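 def test05(self):
     '''SAMLv2 Authn request emitted and received using Artifact binding.

     Flow exercised: the SP builds an AuthnRequest over HTTP-Artifact, the
     IdP turns the artifact found in the query string into an
     ArtifactResolve request, the SP (restored from a dump, as a separate
     request handler would be) answers with an ArtifactResponse, and the
     IdP finally recovers the original AuthnRequest from that response.
     '''
     sp = lasso.Server(os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
                       os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
     assert sp
     # The IdP is trusted through its metadata only (no separate key file),
     # so signature verification presumably relies on what the metadata
     # declares -- confirm against the fixture.
     sp.addProvider(lasso.PROVIDER_ROLE_IDP,
                    os.path.join(dataDir, 'idp5-saml2/metadata.xml'))
     sp_login = lasso.Login(sp)
     assert sp_login
     sp_login.initAuthnRequest(None, lasso.HTTP_METHOD_ARTIFACT_GET)
     sp_login.buildAuthnRequestMsg()
     # Serialise the SP-side state: artifact resolution below is handled by
     # a Login object rebuilt from this dump, mimicking a second HTTP round.
     sp_login_dump = sp_login.dump()
     idp = lasso.Server(os.path.join(dataDir, 'idp5-saml2/metadata.xml'),
                        os.path.join(dataDir, 'idp5-saml2/private-key.pem'))
     idp.addProvider(lasso.PROVIDER_ROLE_SP,
                     os.path.join(dataDir, 'sp5-saml2/metadata.xml'))
     idp_login = lasso.Login(idp)
     # Only the query string (after '?') carries the artifact.
     idp_login.initRequest(
         sp_login.msgUrl.split('?')[1], lasso.HTTP_METHOD_ARTIFACT_GET)
     idp_login.buildRequestMsg()
     sp_login2 = lasso.Login.newFromDump(sp, sp_login_dump)
     assert isinstance(sp_login2, lasso.Login)
     assert idp_login.msgBody
     sp_login2.processRequestMsg(idp_login.msgBody)
     sp_login2.buildResponseMsg()
     assert sp_login2.msgBody
     # A lasso.Error here propagates and fails the test; the former bare
     # ``try: ... except: raise`` wrapper was a no-op and has been removed.
     idp_login.processResponseMsg(sp_login2.msgBody)
     assert isinstance(idp_login.request, lasso.Samlp2AuthnRequest)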
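    def test01(self):
        '''Attribute request and response test between sp5 and idp6.

        sp5 acts as the requester and idp6 as the SAML attribute authority.
        The SP issues an AttributeQuery over SOAP for ``testAttribute``; the
        authority validates it and answers with a signed assertion carrying
        that attribute, and the SP must be able to read the attribute value
        back out of the response.
        '''
        s = lasso.Server(
                os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
                os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
        s.addProvider(lasso.PROVIDER_ROLE_ATTRIBUTE_AUTHORITY,
                os.path.join(dataDir, 'idp6-saml2/metadata.xml'))

        s2 = lasso.Server(
                os.path.join(dataDir, 'idp6-saml2/metadata.xml'),
                os.path.join(dataDir, 'idp6-saml2/private-key.pem'))
        s2.addProvider(lasso.PROVIDER_ROLE_SP,
                os.path.join(dataDir, 'sp5-saml2/metadata.xml'))

        aq = lasso.AssertionQuery(s)
        # Only one provider is registered on ``s``, so that is the authority.
        # list() keeps this working on Python 3, where keys() is a view.
        rpid = list(s.providers.keys())[0]
        aq.initRequest(rpid,
                lasso.HTTP_METHOD_SOAP,
                lasso.ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE)
        assert aq.request
        assert aq.remoteProviderId == rpid
        # A fresh random persistent NameID: the subject is not tied to any
        # real federation in this test.
        nid = lasso.Saml2NameID.newWithPersistentFormat(
                lasso.buildUniqueId(32),
                s.providerId, s2.providerId)
        aq.nameIdentifier = nid
        aq.addAttributeRequest(
                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
                'testAttribute')
        aq.buildRequestMsg()
        assert aq.msgUrl
        assert aq.msgBody

        aq2 = lasso.AssertionQuery(s2)
        aq2.processRequestMsg(aq.msgBody)
        # Check the *received* request. The original re-asserted aq.request
        # here, which had already been verified above and proved nothing
        # about what the authority parsed.
        assert aq2.request
        aq2.validateRequest()
        assert aq2.response
        assertion = lasso.Saml2Assertion()
        aq2.response.assertion = (assertion, )
        for attribute in aq2.request.attribute:
            content = lasso.MiscTextNode.newWithString("xxx")
            content.textChild = True
            # The same node is added twice -- presumably to produce a
            # multi-valued attribute; confirm against the original intent.
            assertion.addAttributeWithNode(attribute.name, attribute.nameFormat,
                    content)
            assertion.addAttributeWithNode(attribute.name, attribute.nameFormat,
                    content)
        assertion.subject = aq.request.subject
        # Sign the assertion with the authority's key so the SP can verify it.
        s2.saml2AssertionSetupSignature(assertion)
        aq2.buildResponseMsg()
        aq.processResponseMsg(aq2.msgBody)
        assert aq.response
        assert aq.response.assertion[0]
        assert aq.response.assertion[0].attributeStatement[0]
        assert aq.response.assertion[0].attributeStatement[0].attribute[0]
        assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0]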
 def get_idp_server(self):
     """Build the IdP-side lasso.Server used by these ID-WSF tests.

     The IdP is loaded from the module-level ``idp_metadata`` /
     ``idp_private_key`` paths (no key password, no certificate) and is
     told about two relying parties, the WSP and the WSC, each registered
     with its metadata and public key so their signatures can be checked.
     The fourth addProvider argument is left as None in both cases.
     """
     idp = lasso.Server(idp_metadata, idp_private_key, None, None)
     relying_parties = ((wsp_metadata, wsp_public_key),
                        (wsc_metadata, wsc_public_key))
     for metadata, public_key in relying_parties:
         idp.addProvider(lasso.PROVIDER_ROLE_SP, metadata, public_key, None)
     return idp
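    def test04(self):
        """Conversion of a lib:AuthnRequest with extensions into a query and back.

        The SP attaches two ``lib:Extension`` elements to a Liberty Alliance
        AuthnRequest, serialises it as an HTTP query string, and the IdP
        re-parses that query. Lasso is expected to merge the extensions into
        a single element that still contains every original child.
        """

        sp = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        sp.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        spLogin = lasso.Login(sp)
        spLogin.initAuthnRequest()
        # The extension payloads are fixture-controlled literals spliced
        # straight into XML. Anything from an untrusted source would have to
        # be escaped first; this test does not cover that.
        extensionList = [
            '<lib:Extension xmlns:lib="urn:liberty:iff:2003-08">%s</lib:Extension>'
            % extension
            for extension in (
                '<action>do</action>',
                '<action2>do action 2</action2><action3>do action 3</action3>')]
        spLogin.request.extension = tuple(extensionList)
        spLogin.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
        spLogin.buildAuthnRequestMsg()
        # Only the query part of the redirect URL is handed to the IdP.
        # (The unused ``requestAuthnContext`` and ``authnRequestUrl`` locals
        # of the original have been dropped.)
        authnRequestQuery = spLogin.msgUrl[spLogin.msgUrl.index('?') + 1:]
        idp = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        idp.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        idpLogin = lasso.Login(idp)
        idpLogin.processAuthnRequestMsg(authnRequestQuery)
        self.failUnless(idpLogin.request.extension)
        extensionsList = idpLogin.request.extension
        # Two extensions went in; one merged element is expected to come out.
        self.failUnlessEqual(len(extensionsList), 1)
        self.failUnless('<action>do</action>' in extensionsList[0])
        self.failUnless('<action2>do action 2</action2>' in extensionsList[0])
        self.failUnless('<action3>do action 3</action3>' in extensionsList[0])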
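def server(local_name, remote_role, remote_name):
    """Build a lasso.Server for ``local_name`` that knows one remote provider.

    Parameters:
        local_name: fixture directory (under ``dataDir``) holding the local
            provider's ``metadata.xml``, ``private-key.pem`` and,
            optionally, a ``password`` file for that key.
        remote_role: lasso.PROVIDER_ROLE_* constant for the remote provider.
        remote_name: fixture directory of the remote provider's metadata.

    Returns the configured lasso.Server.
    """
    pwd = os.path.join(dataDir, local_name, 'password')
    password = None
    if os.path.exists(pwd):
        # open() instead of the Python-2-only file() builtin, inside a
        # with-block so the handle is closed instead of leaked until GC.
        # The content is still passed through verbatim (no strip), so a
        # trailing newline in the fixture is part of the password.
        # NOTE(review): test11 in this suite does strip() -- confirm which
        # form the fixtures actually expect.
        with open(pwd) as fh:
            password = fh.read()
    s = lasso.Server(os.path.join(dataDir, local_name, 'metadata.xml'),
            os.path.join(dataDir, local_name, 'private-key.pem'),
            password)
    s.addProvider(remote_role, os.path.join(dataDir, remote_name, 'metadata.xml'))
    return s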
    def getWscServer(self):
        """Build the WSC-side lasso.Server (sp6 talking to idp5).

        The WSC is an SP whose only known remote provider is the IdP. The
        IdP is registered from metadata alone (public key and fourth
        argument both None), so signature verification presumably relies on
        the key material carried by the metadata itself -- confirm.
        """
        sp6_metadata = os.path.join(dataDir, 'sp6-saml2/metadata.xml')
        sp6_key = os.path.join(dataDir, 'sp6-saml2/private-key.pem')
        idp5_metadata = os.path.join(dataDir, 'idp5-saml2/metadata.xml')

        wsc = lasso.Server(sp6_metadata, sp6_key, None, None)
        wsc.role = lasso.PROVIDER_ROLE_SP
        wsc.addProvider(lasso.PROVIDER_ROLE_IDP, idp5_metadata, None, None)
        return wsc
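    def test03(self):
        """Conversion of a lib:AuthnRequest with an AuthnContext into a query and back.

        The SP requests the password authentication context class, encodes
        the Liberty AuthnRequest as an HTTP query string, and the IdP must
        recover exactly that one class reference after parsing the query.
        """

        sp = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        sp.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        spLogin = lasso.Login(sp)
        spLogin.initAuthnRequest()
        requestAuthnContext = lasso.LibRequestAuthnContext()
        requestAuthnContext.authnContextClassRef = (
            lasso.LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD,)
        spLogin.request.requestAuthnContext = requestAuthnContext
        spLogin.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
        spLogin.buildAuthnRequestMsg()
        # Only the query part of the redirect URL is handed to the IdP. (The
        # unused ``authnRequestUrl`` local of the original has been dropped.)
        authnRequestQuery = spLogin.msgUrl[spLogin.msgUrl.index('?') + 1:]
        idp = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        idp.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        idpLogin = lasso.Login(idp)
        idpLogin.processAuthnRequestMsg(authnRequestQuery)
        self.failUnless(idpLogin.request.requestAuthnContext)
        authnContextClassRefsList = idpLogin.request.requestAuthnContext.authnContextClassRef
        self.failUnlessEqual(len(authnContextClassRefsList), 1)
        self.failUnlessEqual(authnContextClassRefsList[0],
                             lasso.LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD)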
    def getWspServer(self):
        """Build the WSP-side lasso.Server (sp5 talking to idp5).

        Same shape as the WSC server, except that the WSP's signing key is
        additionally installed as its encryption private key so it can
        decrypt material (e.g. encrypted NameIDs) sent to it.
        """
        sp5_metadata = os.path.join(dataDir, 'sp5-saml2/metadata.xml')
        sp5_key = os.path.join(dataDir, 'sp5-saml2/private-key.pem')
        idp5_metadata = os.path.join(dataDir, 'idp5-saml2/metadata.xml')

        wsp = lasso.Server(sp5_metadata, sp5_key, None, None)
        wsp.role = lasso.PROVIDER_ROLE_SP
        wsp.addProvider(lasso.PROVIDER_ROLE_IDP, idp5_metadata, None, None)
        # Reusing the signing key for decryption is fine for a fixture; a
        # production deployment would normally use distinct key pairs.
        wsp.setEncryptionPrivateKey(sp5_key)
        return wsp
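 def test10(self):
     '''Test Server.setEncryptionPrivateKeyWithPassword.

     The same unencrypted key is installed three ways: by path, from an
     in-memory buffer, and finally with no argument, which resets it.
     '''
     pkey_path = os.path.join(dataDir, 'idp5-saml2', 'private-key.pem')
     server = lasso.Server(
         os.path.join(dataDir, 'idp5-saml2', 'metadata.xml'), pkey_path)
     # from file
     server.setEncryptionPrivateKeyWithPassword(pkey_path)
     # from buffer -- read through a with-block so the handle is closed
     # deterministically instead of being leaked until garbage collection
     with open(pkey_path) as fh:
         server.setEncryptionPrivateKeyWithPassword(fh.read())
     # reset
     server.setEncryptionPrivateKeyWithPassword()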
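 def test11(self):
     '''Test saving and reloading a Server using an encrypted private key.

     sp7's private key is password protected; the password is read from a
     fixture file, the Server is built, dumped, and rebuilt from the dump
     without the password being supplied again.
     '''
     pkey = os.path.join(dataDir, 'sp7-saml2', 'private-key.pem')
     mdata = os.path.join(dataDir, 'sp7-saml2', 'metadata.xml')
     # open() instead of the Python-2-only file(), in a with-block so the
     # handle is released; strip() drops the fixture's trailing newline.
     with open(os.path.join(dataDir, 'sp7-saml2', 'password')) as fh:
         password = fh.read().strip()
     server = lasso.Server(mdata, pkey, password)
     assert isinstance(server, lasso.Server)
     # NOTE(review): since newFromDump needs no password, the dump
     # presumably carries usable key material -- treat Server dumps as
     # secrets in real deployments; confirm against lasso's dump format.
     server_dump = server.dump()
     assert server_dump
     server = lasso.Server.newFromDump(server_dump)
     assert isinstance(server, lasso.Server)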
    def test02(self):
        """Server construction without argument, dump & newFromDump.

        Only the SP metadata is given (no private key, password or
        certificate); the IdP is then registered with its public key. A
        dump/reload round trip must yield an identical second dump.
        """

        sp = lasso.Server(os.path.join(dataDir,
                                       'sp1-la/metadata.xml'))
        sp.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'))
        first_dump = sp.dump()
        # newFromDump is invoked on the instance, exactly as the original did.
        reloaded = sp.newFromDump(first_dump)
        self.failUnlessEqual(first_dump, reloaded.dump())
    def test02(self):
        """IDP logout without session and identity; testing logout.getNextProviderId.

        With no session or identity attached, there is no provider left to
        notify, so getNextProviderId() must return a falsy value.
        """

        idp = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'), None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        idp.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        next_provider = lasso.Logout(idp).getNextProviderId()
        self.failIf(next_provider)
 def test07(self):
     '''SAMLv2 SSO with DSA key for the IdP.

     Redirect-binding AuthnRequest from sp5 to a DSA-keyed IdP, which
     validates it and builds a POST-binding response. The IdP is forced to
     DSA-SHA1: this exercises legacy key support, and SHA-1 signatures
     should not be considered acceptable outside such a compatibility test.
     '''
     sp = lasso.Server(os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
                       os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
     assert sp
     sp.addProvider(lasso.PROVIDER_ROLE_IDP,
                    os.path.join(dataDir, 'idp12-dsa-saml2/metadata.xml'))

     idp = lasso.Server(
         os.path.join(dataDir, 'idp12-dsa-saml2/metadata.xml'),
         os.path.join(dataDir, 'idp12-dsa-saml2/private-key.pem'))
     idp.signatureMethod = lasso.SIGNATURE_METHOD_DSA_SHA1
     idp.addProvider(lasso.PROVIDER_ROLE_SP,
                     os.path.join(dataDir, 'sp5-saml2/metadata.xml'))

     sp_login = lasso.Login(sp)
     assert sp_login
     sp_login.initAuthnRequest(None, lasso.HTTP_METHOD_REDIRECT)
     sp_login.buildAuthnRequestMsg()
     # The IdP only sees the query string part of the redirect URL.
     query = sp_login.msgUrl.split('?')[1]

     idp_login = lasso.Login(idp)
     idp_login.processAuthnRequestMsg(query)
     idp_login.protocolProfile = lasso.LOGIN_PROTOCOL_PROFILE_BRWS_POST
     # Both flags True: presumably "authenticated" and "consent obtained"
     # -- confirm against the validateRequestMsg signature.
     idp_login.validateRequestMsg(True, True)
     idp_login.buildAssertion("None", "None", "None", "None", "None")
     idp_login.buildAuthnResponseMsg()
    def test01(self):
        """Server construction, dump & newFromDump.

        Full SP construction (metadata, raw private key, no password,
        certificate) plus an IdP registered with public key and certificate.
        Dumping, reloading and dumping again must give the same text.
        """

        sp_dir = 'sp1-la'
        idp_dir = 'idp1-la'
        sp = lasso.Server(
            os.path.join(dataDir, sp_dir + '/metadata.xml'),
            os.path.join(dataDir, sp_dir + '/private-key-raw.pem'), None,
            os.path.join(dataDir, sp_dir + '/certificate.pem'))
        sp.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, idp_dir + '/metadata.xml'),
            os.path.join(dataDir, idp_dir + '/public-key.pem'),
            os.path.join(dataDir, idp_dir + '/certificate.pem'))
        first_dump = sp.dump()
        second_dump = sp.newFromDump(first_dump).dump()
        self.failUnlessEqual(first_dump, second_dump)
    def test06(self):
        """Get & set attributes of nodes of type node.

        ``Login.request`` starts out None, can be assigned a LibAuthnRequest
        whose own attributes then round-trip, and can be reset to None.
        """

        sp = lasso.Server(os.path.join(dataDir, 'sp1-la/metadata.xml'),
                          os.path.join(dataDir,
                                       'sp1-la/private-key-raw.pem'), None,
                          os.path.join(dataDir, 'sp1-la/certificate.pem'))
        login = lasso.Login(sp)

        self.failUnlessEqual(login.request, None)
        request = lasso.LibAuthnRequest()
        request.consent = lasso.LIB_CONSENT_OBTAINED
        login.request = request
        # The value must be readable back through the Login's node attribute.
        self.failUnlessEqual(login.request.consent, lasso.LIB_CONSENT_OBTAINED)
        login.request = None
        self.failUnlessEqual(login.request, None)

        # Explicit release, as in the original, to exercise node teardown.
        del login
    def test01(self):
        """SP login; testing access to authentication request.

        After initAuthnRequest() the request node is reachable and its
        protocolProfile attribute can be set and read back.
        """

        sp = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'), None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        sp.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        login = lasso.Login(sp)
        login.initAuthnRequest()
        # Plain attribute access: just checks the request node is reachable.
        request = login.request
        request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
        self.failUnlessEqual(login.request.protocolProfile,
                             lasso.LIB_PROTOCOL_PROFILE_BRWS_ART)
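    def test02(self):
        """SP login; testing processing of an empty Response.

        An empty message must be rejected with PROFILE_ERROR_INVALID_MSG.
        Any other error code propagates, and *not* raising is now a test
        failure: the original silently passed if the empty response was
        accepted, which is exactly the condition this test exists to catch.
        """

        lassoServer = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'), None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        lassoServer.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        login = lasso.Login(lassoServer)
        try:
            login.processResponseMsg('')
        except lasso.Error as error:
            if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
                raise
        else:
            self.fail('Login processResponseMsg should have failed on an empty message.')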
    def getIdpServer(self):
        """Return the IdP lasso.Server, building it once and caching its dump.

        The first call constructs idp5 with two SPs: the WSP (sp5), switched
        to NameID encryption, and the WSC (sp6). The dump is kept on the
        instance and later calls rebuild the server from it. The role is set
        again after reload, as the original did (presumably it is not part
        of the dump -- confirm).
        """
        cached_dump = getattr(self, 'idp_server_dump', None)
        if cached_dump is not None:
            server = lasso.Server.newFromDump(cached_dump)
            server.role = lasso.PROVIDER_ROLE_IDP
            return server

        idp_metadata = os.path.join(dataDir, 'idp5-saml2/metadata.xml')
        idp_private_key = os.path.join(dataDir, 'idp5-saml2/private-key.pem')
        wsp_metadata = os.path.join(dataDir, 'sp5-saml2/metadata.xml')
        wsc_metadata = os.path.join(dataDir, 'sp6-saml2/metadata.xml')

        server = lasso.Server(idp_metadata, idp_private_key, None, None)
        server.role = lasso.PROVIDER_ROLE_IDP
        server.addProvider(lasso.PROVIDER_ROLE_SP, wsp_metadata, None, None)
        # The WSP is the only registered provider at this point, hence [0].
        # Encrypting NameIDs towards it relies on key material in its metadata.
        wsp = server.getProvider(server.providerIds[0])
        wsp.setEncryptionMode(lasso.ENCRYPTION_MODE_NAMEID)
        server.addProvider(lasso.PROVIDER_ROLE_SP, wsc_metadata, None, None)
        self.idp_server_dump = server.dump()
        return server
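    def test01(self):
        """SP logout without session and identity; testing initRequest.

        With no session attached to the profile, Logout.initRequest() must
        refuse to build a request and raise PROFILE_ERROR_SESSION_NOT_FOUND.
        Any other error code propagates, and *not* raising is now a failure
        (the original silently passed in that case). The ``except ... as``
        form replaces the Python-2-only comma syntax.
        """

        lassoServer = lasso.Server(
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        lassoServer.addProvider(
            lasso.PROVIDER_ROLE_IDP,
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/public-key.pem'),
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        logout = lasso.Logout(lassoServer)
        try:
            logout.initRequest()
        except lasso.Error as error:
            if error[0] != lasso.PROFILE_ERROR_SESSION_NOT_FOUND:
                raise
        else:
            self.fail('Logout initRequest should have failed without a session.')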
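    def test04(self):
        """IDP logout; testing processResponseMsg with non Liberty query.

        A query string that is not a Liberty message must be rejected with
        PROFILE_ERROR_INVALID_MSG without aborting the process. Any other
        error code propagates, and *not* raising is now a failure (the
        original silently passed if the garbage was accepted). The
        ``except ... as`` form replaces the Python-2-only comma syntax.
        """

        lassoServer = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        lassoServer.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        logout = lasso.Logout(lassoServer)
        # The processResponseMsg should fail but not abort.
        try:
            logout.processResponseMsg('liberty=&alliance')
        except lasso.Error as error:
            if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
                raise
        else:
            self.fail('Logout processResponseMsg should have failed.')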
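    def test01(self):
        """IDP initiated defederation; testing processNotificationMsg with non Liberty query.

        A query string that is not a Liberty notification must be rejected
        with PROFILE_ERROR_INVALID_MSG without aborting the process. Any
        other error code propagates, and *not* raising is now a failure
        (the original silently passed if the garbage was accepted). The
        ``except ... as`` form replaces the Python-2-only comma syntax.
        """

        lassoServer = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'),
            None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        lassoServer.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        defederation = lasso.Defederation(lassoServer)
        # The processNotificationMsg should fail but not abort.
        try:
            defederation.processNotificationMsg('nonLibertyQuery=1')
        except lasso.Error as error:
            if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
                raise
        else:
            self.fail('Defederation processNotificationMsg should have failed.')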
    def test03(self):
        """IDP logout; testing processRequestMsg with non Liberty query.

        A query string that is not a Liberty logout request must be
        rejected with PROFILE_ERROR_INVALID_MSG; any other error code
        propagates, and silently accepting the message fails the test.
        """

        idp = lasso.Server(
            os.path.join(dataDir, 'idp1-la/metadata.xml'),
            os.path.join(dataDir, 'idp1-la/private-key-raw.pem'), None,
            os.path.join(dataDir, 'idp1-la/certificate.pem'))
        idp.addProvider(
            lasso.PROVIDER_ROLE_SP,
            os.path.join(dataDir, 'sp1-la/metadata.xml'),
            os.path.join(dataDir, 'sp1-la/public-key.pem'),
            os.path.join(dataDir, 'sp1-la/certificate.pem'))
        logout = lasso.Logout(idp)
        # The processRequestMsg should fail but not abort.
        rejected = False
        try:
            logout.processRequestMsg('passport=0&lasso=1')
        except lasso.Error as error:
            if error[0] != lasso.PROFILE_ERROR_INVALID_MSG:
                raise
            rejected = True
        if not rejected:
            self.fail('Logout processRequestMsg should have failed.')
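def validate_sp_metadata(metadata):
    '''Validate SP metadata and return the single provider id it declares.

    Attempt to load the metadata into Lasso and verify it loads.
    Assure only 1 provider is included in the metadata and return
    its id. If not valid raise InvalidProviderMetadata.

    Note, loading the metadata into Lasso is a weak check, basically
    all that Lasso does is to parse the XML, it doesn't verify the
    contents until first use. A successful return therefore means only
    "well-formed and names exactly one provider", not that the metadata
    is trustworthy.
    '''
    test = lasso.Server()
    try:
        test.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, metadata)
    except Exception as e:  # pylint: disable=broad-except
        # Translate whatever Lasso raised into the caller-facing exception.
        raise InvalidProviderMetadata(str(e))
    newsps = test.get_providers()
    if len(newsps) != 1:
        raise InvalidProviderMetadata("Metadata must contain one Provider")

    # next(iter(...)) works on both Python 2 key lists and Python 3 key
    # views, unlike the original ``keys()[0]``.
    spid = next(iter(newsps.keys()))
    return spid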
 def __init__(self, config, sessionfactory):
     """Set up the IdP-side lasso.Server and keep the session factory.

     ``config`` must expose ``idp_metadata_file``, ``idp_key_file`` and
     ``idp_certificate_file``. The private key is loaded with no password
     (third argument None), so the key file is expected to be unencrypted
     and must be protected by file permissions instead.
     """
     idp = lasso.Server(config.idp_metadata_file,
                        config.idp_key_file,
                        None,
                        config.idp_certificate_file)
     idp.role = lasso.PROVIDER_ROLE_IDP
     self.server = idp
     self.sessionfactory = sessionfactory