Add an alert about the monkey-patch of pysaml2
brunato committed Jul 20, 2021
1 parent 8ae1687 commit 94f56c9
Showing 2 changed files with 16 additions and 9 deletions.
6 changes: 6 additions & 0 deletions README.md
@@ -58,6 +58,12 @@ source env/bin/activate
pip install djangosaml2-spid
````

⚠️ djangosaml2-spid uses a *monkey-patch* version of the pysaml2 library that fixes
some limitations or small bugs that can affect SPID data. Patches are applied only
once after the app is ready to run. Take a look at module `djangosaml2_spid._saml2`
for patches code and references.


Your example saml2 configuration is in `spid_config/spid_settings.py`.
See djangosaml2 and pysaml2 official docs for clarifications.

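Review bot: the added README paragraph says the pysaml2 patches fix "some limitations or small bugs" without naming them; since each flag in `_saml2.py` (`DISABLE_WEAK_XMLSEC_ALGORITHMS`, `ADD_XSD_DATE_TYPE`, `PATCH_RESPONSE_VERIFY`) tracks an upstream pysaml2 PR, list the three patches here with their PR references and the pysaml2 versions they target, so operators can tell when an upgrade makes a patch redundant and when the monkey-patch would override a newer upstream implementation. Minor: the fence closing the install snippet just above uses four backticks (````); check that it matches the opening fence.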
19 changes: 10 additions & 9 deletions src/djangosaml2_spid/_saml2.py
@@ -3,7 +3,7 @@
#
DISABLE_WEAK_XMLSEC_ALGORITHMS = True # https://github.com/IdentityPython/pysaml2/pull/628
ADD_XSD_DATE_TYPE = True # https://github.com/IdentityPython/pysaml2/pull/602
PATCH_RESPONSE_VERIFY = True # https://github.com/peppelinux/pysaml2/commit/8bdbbdf41ce63a37d3ba02c8f48a3dba0217d463
PATCH_RESPONSE_VERIFY = True # https://github.com/IdentityPython/pysaml2/pull/812


def pysaml2_patch():
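Review bot: the reference for `PATCH_RESPONSE_VERIFY` now points at the upstream PR (IdentityPython/pysaml2#812) instead of a fork commit, but the flag is still unconditionally `True`, so `pysaml2_patch()` will replace `StatusResponse._verify` even on a pysaml2 release that already ships that fix. Suggest gating the patch on the installed pysaml2 version (or on a feature check of the upstream method) and logging when it is skipped; the same applies to the other two flags, which also cite merged upstream PRs.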
@@ -167,27 +167,28 @@ def _wrong_type_value(xsd, value):
AttributeValueBase.set_text = set_text

if PATCH_RESPONSE_VERIFY:
logger = logging.getLogger(__name__)
logger = logging.getLogger(StatusResponse.__module__)

def _verify(self):
if self.request_id and self.in_response_to and \
self.in_response_to != self.request_id:
logger.error("Not the id I expected: %s != %s",
self.in_response_to, self.request_id)
return None

if self.response.version != "2.0":
_ver = float(self.response.version)
if _ver < 2.0:
if float(self.response.version) < 2.0:
raise RequestVersionTooLow()
else:
raise RequestVersionTooHigh()

destination = self.response.destination
if self.asynchop and destination:
# Destination must be present
if destination not in self.return_addrs:
if self.asynchop:
if not getattr(self.response, 'destination'):
logger.error("Invalid response destination in asynchop")
return None
elif self.response.destination not in self.return_addrs:
logger.error(
f"{destination} not in {self.return_addrs}"
f"{self.response.destination} not in {self.return_addrs}"
)
return None

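Review bot: in the new `asynchop` branch, `getattr(self.response, 'destination')` with no default is just `self.response.destination` and still raises `AttributeError` when the attribute is absent; use the plain attribute or `getattr(self.response, 'destination', None)` so the `logger.error(...)` / `return None` path is actually reached. Note that this hunk also tightens behaviour: the removed `if self.asynchop and destination:` skipped the address check when Destination was empty, while the new code rejects any asynchronous response without a Destination, which is the safer default for SPID but should be stated in the commit message since it changes the outcome for responses that previously verified. The logger rename to `StatusResponse.__module__` makes these records appear under pysaml2's logger rather than this package's; a short comment would save anyone filtering logs by module a surprise.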
