def test_consent_full_flow(self, internal_response, internal_request,
consent_verify_endpoint_regex, consent_registration_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
expected_ticket = "my_ticket"
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
with responses.RequestsMock() as rsps:
rsps.add(responses.GET, consent_verify_endpoint_regex, status=401)
rsps.add(responses.GET, consent_registration_endpoint_regex, status=200,
body=expected_ticket)
resp = consent_module.manage_consent(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registstration_req(rsps.calls[1].request,
consent_config.CONSENT["sign_key"])
with responses.RequestsMock() as rsps:
# Now consent has been given, consent service returns 200 OK
rsps.add(responses.GET, consent_verify_endpoint_regex, status=200,
body=json.dumps(FILTER))
context = Context()
context.state = state
context, internal_response = consent_module._handle_consent_response(context)
assert internal_response.get_attributes()["displayName"] == ["Test"]
assert internal_response.get_attributes()["co"] == ["example"]
assert "sn" not in internal_response.get_attributes() # 'sn' should be filtered
def test_with_pyoidc(self):
responses.add(responses.POST,
"https://graph.facebook.com/v2.5/oauth/access_token",
body=json.dumps({"access_token": "qwerty",
"token_type": "bearer",
"expires_in": 9999999999999}),
adding_headers={"set-cookie": "TEST=testing; path=/"},
status=200,
content_type='application/json')
responses.add(responses.GET,
"https://graph.facebook.com/v2.5/me",
match_querystring=False,
body=json.dumps(FB_RESPONSE),
status=200,
content_type='application/json')
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
context.cookie = resp.headers[0][1]
context.request = {
"code": FB_RESPONSE_CODE,
"state": STATE
}
self.fb_backend.auth_callback_func = self.verify_callback
self.fb_backend.authn_response(context)
def test_consent_not_given(self, context, consent_config,
internal_response, internal_request,
consent_verify_endpoint_regex,
consent_registration_endpoint_regex):
expected_ticket = "my_ticket"
responses.add(responses.GET, consent_verify_endpoint_regex, status=401)
responses.add(responses.GET,
consent_registration_endpoint_regex,
status=200,
body=expected_ticket)
requester_name = internal_response.requester_name
context.state[consent.STATE_KEY] = {}
resp = self.consent_module.process(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registration_req(responses.calls[1].request,
internal_response,
consent_config["sign_key"],
self.consent_module.base_url,
requester_name)
new_context = Context()
new_context.state = context.state
# Verify endpoint of consent service still gives 401 (no consent given)
context, internal_response = self.consent_module._handle_consent_response(
context)
assert not internal_response.attributes
def setup_for_authn_req(self, idp_conf, sp_conf, nameid_format):
base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
config = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
"state_id": "state_id"}
sp_metadata_str = create_metadata_from_config_dict(sp_conf)
idp_conf["metadata"]["inline"] = [sp_metadata_str]
samlfrontend = SamlFrontend(lambda context, internal_req: (context, internal_req),
INTERNAL_ATTRIBUTES, config)
samlfrontend.register_endpoints(["saml"])
idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
sp_conf["metadata"]["inline"].append(idp_metadata_str)
fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
context = Context()
context.state = State()
context.request = parse.parse_qs(
urlparse(fakesp.make_auth_req(samlfrontend.config["entityid"], nameid_format)).query)
tmp_dict = {}
for val in context.request:
if isinstance(context.request[val], list):
tmp_dict[val] = context.request[val][0]
else:
tmp_dict[val] = context.request[val]
context.request = tmp_dict
return context, samlfrontend
def test_consent_not_given(self, internal_response, internal_request,
consent_verify_endpoint_regex, consent_registration_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
expected_ticket = "my_ticket"
responses.add(responses.GET, consent_verify_endpoint_regex, status=401)
responses.add(responses.GET, consent_registration_endpoint_regex, status=200,
body=expected_ticket)
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
resp = consent_module.manage_consent(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registstration_req(responses.calls[1].request,
consent_config.CONSENT["sign_key"])
context = Context()
context.state = state
# Verify endpoint of consent service still gives 401 (no consent given)
context, internal_response = consent_module._handle_consent_response(context)
assert not internal_response.get_attributes()
def test_start_auth_name_id_policy(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(
None, INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"
})
test_state_key = "sauyghj34589fdh"
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
sp_disco_resp = \
sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \
"Not a valid return url in the call to the discovery server"
assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \
"Not a valid entity id in the call to the discovery server"
request_info_tmp = context.state
assert request_info_tmp.get(
test_state_key) == "my_state", "Wrong state!"
def test_start_auth_name_id_policy(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"})
test_state_key = "sauyghj34589fdh"
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
sp_disco_resp = \
sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \
"Not a valid return url in the call to the discovery server"
assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \
"Not a valid entity id in the call to the discovery server"
request_info_tmp = context.state
assert request_info_tmp.get(test_state_key) == "my_state", "Wrong state!"
def test_start_auth_no_request_info(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
disco_srv = "https://my.dicso.com/role/idp.ds"
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf,
"disco_srv": disco_srv,
"state_id": "saml_backend_test_id"})
internal_data = InternalRequest(None, None)
state = State()
context = Context()
context.state = state
resp = samlbackend.start_auth(context, internal_data)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
assert resp.message.startswith("https://my.dicso.com/role/idp.ds"), \
"Redirect to wrong URL."
# create_name_id_policy_transient()
state = State()
context = Context()
context.state = state
user_id_hash_type = UserIdHashType.transient
internal_data = InternalRequest(user_id_hash_type, None)
resp = samlbackend.start_auth(context, internal_data)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
def run_server(self, environ, start_response, debug=False):
path = environ.get('PATH_INFO', '').lstrip('/')
if ".." in path:
resp = Unauthorized()
return resp(environ, start_response)
context = Context()
context.path = path
# copy wsgi.input stream to allow it to be re-read later by satosa plugins
# see: http://stackoverflow.com/questions/1783383/how-do-i-copy-wsgi-input-if-i-want-to-process-post-data-more-than-once
content_length = int(environ.get('CONTENT_LENGTH', '0') or '0')
body = io.BytesIO(environ['wsgi.input'].read(content_length))
environ['wsgi.input'] = body
context.request = unpack_either(environ)
environ['wsgi.input'].seek(0)
context.wsgi_environ = environ
context.cookie = environ.get("HTTP_COOKIE", "")
try:
resp = self.run(context)
if isinstance(resp, Exception):
raise resp
return resp(environ, start_response)
except SATOSANoBoundEndpointError:
resp = NotFound("Couldn't find the side you asked for!")
return resp(environ, start_response)
except Exception as err:
logger.exception("%s" % err)
if debug:
raise
resp = ServiceError("%s" % err)
return resp(environ, start_response)
def test_attributes_general(self, ldap_attribute_store):
ldap_to_internal_map = (self.ldap_attribute_store_config['default']
['ldap_to_internal_map'])
for dn, attributes in self.ldap_person_records:
# Mock up the internal response the LDAP attribute store is
# expecting to receive.
response = InternalData(auth_info=AuthenticationInformation())
# The LDAP attribute store configuration and the mock records
# expect to use a LDAP search filter for the uid attribute.
uid = attributes['uid']
response.attributes = {'uid': uid}
context = Context()
context.state = dict()
ldap_attribute_store.process(context, response)
# Verify that the LDAP attribute store has retrieved the mock
# records from the mock LDAP server and has added the appropriate
# internal attributes.
for ldap_attr, ldap_value in attributes.items():
if ldap_attr in ldap_to_internal_map:
internal_attr = ldap_to_internal_map[ldap_attr]
response_attr = response.attributes[internal_attr]
assert(ldap_value in response_attr)
def test_endpoint_routing_to_frontend(self, url_path, expected_frontend,
expected_backend):
context = Context()
context.path = url_path
self.router.endpoint_routing(context)
assert context.target_frontend == expected_frontend
assert context.target_backend == expected_backend
def test_backend(path, provider, endpoint):
context = Context()
context.path = path
spec = router.endpoint_routing(context)
assert spec[0] == provider
assert spec[1] == endpoint
assert context.target_backend == provider
assert context.target_frontend is None
def test_redirect_to_login_at_auth_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
auth_response = self.openid_backend.start_auth(context, None)
assert auth_response._status == Redirect._status
def test_redirect_to_login_at_auth_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
auth_response = self.openid_backend.start_auth(context, None)
assert auth_response._status == Redirect._status
def test_endpoint_routing_to_microservice(self, url_path, expected_micro_service):
context = Context()
context.path = url_path
microservice_callable = self.router.endpoint_routing(context)
assert context.target_micro_service == expected_micro_service
assert microservice_callable == self.router.micro_services[expected_micro_service]["instance"].callback
assert context.target_backend is None
assert context.target_frontend is None
def test_backend(path, provider, endpoint):
context = Context()
context.path = path
spec = router.endpoint_routing(context)
assert spec[0] == provider
assert spec[1] == endpoint
assert context.target_backend == provider
assert context.target_frontend is None
def test_set_state_in_start_auth_and_use_in_redirect_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
self.openid_backend.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
self.openid_backend.redirect_endpoint(context)
def test_set_state_in_start_auth_and_use_in_redirect_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
self.openid_backend.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
self.openid_backend.redirect_endpoint(context)
def test_endpoint_routing_to_microservice(self, url_path,
expected_micro_service):
context = Context()
context.path = url_path
microservice_callable = self.router.endpoint_routing(context)
assert context.target_micro_service == expected_micro_service
assert microservice_callable == self.router.micro_services[
expected_micro_service]["instance"].callback
assert context.target_backend is None
assert context.target_frontend is None
def test_test_restore_state_with_separate_backends(self):
openid_backend_1 = OpenIdBackend(MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config)
openid_backend_2 = OpenIdBackend(MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config)
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
openid_backend_1.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
openid_backend_2.redirect_endpoint(context)
def test_path():
context = Context()
with pytest.raises(ValueError):
context.path = None
with pytest.raises(ValueError):
context.path = "/babal"
valid_path = "Saml2/sso/redirect"
context.path = valid_path
assert context.path == valid_path
def test_path():
context = Context()
with pytest.raises(ValueError):
context.path = None
with pytest.raises(ValueError):
context.path = "/babal"
valid_path = "Saml2/sso/redirect"
context.path = valid_path
assert context.path == valid_path
def test_routing(path, provider, receiver, _):
context = Context()
context.path = path
context.state = state
router.endpoint_routing(context)
backend = router.backend_routing(context)
assert backend == backends[provider]
frontend = router.frontend_routing(context)
assert frontend == frontends[receiver]
assert context.target_frontend == receiver
def setup_authentication_response(self, state=None):
context = Context()
context.path = 'openid/authz_cb'
op_base = TestConfiguration.get_instance().rp_config.OP_URL
if not state:
state = rndstr()
context.request = {
'code': 'F+R4uWbN46U+Bq9moQPC4lEvRd2De4o=',
'scope': 'openid profile email address phone',
'state': state}
context.state = self.generate_state(op_base)
return context
def test_routing(path, provider, receiver, _):
context = Context()
context.path = path
context.state = state
router.endpoint_routing(context)
backend = router.backend_routing(context)
assert backend == backends[provider]
frontend = router.frontend_routing(context)
assert frontend == frontends[receiver]
assert context.target_frontend == receiver
def test_register_client_with_wrong_response_type(self):
redirect_uri = "https://client.example.com"
registration_request = RegistrationRequest(redirect_uris=[redirect_uri],
response_types=["code"])
context = Context()
context.request = registration_request.to_dict()
registration_response = self.instance._register_client(context)
assert registration_response.status == "400 Bad Request"
error_response = ClientRegistrationErrorResponse().deserialize(
registration_response.message, "json")
assert error_response["error"] == "invalid_request"
assert "response_type" in error_response["error_description"]
def _handle_disco_response(self, context:Context):
target_issuer = context.request.get('entityID')
if not target_issuer:
raise DiscoToTargetIssuerError('no valid entity_id in the disco response')
target_frontend = context.state.get(self.name, {}).get('target_frontend')
data_serialized = context.state.get(self.name, {}).get('internal_data', {})
data = InternalData.from_dict(data_serialized)
context.target_frontend = target_frontend
context.decorate(Context.KEY_TARGET_ENTITYID, target_issuer)
return super().process(context, data)
def setup_authentication_response(self, state=None):
context = Context()
context.path = 'openid/authz_cb'
op_base = TestConfiguration.get_instance().rp_config.OP_URL
if not state:
state = rndstr()
context.request = {
'code': 'F+R4uWbN46U+Bq9moQPC4lEvRd2De4o=',
'scope': 'openid profile email address phone',
'state': state
}
context.state = self.generate_state(op_base)
return context
def test_generate_static(self):
synthetic_attributes = {"": {"default": {"a0": "value1;value2"}}}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["*****@*****.**"],
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("value1" in resp.attributes['a0'])
assert ("value2" in resp.attributes['a0'])
assert ("*****@*****.**" in resp.attributes['a1'])
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf):
expected_loa = "LoA1"
loa = {
"": "http://eidas.europa.eu/LoA/low",
idp_conf["entityid"]: expected_loa
}
base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
conf = {
"idp_config": idp_conf,
"endpoints": ENDPOINTS,
"base": base,
"state_id": "state_id",
"acr_mapping": loa
}
samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
samlfrontend.register_endpoints(["foo"])
idp_metadata_str = create_metadata_from_config_dict(
samlfrontend.config)
sp_conf["metadata"]["inline"].append(idp_metadata_str)
fakesp = FakeSP(None,
config=SPConfig().load(sp_conf,
metadata_construction=False))
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z",
idp_conf["entityid"])
internal_response = InternalResponse(auth_info=auth_info)
context = Context()
context.state = State()
resp_args = {
"name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
"in_response_to": None,
"destination": "",
"sp_entity_id": None,
"binding": BINDING_HTTP_REDIRECT
}
request_state = samlfrontend.save_state(context, resp_args, "")
context.state.add(conf["state_id"], request_state)
resp = samlfrontend.handle_authn_response(context, internal_response)
resp_dict = parse_qs(urlparse(resp.message).query)
resp = fakesp.parse_authn_request_response(
resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT)
assert len(resp.assertion.authn_statement) == 1
authn_context_class_ref = resp.assertion.authn_statement[
0].authn_context.authn_context_class_ref
assert authn_context_class_ref.text == expected_loa
def _handle_satosa_authentication_error(self, error):
"""
Sends a response to the requestor about the error
:type error: satosa.exception.SATOSAAuthenticationError
:rtype: satosa.response.Response
:param error: The exception
:return: response
"""
context = Context()
context.state = error.state
frontend = self.module_router.frontend_routing(context)
return frontend.handle_backend_error(error)
def _handle_satosa_authentication_error(self, error):
"""
Sends a response to the requestor about the error
:type error: satosa.exception.SATOSAAuthenticationError
:rtype: satosa.response.Response
:param error: The exception
:return: response
"""
context = Context()
context.state = error.state
frontend = self.module_router.frontend_routing(context)
return frontend.handle_backend_error(error)
def test_authz_deny_fail(self):
attribute_deny = {"": {"default": {"a0": ['foo1', 'foo2']}}}
attribute_allow = {}
authz_service = self.create_authz_service(attribute_allow,
attribute_deny)
resp = InternalResponse(AuthenticationInformation(None, None, None))
resp.attributes = {
"a0": ["foo3"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_authz_allow_second(self):
attribute_allow = {"": {"default": {"a0": ['foo1', 'foo2']}}}
attribute_deny = {}
authz_service = self.create_authz_service(attribute_allow,
attribute_deny)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a0": ["foo2", "kaka"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_test_restore_state_with_separate_backends(self):
openid_backend_1 = OpenIdBackend(
MagicMock, INTERNAL_ATTRIBUTES,
TestConfiguration.get_instance().config)
openid_backend_2 = OpenIdBackend(
MagicMock, INTERNAL_ATTRIBUTES,
TestConfiguration.get_instance().config)
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
openid_backend_1.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
openid_backend_2.redirect_endpoint(context)
def test_generate_static(self):
synthetic_attributes = {
"": { "default": {"a0": "value1;value2" }}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["*****@*****.**"],
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert("value1" in resp.attributes['a0'])
assert("value2" in resp.attributes['a0'])
assert("*****@*****.**" in resp.attributes['a1'])
def test_consent_prev_given(self, internal_response, internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
responses.add(responses.GET, consent_verify_endpoint_regex, status=200,
body=json.dumps(FILTER))
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
context, internal_response = consent_module.manage_consent(context, internal_response)
assert context
assert "displayName" in internal_response.get_attributes()
def setup_for_authn_response(self, auth_req):
context = Context()
context.state = self.create_state(auth_req)
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.add_attributes(
DataConverter(INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"]))
internal_response.set_user_id(USERS["testuser1"]["eduPersonTargetedID"][0])
self.instance.provider.cdb = {
"client1": {"response_types": ["id_token"],
"redirect_uris": [(auth_req["redirect_uri"], None)],
"client_salt": "salt"}}
return context, internal_response
def setup(self, signing_key_path):
self.account_linking_config = {
"enable": True,
"rest_uri": "https://localhost:8167",
"redirect": "https://localhost:8167/approve",
"endpoint": "handle_account_linking",
"sign_key": signing_key_path,
"verify_ssl": False
}
self.satosa_config = {
"BASE": "https://proxy.example.com",
"USER_ID_HASH_SALT": "qwerty",
"COOKIE_STATE_NAME": "SATOSA_SATE",
"STATE_ENCRYPTION_KEY": "ASDasd123",
"PLUGIN_PATH": "",
"BACKEND_MODULES": "",
"FRONTEND_MODULES": "",
"INTERNAL_ATTRIBUTES": {},
"ACCOUNT_LINKING": self.account_linking_config
}
self.callback_func = MagicMock()
self.context = Context()
state = State()
self.context.state = state
auth_info = AuthenticationInformation("auth_class_ref", "timestamp",
"issuer")
self.internal_response = InternalResponse(auth_info=auth_info)
def test_authz_deny_fail(self):
attribute_deny = {
"": { "default": {"a0": ['foo1','foo2']} }
}
attribute_allow = {}
authz_service = self.create_authz_service(attribute_allow, attribute_deny)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a0": ["foo3"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_register_client(self):
redirect_uri = "https://client.example.com"
registration_request = RegistrationRequest(redirect_uris=[redirect_uri],
response_types=["id_token"])
context = Context()
context.request = registration_request.to_dict()
registration_response = self.instance._register_client(context)
assert registration_response.status == "201 Created"
reg_resp = RegistrationResponse().deserialize(registration_response.message, "json")
assert "client_id" in reg_resp
assert reg_resp["client_id"] in self.instance.provider.cdb
# no need to issue client secret since to token endpoint is published
assert "client_secret" not in reg_resp
assert reg_resp["redirect_uris"] == [redirect_uri]
assert reg_resp["response_types"] == ["id_token"]
assert reg_resp["id_token_signed_response_alg"] == "RS256"
def test_generate_mustache2(self):
synthetic_attributes = {
"": { "default": {"a0": "{{kaka.first}}#{{eppn.scope}}" }}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"kaka": ["kaka1","kaka2"],
"eppn": ["*****@*****.**","*****@*****.**"]
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert("kaka1#example.com" in resp.attributes['a0'])
assert("kaka1" in resp.attributes['kaka'])
assert("*****@*****.**" in resp.attributes['eppn'])
assert("*****@*****.**" in resp.attributes['eppn'])
def test_consent_handles_connection_error(self, internal_response, internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
state = State()
context = Context()
context.state = state
consent_module.save_state(internal_request, state)
with responses.RequestsMock(assert_all_requests_are_fired=True) as rsps:
rsps.add(responses.GET,
consent_verify_endpoint_regex,
body=requests.ConnectionError("No connection"))
context, internal_response = consent_module.manage_consent(context, internal_response)
assert context
assert not internal_response.get_attributes()
def test_consent_prev_given(self, internal_response, internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
responses.add(responses.GET,
consent_verify_endpoint_regex,
status=200,
body=json.dumps(FILTER))
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
context, internal_response = consent_module.manage_consent(
context, internal_response)
assert context
assert "displayName" in internal_response.get_attributes()
def test_start_auth(self):
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
# assert resp.headers[0][0] == "Set-Cookie", "Not the correct return cookie"
# assert len(resp.headers[0][1]) > 1, "Not the correct return cookie"
resp_url = resp.message.split("?")
test_url = FB_REDIRECT_URL.split("?")
resp_attr = parse_qs(resp_url[1])
test_attr = parse_qs(test_url[1])
assert resp_url[0] == test_url[0]
assert len(resp_attr) == len(test_attr), "Redirect url is not correct!"
for key in test_attr:
assert key in resp_attr, "Redirect url is not correct!"
assert test_attr[key] == resp_attr[key], "Redirect url is not correct!"
def test_attribute_policy(self):
requester = "requester"
attribute_policies = {
"attribute_policy": {
"requester_everything_allowed": {},
"requester_nothing_allowed": {
"allowed": {}
},
"requester_subset_allowed": {
"allowed": {
"attr1",
"attr2",
},
},
},
}
attributes = {
"attr1": ["foo"],
"attr2": ["foo", "bar"],
"attr3": ["foo"]
}
results = {
"requester_everything_allowed": attributes.keys(),
"requester_nothing_allowed": set(),
"requester_subset_allowed": {"attr1", "attr2"},
}
for requester, result in results.items():
attribute_policy_service = self.create_attribute_policy_service(
attribute_policies)
ctx = Context()
ctx.state = dict()
resp = InternalData(auth_info=AuthenticationInformation())
resp.requester = requester
resp.attributes = {
"attr1": ["foo"],
"attr2": ["foo", "bar"],
"attr3": ["foo"]
}
filtered = attribute_policy_service.process(ctx, resp)
assert (filtered.attributes.keys() == result)
def test_redirect_to_idp_if_only_one_idp_in_metadata(self, sp_conf, idp_conf):
sp_conf["metadata"]["inline"] = [create_metadata_from_config_dict(idp_conf)]
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES,
{"config": sp_conf, "state_id": "saml_backend_test_id"})
state = State()
state.add("test", "state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other"
parsed = urlparse(resp.message)
assert "{parsed.scheme}://{parsed.netloc}{parsed.path}".format(
parsed=parsed) == \
idp_conf["service"]["idp"]["endpoints"]["single_sign_on_service"][0][0]
assert "SAMLRequest" in parse_qs(parsed.query)
def test_consent_handles_connection_error(self, internal_response,
internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
state = State()
context = Context()
context.state = state
consent_module.save_state(internal_request, state)
with responses.RequestsMock(
assert_all_requests_are_fired=True) as rsps:
rsps.add(responses.GET,
consent_verify_endpoint_regex,
body=requests.ConnectionError("No connection"))
context, internal_response = consent_module.manage_consent(
context, internal_response)
assert context
assert not internal_response.get_attributes()
def test_generate_mustache_empty_attribute(self):
synthetic_attributes = {
"": {
"default": {
"a0": "{{kaka.first}}#{{eppn.scope}}"
}
}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"kaka": ["kaka1", "kaka2"],
"eppn": None,
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("kaka1#" in resp.attributes['a0'])
assert ("kaka1" in resp.attributes['kaka'])
assert ("kaka2" in resp.attributes['kaka'])
def setUp(self):
context = Context()
context.state = State()
config = {
'disco_endpoints': [
'.*/disco',
],
}
plugin = DiscoToTargetIssuer(
config=config,
name='test_disco_to_target_issuer',
base_url='https://satosa.example.org',
)
plugin.next = lambda ctx, data: (ctx, data)
self.config = config
self.context = context
self.plugin = plugin
def test_start_auth_disco(self, sp_conf, idp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(lambda context, internal_resp: (context, internal_resp),
INTERNAL_ATTRIBUTES, {"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"})
test_state_key = "test_state_key_456afgrh"
response_binding = BINDING_HTTP_REDIRECT
fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml")
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
info = parse_qs(urlparse(disco_resp["return"][0]).query)
info[samlbackend.idp_disco_query_param] = idp_conf["entityid"]
context = Context()
context.request = info
context.state = state
resp = samlbackend.disco_response(context)
assert resp.status == "303 See Other"
req_params = dict(parse_qsl(urlparse(resp.message).query))
url, fake_idp_resp = fakeidp.handle_auth_req(
req_params["SAMLRequest"],
req_params["RelayState"],
BINDING_HTTP_REDIRECT,
"testuser1",
response_binding=response_binding)
context = Context()
context.request = fake_idp_resp
context.state = state
context, internal_resp = samlbackend.authn_response(context, response_binding)
assert isinstance(context, Context), "Not correct instance!"
assert context.state.get(test_state_key) == "my_state", "Not correct state!"
assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!"
_dict = internal_resp.get_attributes()
expected_data = {'surname': ['Testsson 1'], 'mail': ['*****@*****.**'],
'displayname': ['Test Testsson'], 'givenname': ['Test 1'],
'edupersontargetedid': ['one!for!all']}
for key in _dict:
assert expected_data[key] == _dict[key]
def test_micro_service():
"""
Test the micro service flow
"""
data_list = ["1", "2", "3"]
service_list = []
for d in data_list:
service = MicroService()
service.process = create_process_func(d)
service_list.append(service)
service_queue = build_micro_service_queue(service_list)
test_data = "test_data"
context = Context()
context.state = State()
data = service_queue.process_service_queue(context, test_data)
for d in data_list:
test_data = "{}{}".format(test_data, d)
assert data == test_data
def test_authn_response(self):
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
context.cookie = resp.headers[0][1]
context.request = {
"code": FB_RESPONSE_CODE,
"state": STATE
}
# context.request = json.dumps(context.request)
self.fb_backend.auth_callback_func = self.verify_callback
tmp_consumer = self.fb_backend.get_consumer()
tmp_consumer.do_access_token_request = self.verify_do_access_token_request
self.fb_backend.get_consumer = Mock()
self.fb_backend.get_consumer.return_value = tmp_consumer
self.fb_backend.request_fb = self.verify_request_fb
self.fb_backend.authn_response(context)
def test_micro_service():
"""
Test the micro service flow
"""
data_list = ["1", "2", "3"]
service_list = []
for d in data_list:
service = MicroService()
service.process = create_process_func(d)
service_list.append(service)
service_queue = build_micro_service_queue(service_list)
test_data = "test_data"
context = Context()
context.state = State()
data = service_queue.process_service_queue(context, test_data)
for d in data_list:
test_data = "{}{}".format(test_data, d)
assert data == test_data
def test_generate_mustache1(self):
synthetic_attributes = {
"": {
"default": {
"a0": "{{kaka}}#{{eppn.scope}}"
}
}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"kaka": ["kaka1"],
"eppn": ["*****@*****.**", "*****@*****.**"]
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("kaka1#example.com" in resp.attributes['a0'])
assert ("kaka1" in resp.attributes['kaka'])
assert ("*****@*****.**" in resp.attributes['eppn'])
assert ("*****@*****.**" in resp.attributes['eppn'])
def setUp(self):
context = Context()
context.state = State()
config = {
'default_backend': 'default_backend',
'target_mapping': {
'mapped_idp.example.org': 'mapped_backend',
},
}
plugin = DecideBackendByTargetIssuer(
config=config,
name='test_decide_service',
base_url='https://satosa.example.org',
)
plugin.next = lambda ctx, data: (ctx, data)
self.config = config
self.context = context
self.plugin = plugin
def test_start_auth(self):
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient,
'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
# assert resp.headers[0][0] == "Set-Cookie", "Not the correct return cookie"
# assert len(resp.headers[0][1]) > 1, "Not the correct return cookie"
resp_url = resp.message.split("?")
test_url = FB_REDIRECT_URL.split("?")
resp_attr = parse_qs(resp_url[1])
test_attr = parse_qs(test_url[1])
assert resp_url[0] == test_url[0]
assert len(resp_attr) == len(test_attr), "Redirect url is not correct!"
for key in test_attr:
assert key in resp_attr, "Redirect url is not correct!"
assert test_attr[key] == resp_attr[
key], "Redirect url is not correct!"
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf):
expected_loa = "LoA1"
loa = {"": "http://eidas.europa.eu/LoA/low", idp_conf["entityid"]: expected_loa}
base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
"state_id": "state_id", "acr_mapping": loa}
samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
samlfrontend.register_endpoints(["foo"])
idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
sp_conf["metadata"]["inline"].append(idp_metadata_str)
fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"])
internal_response = InternalResponse(auth_info=auth_info)
context = Context()
context.state = State()
resp_args = {
"name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
"in_response_to": None,
"destination": "",
"sp_entity_id": None,
"binding": BINDING_HTTP_REDIRECT
}
request_state = samlfrontend.save_state(context, resp_args, "")
context.state.add(conf["state_id"], request_state)
resp = samlfrontend.handle_authn_response(context, internal_response)
resp_dict = parse_qs(urlparse(resp.message).query)
resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0],
BINDING_HTTP_REDIRECT)
assert len(resp.assertion.authn_statement) == 1
authn_context_class_ref = resp.assertion.authn_statement[
0].authn_context.authn_context_class_ref
assert authn_context_class_ref.text == expected_loa
def test_with_pyoidc(self):
responses.add(responses.POST,
"https://graph.facebook.com/v2.5/oauth/access_token",
body=json.dumps({
"access_token": "qwerty",
"token_type": "bearer",
"expires_in": 9999999999999
}),
adding_headers={"set-cookie": "TEST=testing; path=/"},
status=200,
content_type='application/json')
responses.add(responses.GET,
"https://graph.facebook.com/v2.5/me",
match_querystring=False,
body=json.dumps(FB_RESPONSE),
status=200,
content_type='application/json')
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient,
'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
context.cookie = resp.headers[0][1]
context.request = {"code": FB_RESPONSE_CODE, "state": STATE}
self.fb_backend.auth_callback_func = self.verify_callback
self.fb_backend.authn_response(context)
def test_consent_not_given(self, internal_response, internal_request,
consent_verify_endpoint_regex,
consent_registration_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
expected_ticket = "my_ticket"
responses.add(responses.GET, consent_verify_endpoint_regex, status=401)
responses.add(responses.GET,
consent_registration_endpoint_regex,
status=200,
body=expected_ticket)
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
resp = consent_module.manage_consent(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registstration_req(responses.calls[1].request,
consent_config.CONSENT["sign_key"])
context = Context()
context.state = state
# Verify endpoint of consent service still gives 401 (no consent given)
context, internal_response = consent_module._handle_consent_response(
context)
assert not internal_response.get_attributes()
