def test_start_auth_name_id_policy(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"})
test_state_key = "sauyghj34589fdh"
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
sp_disco_resp = \
sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \
"Not a valid return url in the call to the discovery server"
assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \
"Not a valid entity id in the call to the discovery server"
request_info_tmp = context.state
assert request_info_tmp.get(test_state_key) == "my_state", "Wrong state!"
def test_start_auth_name_id_policy(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(
None, INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"
})
test_state_key = "sauyghj34589fdh"
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
sp_disco_resp = \
sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \
"Not a valid return url in the call to the discovery server"
assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \
"Not a valid entity id in the call to the discovery server"
request_info_tmp = context.state
assert request_info_tmp.get(
test_state_key) == "my_state", "Wrong state!"
def test_start_auth_disco(self, sp_conf, idp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(lambda context, internal_resp: (context, internal_resp),
INTERNAL_ATTRIBUTES, {"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"})
test_state_key = "test_state_key_456afgrh"
response_binding = BINDING_HTTP_REDIRECT
fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml")
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
info = parse_qs(urlparse(disco_resp["return"][0]).query)
info[samlbackend.idp_disco_query_param] = idp_conf["entityid"]
context = Context()
context.request = info
context.state = state
resp = samlbackend.disco_response(context)
assert resp.status == "303 See Other"
req_params = dict(parse_qsl(urlparse(resp.message).query))
url, fake_idp_resp = fakeidp.handle_auth_req(
req_params["SAMLRequest"],
req_params["RelayState"],
BINDING_HTTP_REDIRECT,
"testuser1",
response_binding=response_binding)
context = Context()
context.request = fake_idp_resp
context.state = state
context, internal_resp = samlbackend.authn_response(context, response_binding)
assert isinstance(context, Context), "Not correct instance!"
assert context.state.get(test_state_key) == "my_state", "Not correct state!"
assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!"
_dict = internal_resp.get_attributes()
expected_data = {'surname': ['Testsson 1'], 'mail': ['*****@*****.**'],
'displayname': ['Test Testsson'], 'givenname': ['Test 1'],
'edupersontargetedid': ['one!for!all']}
for key in _dict:
assert expected_data[key] == _dict[key]
def generate_state(self, op_base):
state = State()
state_id = TestConfiguration.get_instance().rp_config.STATE_ID
state_data = {
StateKeys.OP: PROVIDER,
StateKeys.NONCE: "9YraWpJAmVp4L3NJ",
StateKeys.TOKEN_ENDPOINT: TestConfiguration.get_instance().rp_config.OP_URL + "token",
StateKeys.CLIENT_ID: "client_1",
StateKeys.CLIENT_SECRET: "2222222222",
StateKeys.JWKS_URI:
TestConfiguration.get_instance().rp_config.OP_URL + "static/jwks.json",
StateKeys.USERINFO_ENDPOINT:
TestConfiguration.get_instance().rp_config.OP_URL + "userinfo",
StateKeys.STATE: FakeOP.STATE
}
state.add(state_id, state_data)
return state
def test_state_cookie():
"""
Test that the state can be converted between cookie and state
"""
state_key = "27614gjkrn"
saved_data = "data"
state = State()
state.add(state_key, saved_data)
cookie_name = "state_cookie"
path = "/"
encrypt_key = "2781y4hef90"
cookie = state_to_cookie(state, cookie_name, path, encrypt_key)
cookie_str = cookie.output()
loaded_state = cookie_to_state(cookie_str, cookie_name, encrypt_key)
assert loaded_state.get(state_key) == saved_data
def test_state_cookie():
"""
Test that the state can be converted between cookie and state
"""
state_key = "27614gjkrn"
saved_data = "data"
state = State()
state.add(state_key, saved_data)
cookie_name = "state_cookie"
path = "/"
encrypt_key = "2781y4hef90"
cookie = state_to_cookie(state, cookie_name, path, encrypt_key)
cookie_str = cookie.output()
loaded_state = cookie_to_state(cookie_str, cookie_name, encrypt_key)
assert loaded_state.get(state_key) == saved_data
def test_redirect_to_idp_if_only_one_idp_in_metadata(self, sp_conf, idp_conf):
sp_conf["metadata"]["inline"] = [create_metadata_from_config_dict(idp_conf)]
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES,
{"config": sp_conf, "state_id": "saml_backend_test_id"})
state = State()
state.add("test", "state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other"
parsed = urlparse(resp.message)
assert "{parsed.scheme}://{parsed.netloc}{parsed.path}".format(
parsed=parsed) == \
idp_conf["service"]["idp"]["endpoints"]["single_sign_on_service"][0][0]
assert "SAMLRequest" in parse_qs(parsed.query)
def test_simple_test():
"""
Performs a test that the state class works as intended.
:return:
"""
enc_key = "Ireallyliketoencryptthisdictionary!"
state = State()
my_dict_frontend = get_dict(10, get_str(10), get_str(10))
my_dict_frontend["resp_attr"] = get_str(100)
assert len(my_dict_frontend) == 11, "The dictionary is not correct!"
my_dict_consent = get_dict(1, get_str(10), get_str(100))
assert len(my_dict_consent) == 1, "The dictionary is not correct!"
my_dict_hash = get_dict(1, get_str(10), get_str(15))
assert len(my_dict_hash) == 1, "The dictionary is not correct!"
my_dict_router = get_dict(1, get_str(10), get_str(10))
assert len(my_dict_router) == 1, "The dictionary is not correct!"
my_dict_backend = get_dict(10, get_str(10), get_str(10))
assert len(my_dict_backend) == 10, "The dictionary is not correct!"
state.add("my_dict_frontend", my_dict_frontend)
state.add("my_dict_consent", my_dict_consent)
state.add("my_dict_hash", my_dict_hash)
state.add("my_dict_router", my_dict_router)
state.add("my_dict_backend", my_dict_backend)
urlstate = state.urlstate(enc_key)
# Some browsers only support 2000bytes, and since state is not the only parameter it should
# not be greater then half that size.
urlstate_len = len(quote_plus(urlstate))
print("Size of state on the url is:%s" % urlstate_len)
assert urlstate_len < 1000, "Urlstate is way to long!"
state = State(urlstate, enc_key)
tmp_dict_frontend = state.get("my_dict_frontend")
tmp_dict_consent = state.get("my_dict_consent")
tmp_dict_hash = state.get("my_dict_hash")
tmp_dict_router = state.get("my_dict_router")
tmp_dict_backend = state.get("my_dict_backend")
compare_dict(tmp_dict_frontend, my_dict_frontend)
compare_dict(tmp_dict_consent, my_dict_consent)
compare_dict(tmp_dict_hash, my_dict_hash)
compare_dict(tmp_dict_router, my_dict_router)
compare_dict(tmp_dict_backend, my_dict_backend)
def test_simple_test():
"""
Performs a test that the state class works as intended.
:return:
"""
enc_key = "Ireallyliketoencryptthisdictionary!"
state = State()
my_dict_frontend = get_dict(10, get_str(10), get_str(10))
my_dict_frontend["resp_attr"] = get_str(100)
assert len(my_dict_frontend) == 11, "The dictionary is not correct!"
my_dict_consent = get_dict(1, get_str(10), get_str(100))
assert len(my_dict_consent) == 1, "The dictionary is not correct!"
my_dict_hash = get_dict(1, get_str(10), get_str(15))
assert len(my_dict_hash) == 1, "The dictionary is not correct!"
my_dict_router = get_dict(1, get_str(10), get_str(10))
assert len(my_dict_router) == 1, "The dictionary is not correct!"
my_dict_backend = get_dict(10, get_str(10), get_str(10))
assert len(my_dict_backend) == 10, "The dictionary is not correct!"
state.add("my_dict_frontend", my_dict_frontend)
state.add("my_dict_consent", my_dict_consent)
state.add("my_dict_hash", my_dict_hash)
state.add("my_dict_router", my_dict_router)
state.add("my_dict_backend", my_dict_backend)
urlstate = state.urlstate(enc_key)
# Some browsers only support 2000bytes, and since state is not the only parameter it should
# not be greater then half that size.
urlstate_len = len(quote_plus(urlstate))
print("Size of state on the url is:%s" % urlstate_len)
assert urlstate_len < 1000, "Urlstate is way to long!"
state = State(urlstate, enc_key)
tmp_dict_frontend = state.get("my_dict_frontend")
tmp_dict_consent = state.get("my_dict_consent")
tmp_dict_hash = state.get("my_dict_hash")
tmp_dict_router = state.get("my_dict_router")
tmp_dict_backend = state.get("my_dict_backend")
compare_dict(tmp_dict_frontend, my_dict_frontend)
compare_dict(tmp_dict_consent, my_dict_consent)
compare_dict(tmp_dict_hash, my_dict_hash)
compare_dict(tmp_dict_router, my_dict_router)
compare_dict(tmp_dict_backend, my_dict_backend)
def test_redirect_to_idp_if_only_one_idp_in_metadata(
self, sp_conf, idp_conf):
sp_conf["metadata"]["inline"] = [
create_metadata_from_config_dict(idp_conf)
]
samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"state_id": "saml_backend_test_id"
})
state = State()
state.add("test", "state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other"
parsed = urlparse(resp.message)
assert "{parsed.scheme}://{parsed.netloc}{parsed.path}".format(
parsed=parsed) == \
idp_conf["service"]["idp"]["endpoints"]["single_sign_on_service"][0][0]
assert "SAMLRequest" in parse_qs(parsed.query)
def generate_state(self, op_base):
state = State()
state_id = TestConfiguration.get_instance().rp_config.STATE_ID
state_data = {
StateKeys.OP:
PROVIDER,
StateKeys.NONCE:
"9YraWpJAmVp4L3NJ",
StateKeys.TOKEN_ENDPOINT:
TestConfiguration.get_instance().rp_config.OP_URL + "token",
StateKeys.CLIENT_ID:
"client_1",
StateKeys.CLIENT_SECRET:
"2222222222",
StateKeys.JWKS_URI:
TestConfiguration.get_instance().rp_config.OP_URL +
"static/jwks.json",
StateKeys.USERINFO_ENDPOINT:
TestConfiguration.get_instance().rp_config.OP_URL + "userinfo",
StateKeys.STATE:
FakeOP.STATE
}
state.add(state_id, state_data)
return state
def create_state(self, auth_req):
state = State()
state.add(type(self.instance).__name__, {"oidc_request": auth_req.to_urlencoded()})
return state
def test_start_auth_disco(self, sp_conf, idp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(
lambda context, internal_resp: (context, internal_resp),
INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"
})
test_state_key = "test_state_key_456afgrh"
response_binding = BINDING_HTTP_REDIRECT
fakeidp = FakeIdP(USERS,
config=IdPConfig().load(idp_conf,
metadata_construction=False))
internal_req = InternalRequest(UserIdHashType.persistent,
"example.se/sp.xml")
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
info = parse_qs(urlparse(disco_resp["return"][0]).query)
info[samlbackend.idp_disco_query_param] = idp_conf["entityid"]
context = Context()
context.request = info
context.state = state
resp = samlbackend.disco_response(context)
assert resp.status == "303 See Other"
req_params = dict(parse_qsl(urlparse(resp.message).query))
url, fake_idp_resp = fakeidp.handle_auth_req(
req_params["SAMLRequest"],
req_params["RelayState"],
BINDING_HTTP_REDIRECT,
"testuser1",
response_binding=response_binding)
context = Context()
context.request = fake_idp_resp
context.state = state
context, internal_resp = samlbackend.authn_response(
context, response_binding)
assert isinstance(context, Context), "Not correct instance!"
assert context.state.get(
test_state_key) == "my_state", "Not correct state!"
assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!"
_dict = internal_resp.get_attributes()
expected_data = {
'surname': ['Testsson 1'],
'mail': ['*****@*****.**'],
'displayname': ['Test Testsson'],
'givenname': ['Test 1'],
'edupersontargetedid': ['one!for!all']
}
for key in _dict:
assert expected_data[key] == _dict[key]
