Merge branch 'master' into master

Author: peppelinux

.travis.yml

@@ -5,6 +5,7 @@ language: python
 python:
   - 3.6
   - 3.7
+  - 3.8
   - pypy3
 
 addons:

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 5.1.0 (2020-06-09)
+
+- support eIDAS RequestedAttributes per AuthnRequest
+- fix xmlsec1 --id-attr configuration option value
+- do not remove existing disco URL query params
+- load attribute maps in predictable order
+- better error message when AudienceRestriction does not validate
+- always use base64.encodebytes instead of base64.encodestring
+- update the eIDAS attribute mapping for legal person
+- fix py_compile warnings
+- fix pylint errors and warnings
+- various small fixes
+- add Python3.8 as supported
+- tests: fix validity dates
+- docs: document default value for 'want_response_signed'
+
+
 ## 5.0.0 (2020-01-13)
 
 - Fix XML Signature Wrapping (XSW) vulnerabilities - CVE-2020-5390

VERSION

@@ -1 +1 @@
-5.0.0
+5.1.0

docs/howto/config.rst

@@ -189,7 +189,7 @@ Format::
     key_file: "key.pem"
 
 *key_file* is the name of a PEM formatted file that contains the private key
-of the service. This is presently used both to encrypt/sign assertions and as
+of the service. This is currently used both to encrypt/sign assertions and as
 the client key in an HTTPS session.
 
 metadata
@@ -270,7 +270,7 @@ Where you describe the organization responsible for the service.::
 preferred_binding
 ^^^^^^^^^^^^^^^^^
 
-Which binding should be prefered for a service.
+Which binding should be preferred for a service.
 Example configuration::
 
     "preferred_binding" = {
@@ -340,16 +340,16 @@ accepted_time_diff
 ^^^^^^^^^^^^^^^^^^
 
 If your computer and another computer that you are communicating with are not
-in synch regarding the computer clock, then here you can state how big a
+in sync regarding the computer clock, then here you can state how big a
 difference you are prepared to accept.
 
-.. note:: This will indiscriminately affect all-time comparisons.
-    Hence your server my accept a statement that in fact is too old.
+.. note:: This will indiscriminately affect all time comparisons.
+    Hence your server may accept a statement that in fact is too old.
 
 xmlsec_binary
 ^^^^^^^^^^^^^
 
-Presently xmlsec1 binaries are used for all the signing and encryption stuff.
+Currently xmlsec1 binaries are used for all the signing and encryption stuff.
 This option defines where the binary is situated.
 
 Example::
@@ -385,7 +385,7 @@ Directives that are specific to a certain type of service.
 idp/aa
 ^^^^^^
 
-Directives that are specific to an IdP or AA service instance
+Directives that are specific to an IdP or AA service instance.
 
 sign_assertion
 """"""""""""""
@@ -498,6 +498,8 @@ want_response_signed
 Indicates that Authentication Responses to this SP must be signed. If set to
 True, the SP will not consume any SAML Responses that are not signed.
 
+Valid values are True or False. Default value is True.
+
 Example::
 
     "service": {
@@ -629,7 +631,7 @@ name_format indicates the name format for that attribute, such as
 
 It is mandatory that at least name or friendly_name is set.
 By default attributes are assumed to be required.
-Missing attributes are infered based on the attribute maps data.
+Missing attributes are inferred based on the attribute maps data.
 
 Example::
 
@@ -844,7 +846,7 @@ or if you want to use for instance memcache::
 
     "subject_data": ("memcached", "localhost:12121"),
 
-*shelve* and *memcached* are the only database types that are presently
+*shelve* and *memcached* are the only database types that are currently
 supported.
 
 

example/sp-wsgi/sp.py

@@ -2,7 +2,10 @@
 from __future__ import print_function
 
 import argparse
-import cgi
+try:
+    import html
+except:
+    import cgi as html
 import importlib
 import logging
 import os
@@ -48,6 +51,9 @@
 from saml2.saml import NAMEID_FORMAT_PERSISTENT
 from saml2.samlp import Extensions
 
+def _html_escape(payload):
+    return html.escape(payload, quote=True)
+
 logger = logging.getLogger("")
 hdlr = logging.FileHandler("spx.log")
 base_formatter = logging.Formatter("%(asctime)s %(name)s:%(levelname)s %(message)s")
@@ -699,7 +705,7 @@ def main(environ, start_response, sp):
     body = dict_to_table(user.data)
     body.append(
         "<br><pre>{authn_stmt}</pre>".format(
-            authn_stmt=cgi.escape(user.authn_statement)
+            authn_stmt=_html_escape(user.authn_statement)
         )
     )
     body.append("<br><a href='/logout'>logout</a>")

setup.cfg

@@ -22,6 +22,7 @@ classifier =
     Programming Language :: Python :: 3 :: Only
     Programming Language :: Python :: 3.6
     Programming Language :: Python :: 3.7
+    Programming Language :: Python :: 3.8
 requires-dist = setuptools
 keywords =
     saml

src/saml2/__init__.py

@@ -21,7 +21,7 @@
 
 import six
 
-import saml2.version
+from saml2.version import version as __version__
 from saml2.validate import valid_instance
 
 try:
@@ -40,11 +40,7 @@
 import defusedxml.ElementTree
 
 
-__version__ = str(saml2.version.version)
-
-
-root_logger = logging.getLogger(__name__)
-root_logger.level = logging.NOTSET
+logger = logging.getLogger(__name__)
 
 NAMESPACE = 'urn:oasis:names:tc:SAML:2.0:assertion'
 # TEMPLATE = '{urn:oasis:names:tc:SAML:2.0:assertion}%s'

src/saml2/attribute_converter.py

@@ -62,7 +62,7 @@ def ac_factory(path=""):
         if path not in sys.path:
             sys.path.insert(0, path)
 
-        for fil in os.listdir(path):
+        for fil in sorted(os.listdir(path)):
             if fil.endswith(".py"):
                 mod = import_module(fil[:-3])
                 for key, item in mod.__dict__.items():

src/saml2/attributemaps/saml_uri.py

@@ -36,9 +36,9 @@
     'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
     'fro': {
         EIDAS_LEGALPERSON+'LegalPersonIdentifier': 'LegalPersonIdentifier',
-        EIDAS_LEGALPERSON+'LegalAddress': 'LegalAddress',
+        EIDAS_LEGALPERSON+'LegalPersonAddress': 'LegalAddress',
         EIDAS_LEGALPERSON+'LegalName': 'LegalName',
-        EIDAS_LEGALPERSON+'VATRegistration': 'VATRegistration',
+        EIDAS_LEGALPERSON+'VATRegistrationNumber': 'VATRegistration',
         EIDAS_LEGALPERSON+'TaxReference': 'TaxReference',
         EIDAS_LEGALPERSON+'BusinessCodes': 'BusinessCodes',
         EIDAS_LEGALPERSON+'LEI': 'LEI',
@@ -218,9 +218,9 @@
     },
     'to': {
         'LegalPersonIdentifier': EIDAS_LEGALPERSON+'LegalPersonIdentifier',
-        'LegalAddress': EIDAS_LEGALPERSON+'LegalAddress',
+        'LegalAddress': EIDAS_LEGALPERSON+'LegalPersonAddress',
         'LegalName': EIDAS_LEGALPERSON+'LegalName',
-        'VATRegistration': EIDAS_LEGALPERSON+'VATRegistration',
+        'VATRegistration': EIDAS_LEGALPERSON+'VATRegistrationNumber',
         'TaxReference': EIDAS_LEGALPERSON+'TaxReference',
         'BusinessCodes': EIDAS_LEGALPERSON+'BusinessCodes',
         'LEI': EIDAS_LEGALPERSON+'LEI',

src/saml2/authn.py

@@ -29,13 +29,13 @@ def __init__(self, srv):
         self.srv = srv
 
     def __call__(self, *args, **kwargs):
-        raise NotImplemented
+        raise NotImplementedError
 
     def authenticated_as(self, **kwargs):
-        raise NotImplemented
+        raise NotImplementedError
 
     def verify(self, **kwargs):
-        raise NotImplemented
+        raise NotImplementedError
 
 
 def is_equal(a, b):