def test_logout_service_startingIDP(self):
self.config.testing_securitypolicy(userid='*****@*****.**',
permissive=True)
self.set_user_cookie('*****@*****.**')
came_from = '/afterlogin/'
session_id = self.add_outstanding_query(came_from)
saml_response = auth_response(session_id, "hubba-bubba@test")
# Log in through IDP SAMLResponse
res = self.testapp.post('/saml2/acs/', params={
'SAMLResponse': base64.b64encode(saml_response),
'RelayState': came_from,
})
res = self.testapp.get('/saml2/ls/', params={
'SAMLRequest': deflate_and_base64_encode(
logout_request(session_id)
),
'RelayState': 'testing-relay-state',
})
self.assertEqual(res.status, '302 Found')
self.assertIn('https://idp.example.com/simplesaml/saml2/idp/'
'SingleLogoutService.php?SAMLResponse=', res.location)
# Set a expired cookie (just the logout header)
self.assertIn('auth_tkt=""; Path=/; Domain=localhost; Max-Age=0; '
'Expires=Wed, 31-Dec-97 23:59:59 GMT',
res.headers.getall('Set-Cookie'))
def test_assertion_consumer_service(self):
came_from = '/afterlogin/'
session_id = self.add_outstanding_query(came_from)
saml_response = auth_response(session_id, "hubba-bubba@test")
res = self.testapp.post('/saml2/acs/', params={
'SAMLResponse': base64.b64encode(saml_response),
'RelayState': came_from,
})
self.assertEquals(res.status_code, 302)
self.assertEquals(res.location, 'http://localhost' + came_from)
def test_logout_loggedin(self):
came_from = '/afterlogin/'
session_id = self.add_outstanding_query(came_from)
saml_response = auth_response(session_id, "hubba-bubba@test")
res = self.testapp.post('/saml2/acs/', params={
'SAMLResponse': base64.b64encode(saml_response),
'RelayState': came_from,
})
cookies = self.testapp.cookies
res = self.testapp.get('/saml2/logout/',
headers={'cookies': cookies['auth_tkt']})
self.assertEqual(res.status, '302 Found')
self.assertIn('https://idp.example.com/simplesaml/saml2/idp/'
'SingleLogoutService.php', res.location)
def test_logout_service_startingIDP(self):
eppn = 'hubba-bubba'
came_from = '/afterlogin/'
session_id = self.add_outstanding_query(came_from)
cookie = self.dump_session_cookie(session_id)
saml_response = auth_response(session_id, eppn).encode('utf-8')
# Log in through IDP SAMLResponse
with self.app.test_request_context(
'/saml2-acs',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLResponse': base64.b64encode(saml_response),
'RelayState': '/testing-relay-state',
},
):
self.app.dispatch_request()
session.persist(
) # Explicit session.persist is needed when working within a test_request_context
with self.app.test_request_context(
'/saml2-ls',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLRequest':
deflate_and_base64_encode(logout_request(session_id)),
'RelayState':
'/testing-relay-state',
},
):
response = self.app.dispatch_request()
self.assertEqual(response.status, '302 FOUND')
self.assertIn(
'https://idp.example.com/simplesaml/saml2/idp/'
'SingleLogoutService.php?SAMLResponse=',
response.location,
)
def test_assertion_consumer_service(self):
came_from = '/afterlogin/'
eppn = 'hubba-bubba'
with self.app.test_client() as c:
resp = c.get('/login')
token = session._session.token
authr = auth_response(token, eppn)
with self.app.test_request_context('/saml2-acs', method='POST',
data={'SAMLResponse': base64.b64encode(authr),
'RelayState': came_from}):
oq_cache = OutstandingQueriesCache(session)
oq_cache.set(token, came_from)
resp = self.app.dispatch_request()
self.assertEquals(resp.status_code, 302)
self.assertEquals(resp.location, came_from)
self.assertEquals(session['eduPersonPrincipalName'], eppn)
def acs(self, url, eppn, check_fn, came_from='/camefrom/'):
"""
common code for the tests that need to access the assertion consumer service
and then check the side effects of this access.
:param url: the url of the desired authentication mode.
:type url: str
:param eppn: the eppn of the user to access the service
:type eppn: str
:param check_fn: the function that checks the side effects after accessing the acs
:type check_fn: callable
:param came_from: Relay state
:type came_from: six.string_types
"""
with self.app.test_client() as c:
resp = c.get(url)
cookie = resp.headers['Set-Cookie']
token = session._session.token
if isinstance(token, six.binary_type):
token = token.decode('ascii')
authr = auth_response(token, eppn).encode('utf-8')
with self.app.test_request_context(
'/saml2-acs',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLResponse': base64.b64encode(authr),
'RelayState': came_from
},
):
oq_cache = OutstandingQueriesCache(session)
oq_cache.set(token, came_from)
resp = self.app.dispatch_request()
self.assertEqual(resp.status_code, 302)
self.assertEqual(resp.location, came_from)
check_fn()
def login(self, eppn, came_from):
"""
Add a SAML2 authentication query to the queries cache,
build a cookie with a session id corresponding to the added query,
build a SAML2 authn response for the added query,
and send both to the assertion consumer service,
so that the user is logged in (the session corresponding to the cookie
has her eppn).
This method returns the cookie that has to be sent with any
subsequent request that needs to be authenticated.
:param eppn: the eppn of the user to be logged in
:type eppn: str
:param came_from: url to redirect back the client
after finishing with the authn service.
:type came_from: str
:return: the cookie corresponding to the authn session
:rtype: str
"""
session_id = self.add_outstanding_query(came_from)
cookie = self.dump_session_cookie(session_id)
saml_response = auth_response(session_id, eppn).encode('utf-8')
with self.app.test_request_context(
'/saml2-acs',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLResponse': base64.b64encode(saml_response),
'RelayState': came_from
},
):
self.app.dispatch_request()
session.persist(
) # Explicit session.persist is needed when working within a test_request_context
return cookie
def test_logout_service_startingIDP_no_subject_id(self):
eppn = 'hubba-bubba'
came_from = '/afterlogin/'
session_id = self.add_outstanding_query(came_from)
cookie = self.dump_session_cookie(session_id)
saml_response = auth_response(session_id, eppn)
# Log in through IDP SAMLResponse
with self.app.test_request_context('/saml2-acs',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLResponse':
base64.b64encode(saml_response),
'RelayState':
'testing-relay-state',
}):
response = self.app.dispatch_request()
with self.app.test_request_context('/saml2-ls',
method='POST',
headers={'Cookie': cookie},
data={
'SAMLRequest':
deflate_and_base64_encode(
logout_request(session_id)),
'RelayState':
'testing-relay-state',
}):
del session['_saml2_session_name_id']
session.persist()
response = self.app.dispatch_request()
self.assertEqual(response.status, '302 FOUND')
self.assertIn('testing-relay-state', response.location)