:type raise_exceptions: Boolean
:returns: True if the condition is valid, False otherwise
:rtype: bool
"""
conditions_nodes = self.__query_assertion('/saml:Conditions')
for conditions_node in conditions_nodes:
nb_attr = conditions_node.get('NotBefore')
nooa_attr = conditions_node.get('NotOnOrAfter')
if nb_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nb_attr) > OneLogin_Saml2_Utils.now() + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT:
raise OneLogin_Saml2_ValidationError(
'Could not validate timestamp: not yet valid. Check system clock.',
OneLogin_Saml2_ValidationError.ASSERTION_TOO_EARLY
)
if nooa_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nooa_attr) + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now():
raise OneLogin_Saml2_ValidationError(
'Could not validate timestamp: expired. Check system clock.',
OneLogin_Saml2_ValidationError.ASSERTION_EXPIRED
)
return True
def validate_timestamps(self):
    """
    Verifies that the document is valid according to Conditions Element

    Each saml:Conditions node found in the assertion is checked against the
    current time, with OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT applied
    as tolerance in both directions (NotBefore may be slightly in the future,
    NotOnOrAfter may be slightly in the past). A Conditions node that carries
    neither attribute imposes no time restriction and is accepted as-is.
    Unlike the raising variant, a failed check is reported by returning False.

    :returns: True if the condition is valid, False otherwise
    :rtype: bool
    """
    drift = OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT
    to_time = OneLogin_Saml2_Utils.parse_SAML_to_time

    for conditions_node in self.__query_assertion('/saml:Conditions'):
        not_before = conditions_node.get('NotBefore')
        not_on_or_after = conditions_node.get('NotOnOrAfter')

        # Not yet valid: NotBefore is still in the future even after allowing for drift.
        if not_before and to_time(not_before) > OneLogin_Saml2_Utils.now() + drift:
            return False

        # Expired: NotOnOrAfter (extended by drift) has already been reached.
        if not_on_or_after and to_time(not_on_or_after) + drift <= OneLogin_Saml2_Utils.now():
            return False

    return True
:param is_passive: Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
:type is_passive: bool
:param set_nameid_policy: Optional argument. When true the AuthNReuqest will set a nameIdPolicy element.
:type set_nameid_policy: bool
"""
self.__settings = settings
sp_data = self.__settings.get_sp_data()
idp_data = self.__settings.get_idp_data()
security = self.__settings.get_security_data()
uid = OneLogin_Saml2_Utils.generate_unique_id()
self.__id = uid
issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
destination = idp_data['singleSignOnService']['url']
provider_name_str = ''
organization_data = settings.get_organization()
if isinstance(organization_data, dict) and organization_data:
langs = organization_data
if 'en-US' in langs:
lang = 'en-US'
else:
lang = sorted(langs)[0]
display_name = 'displayname' in organization_data[lang] and organization_data[lang]['displayname']
if display_name:
provider_name_str = "\n" + ' ProviderName="%s"' % organization_data[lang]['displayname']
:param nq: IDP Name Qualifier
:type: string
"""
self.__settings = settings
self.__error = None
self.id = None
if request is None:
sp_data = self.__settings.get_sp_data()
idp_data = self.__settings.get_idp_data()
security = self.__settings.get_security_data()
uid = OneLogin_Saml2_Utils.generate_unique_id()
self.id = uid
issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
cert = None
if security['nameIdEncrypted']:
cert = idp_data['x509cert']
if name_id is not None:
name_id_format = sp_data['NameIDFormat']
sp_name_qualifier = None
else:
name_id = idp_data['entityId']
name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
sp_name_qualifier = sp_data['entityId']
name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
name_id,
sp_name_qualifier,
sc_data = scn.find('saml:SubjectConfirmationData', namespaces=OneLogin_Saml2_Constants.NSMAP)
if sc_data is None:
continue
else:
irt = sc_data.get('InResponseTo', None)
if (in_response_to is None and irt is not None and
security.get('rejectUnsolicitedResponsesWithInResponseTo', False)) or \
in_response_to and irt and irt != in_response_to:
continue
recipient = sc_data.get('Recipient', None)
if recipient and current_url not in recipient:
continue
nooa = sc_data.get('NotOnOrAfter', None)
if nooa:
parsed_nooa = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
if parsed_nooa <= OneLogin_Saml2_Utils.now():
continue
nb = sc_data.get('NotBefore', None)
if nb:
parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb)
if parsed_nb > OneLogin_Saml2_Utils.now():
continue
if nooa:
self.valid_scd_not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
any_subject_confirmation = True
break
if not any_subject_confirmation:
raise OneLogin_Saml2_ValidationError(
'A valid SubjectConfirmation was not found on this Response',
get_data = ('get_data' in request_data and request_data['get_data']) or dict()
if self.__settings.is_strict():
res = OneLogin_Saml2_XML.validate_xml(root, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if isinstance(res, str):
raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check NotOnOrAfter
if root.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(root.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise Exception('Timing issues (please check your clock settings)')
# Check destination
if root.get('Destination', None):
destination = root.get('Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' %
{
'currentURL': current_url,
'destination': destination,
}
)
if self.__settings.is_strict():
res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
if not isinstance(res, Document):
raise OneLogin_Saml2_ValidationError(
'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
)
security = self.__settings.get_security_data()
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
# Check NotOnOrAfter
if dom.get('NotOnOrAfter', None):
na = OneLogin_Saml2_Utils.parse_SAML_to_time(dom.get('NotOnOrAfter'))
if na <= OneLogin_Saml2_Utils.now():
raise OneLogin_Saml2_ValidationError(
'Could not validate timestamp: expired. Check system clock.',
OneLogin_Saml2_ValidationError.RESPONSE_EXPIRED
)
# Check destination
if dom.get('Destination', None):
destination = dom.get('Destination')
if destination != '':
if current_url not in destination:
raise Exception(
'The LogoutRequest was received at '
'%(currentURL)s instead of %(destination)s' %
{
'currentURL': current_url,
'destination': destination,
raise Exception('The response was received at %s instead of %s' % (current_url, destination))
# Checks audience
valid_audiences = self.get_audiences()
if valid_audiences and sp_entity_id not in valid_audiences:
raise Exception('%s is not a valid audience for this Response' % sp_entity_id)
# Checks the issuers
issuers = self.get_issuers()
for issuer in issuers:
if issuer is None or issuer != idp_entity_id:
raise Exception('Invalid issuer in the Assertion/Response')
# Checks the session Expiration
session_expiration = self.get_session_not_on_or_after()
if session_expiration and session_expiration <= OneLogin_Saml2_Utils.now():
raise Exception('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response')
# Checks the SubjectConfirmation, at least one SubjectConfirmation must be valid
any_subject_confirmation = False
subject_confirmation_nodes = self.__query_assertion('/saml:Subject/saml:SubjectConfirmation')
for scn in subject_confirmation_nodes:
method = scn.get('Method', None)
if method and method != OneLogin_Saml2_Constants.CM_BEARER:
continue
sc_data = scn.find('saml:SubjectConfirmationData', namespaces=OneLogin_Saml2_Constants.NSMAP)
if sc_data is None:
continue
else:
irt = sc_data.get('InResponseTo', None)
if in_response_to and irt and irt != in_response_to:
:type: string
"""
self.__settings = settings
self.__error = None
self.id = None
if request is None:
sp_data = self.__settings.get_sp_data()
idp_data = self.__settings.get_idp_data()
security = self.__settings.get_security_data()
uid = OneLogin_Saml2_Utils.generate_unique_id()
self.id = uid
issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
cert = None
if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
exists_multix509enc = 'x509certMulti' in idp_data and \
'encryption' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['encryption']
if exists_multix509enc:
cert = idp_data['x509certMulti']['encryption'][0]
else:
cert = idp_data['x509cert']
if name_id is not None:
if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
name_id_format = sp_data['NameIDFormat']
else:
name_id = idp_data['entityId']