class TestSP():
def setup_class(self):
self.sp = make_plugin("rem", saml_conf="server_conf")
# Explicitly allow unsigned responses for this test
self.sp.saml_client.want_response_signed = False
self.server = Server(config_file="idp_conf")
def teardown_class(self):
self.server.close()
def test_setup(self):
assert self.sp
def test_identify(self):
# Create a SAMLResponse
ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**"], "title": ["The man"]}
resp_str = "%s" % self.server.create_authn_response(
ava, "id1", "http://lingon.catalogix.se:8087/",
"urn:mace:example.com:saml:roland:sp", trans_name_policy,
"*****@*****.**", authn=AUTHN)
resp_str = base64.encodestring(resp_str.encode('utf-8'))
self.sp.outstanding_queries = {"id1": "http://www.example.com/service"}
session_info = self.sp._eval_authn_response(
{}, {"SAMLResponse": [resp_str]})
assert len(session_info) > 1
assert session_info["came_from"] == 'http://www.example.com/service'
assert session_info["ava"] == {'givenName': ['Derek'],
'mail': ['*****@*****.**'],
'sn': ['Jeter'],
'title': ['The man']}
class TestSP():
def setup_class(self):
self.sp = make_plugin("rem", saml_conf="server_conf")
# Explicitly allow unsigned responses for this test
self.sp.saml_client.want_response_signed = False
self.server = Server(config_file="idp_conf")
def teardown_class(self):
self.server.close()
def test_setup(self):
assert self.sp
def test_identify(self):
# Create a SAMLResponse
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**"],
"title": ["The man"]
}
resp_str = "%s" % self.server.create_authn_response(
ava,
"id1",
"http://lingon.catalogix.se:8087/",
"urn:mace:example.com:saml:roland:sp",
trans_name_policy,
"*****@*****.**",
authn=AUTHN)
resp_str = base64.encodestring(resp_str.encode('utf-8'))
self.sp.outstanding_queries = {"id1": "http://www.example.com/service"}
session_info = self.sp._eval_authn_response(
{}, {"SAMLResponse": [resp_str]})
assert len(session_info) > 1
assert session_info["came_from"] == 'http://www.example.com/service'
assert session_info["ava"] == {
'givenName': ['Derek'],
'mail': ['*****@*****.**'],
'sn': ['Jeter'],
'title': ['The man']
}
class TestSignedResponse():
def setup_class(self):
self.server = Server("idp_conf")
sign_alg = Mock()
sign_alg.return_value = ds.SIG_RSA_SHA512
digest_alg = Mock()
digest_alg.return_value = ds.DIGEST_SHA512
self.restet_default = ds.DefaultSignature
ds.DefaultSignature = MagicMock()
ds.DefaultSignature().get_sign_alg = sign_alg
ds.DefaultSignature().get_digest_alg = digest_alg
conf = config.SPConfig()
conf.load_file("server_conf")
self.client = client.Saml2Client(conf)
self.name_id = self.server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp", "id12")
self.ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**"], "title": "The man"}
def teardown_class(self):
ds.DefaultSignature = self.restet_default
self.server.close()
def verify_assertion(self, assertion):
assert assertion
assert assertion[0].attribute_statement
ava = ava = get_ava(assertion[0])
assert ava ==\
{'mail': ['*****@*****.**'], 'givenName': ['Derek'],
'surName': ['Jeter'], 'title': ['The man']}
def test_signed_response(self):
print(ds.DefaultSignature().get_digest_alg())
name_id = self.server.ident.transient_nameid(
"urn:mace:example.com:saml:roland:sp", "id12")
ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**"], "title": "The man"}
signed_resp = self.server.create_authn_response(
ava,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=name_id,
sign_assertion=True
)
print(signed_resp)
assert signed_resp
sresponse = response_from_string(signed_resp)
assert ds.SIG_RSA_SHA512 in str(sresponse), "Not correctly signed!"
assert ds.DIGEST_SHA512 in str(sresponse), "Not correctly signed!"
def test_signed_response_1(self):
signed_resp = self.server.create_authn_response(
self.ava,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=self.name_id,
sign_response=True,
sign_assertion=True,
)
sresponse = response_from_string(signed_resp)
assert ds.SIG_RSA_SHA512 in str(sresponse), "Not correctly signed!"
assert ds.DIGEST_SHA512 in str(sresponse), "Not correctly signed!"
valid = self.server.sec.verify_signature(signed_resp,
self.server.config.cert_file,
node_name='urn:oasis:names:tc:SAML:2.0:protocol:Response',
node_id=sresponse.id,
id_attr="")
assert valid
assert ds.SIG_RSA_SHA512 in str(sresponse.assertion[0]), "Not correctly signed!"
assert ds.DIGEST_SHA512 in str(sresponse.assertion[0]), "Not correctly signed!"
valid = self.server.sec.verify_signature(signed_resp,
self.server.config.cert_file,
node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
node_id=sresponse.assertion[0].id,
id_attr="")
assert valid
self.verify_assertion(sresponse.assertion)
def test_signed_response_2(self):
signed_resp = self.server.create_authn_response(
self.ava,
"id12", # in_response_to
"http://lingon.catalogix.se:8087/", # consumer_url
"urn:mace:example.com:saml:roland:sp", # sp_entity_id
name_id=self.name_id,
sign_response=True,
sign_assertion=True,
sign_alg=ds.SIG_RSA_SHA256,
digest_alg=ds.DIGEST_SHA256
)
sresponse = response_from_string(signed_resp)
assert ds.SIG_RSA_SHA256 in str(sresponse), "Not correctly signed!"
assert ds.DIGEST_SHA256 in str(sresponse), "Not correctly signed!"
valid = self.server.sec.verify_signature(signed_resp,
self.server.config.cert_file,
node_name='urn:oasis:names:tc:SAML:2.0:protocol:Response',
node_id=sresponse.id,
id_attr="")
assert valid
assert ds.SIG_RSA_SHA256 in str(sresponse.assertion[0]), "Not correctly signed!"
assert ds.DIGEST_SHA256 in str(sresponse.assertion[0]), "Not correctly signed!"
valid = self.server.sec.verify_signature(signed_resp,
self.server.config.cert_file,
node_name='urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
node_id=sresponse.assertion[0].id,
id_attr="")
assert valid
self.verify_assertion(sresponse.assertion)