def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
request = OneLogin_Saml2_Utils.deflate_and_base64_encode(
'<xml>invalid</xml>')
request_data = {
'http_host': 'example.com',
'script_name': 'index.html'
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
settings.set_strict(True)
logout_request = OneLogin_Saml2_Logout_Request(settings, request)
self.assertFalse(logout_request.is_valid(request_data))
with self.assertRaisesRegexp(
OneLogin_Saml2_ValidationError,
"Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd"
):
logout_request.is_valid(request_data, raise_exceptions=True)
def testIsValidSignUsingX509certMulti(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {
'SAMLRequest': 'fZJNa+MwEIb/itHdiTz6sC0SQyEsBPoB27KHXoIsj7cGW3IlGfLzV7G7kN1DL2KYmeedmRcdgp7GWT26326JP/FzwRCz6zTaoNbKkSzeKqfDEJTVEwYVjXp9eHpUsKNq9i4640Zyh3xP6BDQx8FZkp1PR3KpqexAl72QmpUCS8SW01IiZz2TVVGD4X1VQYlAsl/oQyKPJAklPIQFzzZEbWNK0YLnlOVA3wqpQCoB7yQ7pWsGq+NKfcQ4q/0+xKXvd8ZNe7Td7AYbw10UxrCbP2aSPbv4Yl/8Qx/R3+SB5bTOoXiDQvFNvjnc7lXrIr75kh+6eYdXPc0jrkMO+/umjXhOtpxP2Q/nJx2/9+uWGbq8X1tV9NqGAW0kzaVvoe1AAJeCSWqYaUVRM2SilKKuqDTpFSlszdcK29RthVm9YriZebYdXpsLdhVAB7VJzif3haYMqqTVcl0JMBR4y+s2zak3sf/4v8l/vlHzBw==',
'RelayState': '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'Signature': 'Ouxo9BV6zmq4yrgamT9EbSKy/UmvSxGS8z26lIMgKOEP4LFR/N23RftdANmo4HafrzSfA0YTXwhKDqbOByS0j+Ql8OdQOes7vGioSjo5qq/Bi+5i6jXwQfphnfcHAQiJL4gYVIifkhhHRWpvYeiysF1Y9J02me0izwazFmoRXr4='
}
}
settings_info = self.loadSettingsJSON('settings8.json')
settings_info['strict'] = False
settings = OneLogin_Saml2_Settings(settings_info)
logout_request = OneLogin_Saml2_Logout_Request(settings, request_data['get_data']['SAMLRequest'])
self.assertTrue(logout_request.is_valid(request_data))
def generateAndCheckMetadata(self, settings):
"""
Helper method: Given some settings, generate metadata and validate it
"""
if not isinstance(settings, OneLogin_Saml2_Settings):
settings = OneLogin_Saml2_Settings(settings)
metadata = compat.to_string(settings.get_sp_metadata())
self.assertIn('<md:SPSSODescriptor', metadata)
self.assertIn('entityID="http://stuff.com/endpoints/metadata.php"', metadata)
self.assertIn('AuthnRequestsSigned="false"', metadata)
self.assertIn('WantAssertionsSigned="false"', metadata)
self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>', metadata)
self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>', metadata)
self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', metadata)
self.assertIn('<ds:SignedInfo>\n<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>', metadata)
self.assertIn('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', metadata)
self.assertIn('<ds:Reference', metadata)
self.assertIn('<ds:KeyInfo>\n<ds:X509Data>\n<ds:X509Certificate>', metadata)
def metadata(self, **kw):
""" returns metadata """
custom_path = request.env['ir.config_parameter'].sudo().sudo(
).get_param("auth_saml.path")
saml_settings = OneLogin_Saml2_Settings(settings=None,
custom_base_path=custom_path,
sp_validation_only=False)
metadata = saml_settings.get_sp_metadata()
errors = saml_settings.validate_metadata(metadata)
if len(errors) == 0:
resp = request.make_response(metadata,
headers=[('Content-Type', 'text/xml')
])
else:
resp = request.make_response(errors,
headers=[('Content-Type', 'text/xml')
])
return resp
def testGetXML(self):
"""
Tests that we can get the logout request XML directly without
going through intermediate steps
"""
request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request_generated = OneLogin_Saml2_Logout_Request(settings)
expectedFragment = (
'Destination="http://idp.example.com/SingleLogoutService.php">\n'
' <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
' <saml:NameID SPNameQualifier="http://stuff.com/endpoints/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp.example.com/</saml:NameID>\n'
' \n</samlp:LogoutRequest>'
)
self.assertIn(expectedFragment, logout_request_generated.get_xml())
logout_request_processed = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
self.assertEqual(request, logout_request_processed.get_xml())
def testGetIssuer(self):
"""
Tests the get_issuer of the OneLogin_Saml2_LogoutResponse
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
issuer = response.get_issuer()
self.assertEquals('http://idp.example.com/', issuer)
dom = parseString(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
issuer_node = dom.getElementsByTagName('saml:Issuer')[0]
issuer_node.parentNode.removeChild(issuer_node)
xml = dom.toxml()
message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_2 = OneLogin_Saml2_Logout_Response(settings, message_2)
issuer_2 = response_2.get_issuer()
self.assertIsNone(issuer_2)
def testCalculateX509Fingerprint(self):
"""
Tests the calculateX509Fingerprint method of the OneLogin_Saml2_Utils
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
cert_path = settings.get_cert_path()
key = self.file_contents(cert_path + 'sp.key')
cert = self.file_contents(cert_path + 'sp.crt')
self.assertEqual(None, OneLogin_Saml2_Utils.calculate_x509_fingerprint(key))
self.assertEqual('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert))
self.assertEqual('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha1'))
self.assertEqual('c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha256'))
self.assertEqual('bc5826e6f9429247254bae5e3c650e6968a36a62d23075eb168134978d88600559c10830c28711b2c29c7947c0c2eb1d', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha384'))
self.assertEqual('3db29251b97559c67988ea0754cb0573fc409b6f75d89282d57cfb75089539b0bbdb2dcd9ec6e032549ecbc466439d5992e18db2cf5494ca2fe1b2e16f348dff', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha512'))
def testSetStrict(self):
"""
Tests the setStrict method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
self.assertFalse(settings.is_strict())
settings.set_strict(True)
self.assertTrue(settings.is_strict())
settings.set_strict(False)
self.assertFalse(settings.is_strict())
try:
settings.set_strict('a')
1 / 0
except Exception as e:
self.assertIsInstance(e, AssertionError)
def testIsValidSignUsingX509certMulti(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {
'SAMLResponse': 'fZHbasJAEIZfJey9ZrNZc1gSodRSBKtQxYveyGQz1kCyu2Q24OM3jS21UHo3p++f4Z+CoGud2th3O/hXJGcNYXDtWkNqapVs6I2yQA0pAx2S8lrtH142Ssy5cr31VtuW3SH/E0CEvW+sYcF6VbLTIktFLMWZgxQR8DSP85wDB4GJGMOqShYVaoBUsOCIPY1kyUahEScacG3Ig/FjiUdyxuOZ4IcoUVGq4vSNBSsk3xjwE3Xx3qkwJD+cz3NtuxBN7WxjPN1F1NLcXdwob77tONiS7bZPm93zenvCqopxgVJmuU50jREsZF4noKWAOuNZJbNznnBky+LTDDVd2S+/dje1m+MVOtfidEER3g8Vt2fsPfiBfmePtsbgCO2A/9tL07TaD1ojEQuXtw0/ouFfD19+AA==',
'RelayState': 'http://stuff.com/endpoints/endpoints/index.php',
'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'Signature': 'OV9c4R0COSjN69fAKCpV7Uj/yx6/KFxvbluVCzdK3UuortpNMpgHFF2wYNlMSG9GcYGk6p3I8nB7Z+1TQchMWZOlO/StjAqgtZhtpiwPcWryNuq8vm/6hnJ3zMDhHTS7F8KG4qkCXmJ9sQD3Y31UNcuygBwIbNakvhDT5Qo9Nsw='
}
}
settings_info = self.loadSettingsJSON('settings8.json')
settings_info['strict'] = False
settings = OneLogin_Saml2_Settings(settings_info)
logout_response = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertTrue(logout_response.is_valid(request_data))
def testSignMetadata(self):
"""
Tests the signMetadata method of the OneLogin_Saml2_Metadata
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
sp_data = settings.get_sp_data()
security = settings.get_security_data()
metadata = OneLogin_Saml2_Metadata.builder(
sp_data, security['authnRequestsSigned'],
security['wantAssertionsSigned']
)
self.assertIsNotNone(metadata)
cert_path = settings.get_cert_path()
key = self.file_contents(join(cert_path, 'sp.key'))
cert = self.file_contents(join(cert_path, 'sp.crt'))
signed_metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key, cert)
self.assertIn('<md:SPSSODescriptor', signed_metadata)
self.assertIn('entityID="http://stuff.com/endpoints/metadata.php"', signed_metadata)
self.assertIn('AuthnRequestsSigned="false"', signed_metadata)
self.assertIn('WantAssertionsSigned="false"', signed_metadata)
self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"', signed_metadata)
self.assertIn('Location="http://stuff.com/endpoints/endpoints/acs.php"', signed_metadata)
self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"', signed_metadata)
self.assertIn(' Location="http://stuff.com/endpoints/endpoints/sls.php"/>', signed_metadata)
self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', signed_metadata)
self.assertIn('<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>', signed_metadata)
self.assertIn('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', signed_metadata)
self.assertIn('<ds:Reference', signed_metadata)
self.assertIn('<ds:KeyInfo><ds:X509Data>\n<ds:X509Certificate>', signed_metadata)
try:
OneLogin_Saml2_Metadata.sign_metadata('', key, cert)
self.assertTrue(False)
except Exception as e:
self.assertIn('Empty string supplied as input', e.message)
def testIsInvalidXML(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
Case Invalid XML
"""
request = b64encode('<xml>invalid</xml>')
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request = OneLogin_Saml2_Logout_Request(settings, request)
self.assertTrue(logout_request.is_valid(request_data))
settings.set_strict(True)
logout_request2 = OneLogin_Saml2_Logout_Request(settings, request)
self.assertFalse(logout_request2.is_valid(request_data))
def testGetNameId(self):
"""
Tests the get_nameid of the OneLogin_Saml2_LogoutRequest
"""
request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
name_id = OneLogin_Saml2_Logout_Request.get_nameid(request)
self.assertEqual(name_id, 'ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c')
request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml'))
try:
OneLogin_Saml2_Logout_Request.get_nameid(request_2)
self.assertTrue(False)
except Exception as e:
self.assertIn('Key is required in order to decrypt the NameID', e.message)
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
key = settings.get_sp_key()
name_id_3 = OneLogin_Saml2_Logout_Request.get_nameid(request_2, key)
self.assertEqual('ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69', name_id_3)
def _get_settings(self):
settings = OneLogin_Saml2_Settings(
custom_base_path=current_app.config["SAML_PATH"],
sp_validation_only=True
)
idp = self._get_idp()
if idp:
idp_settings = self._parse(idp.dom)
common_settings = {
'sp': settings.get_sp_data(),
'idp': idp_settings['idp']
}
return common_settings
else:
return {
'sp': settings.get_sp_data()
}
def testIsInvalidXML(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
Case Invalid XML
"""
message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertTrue(response.is_valid(request_data))
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, message)
self.assertFalse(response_2.is_valid(request_data))
def testGetNameIdData(self):
"""
Tests the get_nameid_data method of the OneLogin_Saml2_LogoutRequest
"""
expected_name_id_data = {
'Value': 'ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c',
'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'SPNameQualifier': 'http://idp.example.com/'
}
request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
name_id_data = OneLogin_Saml2_Logout_Request.get_nameid_data(request)
self.assertEqual(expected_name_id_data, name_id_data)
dom = parseString(request)
name_id_data_2 = OneLogin_Saml2_Logout_Request.get_nameid_data(dom)
self.assertEqual(expected_name_id_data, name_id_data_2)
request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml'))
with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'Key is required in order to decrypt the NameID'):
OneLogin_Saml2_Logout_Request.get_nameid_data(request_2)
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
key = settings.get_sp_key()
name_id_data_4 = OneLogin_Saml2_Logout_Request.get_nameid_data(request_2, key)
expected_name_id_data = {
'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69',
'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
'SPNameQualifier': 'https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php'
}
self.assertEqual(expected_name_id_data, name_id_data_4)
dom_2 = parseString(request_2)
encrypted_id_nodes = dom_2.getElementsByTagName('saml:EncryptedID')
encrypted_data = encrypted_id_nodes[0].firstChild.nextSibling
encrypted_id_nodes[0].removeChild(encrypted_data)
with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'NameID not found in the Logout Request'):
OneLogin_Saml2_Logout_Request.get_nameid_data(dom_2.toxml(), key)
inv_request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'no_nameId.xml'))
with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'NameID not found in the Logout Request'):
OneLogin_Saml2_Logout_Request.get_nameid_data(inv_request)
def testIsInValidDestination(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
Case invalid Destination
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
settings.set_strict(False)
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertTrue(response.is_valid(request_data))
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, message)
try:
valid = response_2.is_valid(request_data)
self.assertFalse(valid)
except Exception as e:
self.assertIn('The LogoutRequest was received at', str(e))
# Empty destination
dom = parseString(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
dom.firstChild.setAttribute('Destination', '')
xml = dom.toxml()
message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
self.assertTrue(response_3.is_valid(request_data))
# No destination
dom.firstChild.removeAttribute('Destination')
xml = dom.toxml()
message_4 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_4 = OneLogin_Saml2_Logout_Response(settings, message_4)
self.assertTrue(response_4.is_valid(request_data))
def testCreateEncSAMLRequest(self):
"""
Tests the OneLogin_Saml2_Authn_Request Constructor.
The creation of a deflated SAML Request
"""
settings = self.loadSettingsJSON()
settings['organization'] = {
'es': {
'name': 'sp_prueba',
'displayname': 'SP prueba',
'url': 'http://sp.example.com'
}
}
settings['security']['wantNameIdEncrypted'] = True
settings = OneLogin_Saml2_Settings(settings)
authn_request = OneLogin_Saml2_Authn_Request(settings)
parameters = {'SAMLRequest': authn_request.get_request()}
auth_url = OneLogin_Saml2_Utils.redirect(
'http://idp.example.com/SSOService.php', parameters, True)
self.assertRegexpMatches(
auth_url,
r'^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=')
exploded = urlparse(auth_url)
exploded = parse_qs(exploded[4])
payload = exploded['SAMLRequest'][0]
decoded = b64decode(payload)
inflated = decompress(decoded, -15)
self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
self.assertRegexpMatches(
inflated,
'AssertionConsumerServiceURL="http://stuff.com/endpoints/endpoints/acs.php"'
)
self.assertRegexpMatches(
inflated,
'<saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>'
)
self.assertRegexpMatches(
inflated,
'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"')
self.assertRegexpMatches(inflated, 'ProviderName="SP prueba"')
def testConstructorEncryptIdUsingX509certMulti(self):
"""
Tests the OneLogin_Saml2_LogoutRequest Constructor.
Case: Able to generate encryptedID with MultiCert
"""
settings_info = self.loadSettingsJSON('settings8.json')
settings_info['security']['nameIdEncrypted'] = True
settings = OneLogin_Saml2_Settings(settings_info)
logout_request = OneLogin_Saml2_Logout_Request(settings)
parameters = {'SAMLRequest': logout_request.get_request()}
logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
url_parts = urlparse(logout_url)
exploded = parse_qs(url_parts.query)
payload = exploded['SAMLRequest'][0]
inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(payload))
self.assertRegex(inflated, '^<samlp:LogoutRequest')
self.assertRegex(inflated, '<saml:EncryptedID>')
def testIsInvalidIssuer(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
Case Invalid Issuer
"""
request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'invalid_issuer.xml'))
request_data = {
'http_host': 'example.com',
'script_name': 'index.html'
}
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
self.assertTrue(logout_request.is_valid(request_data))
settings.set_strict(True)
logout_request2 = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
self.assertFalse(logout_request2.is_valid(request_data))
self.assertIn('Invalid issuer in the Logout Request', logout_request2.get_error())
def testGetIdPData(self):
"""
Tests the getIdPData method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
idp_data = settings.get_idp_data()
self.assertNotEqual(len(idp_data), 0)
self.assertIn('entityId', idp_data)
self.assertIn('singleSignOnService', idp_data)
self.assertIn('singleLogoutService', idp_data)
self.assertIn('x509cert', idp_data)
self.assertEqual('http://idp.example.com/', idp_data['entityId'])
self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url'])
self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url'])
x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert)
self.assertEqual(formated_x509_cert, idp_data['x509cert'])
def testGetStatus(self):
"""
Tests the get_status method of the OneLogin_Saml2_LogoutResponse
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
status = response.get_status()
self.assertEquals(status, OneLogin_Saml2_Constants.STATUS_SUCCESS)
dom = parseString(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
status_code_node = dom.getElementsByTagName('samlp:StatusCode')[0]
status_code_node.parentNode.removeChild(status_code_node)
xml = dom.toxml()
message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_2 = OneLogin_Saml2_Logout_Response(settings, message_2)
self.assertIsNone(response_2.get_status())
def testCreateDeflatedSAMLLogoutRequestURLParameter(self):
"""
Tests the OneLogin_Saml2_LogoutRequest Constructor.
The creation of a deflated SAML Logout Request
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request = OneLogin_Saml2_Logout_Request(settings)
parameters = {'SAMLRequest': logout_request.get_request()}
logout_url = OneLogin_Saml2_Utils.redirect(
'http://idp.example.com/SingleLogoutService.php', parameters, True)
self.assertRegexpMatches(
logout_url,
'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest='
)
url_parts = urlparse(logout_url)
exploded = parse_qs(url_parts.query)
payload = exploded['SAMLRequest'][0]
inflated = OneLogin_Saml2_Utils.decode_base64_and_inflate(payload)
self.assertRegexpMatches(inflated, '^<samlp:LogoutRequest')
def testBuilderAttributeConsumingServiceWithMultipleAttributeValue(self):
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings5.json'))
sp_data = settings.get_sp_data()
security = settings.get_security_data()
organization = settings.get_organization()
contacts = settings.get_contacts()
metadata = OneLogin_Saml2_Metadata.builder(
sp_data, security['authnRequestsSigned'],
security['wantAssertionsSigned'], None, None, contacts,
organization
)
self.assertIn(""" <md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en">Test Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">Test Service</md:ServiceDescription>
<md:RequestedAttribute Name="userType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">userType</saml:AttributeValue>
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">admin</saml:AttributeValue>
</md:RequestedAttribute>
<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" />
</md:AttributeConsumingService>""", metadata)
def testBuilderAttributeConsumingService(self):
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings4.json'))
sp_data = settings.get_sp_data()
security = settings.get_security_data()
organization = settings.get_organization()
contacts = settings.get_contacts()
metadata = OneLogin_Saml2_Metadata.builder(
sp_data, security['authnRequestsSigned'],
security['wantAssertionsSigned'], None, None, contacts,
organization
)
self.assertIn(""" <md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en">Test Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">Test Service</md:ServiceDescription>
<md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" />
<md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" />
<md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" />
<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" />
<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" />
</md:AttributeConsumingService>""", metadata)
def testIsInvalidNotOnOrAfter(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
Case Invalid NotOnOrAfter
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html'
}
request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'not_after_failed.xml'))
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
self.assertTrue(logout_request.is_valid(request_data))
settings.set_strict(True)
logout_request2 = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
self.assertFalse(logout_request2.is_valid(request_data))
self.assertIn('Could not validate timestamp: expired. Check system clock.', logout_request2.get_error())
def testIsInvalidNotOnOrAfter(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
Case Invalid NotOnOrAfter
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html'
}
request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'not_after_failed.xml'))
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
self.assertTrue(OneLogin_Saml2_Logout_Request.is_valid(settings, request, request_data))
settings.set_strict(True)
try:
valid = OneLogin_Saml2_Logout_Request.is_valid(settings, request, request_data)
self.assertFalse(valid)
except Exception as e:
self.assertIn('Timing issues (please check your clock settings)', e.message)
def testIsInValidWithCapitalization(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
"""
request_data = {
'http_host': 'example.com',
'script_name': 'INdex.html'
}
request = self.file_contents(
join(self.data_path, 'logout_requests', 'logout_request.xml'))
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_request = OneLogin_Saml2_Logout_Request(settings,
b64encode(request))
self.assertTrue(logout_request.is_valid(request_data))
settings.set_strict(True)
logout_request2 = OneLogin_Saml2_Logout_Request(
settings, b64encode(request))
self.assertFalse(logout_request2.is_valid(request_data))
settings.set_strict(False)
dom = parseString(request)
logout_request3 = OneLogin_Saml2_Logout_Request(
settings, b64encode(dom.toxml()))
self.assertTrue(logout_request3.is_valid(request_data))
settings.set_strict(True)
logout_request4 = OneLogin_Saml2_Logout_Request(
settings, b64encode(dom.toxml()))
self.assertFalse(logout_request4.is_valid(request_data))
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
request = request.replace(
'http://stuff.com/endpoints/endpoints/sls.php',
current_url.lower())
logout_request5 = OneLogin_Saml2_Logout_Request(
settings, b64encode(request))
self.assertFalse(logout_request5.is_valid(request_data))
def testGetSPData(self):
"""
Tests the getSPData method of the OneLogin_Saml2_Settings
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
sp_data = settings.get_sp_data()
self.assertNotEqual(len(sp_data), 0)
self.assertIn('entityId', sp_data)
self.assertIn('assertionConsumerService', sp_data)
self.assertIn('singleLogoutService', sp_data)
self.assertIn('NameIDFormat', sp_data)
self.assertEqual('http://stuff.com/endpoints/metadata.php',
sp_data['entityId'])
self.assertEqual('http://stuff.com/endpoints/endpoints/acs.php',
sp_data['assertionConsumerService']['url'])
self.assertEqual('http://stuff.com/endpoints/endpoints/sls.php',
sp_data['singleLogoutService']['url'])
self.assertEqual(
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
sp_data['NameIDFormat'])
def __init__(self, request_data, old_settings=None, custom_base_path=None):
"""
Initializes the SP SAML instance.
:param request_data: Request Data
:type request_data: dict
:param old_settings: Optional. SAML Toolkit Settings
:type old_settings: dict
:param custom_base_path: Optional. Path where are stored the settings file and the cert folder
:type custom_base_path: string
"""
self._request_data = request_data
if isinstance(old_settings, OneLogin_Saml2_Settings):
self._settings = old_settings
else:
self._settings = OneLogin_Saml2_Settings(old_settings,
custom_base_path)
self._attributes = dict()
self._friendlyname_attributes = dict()
self._nameid = None
self._nameid_format = None
self._nameid_nq = None
self._nameid_spnq = None
self._session_index = None
self._session_expiration = None
self._authenticated = False
self._errors = []
self._error_reason = None
self._last_request_id = None
self._last_message_id = None
self._last_assertion_id = None
self._last_assertion_issue_instant = None
self._last_authn_contexts = []
self._last_request = None
self._last_response = None
self._last_response_in_response_to = None
self._last_assertion_not_on_or_after = None
def __init__(self, request_data, old_settings=None, custom_base_path=None):
"""
Initializes the SP SAML instance.
:param request_data: Request Data
:type request_data: dict
:param settings: Optional. SAML Toolkit Settings
:type settings: dict|object
:param custom_base_path: Optional. Path where are stored the settings file and the cert folder
:type custom_base_path: string
"""
self.__request_data = request_data
self.__settings = OneLogin_Saml2_Settings(old_settings,
custom_base_path)
self.__attributes = []
self.__nameid = None
self.__session_index = None
self.__authenticated = False
self.__errors = []
self.__error_reason = None
