5:05 p.m.
Hey all,
we were supposed to have the regular idpy-call today, but none showed
up. We didn't send out an agenda but the meeting should happen
nonetheless. So, I though I'd give everyone an update since the last
call.
## Governance
We finally have a governance board, consisting of 7 people. First task
is to determin whether we'll go the route of requiring a CLA or CCLA
for the code submitted to idpy.
https://lists.sunet.se/pipermail/idpy-discuss/2018-October/000292.html
Governance docs: https://github.com/IdentityPython/Governance
## pyXMLSecurity
- The p11_test suite needs to find the appropriate paths for some
components. The paths are not standard, but depend on where each
distribution places the needed files per its package-management
policy. As we cannot guarantee the location of the files on every
system, the paths are made configurable through env-vars.
https://github.com/IdentityPython/pyXMLSecurity/pull/52
- Travis skips p11_test suite because not all components are being
installed. Getting all components in place is not enough, as travis
runs an Ubuntu version (Trusty/14.04) that does not package
softhsm2/libsofthsm2. Until travis updates the test environment with a
newer ubuntu version, the tests will fail. This will be put aside
until there is an update from travis-ci.
https://github.com/IdentityPython/pyXMLSecurity/pull/53
## pysaml2
- Another issue showed up on pyXMLSecurity that is really a problem
with pysaml2. I've documented the problems on the issue. What it boils
down to is that C14N does not canonicalize namespace-prefixes and they
become an important part of the resulting signature. Any modification
of the namespaces will cast the signature invalid. On the other hand,
the xml-namspace spec says that prefixes are non-important and apps
should not depend on them. The builtin xml parser for python does not
preserve namespace prefixes. This results in cases where signatures
fail to be verified (when the document is exactly the same except for
the namespace-prefixes). Do read the issue, and the linked paper, if
you're interested in learning more.
https://github.com/IdentityPython/pyXMLSecurity/issues/55
https://github.com/IdentityPython/pysaml2/issues/551
- The pull request by Martin has been merged (thanks!), and it's the
first in series of commits I'd like to do, that stops pysaml2 from
mapping attribute names to attribute friendly-names (or vice versa).
Attribute friendly names should be preserved when given, but only
attribute-names should be used to identify attributes. Friendly names
should not appear where not requested - they are optional and
inconsequential.
https://github.com/IdentityPython/pysaml2/pull/548
More info: https://github.com/IdentityPython/pysaml2/issues/549
- Branching from above, there was a discussion around how
configuration management and deployment works.
https://lists.sunet.se/pipermail/idpy-discuss/2018-October/000290.html
- Support for encrypting attribute values encoded in unicode landed by
Johan (thanks!). This PR reveals inconsistencies between the callers
of certain functions. I think the arguments types are one of the
greatest sources of pain in pysaml2. There way too many functions that
just accept args or kwargs and until you go deep in the stack you
cannot know whether there is something of value passed through those.
Then there are arguments that can be of two or more types which lead
to many checks and divergence in the code that handles them. I would
really like to get rid of all *args and **kwargs arguments and convert
them to named arguments. That would reveal whether there is a way to
improve the interfaces without breaking the existing code (I am not
very optimistic about that.)
https://github.com/IdentityPython/pysaml2/pull/550
- Finally there is a new request to allow '--id-attr' option that is
passed to xmlsec1 to have multiple values. This seems like a
reasonable request and should be easy to implement.
https://github.com/IdentityPython/pysaml2/issues/552
## Satosa
- Last time we talked about removing the hashing behaviour that satosa
enforces, unconditionally. Work has been done on the
refactor-internal-hashing branch:
https://github.com/c00kiemon5ter/SATOSA/tree/refactor-interal-hashing
This change touches many things that we did not consider initially,
like the internal data representation, and configuration options like
'hash'-attributes. I already have a micro-service to replace the
previous behaviour while making the process a lot more flexible. It
will be on that branch soon.
That's all for now. If you have feedback, or want to add more
information on any of those topics, I encourage you to do so. Either
here, or at the appropriate issue/conversation on github.
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
5:11 p.m.
Sorry about the lack of a meeting cancellation notice! Many of us are at
the Internet2 Technology Exchange this week (or in Australia for the
eResearch conference) and likely wouldn't have had critical mass for the
call.
Thank you for the update!
Heather
On 10/16/18 11:05 AM, Ivan Kanakarakis wrote:
Hey all,
we were supposed to have the regular idpy-call today, but none showed
up. We didn't send out an agenda but the meeting should happen
nonetheless. So, I though I'd give everyone an update since the last
call.
## Governance
We finally have a governance board, consisting of 7 people. First task
is to determin whether we'll go the route of requiring a CLA or CCLA
for the code submitted to idpy.
https://lists.sunet.se/pipermail/idpy-discuss/2018-October/000292.html
Governance docs: https://github.com/IdentityPython/Governance
## pyXMLSecurity
- The p11_test suite needs to find the appropriate paths for some
components. The paths are not standard, but depend on where each
distribution places the needed files per its package-management
policy. As we cannot guarantee the location of the files on every
system, the paths are made configurable through env-vars.
https://github.com/IdentityPython/pyXMLSecurity/pull/52
- Travis skips p11_test suite because not all components are being
installed. Getting all components in place is not enough, as travis
runs an Ubuntu version (Trusty/14.04) that does not package
softhsm2/libsofthsm2. Until travis updates the test environment with a
newer ubuntu version, the tests will fail. This will be put aside
until there is an update from travis-ci.
https://github.com/IdentityPython/pyXMLSecurity/pull/53
## pysaml2
- Another issue showed up on pyXMLSecurity that is really a problem
with pysaml2. I've documented the problems on the issue. What it boils
down to is that C14N does not canonicalize namespace-prefixes and they
become an important part of the resulting signature. Any modification
of the namespaces will cast the signature invalid. On the other hand,
the xml-namspace spec says that prefixes are non-important and apps
should not depend on them. The builtin xml parser for python does not
preserve namespace prefixes. This results in cases where signatures
fail to be verified (when the document is exactly the same except for
the namespace-prefixes). Do read the issue, and the linked paper, if
you're interested in learning more.
https://github.com/IdentityPython/pyXMLSecurity/issues/55
https://github.com/IdentityPython/pysaml2/issues/551
- The pull request by Martin has been merged (thanks!), and it's the
first in series of commits I'd like to do, that stops pysaml2 from
mapping attribute names to attribute friendly-names (or vice versa).
Attribute friendly names should be preserved when given, but only
attribute-names should be used to identify attributes. Friendly names
should not appear where not requested - they are optional and
inconsequential.
https://github.com/IdentityPython/pysaml2/pull/548
More info: https://github.com/IdentityPython/pysaml2/issues/549
- Branching from above, there was a discussion around how
configuration management and deployment works.
https://lists.sunet.se/pipermail/idpy-discuss/2018-October/000290.html
- Support for encrypting attribute values encoded in unicode landed by
Johan (thanks!). This PR reveals inconsistencies between the callers
of certain functions. I think the arguments types are one of the
greatest sources of pain in pysaml2. There way too many functions that
just accept args or kwargs and until you go deep in the stack you
cannot know whether there is something of value passed through those.
Then there are arguments that can be of two or more types which lead
to many checks and divergence in the code that handles them. I would
really like to get rid of all *args and **kwargs arguments and convert
them to named arguments. That would reveal whether there is a way to
improve the interfaces without breaking the existing code (I am not
very optimistic about that.)
https://github.com/IdentityPython/pysaml2/pull/550
- Finally there is a new request to allow '--id-attr' option that is
passed to xmlsec1 to have multiple values. This seems like a
reasonable request and should be easy to implement.
https://github.com/IdentityPython/pysaml2/issues/552
## Satosa
- Last time we talked about removing the hashing behaviour that satosa
enforces, unconditionally. Work has been done on the
refactor-internal-hashing branch:
https://github.com/c00kiemon5ter/SATOSA/tree/refactor-interal-hashing
This change touches many things that we did not consider initially,
like the internal data representation, and configuration options like
'hash'-attributes. I already have a micro-service to replace the
previous behaviour while making the process a lot more flexible. It
will be on that branch soon.
That's all for now. If you have feedback, or want to add more
information on any of those topics, I encourage you to do so. Either
here, or at the appropriate issue/conversation on github.
Cheers,
2258
days inactive
2258
days old
1 comments
2 participants
participants (2)
-
hlflanagan@sphericalcowgroup.com -
ivan.kanak@gmail.com