Exemple #1
    def test_user_has_perms(self, client):
        """A user whose access profile lists the SAML app gets the SP post form.

        The pending SAML request is placed in the session by hand, then the
        login-process view is fetched as the logged-in user. The response must
        be a 200 that contains the auto-post form aimed at the service
        provider's ACS URL.
        """
        app = SamlApplicationFactory(
            entity_id="http://testsp/saml2/metadata/",
            _processor="sso.samlidp.processors.ModelProcessor",
        )
        profile = AccessProfileFactory(saml_apps_list=[app])
        member = UserFactory(add_access_profiles=[profile])
        client.force_login(member)

        # The view under test reads the pending request from the session, so
        # the three SAML keys are written there before the GET.
        pending_request = {
            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "SAMLRequest": saml_request(),
            "RelayState": "",
        }
        store = client.session
        store.update(pending_request)
        store.save()

        login_process_url = reverse("djangosaml2idp:saml_login_process")
        response = client.get(login_process_url)

        expected_form = b'<form method="post" action="https://testing.com/saml2/acs/">'
        assert response.status_code == 200
        assert expected_form in response.content
Exemple #2
    def test_alias_entry(self, client, settings):
        """IdP-initiated login through an alias entity id reaches the real SP.

        Two applications are registered as aliases of the same
        ``real_entity_id``; only the first is in the user's access profile.
        Requesting the legacy init view with ``sp=an-alias`` must render the
        post form for the SP's ACS URL and carry the RelayState through as a
        hidden field.
        """
        real_sp = "http://testsp/saml2/metadata/"

        granted_alias = SamlApplicationFactory(
            entity_id="an-alias",
            real_entity_id=real_sp,
            active=True)

        # Second alias of the same SP; it is not added to the access profile.
        SamlApplicationFactory(
            entity_id="another-alias",
            real_entity_id=real_sp,
            active=True)

        profile = AccessProfileFactory(saml_apps_list=[granted_alias])

        credentials = {
            "email": "*****@*****.**",
            "password": "******",
        }

        account = UserFactory(**credentials, add_access_profiles=[profile])
        # Store the password through set_password (which hashes it) so the
        # credential-based client.login below can authenticate.
        account.set_password(account.password)
        account.save()

        logged_in = client.login(request=HttpRequest(), **credentials)
        assert logged_in

        init_path = reverse("samlidp:saml_idp_init_legacy")
        url = init_path + "?sp=an-alias&RelayState=https://testing.com"

        response = client.get(url)
        page = response.content

        assert b'<form method="post" action="https://testing.com/saml2/acs/">' in page
        # NOTE(review): RelayState arrives in the query string and is written
        # into an HTML attribute. This assertion only covers a plain URL; it
        # does not show whether values containing quotes or angle brackets are
        # escaped - a separate test should pin that.
        relay_state_field = (
            b'<input type="hidden" name="RelayState" value="https://testing.com" />'
        )
        assert relay_state_field in page
Exemple #3
    def test_is_valid_ip_with_ip_restriction_disabled(self, rf):
        """Access is granted when the application has no ``allowed_ips`` set.

        The factory is called without ``allowed_ips`` - presumably that leaves
        the IP restriction off; confirm against the factory defaults.
        """
        entity_id = "an_entity_id"
        app = SamlApplicationFactory(entity_id=entity_id)
        profile = AccessProfileFactory(saml_apps_list=[app])
        processor = ModelProcessor(entity_id)

        request = rf.get("/whatever/")
        request.user = UserFactory(add_access_profiles=[profile])

        granted = processor.has_access(request)
        assert granted
Exemple #4
    def test_has_access_ip_restriction_no_x_forwarded_header(self, rf):
        """With an IP allow-list set, a request lacking X-Forwarded-For is refused.

        This pins the fail-closed case: the user holds the right access
        profile, but the request carries no forwarding header, so the check
        must deny rather than fall through to "allowed".
        """
        entity_id = "an_entity_id"
        app = SamlApplicationFactory(entity_id=entity_id, allowed_ips="1.1.1.1")
        profile = AccessProfileFactory(saml_apps_list=[app])
        processor = ModelProcessor(entity_id)

        # No HTTP_X_FORWARDED_FOR is passed to the request factory here.
        request = rf.get("/whatever/")
        request.user = UserFactory(add_access_profiles=[profile])

        granted = processor.has_access(request)
        assert not granted
Exemple #5
    def test_has_access_ip_restriction_ip_not_whitelisted(self, rf):
        """A forwarded address outside the allow-list is refused.

        The application allows only 8.8.8.8, and none of the three addresses
        in the X-Forwarded-For header matches it.
        """
        entity_id = "an_entity_id"
        app = SamlApplicationFactory(entity_id=entity_id, allowed_ips="8.8.8.8")
        profile = AccessProfileFactory(saml_apps_list=[app])
        processor = ModelProcessor(entity_id)

        # NOTE(review): X-Forwarded-For is supplied by the client and appended
        # to by each proxy. Because no entry here is allowed, this test does
        # not show which position in the list the processor trusts; a test
        # where only one position holds the allowed address would pin that.
        forwarded_chain = "1.1.1.1, 2.2.2.2, 3.3.3.3"
        request = rf.get("/whatever/", HTTP_X_FORWARDED_FOR=forwarded_chain)
        request.user = UserFactory(add_access_profiles=[profile])

        granted = processor.has_access(request)
        assert not granted
Exemple #6
    def test_x_application_logging(self, rf, mocker):
        """An access check writes exactly one access-log entry for the application.

        ``create_x_access_log`` is patched where the processors module looks
        it up, and the test checks that it is called once with the request,
        the status 200 and the application's name.
        """
        entity_id = "an_entity_id"
        app = SamlApplicationFactory(entity_id=entity_id)
        profile = AccessProfileFactory(saml_apps_list=[app])

        processor = ModelProcessor(entity_id)

        request = rf.get("/whatever/")
        request.user = UserFactory(add_access_profiles=[profile])

        # Patch before the call so the audit entry is captured, not written.
        access_log_spy = mocker.patch(
            "sso.samlidp.processors.create_x_access_log")

        processor.has_access(request)

        access_log_spy.assert_called_once_with(
            request, 200, application=app.name)