+                    sign = self.logout_requests_signed
 
                 sigalg = None
                 if sign:
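Review bot: `sign = self.logout_requests_signed` in the `if sign is None:` branch depends on an attribute that is set outside this diff, and no test in the patch covers it. Add a test that issues a logout request with `logout_requests_signed` configured and `sign` left as `None`, so a regression to the `self.config` lookup is caught.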
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/client_base.py 
new/pysaml2-6.1.0/src/saml2/client_base.py
--- old/pysaml2-5.3.0/src/saml2/client_base.py  2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/src/saml2/client_base.py  2020-07-10 21:01:20.000000000 
+0200
@@ -288,7 +288,7 @@
         :param vorg: The virtual organization the service belongs to.
         :param scoping: The scope of the request
         :param binding: The protocol to use for the Response !!
-        :param nameid_format: Format of the NameID
+        :param nameid_format: Format of the NameIDPolicy
         :param service_url_binding: Where the reply should be sent dependent
             on reply binding.
         :param message_id: The identifier for this request
@@ -351,29 +351,20 @@
                 raise ValueError("Wrong type for param 
{name}".format(name=param))
 
         # NameIDPolicy
-        nameid_format_config = self.config.getattr("name_id_format", "sp")
-        nameid_format_config = (
-            nameid_format_config[0]
-            if isinstance(nameid_format_config, list)
-            else nameid_format_config
-        )
-        nameid_format = (
+        nameid_policy_format_config = 
self.config.getattr("name_id_policy_format", "sp")
+        nameid_policy_format = (
             nameid_format
-            if nameid_format is not None
-            else NAMEID_FORMAT_TRANSIENT
-            if nameid_format_config is None
-            else None
-            if nameid_format_config == 'None'
-            else nameid_format_config
+            or nameid_policy_format_config
+            or None
         )
 
         allow_create_config = 
self.config.getattr("name_id_format_allow_create", "sp")
         allow_create = (
             None
             # SAML 2.0 errata says AllowCreate MUST NOT be used for transient 
ids
-            if nameid_format == NAMEID_FORMAT_TRANSIENT
+            if nameid_policy_format == NAMEID_FORMAT_TRANSIENT
             else allow_create
-            if allow_create is not None
+            if allow_create
             else str(bool(allow_create_config)).lower()
         )
 
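Review bot: The `# NameIDPolicy` block changes behaviour in ways the changelog entry does not mention. With `nameid_format or nameid_policy_format_config or None`, an SP that sets neither value no longer gets the previous `NAMEID_FORMAT_TRANSIENT` default, a caller can no longer pass `nameid_format=""` to suppress a configured format because the empty string falls through to the config value, and the removed `== 'None'` check means the string "None" in the configuration is now used as a format. Likewise `if allow_create` replaces `if allow_create is not None`, so an explicit `allow_create=False` is ignored in favour of `name_id_format_allow_create`. If these are intended, document them as breaking changes; otherwise keep the `is not None` comparisons.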
@@ -381,13 +372,15 @@
             kwargs.pop("name_id_policy", None)
             if "name_id_policy" in kwargs
             else None
-            if nameid_format == ""
-            else samlp.NameIDPolicy(allow_create=allow_create, 
format=nameid_format)
+            if not nameid_policy_format
+            else samlp.NameIDPolicy(
+                allow_create=allow_create, format=nameid_policy_format
+            )
         )
 
         if name_id_policy and vorg:
             name_id_policy.sp_name_qualifier = vorg
-            name_id_policy.format = nameid_format or NAMEID_FORMAT_PERSISTENT
+            name_id_policy.format = nameid_policy_format or 
NAMEID_FORMAT_PERSISTENT
 
         args["name_id_policy"] = name_id_policy
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/config.py 
new/pysaml2-6.1.0/src/saml2/config.py
--- old/pysaml2-5.3.0/src/saml2/config.py       2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/src/saml2/config.py       2020-07-10 21:01:20.000000000 
+0200
@@ -89,6 +89,7 @@
     "allow_unsolicited",
     "ecp",
     "name_id_format",
+    "name_id_policy_format",
     "name_id_format_allow_create",
     "logout_requests_signed",
     "requested_attribute_name_format",
@@ -209,6 +210,7 @@
         self.contact_person = None
         self.name_form = None
         self.name_id_format = None
+        self.name_id_policy_format = None
         self.name_id_format_allow_create = None
         self.virtual_organization = None
         self.only_use_keys_in_metadata = True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/entity_category/swamid.py 
new/pysaml2-6.1.0/src/saml2/entity_category/swamid.py
--- old/pysaml2-5.3.0/src/saml2/entity_category/swamid.py       2020-06-25 
19:31:48.000000000 +0200
+++ new/pysaml2-6.1.0/src/saml2/entity_category/swamid.py       2020-07-10 
21:01:20.000000000 +0200
@@ -1,35 +1,81 @@
 __author__ = 'rolandh'
 
-NAME = ["givenName", "displayName", "sn", "cn"]
-STATIC_ORG_INFO = ["c", "o", "co", "norEduOrgAcronym", "schacHomeOrganization",
-                   'schacHomeOrganizationType']
-OTHER = ["eduPersonPrincipalName", "eduPersonScopedAffiliation", "mail",
-         "eduPersonAssurance"]
-
-R_AND_S = ['eduPersonTargetedID',
-           'eduPersonPrincipalName',
-           'mail',
-           'displayName',
-           'givenName',
-           'sn',
-           'eduPersonScopedAffiliation'
-           ]
+NAME = [
+    'givenName',
+    'displayName',
+    'sn',
+    'cn',
+]
+
+STATIC_ORG_INFO = [
+    'c',
+    'o',
+    'co',
+    'norEduOrgAcronym',
+    'schacHomeOrganization',
+    'schacHomeOrganizationType',
+]
+
+OTHER = [
+    'eduPersonPrincipalName',
+    'eduPersonScopedAffiliation',
+    'mail',
+    'eduPersonAssurance'
+]
+
+R_AND_S = [
+    'eduPersonTargetedID',
+    'eduPersonPrincipalName',
+    'eduPersonUniqueID',
+    'mail',
+    'displayName',
+    'givenName',
+    'sn',
+    'eduPersonAssurance',
+    'eduPersonScopedAffiliation'
+]
+
+GEANT_COCO = [
+    'eduPersonTargetedID',
+    'eduPersonPrincipalName',
+    'eduPersonUniqueID',
+    'eduPersonOrcid',
+    'norEduPersonNIN',
+    'personalIdentityNumber',
+    'schacDateOfBirth',
+    'mail',
+    'displayName',
+    'cn',
+    'givenName',
+    'sn',
+    'eduPersonAssurance',
+    'eduPersonScopedAffiliation',
+    'eduPersonAffiliation',
+    'o',
+    'norEduOrgAcronym',
+    'c',
+    'co',
+    'schacHomeOrganization',
+    'schacHomeOrganizationType',
+]
 
 # These give you access to information
-RESEARCH_AND_EDUCATION = "http://www.swamid.se/category/research-and-education";
-SFS_1993_1153 = "http://www.swamid.se/category/sfs-1993-1153";
-RESEARCH_AND_SCHOLARSHIP = 
"http://refeds.org/category/research-and-scholarship";
+RESEARCH_AND_EDUCATION = 
'http://www.swamid.se/category/research-and-education'  # Deprecated from 
2021-03-31
+SFS_1993_1153 = 'http://www.swamid.se/category/sfs-1993-1153'                  
  # Deprecated from 2021-03-31
+RESEARCH_AND_SCHOLARSHIP = 
'http://refeds.org/category/research-and-scholarship'
+COCO = 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1'
 
 # presently these don't by themself
-EU = "http://www.swamid.se/category/eu-adequate-protection";
-NREN = "http://www.swamid.se/category/nren-service";
-HEI = "http://www.swamid.se/category/hei-service";
+EU = 'http://www.swamid.se/category/eu-adequate-protection'  # Deprecated from 
2021-03-31
+NREN = 'http://www.swamid.se/category/nren-service'          # Deprecated from 
2021-03-31
+HEI = 'http://www.swamid.se/category/hei-service'            # Deprecated from 
2021-03-31
 
 RELEASE = {
-    "": ["eduPersonTargetedID"],
-    SFS_1993_1153: ["norEduPersonNIN", "eduPersonAssurance"],
+    '': ['eduPersonTargetedID'],
+    SFS_1993_1153: ['norEduPersonNIN', 'eduPersonAssurance'],
     (RESEARCH_AND_EDUCATION, EU): NAME + STATIC_ORG_INFO + OTHER,
     (RESEARCH_AND_EDUCATION, NREN): NAME + STATIC_ORG_INFO + OTHER,
     (RESEARCH_AND_EDUCATION, HEI): NAME + STATIC_ORG_INFO + OTHER,
     RESEARCH_AND_SCHOLARSHIP: R_AND_S,
-}
\ No newline at end of file
+    COCO: GEANT_COCO,
+}
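Review bot: `R_AND_S` and `GEANT_COCO` list `'eduPersonUniqueID'`, while the attribute map in saml_uri.py in this same patch spells the name `'eduPersonUniqueId'`; unless release matching is case-insensitive, these entries will never match an attribute. Separately, `GEANT_COCO` adds `norEduPersonNIN` and `personalIdentityNumber` for every SP carrying the `COCO` category, a second release path for national identity numbers next to `SFS_1993_1153`; confirm that is intended and say so in the changelog. The categories marked `# Deprecated from 2021-03-31` remain keys in `RELEASE` with no indication of when they will be removed.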
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/src/saml2/metadata.py 
new/pysaml2-6.1.0/src/saml2/metadata.py
--- old/pysaml2-5.3.0/src/saml2/metadata.py     2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/src/saml2/metadata.py     2020-07-10 21:01:20.000000000 
+0200
@@ -66,10 +66,10 @@
     if not xmlstring:
         xmlstring = desc.to_string(nspair)
 
-    if six.PY2:
+    try:
         if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
             xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
-    else:
+    except TypeError:
         if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
             xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)
 
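Review bot: The `try`/`except TypeError` that replaces `if six.PY2:` uses the exception from the str-in-bytes membership test as a type switch, and the `try` body also contains the `xmlstring.replace(...)` call, so an unrelated `TypeError` raised there is silently rerouted into the bytes branch. An explicit `isinstance(xmlstring, six.binary_type)` check states the intent and keeps real errors visible.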
@@ -379,13 +379,15 @@
 
 
 def _do_nameid_format(cls, conf, typ):
-    namef = conf.getattr("name_id_format", typ)
-    if namef:
-        if isinstance(namef, six.string_types):
-            ids = [md.NameIDFormat(namef)]
-        else:
-            ids = [md.NameIDFormat(text=form) for form in namef]
-        setattr(cls, "name_id_format", ids)
+    name_id_format = conf.getattr("name_id_format", typ)
+    if not name_id_format:
+        return
+
+    if isinstance(name_id_format, six.string_types):
+        name_id_format = [name_id_format]
+
+    formats = [md.NameIDFormat(text=format) for format in name_id_format]
+    setattr(cls, "name_id_format", formats)
 
 
 def do_endpoints(conf, endpoints):
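Review bot: The comprehension `[md.NameIDFormat(text=format) for format in name_id_format]` shadows the builtin `format`; use a name such as `fmt`. The single-string case also changes from the positional `md.NameIDFormat(namef)` to `text=...`, so a test that configures `name_id_format` as a plain string would pin the new behaviour.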
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/tests/sp_conf_nameidpolicy.py 
new/pysaml2-6.1.0/tests/sp_conf_nameidpolicy.py
--- old/pysaml2-5.3.0/tests/sp_conf_nameidpolicy.py     2020-06-25 
19:31:48.000000000 +0200
+++ new/pysaml2-6.1.0/tests/sp_conf_nameidpolicy.py     2020-07-10 
21:01:20.000000000 +0200
@@ -14,7 +14,7 @@
             "required_attributes": ["surName", "givenName", "mail"],
             "optional_attributes": ["title"],
             "idp": ["urn:mace:example.com:saml:roland:idp"],
-            "name_id_format": 
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+            "name_id_policy_format": 
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
             "name_id_format_allow_create": "true"
         }
     },
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/tests/test_39_metadata.py 
new/pysaml2-6.1.0/tests/test_39_metadata.py
--- old/pysaml2-5.3.0/tests/test_39_metadata.py 2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/tests/test_39_metadata.py 2020-07-10 21:01:20.000000000 
+0200
@@ -1,7 +1,10 @@
 import copy
 from saml2.config import SPConfig
-from saml2.metadata import entity_descriptor
+from saml2.metadata import create_metadata_string, entity_descriptor
 from saml2.saml import NAME_FORMAT_URI, NAME_FORMAT_BASIC
+from saml2 import sigver
+
+from pathutils import full_path
 
 __author__ = 'roland'
 
@@ -47,5 +50,17 @@
         assert req_attr.name_format == NAME_FORMAT_BASIC
 
 
+def test_signed_metadata_proper_str_bytes_handling():
+    sp_conf_2 = sp_conf.copy()
+    sp_conf_2['key_file'] = full_path("test.key")
+    sp_conf_2['cert_file'] = full_path("inc-md-cert.pem")
+    # requires xmlsec binaries per 
https://pysaml2.readthedocs.io/en/latest/examples/sp.html
+    sp_conf_2['xmlsec_binary'] = sigver.get_xmlsec_binary(["/opt/local/bin"])
+    cnf = SPConfig().load(sp_conf_2, metadata_construction=True)
+
+    # This will raise TypeError if string/bytes handling is not correct
+    sp_metadata = create_metadata_string('', config=cnf, sign=True)
+
+
 if __name__ == '__main__':
-    test_requested_attribute_name_format()
\ No newline at end of file
+    test_requested_attribute_name_format()
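Review bot: `test_signed_metadata_proper_str_bytes_handling` has no assertion: `sp_metadata` is assigned and never inspected, so the test only shows that no exception is raised. Assert at least that the returned string contains a signature element. In the same function, `sp_conf.copy()` is a shallow copy although `copy` is imported at the top of the file, and the hard-coded `["/opt/local/bin"]` search path for xmlsec is specific to one platform layout.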
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/tests/test_50_server.py 
new/pysaml2-6.1.0/tests/test_50_server.py
--- old/pysaml2-5.3.0/tests/test_50_server.py   2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/tests/test_50_server.py   2020-07-10 21:01:20.000000000 
+0200
@@ -251,7 +251,10 @@
 
     def test_parse_ok_request(self):
         req_id, authn_request = self.client.create_authn_request(
-            message_id="id1", destination="http://localhost:8088/sso";)
+            message_id="id1",
+            destination="http://localhost:8088/sso";,
+            nameid_format=saml.NAMEID_FORMAT_TRANSIENT,
+        )
 
         print(authn_request)
         binding = BINDING_HTTP_REDIRECT
@@ -1308,7 +1311,10 @@
 
     def test_parse_ok_request(self):
         req_id, authn_request = self.client.create_authn_request(
-            message_id="id1", destination="http://localhost:8088/sso";)
+            message_id="id1",
+            destination="http://localhost:8088/sso";,
+            nameid_format=saml.NAMEID_FORMAT_TRANSIENT,
+        )
 
         print(authn_request)
         binding = BINDING_HTTP_REDIRECT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pysaml2-5.3.0/tests/test_51_client.py 
new/pysaml2-6.1.0/tests/test_51_client.py
--- old/pysaml2-5.3.0/tests/test_51_client.py   2020-06-25 19:31:48.000000000 
+0200
+++ new/pysaml2-6.1.0/tests/test_51_client.py   2020-07-10 21:01:20.000000000 
+0200
@@ -242,7 +242,7 @@
         req_id, req = self.client.create_attribute_query(
             "https://aai-demo-idp.switch.ch/idp/shibboleth";,
             "_e7b68a04488f715cda642fbdd90099f5",
-            format=saml.NAMEID_FORMAT_TRANSIENT,
+            format=NAMEID_FORMAT_TRANSIENT,
             message_id="id1")
 
         assert isinstance(req, samlp.AttributeQuery)
@@ -253,12 +253,15 @@
         assert req.issue_instant
         assert req.issuer.text == "urn:mace:example.com:saml:roland:sp"
         nameid = req.subject.name_id
-        assert nameid.format == saml.NAMEID_FORMAT_TRANSIENT
+        assert nameid.format == NAMEID_FORMAT_TRANSIENT
         assert nameid.text == "_e7b68a04488f715cda642fbdd90099f5"
 
     def test_create_auth_request_0(self):
         ar_str = "%s" % self.client.create_authn_request(
-            "http://www.example.com/sso";, message_id="id1")[1]
+            "http://www.example.com/sso";,
+            message_id="id1",
+            nameid_format=NAMEID_FORMAT_TRANSIENT,
+        )[1]
 
         ar = samlp.authn_request_from_string(ar_str)
         assert ar.assertion_consumer_service_url == ("http://lingon.catalogix";
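Review bot: `test_create_auth_request_0` now passes `nameid_format=NAMEID_FORMAT_TRANSIENT` explicitly, so nothing in this file exercises the new path where neither the argument nor `name_id_policy_format` is set. Keep a variant without `nameid_format` that asserts what `ar.name_id_policy` is in that case, since that is the behaviour existing SP deployments will see after upgrading.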
@@ -270,7 +273,7 @@
         assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
         nid_policy = ar.name_id_policy
         assert nid_policy.allow_create is None
-        assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
+        assert nid_policy.format == NAMEID_FORMAT_TRANSIENT
 
         node_requested_attributes = None
         for e in ar.extensions.extension_elements:
@@ -892,7 +895,7 @@
             subject=factory(saml.Subject, text="_aaa",
                             name_id=factory(
                                 saml.NameID,
-                                format=saml.NAMEID_FORMAT_TRANSIENT)),
+                                format=NAMEID_FORMAT_TRANSIENT)),
             attribute_statement=do_attribute_statement(
                 {
                     ("", "", "sn"): ("Jeter", ""),
@@ -976,7 +979,7 @@
             self.client.config.entityid,
             self.server.config.attribute_converters,
             self.server.config.getattr("policy", "idp"),
-            name_id=factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT),
+            name_id=factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT),
             issuer=self.server._issuer(),
             authn_class=INTERNETPROTOCOLPASSWORD,
             authn_auth="http://www.example.com/login";,
@@ -1037,7 +1040,7 @@
             'in_response_to': "_012345",
             'subject_confirmation_method': saml.SCM_BEARER
         }
-        name_id = factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)
+        name_id = factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT)
 
         farg = add_path(
             {},
@@ -1149,7 +1152,7 @@
             farg['assertion']['subject']['subject_confirmation'],
             ['subject_confirmation_data', 'recipient',
              "http://lingon.catalogix.se:8087/";])
-        name_id = factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)
+        name_id = factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT)
 
         assertion_1 = asser_1.construct(
             self.client.config.entityid,
@@ -1796,7 +1799,7 @@
         req_id, req = self.client.create_attribute_query(
             "https://aai-demo-idp.switch.ch/idp/shibboleth";,
             "_e7b68a04488f715cda642fbdd90099f5",
-            format=saml.NAMEID_FORMAT_TRANSIENT,
+            format=NAMEID_FORMAT_TRANSIENT,
             message_id="id1")
 
         assert isinstance(req, samlp.AttributeQuery)
@@ -1807,12 +1810,15 @@
         assert req.issue_instant
         assert req.issuer.text == "urn:mace:example.com:saml:roland:sp"
         nameid = req.subject.name_id
-        assert nameid.format == saml.NAMEID_FORMAT_TRANSIENT
+        assert nameid.format == NAMEID_FORMAT_TRANSIENT
         assert nameid.text == "_e7b68a04488f715cda642fbdd90099f5"
 
     def test_create_auth_request_0(self):
         ar_str = "%s" % self.client.create_authn_request(
-            "http://www.example.com/sso";, message_id="id1")[1]
+            "http://www.example.com/sso";,
+            message_id="id1",
+            nameid_format=NAMEID_FORMAT_TRANSIENT,
+        )[1]
 
         ar = samlp.authn_request_from_string(ar_str)
         assert ar.assertion_consumer_service_url == ("http://lingon.catalogix";
@@ -1824,7 +1830,7 @@
         assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
         nid_policy = ar.name_id_policy
         assert nid_policy.allow_create is None
-        assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
+        assert nid_policy.format == NAMEID_FORMAT_TRANSIENT
 
         node_requested_attributes = None
         for e in ar.extensions.extension_elements:
@@ -2464,7 +2470,7 @@
             subject=factory(saml.Subject, text="_aaa",
                             name_id=factory(
                                 saml.NameID,
-                                format=saml.NAMEID_FORMAT_TRANSIENT)),
+                                format=NAMEID_FORMAT_TRANSIENT)),
             attribute_statement=do_attribute_statement(
                 {
                     ("", "", "sn"): ("Jeter", ""),
@@ -2548,7 +2554,7 @@
             self.client.config.entityid,
             self.server.config.attribute_converters,
             self.server.config.getattr("policy", "idp"),
-            name_id=factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT),
+            name_id=factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT),
             issuer=self.server._issuer(),
             authn_class=INTERNETPROTOCOLPASSWORD,
             authn_auth="http://www.example.com/login";,
@@ -2609,7 +2615,7 @@
             'in_response_to': "_012345",
             'subject_confirmation_method': saml.SCM_BEARER
         }
-        name_id = factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)
+        name_id = factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT)
 
         farg = add_path(
             {},
@@ -2722,7 +2728,7 @@
             farg['assertion']['subject']['subject_confirmation'],
             ['subject_confirmation_data', 'recipient',
              "http://lingon.catalogix.se:8087/";])
-        name_id = factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)
+        name_id = factory(saml.NameID, format=NAMEID_FORMAT_TRANSIENT)
 
         assertion_1 = asser_1.construct(
             self.client.config.entityid,

