diff --git a/.gitignore b/.gitignore
index 1941be8..f86e33b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,6 @@
 *.pyc
 *.pyo
 *.egg-info
+
+# Sphinx
+/docs/_build
diff --git a/docs/Makefile b/docs/Makefile
new file mode 100644
index 0000000..10dbbc7
--- /dev/null
+++ b/docs/Makefile
@@ -0,0 +1,192 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = _build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
+
+help:
+ @echo "Please use \`make ' where is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " applehelp to make an Apple Help Book"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " xml to make Docutils-native XML files"
+ @echo " pseudoxml to make pseudoxml-XML files for display purposes"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+ @echo " coverage to run coverage check of the documentation (if enabled)"
+
+clean:
+ rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/python-saml.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/python-saml.qhc"
+
+applehelp:
+ $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+ @echo
+ @echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+ @echo "N.B. You won't be able to view it unless you put it in" \
+ "~/Library/Documentation/Help or install it in your application" \
+ "bundle."
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/python-saml"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/python-saml"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+latexpdfja:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through platex and dvipdfmx..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
+
+coverage:
+ $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+ @echo "Testing of coverage in the sources finished, look at the " \
+ "results in $(BUILDDIR)/coverage/python.txt."
+
+xml:
+ $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+ @echo
+ @echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+pseudoxml:
+ $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+ @echo
+ @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
diff --git a/docs/conf.py b/docs/conf.py
new file mode 100644
index 0000000..82fce68
--- /dev/null
+++ b/docs/conf.py
@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+
+import sys
+import os
+
+sys.path.insert(0, os.path.abspath('../'))
+
+from saml import __version__ # noqa
+
+extensions = [
+ 'sphinx.ext.autodoc',
+ 'sphinx.ext.coverage',
+ 'sphinx.ext.ifconfig',
+ 'sphinx.ext.viewcode',
+]
+
+templates_path = ['_templates']
+source_suffix = ['.rst']
+master_doc = 'index'
+
+project = u'python-saml'
+copyright = u'2015, Ryan Leckey'
+author = u'Ryan Leckey'
+
+version = __version__
+release = version
+
+exclude_patterns = ['_build']
+pygments_style = 'sphinx'
+todo_include_todos = False
+html_theme = 'alabaster'
+html_static_path = ['_static']
+htmlhelp_basename = 'python-samldoc'
+latex_elements = {}
+
+latex_documents = [
+ (master_doc, 'python-saml.tex', u'python-saml Documentation',
+ u'Ryan Leckey', 'manual'),
+]
+
+man_pages = [
+ (master_doc, 'python-saml', u'python-saml Documentation',
+ [author], 1)
+]
+
+texinfo_documents = [
+ (master_doc, 'python-saml', u'python-saml Documentation',
+ author, 'python-saml', 'One line description of project.',
+ 'Miscellaneous'),
+]
diff --git a/docs/contributing.rst b/docs/contributing.rst
new file mode 100644
index 0000000..760c1d0
--- /dev/null
+++ b/docs/contributing.rst
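Review bot: `clean` runs `rm -rf $(BUILDDIR)/*` with no guard on `BUILDDIR`, which the header comment explicitly invites users to set from the command line; `make clean BUILDDIR=` expands that recipe to `rm -rf /*`. Add a guard as the first recipe line, `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))`, before the `rm`. Two smaller points in the same hunk: the `info` target runs a literal `make -C $(BUILDDIR)/texinfo info` where `latexpdf` and `latexpdfja` correctly use `$(MAKE)`, so `-n` and the jobserver are not propagated to the sub-make there; and the `.PHONY` list omits `applehelp`, `latexpdfja`, `info`, `xml` and `pseudoxml`, so a stray file with one of those names would make the target look up to date and silently do nothing.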
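Review bot: `texinfo_documents` still carries the sphinx-quickstart placeholder `'One line description of project.'`; either replace it with a real one-line summary of the project or drop the texinfo entry. `html_static_path = ['_static']` and `templates_path = ['_templates']` point at directories this commit does not add (git does not track empty directories), and Sphinx emits a warning on every build for a missing `html_static_path` entry, so either add a placeholder file under `docs/_static` or remove the setting until it is needed.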
@@ -0,0 +1,29 @@
+Contributing
+============
+
+Setting up your environment
+---------------------------
+
+1. Fork the repository
+2. Clone your fork
+3. `Create a virtual environment `_.
+4. Install **python-saml** in development mode with testing enabled. This will download all dependencies required for running the unit tests.
+::
+ pip install -e ".[test]"
+5. Make changes with tests and documentation
+6. Open a pull request
+
+Running the tests
+-----------------
+
+Tests are run with `py.test`.
+::
+ py.test --pep8 --flakes --cov saml
+
+Testing documentation changes
+-----------------------------
+
+Documentation is handled with `Sphinx `_. Use the `make html` command in the `docs` directory to build an HTML preview of the documentation.
+::
+ cd docs
+ make html
diff --git a/docs/creating_documents.rst b/docs/creating_documents.rst
new file mode 100644
index 0000000..30ac7d8
--- /dev/null
+++ b/docs/creating_documents.rst
@@ -0,0 +1,4 @@
+Creating Documents
+==================
+
+.. automodule:: saml.schema
diff --git a/docs/index.rst b/docs/index.rst
new file mode 100644
index 0000000..c6dcda4
--- /dev/null
+++ b/docs/index.rst
@@ -0,0 +1,22 @@
+Python-SAML Documentation
+=========================
+
+.. automodule:: saml
+
+Contents:
+
+.. toctree::
+ :maxdepth: 2
+
+ installation
+ creating_documents
+ signing_documents
+ contributing
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
diff --git a/docs/installation.rst b/docs/installation.rst
new file mode 100644
index 0000000..c4ddc74
--- /dev/null
+++ b/docs/installation.rst
@@ -0,0 +1,44 @@ +Installation +============ + +Supported platforms +------------------- + - Python 2.7 + - Python 3.3 + - Python 3.4 + +Dependencies +------------ + +In order to sign and verify signatures, `libxml2` and `libxmlsec` are required. + +Linux +:: + apt-get install libxml2-dev libxmlsec1-dev + +Mac +:: + brew install libxml2 libxmlsec1 + + +Installing an official release +------------------------------ + +The most recent release is available from PyPI +:: + pip install saml + +Installing the development version +---------------------------------- + +1. Clone the **python-saml** repository +:: + git clone git://github.com/mehcode/python-saml.git + +2. Change into the project directory +:: + cd python-saml + +3. Install the project and all its dependencies using `pip` +:: + pip install . diff --git a/docs/signing_documents.rst b/docs/signing_documents.rst new file mode 100644 index 0000000..999881b --- /dev/null +++ b/docs/signing_documents.rst @@ -0,0 +1,4 @@ +Signing Documents +================= + +.. automodule:: saml.signature diff --git a/saml/__init__.py b/saml/__init__.py index c15af75..443aaf5 100644 --- a/saml/__init__.py +++ b/saml/__init__.py @@ -1,11 +1,9 @@ # -*- coding: utf-8 -*- -"""Security Assertion Markup Language (SAML) v2.0 - +""" A python interface to produce and consume Security Assertion Markup Language (SAML) v2.0 messages. -@par References - - https://www.oasis-open.org/standards#samlv2.0 +See: https://www.oasis-open.org/standards#samlv2.0 """ # Version of the library. from ._version import __version__, __version_info__ # noqa diff --git a/saml/schema/__init__.py b/saml/schema/__init__.py index 7172147..1ea6bdd 100644 --- a/saml/schema/__init__.py +++ b/saml/schema/__init__.py 
@@ -1,4 +1,25 @@ # -*- coding: utf-8 -*- + +""" +Create XML documents in accordance with the SAML 2.0 specification + +AuthnRequest +------------ +.. autoclass:: saml.schema.AuthenticationRequest + +Response +-------- +.. autoclass:: saml.schema.Response + +LogoutRequest +------------- +.. autoclass:: saml.schema.LogoutRequest + +LogoutResponse +-------------- +.. autoclass:: saml.schema.LogoutResponse +""" + from .meta import version as VERSION # noqa from .saml import * # noqa from .samlp import * # noqa diff --git a/saml/schema/samlp.py b/saml/schema/samlp.py index 4f938f8..41fb604 100644 --- a/saml/schema/samlp.py +++ b/saml/schema/samlp.py @@ -80,6 +80,44 @@ class Protocol: class AuthenticationRequest(_Message): + """ + Create a SAML AuthnRequest + :: + from saml import schema + from datetime import datetime + + document = schema.AuthenticationRequest() + document.id = '11111111-2222-3333-4444-555555555555' + document.issue_instant = datetime(2000, 1, 1) + document.assertion_consumer_service_index = 0 + document.attribute_consuming_service_index = 0 + document.issuer = 'https://sp.example.com/SAML2' + + policy = schema.NameIDPolicy() + policy.allow_create = True + policy.format = schema.NameID.Format.TRANSIENT + document.policy = policy + + print document.tostring() + + Produces the following XML document: + + .. code-block:: xml + + + https://sp.example.com/SAML2 + + + """ class Meta: name = 'AuthnRequest' 
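Review bot: The example in the new `AuthenticationRequest` docstring ends with `print document.tostring()`, which is Python 2 statement syntax, while docs/installation.rst in this same commit lists Python 3.3 and 3.4 as supported platforms; `print(document.tostring())` runs on both. The same line appears in the `Response`, `LogoutRequest` and `LogoutResponse` examples in the later samlp.py hunks. The signature.py example in this commit serialises the same kind of document with `document.serialize()` rather than `tostring()`; if only one of those methods exists on the schema classes, one set of examples will not run, so that is worth checking against the class. The class body continues outside the hunk.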
@@ -236,8 +274,113 @@ class StatusResponse(_Message): class Response(StatusResponse): """ - Used when a response consists of a list of zero or more assertions - that satisfy the request. + Create a SAML Response + :: + from saml import schema + from datetime import datetime + + document = schema.Response() + document.id = '11111111-1111-1111-1111-111111111111' + document.in_response_to = '22222222-2222-2222-2222-222222222222' + document.issue_instant = datetime(2000, 1, 1, 1) + document.issuer = 'https://idp.example.org/SAML2' + document.destination = 'https://sp.example.com/SAML2/SSO/POST' + document.status.code.value = schema.StatusCode.SUCCESS + + # Create an assertion for the response. + document.assertions = assertion = schema.Assertion() + assertion.id = '33333333-3333-3333-3333-333333333333' + assertion.issue_instant = datetime(2000, 1, 1, 2) + assertion.issuer = 'https://idp.example.org/SAML2' + + # Create a subject. + assertion.subject = schema.Subject() + assertion.subject.principal = '44444444-4444-4444-4444-444444444444' + assertion.subject.principal.format = schema.NameID.Format.TRANSIENT + data = schema.SubjectConfirmationData() + data.in_response_to = '22222222-2222-2222-2222-222222222222' + data.not_on_or_after = datetime(2000, 1, 1, 1, 10) + data.recipient = 'https://sp.example.com/SAML2/SSO/POST' + confirmation = schema.SubjectConfirmation() + confirmation.data = data + assertion.subject.confirmation = confirmation + + # Create an authentication statement. + statement = schema.AuthenticationStatement() + assertion.statements.append(statement) + statement.authn_instant = datetime(2000, 1, 1, 1, 3) + statement.session_index = '33333333-3333-3333-3333-333333333333' + reference = schema.AuthenticationContextReference + statement.context.reference = reference.PASSWORD_PROTECTED_TRANSPORT + + # Create a authentication condition. 
+ assertion.conditions = conditions = schema.Conditions() + conditions.not_before = datetime(2000, 1, 1, 1, 3) + conditions.not_on_or_after = datetime(2000, 1, 1, 1, 9) + condition = schema.AudienceRestriction() + condition.audiences = 'https://sp.example.com/SAML2' + conditions.condition = condition + + print document.tostring() + + Produces the following XML document: + + .. code-block:: xml + + + https://idp.example.org/SAML2 + + + + + https://idp.example.org/SAML2 + + + 44444444-4444-4444-4444-444444444444 + + + + + + + + + https://sp.example.com/SAML2 + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes: + PasswordProtectedTransport + + + + + """ # Specifies an assertion by value, or optionally an encrypted assertion @@ -281,8 +424,44 @@ class SessionIndex(Base): class LogoutRequest(_Message): """ - A session participant or session authority sends a - message to indicate that a session has been terminated. + Create a SAML LogoutRequest + :: + from saml import schema + from datetime import datetime + + document = schema.LogoutRequest() + document.id = '11111111-1111-1111-1111-111111111111' + document.issue_instant = datetime(2000, 1, 1) + document.issuer = 'https://idp.example.org/SAML2' + document.destination = 'https://sp.example.org/SAML2/logout' + document.principal = 'myemail@mydomain.com' + document.principal.format = schema.NameID.Format.EMAIL + document.principal.name_qualifier = 'https://idp.example.org/SAML2' + document.session_index = 'SESSION-22222222-2222-2222-2222-222222222222' + + print document.tostring() + + Produces the following XML document: + + .. code-block:: xml + + + https://idp.example.org/SAML2 + + myemail@mydomain.com + + + SESSION-22222222-2222-2222-2222-222222222222 + + """ # The time at which the request expires, after which the recipient 
@@ -305,6 +484,37 @@ class LogoutRequest(_Message): class LogoutResponse(StatusResponse): """ - The message returned to the client when all sessions have been - terminated by a . + Create a SAML LogoutResponse + :: + from saml import schema + from datetime import datetime + + document = schema.LogoutResponse() + document.id = '22222222-2222-2222-2222-222222222222' + document.in_response_to = '11111111-1111-1111-1111-111111111111' + document.issue_instant = datetime(2000, 1, 1) + document.issuer = 'https://idp.example.org/SAML2' + document.destination = 'https://sp.example.com/SAML2/SLO/POST' + document.status.code.value = schema.StatusCode.SUCCESS + + print document.tostring() + + Produces the following XML document: + + .. code-block:: xml + + + https://idp.example.org/SAML2 + + + + """ diff --git a/saml/signature.py b/saml/signature.py index 3eb8a8c..8f02294 100644 --- a/saml/signature.py +++ b/saml/signature.py 
@@ -1,7 +1,78 @@ # -*- coding: utf-8 -*- +""" +Sign and verify signatures using the `python-xmlsec` library. + +.. autofunction:: sign +.. autofunction:: verify +""" + def sign(xml, stream, password=None): + """ + Sign an XML document with the given private key file. This will add a + element to the document. + + :param lxml.etree._Element xml: The document to sign + :param file stream: The private key to sign the document with + :param str password: The password used to access the private key + + :rtype: None + + Example usage: + :: + from saml import schema + from lxml import etree + + document = schema.AuthenticationRequest() + xml_document = document.serialize() + with open('my_key_file.pem', 'r+') as stream: + sign(xml_document, stream) + + print etree.tostring(xml_document) + + Produces the following XML document: + + .. code-block:: xml + + + + + + + + + + + + + 94O1FOjRE4JQYVDqStkYzne9StQ= + + + + + aFYRRjtB3bDyLLJzLZmsn0K4SXmOpFYJ+8R8D31VojgiF37FOElbE56UFbm8BAjn + l2AixrUGXP4djxoxxnfBD/reYw5yVuIVXlMxKec784nF2V4GyrfwJOKaNmlVPkq5 + c8SI+EkKJ02mwiail0Zvjb9FzwvlYD+osMSXvJXVqnGHQDVFlhwbBRRVB6t44/M3 + TzC4mLSVhuvcpsm4GTQSpGkHP7HvweKN/OTc0aTy8Kh/YUrImwnUCii+J0EW4nGg + 71eZyq/IiSPnTD09WDHsWe3g29kpicZXqrQCWeLE2zfVKtyxxs7PyEmodH19jXyz + wh9hQ8t6PFO47Ros5aV0bw== + + + + """ + # Import xmlsec here to delay initializing the C library in # case we don't need it. import xmlsec @@ -29,8 +100,8 @@ def sign(xml, stream, password=None): # Create a digital signature context (no key manager is needed). ctx = xmlsec.SignatureContext() - # Load private key (assuming that there is no password). - key = xmlsec.Key.from_memory(stream, xmlsec.KeyFormat.PEM) + # Load private key. + key = xmlsec.Key.from_memory(stream, xmlsec.KeyFormat.PEM, password) # Set the key on the context. ctx.key = key 
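Review bot: The usage example in `sign`'s new docstring opens the private key with `open('my_key_file.pem', 'r+')`, i.e. read-write; nothing in the example writes to the key, and showing readers a writable handle on key material is an easy way to truncate or corrupt it by mistake, so the example should read `with open('my_key_file.pem', 'rb') as stream:`. The docstring also declares `:rtype: None`, but the function body continues outside the hunk, so the return value cannot be confirmed from here; if `sign` does return something, the docstring is now wrong.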
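Review bot: `key = xmlsec.Key.from_memory(stream, xmlsec.KeyFormat.PEM, password)` is passed `stream`, which the new docstring above types as `file`, yet a loader named `from_memory` (as opposed to `from_file`) would normally expect the key bytes; either the argument or the documented parameter type is off, so if a file object is intended pass `stream.read()`, otherwise document `stream` as `bytes`. Since the password is now forwarded, the replaced comment `# Load private key.` could say what the old one did about the unencrypted case, e.g. `# Load private key; password may be None for an unencrypted PEM key.`. The rest of `sign` lies outside the hunk.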
@@ -40,6 +111,17 @@ def sign(xml, stream, password=None): def verify(xml, stream): + """ + Verify the signaure of an XML document with the given certificate. + Returns `True` if the document is signed with a valid signature. + Returns `False` if the document is not signed or if the signature is + invalid. + + :param lxml.etree._Element xml: The document to sign + :param file stream: The private key to sign the document with + + :rtype: Boolean + """ # Import xmlsec here to delay initializing the C library in # case we don't need it. import xmlsec
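Review bot: The new `verify` docstring's parameter lines are copied from `sign`: `:param lxml.etree._Element xml: The document to sign` and `:param file stream: The private key to sign the document with`, while the summary says the function verifies against a certificate. For a verification routine the reader needs to know exactly which key material is trusted, so these should read `:param lxml.etree._Element xml: The document to verify` and `:param file stream: The certificate (public key) used to check the signature`. Also `signaure` in the first line should be `signature`, and `:rtype: bool` is the conventional spelling. The function body continues outside the hunk, so whether an unsigned document really yields `False` rather than an exception cannot be confirmed here.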