def test_get_identity_provider_settings_returns_correct_result(self):
# Arrange
configuration = create_autospec(spec=SAMLConfiguration)
configuration.get_identity_providers = MagicMock(
return_value=IDENTITY_PROVIDERS)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
expected_result = {
'idp': {
'entityId': IDENTITY_PROVIDERS[0].entity_id,
'singleSignOnService': {
'url': IDENTITY_PROVIDERS[0].sso_service.url,
'binding': IDENTITY_PROVIDERS[0].sso_service.binding.value
}
},
'security': {
'authnRequestsSigned':
IDENTITY_PROVIDERS[0].want_authn_requests_signed
}
}
db = create_autospec(spec=sqlalchemy.orm.session.Session)
# Act
result = onelogin_configuration.get_identity_provider_settings(
db, IDENTITY_PROVIDERS[0].entity_id)
# Assert
eq_(result, expected_result)
configuration.get_identity_providers.assert_called_once_with(db)
def test_get_service_provider_settings_returns_correct_result(self, name, service_provider, expected_result):
# Arrange
configuration = create_autospec(spec=SAMLConfiguration)
configuration.get_service_provider = MagicMock(return_value=service_provider)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
db = create_autospec(spec=sqlalchemy.orm.session.Session)
# Act
result = onelogin_configuration.get_service_provider_settings(db)
# Assert
result['sp']['x509cert'] = strip_certificate(result['sp']['x509cert'])
eq_(result, expected_result)
configuration.get_service_provider.assert_called_once_with(db)
def test_finish_authentication(self,
name,
saml_response,
mock_validation=False):
# Arrange
if mock_validation:
validate_mock = MagicMock(return_value=True)
else:
real_validate_sign = OneLogin_Saml2_Utils.validate_sign
validate_mock = MagicMock(side_effect=lambda *args, **kwargs:
real_validate_sign(*args, **kwargs))
configuration = create_autospec(spec=SAMLConfiguration)
configuration.get_debug = MagicMock(return_value=False)
configuration.get_strict = MagicMock(return_value=False)
configuration.get_service_provider = MagicMock(
return_value=SERVICE_PROVIDER_WITH_UNSIGNED_REQUESTS)
configuration.get_identity_providers = MagicMock(
return_value=IDENTITY_PROVIDERS)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
authentication_manager = SAMLAuthenticationManager(
onelogin_configuration, SAMLSubjectParser())
saml_response = b64encode(saml_response)
# Act
with patch(
'onelogin.saml2.response.OneLogin_Saml2_Utils.validate_sign',
validate_mock):
with self.app.test_request_context(
'/', data={'SAMLResponse': saml_response}):
result = authentication_manager.finish_authentication(
self._db, fixtures.IDP_1_ENTITY_ID)
# Assert
assert isinstance(result, Subject)
def test_authentication_document(self, name, identity_providers,
expected_result):
# Arrange
provider = SAMLWebSSOAuthenticationProvider(self._default_library,
self._integration)
configuration = create_autospec(spec=SAMLConfiguration)
configuration.get_debug = MagicMock(return_value=False)
configuration.get_strict = MagicMock(return_value=False)
configuration.get_service_provider = MagicMock(
return_value=SERVICE_PROVIDER)
configuration.get_identity_providers = MagicMock(
return_value=identity_providers)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
authentication_manager = SAMLAuthenticationManager(
onelogin_configuration, SAMLSubjectParser())
authentication_manager_factory = create_autospec(
spec=SAMLAuthenticationManagerFactory)
authentication_manager_factory.create = MagicMock(
return_value=authentication_manager)
with patch('api.saml.provider.SAMLAuthenticationManagerFactory') \
as authentication_manager_factory_constructor:
authentication_manager_factory_constructor.return_value = authentication_manager_factory
# Act
with self.app.test_request_context('/'):
result = provider.authentication_flow_document(self._db)
# Assert
eq_(result, expected_result)
def test_start_authentication(self, name, service_provider,
identity_providers):
configuration = create_autospec(spec=SAMLConfiguration)
configuration.get_debug = MagicMock(return_value=False)
configuration.get_strict = MagicMock(return_value=False)
configuration.get_service_provider = MagicMock(
return_value=service_provider)
configuration.get_identity_providers = MagicMock(
return_value=identity_providers)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
authentication_manager = SAMLAuthenticationManager(
onelogin_configuration, SAMLSubjectParser())
with self.app.test_request_context('/'):
result = authentication_manager.start_authentication(
self._db, fixtures.IDP_1_ENTITY_ID, '')
query_items = urlparse.parse_qs(urlparse.urlsplit(result).query)
saml_request = query_items['SAMLRequest'][0]
decoded_saml_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(
saml_request)
validation_result = OneLogin_Saml2_Utils.validate_xml(
decoded_saml_request, 'saml-schema-protocol-2.0.xsd', False)
assert isinstance(validation_result, Document)
saml_request_dom = fromstring(decoded_saml_request)
acs_url = saml_request_dom.get('AssertionConsumerServiceURL')
eq_(acs_url,
SERVICE_PROVIDER_WITH_UNSIGNED_REQUESTS.acs_service.url)
acs_binding = saml_request_dom.get('ProtocolBinding')
eq_(
acs_binding, SERVICE_PROVIDER_WITH_UNSIGNED_REQUESTS.
acs_service.binding.value)
sso_url = saml_request_dom.get('Destination')
eq_(sso_url, IDENTITY_PROVIDERS[0].sso_service.url)
name_id_policy_nodes = OneLogin_Saml2_Utils.query(
saml_request_dom, './samlp:NameIDPolicy')
assert name_id_policy_nodes is not None
eq_(len(name_id_policy_nodes), 1)
name_id_policy_node = name_id_policy_nodes[0]
name_id_format = name_id_policy_node.get('Format')
eq_(name_id_format,
SERVICE_PROVIDER_WITH_UNSIGNED_REQUESTS.name_id_format)
def create(self, integration_owner):
"""
Creates a new instance of SAMLAuthenticationManager class
:param integration_owner: External integration owner
:type integration_owner: api.saml.configuration.ExternalIntegrationOwner
:return: SAML authentication manager
:rtype: SAMLAuthenticationManager
"""
configuration_storage = ConfigurationStorage(integration_owner)
configuration = SAMLConfiguration(configuration_storage, SAMLMetadataParser())
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
subject_parser = SAMLSubjectParser()
authentication_manager = SAMLAuthenticationManager(onelogin_configuration, subject_parser)
return authentication_manager
def test_get_settings_returns_correct_result(self):
# Arrange
configuration = create_autospec(spec=SAMLConfiguration)
debug = False
strict = False
configuration.get_debug = MagicMock(return_value=False)
configuration.get_strict = MagicMock(return_value=False)
configuration.get_service_provider = MagicMock(
return_value=SERVICE_PROVIDER_WITH_CERTIFICATE)
configuration.get_identity_providers = MagicMock(
return_value=IDENTITY_PROVIDERS)
onelogin_configuration = SAMLOneLoginConfiguration(configuration)
expected_result = {
'debug': debug,
'strict': strict,
'idp': {
'entityId': IDENTITY_PROVIDERS[0].entity_id,
'singleSignOnService': {
'url': IDENTITY_PROVIDERS[0].sso_service.url,
'binding': IDENTITY_PROVIDERS[0].sso_service.binding.value
},
'x509cert': '',
'certFingerprint': '',
'certFingerprintAlgorithm': 'sha1'
},
'sp': {
'entityId':
SERVICE_PROVIDER_WITH_CERTIFICATE.entity_id,
'assertionConsumerService': {
'url':
SERVICE_PROVIDER_WITH_CERTIFICATE.acs_service.url,
'binding':
SERVICE_PROVIDER_WITH_CERTIFICATE.acs_service.binding.value
},
'attributeConsumingService': {},
'singleLogoutService': {
'binding':
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
},
'NameIDFormat':
SERVICE_PROVIDER_WITH_CERTIFICATE.name_id_format,
'x509cert':
strip_certificate(
SERVICE_PROVIDER_WITH_CERTIFICATE.certificate),
'privateKey':
SERVICE_PROVIDER_WITH_CERTIFICATE.private_key
},
'security': {
'failOnAuthnContextMismatch':
False,
'requestedAuthnContextComparison':
'exact',
'wantNameIdEncrypted':
False,
'authnRequestsSigned':
SERVICE_PROVIDER_WITH_CERTIFICATE.authn_requests_signed
or IDENTITY_PROVIDERS[0].want_authn_requests_signed,
'logoutResponseSigned':
False,
'wantMessagesSigned':
False,
'metadataCacheDuration':
None,
'rejectUnsolicitedResponsesWithInResponseTo':
False,
'requestedAuthnContext':
True,
'logoutRequestSigned':
False,
'wantAttributeStatement':
True,
'signMetadata':
False,
'digestAlgorithm':
'http://www.w3.org/2000/09/xmldsig#sha1',
'metadataValidUntil':
None,
'wantAssertionsSigned':
False,
'wantNameId':
True,
'wantAssertionsEncrypted':
False,
'nameIdEncrypted':
False,
'signatureAlgorithm':
'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
}
}
db = create_autospec(spec=sqlalchemy.orm.session.Session)
# Act
result = onelogin_configuration.get_settings(
db, IDENTITY_PROVIDERS[0].entity_id)
# Assert
result['sp']['x509cert'] = strip_certificate(result['sp']['x509cert'])
eq_(result, expected_result)
configuration.get_debug.assert_called_with(db)
configuration.get_strict.assert_called_with(db)
configuration.get_service_provider.assert_called_with(db)
configuration.get_identity_providers.assert_called_with(db)