packages/lasso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!17 Upgrade to 2.7.0

Browse Source 
From: @wk333 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2022-10-17 08:12:29 +00:00 committed by Gitee
commit a619d76690
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
11 changed files with 25 additions and 752 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
0001-Explicitly-define-tests-cases-and-add-them-to-tests.patch
View File

@ -1,63 +0,0 @@
From e09284a6b1c34178d0e6817f3ffeae9342f13786 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 17 Jan 2020 15:35:27 +0100
Subject: [PATCH] Explicitly define tests cases and add them to tests
---
tests/non_regression_tests.c | 35 +++++++++++++++++------------------
1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/tests/non_regression_tests.c b/tests/non_regression_tests.c
index d2993ecd..a03b458f 100644
--- a/tests/non_regression_tests.c
+++ b/tests/non_regression_tests.c
@@ -233,29 +233,28 @@ START_TEST(malformed_logout_request)
}
END_TEST
-struct {
- char *name;
- void *function;
-} tests[] = {
- { "Googleapps error from coudot@ on 27-09-2010", test01_googleapps_27092010},
- { "Wrong assertionConsumer ordering on 08-10-2010", indexed_endpoints_20101008},
- { "Warning when parsing AttributeValue node containing unknown namespace nodes", remove_warning_when_parssing_unknown_SNIPPET_LIST_NODES_20111007 },
- { "Wrong endpoint index in artifacts", wrong_endpoint_index_in_artifacts },
- { "Malformed logout request", malformed_logout_request },
-};
-
Suite*
non_regression_suite()
{
Suite *s = suite_create("Non regression tests");
- unsigned int i = 0;
- for (i = 0 ; i < G_N_ELEMENTS(tests); i++) {
- TCase *c = tcase_create(tests[i].name);
- void *f = tests[i].function;
- tcase_add_test(c, f);
- suite_add_tcase(s, c);
- }
+ TCase *tc_googleapps_27092010 = tcase_create("Create server from empty string");
+ TCase *tc_indexed_endpoints_20101008 = tcase_create("Wrong assertionConsumer ordering on 08-10-2010");
+ TCase *tc_remove_warning_when_parssing_unknown_SNIPPET_LIST_NODES_20111007 = tcase_create("Warning when parsing AttributeValue node containing unknown namespace nodes");
+ TCase *tc_wrong_endpoint_index_in_artifacts = tcase_create("Wrong endpoint index in artifacts");
+ TCase *tc_malformed_logout_request = tcase_create("Malformed logout request");
+
+ tcase_add_test(tc_googleapps_27092010, test01_googleapps_27092010);
+ tcase_add_test(tc_googleapps_27092010, indexed_endpoints_20101008);
+ tcase_add_test(tc_googleapps_27092010, remove_warning_when_parssing_unknown_SNIPPET_LIST_NODES_20111007);
+ tcase_add_test(tc_googleapps_27092010, wrong_endpoint_index_in_artifacts);
+ tcase_add_test(tc_googleapps_27092010, malformed_logout_request);
+
+ suite_add_tcase(s, tc_googleapps_27092010);
+ suite_add_tcase(s, tc_indexed_endpoints_20101008);
+ suite_add_tcase(s, tc_remove_warning_when_parssing_unknown_SNIPPET_LIST_NODES_20111007);
+ suite_add_tcase(s, tc_wrong_endpoint_index_in_artifacts);
+ suite_add_tcase(s, tc_malformed_logout_request);
return s;
}
--
2.21.0

29
0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch
View File

@ -1,29 +0,0 @@
From: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Date: Mon, 3 Jun 2019 13:30:27 +0200
Subject: [PATCH] tests: Remove the use of an expired cert in tests as a
workaround
The test used to verify the signature of the IDP metadata in
test13_test_lasso_server_load_metadata() expired at &#34;Mar 23 09:51:37
2019 GMT&#34;
This patch just removes the certificate usage from
lasso_server_load_metadata() which means we don&#39;t validate the metadata,
but we can keep the rest of the test at least.
---
tests/basic_tests.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index 398d789..bbb0972 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -1983,7 +1983,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
block_lasso_logs;
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
TESTSDATADIR "/metadata/renater-metadata.xml",
- TESTSDATADIR "/metadata/metadata-federation-renater.crt",
+ NULL,
&blacklisted_1, &loaded_entity_ids,
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
unblock_lasso_logs;

179
backport-CVE-2021-28091.patch
View File

@ -1,179 +0,0 @@
From ea7e5efe9741e1b1787a58af16cb15b40c23be5a Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Mon, 8 Mar 2021 11:33:26 +0100
Subject: Fix signature checking on unsigned response with multiple assertions
CVE-2021-28091 : when AuthnResponse messages are not signed (which is
permitted by the specifiation), all assertion's signatures should be
checked, but currently after the first signed assertion is checked all
following assertions are accepted without checking their signature, and
the last one is considered the main assertion.
This patch :
* check signatures from all assertions if the message is not signed,
* refuse messages with assertion from different issuers than the one on
the message, to prevent assertion bundling event if they are signed.
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 0d4bb1d..cf62c1c 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1257,7 +1257,11 @@ lasso_saml20_login_check_assertion_signature(LassoLogin *login,
original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE);
- rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
+ /* Shouldn't set the profile->signature_status here as we're only
+ * checking the assertion signature.
+ * Instead, we'll set the status after all the assertions are iterated.
+ */
+ rc = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
#define log_verify_assertion_signature_error(msg) \
message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \
@@ -1282,18 +1286,6 @@ cleanup:
return rc;
}
-static gboolean
-_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
-{
- if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
- return FALSE;
-
- if (! assertion->Issuer || ! assertion->Issuer->content)
- return FALSE;
-
- return lasso_strisequal(assertion->Issuer->content,provider_id);
-}
-
static gint
_lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
{
@@ -1358,11 +1350,23 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
return 0;
}
+/* Verify that an assertion comes from a designated Issuer */
+static gboolean
+_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
+{
+ if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
+ return FALSE;
+ if (! assertion->Issuer || ! assertion->Issuer->content)
+ return FALSE;
+ return lasso_strisequal(assertion->Issuer->content,provider_id);
+}
+
static gint
lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
{
LassoSamlp2StatusResponse *response;
LassoSamlp2Response *samlp2_response = NULL;
+ LassoSaml2Assertion *last_assertion = NULL;
LassoProfile *profile;
char *status_value;
lasso_error_t rc = 0;
@@ -1404,34 +1408,62 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/* Decrypt all EncryptedAssertions */
_lasso_saml20_login_decrypt_assertion(login, samlp2_response);
- /* traverse all assertions */
- goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL,
- LASSO_PROFILE_ERROR_MISSING_ASSERTION);
+ /* Check there is at least one assertion */
+ goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, LASSO_PROFILE_ERROR_MISSING_ASSERTION);
+
+ /* In case of verify_hint as 'FORCE', if there's no response signature,
+ * we reject.
+ * In case of 'MAYBE', if response signature is present and valid, or
+ * not present, then we proceed with checking assertion signature(s).
+ * In any case, if there's a response signature and it's not valid,
+ * we reject.
+ */
verify_hint = lasso_profile_get_signature_verify_hint(profile);
+ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ goto_cleanup_with_rc(profile->signature_status);
+ }
+ } else if (profile->signature_status != 0) {
+ goto_cleanup_with_rc(profile->signature_status);
+ }
lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion);
LassoSaml2Subject *subject = NULL;
- lasso_assign_gobject (login->private_data->saml2_assertion, assertion);
+ /* All Assertions MUST come from the same issuer as the Response. */
+ if (! _lasso_check_assertion_issuer(assertion, profile->remote_providerID)) {
+ goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_ISSUER);
+ }
- /* If signature has already been verified on the message, and assertion has the same
- * issuer as the message, the assertion is covered. So no need to verify a second
- * time */
- if (profile->signature_status != 0
- || ! _lasso_check_assertion_issuer(assertion,
- profile->remote_providerID)
- || verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ if (profile->signature_status != 0) {
+ /* When response signature is not present */
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
+ assertion_signature_status =
+ lasso_saml20_login_check_assertion_signature(login, assertion);
+ if (assertion_signature_status) {
+ goto_cleanup_with_rc(assertion_signature_status);
+ }
+ }
+ } else {
+ /* response signature is present and valid */
assertion_signature_status = lasso_saml20_login_check_assertion_signature(login,
- assertion);
- /* If signature validation fails, it is the return code for this function */
+ assertion);
if (assertion_signature_status) {
- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
+ /* assertion signature is not valid or not present */
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ /* In case of FORCE, we reject right away */
+ goto_cleanup_with_rc(assertion_signature_status);
+ } else if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
+ /* In case of MAYBE, if assertion signature is present and invalid, then we reject */
+ if (assertion_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ goto_cleanup_with_rc(assertion_signature_status);
+ }
+ }
}
}
-
lasso_extract_node_or_fail(subject, assertion->Subject, SAML2_SUBJECT,
- LASSO_PROFILE_ERROR_MISSING_SUBJECT);
+ LASSO_PROFILE_ERROR_MISSING_SUBJECT);
/* Verify Subject->SubjectConfirmationData->InResponseTo */
if (login->private_data->request_id) {
@@ -1446,8 +1478,20 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/** Handle nameid */
lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile,
&subject->NameID, &subject->EncryptedID));
+
+ last_assertion = assertion;
lasso_foreach_full_end();
+ /* set the profile signature status only after all the signatures are
+ * verified.
+ */
+ profile->signature_status = rc;
+
+ /* set the default assertion to the last one */
+ if (last_assertion) {
+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
+ }
+
switch (verify_hint) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
--
cgit v0.10.2

255
build-scripts-py3-compatible.patch
View File

@ -1,255 +0,0 @@
commit d526669810e0dc0a454260d5081fc96e16fc9e13
Author: John Dennis <jdennis@redhat.com>
Date: Mon Jun 25 16:26:24 2018 -0400
Make Python scripts compatible with both Py2 and Py3
During the build if the Python3 interpreter is used a number of
scripts will fail because they were never ported from Py2 to Py3. In
general we want Python code to be compatible with both Py2 and
Py3. This patch brings the scripts up to date with Py3 but retains
backwards compatibility with Py2 (specifically Py 2.7, the last Py2
release).
Examples of the required changes are:
* Replace use of the built-in function file() with open(). file()
does not exist in Py3, open works in both Py2 and Py3. The code was
also modified to use a file context manager (e.g. with open(xxx) as
f:). This assures open files are properly closed when the code block
using the file goes out of scope. This is a standard modern Python
idiom.
* Replace all use of the print keyword with the six.print_()
function, which itself is an emulation of Py3's print function. Py3
no longer has a print keyword, only a print() function.
* The dict methods .keys(), .values(), .items() no longer return a
list in Py3, instead they return a "view" object which is an
iterator whose result is an unordered set. The most notable
consequence is you cannot index the result of these functions like
your could in Py2 (e.g. dict.keys()[0] will raise a run time
exception).
* Replace use of StringIO.StringIO and cStringIO with
six.StringIO. Py3 no longer has cStringIO and the six variant
handles the correct import.
* Py3 no longer allows the "except xxx, variable" syntax, where
variable appering after the comma is assigned the exception object,
you must use the "as" keyword to perform the variable assignment
(e.g. execpt xxx as variable)
Note: the modifications in this patch are the minimum necessary to get
the build to run with the Py3 interpreter. There are numerous other
Python scripts in the repo which need Py3 porting as well but because
they are not invoked during a build they will be updated in a
subsequent patch.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/python/examples/get_attributes_from_assertion.py b/bindings/python/examples/get_attributes_from_assertion.py
index 44ceb9e5..8f37a337 100644
--- a/bindings/python/examples/get_attributes_from_assertion.py
+++ b/bindings/python/examples/get_attributes_from_assertion.py
@@ -1,8 +1,10 @@
# Example SP Python code to get attributes from an assertion
+from six import print_
+
for attribute in assertion.attributeStatement[0].attribute:
if attribute.name == lasso.SAML2_ATTRIBUTE_NAME_EPR:
continue
- print 'attribute : ' + attribute.name
+ print_('attribute : ' + attribute.name)
for value in attribute.attributeValue:
- print ' value : ' + value.any[0].content
+ print_(' value : ' + value.any[0].content)
diff --git a/bindings/python/tests/binding_tests.py b/bindings/python/tests/binding_tests.py
index 6d8e0dfa..54c3635f 100755
--- a/bindings/python/tests/binding_tests.py
+++ b/bindings/python/tests/binding_tests.py
@@ -311,8 +311,8 @@ class BindingTestCase(unittest.TestCase):
</samlp:Extensions>'''
node = lasso.Node.newFromXmlNode(content)
assert 'next_url' in node.any[1]
- assert 'huhu' in node.attributes.keys()[0]
- assert node.attributes.values()[0] == 'xxx'
+ assert '{https://www.entrouvert.com/}huhu' in node.attributes.keys()
+ assert 'xxx' in node.attributes.values()
node.any = ('<zob>coin</zob>',)
node.attributes = {'michou': 'zozo'}
assert '<zob>coin</zob>' in node.dump()
diff --git a/bindings/python/tests/idwsf2_tests.py b/bindings/python/tests/idwsf2_tests.py
index 6f80c53d..4e47a4a1 100755
--- a/bindings/python/tests/idwsf2_tests.py
+++ b/bindings/python/tests/idwsf2_tests.py
@@ -27,7 +27,7 @@
import os
import unittest
import sys
-from StringIO import StringIO
+from six import StringIO
import logging
logging.basicConfig()
@@ -310,11 +310,11 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.validateRequest()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnlessEqual(len(idp_disco.metadatas), 1)
@@ -391,16 +391,16 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco is not None)
try:
idp_disco.processRequestMsg(wsp_disco.msgBody)
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.request is not None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.failRequest(lasso.IDWSF2_DISCOVERY_STATUS_CODE_FAILED, lasso.IDWSF2_DISCOVERY_STATUS_CODE_FORBIDDEN)
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnless(idp_disco.response.status is not None)
@@ -415,7 +415,7 @@ class MetadataTestCase(IdWsf2TestCase):
wsp_disco.processResponseMsg(idp_disco.msgBody)
except lasso.Idwsf2DiscoveryForbiddenError:
pass
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
def test03(self):
@@ -475,7 +475,7 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(soap_envelope.getMessageId() is not None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
# redirect
interactionUrl = spInteractionUrl
@@ -488,7 +488,7 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(response.detail.any[0].redirectURL.startswith(interactionUrl + '?transactionID='))
try:
idp_disco.buildResponseMsg()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.msgBody is not None)
@@ -500,7 +500,7 @@ class MetadataTestCase(IdWsf2TestCase):
wsp_disco.processResponseMsg(idp_disco.msgBody)
except lasso.WsfprofileRedirectRequestError:
pass
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
response_envelope = wsp_disco.getSoapEnvelopeResponse()
self.failUnless(response_envelope.sb2GetRedirectRequestUrl().startswith(interactionUrl + '?transactionID='))
@@ -527,11 +527,11 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.validateRequest()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnlessEqual(len(idp_disco.metadatas), 1)
diff --git a/lasso/build_strerror.py b/lasso/build_strerror.py
index fca59628..908638d5 100644
--- a/lasso/build_strerror.py
+++ b/lasso/build_strerror.py
@@ -1,42 +1,42 @@
#! /usr/bin/env python
-from cStringIO import StringIO
import glob
import re
import sys
import os
+from six import print_, StringIO
srcdir = sys.argv[1]
-hlines = file('%s/errors.h' % srcdir,'r').readlines()
messages = dict()
description = ''
-for line in hlines:
- m = re.match(r'^ \* LASSO.*ERROR', line)
- if m:
- description = ''
- continue
- m = re.match(r'^ \* (.*[^:])$', line)
- if m:
- description += m.group(1)
- m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
- if m and description:
- description = re.sub(r'[ \n]+', ' ', description).strip()
- messages[m.group(1)] = description
- description = ''
- else:
- m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+with open('%s/errors.h' % srcdir,'r') as f:
+ for line in f:
+ m = re.match(r'^ \* LASSO.*ERROR', line)
if m:
- messages[m.group(1)] = m.group(1)
+ description = ''
+ continue
+ m = re.match(r'^ \* (.*[^:])$', line)
+ if m:
+ description += m.group(1)
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
+ if m and description:
+ description = re.sub(r'[ \n]+', ' ', description).strip()
+ messages[m.group(1)] = description
+ description = ''
+ else:
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+ if m:
+ messages[m.group(1)] = m.group(1)
-clines = file('%s/errors.c.in' % srcdir,'r').readlines()
-for line in clines:
- if '@ERROR_CASES@' in line:
- keys = messages.keys()
- keys.sort()
- for k in keys:
- print """ case %s:
- return "%s";""" % (k,messages[k].rstrip('\n'))
- else:
- print line,
+with open('%s/errors.c.in' % srcdir,'r') as f:
+ for line in f:
+ if '@ERROR_CASES@' in line:
+ keys = sorted(messages.keys())
+ for k in keys:
+ print_(' case %s:\n'
+ ' return "%s";' %
+ (k,messages[k].rstrip('\n')))
+ else:
+ print_(line, end="")

83
duplicate-python-LogoutTestCase.patch
View File

@ -1,83 +0,0 @@
commit 623d785f957acc9eccb47a9a3f88e5e167a370b6
Author: John Dennis <jdennis@redhat.com>
Date: Mon Jun 25 17:37:45 2018 -0400
fix duplicate definition of LogoutTestCase and logoutSuite
Commit 6f617027e added a duplicate definition of the LogoutTestCase
class containing only 1 test which shaddowed the original
LogoutTestCase containing 4 tests. The logoutSuite variable was also
shadowed and the allTests variable contained a duplicate of
logoutSuite causing the 2nd definition of LogoutTestCase to be run
twice.
Not only were the original 4 tests not being run but the entire unit
test in profiles_tests.py was failing under Python3. This is because
the unittest code in Py3 deletes a test from it's list of tests to run
once it's been run. The second time the logoutSuite was invoked it no
longer contained any tests which caused an exception to be raised
because there were no tests to be run.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index 547c9e24..0ba1e56e 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -386,6 +386,21 @@ class LogoutTestCase(unittest.TestCase):
else:
self.fail('Logout processResponseMsg should have failed.')
+ def test05(self):
+ '''Test parsing of a logout request with more than one session index'''
+ content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
+ <saml:Issuer>me</saml:Issuer>
+ <saml:NameID>coin</saml:NameID>
+ <samlp:SessionIndex>id1</samlp:SessionIndex>
+ <samlp:SessionIndex>id2</samlp:SessionIndex>
+ <samlp:SessionIndex>id3</samlp:SessionIndex>
+ </samlp:LogoutRequest>'''
+
+ node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
+ assert isinstance(node, lasso.Samlp2LogoutRequest)
+ assert node.sessionIndex == 'id1'
+ assert node.sessionIndexes == ('id1', 'id2', 'id3')
+
class DefederationTestCase(unittest.TestCase):
def test01(self):
"""IDP initiated defederation; testing processNotificationMsg with non Liberty query."""
@@ -478,32 +493,15 @@ class AttributeAuthorityTestCase(unittest.TestCase):
assert aq.response.assertion[0].attributeStatement[0].attribute[0]
assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0]
-class LogoutTestCase(unittest.TestCase):
- def test01(self):
- '''Test parsing of a logout request with more than one session index'''
- content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
- <saml:Issuer>me</saml:Issuer>
- <saml:NameID>coin</saml:NameID>
- <samlp:SessionIndex>id1</samlp:SessionIndex>
- <samlp:SessionIndex>id2</samlp:SessionIndex>
- <samlp:SessionIndex>id3</samlp:SessionIndex>
- </samlp:LogoutRequest>'''
-
- node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
- assert isinstance(node, lasso.Samlp2LogoutRequest)
- assert node.sessionIndex == 'id1'
- assert node.sessionIndexes == ('id1', 'id2', 'id3')
-
serverSuite = unittest.makeSuite(ServerTestCase, 'test')
loginSuite = unittest.makeSuite(LoginTestCase, 'test')
logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
defederationSuite = unittest.makeSuite(DefederationTestCase, 'test')
identitySuite = unittest.makeSuite(IdentityTestCase, 'test')
attributeSuite = unittest.makeSuite(AttributeAuthorityTestCase, 'test')
-logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
allTests = unittest.TestSuite((serverSuite, loginSuite, logoutSuite, defederationSuite,
- identitySuite, attributeSuite, logoutSuite))
+ identitySuite, attributeSuite))
if __name__ == '__main__':
sys.exit(not unittest.TextTestRunner(verbosity = 2).run(allTests).wasSuccessful())

BIN
lasso-2.6.0.tar.gz
View File

Binary file not shown.

BIN
lasso-2.7.0.tar.gz Normal file
View File

Binary file not shown.

12
lasso-python-dont-decref-true-false.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/bindings/python/lang.py b/bindings/python/lang.py
index bd7ef70..644de23 100644
--- a/bindings/python/lang.py
+++ b/bindings/python/lang.py
@@ -739,7 +739,6 @@ register_constants(PyObject *d)
else:
print_('E: unknown constant type: %r' % c[0], file=sys.stderr)
print_(' PyDict_SetItemString(d, "%s", obj);' % c[1][6:], file=fd)
- print_(' Py_DECREF(obj);', file=fd)
print_('}', file=fd)
print_('', file=fd)

28
lasso.spec
View File

@ -1,27 +1,23 @@
Name: lasso
Version: 2.6.0
Release: 14
Version: 2.7.0
Release: 1
Summary: Liberty Alliance Single Sign On
License: GPLv2+
URL: http://lasso.entrouvert.org/
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
Requires: xmlsec1 >= 1.2.25-4
Patch1: use-specified-python-interpreter.patch
Patch2: build-scripts-py3-compatible.patch
Patch3: duplicate-python-LogoutTestCase.patch
patch4: versioned-python-configure.patch
Patch5: 0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch
Patch6000: backport-CVE-2021-28091.patch
Patch6001: 0001-Explicitly-define-tests-cases-and-add-them-to-tests.patch
Patch1: lasso-python-dont-decref-true-false.patch
BuildRequires: autoconf automake check-devel glib2-devel gtk-doc libtool
BuildRequires: libxml2-devel openssl-devel swig xmlsec1-devel >= 1.2.25-4
BuildRequires: xmlsec1-openssl-devel >= 1.2.25-4 zlib-devel jpackage-utils
BuildRequires: java-devel perl(ExtUtils::MakeMaker) perl(strict) perl(Error)
BuildRequires: java-1.8.0-openjdk-devel perl(ExtUtils::MakeMaker) perl(strict) perl(Error)
BuildRequires: perl-devel perl-generators perl(XSLoader) perl(warnings)
BuildRequires: perl(Test::More) python3 python3-devel
BuildRequires: python3-lxml python3-six libtool-ltdl-devel
Obsoletes: java-lasso < %{version}-%{release}
%description
The package is a implements the Liberty Alliance Single Sign On standards library,
includeing the SAML2 and SAML specifications. it provides bindings for multiple
@ -73,16 +69,17 @@ sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>) \
|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
%build
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
./autogen.sh
%configure --enable-php5=no --with-python=%{__python3}
%make_build CFLAGS="%{optflags}"
%check
make check
make check CK_TIMEOUT_MULTIPLIER=10
%install
%make_install exec_prefix=%{_prefix}
%delete_la
%make_install exec_prefix=%{_prefix} DESTDIR=%{buildroot}
find %{buildroot} -type f -name '*.la' -exec rm -f {} \;
find %{buildroot} -type f -name '*.a' -exec rm -f {} \;
find %{buildroot} \( -name perllocal.pod -o -name .packlist \) -exec rm -v {} \;
find %{buildroot}/usr/lib*/perl5 -type f -print |
@ -106,8 +103,6 @@ fi
%files -n perl-lasso -f lasso-perl-filelist
%files -n java-lasso
%{_libdir}/java/libjnilasso.so
%{_javadir}/lasso.jar
%files -n python3-lasso
%{python3_sitearch}/{lasso.py*,_lasso.so,__pycache__/*}
@ -116,6 +111,9 @@ fi
%doc AUTHORS NEWS README
%changelog
* Mon Oct 17 2022 wangkai <wangkai385@h-partners.com> - 2.7.0-1
- Upgrade to 2.7.0
* Fri Feb 18 2022 yangping <yangping69@huawei.com> - 2.6.0-14
- fix error:initializer element is not constant

80
use-specified-python-interpreter.patch
View File

@ -1,80 +0,0 @@
commit e3e904af7dd308fe7530773bd9ea136afc90049b
Author: John Dennis <jdennis@redhat.com>
Date: Thu Jun 21 10:49:30 2018 -0400
Use python interpreter specified configure script
The configure script allows you to specify the python interpreter to
use via the --with-python option. There were several places where the
python interpreter was implicity invoked without using the specified
version. This can create a number of problems in an environment with
multiple python versions as is the case during the transition from
Python 2 to Python 3. Python 2 is not compatible with Python
3. Lasso's Python code is supposed to be compatible with both
versions. But during the build and when running the unit tests it is
essential the same interpreter be used consistently otherwise you can
have problems.
This patch assures whenever python is invoked it does so via the
$(PYTHON) configuration variable.
What about shebang lines (e.g #/usr/bin/python) at the top of scripts?
Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers
this. Basically it says if a script is compatible only with Py2 the
shebang should be #/usr/bin/python2, if only compatible with Py3 the
shebang should be #/usr/bin/python3. However, if the script is
compatible with both versions it can continue to use the
compatible with both Py2 and Py3.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/java/Makefile.am b/bindings/java/Makefile.am
index 05e5f9ee..8de0178d 100644
--- a/bindings/java/Makefile.am
+++ b/bindings/java/Makefile.am
@@ -26,7 +26,7 @@ if WSF_ENABLED
EXTRA_ARGS = --enable-id-wsf
endif
-java_lasso_source_files := $(shell python $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
+java_lasso_source_files := $(shell $(PYTHON) $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
lasso_jardir=$(prefix)/share/java
lasso_jar_DATA=lasso.jar
diff --git a/bindings/python/tests/Makefile.am b/bindings/python/tests/Makefile.am
index 205e7613..1305f26f 100644
--- a/bindings/python/tests/Makefile.am
+++ b/bindings/python/tests/Makefile.am
@@ -11,5 +11,8 @@ if WSF_ENABLED
TESTS += idwsf1_tests.py idwsf2_tests.py
endif
+TEST_EXTENSIONS = .py
+PY_LOG_COMPILER = $(PYTHON)
+
EXTRA_DIST = profiles_tests.py binding_tests.py idwsf1_tests.py idwsf2_tests.py \
tests.py XmlTestRunner.py
diff --git a/lasso/Makefile.am b/lasso/Makefile.am
index 751f9419..49ae88a7 100644
--- a/lasso/Makefile.am
+++ b/lasso/Makefile.am
@@ -91,7 +91,7 @@ liblasso_la_LDFLAGS = -no-undefined -version-info @LASSO_VERSION_INFO@ \
endif
$(srcdir)/errors.c: $(srcdir)/errors.h $(srcdir)/build_strerror.py
- python $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
+ $(PYTHON) $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
if ! cmp -s $(srcdir)/errors.c .errors.c.new; then \
mv -f .errors.c.new $@; else \
rm .errors.c.new; fi
diff --git a/tools/check-lasso-sections.py b/tools/check-lasso-sections.py
index cb4c39c4..3a6c9880 100755
--- a/tools/check-lasso-sections.py
+++ b/tools/check-lasso-sections.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
import sys
import os.path

48
versioned-python-configure.patch
View File

@ -1,48 +0,0 @@
commit af29047480cacafaed697cb2a1fb24c5143078a8
Author: John Dennis <jdennis@redhat.com>
Date: Sat Jul 7 10:59:32 2018 -0400
Configure should search for versioned Python interpreter.
Following the guidelines in Python PEP 394 with regards to the python
command on UNIX like systems preference should be given to explicitly
versioned command interpreter as opposed to unversioned and that an
unversioned python command should (but might not) refer to
Python2. Also in some environments unversioned Python interpreters
(e.g. /usr/bin/python) do not even exist, onlyh their explicitly
versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).
Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
exclusively on an unversioned Python interpreter as it does not,
rather it should search in priority order. First for python3, then for
an unversionsed python because some distributions have already moved
the default unversioned python to python3, and then finally search for
python2. In the scenario where unversioned python is still pointing to
python2 it's equivalent to selecting the last prority option of
python2, but if unversioned python is pointing to python3 you get
instead. The net result is always preferring python3 but gracefully
falling back to python2 not matter how the environment exports it's
Python.
If AC_CHECK_PROGS for python does not check for the versioned variants
the build fails in environments that only have versioned variants with
this error:
configure: error: Python must be installed to compile lasso
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/configure.ac b/configure.ac
index 898468e6..74766972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,7 +131,7 @@ dnl AC_CHECK_PROGS(JAR, fastjar jar)
AC_CHECK_PROGS(PERL, perl)
AC_CHECK_PROGS(PHP5, php5 php)
AC_CHECK_PROGS(PHP5_CONFIG, php-config5 php-config)
-AC_CHECK_PROGS(PYTHON, python)
+AC_CHECK_PROGS(PYTHON, python3 python python2)
AC_CHECK_PROGS(SWIG, swig)
dnl Make sure we have an ANSI compiler