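def test05(self):
    '''SAMLv2 Authn request emitted and received using Artifact binding'''
    # SP side: build an AuthnRequest carried by the HTTP-Artifact (GET) binding.
    sp = lasso.Server(os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
            os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
    assert sp
    sp.addProvider(lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp5-saml2/metadata.xml'))
    sp_login = lasso.Login(sp)
    assert sp_login
    sp_login.initAuthnRequest(None, lasso.HTTP_METHOD_ARTIFACT_GET)
    sp_login.buildAuthnRequestMsg()
    # Persist the SP profile; it is restored once the IdP comes back to
    # resolve the artifact.
    sp_login_dump = sp_login.dump()
    # IdP side: take the artifact from the query string and build the
    # artifact resolution request.
    idp = lasso.Server(os.path.join(dataDir, 'idp5-saml2/metadata.xml'),
            os.path.join(dataDir, 'idp5-saml2/private-key.pem'))
    idp.addProvider(lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp5-saml2/metadata.xml'))
    idp_login = lasso.Login(idp)
    idp_login.initRequest(sp_login.msgUrl.split('?')[1],
            lasso.HTTP_METHOD_ARTIFACT_GET)
    idp_login.buildRequestMsg()
    # SP side again, from the dump: answer the resolution request.
    sp_login2 = lasso.Login.newFromDump(sp, sp_login_dump)
    assert isinstance(sp_login2, lasso.Login)
    assert idp_login.msgBody
    sp_login2.processRequestMsg(idp_login.msgBody)
    sp_login2.buildResponseMsg()
    assert sp_login2.msgBody
    # Any error here is a test failure; the former ``try: ... except: raise``
    # wrapper only re-raised and is dropped.
    idp_login.processResponseMsg(sp_login2.msgBody)
    assert isinstance(idp_login.request, lasso.Samlp2AuthnRequest)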
def test01(self):
    '''Attribute request and response test between sp5 and idp6'''
    # sp5 is the requester, idp6 the attribute authority.
    requester = lasso.Server(
            os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
            os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
    requester.addProvider(lasso.PROVIDER_ROLE_ATTRIBUTE_AUTHORITY,
            os.path.join(dataDir, 'idp6-saml2/metadata.xml'))
    authority = lasso.Server(
            os.path.join(dataDir, 'idp6-saml2/metadata.xml'),
            os.path.join(dataDir, 'idp6-saml2/private-key.pem'))
    authority.addProvider(lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp5-saml2/metadata.xml'))
    # Requester side: build an attribute query sent over SOAP.
    query = lasso.AssertionQuery(requester)
    remote_id = requester.providers.keys()[0]
    query.initRequest(remote_id, lasso.HTTP_METHOD_SOAP,
            lasso.ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE)
    assert query.request
    assert query.remoteProviderId == remote_id
    # Persistent NameID naming the subject whose attributes are requested.
    name_id = lasso.Saml2NameID.newWithPersistentFormat(
            lasso.buildUniqueId(32), requester.providerId, authority.providerId)
    query.nameIdentifier = name_id
    query.addAttributeRequest(
            lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC, 'testAttribute')
    query.buildRequestMsg()
    assert query.msgUrl
    assert query.msgBody
    # Authority side: parse and validate the query, answer with one assertion.
    answer = lasso.AssertionQuery(authority)
    answer.processRequestMsg(query.msgBody)
    # NOTE(review): this checks the requester's request object, not
    # answer.request — kept as in the original; confirm which was intended.
    assert query.request
    answer.validateRequest()
    assert answer.response
    assertion = lasso.Saml2Assertion()
    answer.response.assertion = (assertion, )
    for attribute in answer.request.attribute:
        content = lasso.MiscTextNode.newWithString("xxx")
        content.textChild = True
        # Two values are attached per requested attribute (as in the original).
        assertion.addAttributeWithNode(attribute.name, attribute.nameFormat, content)
        assertion.addAttributeWithNode(attribute.name, attribute.nameFormat, content)
    assertion.subject = query.request.subject
    authority.saml2AssertionSetupSignature(assertion)
    answer.buildResponseMsg()
    # Back on the requester: the response must carry the attribute value.
    query.processResponseMsg(answer.msgBody)
    assert query.response
    first_assertion = query.response.assertion[0]
    assert first_assertion
    statement = first_assertion.attributeStatement[0]
    assert statement
    assert statement.attribute[0]
    assert statement.attribute[0].attributeValue[0]
def get_idp_server(self):
    """Build the IdP server with both the WSP and the WSC registered as SPs.

    The metadata and key paths (idp_metadata, wsp_metadata, wsc_metadata and
    their public keys) are module-level names defined outside this method.
    """
    idp = lasso.Server(idp_metadata, idp_private_key, None, None)
    remote_sps = (
        (wsp_metadata, wsp_public_key),
        (wsc_metadata, wsc_public_key),
    )
    for metadata, public_key in remote_sps:
        idp.addProvider(lasso.PROVIDER_ROLE_SP, metadata, public_key, None)
    return idp
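def test04(self):
    """Conversion of a lib:AuthnRequest with extensions into a query and back."""
    sp = lasso.Server(
        os.path.join(dataDir, 'sp1-la/metadata.xml'),
        os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
        None,
        os.path.join(dataDir, 'sp1-la/certificate.pem'))
    sp.addProvider(
        lasso.PROVIDER_ROLE_IDP,
        os.path.join(dataDir, 'idp1-la/metadata.xml'),
        os.path.join(dataDir, 'idp1-la/public-key.pem'),
        os.path.join(dataDir, 'idp1-la/certificate.pem'))
    spLogin = lasso.Login(sp)
    spLogin.initAuthnRequest()
    # Two lib:Extension elements; the second one carries two child elements,
    # so three actions in total must survive the round trip.
    extension_template = (
        '<lib:Extension xmlns:lib="urn:liberty:iff:2003-08">%s</lib:Extension>')
    spLogin.request.extension = tuple(
        extension_template % extension
        for extension in (
            '<action>do</action>',
            '<action2>do action 2</action2><action3>do action 3</action3>'))
    spLogin.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    spLogin.buildAuthnRequestMsg()
    # Only the query string part of the redirect URL is handed to the IdP.
    authnRequestQuery = spLogin.msgUrl[spLogin.msgUrl.index('?') + 1:]
    idp = lasso.Server(
        os.path.join(dataDir, 'idp1-la/metadata.xml'),
        os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
        None,
        os.path.join(dataDir, 'idp1-la/certificate.pem'))
    idp.addProvider(
        lasso.PROVIDER_ROLE_SP,
        os.path.join(dataDir, 'sp1-la/metadata.xml'),
        os.path.join(dataDir, 'sp1-la/public-key.pem'),
        os.path.join(dataDir, 'sp1-la/certificate.pem'))
    idpLogin = lasso.Login(idp)
    idpLogin.processAuthnRequestMsg(authnRequestQuery)
    self.failUnless(idpLogin.request.extension)
    # The receiving side exposes the extension content through a single
    # entry (asserted below), which must still contain every action sent.
    extensionsList = idpLogin.request.extension
    self.failUnlessEqual(len(extensionsList), 1)
    self.failUnless('<action>do</action>' in extensionsList[0])
    self.failUnless('<action2>do action 2</action2>' in extensionsList[0])
    self.failUnless('<action3>do action 3</action3>' in extensionsList[0])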
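def server(local_name, remote_role, remote_name):
    """Build a lasso.Server for ``local_name`` with one remote provider registered.

    Args:
        local_name: directory under dataDir holding ``metadata.xml``,
            ``private-key.pem`` and, optionally, a ``password`` file whose
            content unlocks the private key.
        remote_role: lasso.PROVIDER_ROLE_* constant for the remote provider.
        remote_name: directory under dataDir holding the remote ``metadata.xml``.

    Returns:
        The configured lasso.Server.
    """
    pwd = os.path.join(dataDir, local_name, 'password')
    password = None
    if os.path.exists(pwd):
        # Read under ``with`` so the handle is closed deterministically; the
        # content is passed through unchanged (no stripping, as before).
        with open(pwd) as fh:
            password = fh.read()
    s = lasso.Server(os.path.join(dataDir, local_name, 'metadata.xml'),
            os.path.join(dataDir, local_name, 'private-key.pem'),
            password)
    s.addProvider(remote_role,
            os.path.join(dataDir, remote_name, 'metadata.xml'))
    return s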
def getWscServer(self):
    """Build the WSC server: sp6 in the SP role with idp5 as its IdP."""
    metadata = os.path.join(dataDir, 'sp6-saml2/metadata.xml')
    private_key = os.path.join(dataDir, 'sp6-saml2/private-key.pem')
    wsc = lasso.Server(metadata, private_key, None, None)
    wsc.role = lasso.PROVIDER_ROLE_SP
    # No public key or certificate is given for the IdP; only its metadata.
    wsc.addProvider(lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp5-saml2/metadata.xml'), None, None)
    return wsc
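def test03(self):
    """Conversion of a lib:AuthnRequest with an AuthnContext into a query and back."""
    sp = lasso.Server(
        os.path.join(dataDir, 'sp1-la/metadata.xml'),
        os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
        None,
        os.path.join(dataDir, 'sp1-la/certificate.pem'))
    sp.addProvider(
        lasso.PROVIDER_ROLE_IDP,
        os.path.join(dataDir, 'idp1-la/metadata.xml'),
        os.path.join(dataDir, 'idp1-la/public-key.pem'),
        os.path.join(dataDir, 'idp1-la/certificate.pem'))
    spLogin = lasso.Login(sp)
    spLogin.initAuthnRequest()
    # Request password authentication; the binding takes a tuple of class refs.
    requestAuthnContext = lasso.LibRequestAuthnContext()
    requestAuthnContext.authnContextClassRef = (
        lasso.LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD,)
    spLogin.request.requestAuthnContext = requestAuthnContext
    spLogin.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    spLogin.buildAuthnRequestMsg()
    # Only the query string part of the redirect URL is handed to the IdP.
    authnRequestQuery = spLogin.msgUrl[spLogin.msgUrl.index('?') + 1:]
    idp = lasso.Server(
        os.path.join(dataDir, 'idp1-la/metadata.xml'),
        os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
        None,
        os.path.join(dataDir, 'idp1-la/certificate.pem'))
    idp.addProvider(
        lasso.PROVIDER_ROLE_SP,
        os.path.join(dataDir, 'sp1-la/metadata.xml'),
        os.path.join(dataDir, 'sp1-la/public-key.pem'),
        os.path.join(dataDir, 'sp1-la/certificate.pem'))
    idpLogin = lasso.Login(idp)
    idpLogin.processAuthnRequestMsg(authnRequestQuery)
    self.failUnless(idpLogin.request.requestAuthnContext)
    # Exactly the one class ref sent must come back out.
    authnContextClassRefsList = idpLogin.request.requestAuthnContext.authnContextClassRef
    self.failUnlessEqual(len(authnContextClassRefsList), 1)
    self.failUnlessEqual(authnContextClassRefsList[0],
            lasso.LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD)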
def getWspServer(self):
    """Build the WSP server: sp5 in the SP role with idp5 as its IdP.

    The SP private key is also installed as the decryption key so the
    WSP can open encrypted elements addressed to it.
    """
    private_key = os.path.join(dataDir, 'sp5-saml2/private-key.pem')
    wsp = lasso.Server(os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
            private_key, None, None)
    wsp.role = lasso.PROVIDER_ROLE_SP
    wsp.addProvider(lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp5-saml2/metadata.xml'), None, None)
    wsp.setEncryptionPrivateKey(private_key)
    return wsp
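def test10(self):
    '''Test Server.setEncryptionPrivateKeyWithPassword'''
    pkey_path = os.path.join(dataDir, 'idp5-saml2', 'private-key.pem')
    server = lasso.Server(
            os.path.join(dataDir, 'idp5-saml2', 'metadata.xml'),
            pkey_path)
    # from file
    server.setEncryptionPrivateKeyWithPassword(pkey_path)
    # from buffer; read under ``with`` so the handle is closed deterministically
    with open(pkey_path) as fh:
        pkey_buffer = fh.read()
    server.setEncryptionPrivateKeyWithPassword(pkey_buffer)
    # reset (no argument)
    server.setEncryptionPrivateKeyWithPassword()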
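def test11(self):
    '''Test saving and reloading a Server using an encrypted private key'''
    pkey = os.path.join(dataDir, 'sp7-saml2', 'private-key.pem')
    mdata = os.path.join(dataDir, 'sp7-saml2', 'metadata.xml')
    # The key passphrase is stored next to the key; drop the trailing newline.
    with open(os.path.join(dataDir, 'sp7-saml2', 'password')) as fh:
        password = fh.read().strip()
    server = lasso.Server(mdata, pkey, password)
    assert isinstance(server, lasso.Server)
    # Round trip through dump(): the reloaded server must construct again.
    server_dump = server.dump()
    assert server_dump
    server = lasso.Server.newFromDump(server_dump)
    assert isinstance(server, lasso.Server)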
def test02(self):
    """Server construction without argument, dump & newFromDump."""
    # Only the SP metadata is given: no private key, no certificate.
    original = lasso.Server(os.path.join(dataDir, 'sp1-la/metadata.xml'))
    original.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'))
    first_dump = original.dump()
    restored = original.newFromDump(first_dump)
    # dump -> newFromDump -> dump must reproduce the first dump exactly.
    self.failUnlessEqual(first_dump, restored.dump())
def test02(self):
    """IDP logout without session and identity; testing logout.getNextProviderId."""
    idp_server = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    idp_server.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    logout = lasso.Logout(idp_server)
    # With neither session nor identity attached there is no provider to notify.
    next_provider = logout.getNextProviderId()
    self.failIf(next_provider)
def test07(self):
    '''SAMLv2 SSO with DSA key for the IdP'''
    sp_server = lasso.Server(os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
            os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
    assert sp_server
    sp_server.addProvider(lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp12-dsa-saml2/metadata.xml'))
    sp_profile = lasso.Login(sp_server)
    assert sp_profile
    sp_profile.initAuthnRequest(None, lasso.HTTP_METHOD_REDIRECT)
    sp_profile.buildAuthnRequestMsg()
    # The IdP holds a DSA key, so its signature method is set to DSA-SHA1.
    idp_server = lasso.Server(
            os.path.join(dataDir, 'idp12-dsa-saml2/metadata.xml'),
            os.path.join(dataDir, 'idp12-dsa-saml2/private-key.pem'))
    idp_server.signatureMethod = lasso.SIGNATURE_METHOD_DSA_SHA1
    idp_server.addProvider(lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp5-saml2/metadata.xml'))
    idp_profile = lasso.Login(idp_server)
    # The redirect binding carries the request in the URL query string.
    query_string = sp_profile.msgUrl.split('?')[1]
    idp_profile.processAuthnRequestMsg(query_string)
    idp_profile.protocolProfile = lasso.LOGIN_PROTOCOL_PROFILE_BRWS_POST
    idp_profile.validateRequestMsg(True, True)
    # The literal "None" strings are what the original test passes; kept verbatim.
    idp_profile.buildAssertion("None", "None", "None", "None", "None")
    idp_profile.buildAuthnResponseMsg()
def test01(self):
    """Server construction, dump & newFromDump."""
    original = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    original.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    first_dump = original.dump()
    restored = original.newFromDump(first_dump)
    # dump -> newFromDump -> dump must reproduce the first dump exactly.
    self.failUnlessEqual(first_dump, restored.dump())
def test06(self):
    """Get & set attributes of nodes of type node."""
    login = lasso.Login(
        lasso.Server(os.path.join(dataDir, 'sp1-la/metadata.xml'),
                     os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
                     None,
                     os.path.join(dataDir, 'sp1-la/certificate.pem')))
    # A node-typed attribute starts out unset ...
    self.failUnlessEqual(login.request, None)
    # ... accepts a node whose own attributes are readable through it ...
    login.request = lasso.LibAuthnRequest()
    login.request.consent = lasso.LIB_CONSENT_OBTAINED
    self.failUnlessEqual(login.request.consent, lasso.LIB_CONSENT_OBTAINED)
    # ... and can be cleared again.
    login.request = None
    self.failUnlessEqual(login.request, None)
    del login
def test01(self):
    """SP login; testing access to authentication request."""
    sp_server = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    sp_server.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    login = lasso.Login(sp_server)
    login.initAuthnRequest()
    # Bare attribute read kept from the original; presumably it exercises the
    # getter on its own before the request is modified.
    login.request
    login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    self.failUnlessEqual(login.request.protocolProfile,
            lasso.LIB_PROTOCOL_PROFILE_BRWS_ART)
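def test02(self):
    """SP login; testing processing of an empty Response."""
    lassoServer = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    lassoServer.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    login = lasso.Login(lassoServer)
    # An empty response must be rejected with PROFILE_ERROR_INVALID_MSG; any
    # other lasso error is a genuine failure and propagates.
    try:
        login.processResponseMsg('')
    except lasso.Error as error:
        if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
            raise
    else:
        # Without this the test passed vacuously when nothing was raised.
        self.fail('Login processResponseMsg should have failed.')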
def getIdpServer(self):
    """Return the IdP-role server, restored from ``self.idp_server_dump``
    when an earlier call cached one, otherwise built from the idp5 test data
    and cached as a dump for later calls."""
    cached_dump = getattr(self, 'idp_server_dump', None)
    if cached_dump is not None:
        idp = lasso.Server.newFromDump(cached_dump)
        idp.role = lasso.PROVIDER_ROLE_IDP
        return idp
    idp = lasso.Server(
            os.path.join(dataDir, 'idp5-saml2/metadata.xml'),
            os.path.join(dataDir, 'idp5-saml2/private-key.pem'),
            None, None)
    idp.role = lasso.PROVIDER_ROLE_IDP
    # The WSP (sp5) is registered first; providerIds[0] is then presumably
    # its id, and its NameIDs are marked for encryption.
    idp.addProvider(lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp5-saml2/metadata.xml'), None, None)
    idp.getProvider(idp.providerIds[0]).setEncryptionMode(lasso.ENCRYPTION_MODE_NAMEID)
    idp.addProvider(lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp6-saml2/metadata.xml'), None, None)
    self.idp_server_dump = idp.dump()
    return idp
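def test01(self):
    """SP logout without session and identity; testing initRequest."""
    lassoServer = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    lassoServer.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    logout = lasso.Logout(lassoServer)
    # No session is attached, so initRequest must report SESSION_NOT_FOUND.
    # ``except ... as`` replaces the Python-2-only comma form used elsewhere.
    try:
        logout.initRequest()
    except lasso.Error as error:
        if error[0] != lasso.PROFILE_ERROR_SESSION_NOT_FOUND:
            raise
    else:
        # Without this the test passed vacuously when nothing was raised.
        self.fail('Logout initRequest should have failed.')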
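def test04(self):
    """IDP logout; testing processResponseMsg with non Liberty query."""
    lassoServer = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    lassoServer.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    logout = lasso.Logout(lassoServer)
    # The processResponseMsg should fail but not abort: a query string that is
    # not a Liberty message is refused with PROFILE_ERROR_INVALID_MSG.
    # ``except ... as`` replaces the Python-2-only comma form.
    try:
        logout.processResponseMsg('liberty=&alliance')
    except lasso.Error as error:
        if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
            raise
    else:
        # Without this the test passed vacuously when nothing was raised.
        self.fail('Logout processResponseMsg should have failed.')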
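def test01(self):
    """IDP initiated defederation; testing processNotificationMsg with non Liberty query."""
    lassoServer = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    lassoServer.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    defederation = lasso.Defederation(lassoServer)
    # The processNotificationMsg should fail but not abort: a query string
    # that is not a Liberty message is refused with PROFILE_ERROR_INVALID_MSG.
    # ``except ... as`` replaces the Python-2-only comma form.
    try:
        defederation.processNotificationMsg('nonLibertyQuery=1')
    except lasso.Error as error:
        if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
            raise
    else:
        # Without this the test passed vacuously when nothing was raised.
        self.fail('Defederation processNotificationMsg should have failed.')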
def test03(self):
    """IDP logout; testing processRequestMsg with non Liberty query."""
    idp_server = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
    idp_server.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
    logout = lasso.Logout(idp_server)
    # A query string that is not a Liberty message must be refused with
    # PROFILE_ERROR_INVALID_MSG (fail, but not abort); any other lasso error
    # propagates, and no error at all is a test failure.
    rejected_as_invalid = False
    try:
        logout.processRequestMsg('passport=0&lasso=1')
    except lasso.Error as error:
        if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
            raise
        rejected_as_invalid = True
    if not rejected_as_invalid:
        self.fail('Logout processRequestMsg should have failed.')
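def validate_sp_metadata(metadata):
    '''Validate SP metadata

    Attempt to load the metadata into Lasso and verify it loads.
    Assure only 1 provider is included in the metadata and return its id.
    If not valid raise an exception.

    Note, loading the metadata into Lasso is a weak check, basically
    all that Lasso does is to parse the XML, it doesn't verify the
    contents until first use.

    :param metadata: SAML metadata document (buffer) describing the SP
    :returns: the provider id of the single provider in the metadata
    :raises InvalidProviderMetadata: if Lasso rejects the buffer or it
        does not describe exactly one provider
    '''
    test = lasso.Server()
    try:
        test.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, metadata)
    except Exception as e:  # pylint: disable=broad-except
        # Whatever Lasso raises is surfaced as the project's own metadata
        # error so callers have a single exception type to handle.
        raise InvalidProviderMetadata(str(e))
    newsps = test.get_providers()
    if len(newsps) != 1:
        raise InvalidProviderMetadata("Metadata must contain one Provider")
    # list(...) instead of .keys()[0]: dict.keys() is not indexable on Python 3.
    spid = list(newsps.keys())[0]
    return spid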
def __init__(self, config, sessionfactory):
    """Create the IdP-role lasso.Server from ``config`` and keep ``sessionfactory``.

    Uses config.idp_metadata_file, config.idp_key_file and
    config.idp_certificate_file; the private-key password argument is
    passed as None.
    """
    idp = lasso.Server(config.idp_metadata_file,
                       config.idp_key_file,
                       None,
                       config.idp_certificate_file)
    idp.role = lasso.PROVIDER_ROLE_IDP
    self.server = idp
    self.sessionfactory = sessionfactory