def setup_class(self):
    """Build the IdP responses and the SP-side parser shared by the tests.

    Three responses are produced for the same transient NameID:
    ``_resp_`` and ``_resp_authn`` are created with identical arguments,
    ``_sign_resp_`` additionally carries a signed assertion.
    """
    sp_entity_id = "urn:mace:example.com:saml:roland:sp"
    in_response_to = "id12"
    consumer_url = "http://lingon.catalogix.se:8087/"

    with closing(Server(dotname("idp_conf"))) as idp:
        name_id = idp.ident.transient_nameid(sp_entity_id, in_response_to)

        def build(**extra):
            # Positional order expected by create_authn_response:
            # identity, in_response_to, consumer_url, sp_entity_id.
            return idp.create_authn_response(
                IDENTITY,
                in_response_to,
                consumer_url,
                sp_entity_id,
                name_id=name_id,
                authn=AUTHN,
                **extra
            )

        self._resp_ = build()
        self._sign_resp_ = build(sign_assertion=True)
        self._resp_authn = build()

    self.conf = config_factory("sp", dotname("server_conf"))
    # Let the SP accept verification keys that are not listed in metadata
    # (test configuration).
    self.conf.only_use_keys_in_metadata = False
    self.ar = authn_response(self.conf, consumer_url)
def setup_class(self):
    """Create one unsigned, one assertion-signed and one plain IdP response.

    All three answer request "id12" from the same SP with the same
    transient NameID; the SP configuration and parser are set up last.
    """
    acs_url = "http://lingon.catalogix.se:8087/"
    sp_id = "urn:mace:example.com:saml:roland:sp"
    request_id = "id12"

    with closing(Server(dotname("idp_conf"))) as idp:
        subject = idp.ident.transient_nameid(sp_id, request_id)
        # Keyword arguments common to every response built here.
        common = dict(name_id=subject, authn=AUTHN)

        self._resp_ = idp.create_authn_response(
            IDENTITY, request_id, acs_url, sp_id, **common
        )
        self._sign_resp_ = idp.create_authn_response(
            IDENTITY, request_id, acs_url, sp_id, sign_assertion=True, **common
        )
        # Same arguments as _resp_; kept as a separate object.
        self._resp_authn = idp.create_authn_response(
            IDENTITY, request_id, acs_url, sp_id, **common
        )

    self.conf = config_factory("sp", dotname("server_conf"))
    # Allow keys outside the published metadata to be used for verification.
    self.conf.only_use_keys_in_metadata = False
    self.ar = authn_response(self.conf, acs_url)
def setup_class(self):
    """Prepare IdP responses (plain, signed assertion, with AuthnStatement).

    The IdP's "policy" section is applied to each response; the third one
    additionally records a password authentication at the given URL.
    """
    sp_id = "urn:mace:example.com:saml:roland:sp"
    request_id = "id12"
    acs_url = "http://lingon.catalogix.se:8087/"

    idp = Server("idp_conf")
    subject = idp.ident.transient_nameid(sp_id, request_id)
    idp_policy = idp.conf.getattr("policy", "idp")

    def respond(**extra):
        # create_response takes in_response_to, consumer_url, sp_entity_id
        # and the identity positionally.
        return idp.create_response(
            request_id, acs_url, sp_id, IDENTITY,
            name_id=subject, policy=idp_policy, **extra
        )

    self._resp_ = respond()
    self._sign_resp_ = respond(sign_assertion=True)
    self._resp_authn = respond(
        authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login")
    )

    self.conf = config_factory("sp", "server_conf")
    # Permit verification keys that are not published in metadata.
    self.conf.only_use_keys_in_metadata = False
    self.ar = authn_response(self.conf, acs_url)
def setup_class(self):
    """Build three IdP responses carrying a single eduPersonEntitlement.

    ``_sign_resp_`` is signed, ``_resp_authn`` carries a password
    authentication statement, ``_resp_`` is the plain variant.
    """
    sp_id = "urn:mace:example.com:saml:roland:sp"
    request_id = "id12"
    acs_url = "http://lingon.catalogix.se:8087/"

    idp = Server("idp_conf")
    subject = idp.ident.transient_nameid(sp_id, request_id)

    def respond(**extra):
        # A fresh identity dict per call, as in the original literals.
        return idp.do_response(
            request_id, acs_url, sp_id,
            {"eduPersonEntitlement": "Jeter"},
            name_id=subject, **extra
        )

    self._resp_ = respond()
    self._sign_resp_ = respond(sign=True)
    self._resp_authn = respond(
        authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login")
    )

    self.conf = config_factory("sp", "server_conf")
    self.ar = authn_response(self.conf, acs_url)
def setup_class(self):
    """Set up an IdP, three of its responses and the SP-side parser.

    Responses answer request "id12" for the same transient NameID and
    carry one attribute (eduPersonEntitlement = Jeter).
    """
    in_response_to = "id12"
    consumer_url = "http://lingon.catalogix.se:8087/"
    sp_entity_id = "urn:mace:example.com:saml:roland:sp"

    idp = Server("idp_conf")
    name_id = idp.ident.transient_nameid(sp_entity_id, in_response_to)
    positional = (in_response_to, consumer_url, sp_entity_id)

    self._resp_ = idp.do_response(
        *positional, {"eduPersonEntitlement": "Jeter"}, name_id=name_id
    )
    self._sign_resp_ = idp.do_response(
        *positional, {"eduPersonEntitlement": "Jeter"}, name_id=name_id, sign=True
    )
    self._resp_authn = idp.do_response(
        *positional,
        {"eduPersonEntitlement": "Jeter"},
        name_id=name_id,
        authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login")
    )

    self.conf = config_factory("sp", "server_conf")
    self.ar = authn_response(self.conf, consumer_url)
def test_unpack_nested_eptid(self):
    """An eduPersonTargetedID carried as a nested NameID unpacks to its text value.

    The fixture is an unsigned response whose Audience is the SP's own
    entity id; it is loaded as plain XML (decode=False), no outstanding
    request is registered, so unsolicited responses must be allowed.
    """
    xml_doc = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="CORTO54673f841c5297dd3614527d38e217332f9e3000" Version="2.0" IssueInstant="2016-09-23T14:00:45Z" Destination="https://sp.example.com/acs/post" InResponseTo="id-Wnv7CMQO1pFJoRWgi" >
<saml:Issuer>https://idp.example.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="CORTOadad7cb5e1237cf30fa7ab49544c15eec582854e" Version="2.0" IssueInstant="2016-09-23T14:00:45Z" >
<saml:Issuer>https://idp.example.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://sp.example.com/acs/post" InResponseTo="id-Wnv7CMQO1pFJoRWgi" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-09-23T14:00:44Z">
<saml:AudienceRestriction>
<saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z" SessionIndex="_9f1148918f12525c6cad9aea29bc557afab2cb8c33" >
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
<saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml:AttributeValue>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>"""

    parser = authn_response(
        self.conf,
        "https://sp.example.com/acs/post",
        asynchop=False,
        allow_unsolicited=True,
    )
    parser.loads(xml_doc, False)
    parser.parse_assertion()

    identity = parser.get_identity()
    # Exactly one attribute, with the nested NameID reduced to its text.
    expected = {"eduPersonTargetedID": ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]}
    assert identity == expected
def test_unpack_nested_eptid(self):
    """A nested NameID inside an eduPersonTargetedID AttributeValue is unpacked.

    The fixture response is unsigned and read as plain XML; the parser is
    created with allow_unsolicited=True because no outstanding request
    matches its InResponseTo.
    """
    fixture = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="CORTO54673f841c5297dd3614527d38e217332f9e3000" Version="2.0" IssueInstant="2016-09-23T14:00:45Z" Destination="https://sp.example.com/acs/post" InResponseTo="id-Wnv7CMQO1pFJoRWgi" >
<saml:Issuer>https://idp.example.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="CORTOadad7cb5e1237cf30fa7ab49544c15eec582854e" Version="2.0" IssueInstant="2016-09-23T14:00:45Z" >
<saml:Issuer>https://idp.example.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://sp.example.com/acs/post" InResponseTo="id-Wnv7CMQO1pFJoRWgi" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-09-23T14:00:44Z">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z" SessionIndex="_9f1148918f12525c6cad9aea29bc557afab2cb8c33" >
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
<saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml:AttributeValue>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>"""

    acs_url = "https://sp.example.com/acs/post"
    response = authn_response(
        self.conf, acs_url, asynchop=False, allow_unsolicited=True
    )
    response.loads(fixture, False)
    response.parse_assertion()

    eptid = response.get_identity()["eduPersonTargetedID"]
    assert eptid == ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]
def _get_test_response(self, path):
    """Load the SAML response fixture at *path* into a new AuthnResponse.

    The parser is created with asynchop=False and allow_unsolicited=True,
    so a fixture with no matching outstanding request is accepted. The
    fixture is read as plain XML (second argument to loads is False).
    The object is returned after loads() only; verify() is not called here.
    """
    with open(path, "r") as fp:
        fixture_xml = fp.read()

    sp_conf = config_factory("idp", dotname("server_conf"))
    parsed = authn_response(
        sp_conf,
        "https://sp:443/.auth/saml/login",
        asynchop=False,
        allow_unsolicited=True,
    )
    parsed.loads(fixture_xml, False)
    return parsed
def handle_ecp_authn_response(cls, soap_message, outstanding=None):
    """Unpack an ECP SOAP envelope, verify the embedded response and record the user.

    :param soap_message: the SOAP envelope received from the client/IdP
    :param outstanding: outstanding request ids the response may answer;
        unsolicited responses are accepted regardless
    :return: tuple ``(response, relay_state)`` where relay_state is the
        last ``ecp:RelayState`` header found, or None
    """
    envelope = soap.class_instances_from_soap_enveloped_saml_thingies(
        soap_message, [paos, ecp, samlp]
    )

    relay_state = None
    for header in envelope["header"]:
        is_relay_state = (
            header.c_tag == "RelayState"
            and header.c_namespace == ecp.NAMESPACE
        )
        if is_relay_state:
            # No break: a later RelayState header replaces an earlier one.
            relay_state = header

    response = authn_response(
        cls.config, cls.service_url(), outstanding, allow_unsolicited=True
    )
    response.loads("%s" % envelope["body"], False, soap_message)
    # verify() runs before any session information is stored for the user.
    response.verify()
    cls.users.add_information_about_person(response.session_info())

    return response, relay_state
def test_signed_response_with_hmac_should_fail(self, mock_validate_on_or_after):
    """A response signed with an HMAC must raise SignatureError in loads().

    Time checks are relaxed (issue_instant_ok mocked, large timeslack) so
    that the signature check is the only reason for rejection; afterwards
    no attributes or NameID may have been extracted.
    """
    sp_conf = config_factory("sp", dotname("server_conf"))
    parser = authn_response(sp_conf, return_addrs="https://example.org/acs/post")
    parser.issue_instant_ok = Mock(return_value=True)
    parser.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
    parser.timeslack = 10000

    with open(SIGNED_RESPONSE_HMAC) as fp:
        hmac_signed_xml = fp.read()

    # loads() validates the response signature and must reject the HMAC.
    with raises(SignatureError):
        parser.loads(hmac_signed_xml, decode=False)

    assert parser.ava is None
    assert parser.name_id is None
def test_signed_assertion_with_random_embedded_cert_should_be_ignored(
        self, mock_validate_on_or_after):
    """A random certificate embedded in the assertion must not be used for verification.

    If the embedded certificate were trusted instead of the configured
    keys, verify() would fail; both loads() and verify() must succeed.
    """
    sp_conf = config_factory("sp", dotname("server_conf"))
    parser = authn_response(
        sp_conf, return_addrs="https://51.15.251.81.xip.io/acs/post"
    )
    parser.issue_instant_ok = Mock(return_value=True)
    parser.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
    parser.timeslack = 10000

    with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp:
        fixture_xml = fp.read()

    # loads() only checks the response signature; verify() checks the
    # contents, including the signed assertion.
    loaded = parser.loads(fixture_xml, decode=False)
    assert loaded
    assert parser.verify()
def setup_class(self):
    """Create the SP configuration and a response parser bound to the ACS URL."""
    acs_url = "https://example.org/acs/post"
    self.conf = config_factory("sp", dotname("server_conf"))
    self.ar = authn_response(self.conf, return_addrs=acs_url)
headers = None logger.info( "Headers: {0:>s}".format(headers)) # send the request and receive the response response = ecp.phase2(request, acsu, idp_entity_id, headers, sign) except Exception, exc: exception_trace("soap", exc, logger) logger.info("SoapClient exception: %s" % (exc,)) return None if response: try: # synchronous operation aresp = authn_response(cls.config, acsu, asynchop=False, allow_unsolicited=True) #aresp.debug = True except Exception, exc: logger.error("%s" % exc) return None try: _resp = aresp.load_instance(response).verify() except Exception, err: logger.error("%s" % err) return None if _resp is None: logger.error("Didn't like the response") return None
def setup_class(self):
    """Load the SP configuration and build a parser for the test ACS URL."""
    sp_conf = config_factory("sp", dotname("server_conf"))
    self.conf = sp_conf
    self.ar = authn_response(sp_conf, "http://lingon.catalogix.se:8087/")
headers.append(("Authorization", "Basic %s" % _str)) logger.info("Headers: {0:>s}".format(headers)) # send the request and receive the response response = ecp.phase2(request, acsu, idp_entity_id, headers, sign) except Exception, exc: exception_trace("soap", exc, logger) logger.info("SoapClient exception: %s" % (exc, )) return None if response: try: # synchronous operation aresp = authn_response(cls.config, acsu, asynchop=False, allow_unsolicited=True) #aresp.debug = True except Exception, exc: logger.error("%s" % exc) return None try: _resp = aresp.load_instance(response).verify() except Exception, err: logger.error("%s" % err) return None if _resp is None: logger.error("Didn't like the response") return None