def test_str_to_time():
t = calendar.timegm(str_to_time("2000-01-12T00:00:00Z"))
#TODO: Find all instances of time.mktime(.....)
#t = time.mktime(str_to_time("2000-01-12T00:00:00Z"))
#assert t == 947631600.0
#TODO: add something to show how this time was arrived at
# do this as an external method in the
assert t == 947635200
# some IdPs omit the trailing Z, and SAML spec is unclear if it is actually required
t = calendar.timegm(str_to_time("2000-01-12T00:00:00"))
assert t == 947635200
def test_str_to_time():
t = calendar.timegm(str_to_time("2000-01-12T00:00:00Z"))
#TODO: Find all instances of time.mktime(.....)
#t = time.mktime(str_to_time("2000-01-12T00:00:00Z"))
#assert t == 947631600.0
#TODO: add something to show how this time was arrived at
# do this as an external method in the
assert t == 947635200
# some IdPs omit the trailing Z, and SAML spec is unclear if it is actually required
t = calendar.timegm(str_to_time("2000-01-12T00:00:00"))
assert t == 947635200
def test_SAML_sign_with_pkcs11(self):
"""
Test signing a SAML assertion using PKCS#11 and then verifying it.
"""
os.environ['SOFTHSM_CONF'] = self.softhsm_conf
ass = self._assertion
print(ass)
sign_ass = self.sec.sign_assertion("%s" % ass, node_id=ass.id)
#print(sign_ass)
sass = saml.assertion_from_string(sign_ass)
#print(sass)
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11111"
assert time_util.str_to_time(sass.issue_instant)
print("Crypto version : %s" % (self.sec.crypto.version()))
item = self.sec.check_signature(sass, class_name(sass), sign_ass)
assert isinstance(item, saml.Assertion)
print("Test PASSED")
def test_SAML_sign_with_pkcs11(self):
"""
Test signing a SAML assertion using PKCS#11 and then verifying it.
"""
os.environ['SOFTHSM_CONF'] = self.softhsm_conf
ass = self._assertion
print(ass)
sign_ass = self.sec.sign_assertion("%s" % ass, node_id=ass.id)
#print(sign_ass)
sass = saml.assertion_from_string(sign_ass)
#print(sass)
assert _eq(sass.keyswv(), [
'attribute_statement', 'issue_instant', 'version', 'signature',
'id'
])
assert sass.version == "2.0"
assert sass.id == "11111"
assert time_util.str_to_time(sass.issue_instant)
print("Crypto version : %s" % (self.sec.crypto.version()))
item = self.sec.check_signature(sass, class_name(sass), sign_ass)
assert isinstance(item, saml.Assertion)
print("Test PASSED")
def test_add_duration_2():
#2000-01-12 PT33H 2000-01-13
t = add_duration(str_to_time("2000-01-12T00:00:00Z"), "PT33H")
assert t.tm_year == 2000
assert t.tm_mon == 1
assert t.tm_mday == 14
assert t.tm_hour == 9
assert t.tm_min == 0
assert t.tm_sec == 0
def test_add_duration_1():
#2000-01-12T12:13:14Z P1Y3M5DT7H10M3S 2001-04-17T19:23:17Z
t = add_duration(str_to_time("2000-01-12T12:13:14Z"), "P1Y3M5DT7H10M3S")
assert t.tm_year == 2001
assert t.tm_mon == 4
assert t.tm_mday == 17
assert t.tm_hour == 19
assert t.tm_min == 23
assert t.tm_sec == 17
def validate_before(not_before, slack):
if not_before:
now = time_util.utc_now()
nbefore = calendar.timegm(time_util.str_to_time(not_before))
if nbefore > now + slack:
now_str = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(now))
raise ToEarly("Can't use response yet: (now=%s + slack=%d) "
"<= notbefore=%s" % (now_str, slack, not_before))
return True
def test_add_duration_1():
#2000-01-12T12:13:14Z P1Y3M5DT7H10M3S 2001-04-17T19:23:17Z
t = add_duration(str_to_time("2000-01-12T12:13:14Z"), "P1Y3M5DT7H10M3S")
assert t.tm_year == 2001
assert t.tm_mon == 4
assert t.tm_mday == 17
assert t.tm_hour == 19
assert t.tm_min == 23
assert t.tm_sec == 17
def test_add_duration_2():
#2000-01-12 PT33H 2000-01-13
t = add_duration(str_to_time("2000-01-12T00:00:00Z"), "PT33H")
assert t.tm_year == 2000
assert t.tm_mon == 1
assert t.tm_mday == 14
assert t.tm_hour == 9
assert t.tm_min == 0
assert t.tm_sec == 0
def add_derek_info(sp):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"], "umuselin": ["deje0001"]}
session_info["issuer"] = "urn:mace:example.com:saml:idp"
session_info["name_id"] = nid
session_info["not_on_or_after"] = not_on_or_after
# subject_id, entity_id, info, timestamp
sp.users.add_information_about_person(session_info)
def validate_before(not_before, slack):
if not_before:
now = time_util.utc_now()
nbefore = calendar.timegm(time_util.str_to_time(not_before))
if nbefore > now + slack:
now_str = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(now))
raise ToEarly("Can't use response yet: (now=%s + slack=%d) "
"<= notbefore=%s" % (now_str, slack, not_before))
return True
def add_derek_info(sp):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"], "umuselin": ["deje0001"]}
session_info["issuer"] = "urn:mace:example.com:saml:idp"
session_info["name_id"] = nid
session_info["not_on_or_after"] = not_on_or_after
# subject_id, entity_id, info, timestamp
sp.users.add_information_about_person(session_info)
def test_set(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"]}
self.cache.set(nid[0], "abcd", session_info, not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[0])
assert inactive == []
assert list(ava.keys()) == ["givenName"]
assert ava["givenName"] == ["Derek"]
def test_identity(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName":["Derek"]}
self.cache.set("1234", "abcd", session_info, not_on_or_after)
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"mail":["*****@*****.**"]}
self.cache.set("1234", "xyzv", session_info, not_on_or_after)
(ident, _) = self.cache.get_identity("1234")
print(ident)
assert len(ident.keys()) == 2
assert "givenName" in ident.keys()
assert "mail" in ident.keys()
assert ident["mail"] == ["*****@*****.**"]
assert ident["givenName"] == ["Derek"]
def test_identity(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"]}
self.cache.set("1234", "abcd", session_info, not_on_or_after)
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"mail": ["*****@*****.**"]}
self.cache.set("1234", "xyzv", session_info, not_on_or_after)
(ident, _) = self.cache.get_identity("1234")
print(ident)
assert len(ident.keys()) == 2
assert "givenName" in ident.keys()
assert "mail" in ident.keys()
assert ident["mail"] == ["*****@*****.**"]
assert ident["givenName"] == ["Derek"]
def issue_instant_ok(self):
""" Check that the request was issued at a reasonable time """
upper = time_util.shift_time(time_util.time_in_a_while(days=1),
self.timeslack).timetuple()
lower = time_util.shift_time(time_util.time_a_while_ago(days=1),
-self.timeslack).timetuple()
# print("issue_instant: %s" % self.message.issue_instant)
# print("%s < x < %s" % (lower, upper))
issued_at = time_util.str_to_time(self.message.issue_instant)
return issued_at > lower and issued_at < upper
def test_receivers(self):
assert _eq(self.cache.receivers(nid[1]), ["abcd"])
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Ichiro"], "surName": ["Suzuki"]}
self.cache.set(nid[1], "bcde", session_info, not_on_or_after)
assert _eq(self.cache.receivers(nid[1]), ["abcd", "bcde"])
assert nid_eq(self.cache.subjects(), nid[0:2])
def issue_instant_ok(self):
""" Check that the response was issued at a reasonable time """
upper = time_util.shift_time(time_util.time_in_a_while(days=1),
self.timeslack).timetuple()
lower = time_util.shift_time(time_util.time_a_while_ago(days=1),
-self.timeslack).timetuple()
# print("issue_instant: %s" % self.response.issue_instant)
# print("%s < x < %s" % (lower, upper))
issued_at = str_to_time(self.response.issue_instant)
return lower < issued_at < upper
def test_set(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"]}
self.cache.set(nid[0], "abcd", session_info, not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[0])
assert inactive == []
assert list(ava.keys()) == ["givenName"]
assert ava["givenName"] == ["Derek"]
def test_timeout(self):
not_on_or_after = str_to_time(in_a_while(seconds=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Alex"], "surName": ["Rodriguez"]}
self.cache.set(nid[2], "bcde", session_info, not_on_or_after)
time.sleep(2)
(ava, inactive) = self.cache.get_identity(nid[2])
assert inactive == ["bcde"]
assert ava == {}
def test_add_ava_info(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"surName": ["Jeter"]}
self.cache.set(nid[0], "bcde", session_info, not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[0])
assert inactive == []
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
def test_add_ava_info(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"surName": ["Jeter"]}
self.cache.set(nid[0], "bcde", session_info, not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[0])
assert inactive == []
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
def test_timeout(self):
not_on_or_after = str_to_time(in_a_while(seconds=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Alex"],
"surName": ["Rodriguez"]}
self.cache.set(nid[2], "bcde", session_info,
not_on_or_after)
time.sleep(2)
(ava, inactive) = self.cache.get_identity(nid[2])
assert inactive == ["bcde"]
assert ava == {}
def test_second_subject(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Ichiro"], "surName": ["Suzuki"]}
self.cache.set(nid[1], "abcd", session_info, not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[1])
assert inactive == []
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Ichiro"]
assert ava["surName"] == ["Suzuki"]
assert nid_eq(self.cache.subjects(), [nid[0], nid[1]])
def validate_on_or_after(not_on_or_after, slack):
if not_on_or_after:
now = time_util.utc_now()
nooa = calendar.timegm(time_util.str_to_time(not_on_or_after))
if now > nooa + slack:
now_str=time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(now))
raise ResponseLifetimeExceed(
"Can't use response, too old (now=%s + slack=%d > " \
"not_on_or_after=%s" % (now_str, slack, not_on_or_after))
return nooa
else:
return False
def test_set_get_2(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(seconds=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Mariano"]}
# subject_id, entity_id, info, timestamp
self.cache.set("1235", "abcd", session_info, not_on_or_after)
time.sleep(2)
raises(ToOld, 'self.cache.get("1235", "abcd")')
info = self.cache.get("1235", "abcd", False)
assert info != {}
def validate_on_or_after(not_on_or_after, slack):
if not_on_or_after:
now = time_util.utc_now()
nooa = calendar.timegm(time_util.str_to_time(not_on_or_after))
if now > nooa + slack:
now_str = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(now))
raise ResponseLifetimeExceed(
"Can't use response, too old (now=%s + slack=%d > " \
"not_on_or_after=%s" % (now_str, slack, not_on_or_after))
return nooa
else:
return False
def test_receivers(self):
assert _eq(self.cache.receivers(nid[1]), ["abcd"])
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Ichiro"],
"surName": ["Suzuki"]}
self.cache.set(nid[1], "bcde", session_info,
not_on_or_after)
assert _eq(self.cache.receivers(nid[1]), ["abcd", "bcde"])
assert nid_eq(self.cache.subjects(), nid[0:2])
def test_set_get_2(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(seconds=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName":["Mariano"]}
# subject_id, entity_id, info, timestamp
self.cache.set("1235", "abcd", session_info,
not_on_or_after)
time.sleep(2)
raises(ToOld, 'self.cache.get("1235", "abcd")')
info = self.cache.get("1235", "abcd", False)
assert info != {}
def test_second_subject(self):
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Ichiro"],
"surName": ["Suzuki"]}
self.cache.set(nid[1], "abcd", session_info,
not_on_or_after)
(ava, inactive) = self.cache.get_identity(nid[1])
assert inactive == []
assert _eq(ava.keys(), ["givenName", "surName"])
assert ava["givenName"] == ["Ichiro"]
assert ava["surName"] == ["Suzuki"]
assert nid_eq(self.cache.subjects(), [nid[0], nid[1]])
def test_set_get_1(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName": ["Derek"]}
# subject_id, entity_id, info, timestamp
self.cache.set("1234", "abcd", session_info, not_on_or_after)
info = self.cache.get("1234", "abcd")
#{u'issuer': u'', u'came from': u'', u'ava': {u'givenName': [u'Derek']}, u'session_id': -1, u'not_on_or_after': 0}
ava = info["ava"]
print(ava)
assert list(ava.keys()) == ["givenName"]
assert ava["givenName"] == ["Derek"]
def test_set_get_1(self):
if self.cache is not None:
not_on_or_after = str_to_time(in_a_while(days=1))
session_info = SESSION_INFO_PATTERN.copy()
session_info["ava"] = {"givenName":["Derek"]}
# subject_id, entity_id, info, timestamp
self.cache.set("1234", "abcd", session_info, not_on_or_after)
info = self.cache.get("1234", "abcd")
#{u'issuer': u'', u'came from': u'', u'ava': {u'givenName': [u'Derek']}, u'session_id': -1, u'not_on_or_after': 0}
ava = info["ava"]
print(ava)
assert list(ava.keys()) == ["givenName"]
assert ava["givenName"] == ["Derek"]
def test_sign_assertion(self):
ass = self._assertion
print(ass)
sign_ass = self.sec.sign_assertion("%s" % ass, node_id=ass.id)
#print(sign_ass)
sass = saml.assertion_from_string(sign_ass)
#print(sass)
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11111"
assert time_util.str_to_time(sass.issue_instant)
print("Crypto version : %s" % (self.sec.crypto.version()))
item = self.sec.check_signature(sass, class_name(sass), sign_ass)
assert isinstance(item, saml.Assertion)
def test_multiple_signatures_assertion(self):
ass = self._assertion
# basic test with two of the same
to_sign = [(ass, ass.id, ''),
(ass, ass.id, '')
]
sign_ass = self.sec.multiple_signatures("%s" % ass, to_sign)
sass = saml.assertion_from_string(sign_ass)
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "11111"
assert time_util.str_to_time(sass.issue_instant)
print("Crypto version : %s" % (self.sec.crypto.version()))
item = self.sec.check_signature(sass, class_name(sass),
sign_ass, must=True)
assert isinstance(item, saml.Assertion)
def authn_statement_ok(self, optional=False):
try:
# the assertion MUST contain one AuthNStatement
assert len(self.assertion.authn_statement) == 1
except AssertionError:
if optional:
return True
else:
logger.error("No AuthnStatement")
raise
authn_statement = self.assertion.authn_statement[0]
if authn_statement.session_not_on_or_after:
if validate_on_or_after(authn_statement.session_not_on_or_after,
self.timeslack):
self.session_not_on_or_after = calendar.timegm(
time_util.str_to_time(
authn_statement.session_not_on_or_after))
else:
return False
return True
def test_instant():
inst = str_to_time(instant())
now = time.gmtime()
assert now >= inst
def valid_date_time(item):
try:
time_util.str_to_time(item)
except Exception:
raise NotValid("dateTime")
return True
def valid_date_time(item):
try:
time_util.str_to_time(item)
except Exception:
raise NotValid("dateTime")
return True
def test_instant():
inst = str_to_time(instant())
now = time.gmtime()
assert now >= inst