def load_metadata(self, metadata_conf):
""" Loads metadata into an internal structure """
acs = self.attribute_converters
if acs is None:
raise ConfigurationError(
"Missing attribute converter specification")
try:
ca_certs = self.ca_certs
except:
ca_certs = None
try:
disable_validation = self.disable_ssl_certificate_validation
except:
disable_validation = False
mds = MetadataStore(
acs,
self,
ca_certs,
disable_ssl_certificate_validation=disable_validation)
mds.imp(metadata_conf)
return mds
def test_shibmd_scope_no_regex_all_descriptors():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["15"])
scopes = mds.sbibmd_scopes(entity_id='http://example.com/saml2/idp.xml',
typ="idpsso_descriptor")
all_scopes = list(scopes)
expected = [
{
"regexp": False,
"text": "descriptor-example.org",
},
{
"regexp": True,
"text": regex_compile("descriptor-example[^0-9]*\.org"),
},
{
"regexp": False,
"text": "idpssodescriptor-example.org",
},
]
assert len(all_scopes) == 3
assert all_scopes == expected
def test_xmlsec_err_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""), })
)
try:
sec.sign_statement(assertion, class_name(assertion),
key_file=full_path("tes.key"),
node_id=assertion.id)
except (XmlsecError, SigverError) as err: # should throw an exception
pass
else:
assert False
def test_get_certs_from_metadata():
mds = MetadataStore(ONTS.values(), ATTRCONV, None)
mds.imp(METADATACONF["11"])
certs1 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "any")
certs2 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso")
assert certs1[0] == certs2[0] == TEST_CERT
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(),
ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_sfs_hei.xml"), )]
}])
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(ava.keys(), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_sha256_signing():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1, sign_alg=SIG_RSA_SHA256),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
s = sec.sign_statement(assertion,
class_name(assertion),
key_file=PRIV_KEY,
node_id=assertion.id)
assert s
def test_swami_1():
UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
assert len(mds) == 1 # One source
idps = mds.with_descriptor("idpsso")
assert idps.keys()
idpsso = mds.single_sign_on_service(UMU_IDP)
assert len(idpsso) == 1
assert list(locations(idpsso)) == [
'https://idp.umu.se/saml2/idp/SSOService.php'
]
_name = name(mds[UMU_IDP])
assert _name == u'Umeå University (SAML2)'
certs = mds.certs(UMU_IDP, "idpsso", "signing")
assert len(certs) == 1
sps = mds.with_descriptor("spsso")
assert len(sps) == 108
wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation'])
wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
assert wants["required"] == []
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
def test_metadata_file():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["8"])
print((len(list(mds.keys()))))
assert len(list(mds.keys())) == 560
def test_xmlsec_err():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""), })
)
try:
sec.sign_statement(assertion, class_name(assertion),
key_file=full_path("tes.key"),
node_id=assertion.id)
except (XmlsecError, SigverError) as err: # should throw an exception
pass
else:
assert False
def test_xmlsec_err_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""), })
)
with raises(XmlsecError):
sec.sign_statement(
assertion,
class_name(assertion),
key_file=INVALID_KEY,
node_id=assertion.id,
)
def test_xbox_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}
)
)
sigass = sec.sign_statement(
assertion,
class_name(assertion),
key_file=PRIV_KEY,
node_id=assertion.id,
)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(
str(pre_encryption_part()).encode('utf-8'), decode=False
)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext, key_file=PRIV_KEY)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(
_seass.extension_elements, [saml, samlp]
)
for ass in assers:
_txt = sec.verify_signature(
str(ass), PUB_KEY, node_name=class_name(assertion)
)
if _txt:
assertions.append(ass)
assert assertions
print(assertions)
def load_metadata(self, metadata_conf):
""" Loads metadata into an internal structure """
acs = self.attribute_converters
if acs is None:
raise ConfigurationError(
"Missing attribute converter specification")
try:
ca_certs = self.ca_certs
except:
ca_certs = None
try:
disable_validation = self.disable_ssl_certificate_validation
except:
disable_validation = False
mds = MetadataStore(
ONTS.values(), acs, self, ca_certs,
disable_ssl_certificate_validation=disable_validation)
mds.imp(metadata_conf)
return mds
def test_xmlsec_err_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}))
with raises(XmlsecError):
sec.sign_statement(
assertion,
class_name(assertion),
key_file=INVALID_KEY,
node_id=assertion.id,
)
def load_metadata(self, metadata_conf):
""" Loads metadata into an internal structure """
xmlsec_binary = self.xmlsec_binary
acs = self.attribute_converters
if xmlsec_binary is None:
raise Exception("Missing xmlsec1 specification")
if acs is None:
raise Exception("Missing attribute converter specification")
try:
ca_certs = self.ca_certs
except:
ca_certs = None
try:
disable_validation = self.disable_ssl_certificate_validation
except:
disable_validation = False
mds = MetadataStore(ONTS.values(), acs, xmlsec_binary, ca_certs,
disable_ssl_certificate_validation=disable_validation)
mds.imp(metadata_conf)
return mds
def test_registration_info_no_policy():
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["13"])
registration_info = mds.registration_info(entity_id='https://idp.szie.hu/idp/shibboleth')
assert 'http://eduid.hu' == registration_info['registration_authority']
assert registration_info['registration_instant'] is None
assert registration_info['registration_policy'] == {}
def test_extension():
mds = MetadataStore(ATTRCONV, None)
# use ordered dict to force expected entity to be last
metadata = OrderedDict()
metadata["1"] = {"entity1": {}}
metadata["2"] = {"entity2": {"idpsso_descriptor": [{"extensions": {"extension_elements": [{"__class__": "test"}]}}]}}
mds.metadata = metadata
assert mds.extension("entity2", "idpsso_descriptor", "test")
def test_extension():
mds = MetadataStore(ATTRCONV, None)
# use ordered dict to force expected entity to be last
metadata = OrderedDict()
metadata["1"] = {"entity1": {}}
metadata["2"] = {"entity2": {"idpsso_descriptor": [{"extensions": {"extension_elements": [{"__class__": "test"}]}}]}}
mds.metadata = metadata
assert mds.extension("entity2", "idpsso_descriptor", "test")
def test_load_local_dir():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["9"])
print mds
assert len(mds) == 3 # Three sources
assert len(mds.keys()) == 4 # number of idps
def test_registration_info():
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["13"])
registration_info = mds.registration_info(entity_id='https://aai-idp.unibe.ch/idp/shibboleth')
assert 'http://rr.aai.switch.ch/' == registration_info['registration_authority']
assert '2013-06-15T18:15:03Z' == registration_info['registration_instant']
assert 'https://www.switch.ch/aai/federation/switchaai/metadata-registration-practice-statement-20110711.txt' == \
registration_info['registration_policy']['en']
def test_load_local_dir():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["9"])
print(mds)
assert len(mds) == 3 # Three sources
assert len(mds.keys()) == 4 # number of idps
def __init__(self, idp_conf, logger, conf, publicKey, privateKey, metadataList):
"""
Constructor.
Initiates the class.
:param logger: Logger to be used when something needs to be logged.
:param conf: idp_proxy_conf see IdpProxy/conig/idp_proxy_conf.example.py
:param key: A RSA key to be used for encryption.
:param metadataList: A list of metadata files.
[{"local": ["swamid-1.0.xml"]}, {"local": ["sp.xml"]}]
:raise:
"""
if (logger is None) or (conf is None) or (publicKey is None)or (privateKey is None):
raise ValueError(
"A new instance must include a value for logger, conf and key.")
#Public key to be used for encryption.
self.publicKey = publicKey
self.privateKey = privateKey
#Used for presentation of mako files.
self.lookup = TemplateLookup(
directories=[MetadataGeneration.CONST_STATIC_MAKO + 'templates',
MetadataGeneration.CONST_STATIC_MAKO + 'htdocs'],
module_directory='modules',
input_encoding='utf-8',
output_encoding='utf-8')
#The logger.
self.logger = logger
#A list of all social services used by this IdPproxy.
self.socialServiceKeyList = []
#A list of all service providers used by this sp.
self.spKeyList = []
for key in conf:
self.socialServiceKeyList.append(conf[key]["name"])
try:
xmlsec_path = get_xmlsec_binary(["/opt/local/bin"])
except:
try:
xmlsec_path = get_xmlsec_binary(["/usr/local/bin"])
except:
self.logger.info('Xmlsec must be installed! Tries /usr/bin/xmlsec1.')
xmlsec_path = '/usr/bin/xmlsec1'
self.xmlsec_path = xmlsec_path
config = Config()
config.disable_ssl_certificate_validation = True
config.key_file = idp_conf["key_file"]
config.cert_file = idp_conf["cert_file"]
config.xmlsec_binary = idp_conf["xmlsec_binary"]
config.debug = idp_conf["debug"]
for metadata in metadataList:
mds = MetadataStore(MetadataGeneration.CONST_ONTS.values(),
MetadataGeneration.CONST_ATTRCONV, config)
mds.imp(metadata)
for entityId in mds.keys():
self.spKeyList.append(entityId)
def test_load_external():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["10"])
print(mds)
assert len(mds) == 1 # One source
assert len(mds.keys()) > 1 # number of idps
def test_ext_2():
mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["3"])
# No specific binding defined
ents = mds.with_descriptor("spsso")
for binding in [BINDING_SOAP, BINDING_HTTP_POST, BINDING_HTTP_ARTIFACT, BINDING_HTTP_REDIRECT]:
assert mds.single_logout_service(list(ents.keys())[0], binding, "spsso")
def test_load_external():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["10"])
print(mds)
assert len(mds) == 1 # One source
assert len(mds.keys()) > 1 # number of idps
def test_xbox_non_ascii_ava():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Föö", ""),
("", "", "givenName"): ("Bär", ""),
}))
sigass = sec.sign_statement(
assertion,
class_name(assertion),
key_file=PRIV_KEY,
node_id=assertion.id,
)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode('utf-8'),
decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext, key_file=PRIV_KEY)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
for ass in assers:
_txt = sec.verify_signature(str(ass),
PUB_KEY,
node_name=class_name(assertion))
if _txt:
assertions.append(ass)
assert assertions
print(assertions)
def test_load_extern_incommon():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["10"])
print(mds)
assert mds
assert len(mds.keys())
def test_filter_ava_esi_coco():
entity_id = "https://esi-coco.example.edu/saml2/metadata/"
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_esi_and_coco_sp.xml"), )]
}])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["swamid"]
}
}
policy = Policy(policy_conf, mds)
ava = {
"givenName": ["Test"],
"sn": ["Testsson"],
"mail": ["*****@*****.**"],
"c": ["SE"],
"schacHomeOrganization": ["example.com"],
"eduPersonScopedAffiliation": ["*****@*****.**"],
"schacPersonalUniqueCode": [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
]
}
requested_attributes = [{
'friendly_name': 'eduPersonScopedAffiliation',
'name': '1.3.6.1.4.1.5923.1.1.1.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}, {
'friendly_name': 'schacHomeOrganization',
'name': '1.3.6.1.4.1.25178.1.2.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}]
ava = policy.filter(ava, entity_id, required=requested_attributes)
assert _eq(list(ava.keys()), [
'eduPersonScopedAffiliation', 'schacHomeOrganization',
'schacPersonalUniqueCode'
])
assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"])
assert _eq(ava["schacHomeOrganization"], ["example.com"])
assert _eq(ava["schacPersonalUniqueCode"], [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
])
def test_xbox():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part(
"11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""),
}))
sigass = sec.sign_statement(assertion,
class_name(assertion),
key_file=full_path("test.key"),
node_id=assertion.id)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode('utf-8'),
decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion), conf.cert_file, pre, "des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]')
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
sign_cert_file = full_path("test.pem")
for ass in assers:
_ass = "%s" % ass
#_ass = _ass.replace('xsi:nil="true" ', '')
#assert sigass == _ass
_txt = sec.verify_signature(_ass,
sign_cert_file,
node_name=class_name(assertion))
if _txt:
assertions.append(ass)
print(assertions)
def test_swamid_idp():
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True,
filter=AllowDescriptor(["idpsso"]))
mds.imp(METADATACONF["1"])
sps = mds.with_descriptor("spsso")
assert len(sps) == 0
idps = mds.with_descriptor("idpsso")
assert len(idps) == 275
def create_metadata(self, metadata):
# For database implementation
#mds = MetaDataStoreDB(db, self.config.attribute_converters, self.config)
#mds.load_from_database()
mds = MetadataStore(self.config.attribute_converters, self.config)
mds.imp(metadata)
return mds
def test_metadata_file():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(list(ONTS.values()),
ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["8"])
print((len(list(mds.keys()))))
assert len(list(mds.keys())) == 560
def test_load_extern_incommon():
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["10"])
print(mds)
assert mds
assert len(mds.keys())
def test_switch_1():
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["5"])
assert len(mds.keys()) > 160
idps = mds.with_descriptor("idpsso")
print(idps.keys())
idpsso = mds.single_sign_on_service(
'https://aai-demo-idp.switch.ch/idp/shibboleth')
assert len(idpsso) == 1
print(idpsso)
assert destinations(idpsso) == [
'https://aai-demo-idp.switch.ch/idp/profile/SAML2/Redirect/SSO']
assert len(idps) > 30
aas = mds.with_descriptor("attribute_authority")
print(aas.keys())
aad = aas['https://aai-demo-idp.switch.ch/idp/shibboleth']
print(aad.keys())
assert len(aad["attribute_authority_descriptor"]) == 1
assert len(aad["idpsso_descriptor"]) == 1
sps = mds.with_descriptor("spsso")
dual = [eid for eid, ent in idps.items() if eid in sps]
print(len(dual))
assert len(dual) == 0
def test_incommon_1():
mds = MetadataStore(list(ONTS.values()), ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["2"])
print((mds.entities()))
assert mds.entities() > 1700
idps = mds.with_descriptor("idpsso")
print((list(idps.keys())))
assert len(idps) > 300 # ~ 18%
try:
_ = mds.single_sign_on_service("urn:mace:incommon:uiuc.edu")
except UnknownPrincipal:
pass
idpsso = mds.single_sign_on_service("urn:mace:incommon:alaska.edu")
assert len(idpsso) == 1
print(idpsso)
assert destinations(idpsso) == ["https://idp.alaska.edu/idp/profile/SAML2/Redirect/SSO"]
sps = mds.with_descriptor("spsso")
acs_sp = []
for nam, desc in list(sps.items()):
if "attribute_consuming_service" in desc:
acs_sp.append(nam)
assert len(acs_sp) == 0
# Look for attribute authorities
aas = mds.with_descriptor("attribute_authority")
print((list(aas.keys())))
assert len(aas) == 180
def test_swami_1():
UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
assert len(mds) == 1 # One source
idps = mds.with_descriptor("idpsso")
assert idps.keys()
idpsso = mds.single_sign_on_service(UMU_IDP)
assert len(idpsso) == 1
assert destinations(idpsso) == [
'https://idp.umu.se/saml2/idp/SSOService.php']
_name = name(mds[UMU_IDP])
assert _name == u'Umeå University (SAML2)'
certs = mds.certs(UMU_IDP, "idpsso", "signing")
assert len(certs) == 1
sps = mds.with_descriptor("spsso")
assert len(sps) == 108
wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation'])
wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
assert wants["required"] == []
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
def test_supported_algorithms():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["11"])
algs = mds.supported_algorithms(
entity_id=
'http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php')
assert 'http://www.w3.org/2001/04/xmlenc#sha256' in algs['digest_methods']
assert 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' in algs[
'signing_methods']
def handleMetadataVerifyJson(self, environ, start_response, qs):
"""
Handles JSON metadata verifications.
The post body must contains a JSON message like { 'xml' : 'a metadata file'}
:param environ: wsgi enviroment
:param start_response: wsgi start respons
:param qs: Query parameters in a dictionary.
:return: wsgi response contaning a JSON response. The JSON message will contain the parameter ok and services.
ok will contain true if the metadata file can be parsed, otherwise false.
services will contain a list of all the service names contained in the metadata file.
"""
ok = False
services = "[]"
try:
if MetadataGeneration.CONST_BODY in qs:
jsonMessage = json.loads(qs[MetadataGeneration.CONST_BODY])
if "xml" in jsonMessage:
xml = jsonMessage["xml"]
xml = xml.strip()
metadataOK = False
ci = None
try:
mds = MetadataStore(MetadataGeneration.CONST_ONTS.values(),
MetadataGeneration.CONST_ATTRCONV, self.xmlsec_path,
disable_ssl_certificate_validation=True)
md = MetaData(MetadataGeneration.CONST_ONTS.values(), MetadataGeneration.CONST_ATTRCONV, metadata=xml)
md.load()
entityId = md.entity.keys()[0]
mds.metadata[entityId] = md
args = {"metad": mds, "dkeys": {"rsa": [self.privateKey]}}
ci = utils.ConsumerInfo(['metadata'], **args)
metadataOK = True
except:
self.logger.info('Could not parse the metadata file in handleMetadataVerifyJSON.',
exc_info=True)
services = "["
first = True
if ci is not None:
for item in ci._info:
if item._ava is not None and entityId in item._ava:
for social in item._ava[entityId]:
if not first:
services += ","
else:
first = False
services += '"' + social + '"'
services += "]"
if metadataOK:
ok = True
except:
self.logger.fatal('Unknown error in handleMetadataVerifyJSON.',
exc_info=True)
resp = Response('{"ok":"' + str(ok) + '", "services":' + services + '}', headers=[('Content-Type', MetadataGeneration.CONST_TYPEJSON)])
return resp(environ, start_response)
def test_metadata():
conf = config.Config()
conf.load_file("idp_conf_mdb")
umu_idp = 'https://idp.umu.se/saml2/idp/metadata.php'
# Set up a Metadata store
mds = MetadataStore(ATTRCONV, conf,
disable_ssl_certificate_validation=True)
# Import metadata from local file.
mds.imp([{"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("swamid-2.0.xml"), )]}])
assert len(mds) == 1 # One source
try:
export_mdstore_to_mongo_db(mds, "metadata", "test")
except ConnectionFailure:
pass
else:
mdmdb = MetadataMDB(ATTRCONV, "metadata", "test")
# replace all metadata instances with this one
mds.metadata = {"mongo_db": mdmdb}
idps = mds.with_descriptor("idpsso")
assert idps.keys()
idpsso = mds.single_sign_on_service(umu_idp)
assert len(idpsso) == 1
assert destinations(idpsso) == [
'https://idp.umu.se/saml2/idp/SSOService.php']
_name = name(mds[umu_idp])
assert _name == u'Ume\xe5 University'
certs = mds.certs(umu_idp, "idpsso", "signing")
assert len(certs) == 1
sps = mds.with_descriptor("spsso")
assert len(sps) == 417
wants = mds.attribute_requirement('https://connect.sunet.se/shibboleth')
assert wants["optional"] == []
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
assert _eq(lnamn,
['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation', 'eduPersonAffiliation'])
wants = mds.attribute_requirement(
"https://gidp.geant.net/sp/module.php/saml/sp/metadata.php/default-sp")
# Optional
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['displayName', 'commonName', 'schacHomeOrganization',
'eduPersonAffiliation', 'schacHomeOrganizationType'])
# Required
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
assert _eq(lnamn, ['eduPersonTargetedID', 'mail',
'eduPersonScopedAffiliation'])
def test_xbox():
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("idp_example.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", "")}
),
)
sigass = sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id)
_ass0 = saml.assertion_from_string(sigass)
encrypted_assertion = EncryptedAssertion()
encrypted_assertion.add_extension_element(_ass0)
_, pre = make_temp(str(pre_encryption_part()).encode("utf-8"), decode=False)
enctext = sec.crypto.encrypt(
str(encrypted_assertion),
conf.cert_file,
pre,
"des-192",
'/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]',
)
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assertions = []
assers = extension_elements_to_elements(_seass.extension_elements, [saml, samlp])
sign_cert_file = full_path("test.pem")
for ass in assers:
_ass = "%s" % ass
# _ass = _ass.replace('xsi:nil="true" ', '')
# assert sigass == _ass
_txt = sec.verify_signature(_ass, sign_cert_file, node_name=class_name(assertion))
if _txt:
assertions.append(ass)
print(assertions)
def __init__(self, user, passwd, sp="", idp=None, metadata_file=None,
xmlsec_binary=None, verbose=0, ca_certs="",
disable_ssl_certificate_validation=True, key_file=None,
cert_file=None, config=None):
"""
:param user: user name
:param passwd: user password
:param sp: The SP URL
:param idp: The IdP PAOS endpoint
:param metadata_file: Where the metadata file is if used
:param xmlsec_binary: Where the xmlsec1 binary can be found (*)
:param verbose: Chatty or not
:param ca_certs: is the path of a file containing root CA certificates
for SSL server certificate validation (*)
:param disable_ssl_certificate_validation: If
disable_ssl_certificate_validation is true, SSL cert validation
will not be performed (*)
:param key_file: Private key filename (*)
:param cert_file: Certificate filename (*)
:param config: Config() instance, overrides all the parameters marked
with an asterisk (*) above
"""
if not config:
config = Config()
config.disable_ssl_certificate_validation = \
disable_ssl_certificate_validation
config.key_file = key_file
config.cert_file = cert_file
config.ca_certs = ca_certs
config.xmlsec_binary = xmlsec_binary
Entity.__init__(self, "sp", config)
self._idp = idp
self._sp = sp
self.user = user
self.passwd = passwd
self._verbose = verbose
if metadata_file:
self._metadata = MetadataStore([saml, samlp], None, config)
self._metadata.load("local", metadata_file)
logger.debug("Loaded metadata from '%s'", metadata_file)
else:
self._metadata = None
self.metadata = self._metadata
self.cookie_handler = None
self.done_ecp = False
self.cookie_jar = cookielib.LWPCookieJar()
def test_switch_1():
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["5"])
assert len(mds.keys()) > 160
idps = mds.with_descriptor("idpsso")
print(idps.keys())
idpsso = mds.single_sign_on_service(
'https://aai-demo-idp.switch.ch/idp/shibboleth')
assert len(idpsso) == 1
print(idpsso)
assert destinations(idpsso) == [
'https://aai-demo-idp.switch.ch/idp/profile/SAML2/Redirect/SSO']
assert len(idps) > 30
aas = mds.with_descriptor("attribute_authority")
print(aas.keys())
aad = aas['https://aai-demo-idp.switch.ch/idp/shibboleth']
print(aad.keys())
assert len(aad["attribute_authority_descriptor"]) == 1
assert len(aad["idpsso_descriptor"]) == 1
sps = mds.with_descriptor("spsso")
dual = [eid for eid, ent in idps.items() if eid in sps]
print(len(dual))
assert len(dual) == 0
def test_metadata():
conf = config.Config()
conf.load_file("idp_conf_mdb")
UMU_IDP = "https://idp.umu.se/saml2/idp/metadata.php"
# Set up a Metadata store
mds = MetadataStore(list(ONTS.values()), ATTRCONV, conf, disable_ssl_certificate_validation=True)
# Import metadata from local file.
mds.imp({"local": [full_path("swamid-2.0.xml")]})
assert len(mds) == 1 # One source
export_mdstore_to_mongo_db(mds, "metadata", "test")
mdmdb = MetadataMDB(ONTS, ATTRCONV, "metadata", "test")
# replace all metadata instances with this one
mds.metadata = {"mongo_db": mdmdb}
idps = mds.with_descriptor("idpsso")
assert list(idps.keys())
idpsso = mds.single_sign_on_service(UMU_IDP)
assert len(idpsso) == 1
assert destinations(idpsso) == ["https://idp.umu.se/saml2/idp/SSOService.php"]
_name = name(mds[UMU_IDP])
assert _name == "Ume\xe5 University"
certs = mds.certs(UMU_IDP, "idpsso", "signing")
assert len(certs) == 1
sps = mds.with_descriptor("spsso")
assert len(sps) == 431
wants = mds.attribute_requirement("https://connect.sunet.se/shibboleth")
assert wants["optional"] == []
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
assert _eq(
lnamn,
["eduPersonPrincipalName", "mail", "givenName", "sn", "eduPersonScopedAffiliation", "eduPersonAffiliation"],
)
wants = mds.attribute_requirement("https://gidp.geant.net/sp/module.php/saml/sp/metadata.php/default-sp")
# Optional
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(
lnamn,
["displayName", "commonName", "schacHomeOrganization", "eduPersonAffiliation", "schacHomeOrganizationType"],
)
# Required
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["required"]]
assert _eq(lnamn, ["eduPersonTargetedID", "mail", "eduPersonScopedAffiliation"])
def test_load_external(mock_request):
filepath = os.path.join(TESTS_DIR, "remote_data/InCommon-metadata-export.xml")
with open(filepath) as fd:
data = fd.read()
mock_request.return_value.ok = True
mock_request.return_value.status_code = 200
mock_request.return_value.content = data
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["10"])
print(mds)
assert len(mds) == 1 # One source
assert len(mds.keys()) > 1 # number of idps
def test_entity_category_import_from_path():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
# The file entity_cat_rs.xml contains the SAML metadata for an SP
# tagged with the REFEDs R&S entity category.
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_rs.xml"), )]
}])
# The entity category module myentitycategory.py is in the tests
# directory which is on the standard module search path.
# The module uses a custom interpretation of the REFEDs R&S entity category
# by adding eduPersonUniqueId.
policy = Policy(
{
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["myentitycategory"]
}
}, mds)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"displayName": "Derek Jeter",
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"eduPersonUniqueId": "*****@*****.**",
"eduPersonScopedAffiliation": "*****@*****.**",
"eduPersonPrincipalName": "*****@*****.**",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
# We expect c and norEduPersonNIN to be filtered out since they are not
# part of the custom entity category.
assert _eq(list(ava.keys()), [
"eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId",
"displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"
])
def test_sp_metadata():
mds = MetadataStore(ONTS.values(),
ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["6"])
assert len(mds.keys()) == 1
assert mds.keys() == ['urn:mace:umu.se:saml:roland:sp']
assert _eq(mds['urn:mace:umu.se:saml:roland:sp'].keys(),
['entity_id', '__class__', 'spsso_descriptor'])
req = mds.attribute_requirement('urn:mace:umu.se:saml:roland:sp')
print req
assert len(req["required"]) == 3
assert len(req["optional"]) == 1
assert req["optional"][0]["name"] == 'urn:oid:2.5.4.12'
assert req["optional"][0]["friendly_name"] == 'title'
assert _eq([n["name"] for n in req["required"]], [
'urn:oid:2.5.4.4', 'urn:oid:2.5.4.42',
'urn:oid:0.9.2342.19200300.100.1.3'
])
assert _eq([n["friendly_name"] for n in req["required"]],
['surName', 'givenName', 'mail'])
def setup_class(self):
xmlexec = get_xmlsec_binary()
md = MetadataStore([saml, samlp], None, xmlexec)
md.load("local", "metadata_cert.xml")
self.sec = sigver.SecurityContext(xmlexec, key_file=PRIV_KEY,
cert_file=PUB_KEY, debug=1, metadata=md)
self._assertion = factory( saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("","","surName"): ("Foo",""),
("","","givenName") :("Bar",""),
})
)
def setup_class(self):
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("metadata_cert.xml"))
conf.metadata = md
conf.only_use_keys_in_metadata = False
self.sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion, version="2.0", id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""), })
)
def test_filter_ava_registration_authority_1():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None,
},
"http://rr.aai.switch.ch/": {
"attribute_restrictions": {
"givenName": None,
"surName": None,
}
}
}
policy = Policy(restrictions=policy_conf, mds=mds)
attributes = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": [
"*****@*****.**",
"*****@*****.**",
],
}
# SP registered with http://rr.aai.switch.ch/
ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
# SP not registered with http://rr.aai.switch.ch/
ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**", "*****@*****.**"]
def test_filter_ava_required_attributes_with_no_friendly_name():
entity_id = "https://no-friendly-name.example.edu/saml2/metadata/"
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_no_friendly_name_sp.xml"), )]
}])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["swamid"]
}
}
policy = Policy(policy_conf, mds)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134",
}
attribute_requirements = mds.attribute_requirement(entity_id)
required = attribute_requirements.get("required", [])
optional = attribute_requirements.get("optional", [])
# ensure the requirements define the eduPersonTargetedID
# without the friendlyName attribute
oid_eptid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
requested_attribute_eptid = RequestedAttribute(name=oid_eptid,
name_format=NAME_FORMAT_URI,
is_required='true')
assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]
ava = policy.filter(ava, entity_id, required=required, optional=optional)
assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
def find_allowed_algorithms(metadata_file, ic):
mds = MetadataStore(ic.attribute_converters, ic,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(metadata_file,)]}])
md = mds.metadata[metadata_file]
ed = list(md.entity.values())[0]
res = {"digest_algorithms":[], "signing_algorithms":[]}
for elem in ed['extensions']['extension_elements']:
if elem['__class__'] == '{}&DigestMethod'.format(algsupport.NAMESPACE):
res['digest_algorithms'].append(elem['algorithm'])
elif elem['__class__'] == '{}&SigningMethod'.format(
algsupport.NAMESPACE):
res['signing_algorithms'].append(elem['algorithm'])
return res
def setup_class(self):
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", full_path("metadata_cert.xml"))
crypto = get_xmlsec_cryptobackend()
self.sec = sigver.SecurityContext(crypto, key_file=PRIV_KEY,
cert_file=PUB_KEY, debug=1, metadata=md)
self._assertion = factory( saml.Assertion,
version="2.0",
id="11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("","","surName"): ("Foo",""),
("","","givenName") :("Bar",""),
})
)
def test_metadata():
conf = config.Config()
conf.load_file("idp_conf_mdb")
UMU_IDP = 'https://idp.umu.se/saml2/idp/metadata.php'
mds = MetadataStore(ONTS.values(), ATTRCONV, conf,
disable_ssl_certificate_validation=True)
mds.imp({"local": [full_path("swamid-1.0.xml")]})
assert len(mds) == 1 # One source
export_mdstore_to_mongo_db(mds, "metadata", "test")
mdmdb = MetadataMDB(ONTS, ATTRCONV, "metadata", "test")
# replace all metadata instances with this one
mds.metadata = {"mongo_db": mdmdb}
idps = mds.with_descriptor("idpsso")
assert idps.keys()
idpsso = mds.single_sign_on_service(UMU_IDP)
assert len(idpsso) == 1
assert destinations(idpsso) == [
'https://idp.umu.se/saml2/idp/SSOService.php']
_name = name(mds[UMU_IDP])
assert _name == u'Umeå University (SAML2)'
certs = mds.certs(UMU_IDP, "idpsso", "signing")
assert len(certs) == 1
sps = mds.with_descriptor("spsso")
assert len(sps) == 108
wants = mds.attribute_requirement('https://connect8.sunet.se/shibboleth')
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation'])
wants = mds.attribute_requirement('https://beta.lobber.se/shibboleth')
assert wants["required"] == []
lnamn = [d_to_local_name(mds.attrc, attr) for attr in wants["optional"]]
assert _eq(lnamn, ['eduPersonPrincipalName', 'mail', 'givenName', 'sn',
'eduPersonScopedAffiliation', 'eduPersonEntitlement'])
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}])
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_get_certs_from_metadata():
mds = MetadataStore(ATTRCONV, None)
mds.imp(METADATACONF["11"])
certs1 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "any")
certs2 = mds.certs("http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php", "idpsso")
assert certs1[0] == certs2[0] == TEST_CERT
def test_okta():
conf = config.Config()
conf.load_file("server_conf")
conf.id_attr_name = 'Id'
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
with open(OKTA_RESPONSE) as f:
enctext = f.read()
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
with open(OKTA_ASSERTION) as f:
okta_assertion = f.read()
expected_assert = assertion_from_string(okta_assertion)
assert len(assers) == 1
assert assers[0] == expected_assert
def test_okta():
conf = config.Config()
conf.load_file("server_conf")
conf.id_attr_name = 'Id'
md = MetadataStore([saml, samlp], None, conf)
md.load("local", IDP_EXAMPLE)
conf.metadata = md
conf.only_use_keys_in_metadata = False
sec = sigver.security_context(conf)
with open(OKTA_RESPONSE) as f:
enctext = f.read()
decr_text = sec.decrypt(enctext)
_seass = saml.encrypted_assertion_from_string(decr_text)
assers = extension_elements_to_elements(_seass.extension_elements,
[saml, samlp])
with open(OKTA_ASSERTION) as f:
okta_assertion = f.read()
expected_assert = assertion_from_string(okta_assertion)
assert len(assers) == 1
assert assers[0] == expected_assert
def test_get_certs_from_metadata_without_keydescriptor():
mds = MetadataStore(ATTRCONV, None)
mds.imp([{
"class":
"saml2.mdstore.InMemoryMetaData",
"metadata": [("""
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Name="urn:mace:example.com:test-1.0">
<EntityDescriptor
entityID="http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php"
xml:base="swamid-1.0/idp.umu.se-saml2.xml">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php"/>
</IDPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">Catalogix</OrganizationName>
<OrganizationDisplayName xml:lang="en">Catalogix</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://www.catalogix.se</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<SurName>Hedberg</SurName>
<EmailAddress>[email protected]</EmailAddress>
</ContactPerson>
</EntityDescriptor>
</EntitiesDescriptor>""", )]
}])
certs = mds.certs(
"http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php",
"idpsso")
assert len(certs) == 0
def __init__(self, user, passwd, sp="", idp=None, metadata_file=None,
xmlsec_binary=None, verbose=0, ca_certs="",
disable_ssl_certificate_validation=True, key_file=None,
cert_file=None, config=None):
"""
:param user: user name
:param passwd: user password
:param sp: The SP URL
:param idp: The IdP PAOS endpoint
:param metadata_file: Where the metadata file is if used
:param xmlsec_binary: Where the xmlsec1 binary can be found (*)
:param verbose: Chatty or not
:param ca_certs: is the path of a file containing root CA certificates
for SSL server certificate validation (*)
:param disable_ssl_certificate_validation: If
disable_ssl_certificate_validation is true, SSL cert validation
will not be performed (*)
:param key_file: Private key filename (*)
:param cert_file: Certificate filename (*)
:param config: Config() instance, overrides all the parameters marked
with an asterisk (*) above
"""
if not config:
config = Config()
config.disable_ssl_certificate_validation = \
disable_ssl_certificate_validation
config.key_file = key_file
config.cert_file = cert_file
config.ca_certs = ca_certs
config.xmlsec_binary = xmlsec_binary
Entity.__init__(self, "sp", config)
self._idp = idp
self._sp = sp
self.user = user
self.passwd = passwd
self._verbose = verbose
if metadata_file:
self._metadata = MetadataStore([saml, samlp], None, config)
self._metadata.load("local", metadata_file)
logger.debug("Loaded metadata from '%s'" % metadata_file)
else:
self._metadata = None
self.metadata = self._metadata
self.cookie_handler = None
self.done_ecp = False
self.cookie_jar = cookielib.LWPCookieJar()
def load(insecure, conf, md_conf, typ):
try:
md_conf = conf["metadata"]
del conf["metadata"]
except KeyError:
pass
if typ == 'sp':
_cnf = SPConfig().load(conf)
else:
_cnf = IdPConfig().load(conf)
if insecure:
disable_validation = True
else:
disable_validation = False
mds = MetadataStore(_cnf.attribute_converters, _cnf,
disable_ssl_certificate_validation=disable_validation)
mds.imp(md_conf)
return mds
