Skip to content

Latest commit

 

History

History
340 lines (256 loc) · 13 KB

CHANGELOG.md

File metadata and controls

340 lines (256 loc) · 13 KB

Changelog

7.0.0 (2021-05-18)

  • BREAKING Replace encryption method rsa-1_5 with rsa-oaep-mgf1p
  • Add documentation next to the code

6.5.2 (2021-05-18)

  • Add shibmd_scopes metadata extractor
  • Allow the Issuer element on a Response to be missing
  • Respect the preferred_binding configuration for the single_logout_service
  • Fix logout signature flags for redirect, post and soap requests
  • Respect the logout_requests_signed configuration option
  • Fix crash when applying policy on RequestedAttribute without a friendlyName
  • Correctly validate IssueInstant
  • Correctly handle AudienceRestriction elements with no value
  • Raise InvalidAssertion exception when assertion requirements are not met
  • Raise SAMLError on failure to parse a metadata file
  • Raise StatusInvalidAuthnResponseStatement when the AuthnStatement is not valid
  • Handle all forms of ACS endpoint specifications
  • tests: Always use base64.encodebytes; base64.encodestring has been dropped
  • build: Set minimum version needed for xmlschema
  • docs: Update Travis CI badge from travis-ci.org to travis-ci.com
  • examples: Fix example code

6.5.1 (2021-01-21)

  • Fix the parser to take into account both the xs and xsd namespace prefixes

6.5.0 (2021-01-20) - Security release

  • Fix processing of invalid SAML XML documents - CVE-2021-21238
  • Fix unspecified xmlsec1 key-type preference - CVE-2021-21239
  • Add more tests regarding XSW attacks
  • Add XML Schemas for SAML2 and common extensions
  • Fix the XML parser to not break on ePTID AttributeValues
  • Fix the initialization value of the return_addrs property of the StatusResponse object
  • Fix SWAMID entity-category policy regarding eduPersonTargetedID
  • data: use importlib to load package data (backwards compatibility through the importlib_resources package)
  • docs: improve the documentation for the signing_algorithm and digest_algorithm options
  • examples: fix the logging configuration of the example-IdP
  • tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
  • tests: improvements on the generation of response and assertion objects
  • tests: expand tests on python-3.9 and python-3.10-dev

6.4.1 (2020-12-08)

  • Indicate minimum required python version during installation

6.4.0 (2020-12-08)

  • Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
  • Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
  • Ignore duplicate RequestedAttribute entries when filtering attributes
  • tests: Avoid reuse of old test data files

6.3.1 (2020-11-11)

  • Fix extraction of RegistrationInfo when no information is available
  • Fix http_info struct to include status-code

6.3.0 (2020-10-30)

  • Allow to specify policy configurations based on the registration authority.

  • Add new configuration option logout_responses_signed to sign logout responses.

  • When available and appropriate return the ResponseLocation along with the Location attribute.

  • Always use base64.encodebytes; base64.encodestring has been dropped.

  • Examples: fix IdP example that was outputing debug statements on stdout that became part of its metadata.

  • CI/CD: Use Ubuntu bionic as the host to run the CI/CD process.

  • CI/CD: Pre-releases are now available on test.pypi.org. Each commit/merge on the master branch autotically creates a new pre-release. To install a prelease, run:

    $ pip install -U -i https://test.pypi.org/simple --extra-index-url https://pypi.org/simple pysaml2

6.2.0 (2020-10-05)

  • Fix the generated xsd:ID format for EncryptedData and EncryptedKey elements
  • Set the default value for the NameFormat attribute to unspecified when parsing
  • Support arbitrary entity attributes
  • Replace all asserts with proper checks
  • Allow request signing in artifact2message
  • Support logging configuration through the python logger
  • Fix wrong identifiers for ecdsa algos
  • Fix automatic inversion of attribute map files
  • Factor out common codepaths in attribute_converter
  • Remove uneeded exception logging
  • Docs: Update configuration options documentation
  • Examples: Support both str and bytes in SAML requests on the example idp
  • Examples: Update to key generation to 2048 bits

6.1.0 (2020-07-10)

  • Fix signed logout requests flag

6.0.0 (2020-07-10)

  • Differentiate between metadata NameIDFormat and AuthnRequest NameIDPolicy Format
    • Users using name_id_format to set the <NameIDPolicy Format="..."> attribute now need to use the new configuration option name_id_policy_format.
  • Fix documentation formatting

5.4.0 (2020-07-10)

  • Fix generation of signed metadata
  • Add attribute mappings used by SwedenConnect (DIGG, INERA and PKIX specifications)
  • Update SWAMID entity category
  • Document the additional_cert_files configuration option

5.3.0 (2020-06-25)

  • Fix check for nameid_format set to the string "None" in the configuration

5.2.0 (2020-06-23)

  • Fix presence of empty eIDAS RequestedAttributes element on AuthnRequest
  • Refactor create_authn_request method to be easier to reason about
  • Fix NameIDPolicy checks for allowed Format and allowCreate values

5.1.0 (2020-06-09)

  • support eIDAS RequestedAttributes per AuthnRequest
  • fix xmlsec1 --id-attr configuration option value
  • do not remove existing disco URL query params
  • load attribute maps in predictable order
  • better error message when AudienceRestriction does not validate
  • always use base64.encodebytes instead of base64.encodestring
  • update the eIDAS attribute mapping for legal person
  • fix py_compile warnings
  • fix pylint errors and warnings
  • various small fixes
  • add Python3.8 as supported
  • tests: fix validity dates
  • docs: document default value for 'want_response_signed'

5.0.0 (2020-01-13) - Security release

  • Fix XML Signature Wrapping (XSW) vulnerabilities - CVE-2020-5390
  • Add freshness period feature for MetaDataMDX
  • Fix bug in duration calculation in time_util library
  • Fix ipv6 validation to accommodate for addresses with brackets
  • Fix xmlsec temporary files deletions
  • Add method to get supported algorithms from metadata
  • Add mdstore method to extract assurance certifications
  • Add mdstore method to extract contact_person data
  • Add attribute mappings from the Swiss eduPerson Schema
  • Make AESCipher and Fernet interfaces compatible
  • Remove deprecated saml2.aes module
  • Remove deprecated saml2.extensions.ui module
  • Replace deprecated mongodb operations
  • Rename ToOld error to TooOld
  • Fix pytest warnings
  • Mock tests that need a network connection
  • Start dropping python2 support

4.9.0 (2019-11-03)

  • Add mdstore methods to extract mdui uiinfo elements
  • Add attribute mapping for umbrellaID attributes
  • Fix logic error in pick_binding method for Entity class
  • Validate the audience of assertions regardless of a response being unsolicited
  • Fix PKCS_9 saml_url prefix
  • docs: Fix warnings from docs generation
  • docs: Update release instructions regarding branch releases
  • docs: Fix list formatting on IdP example page
  • docs: Update pysaml2 options doc with name_id_format_allow_create
  • misc: fix various typos

4.8.0 (2019-07-08)

  • Refactor the way ForceAuthn is set: check for "true" and "1"
  • Allow to set NameQualifier and SPNameQualifier attributes for ePTID
  • Parse assertions with Holder-of-Key profile
  • Add created_at timestamps to all mongodb documents
  • Look for existing persistent id's before creating new ones
  • Do not add AllowCreate property for default transient NameID
  • Enable entity category import from module search path
  • Add SAML subject identifier attributes to saml2_uri attributemap
  • Fix deprecation warning regarding the cgi module - use the html module when available
  • Misc minor improvements
  • tests: Be compatible with latest pytest
  • tests: Make tests pass after 2024
  • tests: Add py37 as a test target
  • docs: Correct instructions to run tests
  • docs: Fix misc typos
  • examples: Set cherrypy version explicitly

4.7.0 (2019-04-02)

  • Add support for MDQ signature verification
  • Raise XmlsecError if xmlsec1 operations do not succeed
  • Handle non standard response error status codes correctly
  • Remove the hardcoded warning filter; pass -Wd to the python interpreter to enable warnings
  • Remove the python-future dependency and only use six
  • Minor python2 and python3 compatibility fixes (unicode strings and example code)
  • Minor documentation fixes

4.6.5 (2018-12-04)

  • Fix for response status error case handling (introduced in v4.6.5)
  • Added assurance-certification support
  • Added entity-category-support support

Thanks @rectalogic @skanct

4.6.4 (2018-11-22)

  • Make use of the sign argument to entity.Entity::apply_binding when binding is HTTP-Redirect. Reminder: use authn_requests_signed configuration option to indicate that Authentication Requests sent by the SP must be signed
  • Add want_assertions_or_response_signed configuration option - see documentation about the introduced behaviour
  • Fix code for idp and sp examples
  • Do not require assertion conditions
  • Fix response encoding format
  • Various code improvements for config, sigver, client_base, client, ecp_client, ecp, s2repoze and entity modules
  • Support non-ascii attribute values for encryption and decryption

Thanks to @johanlundberg @skoranda @yuqing0708 @erakli

4.6.3 (2018-10-08)

Do not map between attribute FriendlyName and attribute Name when no attributemaps are provided.

4.6.2 (2018-09-06)

Refactor AttributeValueBase::set_text method.

  • set_text is doing too many things. At least the structure is a bit cleaner; though, still complex.
  • set_text will set the type if no type has been set.
  • set_text should not modify the type if it has already been set,
  • set_text should not depend on the type's namespace.
  • set_text should not interfere with the 'anyType' type.
  • set_text will raise a ValueError if the value cannot be represented by the type.
  • set_text will raise a ValueError if the type is unknown.

4.6.1 (2018-08-29)

  • Allow multiple AttributeStatement tags per Assertion
  • Raise ValueError for invalid attribute type
  • Make NameID element optional
  • tests: fix test that depended on actual datetime
  • build: Set minimum build-tool version through pyproject.toml

4.6.0 (2018-08-07) - Security release

  • Allow configuration and specification of id attribute name
  • Retrieve SLO endpoint by the appropriate service type
  • Deprecate AESCipher and aes.py module
  • Add saml2.cryptography module
  • Always generate a random IV for AES operations / Address CVE-2017-1000246
  • Remove unused and broken RSA code
  • Add more nameid-format definitions
  • Remove invalid nameid-format
  • Retrieve pacakge version from pkg_resources
  • Fully replace Cryptodome library with cryptography
  • Fix SSRF caused by URI attribute of Reference element
  • Omit relay state in HTTP-POST response when empty
  • Fix eidas natural person attribute URIs
  • Add eidas attributes for legal person to saml2_uri attributemap
  • Fix deprecation and resource warnings.
  • Fix date format to show month, not minutes
  • Fix typos
  • s2repoze: Define session_info variable before use
  • s2repoze: Correctly pull the SAMLRequest from Redirect LogoutRequests
  • s2repoze: Include SCRIPT_NAME when checking whether current URL is a logout endpoint
  • tests: Document and test all supported Python versions
  • tests: Generate and upload coverage reports to codecov
  • tests: Include dependencies information in test report
  • tests: Run tests in verbose mode
  • tests: Clean up unclosed files causing ResourceWarnings
  • build: Set minimal version for cryptography package
  • build: Set the correct version in the docs
  • build: Update build manifest to include the correct files
  • build: Switch from setup.py to setup.cfg
  • docs: Add editorconfig file with basic rules
  • docs: Update gitignore file
  • docs: Remove downloads badge as it is no longer available
  • docs: Update all pypi.python.org URLs to pypi.org
  • docs: Updated license and renamed the file.
  • examples: Do not request a signed response - backwards compatibility
  • examples: Fix wsgiserver usage for example sp
  • examples: Fix cherrypy.wsgiserver usage

0.4.2 (2012-03-27)

  • Add default attribute mappings

0.4.1 (2012-03-18)

  • Auto sign authentication and logout requests following config options.
  • Add backwards compatibility with ElementTree in python < 2.7.
  • Fix minor bugs in the tests.
  • Support one more nameid format.