def test_valid_signature(self):
    """An untampered request signed with the metadata certificate verifies.

    Nothing is broken in the digest or the signature and the embedded
    certificate is the one the verifier is configured with, so ``verify()``
    must complete and return ``None``.
    """
    signed_info = self.signed_info.format(
        sig_alg=self.sig_alg, break_signature='')
    saml_request = self.saml_request.format(
        break_digest='',
        signature_value=self.signature_value,
        signed_info=signed_info,
        certificate=self.cert,
    )
    post_request = HTTPPostRequest(
        saml_request=saml_request, relay_state='relay_state')
    verifier = HTTPPostSignatureVerifier(self.cert, post_request)
    # Success is signalled by a plain None return; failures raise.
    self.assertIsNone(verifier.verify())
def test_signature_mismatch(self):
    """Corrupting the signed content must make signature verification fail.

    The SignedInfo is altered after signing (``break_signature='broken'``),
    so the stored SignatureValue no longer matches and the verifier has to
    raise ``SignatureVerificationError`` with the generic failure message.
    """
    signed_info = self.signed_info.format(
        sig_alg=self.sig_alg, break_signature='broken')
    saml_request = self.saml_request.format(
        break_digest='',
        signature_value=self.signature_value,
        signed_info=signed_info,
        certificate=self.cert,
    )
    post_request = HTTPPostRequest(
        saml_request=saml_request, relay_state='relay_state')
    verifier = HTTPPostSignatureVerifier(self.cert, post_request)
    with pytest.raises(SignatureVerificationError) as excinfo:
        verifier.verify()
    expected = 'Verifica della firma fallita.'
    self.assertEqual(expected, excinfo.value.args[0])
def test_certificate_mismatch(self):
    """A request carrying a certificate other than the metadata one is rejected.

    The signature itself is left intact; only the X509 certificate embedded
    in the request differs from the one the verifier was built with. The
    verifier must refuse it with the certificate-mismatch message rather
    than trusting the attacker-supplied certificate.
    """
    signed_info = self.signed_info.format(
        sig_alg=self.sig_alg, break_signature='')
    saml_request = self.saml_request.format(
        break_digest='',
        signature_value=self.signature_value,
        signed_info=signed_info,
        certificate='fake cert',
    )
    post_request = HTTPPostRequest(
        saml_request=saml_request, relay_state='relay_state')
    verifier = HTTPPostSignatureVerifier(self.cert, post_request)
    with pytest.raises(SignatureVerificationError) as excinfo:
        verifier.verify()
    expected = (
        'Il certificato X509 contenuto nella request è differente '
        'rispetto a quello contenuto nei metadata del Service Provider.'
    )
    self.assertEqual(expected, excinfo.value.args[0])
def test_unknown_algorithm(self):
    """An unrecognised SignatureMethod algorithm must be rejected up front.

    The error message has to name the offending algorithm and list the
    supported ones (``self.supported_sig_alg``).
    """
    bogus_alg = 'unknown_sig_alg'
    signed_info = self.signed_info.format(
        sig_alg=bogus_alg, break_signature='')
    saml_request = self.saml_request.format(
        break_digest='',
        signature_value=self.signature_value,
        signed_info=signed_info,
        certificate=self.cert,
    )
    post_request = HTTPPostRequest(
        saml_request=saml_request, relay_state='relay_state')
    verifier = HTTPPostSignatureVerifier(self.cert, post_request)
    with pytest.raises(SignatureVerificationError) as excinfo:
        verifier.verify()
    expected = (
        "L'algoritmo '{}' è sconosciuto o non supportato. Si prega di "
        "utilizzare uno dei seguenti: {}"
    ).format(bogus_alg, self.supported_sig_alg)
    self.assertEqual(expected, excinfo.value.args[0])
def test_deprecated_algorithm(self):
    """RSA-SHA1 is known but deprecated and must be refused as such.

    SHA-1 based XML-DSig algorithms are still parseable, so this guards the
    explicit deny-list: the verifier must raise with the "deprecated"
    wording (not the "unknown" one) and point at the supported algorithms.
    """
    legacy_alg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
    signed_info = self.signed_info.format(
        sig_alg=legacy_alg, break_signature='')
    saml_request = self.saml_request.format(
        break_digest='',
        signature_value=self.signature_value,
        signed_info=signed_info,
        certificate=self.cert,
    )
    post_request = HTTPPostRequest(
        saml_request=saml_request, relay_state='relay_state')
    verifier = HTTPPostSignatureVerifier(self.cert, post_request)
    with pytest.raises(SignatureVerificationError) as excinfo:
        verifier.verify()
    expected = (
        "L'algoritmo '{}' è considerato deprecato. "
        "Si prega di utilizzare uno dei seguenti: {}"
    ).format(legacy_alg, self.supported_sig_alg)
    self.assertEqual(expected, excinfo.value.args[0])
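def _handle_http_post(self, action):
    """Parse, deserialize and signature-check a SAML message received via HTTP-POST.

    The form fields are taken from the module-level ``request`` object
    (presumably the web framework's current request), unpacked and parsed
    with ``HTTPPostRequestParser``, deserialized for ``action`` against the
    server metadata, and finally the XML signature is verified against the
    certificate(s) registered for the message's issuer.

    :param action: the SAML action the message is expected to carry; passed
                   through to ``get_http_post_request_deserializer``.
    :return: a ``SPIDRequest`` wrapping the parsed request data and the
             deserialized tree.
    :raises ValueError: when no certificate is registered for the issuer,
                        so the request can never be returned unverified.
    Errors raised by the parser, the deserializer or the verifier propagate
    unchanged.
    """
    # FIXME: replace the following code with a call to a function
    # in the parser.py module after metadata refactoring.
    # The IdpServer class should not be responsible of request parsing,
    # or know anything about request parsing *at all*.
    saml_msg = self.unpack_args(request.form)
    request_data = HTTPPostRequestParser(saml_msg).parse()
    deserializer = get_http_post_request_deserializer(
        request_data, action, self.server.metadata)
    saml_tree = deserializer.deserialize()

    issuer = saml_tree.issuer.text
    certs = self._get_certificates_by_issuer(issuer)
    # Fail closed. If the lookup can return an empty collection, the loop
    # below would not execute and an unverified request would be handed
    # back to the caller as if its signature had been checked.
    # TODO(review): if the package's SignatureVerificationError is imported
    # in this module, raise that instead so the failure is reported like
    # the verifier's own errors.
    if not certs:
        raise ValueError(
            'No certificate registered for issuer {!r}: the request '
            'signature cannot be verified.'.format(issuer))
    # NOTE(review): every certificate registered for the issuer must verify
    # (the verifier raises on the first failure). If the verifier also
    # compares the certificate embedded in the request with the metadata
    # one, an SP publishing more than one signing certificate would
    # presumably never pass -- confirm that one certificate per issuer is
    # the intended model.
    for cert in certs:
        HTTPPostSignatureVerifier(cert, request_data).verify()
    return SPIDRequest(request_data, saml_tree)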