def test_create_auth_request_vo(self): assert self.client.config.vorg.keys() == [ "urn:mace:example.com:it:tek" ] ar_str = "%s" % self.client.create_authn_request( "http://www.example.com/sso", "urn:mace:example.com:it:tek", # vo nameid_format=NAMEID_FORMAT_PERSISTENT, message_id="666")[1] ar = samlp.authn_request_from_string(ar_str) print ar assert ar.id == "666" assert ar.assertion_consumer_service_url == "http://lingon.catalogix" \ ".se:8087/" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "urn:mace:example.com:saml:roland:sp" assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "false" assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def test_create_auth_request_vo(self): assert self.client.config.virtual_organization.keys() == ["urn:mace:example.com:it:tek"] ar_str = "%s" % self.client.authn_request( "666", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name", vorg="urn:mace:example.com:it:tek", ) ar = samlp.authn_request_from_string(ar_str) print ar assert ar.id == "666" assert ar.assertion_consumer_service_url == "http://www.example.org/service" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "My Name" assert ar.issuer.text == "urn:mace:example.org:saml:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "true" assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def correctly_signed_authn_request(self, decoded_xml, must=False, origdoc=None): """ Check if a request is correctly signed, if we have metadata for the SP that sent the info use that, if not use the key that are in the message if any. :param decoded_xml: The SAML message as a XML string :param must: Whether there must be a signature :return: None if the signature can not be verified otherwise request as a samlp.Request instance """ request = samlp.authn_request_from_string(decoded_xml) if not request: raise TypeError("Not an AuthnRequest") if not request.signature: if must: raise SignatureError("Missing must signature") else: return request return self._check_signature(decoded_xml, request, class_name(request), origdoc=origdoc)
def test_sign_auth_request_0(self): #print self.client.config ar_str = "%s" % self.client.authn_request("id1", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name", sign=True) ar = samlp.authn_request_from_string(ar_str) assert ar assert ar.signature assert ar.signature.signature_value signed_info = ar.signature.signed_info #print signed_info assert len(signed_info.reference) == 1 assert signed_info.reference[0].uri == "#id1" assert signed_info.reference[0].digest_value print "------------------------------------------------" try: assert self.client.sec.correctly_signed_authn_request(ar_str, self.client.config.xmlsec_binary, self.client.config.metadata) except Exception: # missing certificate self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def testUsingTestData(self): """Test for authn_request_from_string() using test data""" new_ar = samlp.authn_request_from_string(samlp_data.TEST_AUTHN_REQUEST) assert new_ar.id == "request id" assert new_ar.version == saml2.VERSION assert new_ar.issue_instant == "2007-09-14T01:05:02Z" assert new_ar.destination == "http://www.example.com/Destination" assert new_ar.consent == saml.CONSENT_UNSPECIFIED assert isinstance(new_ar.issuer, saml.Issuer) assert isinstance(new_ar.signature, ds.Signature) assert isinstance(new_ar.extensions, samlp.Extensions) assert isinstance(new_ar.subject, saml.Subject) assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy) assert isinstance(new_ar.conditions, saml.Conditions) assert isinstance(new_ar.requested_authn_context, samlp.RequestedAuthnContext) assert isinstance(new_ar.scoping, samlp.Scoping) assert new_ar.force_authn == 'true' assert new_ar.is_passive == 'true' assert new_ar.assertion_consumer_service_index == '1' assert new_ar.assertion_consumer_service_url == \ 'http://www.example.com/acs' assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST assert new_ar.attribute_consuming_service_index == '2' assert new_ar.provider_name == "provider name"
def test_create_auth_request_vo(self): assert list(self.client.config.vorg.keys()) == [ "urn:mace:example.com:it:tek"] ar_id, areq = self.client.create_authn_request( "http://www.example.com/sso", "urn:mace:example.com:it:tek", # vo nameid_format=NAMEID_FORMAT_PERSISTENT, message_id="666") ar_str = "%s" % areq ar = samlp.authn_request_from_string(ar_str) print(ar) assert ar.id == "666" assert ar.assertion_consumer_service_url == ("http://lingon.catalogix" ".se:8087/") assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "urn:mace:example.com:saml:roland:sp" assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "false" assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def test_sign_auth_request_0(self): #print self.client.config ar_str = "%s" % self.client.authn_request( "id1", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name", sign=True) ar = samlp.authn_request_from_string(ar_str) assert ar assert ar.signature assert ar.signature.signature_value signed_info = ar.signature.signed_info #print signed_info assert len(signed_info.reference) == 1 assert signed_info.reference[0].uri == "#id1" assert signed_info.reference[0].digest_value print "------------------------------------------------" try: assert self.client.sec.correctly_signed_authn_request( ar_str, self.client.config.xmlsec_binary, self.client.config.metadata) except Exception: # missing certificate self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def test_create_auth_request_vo(self): assert self.client.config.virtual_organization.keys() == [ "urn:mace:example.com:it:tek" ] ar_str = "%s" % self.client.authn_request( "666", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name", vorg="urn:mace:example.com:it:tek") ar = samlp.authn_request_from_string(ar_str) print ar assert ar.id == "666" assert ar.assertion_consumer_service_url == "http://www.example.org/service" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "My Name" assert ar.issuer.text == "urn:mace:example.org:saml:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "true" assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def test_sign_auth_request_0(self): #print self.client.config req_id, a_req = self.client.create_authn_request( "http://www.example.com/sso", sign=True, message_id="id1") if isinstance(a_req, bytes): ar_str = a_req else: ar_str = a_req.to_string() ar = samlp.authn_request_from_string(ar_str) assert ar assert ar.signature assert ar.signature.signature_value signed_info = ar.signature.signed_info #print signed_info assert len(signed_info.reference) == 1 assert signed_info.reference[0].uri == "#id1" assert signed_info.reference[0].digest_value print("------------------------------------------------") try: assert self.client.sec.correctly_signed_authn_request( ar_str, self.client.config.xmlsec_binary, self.client.config.metadata) except Exception: # missing certificate self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def test_Saml_authenticate(self): # modifying config in this test, make copy so as not to effect # following tests. tmp_sp_config = copy.deepcopy(sp_config) # test signed authentication request with self.app.test_request_context('/', method='GET'): sp = auth.Saml(tmp_sp_config) resp = sp.authenticate(next_url='/next') self.assertEqual(resp.status_code, 302) self.assert_('SAMLRequest' in resp.headers['Location']) url = urlparse.urlparse(resp.headers['Location']) self.assertEqual(url.hostname, 'sso.example.com') self.assertEqual(url.path, '/idp/sso') params = urlparse.parse_qs(url.query) self.assert_('SAMLRequest' in params) self.assertEqual(params['RelayState'], ['/next']) authn = samlp.authn_request_from_string( decode_base64_and_inflate(params['SAMLRequest'][0])) self.assertEqual(authn.destination, 'https://sso.example.com/idp/sso') self.assertEqual(authn.assertion_consumer_service_url, 'https://foo.example.com/sp/acs') self.assertEqual(authn.protocol_binding, BINDING_HTTP_POST) self.assertIsNotNone(authn.signature) self.assertEqual(session['_saml_outstanding_queries'], {authn.id: '/next'}) # test un-signed authentication request with self.app.test_request_context('/', method='GET'): tmp_sp_config['key_file'] = None tmp_sp_config['service']['sp']['authn_requests_signed'] = None sp = auth.Saml(tmp_sp_config) resp = sp.authenticate(next_url='/next') self.assertEqual(resp.status_code, 302) self.assert_('SAMLRequest' in resp.headers['Location']) url = urlparse.urlparse(resp.headers['Location']) params = urlparse.parse_qs(url.query) authn = samlp.authn_request_from_string( decode_base64_and_inflate(params['SAMLRequest'][0])) self.assertIsNone(authn.signature)
def test_authenticate(self): print self.client.config.idps() id, response = self.client.do_authenticate( "urn:mace:example.com:saml:roland:idp", "http://www.example.com/relay_state") assert response[0] == "Location" o = urlparse(response[1]) qdict = parse_qs(o.query) assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState']) saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0]) print saml_request authnreq = samlp.authn_request_from_string(saml_request)
def test_create_auth_request_0(self): ar_str = "%s" % self.client.create_authn_request( "http://www.example.com/sso", message_id="id1") ar = samlp.authn_request_from_string(ar_str) print ar assert ar.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "urn:mace:example.com:saml:roland:sp" assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "false" assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_authenticate(self): print self.client.config.idps() (sid, response) = self.client.authenticate( "urn:mace:example.com:saml:roland:idp", "http://www.example.com/relay_state") assert sid is not None assert response[0] == "Location" o = urlparse(response[1]) qdict = parse_qs(o.query) assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState']) saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0]) print saml_request authnreq = samlp.authn_request_from_string(saml_request) assert authnreq.id == sid
def testAccessors(self): """Test for AuthnRequest accessors""" self.ar.id = "request id" self.ar.version = saml2.VERSION self.ar.issue_instant = "2007-09-14T01:05:02Z" self.ar.destination = "http://www.example.com/Destination" self.ar.consent = saml.CONSENT_UNSPECIFIED self.ar.issuer = saml.Issuer() self.ar.signature = ds.Signature() self.ar.extensions = samlp.Extensions() self.ar.subject = saml.Subject() self.ar.name_id_policy = samlp.NameIDPolicy() self.ar.conditions = saml.Conditions() self.ar.requested_authn_context = samlp.RequestedAuthnContext() self.ar.scoping = samlp.Scoping() self.ar.force_authn = 'true' self.ar.is_passive = 'true' self.ar.assertion_consumer_service_index = "1" self.ar.assertion_consumer_service_url = "http://www.example.com/acs" self.ar.protocol_binding = saml2.BINDING_HTTP_POST self.ar.attribute_consuming_service_index = "2" self.ar.provider_name = "provider name" new_ar = samlp.authn_request_from_string(self.ar.to_string()) assert new_ar.id == "request id" assert new_ar.version == saml2.VERSION assert new_ar.issue_instant == "2007-09-14T01:05:02Z" assert new_ar.destination == "http://www.example.com/Destination" assert new_ar.consent == saml.CONSENT_UNSPECIFIED assert isinstance(new_ar.issuer, saml.Issuer) assert isinstance(new_ar.signature, ds.Signature) assert isinstance(new_ar.extensions, samlp.Extensions) assert isinstance(new_ar.subject, saml.Subject) assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy) assert isinstance(new_ar.conditions, saml.Conditions) assert isinstance(new_ar.requested_authn_context, samlp.RequestedAuthnContext) assert isinstance(new_ar.scoping, samlp.Scoping) assert new_ar.force_authn == 'true' assert new_ar.is_passive == 'true' assert new_ar.assertion_consumer_service_index == '1' assert new_ar.assertion_consumer_service_url == \ 'http://www.example.com/acs' assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST assert new_ar.attribute_consuming_service_index == '2' assert new_ar.provider_name == "provider name"
def test_create_auth_request_0(self): ar_str = "%s" % self.client.authn_request( "id1", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name") ar = samlp.authn_request_from_string(ar_str) print ar assert ar.assertion_consumer_service_url == "http://www.example.org/service" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "My Name" assert ar.issuer.text == "urn:mace:example.org:saml:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "true" assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_create_auth_request_0(self): ar_str = "%s" % self.client.authn_request("id1", "http://www.example.com/sso", "http://www.example.org/service", "urn:mace:example.org:saml:sp", "My Name") ar = samlp.authn_request_from_string(ar_str) print ar assert ar.assertion_consumer_service_url == "http://www.example.org/service" assert ar.destination == "http://www.example.com/sso" assert ar.protocol_binding == BINDING_HTTP_POST assert ar.version == "2.0" assert ar.provider_name == "My Name" assert ar.issuer.text == "urn:mace:example.org:saml:sp" nid_policy = ar.name_id_policy assert nid_policy.allow_create == "true" assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_authenticate_no_args(self): id, response = self.client.do_authenticate(relay_state="http://www.example.com/relay_state") assert response[0] == "Location" o = urlparse(response[1]) qdict = parse_qs(o.query) assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState']) saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0]) assert qdict["RelayState"][0] == "http://www.example.com/relay_state" print saml_request authnreq = samlp.authn_request_from_string(saml_request) print authnreq.keyswv() assert authnreq.destination == "http://localhost:8088/sso" assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/" assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp" assert authnreq.protocol_binding == BINDING_HTTP_REDIRECT name_id_policy = authnreq.name_id_policy assert name_id_policy.allow_create == "false" assert name_id_policy.format == NAMEID_FORMAT_PERSISTENT issuer = authnreq.issuer assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def testAuthnRequestExtraction(self): from pas.plugins.suisseid.tests.utils import MockRequest, FormParser from saml2.samlp import authn_request_from_string plugin = self.createPlugin() plugin.changeConfiguration('', 'http://nohost/', '', '', '', '', '', xmlsec_binary, os.path.join(path, 'data', 'metadata.xml')) request = MockRequest() request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/' result = plugin.extractCredentials(request) # No credentials since that's only the first step self.assertEquals(result, None) response = request.response self.assertEquals(response.status, 200) self.assertEquals(response.headers['Content-type'], 'text/html') parser = FormParser() parser.parse(response.body) saml_request = parser.inputs['SAMLRequest'] decoded_xml = base64.b64decode(saml_request) request = authn_request_from_string(decoded_xml) self.assertEquals(request.destination, 'https://idp.swisssign.net/suisseid/eidp/') self.assertEquals(request.assertion_consumer_service_url, plugin.getConfiguration()['portal_url'])
def test_authenticate_no_args(self): (sid, request) = self.client.authenticate(relay_state="http://www.example.com/relay_state") assert sid is not None assert request[0] == "Location" o = urlparse(request[1]) qdict = parse_qs(o.query) assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState']) saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0]) assert qdict["RelayState"][0] == "http://www.example.com/relay_state" print saml_request authnreq = samlp.authn_request_from_string(saml_request) print authnreq.keyswv() assert authnreq.id == sid assert authnreq.destination == "http://localhost:8088/sso" assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/" assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp" assert authnreq.protocol_binding == BINDING_HTTP_POST name_id_policy = authnreq.name_id_policy assert name_id_policy.allow_create == "true" assert name_id_policy.format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" issuer = authnreq.issuer assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def test_authenticate_no_args(self): (sid, request) = self.client.authenticate( relay_state="http://www.example.com/relay_state") assert sid is not None assert request[0] == "Location" o = urlparse(request[1]) qdict = parse_qs(o.query) assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState']) saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0]) assert qdict["RelayState"][0] == "http://www.example.com/relay_state" print saml_request authnreq = samlp.authn_request_from_string(saml_request) print authnreq.keyswv() assert authnreq.id == sid assert authnreq.destination == "http://localhost:8088/sso" assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/" assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp" assert authnreq.protocol_binding == BINDING_HTTP_POST name_id_policy = authnreq.name_id_policy assert name_id_policy.allow_create == "true" assert name_id_policy.format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" issuer = authnreq.issuer assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def correctly_signed_authn_request(self, decoded_xml, must=False, origdoc=None): """ Check if a request is correctly signed, if we have metadata for the SP that sent the info use that, if not use the key that are in the message if any. :param decoded_xml: The SAML message as a XML string :param must: Whether there must be a signature :return: None if the signature can not be verified otherwise request as a samlp.Request instance """ request = samlp.authn_request_from_string(decoded_xml) if not request: raise TypeError("Not an AuthnRequest") if not request.signature: if must: raise SignatureError("Missing must signature") else: return request return self._check_signature(decoded_xml, request, class_name(request), origdoc=origdoc )
def testAuthnRequestSignedExtraction(self): from pas.plugins.suisseid.tests.utils import MockRequest, FormParser from saml2.samlp import authn_request_from_string plugin = self.createPlugin() sp_pem = os.path.join(path, 'data', 'sp.pem') sp_key = os.path.join(path, 'data', 'sp.key') plugin.changeConfiguration('suisseID Test Portal', 'http://nohost/', '', '', '', sp_key, sp_pem, xmlsec_binary, '') request = MockRequest() request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/' plugin.extractCredentials(request) parser = FormParser() parser.parse(request.response.body) saml_request = parser.inputs['SAMLRequest'] decoded_xml = base64.b64decode(saml_request) request = authn_request_from_string(decoded_xml) self.assertEquals(request.destination, 'https://idp.swisssign.net/suisseid/eidp/') # Verify signature from saml2.sigver import verify_signature verified = verify_signature(xmlsec_binary, decoded_xml, sp_pem, node_name='urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest', cert_type='pem') self.assertEquals(verified, True)
def testExtendedAuthnRequestExtraction(self): from pas.plugins.suisseid.tests.utils import MockRequest, FormParser from saml2.samlp import authn_request_from_string plugin = self.createPlugin() request = MockRequest() request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/' # Request three attributes: First Name (required), Last Name (required) and isOver18 (optional) plugin.changeConfiguration('suisseID Test Portal', 'http://nohost/', 'First Name\r\nLast Name', 'isOver18', '', '', '', xmlsec_binary, '') request = MockRequest() request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/' plugin.extractCredentials(request) parser = FormParser() parser.parse(request.response.body) saml_request = parser.inputs['SAMLRequest'] decoded_xml = base64.b64decode(saml_request) request = authn_request_from_string(decoded_xml) self.assertEquals(request.force_authn, 'true') extenions = request.extensions.extension_elements self.assertEquals(len(extenions), 3) self.assertEquals(extenions[0].attributes['Name'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname') self.assertEquals(extenions[0].attributes['{http://www.ech.ch/xmlns/eCH-0113/1}required'], 'true')
cert = read_cert_from_file(full_path("test.pem"), "pem") spcertenc = SPCertEnc(x509_data=ds.X509Data( x509_certificate=ds.X509Certificate(text=cert))) extensions = Extensions( extension_elements=[element_to_extension_element(spcertenc)]) req_id, req = client.create_authn_request( "http://www.example.com/sso", "urn:mace:example.com:it:tek", nameid_format=saml.NAMEID_FORMAT_PERSISTENT, message_id="666", extensions=extensions) print req # Get a certificate from an authn request xml = "%s" % req parsed = authn_request_from_string(xml) _elem = extension_elements_to_elements(parsed.extensions.extension_elements, [pefim, ds]) assert len(_elem) == 1 _spcertenc = _elem[0] _cert = _spcertenc.x509_data[0].x509_certificate.text assert cert == _cert
def _parse_authn_request(self, enc_request): """ enc_request is an encrypted and base64 encoded request """ xmlstr = decode_base64_and_inflate(urllib.unquote(enc_request)) return authn_request_from_string(xmlstr)
spcertenc = SPCertEnc( x509_data=ds.X509Data( x509_certificate=ds.X509Certificate(text=cert))) extensions = Extensions( extension_elements=[element_to_extension_element(spcertenc)]) req_id, req = client.create_authn_request( "http://www.example.com/sso", "urn:mace:example.com:it:tek", nameid_format=saml.NAMEID_FORMAT_PERSISTENT, message_id="666", extensions=extensions) print req # Get a certificate from an authn request xml = "%s" % req parsed = authn_request_from_string(xml) _elem = extension_elements_to_elements(parsed.extensions.extension_elements, [pefim, ds]) assert len(_elem) == 1 _spcertenc = _elem[0] _cert = _spcertenc.x509_data[0].x509_certificate.text assert cert == _cert