def dump_db(self, db_outdir, readonly): if readonly: db_name = 'userprefs' else: db_name = 'adminconfig' test_db = os.path.join(db_outdir, '%s.sqlite' % db_name) p = subprocess.Popen(['/usr/bin/sqlite3', test_db, '.dump'], stdout=subprocess.PIPE, stderr=self.stderr) output, _ = p.communicate() if p.returncode: TC.fail('Sqlite dump failed') return output
def run_test(testname, test, args): supported = test.platform_supported() if supported is not None: return (TEST_RESULT_SKIP, supported) if args['verbose'] <= VERBOSE_SHOWOUTPUT: devnull = open(os.devnull, 'w') test.stdout = devnull test.stderr = devnull if args['verbose'] >= VERBOSE_SHOWCASES: test.print_cases = True test.setup_base(args['path'], test) env = try_wrappers(test.testdir, args['wrappers'], test.allow_wrappers) env['PYTHONPATH'] = test.rootdir env['TESTDIR'] = test.testdir results = [] post_setup = False TC.store_results(results) try: test.setup_servers(env) post_setup = True code, results = test.run(env) if code: return (TEST_RESULT_FAIL, code, results) except Exception as e: # pylint: disable=broad-except if post_setup: return (TEST_RESULT_EXCEPTION, e, results) else: return (TEST_RESULT_SETUP_FAILED, test.current_setup_step) finally: test.wait() return (TEST_RESULT_SUCCESS, results)
self.setup_step("Starting first SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') with TC.case('Verify logged out state'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/') page.expected_value('//div[@id="content"]/p/a/text()', 'Log In') with TC.case('Authenticating to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Verify logged in state'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2-test.example.com' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add first SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Access second SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45082/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Update Second SP'): # This is a test to see whether we can update SAML SPs where the name
if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' sp2name = 'sp2-test.example.com' sp3name = 'sp3_invalid' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.10:45082') sess.add_server(sp3name, 'https://127.0.0.10:45083') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('List initial Service Providers via REST'): result = sess.get_rest_sp(idpname) if len(result['result']) != 0: raise ValueError( 'Expected no SP and got %d' % len(result['result']) ) with TC.case('Add SP Metadata to IdP via admin'): sess.add_sp_metadata(idpname, spname) with TC.case('List Service Providers via REST'): result = sess.get_rest_sp(idpname) if len(result['result']) != 1:
self.start_http_server(conf, env) self.setup_step("Installing SP server") name = 'sp1' addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = '******' sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'tuser') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to Idp with no LDAP backend'): sess.auth_to_idp( idpname, rule='//div[@class="alert alert-danger"]/p/text()', expected="Internal system error" )
name = 'sp1' addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] with TC.case('Add SP Metadata to IdP'): sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') sess.auth_to_idp(idpname) sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area'): sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!')
addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area Variables'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/index.shtml') page.expected_value('text()', 'Test User %s' % user)
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2-test.example.com' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IDP'): sess.auth_to_idp(idpname) with TC.case('Add first SP metadata to IDP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Make sure we send no RelayState if none was requested'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/', follow_redirect=1) # Cut off the RelayState target = page.result.headers['Location'] target = target[:target.find('&RelayState=')] page = sess.fetch_page(idpname, target, post_forms=False) data = sess.get_form_data(page, 'saml-response', ['name', 'value']) if data[0] != 'https://127.0.0.11:45081/saml2/postResponse':
if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2' sp3name = 'sp3' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.12:45082') sess.add_server(sp3name, 'https://127.0.0.13:45083') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Registering test client'): client_info = { 'redirect_uris': ['https://invalid/'], 'response_types': ['code'], 'grant_types': ['authorization_code'], 'application_type': 'web', 'client_name': 'Test suite client', 'client_uri': 'https://invalid/', 'token_endpoint_auth_method': 'client_secret_post' } r = requests.post('https://127.0.0.10:45080/idp1/openidc/Registration', json=client_info) r.raise_for_status()
if __name__ == '__main__': idpname = 'idp1' user = pwd.getpwuid(os.getuid())[0] sp = sp_list[0] spurl = 'https://%s:%s' % (sp['addr'], sp['port']) # Set global mapping and allowed attributes, then test fetch from # SP. sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp['name'], spurl) with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp['name']) with TC.case('Test default mapping and attrs'): expect = { 'NAME_ID': user, 'fullname': 'Test User %s' % user, 'surname': user, 'givenname': u'Test User δΈ€', 'email': '*****@*****.**' % user, 'groups': user, } check_info_plugin(sess, idpname, spurl, expect)
self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): # Stress-test database connections for i in xrange(50): sess.auth_to_idp(idpname) sess.logout_from_idp(idpname) sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Logout from SP'): page = sess.fetch_page(
} for kkey in kenv: os.environ[kkey] = kenv[kkey] sp_list = generate_sp_list() for sp in sp_list: krb = False spname = sp['nameid'] spurl = 'https://%s:%s' % (sp['addr'], sp['port']) sess = HttpSessions() sess.add_server(idpname, 'https://%s:45080' % WRAP_HOSTNAME, user, 'ipsilon') sess.add_server(spname, spurl) TC.info('Testing NameID format %s' % spname) if spname == 'kerberos': krb = True with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname, krb=krb) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Set supported Name ID formats'): sess.set_sp_default_nameids(idpname, spname, [spname]) with TC.case('Access SP Protected Area', should_fail=bool(expected[spname])):
def test_upgrade_from(self, env, old_version, with_readonly): # Setup IDP Server TC.info("Installing IDP server to test upgrade from %i" % old_version) name = 'idp_v%i' % old_version if with_readonly: name = name + '_readonly' addr = '127.0.0.%i' % (10 + old_version) port = str(45080 + old_version) idp = self.generate_profile(idp_g, idp_a, name, addr, port) conf = self.setup_idp_server(idp, name, addr, port, env) # Move database of old_version into place cfgfile = os.path.join(self.testdir, 'etc', name, 'ipsilon.conf') db_indir = os.path.join(self.rootdir, 'tests', 'blobs', 'old_dbs', 'v%i' % old_version) db_outdir = os.path.join(self.testdir, 'lib', name) if with_readonly: self.use_readonly_adminconfig(name) if old_version > 0: for database in [ 'adminconfig', 'openid', 'saml2.sessions.db', 'transactions', 'userprefs' ]: db_in = os.path.join(db_indir, '%s.sqlite.dump' % database) db_out = os.path.join(db_outdir, '%s.sqlite' % database) os.unlink(db_out) if database not in ['adminconfig', 'openid' ] or not with_readonly: cmd = ['/usr/bin/sqlite3', db_out, '.read %s' % db_in] subprocess.check_call(cmd, stdout=self.stdout, stderr=self.stderr) # Upgrade that database cmd = [ os.path.join(self.rootdir, 'ipsilon/install/ipsilon-upgrade-database'), cfgfile ] subprocess.check_call(cmd, cwd=os.path.join(self.testdir, 'lib', name), env=env, stdout=self.stdout, stderr=self.stderr) # Check some version-specific changes, to see if the upgrade went OK if old_version == 0: # Check all features in a newly created database # Let's verify if at least one index was created output = self.dump_db(db_outdir, with_readonly) if 'CREATE INDEX' not in output: raise Exception('Database upgrade did not introduce index') if 'PRIMARY KEY' not in output: raise Exception('Database upgrade did not introduce primary ' + 'key') elif old_version == 1: # In 1 -> 2, we added indexes and primary keys # Let's verify if at least one index was created output = self.dump_db(db_outdir, with_readonly) if 'CREATE INDEX' not in output: raise Exception('Database upgrade did not introduce index') # SQLite did not support creating primary keys, so we can't test elif old_version == 2 and not with_readonly: # Version 3 added the authz_config table # Make sure it exists output = self.dump_db(db_outdir, with_readonly) if 'TABLE authz_config' not in output: raise Exception('Database upgrade did not introduce ' + 'authz_config table') # Start the httpd server http_server = self.start_http_server(conf, env) # Now attempt to use the upgraded database exe = self.execname if exe.endswith('c'): exe = exe[:-1] exe = [exe] exe.append(str(old_version)) if with_readonly: exe.append('readonly') else: exe.append('no-readonly') exe.append(name) exe.append('%s:%s' % (addr, port)) result = self.run_and_collect(exe, env=env) # Now kill the last http server os.killpg(http_server.pid, signal.SIGTERM) self.processes.remove(http_server) return result
self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Run OpenID Protocol'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/?extensions=NO', require_consent=True) page.expected_value('text()', 'SUCCESS, WITHOUT EXTENSIONS') with TC.case('Run OpenID Protocol without consent'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/?extensions=NO', require_consent=False) page.expected_value('text()', 'SUCCESS, WITHOUT EXTENSIONS') with TC.case('Revoking SP consent'):
'ipsilon/install/ipsilon-upgrade-database'), cfgfile ] subprocess.check_call(cmd, cwd=os.path.join(self.testdir, 'lib', idpname), env=env, stdout=self.stdout, stderr=self.stderr) self.setup_step("Starting IDP's httpd server") self.start_http_server(idpconf, env) self.setup_step("Starting SP's httpd server") self.start_http_server(spconf, env) if __name__ == '__main__': user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Access IdP homepage'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/') page.expected_value('//title/text()', 'Ipsilon') with TC.case('Access SP protected area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!')
krb5conf = os.path.join(testdir, 'krb5.conf') kenv = { 'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', 'KRB5_CONFIG': krb5conf, 'KRB5CCNAME': 'FILE:' + os.path.join(testdir, 'ccaches/user') } for key in kenv: os.environ[key] = kenv[key] sess = HttpSessions() sess.add_server(idpname, 'https://%s:45080' % WRAP_HOSTNAME, user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname, krb=True) with TC.case('Add first SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Access second SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45082/sp/') page.expected_value('text()', 'WORKS!')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.12:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP1 Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Add SP2 Metadata to IdP'): sess.add_sp_metadata(idpname, sp2name) with TC.case('Access SP1 when authz stack set to allow'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Set IdP authz stack to deny'): sess.disable_plugin(idpname, 'authz', 'allow') sess.enable_plugin(idpname, 'authz', 'deny')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') for sp in splist: spname = sp['nameid'] spurl = 'https://%s:%s' % (sp['addr'], sp['port']) sess.add_server(spname, spurl) with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) for sp in splist: spname = sp['nameid'] with TC.case('Add SP Metadata for %s to IdP' % spname): sess.add_sp_metadata(idpname, spname) with TC.case('Logout without logging into SP'): page = sess.fetch_page(idpname, '%s/%s?%s' % ( 'https://127.0.0.11:45081', 'saml2/logout', 'ReturnTo=https://127.0.0.11:45081/open/logged_out.html')) page.expected_value('text()', 'Logged out') with TC.case('Access SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/')
def run(self, env): overall_exit_code = 0 overall_results = [] for version in range(ipsilon.util.data.CURRENT_SCHEMA_VERSION): for with_readonly in [True, False]: exit_code, results = self.test_upgrade_from( env, version, with_readonly) if exit_code != 0: overall_exit_code = 1 overall_results.extend(results) return overall_exit_code, overall_results if __name__ == '__main__': from_version = sys.argv[1] with_ro = sys.argv[2] idpname = sys.argv[3] url = sys.argv[4] user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://%s' % url, user, 'ipsilon') with TC.case('From v%s %s: Authenticate to IdP' % (from_version, with_ro)): sess.auth_to_idp(idpname)