def test_ava_filter_2():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {
"givenName": None,
"sn": None,
"mail": [".*@.*\.umu\.se"],
}
}}
policy = Policy(conf)
ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
_ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
[gn, sn])
assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])
ava = {"givenName": "Derek", "sn": "Jeter"}
# it wasn't there to begin with
try:
policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
[gn, sn, mail])
except MissingValue:
pass
def test_ava_filter_2():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {
"givenName": None,
"sn": None,
"mail": [".*@.*\.umu\.se"],
}
}}
policy = Policy(conf)
ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
_ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
[gn, sn])
assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])
ava = {"givenName": "Derek", "sn": "Jeter"}
# it wasn't there to begin with
try:
policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
[gn, sn, mail])
except MissingValue:
pass
def test_ava_filter_dont_fail():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None, # means all I have
"fail_on_missing_requested": False,
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]},
"fail_on_missing_requested": False,
},
}
policy = Policy(conf)
ava = {"givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
# So it should fail if the 'fail_on_ ...' flag wasn't set
_ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [mail], [gn, sn])
assert _ava
ava = {"givenName": "Derek", "surName": "Jeter"}
# it wasn't there to begin with
_ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [gn, sn, mail])
assert _ava
def test_req_opt():
req = [
to_dict(
md.RequestedAttribute(
friendly_name="surname", name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS),
to_dict(
md.RequestedAttribute(
friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS),
to_dict(
md.RequestedAttribute(
friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS)]
opt = [
to_dict(
md.RequestedAttribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false"), ONTS)]
policy = Policy()
ava = {'givenname': 'Roland', 'surname': 'Hedberg',
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, None, req, opt)
assert fava
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
# "attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_sfs_hei.xml"), )]
}])
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_1():
""" No mail address returned """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
def test_filter_ava2():
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
# "attribute_restrictions": None # means all I have
"entity_categories": ["refeds", "edugain"]
}
}
policy = Policy(policy_conf, MDS)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz"
}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth")
# Mismatch, policy deals with eduGAIN, metadata says SWAMID
# So only minimum should come out
assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_ava_5():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None, # means all I have
"entity_categories": ["swamid", "edugain"]
}
}
policy = Policy(restrictions=policy_conf, mds=mds)
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": [
"*****@*****.**",
"*****@*****.**",
],
}
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
def test_ava_filter_1():
conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [r".*@.*\.umu\.se"],
}
}
}
r = Policy(conf)
ava = {
"givenName": "Derek",
"surName": "Jeter",
"mail": "*****@*****.**"
}
ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp")
assert _eq(list(ava.keys()), ["givenName", "surName"])
ava = {"givenName": "Derek", "mail": "*****@*****.**"}
assert _eq(sorted(list(ava.keys())), ["givenName", "mail"])
def test_filter_ava_0():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_3():
""" Only example.com mail addresses returned """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"mail": [r".*@example\.com$"],
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(list(ava.keys()), ["mail"])
assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_4():
""" Return everything as default policy is used """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"mail": [r".*@example\.com$"],
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
assert _eq(sorted(list(ava.keys())), ['mail', 'givenName', 'surName'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def get_ava(self, user=None):
# IDENTITY AND ATTR POLICY
# Generate request session stuff needed for user agreement screen
attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \
getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", [])
identity = {
k: v
for k, v in self.processor.create_identity(user or self.request.user,
self.sp).items()
if k not in attrs_to_exclude
}
# entity categories and other pysaml2 policies could filter out some attributes
policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy'))
ava = policy.filter(identity,
self.sp['id'],
self.IDP.config.metadata,
required=[])
# remove None
for attr in ava:
if not ava[attr]:
ava[attr] = ''
# END IDENTITY AND ATTR POLICY
return identity, policy, ava
def test_req_opt():
req = [md.RequestedAttribute(friendly_name="surname", name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"),
md.RequestedAttribute(friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"),
md.RequestedAttribute(friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true")]
opt = [md.RequestedAttribute(friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false")]
policy = Policy()
ava = {'givenname': 'Roland', 'surname': 'Hedberg',
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, req, opt)
assert fava
def test_ava_filter_1():
conf = {
"default": {
"lifetime": {"minutes":15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions":{
"givenName": None,
"surName": None,
"mail": [".*@.*\.umu\.se"],
}
}}
r = Policy(conf)
ava = {"givenName":"Derek",
"surName": "Jeter",
"mail":"*****@*****.**"}
ava = r.filter(ava,"urn:mace:umu.se:saml:roland:sp",None,None)
assert _eq(ava.keys(), ["givenName","surName"])
ava = {"givenName":"Derek",
"mail":"*****@*****.**"}
assert _eq(ava.keys(), ["givenName","mail"])
def test_ava_filter_dont_fail():
conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None, # means all I have
"fail_on_missing_requested": False
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [r".*@.*\.umu\.se"],
},
"fail_on_missing_requested": False
}
}
policy = Policy(conf)
ava = {
"givenName": "Derek",
"surName": "Jeter",
"mail": "*****@*****.**"
}
# mail removed because it doesn't match the regular expression
# So it should fail if the 'fail_on_ ...' flag wasn't set
_ava = policy.filter(ava,
'urn:mace:umu.se:saml:roland:sp',
required=[mail],
optional=[gn, sn])
assert _ava
ava = {"givenName": "Derek", "surName": "Jeter"}
# it wasn't there to begin with
_ava = policy.filter(ava,
'urn:mace:umu.se:saml:roland:sp',
required=[gn, sn, mail])
assert _ava
def test_filter_ava_esi_coco():
entity_id = "https://esi-coco.example.edu/saml2/metadata/"
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_esi_and_coco_sp.xml"), )]
}])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["swamid"]
}
}
policy = Policy(policy_conf, mds)
ava = {
"givenName": ["Test"],
"sn": ["Testsson"],
"mail": ["*****@*****.**"],
"c": ["SE"],
"schacHomeOrganization": ["example.com"],
"eduPersonScopedAffiliation": ["*****@*****.**"],
"schacPersonalUniqueCode": [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
]
}
requested_attributes = [{
'friendly_name': 'eduPersonScopedAffiliation',
'name': '1.3.6.1.4.1.5923.1.1.1.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}, {
'friendly_name': 'schacHomeOrganization',
'name': '1.3.6.1.4.1.25178.1.2.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}]
ava = policy.filter(ava, entity_id, required=requested_attributes)
assert _eq(list(ava.keys()), [
'eduPersonScopedAffiliation', 'schacHomeOrganization',
'schacPersonalUniqueCode'
])
assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"])
assert _eq(ava["schacHomeOrganization"], ["example.com"])
assert _eq(ava["schacPersonalUniqueCode"], [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
])
def test_filter_ava_registration_authority_1():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None,
},
"http://rr.aai.switch.ch/": {
"attribute_restrictions": {
"givenName": None,
"surName": None,
}
}
}
policy = Policy(restrictions=policy_conf, mds=mds)
attributes = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": [
"*****@*****.**",
"*****@*****.**",
],
}
# SP registered with http://rr.aai.switch.ch/
ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
# SP not registered with http://rr.aai.switch.ch/
ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**", "*****@*****.**"]
def test_req_opt():
req = [
to_dict(
md.RequestedAttribute(
friendly_name="surname",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
to_dict(
md.RequestedAttribute(
friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
to_dict(
md.RequestedAttribute(
friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
]
opt = [
to_dict(
md.RequestedAttribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false",
),
ONTS,
)
]
policy = Policy()
ava = {"givenname": "Roland", "surname": "Hedberg", "uid": "rohe0002", "edupersonaffiliation": "staff"}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, None, req, opt)
assert fava
def test_filter_ava():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava_0():
policy = Policy(
{
"default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have
"urn:mace:example.com:saml:roland:sp": {"lifetime": {"minutes": 5}},
}
)
ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["givenName", "surName", "mail"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**"]
def test_entity_category_import_from_path():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
# The file entity_cat_rs.xml contains the SAML metadata for an SP
# tagged with the REFEDs R&S entity category.
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_rs.xml"), )]
}])
# The entity category module myentitycategory.py is in the tests
# directory which is on the standard module search path.
# The module uses a custom interpretation of the REFEDs R&S entity category
# by adding eduPersonUniqueId.
policy = Policy(
{
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["myentitycategory"]
}
}, mds)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"displayName": "Derek Jeter",
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"eduPersonUniqueId": "*****@*****.**",
"eduPersonScopedAffiliation": "*****@*****.**",
"eduPersonPrincipalName": "*****@*****.**",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
# We expect c and norEduPersonNIN to be filtered out since they are not
# part of the custom entity category.
assert _eq(list(ava.keys()), [
"eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId",
"displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"
])
def test_filter_ava_5():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid", "edugain"]
}
})
ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]}
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], [])
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
def test_filter_ava2():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["refeds", "edugain"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz"}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
# Mismatch, policy deals with eduGAIN, metadata says SWAMID
# So only minimum should come out
assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_ava_4():
""" Return everything as default policy is used """
policy = Policy(
{
"default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {"mail": [".*@example\.com$"]},
},
}
)
ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], [])
assert _eq(ava.keys(), ["mail", "givenName", "surName"])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava_required_attributes_with_no_friendly_name():
entity_id = "https://no-friendly-name.example.edu/saml2/metadata/"
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_no_friendly_name_sp.xml"), )]
}])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["swamid"]
}
}
policy = Policy(policy_conf, mds)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134",
}
attribute_requirements = mds.attribute_requirement(entity_id)
required = attribute_requirements.get("required", [])
optional = attribute_requirements.get("optional", [])
# ensure the requirements define the eduPersonTargetedID
# without the friendlyName attribute
oid_eptid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
requested_attribute_eptid = RequestedAttribute(name=oid_eptid,
name_format=NAME_FORMAT_URI,
is_required='true')
assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]
ava = policy.filter(ava, entity_id, required=required, optional=optional)
assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}])
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_3():
""" Only example.com mail addresses returned """
policy = Policy({
"default": {
"lifetime": {"minutes":15},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions":{
"mail": [".*@example\.com$"],
}
}})
ava = { "givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["mail"])
assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_5():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid", "edugain"]
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], [])
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
def test_entity_category_import_from_path():
# The entity category module myentitycategory.py is in the tests
# directory which is on the standard module search path.
# The module uses a custom interpretation of the REFEDs R&S entity category
# by adding eduPersonUniqueId.
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
"entity_categories": ["myentitycategory"]
}
})
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
# The file entity_cat_rs.xml contains the SAML metadata for an SP
# tagged with the REFEDs R&S entity category.
mds.imp([{"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_rs.xml"),)]}])
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"displayName": "Derek Jeter",
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"eduPersonUniqueId": "*****@*****.**",
"eduPersonScopedAffiliation": "*****@*****.**",
"eduPersonPrincipalName": "*****@*****.**",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
# We expect c and norEduPersonNIN to be filtered out since they are not
# part of the custom entity category.
assert _eq(list(ava.keys()),
["eduPersonTargetedID", "eduPersonPrincipalName",
"eduPersonUniqueId", "displayName", "givenName",
"eduPersonScopedAffiliation", "mail", "sn"])
def build_authn_response(self, user, authn, resp_args):
""" pysaml2 server.Server.create_authn_response wrapper
"""
self.sp['name_id_format'] = resp_args.get('name_id_policy').format
idp_name_id_format_list = self.IDP.config.getattr("name_id_format",
"idp")
# name_id format availability
if idp_name_id_format_list and not self.sp['name_id_format']:
name_id_format = idp_name_id_format_list[0]
elif self.sp['name_id_format'] and not idp_name_id_format_list:
name_id_format = self.sp['name_id_format']
elif self.sp['name_id_format'] not in idp_name_id_format_list:
return self.handle_error(request,
exception=_('SP requested a name_id_format '
'that is not supported in the IDP'))
elif self.sp['name_id_format'] in idp_name_id_format_list:
name_id_format = self.sp['name_id_format']
else:
name_id_format = NAMEID_FORMAT_UNSPECIFIED
# if SP doesn't request a specific name_id_format...
if not self.sp['name_id_format']:
self.sp['name_id_format'] = name_id_format
user_id = self.processor.get_user_id(user, self.sp, self.IDP.config)
name_id = NameID(format=name_id_format,
sp_name_qualifier=self.sp['id'],
text=user_id)
#user_attrs = self.processor.create_identity(user, self.sp)
# Generate request session stuff needed for user agreement screen
attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \
getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", [])
self.request.session['identity'] = {
k: v
for k, v in self.processor.create_identity(self.request.user,
self.sp).items()
if k not in attrs_to_exclude
}
# ASSERTION ENCRYPTED
encrypt_response = getattr(settings,
'SAML_ENCRYPT_AUTHN_RESPONSE',
False)
if 'encrypt_saml_responses' in self.sp['config'].keys():
encrypt_response = self.sp['config'].get('encrypt_saml_responses')
encrypt_advice_attributes = getattr(settings,
'SAML_ENCRYPT_ADV_ATTRIBUTES',
False)
if 'encrypt_advice_attributes' in self.sp['config'].keys():
encrypt_advice_attributes = self.sp['config'].get('encrypt_advice_attributes')
authn_resp = self.IDP.create_authn_response(
authn=authn,
identity=self.request.session['identity'],
userid=user_id,
name_id=name_id,
# signature
sign_response=self.sp['config'].get("sign_response") or \
self.IDP.config.getattr("sign_response", "idp") or \
False,
sign_assertion=self.sp['config'].get("sign_assertion") or \
self.IDP.config.getattr("sign_assertion", "idp") or \
False,
# default will be sha1 in pySAML2
sign_alg=self.sp['config'].get("signing_algorithm") or \
getattr(settings, 'SAML_AUTHN_SIGN_ALG', False),
digest_alg=self.sp['config'].get("digest_algorithm") or \
getattr(settings, 'SAML_AUTHN_DIGEST_ALG', False),
# Encryption
encrypt_assertion=encrypt_response,
encrypt_advice_attributes=encrypt_advice_attributes,
**resp_args
)
# entity categories and other pysaml2 policies could filter out some attributes
policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy'))
ava = policy.filter(self.request.session['identity'],
self.sp['id'],
self.IDP.config.metadata,
required=[])
# talking logs
self.request.session['authn_log'] = ('SSO AuthnResponse to {} [{}]:'
' {} attrs ({}) on {} '
'filtered by policy').format(self.sp['id'],
self.request.session.get('message_id'),
len(ava),
','.join(ava.keys()),
len(self.request.session['identity']))
logger.info(self.request.session['authn_log'])
#
self.request.session['identity'] = ava
return authn_resp
