def test_no_credentials_with_wrong_destination(self):
    """A freshly signed, successful response addressed to another SP yields no credentials.

    Only ``Destination`` is tampered with before signing, so the signature,
    status and freshness checks all pass; the empty result therefore
    isolates the Destination check. Note the Destination is changed *before*
    ``sign_response`` — the response is otherwise fully valid.
    """
    response = CreateFromDocument(
        get_data('resp_success.xml'), suppress_verification=True)
    # Point the response at a host that is not this SP (sp_url/sp_issuer_id).
    response.Destination = u'https://www.google.com'
    response = self.sign_response(response)
    payload = b64encode(response.toxml())
    request = TestRequest(form={'SAMLResponse': payload})
    extracted = self.plugin.extractCredentials(request)
    self.assertEqual({}, extracted)
def test_credentials_from_successful_response(self):
    """A valid, freshly signed successful response produces subject and attributes.

    This is the positive control for the negative tests in this class: the
    same fixture, re-signed with ``signing.key`` and given a current
    ``IssueInstant``, must be accepted and yield a credential mapping with a
    ``subject`` key and an ``attributes`` mapping containing ``fullname``.
    """
    signed = self.sign_response(
        CreateFromDocument(
            get_data('resp_success.xml'), suppress_verification=True))
    request = TestRequest(
        form={'SAMLResponse': b64encode(signed.toxml())})
    extracted = self.plugin.extractCredentials(request)
    # Subject value is the (redacted) NameID carried by the fixture —
    # presumably taken from the Assertion's Subject; confirm against fixture.
    self.assertIn('subject', extracted)
    self.assertEqual('*****@*****.**', extracted['subject'])
    self.assertIn('attributes', extracted)
    self.assertEqual('Jim Raynor', extracted['attributes']['fullname'])
def sign_response(self, resp, update_issueinstant=True):
    """Sign ``resp`` with the test IdP key and return it.

    The signing key (``signing.key``) is registered under the plugin's
    ``issuer_id`` as its key name, so the verifier can resolve it against the
    configured ``signing_cert``.

    When ``update_issueinstant`` is true the response's ``IssueInstant`` is
    replaced with the current UTC time so the freshness check passes; pass
    ``False`` to keep the fixture's original (old) timestamp and exercise the
    stale-response path.

    Any existing ``Signature`` on the target element is discarded first. The
    first ``Assertion`` is signed when the response carries one; otherwise the
    response root itself is signed. Only one element is ever signed.
    """
    ctx = SignatureContext()
    signing_key = Key.loadMemory(get_data('signing.key'), KeyDataFormatPem)
    ctx.add_key(signing_key, self.plugin.issuer_id)

    if update_issueinstant:
        now_utc = dateTime.utcnow().replace(tzinfo=UTCOffsetTimeZone())
        resp.IssueInstant = now_utc

    # Sign the first assertion when present, else the response element.
    target = resp.Assertion[0] if resp.Assertion else resp
    target.Signature = None
    target.request_signature(keyname=self.plugin.issuer_id, context=ctx)
    return resp
def setUpPloneSite(self, portal):
    """Install and configure the SAML2 Web SSO PAS plugin on ``portal``.

    The plugin is added to ``acl_users`` and activated for extraction,
    authentication, roles and user enumeration. It is then pointed at a
    fictitious ADFS IdP and given ``signing.crt`` as the trusted signing
    certificate — the counterpart of the ``signing.key`` used by
    ``sign_response``.
    """
    user_folder = portal.acl_users
    plugin_id = 'saml2_websso'
    user_folder._setObject(plugin_id, Saml2WebSSOPlugin(plugin_id))
    installed = user_folder[plugin_id]

    activated_interfaces = [
        'IAuthenticationPlugin',
        'IExtractionPlugin',
        'IRolesPlugin',
        'IUserEnumerationPlugin',
    ]
    installed.manage_activateInterfaces(activated_interfaces)

    # NOTE(review): idp_url here carries a trailing slash, whereas the
    # registry value in setUp ('.../adfs/ls') does not — confirm which one the
    # plugin actually reads before relying on an exact Destination/URL match.
    installed.idp_url = 'https://fs.domain.local/adfs/ls/'
    installed.sp_url = 'https://sp.domain.local'
    installed.issuer_id = 'http://fs.domain.local/adfs/services/trust'
    # Trust anchor for signature verification of incoming responses.
    installed.signing_cert = get_data('signing.crt')
def setUp(self):
    """Bind the layer's portal/request and configure SP settings in the registry.

    The request is forced to ``https://sp.domain.local:443`` so that the
    server URL the plugin derives matches ``sp_issuer_id`` (and the
    ``Destination`` carried by the fixtures). The registry settings mirror
    the plugin attributes set in ``setUpPloneSite``: the same ``signing.crt``
    is the trusted IdP certificate, and user auto-provisioning is enabled so
    a successful response can create the user it names.
    """
    self.portal = self.layer['portal']
    self.request = self.layer['request']

    host = 'sp.domain.local'
    port = '443'
    self.request.setServerURL(protocol='https', hostname=host, port=port)
    self.request.environ['HTTP_HOST'] = host
    self.request.environ['SERVER_PORT'] = port

    # SP-side configuration lives in the plone.app.registry record.
    registry = queryUtility(IRegistry)
    sp_settings = registry.forInterface(IServiceProviderSettings)
    sp_settings.idp_cert = get_data('signing.crt').decode('utf8')
    sp_settings.idp_issuer_id = u'http://fs.domain.local/adfs/services/trust'
    sp_settings.idp_url = u'https://fs.domain.local/adfs/ls'
    sp_settings.sp_issuer_id = u'https://sp.domain.local'
    sp_settings.autoprovision_users = True
    sp_settings.enabled = True
    self.settings = sp_settings
def test_no_credentials_with_old_response(self):
    """A correctly signed response with a stale ``IssueInstant`` yields no credentials.

    ``update_issueinstant=False`` keeps the fixture's original timestamp, so
    the signature is valid but the response is not fresh; the plugin must
    reject it. This guards the replay/freshness window on ``IssueInstant``.
    NOTE(review): this does not cover assertion ``Conditions``
    (NotBefore/NotOnOrAfter) or ``InResponseTo`` — whether those are checked
    cannot be determined from this test module.
    """
    stale = self.sign_response(
        CreateFromDocument(
            get_data('resp_success.xml'), suppress_verification=True),
        update_issueinstant=False,
    )
    payload = b64encode(stale.toxml())
    extracted = self.plugin.extractCredentials(
        TestRequest(form={'SAMLResponse': payload}))
    self.assertEqual({}, extracted)
def test_no_credentials_with_unsuccessful_status(self):
    """A freshly signed response with a non-success status yields no credentials.

    Uses the ``resp_invalid.xml`` fixture (presumably carrying a non-Success
    ``StatusCode``; confirm against the fixture). It is re-signed with the
    trusted key and given a current ``IssueInstant``, so signature and
    freshness are fine and the rejection is attributable to the status.
    """
    failed = CreateFromDocument(
        get_data('resp_invalid.xml'), suppress_verification=True)
    failed = self.sign_response(failed)
    request = TestRequest(
        form={'SAMLResponse': b64encode(failed.toxml())})
    self.assertEqual({}, self.plugin.extractCredentials(request))
def test_no_credentials_with_invalid_signature(self):
    """A response that was not signed with the trusted key yields no credentials.

    The raw ``resp_success.xml`` fixture is submitted as-is, bypassing
    ``sign_response``, so whatever signature it carries does not verify
    against ``signing.crt``. NOTE(review): if the fixture has no
    ``Signature`` element at all, this exercises the missing-signature path
    rather than a bad one — confirm against the fixture; a separate test with
    a tampered-after-signing body would pin the invalid-signature case
    explicitly.
    """
    raw_fixture = get_data('resp_success.xml')
    request = TestRequest(form={'SAMLResponse': b64encode(raw_fixture)})
    extracted = self.plugin.extractCredentials(request)
    self.assertEqual({}, extracted)