def test_assertion_2():
AVA = {'mail': '*****@*****.**',
'eduPersonTargetedID': 'http://lingon.ladok.umu.se:8090/idp!http://lingon.ladok.umu.se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976',
'displayName': 'Roland Hedberg',
'uid': 'http://roland.hedberg.myopenid.com/'}
ava = Assertion(AVA)
policy = Policy({
"default": {
"lifetime": {"minutes": 240},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
})
ava = ava.apply_policy("", policy)
acs = ac_factory(full_path("attributemaps"))
attribute = from_local(acs, ava, policy.get_name_form(""))
assert len(attribute) == 4
names = [attr.name for attr in attribute]
assert _eq(names, ['urn:oid:0.9.2342.19200300.100.1.3',
'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
'urn:oid:2.16.840.1.113730.3.1.241',
'urn:oid:0.9.2342.19200300.100.1.1'])
def test_ava_filter_1():
conf = {
"default": {
"lifetime": {"minutes":15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions":{
"givenName": None,
"surName": None,
"mail": [".*@.*\.umu\.se"],
}
}}
r = Policy(conf)
ava = {"givenName":"Derek",
"surName": "Jeter",
"mail":"*****@*****.**"}
ava = r.filter(ava,"urn:mace:umu.se:saml:roland:sp",None,None)
assert _eq(ava.keys(), ["givenName","surName"])
ava = {"givenName":"Derek",
"mail":"*****@*****.**"}
assert _eq(ava.keys(), ["givenName","mail"])
def test_ava_filter_dont_fail():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None, # means all I have
"fail_on_missing_requested": False,
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]},
"fail_on_missing_requested": False,
},
}
policy = Policy(conf)
ava = {"givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
# So it should fail if the 'fail_on_ ...' flag wasn't set
_ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [mail], [gn, sn])
assert _ava
ava = {"givenName": "Derek", "surName": "Jeter"}
# it wasn't there to begin with
_ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [gn, sn, mail])
assert _ava
def test_filter_ava_5():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None, # means all I have
"entity_categories": ["swamid", "edugain"]
}
}
policy = Policy(restrictions=policy_conf, mds=mds)
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": [
"*****@*****.**",
"*****@*****.**",
],
}
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
def test_ava_filter_2():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {
"givenName": None,
"sn": None,
"mail": [".*@.*\.umu\.se"],
}
}}
policy = Policy(conf)
ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
_ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
[gn, sn])
assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])
ava = {"givenName": "Derek", "sn": "Jeter"}
# it wasn't there to begin with
try:
policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
[gn, sn, mail])
except MissingValue:
pass
def test_ava_filter_1():
conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [r".*@.*\.umu\.se"],
}
}
}
r = Policy(conf)
ava = {
"givenName": "Derek",
"surName": "Jeter",
"mail": "*****@*****.**"
}
ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp")
assert _eq(list(ava.keys()), ["givenName", "surName"])
ava = {"givenName": "Derek", "mail": "*****@*****.**"}
assert _eq(sorted(list(ava.keys())), ["givenName", "mail"])
def test_lifetime_1():
conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [r".*@.*\.umu\.se"],
}
}
}
r = Policy(conf)
assert r is not None
assert r.get_lifetime("urn:mace:umu.se:saml:roland:sp") == {"minutes": 5}
assert r.get_lifetime("urn:mace:example.se:saml:sp") == {"minutes": 15}
def test_filter_ava2():
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
# "attribute_restrictions": None # means all I have
"entity_categories": ["refeds", "edugain"]
}
}
policy = Policy(policy_conf, MDS)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz"
}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth")
# Mismatch, policy deals with eduGAIN, metadata says SWAMID
# So only minimum should come out
assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_attribute_value_assertions_2(AVA):
p = Policy(
{"default": {
"attribute_restrictions": {
"givenName": ["^R.*"],
}
}})
ava = filter_attribute_value_assertions(AVA[0].copy(),
p.get_attribute_restrictions(""))
print(ava)
assert _eq(ava.keys(), [])
ava = filter_attribute_value_assertions(AVA[1].copy(),
p.get_attribute_restrictions(""))
print(ava)
assert _eq(list(ava.keys()), ["givenName"])
assert ava["givenName"] == ["Ryan"]
ava = filter_attribute_value_assertions(AVA[3].copy(),
p.get_attribute_restrictions(""))
print(ava)
assert _eq(list(ava.keys()), ["givenName"])
assert ava["givenName"] == ["Roland"]
def test_ava_filter_2():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {
"givenName": None,
"sn": None,
"mail": [".*@.*\.umu\.se"],
}
}}
policy = Policy(conf)
ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}
# mail removed because it doesn't match the regular expression
_ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
[gn, sn])
assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])
ava = {"givenName": "Derek", "sn": "Jeter"}
# it wasn't there to begin with
try:
policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
[gn, sn, mail])
except MissingValue:
pass
def test_filter_ava_3():
""" Only example.com mail addresses returned """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"mail": [r".*@example\.com$"],
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(list(ava.keys()), ["mail"])
assert ava["mail"] == ["*****@*****.**"]
def get_ava(self, user=None):
# IDENTITY AND ATTR POLICY
# Generate request session stuff needed for user agreement screen
attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \
getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", [])
identity = {
k: v
for k, v in self.processor.create_identity(user or self.request.user,
self.sp).items()
if k not in attrs_to_exclude
}
# entity categories and other pysaml2 policies could filter out some attributes
policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy'))
ava = policy.filter(identity,
self.sp['id'],
self.IDP.config.metadata,
required=[])
# remove None
for attr in ava:
if not ava[attr]:
ava[attr] = ''
# END IDENTITY AND ATTR POLICY
return identity, policy, ava
def test_filter_ava_4():
""" Return everything as default policy is used """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"mail": [r".*@example\.com$"],
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
assert _eq(sorted(list(ava.keys())), ['mail', 'givenName', 'surName'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_attribute_value_assertions_2(AVA):
p = Policy({
"default": {
"attribute_restrictions": {
"givenName": ["^R.*"],
}
}
})
ava = filter_attribute_value_assertions(AVA[0].copy(),
p.get_attribute_restriction(""))
print ava
assert _eq(ava.keys(), [])
ava = filter_attribute_value_assertions(AVA[1].copy(),
p.get_attribute_restriction(""))
print ava
assert _eq(ava.keys(), ["givenName"])
assert ava["givenName"] == ["Ryan"]
ava = filter_attribute_value_assertions(AVA[3].copy(),
p.get_attribute_restriction(""))
print ava
assert _eq(ava.keys(), ["givenName"])
assert ava["givenName"] == ["Roland"]
def test_assertion_2():
AVA = {'mail': u'*****@*****.**',
'eduPersonTargetedID': 'http://lingon.ladok.umu.se:8090/idp!http://lingon.ladok.umu.se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976',
'displayName': u'Roland Hedberg',
'uid': 'http://roland.hedberg.myopenid.com/'}
ava = Assertion(AVA)
policy = Policy( {
"default": {
"lifetime": {"minutes": 240},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
})
ava = ava.apply_policy( "", policy )
acs = ac_factory("attributemaps")
attribute=from_local(acs, ava, policy.get_name_form(""))
assert len(attribute) == 4
names = [attr.name for attr in attribute]
assert _eq(names, ['urn:oid:0.9.2342.19200300.100.1.3',
'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
'urn:oid:2.16.840.1.113730.3.1.241',
'urn:oid:0.9.2342.19200300.100.1.1'])
def test_req_opt():
req = [md.RequestedAttribute(friendly_name="surname", name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"),
md.RequestedAttribute(friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"),
md.RequestedAttribute(friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true")]
opt = [md.RequestedAttribute(friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false")]
policy = Policy()
ava = {'givenname': 'Roland', 'surname': 'Hedberg',
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, req, opt)
assert fava
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
# "attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_sfs_hei.xml"), )]
}])
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_0():
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_1():
""" No mail address returned """
policy = Policy({
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
}
}
})
ava = {
"givenName": ["Derek"],
"surName": ["Jeter"],
"mail": ["*****@*****.**"]
}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
def test_req_opt():
req = [
to_dict(
md.RequestedAttribute(
friendly_name="surname", name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS),
to_dict(
md.RequestedAttribute(
friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS),
to_dict(
md.RequestedAttribute(
friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true"), ONTS)]
opt = [
to_dict(
md.RequestedAttribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false"), ONTS)]
policy = Policy()
ava = {'givenname': 'Roland', 'surname': 'Hedberg',
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, None, req, opt)
assert fava
def test_filter_attribute_value_assertions_0(AVA):
p = Policy({"default": {"attribute_restrictions": {"surName": [".*berg"]}}})
ava = filter_attribute_value_assertions(AVA[3].copy(), p.get_attribute_restrictions(""))
print ava
assert ava.keys() == ["surName"]
assert ava["surName"] == ["Hedberg"]
def test_filter_ava_esi_coco():
entity_id = "https://esi-coco.example.edu/saml2/metadata/"
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_esi_and_coco_sp.xml"), )]
}])
policy_conf = {
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["swamid"]
}
}
policy = Policy(policy_conf, mds)
ava = {
"givenName": ["Test"],
"sn": ["Testsson"],
"mail": ["*****@*****.**"],
"c": ["SE"],
"schacHomeOrganization": ["example.com"],
"eduPersonScopedAffiliation": ["*****@*****.**"],
"schacPersonalUniqueCode": [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
]
}
requested_attributes = [{
'friendly_name': 'eduPersonScopedAffiliation',
'name': '1.3.6.1.4.1.5923.1.1.1.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}, {
'friendly_name': 'schacHomeOrganization',
'name': '1.3.6.1.4.1.25178.1.2.9',
'name_format': NAME_FORMAT_URI,
'is_required': 'true'
}]
ava = policy.filter(ava, entity_id, required=requested_attributes)
assert _eq(list(ava.keys()), [
'eduPersonScopedAffiliation', 'schacHomeOrganization',
'schacPersonalUniqueCode'
])
assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"])
assert _eq(ava["schacHomeOrganization"], ["example.com"])
assert _eq(ava["schacPersonalUniqueCode"], [
"urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
])
def test_lifetime_2():
conf = {
"default": {"attribute_restrictions": None}, # means all I have
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]},
},
}
r = Policy(conf)
assert r is not None
assert r.get_lifetime("urn:mace:umu.se:saml:roland:sp") == {"minutes": 5}
assert r.get_lifetime("urn:mace:example.se:saml:sp") == {"hours": 1}
def test_filter_attribute_value_assertions_0(AVA):
p = Policy(
{"default": {
"attribute_restrictions": {
"surName": [".*berg"],
}
}})
ava = filter_attribute_value_assertions(AVA[3].copy(),
p.get_attribute_restrictions(""))
print(ava)
assert list(ava.keys()) == ["surName"]
assert ava["surName"] == ["Hedberg"]
def test_req_opt():
req = [
to_dict(
md.RequestedAttribute(
friendly_name="surname",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
to_dict(
md.RequestedAttribute(
friendly_name="givenname",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
to_dict(
md.RequestedAttribute(
friendly_name="edupersonaffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="true",
),
ONTS,
),
]
opt = [
to_dict(
md.RequestedAttribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
is_required="false",
),
ONTS,
)
]
policy = Policy()
ava = {"givenname": "Roland", "surname": "Hedberg", "uid": "rohe0002", "edupersonaffiliation": "staff"}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, None, req, opt)
assert fava
def test_filter_attribute_value_assertions_1(AVA):
p = Policy({"default": {"attribute_restrictions": {"surName": None, "givenName": [".*er.*"]}}})
ava = filter_attribute_value_assertions(AVA[0].copy(), p.get_attribute_restrictions(""))
print ava
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["surName"] == ["Jeter"]
assert ava["givenName"] == ["Derek"]
ava = filter_attribute_value_assertions(AVA[1].copy(), p.get_attribute_restrictions(""))
print ava
assert _eq(ava.keys(), ["surName"])
assert ava["surName"] == ["Howard"]
def test_assertion_with_zero_attributes():
ava = {}
ast = Assertion(ava)
policy = Policy({
"default": {
"lifetime": {
"minutes": 240
},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
})
name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
msg = ast.construct("sp_entity_id",
"in_response_to",
"consumer_url",
name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
policy,
issuer=issuer,
authn_decl=ACD,
authn_auth="authn_authn")
print(msg)
assert msg.attribute_statement == []
def load_complex(self, cnf, typ="", metadata_construction=False):
try:
self.setattr(typ, "policy", Policy(cnf["policy"]))
except KeyError:
pass
try:
try:
acs = ac_factory(cnf["attribute_map_dir"])
except KeyError:
acs = ac_factory()
if not acs:
raise Exception(
("No attribute converters, ", "something is wrong!!"))
_acs = self.getattr("attribute_converters", typ)
if _acs:
_acs.extend(acs)
else:
self.setattr(typ, "attribute_converters", acs)
except KeyError:
pass
if not metadata_construction:
try:
self.setattr(typ, "metadata",
self.load_metadata(cnf["metadata"]))
except KeyError:
pass
def test_assertion_with_authn_instant():
ava = {}
ast = Assertion(ava)
policy = Policy({
"default": {
"lifetime": {
"minutes": 240
},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
})
name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
farg = add_path(
{}, ['subject', 'subject_confirmation', 'method', saml.SCM_BEARER])
add_path(farg['subject']['subject_confirmation'],
['subject_confirmation_data', 'in_response_to', 'in_response_to'])
add_path(farg['subject']['subject_confirmation'],
['subject_confirmation_data', 'recipient', 'consumer_url'])
msg = ast.construct("sp_entity_id",
[AttributeConverterNOOP(NAME_FORMAT_URI)],
policy,
issuer=issuer,
authn_decl=ACD,
authn_auth="authn_authn",
authn_instant=1234567890,
name_id=name_id,
farg=farg)
print(msg)
assert msg.authn_statement[0].authn_instant == "2009-02-13T23:31:30Z"
def load_complex(self, cnf, typ="", metadata_construction=False):
_attr_typ = self._attr[typ]
try:
_attr_typ["policy"] = Policy(cnf["policy"])
except KeyError:
pass
try:
try:
acs = ac_factory(cnf["attribute_map_dir"])
except KeyError:
acs = ac_factory()
if not acs:
raise Exception(
("No attribute converters, ", "something is wrong!!"))
try:
_attr_typ["attribute_converters"].extend(acs)
except KeyError:
_attr_typ["attribute_converters"] = acs
except KeyError:
pass
if not metadata_construction:
try:
_attr_typ["metadata"] = self.load_metadata(cnf["metadata"])
except KeyError:
pass
def test_authz_decision_query(self):
conf = config.SPConfig()
conf.load_file("server3_conf")
client = Saml2Client(conf)
AVA = {
'mail': u'*****@*****.**',
'eduPersonTargetedID': '95e9ae91dbe62d35198fbbd5e1fb0976',
'displayName': u'Roland Hedberg',
'uid': 'http://roland.hedberg.myopenid.com/'
}
sp_entity_id = "sp_entity_id"
in_response_to = "1234"
consumer_url = "http://example.com/consumer"
name_id = saml.NameID(saml.NAMEID_FORMAT_TRANSIENT, text="name_id")
policy = Policy()
ava = Assertion(AVA)
assertion = ava.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
conf.attribute_converters,
policy,
issuer=client._issuer())
adq = client.authz_decision_query_using_assertion(
"entity_id", assertion, "read", "http://example.com/text")
assert adq
print adq
assert adq.keyswv() != []
assert adq.destination == "entity_id"
assert adq.resource == "http://example.com/text"
assert adq.action[0].text == "read"
def test_assertion_1(AVA):
ava = Assertion(AVA[0])
print(ava)
print(ava.__dict__)
policy = Policy(
{"default": {
"attribute_restrictions": {
"givenName": ["^R.*"],
}
}})
ava = ava.apply_policy("", policy)
print(ava)
assert _eq(list(ava.keys()), [])
ava = Assertion(AVA[1].copy())
ava = ava.apply_policy("", policy)
assert _eq(list(ava.keys()), ["givenName"])
assert ava["givenName"] == ["Ryan"]
ava = Assertion(AVA[3].copy())
ava = ava.apply_policy("", policy)
assert _eq(list(ava.keys()), ["givenName"])
assert ava["givenName"] == ["Roland"]
def test_filter_ava():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_persistent_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid(policy, "foobar",
"urn:mace:example.com:sp:1")
assert _eq(nameid.keys(), [
'text', 'sp_provided_id', 'sp_name_qualifier', 'name_qualifier',
'format'
])
assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier'])
assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1"
assert nameid.format == NAMEID_FORMAT_PERSISTENT
nameid_2 = self.id.construct_nameid(policy, "foobar",
"urn:mace:example.com:sp:1")
assert nameid != nameid_2
assert nameid.text == nameid_2.text
def test_assertion_with_noop_attribute_conv():
ava = {"urn:oid:2.5.4.4": "Roland", "urn:oid:2.5.4.42": "Hedberg" }
ast = Assertion(ava)
policy = Policy({
"default": {
"lifetime": {"minutes": 240},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
})
name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
msg = ast.construct("sp_entity_id", "in_response_to", "consumer_url",
name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
policy, issuer=issuer, authn_decl=ACD ,
authn_auth="authn_authn")
print(msg)
for attr in msg.attribute_statement[0].attribute:
assert attr.name_format == NAME_FORMAT_URI
assert len(attr.attribute_value) == 1
if attr.name == "urn:oid:2.5.4.42":
assert attr.attribute_value[0].text == "Hedberg"
elif attr.name == "urn:oid:2.5.4.4":
assert attr.attribute_value[0].text == "Roland"
def test_ava_filter_2():
conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None # means all I have
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [".*@.*\.umu\.se"],
}
}}
policy = Policy(conf)
ava = {"givenName": "Derek",
"surName": "Jeter",
"mail": "*****@*****.**"}
raises(MissingValue, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
None, [mail], [gn, sn])
ava = {"givenName": "Derek",
"surName": "Jeter"}
# it wasn't there to begin with
raises(Exception, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
None, [gn, sn, mail])
def test_ava_filter_dont_fail():
conf = {
"default": {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None, # means all I have
"fail_on_missing_requested": False
},
"urn:mace:umu.se:saml:roland:sp": {
"lifetime": {
"minutes": 5
},
"attribute_restrictions": {
"givenName": None,
"surName": None,
"mail": [r".*@.*\.umu\.se"],
},
"fail_on_missing_requested": False
}
}
policy = Policy(conf)
ava = {
"givenName": "Derek",
"surName": "Jeter",
"mail": "*****@*****.**"
}
# mail removed because it doesn't match the regular expression
# So it should fail if the 'fail_on_ ...' flag wasn't set
_ava = policy.filter(ava,
'urn:mace:umu.se:saml:roland:sp',
required=[mail],
optional=[gn, sn])
assert _ava
ava = {"givenName": "Derek", "surName": "Jeter"}
# it wasn't there to begin with
_ava = policy.filter(ava,
'urn:mace:umu.se:saml:roland:sp',
required=[gn, sn, mail])
assert _ava
def setup_assertion(self,
authn,
sp_entity_id,
in_response_to,
consumer_url,
name_id,
policy,
_issuer,
authn_statement,
identity,
best_effort,
sign_response,
add_subject=True):
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue as exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
if authn: # expected to be a dictionary
# Would like to use dict comprehension but ...
authn_args = dict([(AUTHN_DICT_MAP[k], v)
for k, v in authn.items()
if k in AUTHN_DICT_MAP])
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
add_subject=add_subject,
**authn_args)
elif authn_statement: # Got a complete AuthnStatement
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
authn_statem=authn_statement,
add_subject=add_subject)
else:
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
add_subject=add_subject)
return assertion
def test_entity_category_import_from_path():
mds = MetadataStore(ATTRCONV,
sec_config,
disable_ssl_certificate_validation=True)
# The file entity_cat_rs.xml contains the SAML metadata for an SP
# tagged with the REFEDs R&S entity category.
mds.imp([{
"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_rs.xml"), )]
}])
# The entity category module myentitycategory.py is in the tests
# directory which is on the standard module search path.
# The module uses a custom interpretation of the REFEDs R&S entity category
# by adding eduPersonUniqueId.
policy = Policy(
{
"default": {
"lifetime": {
"minutes": 15
},
"entity_categories": ["myentitycategory"]
}
}, mds)
ava = {
"givenName": ["Derek"],
"sn": ["Jeter"],
"displayName": "Derek Jeter",
"mail": ["*****@*****.**"],
"c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"eduPersonUniqueId": "*****@*****.**",
"eduPersonScopedAffiliation": "*****@*****.**",
"eduPersonPrincipalName": "*****@*****.**",
"norEduPersonNIN": "19800101134"
}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
# We expect c and norEduPersonNIN to be filtered out since they are not
# part of the custom entity category.
assert _eq(list(ava.keys()), [
"eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId",
"displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"
])
def test_filter_ava_0():
policy = Policy(
{
"default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have
"urn:mace:example.com:saml:roland:sp": {"lifetime": {"minutes": 5}},
}
)
ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["givenName", "surName", "mail"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
assert ava["mail"] == ["*****@*****.**"]
def create_aa_response(self, in_response_to, consumer_url, sp_entity_id,
identity=None, userid="", name_id=None, status=None,
issuer=None, sign_assertion=False,
sign_response=False, attributes=None):
""" Create an attribute assertion response.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param sp_entity_id: The entity identifier of the SP
:param identity: A dictionary with attributes and values that are
expected to be the bases for the assertion in the response.
:param userid: A identifier of the user
:param name_id: The identifier of the subject
:param status: The status of the response
:param issuer: The issuer of the response
:param sign_assertion: Whether the assertion should be signed or not
:param sign_response: Whether the whole response should be signed
:return: A response instance
"""
if not name_id and userid:
try:
name_id = self.ident.construct_nameid(self.conf.policy, userid,
sp_entity_id, identity)
logger.warning("Unspecified NameID format")
except Exception:
pass
to_sign = []
args = {}
if identity:
_issuer = self.issuer(issuer)
ast = Assertion(identity)
policy = self.conf.getattr("policy", "aa")
if policy:
ast.apply_policy(sp_entity_id, policy)
else:
policy = Policy()
if attributes:
restr = restriction_from_attribute_spec(attributes)
ast = filter_attribute_value_assertions(ast)
assertion = ast.construct(sp_entity_id, in_response_to,
consumer_url, name_id,
self.conf.attribute_converters,
policy, issuer=_issuer)
if sign_assertion:
assertion.signature = pre_signature_part(assertion.id,
self.sec.my_cert, 1)
# Just the assertion or the response and the assertion ?
to_sign = [(class_name(assertion), assertion.id)]
args["assertion"] = assertion
return self._response(in_response_to, consumer_url, status, issuer,
sign_response, to_sign, **args)
def test_filter_ava2():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["refeds", "edugain"]
}
})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz"}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
# Mismatch, policy deals with eduGAIN, metadata says SWAMID
# So only minimum should come out
assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_ava_5():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid", "edugain"]
}
})
ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]}
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], [])
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
def test_filter_ava_4():
""" Return everything as default policy is used """
policy = Policy(
{
"default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions": {"mail": [".*@example\.com$"]},
},
}
)
ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], [])
assert _eq(ava.keys(), ["mail", "givenName", "surName"])
assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava3():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}])
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_3():
""" Only example.com mail addresses returned """
policy = Policy({
"default": {
"lifetime": {"minutes":15},
"attribute_restrictions": None # means all I have
},
"urn:mace:example.com:saml:roland:sp": {
"lifetime": {"minutes": 5},
"attribute_restrictions":{
"mail": [".*@example\.com$"],
}
}})
ava = { "givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["*****@*****.**", "*****@*****.**"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
assert _eq(ava.keys(), ["mail"])
assert ava["mail"] == ["*****@*****.**"]
def test_entity_category_import_from_path():
# The entity category module myentitycategory.py is in the tests
# directory which is on the standard module search path.
# The module uses a custom interpretation of the REFEDs R&S entity category
# by adding eduPersonUniqueId.
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
"entity_categories": ["myentitycategory"]
}
})
mds = MetadataStore(ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
# The file entity_cat_rs.xml contains the SAML metadata for an SP
# tagged with the REFEDs R&S entity category.
mds.imp([{"class": "saml2.mdstore.MetaDataFile",
"metadata": [(full_path("entity_cat_rs.xml"),)]}])
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"displayName": "Derek Jeter",
"mail": ["*****@*****.**"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"eduPersonUniqueId": "*****@*****.**",
"eduPersonScopedAffiliation": "*****@*****.**",
"eduPersonPrincipalName": "*****@*****.**",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
# We expect c and norEduPersonNIN to be filtered out since they are not
# part of the custom entity category.
assert _eq(list(ava.keys()),
["eduPersonTargetedID", "eduPersonPrincipalName",
"eduPersonUniqueId", "displayName", "givenName",
"eduPersonScopedAffiliation", "mail", "sn"])
def test_assertion_2():
AVA = {
"mail": u"*****@*****.**",
"eduPersonTargetedID": "http://lingon.ladok.umu"
".se:8090/idp!http://lingon.ladok.umu"
".se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976",
"displayName": u"Roland Hedberg",
"uid": "http://roland.hedberg.myopenid.com/",
}
ava = Assertion(AVA)
policy = Policy(
{
"default": {
"lifetime": {"minutes": 240},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI,
}
}
)
ava = ava.apply_policy("", policy)
acs = ac_factory(full_path("attributemaps"))
attribute = from_local(acs, ava, policy.get_name_form(""))
assert len(attribute) == 4
names = [attr.name for attr in attribute]
assert _eq(
names,
[
"urn:oid:0.9.2342.19200300.100.1.3",
"urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
"urn:oid:2.16.840.1.113730.3.1.241",
"urn:oid:0.9.2342.19200300.100.1.1",
],
)
