def test_create_auth_request_vo(self):
assert self.client.config.vorg.keys() == [
"urn:mace:example.com:it:tek"
]
ar_str = "%s" % self.client.create_authn_request(
"http://www.example.com/sso",
"urn:mace:example.com:it:tek", # vo
nameid_format=NAMEID_FORMAT_PERSISTENT,
message_id="666")[1]
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.id == "666"
assert ar.assertion_consumer_service_url == "http://lingon.catalogix" \
".se:8087/"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "urn:mace:example.com:saml:roland:sp"
assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "false"
assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT
assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def test_create_auth_request_vo(self):
assert self.client.config.virtual_organization.keys() == ["urn:mace:example.com:it:tek"]
ar_str = "%s" % self.client.authn_request(
"666",
"http://www.example.com/sso",
"http://www.example.org/service",
"urn:mace:example.org:saml:sp",
"My Name",
vorg="urn:mace:example.com:it:tek",
)
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.id == "666"
assert ar.assertion_consumer_service_url == "http://www.example.org/service"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "My Name"
assert ar.issuer.text == "urn:mace:example.org:saml:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "true"
assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT
assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def correctly_signed_authn_request(self,
decoded_xml,
must=False,
origdoc=None):
""" Check if a request is correctly signed, if we have metadata for
the SP that sent the info use that, if not use the key that are in
the message if any.
:param decoded_xml: The SAML message as a XML string
:param must: Whether there must be a signature
:return: None if the signature can not be verified otherwise
request as a samlp.Request instance
"""
request = samlp.authn_request_from_string(decoded_xml)
if not request:
raise TypeError("Not an AuthnRequest")
if not request.signature:
if must:
raise SignatureError("Missing must signature")
else:
return request
return self._check_signature(decoded_xml,
request,
class_name(request),
origdoc=origdoc)
def test_sign_auth_request_0(self):
#print self.client.config
ar_str = "%s" % self.client.authn_request("id1",
"http://www.example.com/sso",
"http://www.example.org/service",
"urn:mace:example.org:saml:sp",
"My Name", sign=True)
ar = samlp.authn_request_from_string(ar_str)
assert ar
assert ar.signature
assert ar.signature.signature_value
signed_info = ar.signature.signed_info
#print signed_info
assert len(signed_info.reference) == 1
assert signed_info.reference[0].uri == "#id1"
assert signed_info.reference[0].digest_value
print "------------------------------------------------"
try:
assert self.client.sec.correctly_signed_authn_request(ar_str,
self.client.config.xmlsec_binary,
self.client.config.metadata)
except Exception: # missing certificate
self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def testUsingTestData(self):
"""Test for authn_request_from_string() using test data"""
new_ar = samlp.authn_request_from_string(samlp_data.TEST_AUTHN_REQUEST)
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
def test_create_auth_request_vo(self):
assert list(self.client.config.vorg.keys()) == [
"urn:mace:example.com:it:tek"]
ar_id, areq = self.client.create_authn_request(
"http://www.example.com/sso",
"urn:mace:example.com:it:tek", # vo
nameid_format=NAMEID_FORMAT_PERSISTENT,
message_id="666")
ar_str = "%s" % areq
ar = samlp.authn_request_from_string(ar_str)
print(ar)
assert ar.id == "666"
assert ar.assertion_consumer_service_url == ("http://lingon.catalogix"
".se:8087/")
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "urn:mace:example.com:saml:roland:sp"
assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "false"
assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT
assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def testUsingTestData(self):
"""Test for authn_request_from_string() using test data"""
new_ar = samlp.authn_request_from_string(samlp_data.TEST_AUTHN_REQUEST)
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
def test_sign_auth_request_0(self):
#print self.client.config
ar_str = "%s" % self.client.authn_request(
"id1",
"http://www.example.com/sso",
"http://www.example.org/service",
"urn:mace:example.org:saml:sp",
"My Name",
sign=True)
ar = samlp.authn_request_from_string(ar_str)
assert ar
assert ar.signature
assert ar.signature.signature_value
signed_info = ar.signature.signed_info
#print signed_info
assert len(signed_info.reference) == 1
assert signed_info.reference[0].uri == "#id1"
assert signed_info.reference[0].digest_value
print "------------------------------------------------"
try:
assert self.client.sec.correctly_signed_authn_request(
ar_str, self.client.config.xmlsec_binary,
self.client.config.metadata)
except Exception: # missing certificate
self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def test_create_auth_request_vo(self):
assert self.client.config.virtual_organization.keys() == [
"urn:mace:example.com:it:tek"
]
ar_str = "%s" % self.client.authn_request(
"666",
"http://www.example.com/sso",
"http://www.example.org/service",
"urn:mace:example.org:saml:sp",
"My Name",
vorg="urn:mace:example.com:it:tek")
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.id == "666"
assert ar.assertion_consumer_service_url == "http://www.example.org/service"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "My Name"
assert ar.issuer.text == "urn:mace:example.org:saml:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "true"
assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT
assert nid_policy.sp_name_qualifier == "urn:mace:example.com:it:tek"
def test_sign_auth_request_0(self):
#print self.client.config
req_id, a_req = self.client.create_authn_request(
"http://www.example.com/sso", sign=True, message_id="id1")
if isinstance(a_req, bytes):
ar_str = a_req
else:
ar_str = a_req.to_string()
ar = samlp.authn_request_from_string(ar_str)
assert ar
assert ar.signature
assert ar.signature.signature_value
signed_info = ar.signature.signed_info
#print signed_info
assert len(signed_info.reference) == 1
assert signed_info.reference[0].uri == "#id1"
assert signed_info.reference[0].digest_value
print("------------------------------------------------")
try:
assert self.client.sec.correctly_signed_authn_request(
ar_str, self.client.config.xmlsec_binary,
self.client.config.metadata)
except Exception: # missing certificate
self.client.sec.verify_signature(ar_str, node_name=class_name(ar))
def test_Saml_authenticate(self):
# modifying config in this test, make copy so as not to effect
# following tests.
tmp_sp_config = copy.deepcopy(sp_config)
# test signed authentication request
with self.app.test_request_context('/',
method='GET'):
sp = auth.Saml(tmp_sp_config)
resp = sp.authenticate(next_url='/next')
self.assertEqual(resp.status_code, 302)
self.assert_('SAMLRequest' in resp.headers['Location'])
url = urlparse.urlparse(resp.headers['Location'])
self.assertEqual(url.hostname, 'sso.example.com')
self.assertEqual(url.path, '/idp/sso')
params = urlparse.parse_qs(url.query)
self.assert_('SAMLRequest' in params)
self.assertEqual(params['RelayState'], ['/next'])
authn = samlp.authn_request_from_string(
decode_base64_and_inflate(params['SAMLRequest'][0]))
self.assertEqual(authn.destination,
'https://sso.example.com/idp/sso')
self.assertEqual(authn.assertion_consumer_service_url,
'https://foo.example.com/sp/acs')
self.assertEqual(authn.protocol_binding, BINDING_HTTP_POST)
self.assertIsNotNone(authn.signature)
self.assertEqual(session['_saml_outstanding_queries'],
{authn.id: '/next'})
# test un-signed authentication request
with self.app.test_request_context('/',
method='GET'):
tmp_sp_config['key_file'] = None
tmp_sp_config['service']['sp']['authn_requests_signed'] = None
sp = auth.Saml(tmp_sp_config)
resp = sp.authenticate(next_url='/next')
self.assertEqual(resp.status_code, 302)
self.assert_('SAMLRequest' in resp.headers['Location'])
url = urlparse.urlparse(resp.headers['Location'])
params = urlparse.parse_qs(url.query)
authn = samlp.authn_request_from_string(
decode_base64_and_inflate(params['SAMLRequest'][0]))
self.assertIsNone(authn.signature)
def test_authenticate(self):
print self.client.config.idps()
id, response = self.client.do_authenticate(
"urn:mace:example.com:saml:roland:idp",
"http://www.example.com/relay_state")
assert response[0] == "Location"
o = urlparse(response[1])
qdict = parse_qs(o.query)
assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState'])
saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0])
print saml_request
authnreq = samlp.authn_request_from_string(saml_request)
def test_Saml_authenticate(self):
# modifying config in this test, make copy so as not to effect
# following tests.
tmp_sp_config = copy.deepcopy(sp_config)
# test signed authentication request
with self.app.test_request_context('/', method='GET'):
sp = auth.Saml(tmp_sp_config)
resp = sp.authenticate(next_url='/next')
self.assertEqual(resp.status_code, 302)
self.assert_('SAMLRequest' in resp.headers['Location'])
url = urlparse.urlparse(resp.headers['Location'])
self.assertEqual(url.hostname, 'sso.example.com')
self.assertEqual(url.path, '/idp/sso')
params = urlparse.parse_qs(url.query)
self.assert_('SAMLRequest' in params)
self.assertEqual(params['RelayState'], ['/next'])
authn = samlp.authn_request_from_string(
decode_base64_and_inflate(params['SAMLRequest'][0]))
self.assertEqual(authn.destination,
'https://sso.example.com/idp/sso')
self.assertEqual(authn.assertion_consumer_service_url,
'https://foo.example.com/sp/acs')
self.assertEqual(authn.protocol_binding, BINDING_HTTP_POST)
self.assertIsNotNone(authn.signature)
self.assertEqual(session['_saml_outstanding_queries'],
{authn.id: '/next'})
# test un-signed authentication request
with self.app.test_request_context('/', method='GET'):
tmp_sp_config['key_file'] = None
tmp_sp_config['service']['sp']['authn_requests_signed'] = None
sp = auth.Saml(tmp_sp_config)
resp = sp.authenticate(next_url='/next')
self.assertEqual(resp.status_code, 302)
self.assert_('SAMLRequest' in resp.headers['Location'])
url = urlparse.urlparse(resp.headers['Location'])
params = urlparse.parse_qs(url.query)
authn = samlp.authn_request_from_string(
decode_base64_and_inflate(params['SAMLRequest'][0]))
self.assertIsNone(authn.signature)
def test_create_auth_request_0(self):
ar_str = "%s" % self.client.create_authn_request(
"http://www.example.com/sso", message_id="id1")
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "urn:mace:example.com:saml:roland:sp"
assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "false"
assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_authenticate(self):
print self.client.config.idps()
(sid, response) = self.client.authenticate(
"urn:mace:example.com:saml:roland:idp",
"http://www.example.com/relay_state")
assert sid is not None
assert response[0] == "Location"
o = urlparse(response[1])
qdict = parse_qs(o.query)
assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState'])
saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0])
print saml_request
authnreq = samlp.authn_request_from_string(saml_request)
assert authnreq.id == sid
def test_create_auth_request_0(self):
ar_str = "%s" % self.client.create_authn_request(
"http://www.example.com/sso", message_id="id1")
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "urn:mace:example.com:saml:roland:sp"
assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "false"
assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def testAccessors(self):
"""Test for AuthnRequest accessors"""
self.ar.id = "request id"
self.ar.version = saml2.VERSION
self.ar.issue_instant = "2007-09-14T01:05:02Z"
self.ar.destination = "http://www.example.com/Destination"
self.ar.consent = saml.CONSENT_UNSPECIFIED
self.ar.issuer = saml.Issuer()
self.ar.signature = ds.Signature()
self.ar.extensions = samlp.Extensions()
self.ar.subject = saml.Subject()
self.ar.name_id_policy = samlp.NameIDPolicy()
self.ar.conditions = saml.Conditions()
self.ar.requested_authn_context = samlp.RequestedAuthnContext()
self.ar.scoping = samlp.Scoping()
self.ar.force_authn = 'true'
self.ar.is_passive = 'true'
self.ar.assertion_consumer_service_index = "1"
self.ar.assertion_consumer_service_url = "http://www.example.com/acs"
self.ar.protocol_binding = saml2.BINDING_HTTP_POST
self.ar.attribute_consuming_service_index = "2"
self.ar.provider_name = "provider name"
new_ar = samlp.authn_request_from_string(self.ar.to_string())
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
def testAccessors(self):
"""Test for AuthnRequest accessors"""
self.ar.id = "request id"
self.ar.version = saml2.VERSION
self.ar.issue_instant = "2007-09-14T01:05:02Z"
self.ar.destination = "http://www.example.com/Destination"
self.ar.consent = saml.CONSENT_UNSPECIFIED
self.ar.issuer = saml.Issuer()
self.ar.signature = ds.Signature()
self.ar.extensions = samlp.Extensions()
self.ar.subject = saml.Subject()
self.ar.name_id_policy = samlp.NameIDPolicy()
self.ar.conditions = saml.Conditions()
self.ar.requested_authn_context = samlp.RequestedAuthnContext()
self.ar.scoping = samlp.Scoping()
self.ar.force_authn = 'true'
self.ar.is_passive = 'true'
self.ar.assertion_consumer_service_index = "1"
self.ar.assertion_consumer_service_url = "http://www.example.com/acs"
self.ar.protocol_binding = saml2.BINDING_HTTP_POST
self.ar.attribute_consuming_service_index = "2"
self.ar.provider_name = "provider name"
new_ar = samlp.authn_request_from_string(self.ar.to_string())
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
def test_create_auth_request_0(self):
ar_str = "%s" % self.client.authn_request(
"id1", "http://www.example.com/sso",
"http://www.example.org/service", "urn:mace:example.org:saml:sp",
"My Name")
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.assertion_consumer_service_url == "http://www.example.org/service"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "My Name"
assert ar.issuer.text == "urn:mace:example.org:saml:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "true"
assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_create_auth_request_0(self):
ar_str = "%s" % self.client.authn_request("id1",
"http://www.example.com/sso",
"http://www.example.org/service",
"urn:mace:example.org:saml:sp",
"My Name")
ar = samlp.authn_request_from_string(ar_str)
print ar
assert ar.assertion_consumer_service_url == "http://www.example.org/service"
assert ar.destination == "http://www.example.com/sso"
assert ar.protocol_binding == BINDING_HTTP_POST
assert ar.version == "2.0"
assert ar.provider_name == "My Name"
assert ar.issuer.text == "urn:mace:example.org:saml:sp"
nid_policy = ar.name_id_policy
assert nid_policy.allow_create == "true"
assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
def test_authenticate_no_args(self):
id, response = self.client.do_authenticate(relay_state="http://www.example.com/relay_state")
assert response[0] == "Location"
o = urlparse(response[1])
qdict = parse_qs(o.query)
assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState'])
saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0])
assert qdict["RelayState"][0] == "http://www.example.com/relay_state"
print saml_request
authnreq = samlp.authn_request_from_string(saml_request)
print authnreq.keyswv()
assert authnreq.destination == "http://localhost:8088/sso"
assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/"
assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp"
assert authnreq.protocol_binding == BINDING_HTTP_REDIRECT
name_id_policy = authnreq.name_id_policy
assert name_id_policy.allow_create == "false"
assert name_id_policy.format == NAMEID_FORMAT_PERSISTENT
issuer = authnreq.issuer
assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def testAuthnRequestExtraction(self):
from pas.plugins.suisseid.tests.utils import MockRequest, FormParser
from saml2.samlp import authn_request_from_string
plugin = self.createPlugin()
plugin.changeConfiguration('', 'http://nohost/', '', '', '', '', '', xmlsec_binary,
os.path.join(path, 'data', 'metadata.xml'))
request = MockRequest()
request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/'
result = plugin.extractCredentials(request)
# No credentials since that's only the first step
self.assertEquals(result, None)
response = request.response
self.assertEquals(response.status, 200)
self.assertEquals(response.headers['Content-type'], 'text/html')
parser = FormParser()
parser.parse(response.body)
saml_request = parser.inputs['SAMLRequest']
decoded_xml = base64.b64decode(saml_request)
request = authn_request_from_string(decoded_xml)
self.assertEquals(request.destination, 'https://idp.swisssign.net/suisseid/eidp/')
self.assertEquals(request.assertion_consumer_service_url, plugin.getConfiguration()['portal_url'])
def test_authenticate_no_args(self):
(sid, request) = self.client.authenticate(relay_state="http://www.example.com/relay_state")
assert sid is not None
assert request[0] == "Location"
o = urlparse(request[1])
qdict = parse_qs(o.query)
assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState'])
saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0])
assert qdict["RelayState"][0] == "http://www.example.com/relay_state"
print saml_request
authnreq = samlp.authn_request_from_string(saml_request)
print authnreq.keyswv()
assert authnreq.id == sid
assert authnreq.destination == "http://localhost:8088/sso"
assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/"
assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp"
assert authnreq.protocol_binding == BINDING_HTTP_POST
name_id_policy = authnreq.name_id_policy
assert name_id_policy.allow_create == "true"
assert name_id_policy.format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
issuer = authnreq.issuer
assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def test_authenticate_no_args(self):
(sid, request) = self.client.authenticate(
relay_state="http://www.example.com/relay_state")
assert sid is not None
assert request[0] == "Location"
o = urlparse(request[1])
qdict = parse_qs(o.query)
assert _leq(qdict.keys(), ['SAMLRequest', 'RelayState'])
saml_request = decode_base64_and_inflate(qdict["SAMLRequest"][0])
assert qdict["RelayState"][0] == "http://www.example.com/relay_state"
print saml_request
authnreq = samlp.authn_request_from_string(saml_request)
print authnreq.keyswv()
assert authnreq.id == sid
assert authnreq.destination == "http://localhost:8088/sso"
assert authnreq.assertion_consumer_service_url == "http://lingon.catalogix.se:8087/"
assert authnreq.provider_name == "urn:mace:example.com:saml:roland:sp"
assert authnreq.protocol_binding == BINDING_HTTP_POST
name_id_policy = authnreq.name_id_policy
assert name_id_policy.allow_create == "true"
assert name_id_policy.format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
issuer = authnreq.issuer
assert issuer.text == "urn:mace:example.com:saml:roland:sp"
def correctly_signed_authn_request(self, decoded_xml, must=False,
origdoc=None):
""" Check if a request is correctly signed, if we have metadata for
the SP that sent the info use that, if not use the key that are in
the message if any.
:param decoded_xml: The SAML message as a XML string
:param must: Whether there must be a signature
:return: None if the signature can not be verified otherwise
request as a samlp.Request instance
"""
request = samlp.authn_request_from_string(decoded_xml)
if not request:
raise TypeError("Not an AuthnRequest")
if not request.signature:
if must:
raise SignatureError("Missing must signature")
else:
return request
return self._check_signature(decoded_xml, request,
class_name(request), origdoc=origdoc )
def testAuthnRequestSignedExtraction(self):
from pas.plugins.suisseid.tests.utils import MockRequest, FormParser
from saml2.samlp import authn_request_from_string
plugin = self.createPlugin()
sp_pem = os.path.join(path, 'data', 'sp.pem')
sp_key = os.path.join(path, 'data', 'sp.key')
plugin.changeConfiguration('suisseID Test Portal', 'http://nohost/', '',
'', '', sp_key, sp_pem, xmlsec_binary, '')
request = MockRequest()
request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/'
plugin.extractCredentials(request)
parser = FormParser()
parser.parse(request.response.body)
saml_request = parser.inputs['SAMLRequest']
decoded_xml = base64.b64decode(saml_request)
request = authn_request_from_string(decoded_xml)
self.assertEquals(request.destination, 'https://idp.swisssign.net/suisseid/eidp/')
# Verify signature
from saml2.sigver import verify_signature
verified = verify_signature(xmlsec_binary, decoded_xml, sp_pem,
node_name='urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest',
cert_type='pem')
self.assertEquals(verified, True)
def testExtendedAuthnRequestExtraction(self):
from pas.plugins.suisseid.tests.utils import MockRequest, FormParser
from saml2.samlp import authn_request_from_string
plugin = self.createPlugin()
request = MockRequest()
request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/'
# Request three attributes: First Name (required), Last Name (required) and isOver18 (optional)
plugin.changeConfiguration('suisseID Test Portal', 'http://nohost/', 'First Name\r\nLast Name',
'isOver18', '', '', '', xmlsec_binary, '')
request = MockRequest()
request.form['__ac_suisseid_provider_url'] = 'https://idp.swisssign.net/suisseid/eidp/'
plugin.extractCredentials(request)
parser = FormParser()
parser.parse(request.response.body)
saml_request = parser.inputs['SAMLRequest']
decoded_xml = base64.b64decode(saml_request)
request = authn_request_from_string(decoded_xml)
self.assertEquals(request.force_authn, 'true')
extenions = request.extensions.extension_elements
self.assertEquals(len(extenions), 3)
self.assertEquals(extenions[0].attributes['Name'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname')
self.assertEquals(extenions[0].attributes['{http://www.ech.ch/xmlns/eCH-0113/1}required'], 'true')
cert = read_cert_from_file(full_path("test.pem"), "pem")
spcertenc = SPCertEnc(x509_data=ds.X509Data(
x509_certificate=ds.X509Certificate(text=cert)))
extensions = Extensions(
extension_elements=[element_to_extension_element(spcertenc)])
req_id, req = client.create_authn_request(
"http://www.example.com/sso",
"urn:mace:example.com:it:tek",
nameid_format=saml.NAMEID_FORMAT_PERSISTENT,
message_id="666",
extensions=extensions)
print req
# Get a certificate from an authn request
xml = "%s" % req
parsed = authn_request_from_string(xml)
_elem = extension_elements_to_elements(parsed.extensions.extension_elements,
[pefim, ds])
assert len(_elem) == 1
_spcertenc = _elem[0]
_cert = _spcertenc.x509_data[0].x509_certificate.text
assert cert == _cert
def _parse_authn_request(self, enc_request):
"""
enc_request is an encrypted and base64 encoded request
"""
xmlstr = decode_base64_and_inflate(urllib.unquote(enc_request))
return authn_request_from_string(xmlstr)
spcertenc = SPCertEnc(
x509_data=ds.X509Data(
x509_certificate=ds.X509Certificate(text=cert)))
extensions = Extensions(
extension_elements=[element_to_extension_element(spcertenc)])
req_id, req = client.create_authn_request(
"http://www.example.com/sso",
"urn:mace:example.com:it:tek",
nameid_format=saml.NAMEID_FORMAT_PERSISTENT,
message_id="666",
extensions=extensions)
print req
# Get a certificate from an authn request
xml = "%s" % req
parsed = authn_request_from_string(xml)
_elem = extension_elements_to_elements(parsed.extensions.extension_elements,
[pefim, ds])
assert len(_elem) == 1
_spcertenc = _elem[0]
_cert = _spcertenc.x509_data[0].x509_certificate.text
assert cert == _cert
