
signed_instance_factory fails with an error deep in xml.etree tostring #1004

@valpackett

Description

Just trying to use SATOSA, specifically the satosa-saml-proxy container, and when signing the response it explodes several stack frames deep into xml.etree (!):

[2025-08-16 05:02:33,354][ERROR][satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/satosa/base.py", line 268, in run
    resp = self._run_bound_endpoint(context, spec)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/base.py", line 193, in _run_bound_endpoint
    return spec(context)
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/backends/idpy_oidc.py", line 111, in response_endpoint
    return self.auth_callback_func(context, internal_resp)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/base.py", line 164, in _auth_resp_callback_func
    return self._auth_resp_finish(context, internal_response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/base.py", line 133, in _auth_resp_finish
    return frontend.handle_authn_response(context, internal_response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/frontends/saml2.py", line 88, in handle_authn_response
    return self._handle_authn_response(context, internal_response, self.idp)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/frontends/saml2.py", line 464, in _handle_authn_response
    resp = idp.create_authn_response(**args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/server.py", line 861, in create_authn_response
    return self._authn_response(
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/server.py", line 591, in _authn_response
    return self._response(
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/entity.py", line 918, in _response
    return self.sign(response, to_sign=to_sign, sign_alg=sign_alg, digest_alg=digest_alg)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/entity.py", line 524, in sign
    return signed_instance_factory(msg, self.sec, to_sign)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/sigver.py", line 328, in signed_instance_factory
    signed_xml = instance.to_string()
                 ^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/saml2/__init__.py", line 670, in to_string
    return ElementTree.tostring(self._to_element_tree(), encoding="UTF-8")
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 1084, in tostring
    ElementTree(element).write(stream, encoding,
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 729, in write
    serialize(write, self._root, qnames, namespaces,
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 892, in _serialize_xml
    _serialize_xml(write, e, qnames, None,
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 892, in _serialize_xml
    _serialize_xml(write, e, qnames, None,
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 892, in _serialize_xml
    _serialize_xml(write, e, qnames, None,
  [Previous line repeated 1 more time]
  File "/usr/local/lib/python3.12/xml/etree/ElementTree.py", line 890, in _serialize_xml
    write(_escape_cdata(text))
TypeError: write() argument must be str, not list
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/satosa/proxy_server.py", line 160, in __call__
    resp = self.run(context)
           ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/satosa/base.py", line 366, in run
    raise SATOSAUnknownError("Unknown error") from e

I think this might be because of the handmade metadata XML I provided (are parts of it directly included in responses?)

<EntityDescriptor ID="_2240bd9c-30c4-4d2a-ab3e-87a94ea334fd" entityID="https://XXX/sp"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
                        MIIDXXX==
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://XXX/saml/acs"/>
    </SPSSODescriptor>
</EntityDescriptor>

but whatever the actual error is, it should be caught way earlier…
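The `TypeError: write() argument must be str, not list` at the bottom of the traceback is what `xml.etree.ElementTree.tostring()` raises when some element's `.text` (or `.tail`) holds a list instead of a string: `_escape_cdata()` happily does its `in` membership tests on a list and hands it to the writer, which then rejects it. The example below is an added illustration, not SATOSA or pysaml2 code, and it makes no claim about how pysaml2 built the offending tree. It reproduces the same `TypeError` on a constructed tree whose `X509Certificate` text is a list, shows that the metadata as posted parses and re-serializes without trouble, and adds a pre-serialization walk that reports the path of the bad node so the failure surfaces with a useful message instead of deep inside ElementTree.

```python
# Added example (not pysaml2/SATOSA code): reproduce the ElementTree failure
# from the traceback and show a check that catches it before serialization.
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed copy of the metadata from the report (placeholders kept as-is).
POSTED_METADATA = """<EntityDescriptor ID="_2240bd9c-30c4-4d2a-ab3e-87a94ea334fd" entityID="https://XXX/sp"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
                        MIIDXXX==
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://XXX/saml/acs"/>
    </SPSSODescriptor>
</EntityDescriptor>
"""


def build_good_tree() -> ET.Element:
    """Parse the posted metadata; all text/tail values are str (or None)."""
    return ET.fromstring(POSTED_METADATA)


def build_bad_tree() -> ET.Element:
    """Constructed sample: same shape, but X509Certificate.text is a list.

    This is an assumption about the shape of the failing object (text must be
    str, got list), not a claim about how pysaml2 produced it.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID="https://XXX/sp")
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor")
    kd = ET.SubElement(spsso, f"{{{MD_NS}}}KeyDescriptor", use="signing")
    ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    x509data = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    cert = ET.SubElement(x509data, f"{{{DS_NS}}}X509Certificate")
    cert.text = ["MIIDXXX=="]  # wrong type: a list, not a str
    return root


def serialize_error(root: ET.Element) -> Optional[str]:
    """Return the TypeError message tostring() raises, or None if it succeeds."""
    try:
        ET.tostring(root, encoding="UTF-8")
        return None
    except TypeError as exc:
        return str(exc)


def find_non_str_text(root: ET.Element) -> List[Tuple[str, str, str]]:
    """Walk the tree; report (path, field, typename) for every .text/.tail
    that is neither None nor str. Empty list means tostring() will not hit
    the 'argument must be str' failure."""
    problems: List[Tuple[str, str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        for field in ("text", "tail"):
            value = getattr(elem, field)
            if value is not None and not isinstance(value, str):
                problems.append((here, field, type(value).__name__))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return problems


def check_before_serialize(root: ET.Element) -> bytes:
    """Fail early with a pointer to the bad node instead of deep in ElementTree."""
    problems = find_non_str_text(root)
    if problems:
        path, field, typename = problems[0]
        raise ValueError(f"non-string {field} ({typename}) at {path}")
    return ET.tostring(root, encoding="UTF-8")


if __name__ == "__main__":
    print("posted metadata serializes:", serialize_error(build_good_tree()) is None)
    print("bad tree error:", serialize_error(build_bad_tree()))
    try:
        check_before_serialize(build_bad_tree())
    except ValueError as exc:
        print("caught early:", exc)
```

Running the module prints the same `write() argument must be str, not list` message for the constructed tree, while the posted metadata (leading and trailing whitespace around the certificate included) round-trips cleanly, since whitespace is still a `str`. The early check reports the full namespaced path down to `X509Certificate`, which is the kind of message a signing layer could raise before handing the tree to `tostring()`.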
