def test_filter_values_req_opt_4():
r = [
Attribute(
friendly_name="surName",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
Attribute(
friendly_name="givenName",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")]
o = [
Attribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")]
acs = attribute_converter.ac_factory(full_path("attributemaps"))
rava = attribute_converter.list_to_local(acs, r)
oava = attribute_converter.list_to_local(acs, o)
ava = {"sn": ["Hedberg"], "givenName": ["Roland"],
"eduPersonAffiliation": ["staff"], "uid": ["rohe0002"]}
ava = assertion.filter_on_demands(ava, rava, oava)
print ava
assert _eq(ava.keys(), ['givenName', 'sn'])
assert ava == {'givenName': ['Roland'], 'sn': ['Hedberg']}
def test_filter_values_req_opt_4():
r = [
Attribute(
friendly_name="surName",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
Attribute(
friendly_name="givenName",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
o = [
Attribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
acs = attribute_converter.ac_factory(full_path("attributemaps"))
rava = attribute_converter.list_to_local(acs, r)
oava = attribute_converter.list_to_local(acs, o)
ava = {
"sn": ["Hedberg"],
"givenName": ["Roland"],
"eduPersonAffiliation": ["staff"],
"uid": ["rohe0002"]
}
ava = assertion.filter_on_demands(ava, rava, oava)
print(ava)
assert _eq(sorted(list(ava.keys())), ['givenName', 'sn'])
assert ava == {'givenName': ['Roland'], 'sn': ['Hedberg']}
def login(self):
"""
Login endpoint (verify user credentials)
"""
def from_session(key):
return session[key] if key in session else None
key = from_session('request_key')
relay_state = from_session('relay_state')
self.app.logger.debug('Request key: {}'.format(key))
if key and key in self.ticket:
authn_request = self.ticket[key]
message = authn_request.message
sp_id = message.issuer.text
destination = self.get_destination(authn_request, sp_id)
authn_context = message.requested_authn_context
spid_level = authn_context.authn_context_class_ref[0].text
authn_info = self.authn_broker.pick(authn_context)
callback, reference = authn_info[0]
if request.method == 'GET':
# inject extra data in form login based on spid level
extra_challenge = callback(**{'key': key})
rendered_form = render_template(
'login.html', **{
'action': url_for('login'),
'request_key': key,
'relay_state': relay_state,
'extra_challenge': extra_challenge
})
return rendered_form, 200
if 'confirm' in request.form:
# verify optional challenge based on spid level
verified = callback(verify=True,
**{
'key': key,
'data': request.form
})
if verified:
# verify user credentials
user_id, user = self.user_manager.get(
request.form['username'], request.form['password'],
sp_id)
if user_id is not None:
# setup response
identity = user['attrs'].copy()
AUTHN = {
"class_ref": spid_level,
"authn_auth": spid_level
}
self.app.logger.debug(
'Unfiltered data: {}'.format(identity))
atcs_idx = message.attribute_consuming_service_index
self.app.logger.debug(
'attribute_consuming_service_index: {}'.format(
atcs_idx))
if atcs_idx:
attrs = self.server.wants(sp_id, atcs_idx)
required = [
Attribute(name=el.get('name'),
friendly_name=None,
name_format=NAME_FORMAT_BASIC)
for el in attrs.get('required')
]
optional = [
Attribute(name=el.get('name'),
friendly_name=None,
name_format=NAME_FORMAT_BASIC)
for el in attrs.get('optional')
]
acs = ac_factory(
'./testenv/attributemaps',
**{'override_types': self._all_attributes})
rava = list_to_local(acs, required)
oava = list_to_local(acs, optional)
else:
rava = {}
oava = {}
self.app.logger.debug(
'Required attributes: {}'.format(rava))
self.app.logger.debug(
'Optional attributes: {}'.format(oava))
identity = filter_on_demands(identity, rava, oava)
self.app.logger.debug(
'Filtered data: {}'.format(identity))
_data = dict(identity=identity,
userid=user_id,
in_response_to=message.id,
destination=destination,
sp_entity_id=sp_id,
authn=AUTHN,
issuer=self.server.config.entityid,
sign_alg=SIGN_ALG,
digest_alg=DIGEST_ALG,
sign_assertion=True,
release_policy=SpidPolicy(restrictions={
'default': {
'name_form': NAME_FORMAT_BASIC,
}
},
index=atcs_idx))
response = self.server.create_authn_response(**_data)
self.app.logger.debug(
'Response: \n{}'.format(response))
http_args = self.server.apply_binding(
BINDING_HTTP_POST,
response,
destination,
response=True,
sign=True,
relay_state=relay_state)
# Setup confirmation page data
self.responses[key] = http_args['data']
rendered_response = render_template(
'confirm.html', **{
'destination_service':
sp_id,
'lines':
escape(prettify_xml(response)).splitlines(),
'attrs':
identity.keys(),
'action':
'/continue-response',
'request_key':
key
})
return rendered_response, 200
elif 'delete' in request.form:
error_response = self.server.create_error_response(
in_response_to=authn_request.message.id,
destination=destination,
info=get_spid_error(AUTH_NO_CONSENT))
self.app.logger.debug('Error response: \n{}'.format(
prettify_xml(str(error_response))))
http_args = self.server.apply_binding(BINDING_HTTP_POST,
error_response,
destination,
response=True,
sign=True,
relay_state=relay_state)
del self.ticket[key]
return http_args['data'], 200
return render_template('403.html'), 403
