Ejemplo n.º 1
 def test_str(self):
     """Check the ``str()`` form of a SAMLRequest, both populated and all-``None``."""
     populated = SAMLRequest(ElementTree(Element('root')), 'CZ', 'relay')
     populated_text = (
         "citizen_country_code = 'CZ', relay_state = 'relay', document = "
         "<?xml version='1.0' encoding='utf-8' standalone='yes'?>\n<root/>\n")
     self.assertEqual(str(populated), populated_text)

     # With no document, country code or relay state, every field prints as None.
     blank = SAMLRequest(None, None, None)
     self.assertEqual(
         str(blank),
         'citizen_country_code = None, relay_state = None, document = None')
Ejemplo n.º 2
 def test_create_light_request_without_extensions(self):
     """An AuthnRequest with no child elements yields a light request with no requested attributes."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'],
                             nsmap=EIDAS_NAMESPACES)
     request = SAMLRequest(ElementTree(authn_request), 'CZ', 'relay123')
     # Country code and relay state are expected to be carried over unchanged.
     wanted = LightRequest(
         citizen_country_code='CZ',
         relay_state='relay123',
         requested_attributes=OrderedDict(),
     )
     produced = request.create_light_request()
     self.assertEqual(produced, wanted)
Ejemplo n.º 3
 def test_sign_request_with_issuer(self):
     """Signing a request that has an Issuer places the signature at child index 1 of the root."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     # Issuer is the only child before signing, so it sits at index 0.
     SubElement(authn_request, Q_NAMES['saml2:Issuer'])
     saml_request = SAMLRequest(ElementTree(authn_request))

     saml_request.sign_request(**SIGNATURE_OPTIONS)

     self.assertIsNotNone(saml_request.request_signature)
     signature_position = authn_request.index(saml_request.request_signature)
     self.assertEqual(signature_position, 1)
Ejemplo n.º 4
 def test_request_signature_not_exists(self):
     """A ds:Signature nested inside Issuer must not be reported as the request signature."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     issuer = SubElement(authn_request, Q_NAMES['saml2:Issuer'])
     # Booby trap: the only ds:Signature in the tree is a child of Issuer,
     # not a direct child of the request root.
     SubElement(issuer, Q_NAMES['ds:Signature'])

     saml_request = SAMLRequest(ElementTree(authn_request))
     # The misplaced signature must be ignored; this looks like a guard against
     # accepting a signature found at the wrong position in the document.
     self.assertIsNone(saml_request.request_signature)
Ejemplo n.º 5
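    def get_saml_request(self, country_parameter: str,
                         cert_file: Optional[str]) -> SAMLRequest:
        """
        Extract and decode a SAML request from POST data.

        The ``SAMLRequest`` field is Base64-decoded and parsed as XML. No
        decryption takes place here. The signature is verified only when
        ``cert_file`` is provided.

        :param country_parameter: Name of the POST parameter containing citizen country code.
        :param cert_file: The path of a certificate to verify the signature.
            If empty or ``None``, the request is returned without any
            signature verification.
        :return: A SAML request.
        :raise ParseError: If the ``SAMLRequest`` field is not ASCII, is not
            valid Base64 or does not contain well-formed XML.
        """
        # A missing country parameter propagates the lookup error raised by
        # self.request.POST, unchanged (presumably a KeyError subclass handled
        # by the caller; confirm).
        try:
            # NOTE(review): parse_xml() runs on unauthenticated input, before
            # any signature check; confirm it disables DTD loading and external
            # entity resolution.
            request = SAMLRequest(
                parse_xml(
                    b64decode(
                        self.request.POST.get('SAMLRequest',
                                              '').encode('ascii'))),
                self.request.POST[country_parameter].upper(),
                self.request.POST.get('RelayState'))
        except (XMLSyntaxError, ValueError) as e:
            # binascii.Error (bad Base64 padding) and UnicodeEncodeError
            # (non-ASCII field) are both ValueError subclasses. Malformed
            # client input is reported as ParseError, like malformed XML,
            # instead of escaping as an unhandled exception.
            raise ParseError(str(e)) from None

        # id and issuer are still unverified, client-supplied values here;
        # %r keeps control characters in them escaped in the log line.
        LOGGER.info('[#%r] Received SAML request: id=%r, issuer=%r',
                    self.log_id, request.id, request.issuer)
        if cert_file:
            request.verify_request(cert_file)
        # Without cert_file the request is returned unverified: callers must
        # not treat its issuer or content as authenticated.
        return request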
 def test_create_light_request_our_issuer_set(self):
     """The light request built by the view carries the issuer passed as second argument."""
     request_xml, _encoded = self.load_saml_request()
     sp_view = ServiceProviderRequestView()
     sp_view.saml_request = SAMLRequest(
         parse_xml(request_xml), 'ca', 'xyz')

     # First argument: presumably the SAML issuer the view expects (confirm
     # against create_light_request); second: issuer to put on the light request.
     produced = sp_view.create_light_request(
         'test-saml-request-issuer', 'test-light-request-issuer')

     self.assertEqual(produced.issuer, 'test-light-request-issuer')
Ejemplo n.º 7
    def test_create_light_request_success(self):
        """The sample SAML request file converts to the expected light request data."""
        # Show the full diff if the dictionaries differ.
        self.maxDiff = None
        sample_path = DATA_DIR / 'saml_request.xml'
        with cast(TextIO, sample_path.open('r')) as xml_file:
            xml_text = xml_file.read()

        saml_request = SAMLRequest(parse_xml(xml_text), 'CA', 'relay123')
        produced = saml_request.create_light_request().get_data_as_dict()
        self.assertEqual(produced, LIGHT_REQUEST_DICT)
Ejemplo n.º 8
 def test_sign_request_already_exists(self):
     """Signing an already signed request raises SecurityError and keeps the existing signature."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     existing_signature = SubElement(authn_request, Q_NAMES['ds:Signature'])
     SubElement(authn_request, Q_NAMES['saml2:Issuer'])
     saml_request = SAMLRequest(ElementTree(authn_request))

     refusal = self.assertRaisesMessage(
         SecurityError, 'Request signature already exists.')
     with refusal:
         saml_request.sign_request(**SIGNATURE_OPTIONS)

     # The failed attempt must leave the original signature element in place.
     self.assertIs(saml_request.request_signature, existing_signature)
Ejemplo n.º 9
 def test_verify_request_not_found(self, signatures_mock):
     """Verification fails when the verified signature is not the element attached to the request.

     ``signatures_mock`` is injected from outside this excerpt (presumably by a
     patch decorator replacing the signature verification helper).
     """
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     SubElement(authn_request, Q_NAMES['ds:Signature'])
     # The mock reports a detached ds:Signature element, not the one that was
     # just attached to the request root.
     detached_signature = Element(Q_NAMES['ds:Signature'])
     signatures_mock.return_value = [
         SignatureInfo(detached_signature, (authn_request, )),
     ]

     with self.assertRaisesMessage(SecurityError, 'Signature not found'):
         SAMLRequest(ElementTree(authn_request)).verify_request('cert.pem')

     expected_calls = [call(authn_request, 'cert.pem')]
     self.assertEqual(signatures_mock.mock_calls, expected_calls)
Ejemplo n.º 10
 def test_create_light_request_wrong_issuer(self):
     """The view raises SecurityError when called with 'wrong-saml-issuer' as the SAML issuer."""
     request_xml, _encoded = self.load_saml_request()
     sp_view = ServiceProviderRequestView()
     sp_view.saml_request = SAMLRequest(
         parse_xml(request_xml), 'ca', 'xyz')

     # 'wrong-saml-issuer' presumably differs from the issuer in the loaded
     # fixture; confirm against load_saml_request().
     issuers = ('wrong-saml-issuer', 'test-light-request-issuer')
     with self.assertRaisesMessage(SecurityError,
                                   'Invalid SAML request issuer'):
         sp_view.create_light_request(*issuers)
Ejemplo n.º 11
 def test_verify_request_wrong_parent(self, signatures_mock):
     """Verification fails when the signature does not reference the request root.

     ``signatures_mock`` is injected from outside this excerpt (presumably by a
     patch decorator replacing the signature verification helper).
     """
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     attached_signature = SubElement(authn_request, Q_NAMES['ds:Signature'])
     # The mock reports the attached signature, but with an unrelated element
     # as the thing it references.
     unrelated = Element('whatever')
     signatures_mock.return_value = [
         SignatureInfo(attached_signature, (unrelated, )),
     ]

     with self.assertRaisesMessage(
             SecurityError, 'Signature does not reference parent element'):
         SAMLRequest(ElementTree(authn_request)).verify_request('cert.pem')

     expected_calls = [call(authn_request, 'cert.pem')]
     self.assertEqual(signatures_mock.mock_calls, expected_calls)
Ejemplo n.º 12
    def test_create_light_request_missing_attribute_name(self):
        """A RequestedAttribute element without attributes is reported as missing 'Name'."""
        authn_request = Element(Q_NAMES['saml2p:AuthnRequest'],
                                nsmap=EIDAS_NAMESPACES)
        # Build Extensions > RequestedAttributes > RequestedAttribute; the leaf
        # element is created without any attributes.
        parent = authn_request
        for tag in ('saml2p:Extensions',
                    'eidas:RequestedAttributes',
                    'eidas:RequestedAttribute'):
            parent = SubElement(parent, Q_NAMES[tag])

        saml_request = SAMLRequest(ElementTree(authn_request), 'CZ', 'relay123')
        error_path = '<saml2p:AuthnRequest><saml2p:Extensions><eidas:RequestedAttributes><eidas:RequestedAttribute>'
        self.assert_validation_error(
            error_path,
            "Missing attribute 'Name'",
            saml_request.create_light_request)
Ejemplo n.º 13
    def test_create_light_request_extra_elements(self):
        """Unknown 'extra' elements in the document do not change the resulting light request."""
        # Show the full diff if the dictionaries differ.
        self.maxDiff = None
        sample_path = DATA_DIR / 'saml_request.xml'
        with cast(TextIO, sample_path.open('r')) as xml_file:
            document = parse_xml(xml_file.read())

        # One unexpected element under the root ...
        root_extra = SubElement(document.getroot(), 'extra')
        root_extra.text = 'extra'
        # ... and one inside the RequestedAttributes container.
        attributes_path = ".//{}".format(Q_NAMES['eidas:RequestedAttributes'])
        nested_extra = SubElement(document.find(attributes_path), 'extra')
        nested_extra.text = 'extra'

        saml_request = SAMLRequest(document, 'CA', 'relay123')
        produced = saml_request.create_light_request().get_data_as_dict()
        self.assertEqual(produced, LIGHT_REQUEST_DICT)
Ejemplo n.º 14
 def test_issuer_none(self):
     """``issuer`` is None when the request has no Issuer element."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'],
                             nsmap=EIDAS_NAMESPACES)
     saml_request = SAMLRequest(
         ElementTree(authn_request), 'CZ', 'relay123')
     issuer = saml_request.issuer
     self.assertIsNone(issuer)
Ejemplo n.º 15
 def test_issuer(self):
     """``issuer`` returns the text of the Issuer child element."""
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'],
                             nsmap=EIDAS_NAMESPACES)
     issuer_element = SubElement(authn_request, Q_NAMES['saml2:Issuer'])
     issuer_element.text = 'test-issuer'

     saml_request = SAMLRequest(
         ElementTree(authn_request), 'CZ', 'relay123')
     self.assertEqual(saml_request.issuer, 'test-issuer')
Ejemplo n.º 16
 def test_id(self):
     """``id`` returns the value of the root element's ``ID`` attribute."""
     root_attributes = {'ID': 'test-id'}
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'],
                             root_attributes,
                             nsmap=EIDAS_NAMESPACES)
     saml_request = SAMLRequest(
         ElementTree(authn_request), 'CZ', 'relay123')
     self.assertEqual(saml_request.id, 'test-id')
Ejemplo n.º 17
 def test_verify_request_none(self, signatures_mock):
     """An unsigned request is rejected without the mocked verifier ever being called.

     ``signatures_mock`` is injected from outside this excerpt (presumably by a
     patch decorator replacing the signature verification helper).
     """
     unsigned_request = Element(Q_NAMES['saml2p:AuthnRequest'])

     with self.assertRaisesMessage(SecurityError,
                                   'Signature does not exist'):
         SAMLRequest(ElementTree(unsigned_request)).verify_request('cert.pem')

     # A missing signature must fail verification, not pass silently.
     recorded_calls = signatures_mock.mock_calls
     self.assertEqual(recorded_calls, [])
Ejemplo n.º 18
 def test_verify_request(self, signatures_mock):
     """Verification succeeds when the reported signature is the attached one and references the root.

     ``signatures_mock`` is injected from outside this excerpt (presumably by a
     patch decorator replacing the signature verification helper).
     """
     authn_request = Element(Q_NAMES['saml2p:AuthnRequest'])
     attached_signature = SubElement(authn_request, Q_NAMES['ds:Signature'])
     signatures_mock.return_value = [
         SignatureInfo(attached_signature, (authn_request, )),
     ]

     # Must complete without raising.
     SAMLRequest(ElementTree(authn_request)).verify_request('cert.pem')

     expected_calls = [call(authn_request, 'cert.pem')]
     self.assertEqual(signatures_mock.mock_calls, expected_calls)
Ejemplo n.º 19
 def test_create_light_request_invalid_root_element(self):
     """A document whose root element is 'wrongRoot' is reported as a validation error."""
     wrong_document = ElementTree(Element('wrongRoot'))
     saml_request = SAMLRequest(wrong_document, 'CZ', 'relay123')
     self.assert_validation_error(
         '<wrongRoot>',
         "Wrong root element: 'wrongRoot'",
         saml_request.create_light_request)