Skip to content

Fix AttributeError and signature mangling during construction of SOAP request#834

Merged
c00kiemon5ter merged 3 commits intoIdentityPython:masterfrom
mheuwes:soap-fixes
Nov 22, 2021
Merged

Fix AttributeError and signature mangling during construction of SOAP request#834
c00kiemon5ter merged 3 commits intoIdentityPython:masterfrom
mheuwes:soap-fixes

Conversation

@mheuwes
Copy link
Copy Markdown
Contributor

@mheuwes mheuwes commented Nov 16, 2021
edited
Loading

Currently, sending SOAP requests using pysaml2 is near-impossible, because two bugs exist:

  1. IDP.apply_binding for soap without sign=True and a pre-signed Message mangles/destroys the signature by removing the line-ends within the signature.
  2. IDP.apply_binding's implementation of signing using use_soap does not work currently, because instead of node_name, class_name is passed as a parameter to securitycontext.sign_statement, and is raising an AttributeError
    These two bugs are fixed with this PR

All Submissions:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what problem you are trying to solve with this PR?
  • Have you added information on what your changes do and why you chose this as your solution?
  • Have you written new tests for your changes?
  • Does your submission pass tests?
  • This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

@c00kiemon5ter c00kiemon5ter changed the title Fixing attributeerror and signature mangling while constructing soap requests Fix AttributeError and signature mangling during construction of SOAP request Nov 16, 2021
@mheuwes mheuwes force-pushed the soap-fixes branch 2 times, most recently from 640fad3 to c95093d Compare November 16, 2021 16:38
@c00kiemon5ter c00kiemon5ter added the next-release should become part of the next release label Nov 22, 2021
@c00kiemon5ter c00kiemon5ter merged commit 72e69e4 into IdentityPython:master Nov 22, 2021
@c00kiemon5ter c00kiemon5ter mentioned this pull request Nov 30, 2021
Closed
@vladimir-mencl-eresearch vladimir-mencl-eresearch mentioned this pull request Dec 12, 2024
Merged
4 tasks
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 18, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
aad06dc 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 25, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
557ecc7 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 25, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
2979cd6 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    IdentityPython/pysaml2#947

Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 25, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
fd8ec24 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    IdentityPython/pysaml2#947

Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 25, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
624e49b 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    IdentityPython/pysaml2#947

Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Sep 25, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
11aa5ac 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    IdentityPython/pysaml2#947

Hopefully this can be temporary.
jonathanperret added a commit to proconnect-gouv/oidc2fer that referenced this pull request Nov 21, 2025
@jonathanperret
📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
138bc43 
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
    IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
   IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    IdentityPython/pysaml2#947

Hopefully this can be temporary.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

next-release should become part of the next release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mheuwes @c00kiemon5ter