def test_get_user_id(self):
    """Without a service-specific override, the SP receives the account email as user id."""
    subject = UserFactory(email="*****@*****.**")
    SamlApplicationFactory(entity_id="an_entity_id")
    model_processor = ModelProcessor(entity_id="an_entity_id")
    # No ServiceEmailAddress exists for this user/app pair, so the
    # identifier handed out is the primary email itself.
    resolved_id = model_processor.get_user_id(subject, None, None, None)
    assert resolved_id == subject.email
def test_user_has_perms(self, client):
    """An SP-initiated login for a user whose access profile grants the SP renders the ACS auto-post form."""
    sp_app = SamlApplicationFactory(
        entity_id="http://testsp/saml2/metadata/",
        _processor="sso.samlidp.processors.ModelProcessor",
    )
    profile = AccessProfileFactory(saml_apps_list=[sp_app])
    client.force_login(UserFactory(add_access_profiles=[profile]))
    # Seed the session with the pending AuthnRequest state that the
    # login-process view presumably reads back.
    idp_session = client.session
    idp_session.update(
        {
            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "SAMLRequest": saml_request(),
            "RelayState": "",
        }
    )
    idp_session.save()
    response = client.get(reverse("djangosaml2idp:saml_login_process"))
    assert response.status_code == 200
    # The response is the browser auto-submit form targeting the SP's ACS endpoint.
    assert b'<form method="post" action="https://testing.com/saml2/acs/">' in response.content
def test_has_access_user_not_in_profile(self, rf):
    """An active user with no access profile covering this SP is denied."""
    SamlApplicationFactory(entity_id="an_entity_id")
    request = rf.get("/whatever/")
    request.user = UserFactory()  # no add_access_profiles -> not entitled
    model_processor = ModelProcessor("an_entity_id")
    denied = not model_processor.has_access(request)
    assert denied
def test_user_has_access_is_disabled(self, rf):
    """A deactivated account is denied regardless of anything else."""
    SamlApplicationFactory(entity_id="an_entity_id")
    request = rf.get("/whatever/")
    request.user = UserFactory(is_active=False)
    model_processor = ModelProcessor("an_entity_id")
    denied = not model_processor.has_access(request)
    assert denied
def test_get_service_email(self):
    """A per-application service email is returned only for the user who registered one."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id")
    model_processor = ModelProcessor(entity_id="an_entity_id")
    with_override = UserFactory(email="*****@*****.**", email_list=["*****@*****.**"])
    without_override = UserFactory(email="*****@*****.**")
    ServiceEmailAddressFactory(
        user=with_override,
        saml_application=sp_app,
        email=with_override.emails.get(email="*****@*****.**"),
    )
    assert model_processor.get_service_email(with_override) == "*****@*****.**"
    # No ServiceEmailAddress for this user/app pair -> falsy result.
    assert not model_processor.get_service_email(without_override)
def test_is_valid_ip_with_ip_restriction_disabled(self, rf):
    """With no allowed_ips passed to the app factory, the access profile alone grants access."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id")
    profile = AccessProfileFactory(saml_apps_list=[sp_app])
    # RequestFactory sets no X-Forwarded-For, so nothing IP-related can
    # contribute here; the decision must rest on the profile.
    request = rf.get("/whatever/")
    request.user = UserFactory(add_access_profiles=[profile])
    model_processor = ModelProcessor("an_entity_id")
    assert model_processor.has_access(request)
def test_has_access_by_email_domain(self, rf, email, allowed_emails, expected):
    """Access granted purely by email suffix matches the parametrized expectation.

    The parametrize decorator supplying email/allowed_emails/expected is
    outside this view.
    """
    SamlApplicationFactory(
        entity_id="an_entity_id",
        allow_access_by_email_suffix=allowed_emails,
    )
    request = rf.get("/whatever/")
    # No access profile on the user: the suffix rule is the only path in.
    request.user = UserFactory(email=email)
    model_processor = ModelProcessor("an_entity_id")
    granted = model_processor.has_access(request)
    assert granted == expected
def test_has_access_ip_restriction_no_x_forwarded_header(self, rf):
    """With an IP allow-list configured, a request lacking X-Forwarded-For is denied even for an entitled user."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id", allowed_ips="1.1.1.1")
    profile = AccessProfileFactory(saml_apps_list=[sp_app])
    request = rf.get("/whatever/")  # RequestFactory adds no X-Forwarded-For
    request.user = UserFactory(add_access_profiles=[profile])
    model_processor = ModelProcessor("an_entity_id")
    # Fail closed: an undeterminable client address must not satisfy the allow-list.
    assert not model_processor.has_access(request)
def test_user_id_field_uses_email_if_contact_email_is_empty(self):
    """When USER_ID_FIELD names an empty attribute, get_user_id falls back to the primary email."""
    subject = UserFactory(email="*****@*****.**", contact_email="")
    SamlApplicationFactory(entity_id="an_entity_id")
    model_processor = ModelProcessor(entity_id="an_entity_id")
    # Override on the instance only so the class default is untouched
    # for other tests.
    model_processor.USER_ID_FIELD = "contact_email"
    assert not subject.contact_email
    resolved_id = model_processor.get_user_id(subject, None, None, None)
    assert resolved_id == subject.email
def test_has_access_ip_restriction_ip_not_whitelisted(self, rf):
    """A forwarded address chain containing none of the allowed IPs is denied."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id", allowed_ips="8.8.8.8")
    profile = AccessProfileFactory(saml_apps_list=[sp_app])
    forwarded = rf.get("/whatever/", HTTP_X_FORWARDED_FOR="1.1.1.1, 2.2.2.2, 3.3.3.3")
    forwarded.user = UserFactory(add_access_profiles=[profile])
    model_processor = ModelProcessor("an_entity_id")
    # NOTE(review): which position in the X-Forwarded-For chain the processor
    # trusts is decided in ModelProcessor, not visible here. None of the three
    # addresses is allowed, so this case does not pin that choice down.
    assert not model_processor.has_access(forwarded)
def test_alias_entry(self, client, settings):
    """IdP-initiated login via an alias entity id posts to the real SP's ACS and preserves RelayState.

    A second alias for the same real SP is present as well, so the lookup
    has more than one candidate to pick from.
    """
    real_sp = "http://testsp/saml2/metadata/"
    aliased_app = SamlApplicationFactory(
        entity_id="an-alias", real_entity_id=real_sp, active=True
    )
    SamlApplicationFactory(entity_id="another-alias", real_entity_id=real_sp, active=True)
    profile = AccessProfileFactory(saml_apps_list=[aliased_app])
    login_email = "*****@*****.**"
    login_password = "******"
    user = UserFactory(
        email=login_email,
        password=login_password,
        add_access_profiles=[profile],
    )
    # Presumably the factory leaves the raw value in .password; hash it so
    # client.login() can verify the credentials.
    user.set_password(user.password)
    user.save()
    assert client.login(request=HttpRequest(), email=login_email, password=login_password)
    query = "?sp=an-alias&RelayState=https://testing.com"
    response = client.get(reverse("samlidp:saml_idp_init_legacy") + query)
    assert b'<form method="post" action="https://testing.com/saml2/acs/">' in response.content
    relay_state_field = b'<input type="hidden" name="RelayState" value="https://testing.com" />'
    assert relay_state_field in response.content
def test_create_identity_role_is_provided(self, settings):
    """AWSProcessor copies extra_config['role'] into the AWS Role SAML attribute."""
    subject = UserFactory()
    SamlApplicationFactory(entity_id="an_entity_id", extra_config={"role": "test_role"})
    aws_processor = AWSProcessor(entity_id="an_entity_id")
    identity = aws_processor.create_identity(subject, {})
    role_attribute = identity["https://aws.amazon.com/SAML/Attributes/Role"]
    assert role_attribute == "test_role"
def test_groups_are_supplied(self):
    """Only the user's permissions that belong to the requested app end up in the 'groups' attribute.

    Permissions for other apps, permissions with no app, and another user's
    permissions on the same app must all be excluded.
    """
    target_app = SamlApplicationFactory(entity_id="an_entity_id")
    other_app = SamlApplicationFactory(entity_id="an_second_entity_id")
    perm_target_a = ApplicationPermissionFactory(saml2_application=target_app)
    perm_target_b = ApplicationPermissionFactory(saml2_application=target_app)
    perm_no_app_a = ApplicationPermissionFactory()
    perm_other_a = ApplicationPermissionFactory(saml2_application=other_app)
    ApplicationPermissionFactory(saml2_application=target_app)  # held by nobody
    ApplicationPermissionFactory()  # held by nobody
    perm_other_b = ApplicationPermissionFactory(saml2_application=other_app)
    perm_target_c = ApplicationPermissionFactory(saml2_application=target_app)
    app_processor = ApplicationPermissionProcessor(entity_id="an_entity_id")
    subject = UserFactory(
        email="*****@*****.**",
        application_permission_list=[perm_target_a, perm_no_app_a, perm_other_a, perm_target_c],
    )
    # A second user sharing some permissions must not leak into the first's identity.
    UserFactory(
        email="*****@*****.**",
        application_permission_list=[perm_target_b, perm_no_app_a, perm_other_b],
    )
    identity = app_processor.create_identity(subject, {})
    assert set(identity["groups"]) == {perm_target_a.permission, perm_target_c.permission}
def test_x_application_logging_without_access(self, rf, mocker):
    """A denied has_access() writes exactly one access-log entry with status 403 and the app name."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id")
    model_processor = ModelProcessor("an_entity_id")
    request = rf.get("/whatever/")
    request.user = UserFactory()  # not entitled to sp_app
    log_mock = mocker.patch("sso.samlidp.processors.create_x_access_log")
    model_processor.has_access(request)
    log_mock.assert_called_once_with(request, 403, application=sp_app.name)
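def test_idp_initiated_not_permitted(self, client):
    """IdP-initiated login for an SP the user is not entitled to yields a 403 page.

    The SamlApplication is created for its side effect only; the original
    bound it to an unused local.
    """
    SamlApplicationFactory(
        entity_id="http://testsp/saml2/metadata/",
        _processor="sso.samlidp.processors.ModelProcessor",
    )
    client.force_login(UserFactory())  # no access profile
    response = client.get(
        reverse("samlidp:saml_idp_init_legacy") + "?sp=http://testsp/saml2/metadata/"
    )
    assert response.status_code == 403
    assert response.templates[0].name == "403.html"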
def test_x_application_logging(self, rf, mocker):
    """A granted has_access() writes exactly one access-log entry with status 200 and the app name."""
    sp_app = SamlApplicationFactory(entity_id="an_entity_id")
    profile = AccessProfileFactory(saml_apps_list=[sp_app])
    model_processor = ModelProcessor("an_entity_id")
    request = rf.get("/whatever/")
    request.user = UserFactory(add_access_profiles=[profile])
    log_mock = mocker.patch("sso.samlidp.processors.create_x_access_log")
    model_processor.has_access(request)
    log_mock.assert_called_once_with(request, 200, application=sp_app.name)
def test_get_user_id_with_service_override(self):
    """A registered service email for the app takes precedence over the primary email as user id."""
    override_email = "*****@*****.**"
    subject = UserFactory(
        email="*****@*****.**",
        email_list=[override_email, "*****@*****.**"],
    )
    sp_app = SamlApplicationFactory(entity_id="an_entity_id")
    model_processor = ModelProcessor(entity_id="an_entity_id")
    ServiceEmailAddressFactory(
        user=subject,
        saml_application=sp_app,
        email=subject.emails.get(email=override_email),
    )
    resolved_id = model_processor.get_user_id(subject, None, None, None)
    assert resolved_id == override_email
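def test_role_session_name_can_be_overridden(self):
    """A registered service email becomes the AWS RoleSessionName attribute."""
    user = UserFactory()
    app = SamlApplicationFactory(entity_id="an_entity_id", extra_config={"role": "test_role"})
    processor = AWSProcessor(entity_id="an_entity_id")
    # Fetch the email once and reuse it for both the service-email record and
    # the expectation; the original ran `user.emails.first()` twice.
    email = user.emails.first()
    user.service_emails.create(email=email, saml_application=app)
    identity = processor.create_identity(user, {})
    assert identity["https://aws.amazon.com/SAML/Attributes/RoleSessionName"] == email.email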
def test_groups_field_can_be_renamed(self):
    """extra_config['group_name'] replaces the default 'groups' attribute name."""
    target_app = SamlApplicationFactory(
        entity_id="an_entity_id",
        extra_config={"group_name": "overridden_group_name"},
    )
    held_perm = ApplicationPermissionFactory(saml2_application=target_app)
    ApplicationPermissionFactory(saml2_application=target_app)  # not granted to the user
    app_processor = ApplicationPermissionProcessor(entity_id="an_entity_id")
    subject = UserFactory(email="*****@*****.**", application_permission_list=[held_perm])
    identity = app_processor.create_identity(subject, {})
    assert "groups" not in identity
    assert set(identity["overridden_group_name"]) == {held_perm.permission}
def test_user_without_perms(self, client):
    """An SP-initiated login by a user with no access profile is refused with 403."""
    client.force_login(UserFactory())
    # Seed the pending AuthnRequest state the login-process view presumably reads.
    idp_session = client.session
    idp_session.update(
        {
            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "SAMLRequest": saml_request(),
            "RelayState": "",
        }
    )
    idp_session.save()
    SamlApplicationFactory(
        entity_id="http://testsp/saml2/metadata/",
        _processor="sso.samlidp.processors.ModelProcessor",
    )
    response = client.get(reverse("djangosaml2idp:saml_login_process"))
    assert response.status_code == 403
def test_log_without_user(self, rf, mocker):
    """create_x_access_log emits one JSON info line carrying request, user and status fields.

    NOTE(review): despite the name, a user IS attached to the request here.
    The fixed request_time presumably comes from a time-freezing fixture
    declared outside this view, and "ip" is None even though RequestFactory
    sets REMOTE_ADDR, so the logged ip presumably derives from a forwarded
    header rather than the socket address — confirm in sso.core.logging.
    """
    logger_mock = mocker.patch("sso.core.logging.logger")
    request = rf.get("/whatever/")
    acting_user = UserFactory()
    request.user = acting_user
    create_x_access_log(request, 200, message="test message")
    logger_mock.info.assert_called_once()
    expected_entry = {
        "request_id": "",
        "request_time": "2017-06-22 15:50:00",
        "sso_user_id": str(acting_user.user_id),
        "local_user_id": acting_user.id,
        "path": "/whatever/",
        "url": {"domain": "testserver"},
        "status": 200,
        "ip": None,
        "message": "test message",
        "service": "staff-sso test",
    }
    logged_entry = json.loads(logger_mock.info.call_args[0][0])
    assert logged_entry == expected_entry