Python Information Card Processing
Abstract
The core code used to produce the InfoCardAcctPlugin is also available for others to use in building their own Python-based Infocard Relying Parties.
License
The extension is distributed to you under the LGPL; please note that it includes works copyrighted by others and released under permissive licenses such as BSD. Thanks to those who support open source software!
Live Sample App
Visit https://code.bandit-project.org/demo/python/rp for a live example of this sample in action, demonstrating how simple it is to adopt Information Cards.
Download
- Source code is available from http://code.bandit-project.org/svn/trunk/rp/common/python/infocard; the simplest way to get it is:
  easy_install -Z http://code.bandit-project.org/svn/trunk/rp/common/python
Code Documentation
Documentation is limited; see infocardlib, xmlseclibs, and events.
Sample
The following are snippets of code from web_ui.py in the InfoCardAcctPlugin. They show the minimal code needed to process an InformationCard. This sample mixes HTML and Python code in a way that violates the model-view-controller pattern; a real deployment would structure the code in a more maintainable form. Real documentation and samples will be coming soon.
Configuration
I am using Apache with mod_python:
<Location /demos/python/rp>
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
</Location>
Invocation Html
Trivial HTML which displays just an icon and requests a single claim to be returned in a SAML token.
<html>
  <head>
    <title>Sample InfoCard Form</title>
  </head>
  <body>
    <form name="infocard" id="infocard" method="post" action="process_infocard.psp">
      <center> <img src='infocard_92x64.png' onClick='infocard.submit()'/> </center>
      <OBJECT type="application/x-informationCard" name="xmlToken">
        <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
        <PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
      </OBJECT>
    </form>
  </body>
</html>
Processing Code (.psp)
The sample is checked in to the repository.
<html>
<head><title>Processed InformationCard</title></head>
<body>
<%
from mod_python import apache
import logging
# Alternative when the library is not installed as a package:
#xmlseclibs = apache.import_module("xmlseclibs", path=["./infocard/"])
#infocardlib = apache.import_module("infocardlib", path=["./infocard/"])
from infocard import infocardlib

# Set up a generic processor which may be reused for many validation requests.
processor = infocardlib.InfoCardProcessor()
if processor:
    processor.setClaims("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", None)
    processor.setOptions({'INFO' : 'parse-locate-encrypted'})
    # Process and validate the specific token posted by the identity selector.
    # 'form' and 'req' are supplied by mod_python PSP.
    secToken = processor.processToken(form.getfirst('xmlToken', ''))
    if secToken:
        if secToken.isValid:
            # The card's key hash (not used further in this minimal sample).
            cardkeyhash = secToken.getMetaDataValues(infocardlib.META_CardKeyHash)
            req.write("<h1>It worked - Token is valid!</h1>")
        else:
            req.write("<h1>Token is not valid!</h1>")
        # endif block
        req.write("<h2>Events</h2>")
        for event in secToken.eventLog.events:
            req.write(" %s : %s : %s<br>" % (logging.getLevelName(event.severity),
                                             event.tag, event.text))
        req.write("<h2>Claims</h2>")
        claims = secToken.getAssertionValues()
        for name in claims.keys():
            req.write(name + " :: " + claims[name] + "<br>")
        req.write("<h2>Metadata</h2>")
        metadata = secToken.getMetaDataValues()
        for name in metadata.keys():
            req.write(name + " :: " + metadata[name] + "<br>")
    else:
        req.write("<h2>Fatal Error Processing Token</h2>")
    # endif block
# endif block
%>
</body>
</html>
Configuration Options
Keys
Events
Events of varying severity are reported by the InformationCard and XMLSec processing; these events are accessible to the caller of the Python InfoCard code. It is our hope that all event messages above the level of event.INFO are displayed to the user. These messages should be actionable.
The default for most security-related events is either error or fatal; sometimes, however, it is desirable during testing to allow security tokens to be accepted despite potentially critical events.
The events page contains a list of the event levels; for usage, see the sample.
Deployment
Dependencies
I have found that when run on Apache it is often better to use the expanded version of .egg files; this can be accomplished by using the -Z option with easy_install.
- Some form of Python XML with DOM and XPath support, tested with PyXML
- m2crypto as a Python wrapper to OpenSSL, which must also be installed. m2crypto also requires SWIG
- Systems running Python older than 2.5 require hashlib
For simple creation, distribution and installation of egg files I recommend having a recent version of setuptools installed.
Known limitations
This is a list of all logged tickets for the Python RP as well as the Trac plugin, so not all tickets may apply to the common area.
- #278: Python RP should properly handle expected claims with attached attributes
- #280: RP should be reviewed for potential injection attacks
- #281: Python RP should handle special chars in claim values
- #282: Python RP should be enhanced to support SAML 2.0 tokens
- #287: Python RP should verify that no namespaces are used which are not part of the inclusive namespaces element
- #288: TRAC RP should have better identity selector and browser add-on support
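A hardened form of the sample's output code, added here as an example for the injection and special-character tickets listed above (it is not part of the original page or of the infocardlib project). Every value taken from the token is escaped before it is written into HTML, and, following the events recommendation, only events above INFO are shown by default. The token object is a constructed stand-in that models only the attributes the sample uses, and the code targets Python 3's html module rather than the Python 2 / mod_python environment of the sample.

```python
import html
import logging

# Constructed stand-in for the object returned by InfoCardProcessor.processToken().
# Only the attributes the sample uses are modelled; this is not the infocardlib code.
class Event:
    def __init__(self, severity, tag, text):
        self.severity, self.tag, self.text = severity, tag, text

class EventLog:
    def __init__(self, events):
        self.events = events

class FakeToken:
    def __init__(self, is_valid, events, claims):
        self.isValid = is_valid
        self.eventLog = EventLog(events)
        self._claims = claims
    def getAssertionValues(self):
        return dict(self._claims)

def render_token(sec_token, min_severity=logging.WARNING):
    """Build the result page body; every value taken from the token is escaped."""
    parts = ["<h1>%s</h1>" % ("Token is valid" if sec_token.isValid
                               else "Token is not valid")]
    parts.append("<h2>Events</h2>")
    for ev in sec_token.eventLog.events:
        if ev.severity < min_severity:   # show only events above INFO by default
            continue
        parts.append("%s : %s : %s<br>" % (logging.getLevelName(ev.severity),
                                           html.escape(str(ev.tag)),
                                           html.escape(str(ev.text))))
    parts.append("<h2>Claims</h2>")
    for name, value in sorted(sec_token.getAssertionValues().items()):
        # Claim names and values come from the identity provider's token, i.e.
        # from the network; escape both before embedding them in HTML.
        parts.append("%s :: %s<br>" % (html.escape(name), html.escape(str(value))))
    return "\n".join(parts)

# Constructed sample: a claim value containing markup, as ticket #281 describes.
SAMPLE_TOKEN = FakeToken(
    True,
    [Event(logging.INFO, "parse", "token parsed"),
     Event(logging.WARNING, "audience", "audience <restriction> not checked")],
    {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier":
     "id-<b>123</b>&co"},
)

if __name__ == "__main__":
    print(render_token(SAMPLE_TOKEN))
```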
Testing
In addition to the unit tests and developer tests, this code was also exercised at an OSIS interop event; all issues identified at that event have been resolved.
Testing has been primarily on openSUSE versions of Linux.
History
See the InfoCardAcctPlugin history as well.
- v0.2: Fixes to infocard validity checking: empty tokens, unknown token type, missing audience, incorrect audience, missing claims, additional claims, missing NotOnOrAfter or NotBefore. Support for SAML 1.0 and 1.1 namespaces.
- v0.1.2: Changed errors and exceptions to events which don't stop processing. Added the ability to upgrade or downgrade the severity of any of the events which are generated while parsing the token.
- v0.1.1: Fixed several issues with keys, removed some small bits of unconverted PHP, added support for inclusive namespaces, and fixed processing errors found at the OSIS interop.
- v0.1: Base code from =Rob.Richards
Author/Contributors
Authors: =Rob.Richards, dbuss, bandit-dev
Contributors: Get involved, we would love to see your name here!