commit: e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
AuthorDate: Fri Feb 28 16:28:00 2020 +0000 |
Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Fri Feb 28 16:29:44 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a247aa |
|
dev-python/pysaml2: 4.6.5-r1 added fast stable for CVE-2020-5390 |
|
Bug: https://bugs.gentoo.org/710732 |
Package-Manager: Portage-2.3.84, Repoman-2.3.20 |
RepoMan-Options: --force |
Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org> |
|
dev-python/pysaml2/files/cve-2020-5390.patch | 189 +++++++++++++++++++++++++++ |
dev-python/pysaml2/metadata.xml | 2 +- |
dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild | 42 ++++++ |
3 files changed, 232 insertions(+), 1 deletion(-) |
|
20 |
diff --git a/dev-python/pysaml2/files/cve-2020-5390.patch b/dev-python/pysaml2/files/cve-2020-5390.patch |
21 |
new file mode 100644 |
22 |
index 00000000000..bef46808d92 |
23 |
--- /dev/null |
24 |
+++ b/dev-python/pysaml2/files/cve-2020-5390.patch |
25 |
@@ -0,0 +1,189 @@ |
26 |
+From 5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25 Mon Sep 17 00:00:00 2001 |
27 |
+From: Ivan Kanakarakis <ivan.kanak@×××××.com> |
28 |
+Date: Sat, 4 Jan 2020 00:39:47 +0200 |
29 |
+Subject: [PATCH] Fix XML Signature Wrapping (XSW) vulnerabilities |
30 |
+ |
31 |
+PySAML2 did not check that the signature in a SAML document is enveloped and thus |
32 |
+XML signature wrapping (XSW) was effective. |
33 |
+ |
34 |
+The signature information and the node/object that is signed can be in different places |
35 |
+and thus the signature verification will succeed, but the wrong data will be used. This |
36 |
+specifically affects the verification of assertions that have been signed. |
37 |
+ |
38 |
+This was assigned CVE-2020-5390 |
39 |
+ |
40 |
+Thanks to Alexey Sintsov and Yuri Goltsev from HERE Technologies to report this. |
41 |
+ |
42 |
++ + + + + + + + |
43 |
+ |
44 |
+In more detail: |
45 |
+ |
46 |
+libxml2 follows the xmldsig-core specification. The xmldsig specification is way too |
47 |
+general. saml-core reuses the xmldsig specification, but constrains it to use of |
48 |
+specific facilities. The implementation of the SAML specification is responsible to |
49 |
+enforce those constraints. libxml2/xmlsec1 are not aware of those constraints and thus |
50 |
+process the document based on the full/general xmldsig rules. |
51 |
+ |
52 |
+What is happening is the following: |
53 |
+ |
54 |
+- xmldsig-core allows the signature-information and the data that was signed to be in |
55 |
+ different places. This works by setting the URI attribute of the Reference element. |
56 |
+ The URI attribute contains an optional identifier of the object being signed. (see |
57 |
+ "4.4.3 The Reference Element" -- https://www.w3.org/TR/xmldsig-core1/#sec-Reference) |
58 |
+ This identifier is actually a pointer that can be defined in many different ways; from |
59 |
+ XPath expressions that need to be executed(!), to a full URL that should be fetched(!) |
60 |
+ in order to recalculate the signature. |
61 |
+ |
62 |
+- saml-core section "5.4 XML Signature Profile" defines constrains on the xmldsig-core |
63 |
+ facilities. It explicitly dictates that enveloped signatures are the only signatures |
64 |
+ allowed. This mean that: |
65 |
+ * Assertion/RequestType/ResponseType elements must have an ID attribute |
66 |
+ * signatures must have a single Reference element |
67 |
+ * the Reference element must have a URI attribute |
68 |
+ * the URI attribute contains an anchor |
69 |
+ * the anchor points to the enclosing element's ID attribute |
70 |
+ |
71 |
+xmlsec1 does the right thing - it follows the reference URI pointer and validates the |
72 |
+assertion. But, the pointer points to an assertion in another part of the document; not |
73 |
+the assertion in which the signature is embedded/enveloped. SAML processing thinks that |
74 |
+the signature is fine (that's what xmlsec1 said), and gets the assertion data from the |
75 |
+assertion that contains the signature - but that assertion was never validated. The |
76 |
+issue is that pysaml2 does not enforce the constrains on the signature validation |
77 |
+facilities of xmldsig-core, that the saml-core spec defines. |
78 |
+ |
79 |
+The solution is simple; all we need is to make sure that assertions with signatures (1) |
80 |
+contain one reference element that (2) has a URI attribute (3) that is an anchor that |
81 |
+(4) points to the assertion in which the signature is embedded. If those conditions are |
82 |
+met then we're good, otherwise we should fail the verification. |
83 |
+ |
84 |
+Signed-off-by: Ivan Kanakarakis <ivan.kanak@×××××.com> |
85 |
+--- |
86 |
+ src/saml2/sigver.py | 49 ++++++++++++++++++++++++++++++++++++ |
87 |
+ tests/saml2_response_xsw.xml | 6 +++++ |
88 |
+ tests/test_xsw.py | 44 ++++++++++++++++++++++++++++++++ |
89 |
+ 3 files changed, 99 insertions(+) |
90 |
+ create mode 100644 tests/saml2_response_xsw.xml |
91 |
+ create mode 100644 tests/test_xsw.py |
92 |
+ |
93 |
+diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py |
94 |
+index cbeca41f..c3d298a9 100644 |
95 |
+--- a/src/saml2/sigver.py |
96 |
++++ b/src/saml2/sigver.py |
97 |
+@@ -1476,6 +1476,55 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME, origdoc=None, |
98 |
+ if not certs: |
99 |
+ raise MissingKey(_issuer) |
100 |
+ |
101 |
++ # saml-core section "5.4 XML Signature Profile" defines constrains on the |
102 |
++ # xmldsig-core facilities. It explicitly dictates that enveloped signatures |
103 |
++ # are the only signatures allowed. This mean that: |
104 |
++ # * Assertion/RequestType/ResponseType elements must have an ID attribute |
105 |
++ # * signatures must have a single Reference element |
106 |
++ # * the Reference element must have a URI attribute |
107 |
++ # * the URI attribute contains an anchor |
108 |
++ # * the anchor points to the enclosing element's ID attribute |
109 |
++ references = item.signature.signed_info.reference |
110 |
++ signatures_must_have_a_single_reference_element = len(references) == 1 |
111 |
++ the_Reference_element_must_have_a_URI_attribute = ( |
112 |
++ signatures_must_have_a_single_reference_element |
113 |
++ and hasattr(references[0], "uri") |
114 |
++ ) |
115 |
++ the_URI_attribute_contains_an_anchor = ( |
116 |
++ the_Reference_element_must_have_a_URI_attribute |
117 |
++ and references[0].uri.startswith("#") |
118 |
++ and len(references[0].uri) > 1 |
119 |
++ ) |
120 |
++ the_anchor_points_to_the_enclosing_element_ID_attribute = ( |
121 |
++ the_URI_attribute_contains_an_anchor |
122 |
++ and references[0].uri == "#{id}".format(id=item.id) |
123 |
++ ) |
124 |
++ validators = { |
125 |
++ "signatures must have a single reference element": ( |
126 |
++ signatures_must_have_a_single_reference_element |
127 |
++ ), |
128 |
++ "the Reference element must have a URI attribute": ( |
129 |
++ the_Reference_element_must_have_a_URI_attribute |
130 |
++ ), |
131 |
++ "the URI attribute contains an anchor": ( |
132 |
++ the_URI_attribute_contains_an_anchor |
133 |
++ ), |
134 |
++ "the anchor points to the enclosing element ID attribute": ( |
135 |
++ the_anchor_points_to_the_enclosing_element_ID_attribute |
136 |
++ ), |
137 |
++ } |
138 |
++ if not all(validators.values()): |
139 |
++ error_context = { |
140 |
++ "message": "Signature failed to meet constraints on xmldsig", |
141 |
++ "validators": validators, |
142 |
++ "item ID": item.id, |
143 |
++ "reference URI": item.signature.signed_info.reference[0].uri, |
144 |
++ "issuer": _issuer, |
145 |
++ "node name": node_name, |
146 |
++ "xml document": decoded_xml, |
147 |
++ } |
148 |
++ raise SignatureError(error_context) |
149 |
++ |
150 |
+ verified = False |
151 |
+ last_pem_file = None |
152 |
+ |
153 |
+diff --git a/tests/saml2_response_xsw.xml b/tests/saml2_response_xsw.xml |
154 |
+new file mode 100644 |
155 |
+index 00000000..3671eb48 |
156 |
+--- /dev/null |
157 |
++++ b/tests/saml2_response_xsw.xml |
158 |
+@@ -0,0 +1,6 @@ |
159 |
++<?xml version="1.0" encoding="UTF-8"?> |
160 |
++<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Referen |
161 |
ce URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMX |
162 |
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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:Subj |
163 |
ectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue |
164 |
></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@×××××.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string |
165 |
">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion> |
166 |
++<XSW_ATTACK> |
167 |
++<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnCon |
168 |
textClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@×××××.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn: |
169 |
oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion> |
170 |
++</XSW_ATTACK> |
171 |
++</ns0:Response> |
172 |
+diff --git a/tests/test_xsw.py b/tests/test_xsw.py |
173 |
+new file mode 100644 |
174 |
+index 00000000..9978c4d3 |
175 |
+--- /dev/null |
176 |
++++ b/tests/test_xsw.py |
177 |
+@@ -0,0 +1,44 @@ |
178 |
++from datetime import datetime |
179 |
++from unittest.mock import Mock |
180 |
++from unittest.mock import patch |
181 |
++ |
182 |
++from saml2.config import config_factory |
183 |
++from saml2.response import authn_response |
184 |
++from saml2.sigver import SignatureError |
185 |
++ |
186 |
++from dateutil import parser |
187 |
++ |
188 |
++from pytest import raises |
189 |
++ |
190 |
++from pathutils import dotname |
191 |
++from pathutils import full_path |
192 |
++ |
193 |
++ |
194 |
++XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml") |
195 |
++ |
196 |
++ |
197 |
++class TestAuthnResponse: |
198 |
++ def setup_class(self): |
199 |
++ self.conf = config_factory("sp", dotname("server_conf")) |
200 |
++ self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/") |
201 |
++ |
202 |
++ @patch('saml2.response.validate_on_or_after', return_value=True) |
203 |
++ def test_verify_signed_xsw(self, mock_validate_on_or_after): |
204 |
++ self.ar.issue_instant_ok = Mock(return_value=True) |
205 |
++ |
206 |
++ with open(XML_RESPONSE_XSW) as fp: |
207 |
++ xml_response = fp.read() |
208 |
++ |
209 |
++ self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"} |
210 |
++ self.ar.timeslack = 10000 |
211 |
++ self.ar.loads(xml_response, decode=False) |
212 |
++ |
213 |
++ assert self.ar.came_from == 'http://localhost:8088/sso' |
214 |
++ assert self.ar.session_id() == "id12" |
215 |
++ assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp' |
216 |
++ |
217 |
++ with raises(SignatureError): |
218 |
++ self.ar.verify() |
219 |
++ |
220 |
++ assert self.ar.ava is None |
221 |
++ assert self.ar.name_id is None |
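Review bot: The error path in the new `_check_signature` block builds `"reference URI": item.signature.signed_info.reference[0].uri` unconditionally, so a signature with zero Reference elements escapes with IndexError instead of the SignatureError that `test_verify_signed_xsw` (and presumably callers) catch; similarly, if `hasattr(references[0], "uri")` is true but the value is None, `references[0].uri.startswith("#")` raises AttributeError before the validators dict is ever built. The comment above the validators also lists "Assertion/RequestType/ResponseType elements must have an ID attribute", yet no validator checks `item.id`; if it is None the expected anchor becomes the literal `"#None"`, which a crafted document containing an element with `ID="None"` could satisfy, so the ID requirement is worth enforcing explicitly unless `item.id` is guaranteed non-empty before this point. The rewrite below reads the URI once into a local, adds the ID check as a validator the anchor comparison depends on, and reports that local in the error context. `_check_signature` starts before this hunk and continues after it.
```python
# … unchanged: certs / MissingKey check …
references = item.signature.signed_info.reference
reference_uri = getattr(references[0], "uri", None) if references else None
the_enclosing_element_must_have_an_ID_attribute = bool(item.id)
signatures_must_have_a_single_reference_element = len(references) == 1
the_Reference_element_must_have_a_URI_attribute = (
    signatures_must_have_a_single_reference_element
    and reference_uri is not None
)
the_URI_attribute_contains_an_anchor = (
    the_Reference_element_must_have_a_URI_attribute
    and reference_uri.startswith("#")
    and len(reference_uri) > 1
)
the_anchor_points_to_the_enclosing_element_ID_attribute = (
    the_enclosing_element_must_have_an_ID_attribute
    and the_URI_attribute_contains_an_anchor
    and reference_uri == "#{id}".format(id=item.id)
)
validators = {
    "the enclosing element must have an ID attribute": (
        the_enclosing_element_must_have_an_ID_attribute
    ),
    # … unchanged: the four existing validator entries …
}
if not all(validators.values()):
    error_context = {
        # … unchanged: message / validators / item ID …
        "reference URI": reference_uri,
        # … unchanged: issuer / node name / xml document …
    }
    raise SignatureError(error_context)
```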
222 |
|
223 |
diff --git a/dev-python/pysaml2/metadata.xml b/dev-python/pysaml2/metadata.xml |
224 |
index e06acc272e6..34133f9748f 100644 |
225 |
--- a/dev-python/pysaml2/metadata.xml |
226 |
+++ b/dev-python/pysaml2/metadata.xml |
227 |
@@ -10,7 +10,7 @@ |
228 |
<name>Openstack</name> |
229 |
</maintainer> |
230 |
<longdescription lang="en"> |
231 |
- Python implementation of SAML Version 2 to be used in a WSGI environment |
232 |
+ PySAML2 is a pure python implementation of SAML Version 2 Standard. It contains all necessary pieces for building a SAML2 service provider or an identity provider. The distribution contains examples of both. Originally written to work in a WSGI environment there are extensions that allow you to use it with other frameworks. |
233 |
</longdescription> |
234 |
<upstream> |
235 |
<remote-id type="pypi">pysaml2</remote-id> |
236 |
|
237 |
diff --git a/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild |
238 |
new file mode 100644 |
239 |
index 00000000000..9d807ccf40e |
240 |
--- /dev/null |
241 |
+++ b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild |
242 |
@@ -0,0 +1,42 @@ |
243 |
+# Copyright 1999-2020 Gentoo Authors |
244 |
+# Distributed under the terms of the GNU General Public License v2 |
245 |
+ |
246 |
+EAPI=7 |
247 |
+PYTHON_COMPAT=( python3_{6,7} ) |
248 |
+ |
249 |
+inherit distutils-r1 |
250 |
+ |
251 |
+DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI environment" |
252 |
+HOMEPAGE="https://github.com/rohe/pysaml2" |
253 |
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" |
254 |
+ |
255 |
+LICENSE="Apache-2.0" |
256 |
+SLOT="0" |
257 |
+KEYWORDS="amd64 ~arm64 x86" |
258 |
+IUSE="" |
259 |
+ |
260 |
+PATCHES=( |
261 |
+) |
262 |
+ |
263 |
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]" |
264 |
+RDEPEND=">=dev-python/cryptography-1.4[${PYTHON_USEDEP}] |
265 |
+ dev-python/defusedxml[${PYTHON_USEDEP}] |
266 |
+ dev-python/future[${PYTHON_USEDEP}] |
267 |
+ dev-python/pyopenssl[${PYTHON_USEDEP}] |
268 |
+ dev-python/python-dateutil[${PYTHON_USEDEP}] |
269 |
+ dev-python/pytz[${PYTHON_USEDEP}] |
270 |
+ >=dev-python/requests-1.0.0[${PYTHON_USEDEP}] |
271 |
+ dev-python/six[${PYTHON_USEDEP}]" |
272 |
+ |
273 |
+PATCHES=( "${FILESDIR}/cve-2020-5390.patch" ) |
274 |
+ |
275 |
+python_prepare_all() { |
276 |
+ # Work-around for bug 675824 |
277 |
+ # With older setuptools, version = file:... is not supported, see Note 1 in: |
278 |
+ # https://setuptools.readthedocs.io/en/latest/setuptools.html#metadata |
279 |
+ # In such cases, hardcode the version |
280 |
+ has_version ">=dev-python/setuptools-39.2.0" || \ |
281 |
+ sed --in-place "s/^version = file:.*\$/version = ${PV}/" setup.cfg |
282 |
+ ## |
283 |
+ distutils-r1_python_prepare_all |
284 |
+} |
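Review bot: `PATCHES=(` is declared empty near the top of the ebuild and then redefined as `PATCHES=( "${FILESDIR}/cve-2020-5390.patch" )` after RDEPEND; the first, empty assignment is dead and should be dropped so that a later edit to the wrong one cannot silently drop the CVE patch. The bundled patch also adds `tests/test_xsw.py`, which imports pytest, dateutil and unittest.mock, but nothing in the ebuild runs the test suite (no `distutils_enable_tests` or `python_test` is visible), so the XSW regression test is never exercised at build time; that is defensible for a fast stabilisation, but a comment such as `# tests not run: upstream suite needs pytest, python-dateutil and mock` next to IUSE would make the choice explicit. The DESCRIPTION string also still reads "to be used in a WSGI environment" while this same commit rewrites metadata.xml to say WSGI is only the original target, so the two should be brought into agreement.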