Beispiel #1
0
def create_metadata_string(configfile, config=None, valid=None, cert=None,
                           keyfile=None, mid=None, name=None, sign=None):
    valid_for = 0
    nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
    # paths = [".", "/opt/local/bin"]

    if valid:
        valid_for = int(valid)  # Hours

    eds = []
    if config is None:
        if configfile.endswith(".py"):
            configfile = configfile[:-3]
        config = Config().load_file(configfile, metadata_construction=True)
    eds.append(entity_descriptor(config))

    conf = Config()
    conf.key_file = config.key_file or keyfile
    conf.cert_file = config.cert_file or cert
    conf.debug = 1
    conf.xmlsec_binary = config.xmlsec_binary
    secc = security_context(conf)

    if mid:
        eid, xmldoc = entities_descriptor(eds, valid_for, name, mid,
                                          sign, secc)
    else:
        eid = eds[0]
        if sign:
            eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
        else:
            xmldoc = None

    valid_instance(eid)
    return metadata_tostring_fix(eid, nspair, xmldoc)
Beispiel #2
0
    def test_entity_attributes(self):
        fil = "sp_mdext_conf.py"
        cnf = Config().load_file(fil, metadata_construction=True)
        ed = entity_descriptor(cnf)

        entity_attributes = next(
            e
            for e in ed.extensions.extension_elements
            if e.tag == 'EntityAttributes'
        )
        attributes = [
            parse_str_as(Attribute, e.to_string())
            for e in entity_attributes.children
        ]
        assert all(
            a.name in [
                "urn:oasis:names:tc:SAML:profiles:subject-id:req",
                "somename",
            ]
            for a in attributes
        )

        import saml2.attribute_converter
        attrc = saml2.attribute_converter.ac_factory()

        import saml2.mdstore
        mds = saml2.mdstore.MetadataStore(attrc, cnf)

        mds.load("inline", ed.to_string())
        entityid = ed.entity_id
        entity_attributes = mds.entity_attributes(entityid)
        assert entity_attributes == {
            'urn:oasis:names:tc:SAML:profiles:subject-id:req': ['any'],
            'somename': ['x', 'y', 'z'],
        }
    def test_split_backend_metadata_to_separate_files(self, tmpdir,
                                                      cert_and_key,
                                                      satosa_config_dict,
                                                      saml_frontend_config,
                                                      saml_backend_config):

        satosa_config_dict["FRONTEND_MODULES"] = [saml_frontend_config]
        satosa_config_dict["BACKEND_MODULES"] = [
            saml_backend_config, saml_backend_config
        ]

        create_and_write_saml_metadata(satosa_config_dict,
                                       cert_and_key[1],
                                       cert_and_key[0],
                                       str(tmpdir),
                                       None,
                                       split_backend_metadata=True)

        conf = Config()
        conf.cert_file = cert_and_key[0]
        security_ctx = security_context(conf)

        written_metadata_files = [
            saml_backend_config["name"], saml_backend_config["name"]
        ]
        for file in written_metadata_files:
            md = MetaDataFile(None,
                              os.path.join(str(tmpdir),
                                           "{}_0.xml".format(file)),
                              security=security_ctx)
            assert md.load()
    def __init__(self,
                 user,
                 passwd,
                 sp="",
                 idp=None,
                 metadata_file=None,
                 xmlsec_binary=None,
                 verbose=0,
                 ca_certs="",
                 disable_ssl_certificate_validation=True,
                 key_file=None,
                 cert_file=None,
                 config=None):
        """
        :param user: user name
        :param passwd: user password
        :param sp: The SP URL
        :param idp: The IdP PAOS endpoint
        :param metadata_file: Where the metadata file is if used
        :param xmlsec_binary: Where the xmlsec1 binary can be found (*)
        :param verbose: Chatty or not
        :param ca_certs: is the path of a file containing root CA certificates
            for SSL server certificate validation (*)
        :param disable_ssl_certificate_validation: If
            disable_ssl_certificate_validation is true, SSL cert validation
            will not be performed (*)
        :param key_file: Private key filename (*)
        :param cert_file: Certificate filename (*)
        :param config: Config() instance, overrides all the parameters marked
            with an asterisk (*) above
        """
        if not config:
            config = Config()
            config.disable_ssl_certificate_validation = \
                disable_ssl_certificate_validation
            config.key_file = key_file
            config.cert_file = cert_file
            config.ca_certs = ca_certs
            config.xmlsec_binary = xmlsec_binary

        Entity.__init__(self, "sp", config)
        self._idp = idp
        self._sp = sp
        self.user = user
        self.passwd = passwd
        self._verbose = verbose

        if metadata_file:
            self._metadata = MetadataStore([saml, samlp], None, config)
            self._metadata.load("local", metadata_file)
            logger.debug("Loaded metadata from '%s'" % metadata_file)
        else:
            self._metadata = None

        self.metadata = self._metadata

        self.cookie_handler = None

        self.done_ecp = False
        self.cookie_jar = cookielib.LWPCookieJar()
    def test_split_frontend_metadata_to_separate_files(
            self, tmpdir, cert_and_key, satosa_config_dict,
            saml_mirror_frontend_config, saml_backend_config,
            oidc_backend_config):

        satosa_config_dict["FRONTEND_MODULES"] = [saml_mirror_frontend_config]
        satosa_config_dict["BACKEND_MODULES"] = [
            oidc_backend_config, saml_backend_config
        ]

        create_and_write_saml_metadata(satosa_config_dict,
                                       cert_and_key[1],
                                       cert_and_key[0],
                                       str(tmpdir),
                                       None,
                                       split_frontend_metadata=True)

        conf = Config()
        conf.cert_file = cert_and_key[0]
        security_ctx = security_context(conf)

        file_pattern = "{}*.xml".format(saml_mirror_frontend_config["name"])
        written_metadata_files = glob.glob(
            os.path.join(str(tmpdir), file_pattern))
        assert len(written_metadata_files) == 2
        for file in written_metadata_files:
            md = MetaDataFile(None, file, security=security_ctx)
            assert md.load()
Beispiel #6
0
def get_saml_client(domain):
    """Get SAML2 client."""
    acs_url = domain + reverse('djangosaml2:acs')
    saml_settings = {
        'metadata': {
            'remote': [{
                'url': settings.SAML2_AUTH['METADATA_AUTO_CONF_URL']
            }]
        },
        'service': {
            'sp': {
                'endpoints': {
                    'assertion_consumer_service': [
                        (acs_url, BINDING_HTTP_REDIRECT),
                        (acs_url, BINDING_HTTP_POST)
                    ],
                },
                'allow_unsolicited': True,
                'authn_requests_signed': True,
                'logout_requests_signed': True,
                'want_assertions_signed': True,
                'want_response_signed': True,
            },
        },
    }

    sp_config = Config()
    sp_config.load(saml_settings)
    sp_config.allow_unknown_attributes = True
    saml_client = Saml2Client(config=sp_config)
    return saml_client
Beispiel #7
0
    def test_sp_type_false(self):
        fil = "sp_mdext_conf.py"
        cnf = Config().load_file(fil, metadata_construction=True)
        cnf.setattr('sp', 'sp_type_in_metadata', False)
        ed = entity_descriptor(cnf)

        assert all(e.tag is not SPType.c_tag for e in ed.extensions.extension_elements)
def test_dual():
    cnf = Config().load_file(dotname("idp_sp_conf"))

    spe = cnf.getattr("endpoints", "sp")
    idpe = cnf.getattr("endpoints", "idp")
    assert spe
    assert idpe
    assert spe != idpe
def test_load_local():
    # string representation of XML idp definition
    idp_metadata = open(full_path("metadata.xml")).read()

    saml_config = Config()

    config_dict = {"metadata": {"inline": [idp_metadata]}}
    cfg = saml_config.load(config_dict)
    assert cfg
def _make_metadata(config_dict, option):
    """
    Creates metadata from the given idp config

    :type config_dict: dict[str, Any]
    :type option: vopaas.metadata_creation.make_vopaas_metadata.MetadataOption
    :rtype: str

    :param config_dict: config
    :param option: metadata creation settings
    :return: A xml string
    """
    eds = []
    cnf = Config()
    cnf.load(copy.deepcopy(config_dict), metadata_construction=True)

    if option.valid:
        cnf.valid_for = option.valid
    eds.append(entity_descriptor(cnf))

    conf = Config()
    conf.key_file = option.keyfile
    conf.cert_file = option.cert
    conf.debug = 1
    conf.xmlsec_binary = option.xmlsec
    secc = security_context(conf)

    if option.id:
        desc, xmldoc = entities_descriptor(eds, option.valid, option.name, option.id,
                                           option.sign, secc)
        valid_instance(desc)
        print(desc.to_string(NSPAIR))
    else:
        for eid in eds:
            if option.sign:
                assert conf.key_file
                assert conf.cert_file
                eid, xmldoc = sign_entity_descriptor(eid, option.id, secc)
            else:
                xmldoc = None

            valid_instance(eid)
            xmldoc = metadata_tostring_fix(eid, NSPAIR, xmldoc).decode()
            return xmldoc
Beispiel #11
0
    def test_sp_type_true(self):
        fil = "sp_mdext_conf.py"
        cnf = Config().load_file(fil, metadata_construction=True)
        ed = entity_descriptor(cnf)

        assert ed.spsso_descriptor.extensions
        assert len(ed.spsso_descriptor.extensions.extension_elements) == 3
        assert ed.extensions
        assert len(ed.extensions.extension_elements) > 1
        assert any(e.tag is SPType.c_tag for e in ed.extensions.extension_elements)
Beispiel #12
0
def test_dual():
    cnf = Config().load_file("idp_sp_conf")
    assert cnf.serves() == ["sp", "idp"]

    spcnf = cnf.copy_into("sp")
    assert isinstance(spcnf, SPConfig)
    assert spcnf.context == "sp"

    idpcnf = cnf.copy_into("idp")
    assert isinstance(idpcnf, IdPConfig)
    assert idpcnf.context == "idp"
Beispiel #13
0
def test_3():
    cnf = Config()
    cnf.load_file(dotname("sp_1_conf"))
    assert cnf.entityid == "urn:mace:example.com:saml:roland:sp"
    assert cnf.debug == 1
    assert cnf.key_file == full_path("test.key")
    assert cnf.cert_file == full_path("test.pem")
    #assert cnf.xmlsec_binary ==  "/usr/local/bin/xmlsec1"
    assert cnf.accepted_time_diff == 60
    assert cnf.secret == "0123456789"
    assert cnf.metadata is not None
    assert cnf.attribute_converters is not None
Beispiel #14
0
    def dispatch(self, request, helper):
        if self.metadata_url is None:
            metadata_url = helper.fetch_state('metadata_url')
        else:
            metadata_url = self.metadata_url
        request_id = helper.fetch_state('request_id')
        settings = {
            'entityid':
            request.build_absolute_uri('/organizations/%s/' %
                                       helper.organization.slug),
            'metadata': {
                'remote': [{
                    'url': metadata_url,
                }],
            },
            'service': {
                'sp': {
                    'endpoints': {
                        'assertion_consumer_service':
                        [(request.build_absolute_uri(
                            reverse('sentry-auth-sso')), BINDING_HTTP_POST)],
                    },
                    'allow_unsolicited': False,
                    'authn_requests_signed': False,
                    'logout_requests_signed': True,
                    'want_assertions_signed': False,
                    'want_response_signed': True,
                },
            },
        }
        config = Config()
        config.load(settings)
        client = Saml2Client(config)
        response = client.parse_authn_request_response(
            request.POST['SAMLResponse'],
            BINDING_HTTP_POST,
            outstanding={request_id: True})
        extra = {
            key.lower(): value
            for key, value in response.get_identity().items()
        }
        user_info = response.get_subject()
        email = user_info.text
        username, domain = email.rsplit('@', 1)

        if not email:
            return helper.error('no email')

        helper.bind_state('email', email)
        helper.bind_state('name', extra.get('name', username))

        return helper.next_step()
    def test_oidc_saml(self, tmpdir, cert_and_key, satosa_config_dict,
                       oidc_frontend_config, saml_backend_config):
        satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config]
        satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config]

        create_and_write_saml_metadata(satosa_config_dict, cert_and_key[1],
                                       cert_and_key[0], str(tmpdir), None)

        conf = Config()
        conf.cert_file = cert_and_key[0]
        security_ctx = security_context(conf)
        md = MetaDataFile(None,
                          os.path.join(str(tmpdir), "backend.xml"),
                          security=security_ctx)
        assert md.load()

        assert not os.path.isfile(os.path.join(str(tmpdir), "frontend.xml"))
Beispiel #16
0
 def dispatch(self, request, helper):
     if self.metadata_url is None:
         metadata_url = helper.fetch_state('metadata_url')
     else:
         metadata_url = self.metadata_url
     org = self.get_active_organization(request)
     settings = {
         'entityid':
         request.build_absolute_uri('/organizations/%s/' % org.slug),
         'metadata': {
             'remote': [{
                 'url': metadata_url,
             }],
         },
         'service': {
             'sp': {
                 'endpoints': {
                     'assertion_consumer_service':
                     [(request.build_absolute_uri(
                         reverse('sentry-auth-sso')), BINDING_HTTP_POST)],
                 },
                 'allow_unsolicited': False,
                 'authn_requests_signed': False,
                 'logout_requests_signed': True,
                 'want_assertions_signed': False,
                 'want_response_signed': True,
             },
         },
     }
     config = Config()
     config.load(settings)
     client = Saml2Client(config)
     request_id, headers = client.prepare_for_authenticate()
     helper.bind_state('request_id', request_id)
     for key, value in headers['headers']:
         if key is 'Location':
             # helper.incr_step()
             helper.request.session['auth']['idx'] += 1
             helper.request.session.modified = True
             return self.redirect(value)
Beispiel #17
0
valid_for = 0
nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
paths = [".", "/opt/local/bin"]

if args.valid:
    # translate into hours
    valid_for = int(args.valid) * 24

eds = []
for filespec in args.config:
    bas, fil = os.path.split(filespec)
    if bas != "":
        sys.path.insert(0, bas)
    if fil.endswith(".py"):
        fil = fil[:-3]
    cnf = Config().load_file(fil, metadata_construction=True)
    if valid_for:
        cnf.valid_for = valid_for
    eds.append(entity_descriptor(cnf))

conf = Config()
conf.key_file = args.keyfile
conf.cert_file = args.cert
conf.debug = 1
conf.xmlsec_binary = args.xmlsec
secc = security_context(conf)

if args.id:
    desc, xmldoc = entities_descriptor(eds, valid_for, args.name, args.id,
                                       args.sign, secc)
    valid_instance(desc)
Beispiel #18
0
def _get_security_context(key, cert):
    conf = Config()
    conf.key_file = key
    conf.cert_file = cert
    return security_context(conf)
Beispiel #19
0
def _create_entity_descriptor(entity_config):
    cnf = Config().load(copy.deepcopy(entity_config), metadata_construction=True)
    return entity_descriptor(cnf)
Beispiel #20
0
def create_metadata_from_config_dict(config):
    nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
    conf = Config().load(config, metadata_construction=True)
    return entity_descriptor(conf).to_string(nspair).decode("utf-8")
Beispiel #21
0
valid_for = 0
nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
paths = [".", "/opt/local/bin"]

if args.valid:
    # translate into hours
    valid_for = int(args.valid) * 24

eds = []
for filespec in args.config:
    bas, fil = os.path.split(filespec)
    if bas != "":
        sys.path.insert(0, bas)
    if fil.endswith(".py"):
        fil = fil[:-3]
    cnf = Config().load_file(fil)
    if valid_for:
        cnf.valid_for = valid_for
    eds.append(entity_descriptor(cnf))

conf = Config()
conf.key_file = args.keyfile
conf.cert_file = args.cert
conf.debug = 1
conf.xmlsec_binary = args.xmlsec
secc = security_context(conf)

if args.id:
    desc, xmldoc = entities_descriptor(eds, valid_for, args.name, args.id,
                                       args.sign, secc)
    valid_instance(desc)
Beispiel #22
0
 def verification_security_context(self, cert_and_key):
     conf = Config()
     conf.cert_file = cert_and_key[0]
     return security_context(conf)
Beispiel #23
0
 def signature_security_context(self, cert_and_key):
     conf = Config()
     conf.cert_file = cert_and_key[0]
     conf.key_file = cert_and_key[1]
     return security_context(conf)
Beispiel #24
0
def _create_entity_descriptor(entity_config):
    cnf = Config().load(copy.deepcopy(entity_config))
    return entity_descriptor(cnf)