Beispiel #1
0
def test_get_certs_from_metadata():
    mds = MetadataStore(ONTS.values(), ATTRCONV, None)
    mds.imp(METADATACONF["11"])
    certs1 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "any")
    certs2 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso")

    assert certs1[0] == certs2[0] == TEST_CERT
Beispiel #2
0
def test_shibmd_scope_no_regex_all_descriptors():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["15"])

    scopes = mds.sbibmd_scopes(entity_id='http://example.com/saml2/idp.xml',
                               typ="idpsso_descriptor")
    all_scopes = list(scopes)
    expected = [
        {
            "regexp": False,
            "text": "descriptor-example.org",
        },
        {
            "regexp": True,
            "text": regex_compile("descriptor-example[^0-9]*\.org"),
        },
        {
            "regexp": False,
            "text": "idpssodescriptor-example.org",
        },
    ]
    assert len(all_scopes) == 3
    assert all_scopes == expected
Beispiel #3
0
def test_incommon_1():
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["2"])

    print((mds.entities()))
    assert mds.entities() > 1700
    idps = mds.with_descriptor("idpsso")
    print((list(idps.keys())))
    assert len(idps) > 300  # ~ 18%
    try:
        _ = mds.single_sign_on_service("urn:mace:incommon:uiuc.edu")
    except UnknownPrincipal:
        pass

    idpsso = mds.single_sign_on_service("urn:mace:incommon:alaska.edu")
    assert len(idpsso) == 1
    print(idpsso)
    assert destinations(idpsso) == ["https://idp.alaska.edu/idp/profile/SAML2/Redirect/SSO"]

    sps = mds.with_descriptor("spsso")

    acs_sp = []
    for nam, desc in list(sps.items()):
        if "attribute_consuming_service" in desc:
            acs_sp.append(nam)

    assert len(acs_sp) == 0

    # Look for attribute authorities
    aas = mds.with_descriptor("attribute_authority")

    print((list(aas.keys())))
    assert len(aas) == 180
Beispiel #4
0
def test_incommon_1():
    mds = MetadataStore(ONTS.values(), ATTRCONV, xmlsec_path,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["2"])

    print mds.entities()
    assert mds.entities() == 169
    idps = mds.with_descriptor("idpsso")
    print idps.keys()
    assert len(idps) == 53 # !!!!???? < 10%
    assert mds.single_sign_on_service('urn:mace:incommon:uiuc.edu') == []
    idpsso = mds.single_sign_on_service('urn:mace:incommon:alaska.edu')
    assert len(idpsso) == 1
    print idpsso
    assert destinations(idpsso) == ['https://idp.alaska.edu/idp/profile/SAML2/Redirect/SSO']

    sps = mds.with_descriptor("spsso")

    acs_sp = []
    for nam, desc in sps.items():
        if "attribute_consuming_service" in desc:
            acs_sp.append(nam)

    assert len(acs_sp) == 0

    # Look for attribute authorities
    aas = mds.with_descriptor("attribute_authority")

    print aas.keys()
    assert len(aas) == 53
Beispiel #5
0
def test_metadata_file():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["8"])
    print((len(list(mds.keys()))))
    assert len(list(mds.keys())) == 560
Beispiel #6
0
def test_switch_1():
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["5"])
    assert len(mds.keys()) > 160
    idps = mds.with_descriptor("idpsso")
    print(idps.keys())
    idpsso = mds.single_sign_on_service(
        'https://aai-demo-idp.switch.ch/idp/shibboleth')
    assert len(idpsso) == 1
    print(idpsso)
    assert destinations(idpsso) == [
        'https://aai-demo-idp.switch.ch/idp/profile/SAML2/Redirect/SSO']
    assert len(idps) > 30
    aas = mds.with_descriptor("attribute_authority")
    print(aas.keys())
    aad = aas['https://aai-demo-idp.switch.ch/idp/shibboleth']
    print(aad.keys())
    assert len(aad["attribute_authority_descriptor"]) == 1
    assert len(aad["idpsso_descriptor"]) == 1

    sps = mds.with_descriptor("spsso")
    dual = [eid for eid, ent in idps.items() if eid in sps]
    print(len(dual))
    assert len(dual) == 0
Beispiel #7
0
def test_sp_metadata():
    mds = MetadataStore(ONTS.values(),
                        ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["6"])

    assert len(mds.keys()) == 1
    assert mds.keys() == ['urn:mace:umu.se:saml:roland:sp']
    assert _eq(mds['urn:mace:umu.se:saml:roland:sp'].keys(),
               ['entity_id', '__class__', 'spsso_descriptor'])

    req = mds.attribute_requirement('urn:mace:umu.se:saml:roland:sp')
    print req
    assert len(req["required"]) == 3
    assert len(req["optional"]) == 1
    assert req["optional"][0]["name"] == 'urn:oid:2.5.4.12'
    assert req["optional"][0]["friendly_name"] == 'title'
    assert _eq([n["name"] for n in req["required"]], [
        'urn:oid:2.5.4.4', 'urn:oid:2.5.4.42',
        'urn:oid:0.9.2342.19200300.100.1.3'
    ])
    assert _eq([n["friendly_name"] for n in req["required"]],
               ['surName', 'givenName', 'mail'])
Beispiel #8
0
    def load_metadata(self, metadata_conf):
        """ Loads metadata into an internal structure """

        acs = self.attribute_converters

        if acs is None:
            raise ConfigurationError(
                "Missing attribute converter specification")

        try:
            ca_certs = self.ca_certs
        except:
            ca_certs = None
        try:
            disable_validation = self.disable_ssl_certificate_validation
        except:
            disable_validation = False

        mds = MetadataStore(
            acs,
            self,
            ca_certs,
            disable_ssl_certificate_validation=disable_validation)

        mds.imp(metadata_conf)

        return mds
Beispiel #9
0
def test_filter_ava3():
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]
    }])

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134"
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
Beispiel #10
0
    def load_metadata(self, metadata_conf):
        """ Loads metadata into an internal structure """

        xmlsec_binary = self.xmlsec_binary
        acs = self.attribute_converters

        if xmlsec_binary is None:
            raise Exception("Missing xmlsec1 specification")
        if acs is None:
            raise Exception("Missing attribute converter specification")

        try:
            ca_certs = self.ca_certs
        except:
            ca_certs = None
        try:
            disable_validation = self.disable_ssl_certificate_validation
        except:
            disable_validation = False

        mds = MetadataStore(
            ONTS.values(),
            acs,
            xmlsec_binary,
            ca_certs,
            disable_ssl_certificate_validation=disable_validation)

        mds.imp(metadata_conf)

        return mds
Beispiel #11
0
def test_filter_ava_5():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["1"])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None,  # means all I have
            "entity_categories": ["swamid", "edugain"]
        }
    }
    policy = Policy(restrictions=policy_conf, mds=mds)

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": [
            "*****@*****.**",
            "*****@*****.**",
        ],
    }
    ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")

    # using entity_categories means there *always* are restrictions
    # in this case the only allowed attribute is eduPersonTargetedID
    # which isn't available in the ava hence zip is returned.
    assert ava == {}
Beispiel #12
0
def test_swami_1():
    UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["1"])
    assert len(mds) == 1  # One source
    idps = mds.with_descriptor("idpsso")
    assert idps.keys()
    idpsso = mds.single_sign_on_service(UMU_IDP)
    assert len(idpsso) == 1
    assert destinations(idpsso) == [
        'https://idp.umu.se/saml2/idp/SSOService.php']

    _name = name(mds[UMU_IDP])
    assert _name == u'Umeå University (SAML2)'
    certs = mds.certs(UMU_IDP, "idpsso", "signing")
    assert len(certs) == 1

    sps = mds.with_descriptor("spsso")
    assert len(sps) == 108

    wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation'])

    wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
    assert wants["required"] == []
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
Beispiel #13
0
    def load_metadata(self, metadata_conf):
        """ Loads metadata into an internal structure """

        acs = self.attribute_converters

        if acs is None:
            raise ConfigurationError(
                "Missing attribute converter specification")

        try:
            ca_certs = self.ca_certs
        except:
            ca_certs = None
        try:
            disable_validation = self.disable_ssl_certificate_validation
        except:
            disable_validation = False

        mds = MetadataStore(
            ONTS.values(), acs, self, ca_certs,
            disable_ssl_certificate_validation=disable_validation)

        mds.imp(metadata_conf)

        return mds
Beispiel #14
0
    def load_metadata(self, metadata_conf):
        """ Loads metadata into an internal structure """

        xmlsec_binary = self.xmlsec_binary
        acs = self.attribute_converters

        if xmlsec_binary is None:
            raise Exception("Missing xmlsec1 specification")
        if acs is None:
            raise Exception("Missing attribute converter specification")

        try:
            ca_certs = self.ca_certs
        except:
            ca_certs = None
        try:
            disable_validation = self.disable_ssl_certificate_validation
        except:
            disable_validation = False

        mds = MetadataStore(ONTS.values(), acs, xmlsec_binary, ca_certs,
                            disable_ssl_certificate_validation=disable_validation)

        mds.imp(metadata_conf)

        return mds
Beispiel #15
0
def test_switch_1():
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["5"])
    assert len(mds.keys()) > 160
    idps = mds.with_descriptor("idpsso")
    print(idps.keys())
    idpsso = mds.single_sign_on_service(
        'https://aai-demo-idp.switch.ch/idp/shibboleth')
    assert len(idpsso) == 1
    print(idpsso)
    assert destinations(idpsso) == [
        'https://aai-demo-idp.switch.ch/idp/profile/SAML2/Redirect/SSO']
    assert len(idps) > 30
    aas = mds.with_descriptor("attribute_authority")
    print(aas.keys())
    aad = aas['https://aai-demo-idp.switch.ch/idp/shibboleth']
    print(aad.keys())
    assert len(aad["attribute_authority_descriptor"]) == 1
    assert len(aad["idpsso_descriptor"]) == 1

    sps = mds.with_descriptor("spsso")
    dual = [eid for eid, ent in idps.items() if eid in sps]
    print(len(dual))
    assert len(dual) == 0
Beispiel #16
0
def test_get_certs_from_metadata():
    mds = MetadataStore(ATTRCONV, None)
    mds.imp(METADATACONF["11"])
    certs1 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "any")
    certs2 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso")

    assert certs1[0] == certs2[0] == TEST_CERT
Beispiel #17
0
def test_swami_1():
    UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["1"])
    assert len(mds) == 1  # One source
    idps = mds.with_descriptor("idpsso")
    assert idps.keys()
    idpsso = mds.single_sign_on_service(UMU_IDP)
    assert len(idpsso) == 1
    assert destinations(idpsso) == [
        'https://idp.umu.se/saml2/idp/SSOService.php']

    _name = name(mds[UMU_IDP])
    assert _name == u'Umeå University (SAML2)'
    certs = mds.certs(UMU_IDP, "idpsso", "signing")
    assert len(certs) == 1

    sps = mds.with_descriptor("spsso")
    assert len(sps) == 108

    wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation'])

    wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
    assert wants["required"] == []
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
Beispiel #18
0
def test_supported_algorithms():
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["11"])
    algs = mds.supported_algorithms(entity_id='http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php')
    assert 'http://www.w3.org/2001/04/xmlenc#sha256' in algs['digest_methods']
    assert 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' in algs['signing_methods']
Beispiel #19
0
def test_load_local_dir():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["9"])
    print mds
    assert len(mds) == 3  # Three sources
    assert len(mds.keys()) == 4  # number of idps
Beispiel #20
0
def test_metadata_file():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["8"])
    print(len(mds.keys()))
    assert len(mds.keys()) == 560
Beispiel #21
0
def test_registration_info_no_policy():
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["13"])
    registration_info = mds.registration_info(entity_id='https://idp.szie.hu/idp/shibboleth')
    assert 'http://eduid.hu' == registration_info['registration_authority']
    assert registration_info['registration_instant'] is None
    assert registration_info['registration_policy'] == {}
Beispiel #22
0
def test_ext_2():
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["3"])
    # No specific binding defined

    ents = mds.with_descriptor("spsso")
    for binding in [BINDING_SOAP, BINDING_HTTP_POST, BINDING_HTTP_ARTIFACT, BINDING_HTTP_REDIRECT]:
        assert mds.single_logout_service(list(ents.keys())[0], binding, "spsso")
Beispiel #23
0
def test_load_external():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["10"])
    print(mds)
    assert len(mds) == 1  # One source
    assert len(mds.keys()) > 1  # number of idps
Beispiel #24
0
    def __init__(self, idp_conf, logger, conf, publicKey, privateKey, metadataList):
        """
        Constructor.
        Initiates the class.
        :param logger: Logger to be used when something needs to be logged.
        :param conf: idp_proxy_conf see IdpProxy/conig/idp_proxy_conf.example.py
        :param key: A RSA key to be used for encryption.
        :param metadataList: A list of metadata files.
            [{"local": ["swamid-1.0.xml"]}, {"local": ["sp.xml"]}]
        :raise:
        """
        if (logger is None) or (conf is None) or (publicKey is None)or (privateKey is None):
            raise ValueError(
                "A new instance must include a value for logger, conf and key.")
        #Public key to be used for encryption.
        self.publicKey = publicKey
        self.privateKey = privateKey
        #Used for presentation of mako files.
        self.lookup = TemplateLookup(
            directories=[MetadataGeneration.CONST_STATIC_MAKO + 'templates',
                         MetadataGeneration.CONST_STATIC_MAKO + 'htdocs'],
            module_directory='modules',
            input_encoding='utf-8',
            output_encoding='utf-8')
        #The logger.
        self.logger = logger
        #A list of all social services used by this IdPproxy.
        self.socialServiceKeyList = []
        #A list of all service providers used by this sp.
        self.spKeyList = []
        for key in conf:
            self.socialServiceKeyList.append(conf[key]["name"])

        try:
            xmlsec_path = get_xmlsec_binary(["/opt/local/bin"])
        except:
            try:
                xmlsec_path = get_xmlsec_binary(["/usr/local/bin"])
            except:
                self.logger.info('Xmlsec must be installed! Tries /usr/bin/xmlsec1.')
                xmlsec_path = '/usr/bin/xmlsec1'

        self.xmlsec_path = xmlsec_path

        config = Config()
        config.disable_ssl_certificate_validation = True
        config.key_file = idp_conf["key_file"]
        config.cert_file = idp_conf["cert_file"]
        config.xmlsec_binary = idp_conf["xmlsec_binary"]
        config.debug = idp_conf["debug"]

        for metadata in metadataList:
            mds = MetadataStore(MetadataGeneration.CONST_ONTS.values(),
                                MetadataGeneration.CONST_ATTRCONV, config)
            mds.imp(metadata)
            for entityId in mds.keys():
                self.spKeyList.append(entityId)
Beispiel #25
0
def test_load_external():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["10"])
    print(mds)
    assert len(mds) == 1  # One source
    assert len(mds.keys()) > 1  # number of idps
Beispiel #26
0
def test_registration_info():
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["13"])
    registration_info = mds.registration_info(entity_id='https://aai-idp.unibe.ch/idp/shibboleth')
    assert 'http://rr.aai.switch.ch/' == registration_info['registration_authority']
    assert '2013-06-15T18:15:03Z' == registration_info['registration_instant']
    assert 'https://www.switch.ch/aai/federation/switchaai/metadata-registration-practice-statement-20110711.txt' == \
           registration_info['registration_policy']['en']
Beispiel #27
0
def test_load_local_dir():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["9"])
    print(mds)
    assert len(mds) == 3  # Three sources
    assert len(mds.keys()) == 4  # number of idps
Beispiel #28
0
def test_load_extern_incommon():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["10"])
    print(mds)
    assert mds
    assert len(mds.keys())
Beispiel #29
0
def test_metadata():
    conf = config.Config()
    conf.load_file("idp_conf_mdb")
    UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
    # Set up a Metadata store
    mds = MetadataStore(ONTS.values(),
                        ATTRCONV,
                        conf,
                        disable_ssl_certificate_validation=True)

    # Import metadata from local file.
    mds.imp({"local": [full_path("swamid-2.0.xml")]})
    assert len(mds) == 1  # One source

    export_mdstore_to_mongo_db(mds, "metadata", "test")

    mdmdb = MetadataMDB(ONTS, ATTRCONV, "metadata", "test")
    # replace all metadata instances with this one
    mds.metadata = {"mongo_db": mdmdb}

    idps = mds.with_descriptor("idpsso")
    assert idps.keys()
    idpsso = mds.single_sign_on_service(UMU_IDP)
    assert len(idpsso) == 1
    assert destinations(idpsso) == [
        'https://idp.umu.se/saml2/idp/SSOService.php'
    ]

    _name = name(mds[UMU_IDP])
    assert _name == u'Ume\xe5 University'
    certs = mds.certs(UMU_IDP, "idpsso", "signing")
    assert len(certs) == 1

    sps = mds.with_descriptor("spsso")
    assert len(sps) == 356

    wants = mds.attribute_requirement('https://connect.sunet.se/shibboleth')
    assert wants["optional"] == []
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
    assert _eq(lnamn, [
        'eduPersonPrincipalName', 'mail', 'givenName', 'sn',
        'eduPersonScopedAffiliation', 'eduPersonAffiliation'
    ])

    wants = mds.attribute_requirement(
        "https://gidp.geant.net/sp/module.php/saml/sp/metadata.php/default-sp")
    # Optional
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, [
        'displayName', 'commonName', 'schacHomeOrganization',
        'eduPersonAffiliation', 'schacHomeOrganizationType'
    ])
    # Required
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
    assert _eq(lnamn,
               ['eduPersonTargetedID', 'mail', 'eduPersonScopedAffiliation'])
Beispiel #30
0
def test_filter_ava_esi_coco():
    entity_id = "https://esi-coco.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_esi_and_coco_sp.xml"), )]
    }])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "entity_categories": ["swamid"]
        }
    }

    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Test"],
        "sn": ["Testsson"],
        "mail": ["*****@*****.**"],
        "c": ["SE"],
        "schacHomeOrganization": ["example.com"],
        "eduPersonScopedAffiliation": ["*****@*****.**"],
        "schacPersonalUniqueCode": [
            "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
        ]
    }

    requested_attributes = [{
        'friendly_name': 'eduPersonScopedAffiliation',
        'name': '1.3.6.1.4.1.5923.1.1.1.9',
        'name_format': NAME_FORMAT_URI,
        'is_required': 'true'
    }, {
        'friendly_name': 'schacHomeOrganization',
        'name': '1.3.6.1.4.1.25178.1.2.9',
        'name_format': NAME_FORMAT_URI,
        'is_required': 'true'
    }]

    ava = policy.filter(ava, entity_id, required=requested_attributes)

    assert _eq(list(ava.keys()), [
        'eduPersonScopedAffiliation', 'schacHomeOrganization',
        'schacPersonalUniqueCode'
    ])
    assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])
    assert _eq(ava["schacPersonalUniqueCode"], [
        "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
    ])
Beispiel #31
0
    def create_metadata(self, metadata):

        # For database implementation
        #mds = MetaDataStoreDB(db, self.config.attribute_converters, self.config)
        #mds.load_from_database()

        mds = MetadataStore(self.config.attribute_converters, self.config)
        mds.imp(metadata)

        return mds
Beispiel #32
0
def test_load_extern_incommon():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["10"])
    print(mds)
    assert mds
    assert len(mds.keys())
Beispiel #33
0
def test_swamid_idp():
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True,
                        filter=AllowDescriptor(["idpsso"]))

    mds.imp(METADATACONF["1"])
    sps = mds.with_descriptor("spsso")
    assert len(sps) == 0
    idps = mds.with_descriptor("idpsso")
    assert len(idps) == 275
Beispiel #34
0
def test_example():
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["4"])
    assert len(list(mds.keys())) == 1
    idps = mds.with_descriptor("idpsso")

    assert list(idps.keys()) == ["http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php"]
    certs = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso", "signing")
    assert len(certs) == 1
Beispiel #35
0
def test_ext_2():
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["3"])
    # No specific binding defined

    ents = mds.with_descriptor("spsso")
    for binding in [BINDING_SOAP, BINDING_HTTP_POST, BINDING_HTTP_ARTIFACT,
                    BINDING_HTTP_REDIRECT]:
        assert mds.single_logout_service(list(ents.keys())[0], binding, "spsso")
Beispiel #36
0
def test_metadata():
    conf = config.Config()
    conf.load_file("idp_conf_mdb")
    umu_idp = 'https://idp.umu.se/saml2/idp/metadata.php'
    # Set up a Metadata store
    mds = MetadataStore(ATTRCONV, conf,
                        disable_ssl_certificate_validation=True)

    # Import metadata from local file.
    mds.imp([{"class": "saml2.mdstore.MetaDataFile",
              "metadata": [(full_path("swamid-2.0.xml"), )]}])
    assert len(mds) == 1  # One source

    try:
        export_mdstore_to_mongo_db(mds, "metadata", "test")
    except ConnectionFailure:
        pass
    else:
        mdmdb = MetadataMDB(ATTRCONV, "metadata", "test")
        # replace all metadata instances with this one
        mds.metadata = {"mongo_db": mdmdb}

        idps = mds.with_descriptor("idpsso")
        assert idps.keys()
        idpsso = mds.single_sign_on_service(umu_idp)
        assert len(idpsso) == 1
        assert destinations(idpsso) == [
            'https://idp.umu.se/saml2/idp/SSOService.php']

        _name = name(mds[umu_idp])
        assert _name == u'Ume\xe5 University'
        certs = mds.certs(umu_idp, "idpsso", "signing")
        assert len(certs) == 1

        sps = mds.with_descriptor("spsso")
        assert len(sps) == 417

        wants = mds.attribute_requirement('https://connect.sunet.se/shibboleth')
        assert wants["optional"] == []
        lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
        assert _eq(lnamn,
                   ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                    'eduPersonScopedAffiliation', 'eduPersonAffiliation'])

        wants = mds.attribute_requirement(
            "https://gidp.geant.net/sp/module.php/saml/sp/metadata.php/default-sp")
        # Optional
        lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
        assert _eq(lnamn, ['displayName', 'commonName', 'schacHomeOrganization',
                           'eduPersonAffiliation', 'schacHomeOrganizationType'])
        # Required
        lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
        assert _eq(lnamn, ['eduPersonTargetedID', 'mail',
                           'eduPersonScopedAffiliation'])
Beispiel #37
0
def test_get_named_certs_from_metadata():
    mds = MetadataStore(ATTRCONV, None)
    mds.imp(METADATACONF["3"])

    cert_sign_name, cert_sign = mds.certs(
        "https://coip-test.sunet.se/shibboleth", "spsso", "signing"
    )[0]
    cert_enc_name, cert_enc = mds.certs(
        "https://coip-test.sunet.se/shibboleth", "spsso", "encryption"
    )[0]

    assert cert_sign_name == cert_enc_name == "coip-test.sunet.se"
Beispiel #38
0
def test_get_unnamed_certs_from_metadata():
    mds = MetadataStore(ATTRCONV, None)
    mds.imp(METADATACONF["11"])

    cert_any_name, cert_any = mds.certs(
        "http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "any"
    )[0]
    cert_idpsso_name, cert_idpsso = mds.certs(
        "http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso"
    )[0]

    assert cert_any_name is None
    assert cert_idpsso_name is None
Beispiel #39
0
def test_example():
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["4"])
    assert len(mds.keys()) == 1
    idps = mds.with_descriptor("idpsso")

    assert list(idps.keys()) == [
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php']
    certs = mds.certs(
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php',
        "idpsso", "signing")
    assert len(certs) == 1
Beispiel #40
0
def test_metadata():
    conf = config.Config()
    conf.load_file("idp_conf_mdb")
    UMU_IDP = "https://idp.umu.se/saml2/idp/metadata.php"
    # Set up a Metadata store
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, conf, disable_ssl_certificate_validation=True)

    # Import metadata from local file.
    mds.imp({"local": [full_path("swamid-2.0.xml")]})
    assert len(mds) == 1  # One source

    export_mdstore_to_mongo_db(mds, "metadata", "test")

    mdmdb = MetadataMDB(ONTS, ATTRCONV, "metadata", "test")
    # replace all metadata instances with this one
    mds.metadata = {"mongo_db": mdmdb}

    idps = mds.with_descriptor("idpsso")
    assert list(idps.keys())
    idpsso = mds.single_sign_on_service(UMU_IDP)
    assert len(idpsso) == 1
    assert destinations(idpsso) == ["https://idp.umu.se/saml2/idp/SSOService.php"]

    _name = name(mds[UMU_IDP])
    assert _name == "Ume\xe5 University"
    certs = mds.certs(UMU_IDP, "idpsso", "signing")
    assert len(certs) == 1

    sps = mds.with_descriptor("spsso")
    assert len(sps) == 431

    wants = mds.attribute_requirement("https://connect.sunet.se/shibboleth")
    assert wants["optional"] == []
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
    assert _eq(
        lnamn,
        ["eduPersonPrincipalName", "mail", "givenName", "sn", "eduPersonScopedAffiliation", "eduPersonAffiliation"],
    )

    wants = mds.attribute_requirement("https://gidp.geant.net/sp/module.php/saml/sp/metadata.php/default-sp")
    # Optional
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(
        lnamn,
        ["displayName", "commonName", "schacHomeOrganization", "eduPersonAffiliation", "schacHomeOrganizationType"],
    )
    # Required
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
    assert _eq(lnamn, ["eduPersonTargetedID", "mail", "eduPersonScopedAffiliation"])
Beispiel #41
0
def test_load_external(mock_request):
    filepath = os.path.join(TESTS_DIR, "remote_data/InCommon-metadata-export.xml")
    with open(filepath) as fd:
        data = fd.read()
    mock_request.return_value.ok = True
    mock_request.return_value.status_code = 200
    mock_request.return_value.content = data

    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["10"])
    print(mds)
    assert len(mds) == 1  # One source
    assert len(mds.keys()) > 1  # number of idps
Beispiel #42
0
def test_load_string():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["11"])
    # print(mds)
    assert len(mds.keys()) == 1
    idps = mds.with_descriptor("idpsso")

    assert list(idps.keys()) == [
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php']
    certs = mds.certs(
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php',
        "idpsso", "signing")
    assert len(certs) == 1
Beispiel #43
0
def test_load_string():
    sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["11"])
    print(mds)
    assert len(mds.keys()) == 1
    idps = mds.with_descriptor("idpsso")

    assert list(idps.keys()) == [
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php']
    certs = mds.certs(
        'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php',
        "idpsso", "signing")
    assert len(certs) == 1
Beispiel #44
0
def test_entity_category_import_from_path():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    # The file entity_cat_rs.xml contains the SAML metadata for an SP
    # tagged with the REFEDs R&S entity category.
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_cat_rs.xml"), )]
    }])

    # The entity category module myentitycategory.py is in the tests
    # directory which is on the standard module search path.
    # The module uses a custom interpretation of the REFEDs R&S entity category
    # by adding eduPersonUniqueId.
    policy = Policy(
        {
            "default": {
                "lifetime": {
                    "minutes": 15
                },
                "entity_categories": ["myentitycategory"]
            }
        }, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "displayName": "Derek Jeter",
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "eduPersonUniqueId": "*****@*****.**",
        "eduPersonScopedAffiliation": "*****@*****.**",
        "eduPersonPrincipalName": "*****@*****.**",
        "norEduPersonNIN": "19800101134"
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    # We expect c and norEduPersonNIN to be filtered out since they are not
    # part of the custom entity category.
    assert _eq(list(ava.keys()), [
        "eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId",
        "displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"
    ])
Beispiel #45
0
def test_filter_ava_required_attributes_with_no_friendly_name():
    entity_id = "https://no-friendly-name.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_no_friendly_name_sp.xml"), )]
    }])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "entity_categories": ["swamid"]
        }
    }
    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134",
    }

    attribute_requirements = mds.attribute_requirement(entity_id)
    required = attribute_requirements.get("required", [])
    optional = attribute_requirements.get("optional", [])

    # ensure the requirements define the eduPersonTargetedID
    # without the friendlyName attribute
    oid_eptid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
    requested_attribute_eptid = RequestedAttribute(name=oid_eptid,
                                                   name_format=NAME_FORMAT_URI,
                                                   is_required='true')
    assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]

    ava = policy.filter(ava, entity_id, required=required, optional=optional)
    assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
Beispiel #46
0
def test_filter_ava_registration_authority_1():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["1"])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None,
        },
        "http://rr.aai.switch.ch/": {
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
            }
        }
    }
    policy = Policy(restrictions=policy_conf, mds=mds)

    attributes = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": [
            "*****@*****.**",
            "*****@*****.**",
        ],
    }

    # SP registered with http://rr.aai.switch.ch/
    ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth")
    assert _eq(sorted(list(ava.keys())), ["givenName", "surName"])
    assert ava["givenName"] == ["Derek"]
    assert ava["surName"] == ["Jeter"]

    # SP not registered with http://rr.aai.switch.ch/
    ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth")
    assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
    assert ava["givenName"] == ["Derek"]
    assert ava["surName"] == ["Jeter"]
    assert ava["mail"] == ["*****@*****.**", "*****@*****.**"]
Beispiel #47
0
def find_allowed_algorithms(metadata_file, ic):
    mds = MetadataStore(ic.attribute_converters, ic,
                        disable_ssl_certificate_validation=True)

    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(metadata_file,)]}])

    md = mds.metadata[metadata_file]
    ed = list(md.entity.values())[0]
    res = {"digest_algorithms":[], "signing_algorithms":[]}

    for elem in ed['extensions']['extension_elements']:
        if elem['__class__'] == '{}&DigestMethod'.format(algsupport.NAMESPACE):
            res['digest_algorithms'].append(elem['algorithm'])
        elif elem['__class__'] == '{}&SigningMethod'.format(
                algsupport.NAMESPACE):
            res['signing_algorithms'].append(elem['algorithm'])

    return res
Beispiel #48
0
def test_metadata():
    conf = config.Config()
    conf.load_file("idp_conf_mdb")
    UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
    mds = MetadataStore(ONTS.values(), ATTRCONV, conf,
                        disable_ssl_certificate_validation=True)

    mds.imp({"local": [full_path("swamid-1.0.xml")]})
    assert len(mds) == 1  # One source

    export_mdstore_to_mongo_db(mds, "metadata", "test")

    mdmdb = MetadataMDB(ONTS, ATTRCONV, "metadata", "test")
    # replace all metadata instances with this one
    mds.metadata = {"mongo_db": mdmdb}

    idps = mds.with_descriptor("idpsso")
    assert idps.keys()
    idpsso = mds.single_sign_on_service(UMU_IDP)
    assert len(idpsso) == 1
    assert destinations(idpsso) == [
        'https://idp.umu.se/saml2/idp/SSOService.php']

    _name = name(mds[UMU_IDP])
    assert _name == u'Umeå University (SAML2)'
    certs = mds.certs(UMU_IDP, "idpsso", "signing")
    assert len(certs) == 1

    sps = mds.with_descriptor("spsso")
    assert len(sps) == 108

    wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation'])

    wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
    assert wants["required"] == []
    lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
    assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                       'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
Beispiel #49
0
def test_filter_ava3():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}])

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "mail": ["*****@*****.**"], "c": ["USA"],
           "eduPersonTargetedID": "foo!bar!xyz",
           "norEduPersonNIN": "19800101134"}

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
Beispiel #50
0
def test_sp_metadata():
    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["6"])

    assert len(mds.keys()) == 1
    assert mds.keys() == ['urn:mace:umu.se:saml:roland:sp']
    assert _eq(mds['urn:mace:umu.se:saml:roland:sp'].keys(),
               ['entity_id', '__class__', 'spsso_descriptor'])

    req = mds.attribute_requirement('urn:mace:umu.se:saml:roland:sp')
    print req
    assert len(req["required"]) == 3
    assert len(req["optional"]) == 1
    assert req["optional"][0]["name"] == 'urn:oid:2.5.4.12'
    assert req["optional"][0]["friendly_name"] == 'title'
    assert _eq([n["name"] for n in req["required"]],
               ['urn:oid:2.5.4.4', 'urn:oid:2.5.4.42',
                'urn:oid:0.9.2342.19200300.100.1.3'])
    assert _eq([n["friendly_name"] for n in req["required"]],
               ['surName', 'givenName', 'mail'])
Beispiel #51
0
def load(insecure, conf, md_conf, typ):
    try:
        md_conf = conf["metadata"]
        del conf["metadata"]
    except KeyError:
        pass

    if typ == 'sp':
        _cnf = SPConfig().load(conf)
    else:
        _cnf = IdPConfig().load(conf)

    if insecure:
        disable_validation = True
    else:
        disable_validation = False

    mds = MetadataStore(_cnf.attribute_converters, _cnf,
                        disable_ssl_certificate_validation=disable_validation)

    mds.imp(md_conf)

    return mds
Beispiel #52
0
def test_entity_category_import_from_path():
    # The entity category module myentitycategory.py is in the tests
    # directory which is on the standard module search path.
    # The module uses a custom interpretation of the REFEDs R&S entity category
    # by adding eduPersonUniqueId.
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            "entity_categories": ["myentitycategory"]
        }
    })

    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    # The file entity_cat_rs.xml contains the SAML metadata for an SP
    # tagged with the REFEDs R&S entity category.
    mds.imp([{"class": "saml2.mdstore.MetaDataFile",
              "metadata": [(full_path("entity_cat_rs.xml"),)]}])

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "displayName": "Derek Jeter",
           "mail": ["*****@*****.**"], "c": ["USA"],
           "eduPersonTargetedID": "foo!bar!xyz",
           "eduPersonUniqueId": "*****@*****.**",
           "eduPersonScopedAffiliation": "*****@*****.**",
           "eduPersonPrincipalName": "*****@*****.**",
           "norEduPersonNIN": "19800101134"}

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    # We expect c and norEduPersonNIN to be filtered out since they are not
    # part of the custom entity category.
    assert _eq(list(ava.keys()),
               ["eduPersonTargetedID", "eduPersonPrincipalName",
                "eduPersonUniqueId", "displayName", "givenName",
                "eduPersonScopedAffiliation", "mail", "sn"])
Beispiel #53
0
def test_get_certs_from_metadata_without_keydescriptor():
    mds = MetadataStore(ONTS.values(), ATTRCONV, None)
    mds.imp([{
        "class": "saml2.mdstore.InMemoryMetaData",
        "metadata": [("""
<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:example.com:test-1.0">
  <EntityDescriptor
    entityID="http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php"
    xml:base="swamid-1.0/idp.umu.se-saml2.xml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php"/>
  </IDPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Catalogix</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Catalogix</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://www.catalogix.se</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <SurName>Hedberg</SurName>
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
</EntitiesDescriptor>""",)]
    }])
    certs = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso")

    assert len(certs) == 0
Beispiel #54
0
def test_sp_metadata():
    mds = MetadataStore(ONTS.values(), ATTRCONV, xmlsec_path,
                        disable_ssl_certificate_validation=True)

    mds.imp(METADATACONF["6"])

    assert len(mds.keys()) == 1
    assert mds.keys() == ['urn:mace:umu.se:saml:roland:sp']
    assert _eq(mds['urn:mace:umu.se:saml:roland:sp'].keys(), [
                            'entity_id', '__class__', 'spsso_descriptor'])

    req = mds.attribute_requirement('urn:mace:umu.se:saml:roland:sp')
    print req
    assert len(req["required"]) == 3
    assert len(req["optional"]) == 1
    assert req["optional"][0]["name"] == 'urn:oid:2.5.4.12'
    assert req["optional"][0]["friendly_name"] == 'title'
    assert _eq([n["name"] for n in req["required"]],['urn:oid:2.5.4.4',
                                            'urn:oid:2.5.4.42',
                                            'urn:oid:0.9.2342.19200300.100.1.3'])
    assert _eq([n["friendly_name"] for n in req["required"]],
                ['surName', 'givenName', 'mail'])

##def test_import_external_metadata(xmlsec):
##    md = metadata.MetaData(xmlsec,attrconv=ATTRCONV)
##    mds.import_external_metadata(KALMAR2_URL, KALMAR2_CERT)
##
##    print len(mds.entity)
##    assert len(mds.entity) > 20
##    idps = dict([
##        (id,ent["idpsso"]) for id,ent in mds.entity.items() if "idpsso" in ent])
##    print idps.keys()
##    assert len(idps) > 1
##    assert "https://idp.umu.se/saml2/idp/metadata.php" in idps
#
## ------------ Constructing metadata ----------------------------------------
#
#def test_construct_contact():
#    c = make_instance(mds.ContactPerson, {
#        "given_name":"Roland",
#        "sur_name": "Hedberg",
#        "email_address": "*****@*****.**",
#    })
#    print c
#    assert c.given_name.text == "Roland"
#    assert c.sur_name.text == "Hedberg"
#    assert c.email_address[0].text == "*****@*****.**"
#    assert _eq(c.keyswv(), ["given_name","sur_name","email_address"])
#
#
#def test_construct_organisation():
#    c = make_instance( mds.Organization, {
#            "organization_name": ["Example Co.",
#                    {"text":"Exempel AB", "lang":"se"}],
#            "organization_url": "http://www.example.com/"
#        })
#
#    assert _eq(c.keyswv(), ["organization_name","organization_url"])
#    assert len(c.organization_name) == 2
#    org_names = [on.text for on in c.organization_name]
#    assert _eq(org_names,["Exempel AB","Example Co."])
#    assert len(c.organization_url) == 1
#
#def test_construct_entity_descr_1():
#    ed = make_instance(mds.EntityDescriptor,
#        {"organization": {
#            "organization_name":"Catalogix",
#            "organization_url": "http://www.catalogix.se/"},
#         "entity_id": "urn:mace:catalogix.se:sp1",
#        })
#
#    assert ed.entity_id == "urn:mace:catalogix.se:sp1"
#    org = ed.organization
#    assert org
#    assert _eq(org.keyswv(), ["organization_name","organization_url"])
#    assert len(org.organization_name) == 1
#    assert org.organization_name[0].text == "Catalogix"
#    assert org.organization_url[0].text == "http://www.catalogix.se/"
#
#def test_construct_entity_descr_2():
#    ed = make_instance(mds.EntityDescriptor,
#        {"organization": {
#            "organization_name":"Catalogix",
#            "organization_url": "http://www.catalogix.se/"},
#         "entity_id": "urn:mace:catalogix.se:sp1",
#         "contact_person": {
#            "given_name":"Roland",
#            "sur_name": "Hedberg",
#            "email_address": "*****@*****.**",
#            }
#        })
#
#    assert _eq(ed.keyswv(), ["entity_id", "contact_person", "organization"])
#    assert ed.entity_id == "urn:mace:catalogix.se:sp1"
#    org = ed.organization
#    assert org
#    assert _eq(org.keyswv(), ["organization_name", "organization_url"])
#    assert len(org.organization_name) == 1
#    assert org.organization_name[0].text == "Catalogix"
#    assert org.organization_url[0].text == "http://www.catalogix.se/"
#    assert len(ed.contact_person) == 1
#    c = ed.contact_person[0]
#    assert c.given_name.text == "Roland"
#    assert c.sur_name.text == "Hedberg"
#    assert c.email_address[0].text == "*****@*****.**"
#    assert _eq(c.keyswv(), ["given_name","sur_name","email_address"])
#
#def test_construct_key_descriptor():
#    cert = "".join(_read_lines("test.pem")[1:-1]).strip()
#    spec = {
#        "use": "signing",
#        "key_info" : {
#            "x509_data": {
#                "x509_certificate": cert
#            }
#        }
#    }
#    kd = make_instance(mds.KeyDescriptor, spec)
#    assert _eq(kd.keyswv(), ["use", "key_info"])
#    assert kd.use == "signing"
#    ki = kd.key_info
#    assert _eq(ki.keyswv(), ["x509_data"])
#    assert len(ki.x509_data) == 1
#    data = ki.x509_data[0]
#    assert _eq(data.keyswv(), ["x509_certificate"])
#    assert data.x509_certificate
#    assert len(data.x509_certificate.text.strip()) == len(cert)
#
#def test_construct_key_descriptor_with_key_name():
#    cert = "".join(_read_lines("test.pem")[1:-1]).strip()
#    spec = {
#        "use": "signing",
#        "key_info" : {
#            "key_name": "example.com",
#            "x509_data": {
#                "x509_certificate": cert
#            }
#        }
#    }
#    kd = make_instance(mds.KeyDescriptor, spec)
#    assert _eq(kd.keyswv(), ["use", "key_info"])
#    assert kd.use == "signing"
#    ki = kd.key_info
#    assert _eq(ki.keyswv(), ["x509_data", "key_name"])
#    assert len(ki.key_name) == 1
#    assert ki.key_name[0].text.strip() == "example.com"
#    assert len(ki.x509_data) == 1
#    data = ki.x509_data[0]
#    assert _eq(data.keyswv(), ["x509_certificate"])
#    assert data.x509_certificate
#    assert len(data.x509_certificate.text.strip()) == len(cert)
#
#def test_construct_AttributeAuthorityDescriptor():
#    aad = make_instance(
#            mds.AttributeAuthorityDescriptor, {
#                "valid_until": time_util.in_a_while(30), # 30 days from now
#                "id": "aad.example.com",
#                "protocol_support_enumeration": SAML2_NAMESPACE,
#                "attribute_service": {
#                    "binding": BINDING_SOAP,
#                    "location": "http://example.com:6543/saml2/aad",
#                },
#                "name_id_format":[
#                    NAMEID_FORMAT_TRANSIENT,
#                ],
#                "key_descriptor": {
#                    "use": "signing",
#                    "key_info" : {
#                        "key_name": "example.com",
#                    }
#                }
#            })
#
#    print aad
#    assert _eq(aad.keyswv(),["valid_until", "id", "attribute_service",
#                            "name_id_format", "key_descriptor",
#                            "protocol_support_enumeration"])
#    assert time_util.str_to_time(aad.valid_until)
#    assert aad.id == "aad.example.com"
#    assert aad.protocol_support_enumeration == SAML2_NAMESPACE
#    assert len(aad.attribute_service) == 1
#    atsr = aad.attribute_service[0]
#    assert _eq(atsr.keyswv(),["binding", "location"])
#    assert atsr.binding == BINDING_SOAP
#    assert atsr.location == "http://example.com:6543/saml2/aad"
#    assert len(aad.name_id_format) == 1
#    nif = aad.name_id_format[0]
#    assert nif.text.strip() == NAMEID_FORMAT_TRANSIENT
#    assert len(aad.key_descriptor) == 1
#    kdesc = aad.key_descriptor[0]
#    assert kdesc.use == "signing"
#    assert kdesc.key_info.key_name[0].text.strip() == "example.com"
#
#STATUS_RESULT = """<?xml version='1.0' encoding='UTF-8'?>
#<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" /></ns0:StatusCode><ns0:StatusMessage>Error resolving principal</ns0:StatusMessage></ns0:Status>"""
#
#def test_status():
#    input = {
#        "status_code": {
#            "value": samlp.STATUS_RESPONDER,
#            "status_code":
#                {
#                "value": samlp.STATUS_UNKNOWN_PRINCIPAL,
#                },
#        },
#        "status_message": "Error resolving principal",
#        }
#    status_text = "%s" % make_instance( samlp.Status, input)
#    assert status_text == STATUS_RESULT
#
#def test_attributes():
#    required = ["surname", "givenname", "edupersonaffiliation"]
#    ra = metadata.do_requested_attribute(required, ATTRCONV, "True")
#    print ra
#    assert ra
#    assert len(ra) == 3
#    for i in range(3):
#        assert isinstance(ra[i], mds.RequestedAttribute)
#        assert ra[i].name_format == NAME_FORMAT_URI
#        assert ra[i].attribute_value == []
#        assert ra[i].is_required == "True"
#    assert ra[0].friendly_name == "surname"
#    assert ra[0].name == 'urn:oid:2.5.4.4'
#
#def test_extend():
#    md = metadata.MetaData(attrconv=ATTRCONV)
#    mds.import_metadata(_fix_valid_until(_read_file("extended.xml")), "-")
#
#    signcerts = mds.certs("https://coip-test.sunet.se/shibboleth", "signing")
#    assert len(signcerts) == 1
#    enccerts = mds.certs("https://coip-test.sunet.se/shibboleth", "encryption")
#    assert len(enccerts) == 1
#    assert signcerts[0] == enccerts[0]
#
#def test_ui_info():
#    md = metadata.MetaData(attrconv=ATTRCONV)
#    mds.import_metadata(_fix_valid_until(_read_file("idp_uiinfo.xml")), "-")
#    loc = mds.single_sign_on_services_with_uiinfo(
#                                            "http://example.com/saml2/idp.xml")
#    assert len(loc) == 1
#    assert loc[0][0] == "http://example.com/saml2/"
#    assert len(loc[0][1]) == 1
#    ui_info = loc[0][1][0]
#    print ui_info
#    assert ui_info.description[0].text == "Exempel bolag"
#
#def test_pdp():
#    md = metadata.MetaData(attrconv=ATTRCONV)
#    mds.import_metadata(_fix_valid_until(_read_file("pdp_meta.xml")), "-")
#
#    assert md
#
#    pdps = mds.pdp_services("http://www.example.org/pysaml2/")
#
#    assert len(pdps) == 1
#    pdp = pdps[0]
#    assert len(pdp.authz_service) == 1
#    assert pdp.authz_service[0].location == "http://www.example.org/pysaml2/authz"
#    assert pdp.authz_service[0].binding == BINDING_SOAP
#    endpoints = mds.authz_service("http://www.example.org/pysaml2/")
#    assert len(endpoints) == 1
#    assert endpoints[0] == "http://www.example.org/pysaml2/authz"
Beispiel #55
0
        _idp_conf[eid] = IdPConfig()
        _idp_conf[eid].load(config.CONFIG['basic'])

    # Create necessary keys if I don't already have them
    keys = key_handling('keys')

    if args.insecure:
        disable_validation = True
    else:
        disable_validation = False

    ic = list(_idp_conf.values())[0]
    mds = MetadataStore(ic.attribute_converters, ic,
                        disable_ssl_certificate_validation=disable_validation)

    mds.imp(config.METADATA)
    for key in config.CONFIG.keys():
        _idp_conf[key].metadata = mds

    if args.metadata:
        algos = find_allowed_algorithms(args.metadata, ic)
    else:
        algos = {}

    kwargs = {"base_url": copy.copy(config.BASE), 'idpconf': _idp_conf,
              "flows": fdef['Flows'], "order": fdef['Order'],
              "desc": fdef['Desc'], 'metadata': mds,
              "profile": args.profile, "msg_factory": saml_message_factory,
              "check_factory": get_check, 'conf': config,
              "cache": {}, "entity_id": ic.entityid,
              "profile_handler": ProfileHandler, 'map_prof': None,
Beispiel #56
0
Datei: run.py Projekt: rohe/mccs 
    mdattr.NAMESPACE: mdattr,
    dri.NAMESPACE: dri,
    ui.NAMESPACE: ui,
    idpdisc.NAMESPACE: idpdisc,
    md.NAMESPACE: md,
    xmldsig.NAMESPACE: xmldsig,
    xmlenc.NAMESPACE: xmlenc
}

ATTRCONV = ac_factory()

sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                    disable_ssl_certificate_validation=True)

mds.imp({"mdfile": ["swamid2.md"]})

# Nagios or or Not Nagios output based on command argument
NAGIOS = False
if len(sys.argv) > 1:
    if sys.argv[1].lower() == "nagios":
        NAGIOS = True

for entity_id in mds.identity_providers():
    if NAGIOS:
        p = subprocess.Popen(['./mccs.py', "-N", "-e", entity_id, "conf"],
                             stdout=subprocess.PIPE)
    else:
        p = subprocess.Popen(['./mccs.py', "-e", entity_id, "conf"],
                             stdout=subprocess.PIPE)
    print p.stdout.read()
Beispiel #57
0
def test_metadata_extension_algsupport():
    mds = MetadataStore(list(ONTS.values()), ATTRCONV, None)
    mds.imp(METADATACONF["12"])
    mdf = mds.metadata[full_path("uu.xml")]
    assert mds
Beispiel #58
0
    ui.NAMESPACE: ui,
    idpdisc.NAMESPACE: idpdisc,
    md.NAMESPACE: md,
    xmldsig.NAMESPACE: xmldsig,
    xmlenc.NAMESPACE: xmlenc
}

ATTRCONV = ac_factory(full_path("attributemaps"))
sec_config = config.Config()
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])

__author__ = 'rolandh'

MDS = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                    disable_ssl_certificate_validation=True)
MDS.imp([{"class": "saml2.mdstore.MetaDataMD", "metadata": [(full_path("swamid.md"), )]}])


def _eq(l1, l2):
    return set(l1) == set(l2)


def test_filter_ava():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })