def test_no_not_before(self):
a = SAMLAuthenticator()
tampered_etree = etree.fromstring(
test_constants.tampered_assertion_no_not_before)
assert not a._verify_physical_constraints(tampered_etree)
assert not a._verify_saml_response_fields(self.metadata_etree,
tampered_etree)
def test_assertion_no_issuer(self):
a = SAMLAuthenticator()
tampered_etree = etree.fromstring(
test_constants.tampered_assertion_no_issuer)
assert not a._verify_saml_response_against_metadata(
self.metadata_etree, tampered_etree)
assert not a._verify_saml_response_fields(self.metadata_etree,
tampered_etree)
def test_signed_xml_no_recipient(self):
a = SAMLAuthenticator()
a.recipient = 'unimportant_recipient'
tampered_etree = etree.fromstring(
test_constants.tampered_assertion_no_recipient)
assert not a._verify_saml_response_against_configured_fields(
tampered_etree)
assert not a._verify_saml_response_fields(self.metadata_etree,
tampered_etree)
def test_signed_xml_no_audience(self):
a = SAMLAuthenticator()
a.audience = '''audience_should_exist'''
tampered_etree = etree.fromstring(
test_constants.tampered_assertion_no_audience)
assert not a._verify_saml_response_against_configured_fields(
tampered_etree)
assert not a._verify_saml_response_fields(self.metadata_etree,
tampered_etree)
def test_signed_xml_bad_recipient(self):
a = SAMLAuthenticator()
a.recipient = 'bad_recipient'
assert not a._verify_saml_response_against_configured_fields(
self.verified_signed_xml)
assert not a._verify_saml_response_fields(self.metadata_etree,
self.verified_signed_xml)
response_is_valid, signed_xml = a._test_valid_saml_response(
self.metadata_etree, self.response_etree)
assert not response_is_valid
assert etree.tostring(
self.verified_signed_xml) == etree.tostring(signed_xml)
def test_signed_xml_bad_audience(self):
a = SAMLAuthenticator()
a.audience = '''bad_audience'''
assert not a._verify_saml_response_against_configured_fields(
self.verified_signed_xml)
assert not a._verify_saml_response_fields(self.metadata_etree,
self.verified_signed_xml)
response_is_valid, signed_xml = a._test_valid_saml_response(
self.metadata_etree, self.response_etree)
assert not response_is_valid
# We will get the signed xml back, but the response is not valid, so it doesn't really matter
assert etree.tostring(
self.verified_signed_xml) == etree.tostring(signed_xml)
def test_metadata_no_entity(self):
a = SAMLAuthenticator()
no_metadata_entity_etree = etree.fromstring(
test_constants.sample_metadata_no_entity)
assert a._verify_saml_response_against_metadata(
no_metadata_entity_etree, self.verified_signed_xml) is False
assert a._verify_saml_response_fields(
no_metadata_entity_etree, self.verified_signed_xml) is False
response_is_valid, signed_xml = a._test_valid_saml_response(
no_metadata_entity_etree, self.response_etree)
assert not response_is_valid
assert etree.tostring(signed_xml) == etree.tostring(
self.verified_signed_xml)
def test_now_after_allowed(self, mock_datetime):
mock_datetime.now.return_value = datetime(2020,
4,
9,
21,
35,
0,
tzinfo=timezone.utc)
mock_datetime.strptime = datetime.strptime
a = SAMLAuthenticator()
assert not a._verify_physical_constraints(self.verified_signed_xml)
assert not a._verify_saml_response_fields(self.metadata_etree,
self.verified_signed_xml)
response_is_valid, signed_xml = a._test_valid_saml_response(
self.metadata_etree, self.response_etree)
assert not response_is_valid
assert etree.tostring(
self.verified_signed_xml) == etree.tostring(signed_xml)
def test_signed_xml_good_recipient(self, mock_datetime):
mock_datetime.now.return_value = datetime(2019,
4,
9,
21,
35,
0,
tzinfo=timezone.utc)
mock_datetime.strptime = datetime.strptime
a = SAMLAuthenticator()
a.recipient = '''{recipient}'''
assert a._verify_saml_response_against_configured_fields(
self.verified_signed_xml)
assert a._verify_saml_response_fields(self.metadata_etree,
self.verified_signed_xml)
response_is_valid, signed_xml = a._test_valid_saml_response(
self.metadata_etree, self.response_etree)
assert response_is_valid
assert etree.tostring(
self.verified_signed_xml) == etree.tostring(signed_xml)
