Several improvements in html templates and spid validation

- fix: spid validator tests 94, 95, 96 and 97 - fix: html template statics
italia · Jun 22, 2021 · 052a56a · 052a56a
1 parent 9430755
commit 052a56a
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/example/backends/spidsaml2.py b/example/backends/spidsaml2.py
@@ -556,7 +556,8 @@ def authn_response(self, context, binding):
                             requester = requester,
                             accepted_time_diff = accepted_time_diff,
                             authn_context_class_ref=authn_context_classref,
-                            return_addrs=authn_response.return_addrs
+                            return_addrs=authn_response.return_addrs,
+                            allowed_acrs = self.config['spid_allowed_acrs']
         )
         try:
             validator.run()

diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
@@ -34,7 +34,8 @@ def __init__(self, authn_response='', issuer='',
                  in_response_to='',
                  requester='',
                  authn_context_class_ref='https://www.spid.gov.it/SpidL2',
-                 return_addrs = []):
+                 return_addrs = [],
+                 allowed_acrs = []):
 
         self.response = samlp.response_from_string(authn_response)
         self.nameid_formats = nameid_formats
@@ -45,7 +46,7 @@ def __init__(self, authn_response='', issuer='',
         self.requester = requester
         self.return_addrs = return_addrs
         self.issuer = issuer
-
+        self.allowed_acrs = allowed_acrs
 
     # handled adding authn req arguments in the session state (cookie)
     def validate_in_response_to(self):
@@ -269,8 +270,9 @@ def validate_assertion_authn_statement(self):
                     f'{_ERROR_TROUBLESHOOT}'
                 )
 
-            # 90, 92, 93
+
             for authns in i.authn_statement:
+                # 90, 92, 93
                 if not hasattr(authns, 'authn_context') or \
                    not getattr(authns, 'authn_context', None) or \
                    not hasattr(authns.authn_context, 'authn_context_class_ref') or \
@@ -290,12 +292,12 @@ def validate_assertion_authn_statement(self):
                         level_sp = int(self.authn_context_class_ref[-1])
                         level_idp = int(authns.authn_context.authn_context_class_ref.text.strip().replace('\n', '')[-1])
                         if level_idp < level_sp:
-                            raise SpidError(_msg)
+                            raise SPIDValidatorException(_msg)
                     except Exception as e:
-                        raise SpidError(_msg)
+                        raise SPIDValidatorException(_msg)
 
                 # 97
-                if authns.authn_context.authn_context_class_ref.text != self.authn_context_class_ref:
+                if authns.authn_context.authn_context_class_ref.text not in self.allowed_acrs:
                     raise SPIDValidatorException(
                         'Assertion authn_statement.authn_context.authn_context_class_ref is missing/invalid. '
                         f'{_ERROR_TROUBLESHOOT}'

diff --git a/example/plugins/backends/spidsaml2_backend.yaml b/example/plugins/backends/spidsaml2_backend.yaml
@@ -12,6 +12,11 @@ config:
   # make metadata downloadable from entityid url
   entityid_endpoint: true
 
+  spid_allowed_acrs:
+    - https://www.spid.gov.it/SpidL1
+    - https://www.spid.gov.it/SpidL2
+    - https://www.spid.gov.it/SpidL3
+
   acr_mapping:
     "": 'https://www.spid.gov.it/SpidL2'
     # specify AuthnContext per IdP