def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): request = OneLogin_Saml2_Utils.deflate_and_base64_encode( '<xml>invalid</xml>') request_data = { 'http_host': 'example.com', 'script_name': 'index.html' } settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) settings.set_strict(True) logout_request = OneLogin_Saml2_Logout_Request(settings, request) self.assertFalse(logout_request.is_valid(request_data)) with self.assertRaisesRegexp( OneLogin_Saml2_ValidationError, "Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd" ): logout_request.is_valid(request_data, raise_exceptions=True)
def testIsValidSignUsingX509certMulti(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest """ request_data = { 'http_host': 'example.com', 'script_name': 'index.html', 'get_data': { 'SAMLRequest': 'fZJNa+MwEIb/itHdiTz6sC0SQyEsBPoB27KHXoIsj7cGW3IlGfLzV7G7kN1DL2KYmeedmRcdgp7GWT26326JP/FzwRCz6zTaoNbKkSzeKqfDEJTVEwYVjXp9eHpUsKNq9i4640Zyh3xP6BDQx8FZkp1PR3KpqexAl72QmpUCS8SW01IiZz2TVVGD4X1VQYlAsl/oQyKPJAklPIQFzzZEbWNK0YLnlOVA3wqpQCoB7yQ7pWsGq+NKfcQ4q/0+xKXvd8ZNe7Td7AYbw10UxrCbP2aSPbv4Yl/8Qx/R3+SB5bTOoXiDQvFNvjnc7lXrIr75kh+6eYdXPc0jrkMO+/umjXhOtpxP2Q/nJx2/9+uWGbq8X1tV9NqGAW0kzaVvoe1AAJeCSWqYaUVRM2SilKKuqDTpFSlszdcK29RthVm9YriZebYdXpsLdhVAB7VJzif3haYMqqTVcl0JMBR4y+s2zak3sf/4v8l/vlHzBw==', 'RelayState': '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', 'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'Signature': 'Ouxo9BV6zmq4yrgamT9EbSKy/UmvSxGS8z26lIMgKOEP4LFR/N23RftdANmo4HafrzSfA0YTXwhKDqbOByS0j+Ql8OdQOes7vGioSjo5qq/Bi+5i6jXwQfphnfcHAQiJL4gYVIifkhhHRWpvYeiysF1Y9J02me0izwazFmoRXr4=' } } settings_info = self.loadSettingsJSON('settings8.json') settings_info['strict'] = False settings = OneLogin_Saml2_Settings(settings_info) logout_request = OneLogin_Saml2_Logout_Request(settings, request_data['get_data']['SAMLRequest']) self.assertTrue(logout_request.is_valid(request_data))
def generateAndCheckMetadata(self, settings): """ Helper method: Given some settings, generate metadata and validate it """ if not isinstance(settings, OneLogin_Saml2_Settings): settings = OneLogin_Saml2_Settings(settings) metadata = compat.to_string(settings.get_sp_metadata()) self.assertIn('<md:SPSSODescriptor', metadata) self.assertIn('entityID="http://stuff.com/endpoints/metadata.php"', metadata) self.assertIn('AuthnRequestsSigned="false"', metadata) self.assertIn('WantAssertionsSigned="false"', metadata) self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>', metadata) self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>', metadata) self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', metadata) self.assertIn('<ds:SignedInfo>\n<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>', metadata) self.assertIn('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', metadata) self.assertIn('<ds:Reference', metadata) self.assertIn('<ds:KeyInfo>\n<ds:X509Data>\n<ds:X509Certificate>', metadata)
def metadata(self, **kw): """ returns metadata """ custom_path = request.env['ir.config_parameter'].sudo().sudo( ).get_param("auth_saml.path") saml_settings = OneLogin_Saml2_Settings(settings=None, custom_base_path=custom_path, sp_validation_only=False) metadata = saml_settings.get_sp_metadata() errors = saml_settings.validate_metadata(metadata) if len(errors) == 0: resp = request.make_response(metadata, headers=[('Content-Type', 'text/xml') ]) else: resp = request.make_response(errors, headers=[('Content-Type', 'text/xml') ]) return resp
def testGetXML(self): """ Tests that we can get the logout request XML directly without going through intermediate steps """ request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request_generated = OneLogin_Saml2_Logout_Request(settings) expectedFragment = ( 'Destination="http://idp.example.com/SingleLogoutService.php">\n' ' <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n' ' <saml:NameID SPNameQualifier="http://stuff.com/endpoints/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp.example.com/</saml:NameID>\n' ' \n</samlp:LogoutRequest>' ) self.assertIn(expectedFragment, logout_request_generated.get_xml()) logout_request_processed = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) self.assertEqual(request, logout_request_processed.get_xml())
def testGetIssuer(self): """ Tests the get_issuer of the OneLogin_Saml2_LogoutResponse """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64')) response = OneLogin_Saml2_Logout_Response(settings, message) issuer = response.get_issuer() self.assertEquals('http://idp.example.com/', issuer) dom = parseString(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) issuer_node = dom.getElementsByTagName('saml:Issuer')[0] issuer_node.parentNode.removeChild(issuer_node) xml = dom.toxml() message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml) response_2 = OneLogin_Saml2_Logout_Response(settings, message_2) issuer_2 = response_2.get_issuer() self.assertIsNone(issuer_2)
def testCalculateX509Fingerprint(self): """ Tests the calculateX509Fingerprint method of the OneLogin_Saml2_Utils """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) cert_path = settings.get_cert_path() key = self.file_contents(cert_path + 'sp.key') cert = self.file_contents(cert_path + 'sp.crt') self.assertEqual(None, OneLogin_Saml2_Utils.calculate_x509_fingerprint(key)) self.assertEqual('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert)) self.assertEqual('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha1')) self.assertEqual('c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha256')) self.assertEqual('bc5826e6f9429247254bae5e3c650e6968a36a62d23075eb168134978d88600559c10830c28711b2c29c7947c0c2eb1d', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha384')) self.assertEqual('3db29251b97559c67988ea0754cb0573fc409b6f75d89282d57cfb75089539b0bbdb2dcd9ec6e032549ecbc466439d5992e18db2cf5494ca2fe1b2e16f348dff', OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert, 'sha512'))
def testSetStrict(self): """ Tests the setStrict method of the OneLogin_Saml2_Settings """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) self.assertFalse(settings.is_strict()) settings.set_strict(True) self.assertTrue(settings.is_strict()) settings.set_strict(False) self.assertFalse(settings.is_strict()) try: settings.set_strict('a') 1 / 0 except Exception as e: self.assertIsInstance(e, AssertionError)
def testIsValidSignUsingX509certMulti(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutResponse """ request_data = { 'http_host': 'example.com', 'script_name': 'index.html', 'get_data': { 'SAMLResponse': 'fZHbasJAEIZfJey9ZrNZc1gSodRSBKtQxYveyGQz1kCyu2Q24OM3jS21UHo3p++f4Z+CoGud2th3O/hXJGcNYXDtWkNqapVs6I2yQA0pAx2S8lrtH142Ssy5cr31VtuW3SH/E0CEvW+sYcF6VbLTIktFLMWZgxQR8DSP85wDB4GJGMOqShYVaoBUsOCIPY1kyUahEScacG3Ig/FjiUdyxuOZ4IcoUVGq4vSNBSsk3xjwE3Xx3qkwJD+cz3NtuxBN7WxjPN1F1NLcXdwob77tONiS7bZPm93zenvCqopxgVJmuU50jREsZF4noKWAOuNZJbNznnBky+LTDDVd2S+/dje1m+MVOtfidEER3g8Vt2fsPfiBfmePtsbgCO2A/9tL07TaD1ojEQuXtw0/ouFfD19+AA==', 'RelayState': 'http://stuff.com/endpoints/endpoints/index.php', 'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'Signature': 'OV9c4R0COSjN69fAKCpV7Uj/yx6/KFxvbluVCzdK3UuortpNMpgHFF2wYNlMSG9GcYGk6p3I8nB7Z+1TQchMWZOlO/StjAqgtZhtpiwPcWryNuq8vm/6hnJ3zMDhHTS7F8KG4qkCXmJ9sQD3Y31UNcuygBwIbNakvhDT5Qo9Nsw=' } } settings_info = self.loadSettingsJSON('settings8.json') settings_info['strict'] = False settings = OneLogin_Saml2_Settings(settings_info) logout_response = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse']) self.assertTrue(logout_response.is_valid(request_data))
def testSignMetadata(self): """ Tests the signMetadata method of the OneLogin_Saml2_Metadata """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) sp_data = settings.get_sp_data() security = settings.get_security_data() metadata = OneLogin_Saml2_Metadata.builder( sp_data, security['authnRequestsSigned'], security['wantAssertionsSigned'] ) self.assertIsNotNone(metadata) cert_path = settings.get_cert_path() key = self.file_contents(join(cert_path, 'sp.key')) cert = self.file_contents(join(cert_path, 'sp.crt')) signed_metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key, cert) self.assertIn('<md:SPSSODescriptor', signed_metadata) self.assertIn('entityID="http://stuff.com/endpoints/metadata.php"', signed_metadata) self.assertIn('AuthnRequestsSigned="false"', signed_metadata) self.assertIn('WantAssertionsSigned="false"', signed_metadata) self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"', signed_metadata) self.assertIn('Location="http://stuff.com/endpoints/endpoints/acs.php"', signed_metadata) self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"', signed_metadata) self.assertIn(' Location="http://stuff.com/endpoints/endpoints/sls.php"/>', signed_metadata) self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', signed_metadata) self.assertIn('<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>', signed_metadata) self.assertIn('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', signed_metadata) self.assertIn('<ds:Reference', signed_metadata) self.assertIn('<ds:KeyInfo><ds:X509Data>\n<ds:X509Certificate>', signed_metadata) try: OneLogin_Saml2_Metadata.sign_metadata('', key, cert) self.assertTrue(False) except Exception as e: self.assertIn('Empty string supplied as input', e.message)
def testIsInvalidXML(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest Case Invalid XML """ request = b64encode('<xml>invalid</xml>') request_data = { 'http_host': 'example.com', 'script_name': 'index.html', } settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request = OneLogin_Saml2_Logout_Request(settings, request) self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, request) self.assertFalse(logout_request2.is_valid(request_data))
def testGetNameId(self): """ Tests the get_nameid of the OneLogin_Saml2_LogoutRequest """ request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) name_id = OneLogin_Saml2_Logout_Request.get_nameid(request) self.assertEqual(name_id, 'ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c') request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml')) try: OneLogin_Saml2_Logout_Request.get_nameid(request_2) self.assertTrue(False) except Exception as e: self.assertIn('Key is required in order to decrypt the NameID', e.message) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) key = settings.get_sp_key() name_id_3 = OneLogin_Saml2_Logout_Request.get_nameid(request_2, key) self.assertEqual('ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69', name_id_3)
def _get_settings(self): settings = OneLogin_Saml2_Settings( custom_base_path=current_app.config["SAML_PATH"], sp_validation_only=True ) idp = self._get_idp() if idp: idp_settings = self._parse(idp.dom) common_settings = { 'sp': settings.get_sp_data(), 'idp': idp_settings['idp'] } return common_settings else: return { 'sp': settings.get_sp_data() }
def testIsInvalidXML(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutResponse Case Invalid XML """ message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>') request_data = { 'http_host': 'example.com', 'script_name': 'index.html', 'get_data': {} } settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) response = OneLogin_Saml2_Logout_Response(settings, message) self.assertTrue(response.is_valid(request_data)) settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) self.assertFalse(response_2.is_valid(request_data))
def testGetNameIdData(self): """ Tests the get_nameid_data method of the OneLogin_Saml2_LogoutRequest """ expected_name_id_data = { 'Value': 'ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c', 'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', 'SPNameQualifier': 'http://idp.example.com/' } request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) name_id_data = OneLogin_Saml2_Logout_Request.get_nameid_data(request) self.assertEqual(expected_name_id_data, name_id_data) dom = parseString(request) name_id_data_2 = OneLogin_Saml2_Logout_Request.get_nameid_data(dom) self.assertEqual(expected_name_id_data, name_id_data_2) request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml')) with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'Key is required in order to decrypt the NameID'): OneLogin_Saml2_Logout_Request.get_nameid_data(request_2) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) key = settings.get_sp_key() name_id_data_4 = OneLogin_Saml2_Logout_Request.get_nameid_data(request_2, key) expected_name_id_data = { 'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69', 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress', 'SPNameQualifier': 'https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php' } self.assertEqual(expected_name_id_data, name_id_data_4) dom_2 = parseString(request_2) encrypted_id_nodes = dom_2.getElementsByTagName('saml:EncryptedID') encrypted_data = encrypted_id_nodes[0].firstChild.nextSibling encrypted_id_nodes[0].removeChild(encrypted_data) with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'NameID not found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid_data(dom_2.toxml(), key) inv_request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'no_nameId.xml')) with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'NameID not found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid_data(inv_request)
def testIsInValidDestination(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutResponse Case invalid Destination """ request_data = { 'http_host': 'example.com', 'script_name': 'index.html', 'get_data': {} } settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) message = self.file_contents( join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64')) settings.set_strict(False) response = OneLogin_Saml2_Logout_Response(settings, message) self.assertTrue(response.is_valid(request_data)) settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) try: valid = response_2.is_valid(request_data) self.assertFalse(valid) except Exception as e: self.assertIn('The LogoutRequest was received at', str(e)) # Empty destination dom = parseString( OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) dom.firstChild.setAttribute('Destination', '') xml = dom.toxml() message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml) response_3 = OneLogin_Saml2_Logout_Response(settings, message_3) self.assertTrue(response_3.is_valid(request_data)) # No destination dom.firstChild.removeAttribute('Destination') xml = dom.toxml() message_4 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml) response_4 = OneLogin_Saml2_Logout_Response(settings, message_4) self.assertTrue(response_4.is_valid(request_data))
def testCreateEncSAMLRequest(self): """ Tests the OneLogin_Saml2_Authn_Request Constructor. The creation of a deflated SAML Request """ settings = self.loadSettingsJSON() settings['organization'] = { 'es': { 'name': 'sp_prueba', 'displayname': 'SP prueba', 'url': 'http://sp.example.com' } } settings['security']['wantNameIdEncrypted'] = True settings = OneLogin_Saml2_Settings(settings) authn_request = OneLogin_Saml2_Authn_Request(settings) parameters = {'SAMLRequest': authn_request.get_request()} auth_url = OneLogin_Saml2_Utils.redirect( 'http://idp.example.com/SSOService.php', parameters, True) self.assertRegexpMatches( auth_url, r'^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=') exploded = urlparse(auth_url) exploded = parse_qs(exploded[4]) payload = exploded['SAMLRequest'][0] decoded = b64decode(payload) inflated = decompress(decoded, -15) self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest') self.assertRegexpMatches( inflated, 'AssertionConsumerServiceURL="http://stuff.com/endpoints/endpoints/acs.php"' ) self.assertRegexpMatches( inflated, '<saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>' ) self.assertRegexpMatches( inflated, 'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"') self.assertRegexpMatches(inflated, 'ProviderName="SP prueba"')
def testConstructorEncryptIdUsingX509certMulti(self): """ Tests the OneLogin_Saml2_LogoutRequest Constructor. Case: Able to generate encryptedID with MultiCert """ settings_info = self.loadSettingsJSON('settings8.json') settings_info['security']['nameIdEncrypted'] = True settings = OneLogin_Saml2_Settings(settings_info) logout_request = OneLogin_Saml2_Logout_Request(settings) parameters = {'SAMLRequest': logout_request.get_request()} logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True) self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=') url_parts = urlparse(logout_url) exploded = parse_qs(url_parts.query) payload = exploded['SAMLRequest'][0] inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(payload)) self.assertRegex(inflated, '^<samlp:LogoutRequest') self.assertRegex(inflated, '<saml:EncryptedID>')
def testIsInvalidIssuer(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest Case Invalid Issuer """ request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'invalid_issuer.xml')) request_data = { 'http_host': 'example.com', 'script_name': 'index.html' } current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request = OneLogin_Saml2_Logout_Request(settings, b64encode(request)) self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, b64encode(request)) self.assertFalse(logout_request2.is_valid(request_data)) self.assertIn('Invalid issuer in the Logout Request', logout_request2.get_error())
def testGetIdPData(self): """ Tests the getIdPData method of the OneLogin_Saml2_Settings """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) idp_data = settings.get_idp_data() self.assertNotEqual(len(idp_data), 0) self.assertIn('entityId', idp_data) self.assertIn('singleSignOnService', idp_data) self.assertIn('singleLogoutService', idp_data) self.assertIn('x509cert', idp_data) self.assertEqual('http://idp.example.com/', idp_data['entityId']) self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url']) self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url']) x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo' formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert) self.assertEqual(formated_x509_cert, idp_data['x509cert'])
def testGetStatus(self): """ Tests the get_status method of the OneLogin_Saml2_LogoutResponse """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) message = self.file_contents( join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64')) response = OneLogin_Saml2_Logout_Response(settings, message) status = response.get_status() self.assertEquals(status, OneLogin_Saml2_Constants.STATUS_SUCCESS) dom = parseString( OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) status_code_node = dom.getElementsByTagName('samlp:StatusCode')[0] status_code_node.parentNode.removeChild(status_code_node) xml = dom.toxml() message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml) response_2 = OneLogin_Saml2_Logout_Response(settings, message_2) self.assertIsNone(response_2.get_status())
def testCreateDeflatedSAMLLogoutRequestURLParameter(self): """ Tests the OneLogin_Saml2_LogoutRequest Constructor. The creation of a deflated SAML Logout Request """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request = OneLogin_Saml2_Logout_Request(settings) parameters = {'SAMLRequest': logout_request.get_request()} logout_url = OneLogin_Saml2_Utils.redirect( 'http://idp.example.com/SingleLogoutService.php', parameters, True) self.assertRegexpMatches( logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=' ) url_parts = urlparse(logout_url) exploded = parse_qs(url_parts.query) payload = exploded['SAMLRequest'][0] inflated = OneLogin_Saml2_Utils.decode_base64_and_inflate(payload) self.assertRegexpMatches(inflated, '^<samlp:LogoutRequest')
def testBuilderAttributeConsumingServiceWithMultipleAttributeValue(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings5.json')) sp_data = settings.get_sp_data() security = settings.get_security_data() organization = settings.get_organization() contacts = settings.get_contacts() metadata = OneLogin_Saml2_Metadata.builder( sp_data, security['authnRequestsSigned'], security['wantAssertionsSigned'], None, None, contacts, organization ) self.assertIn(""" <md:AttributeConsumingService index="1"> <md:ServiceName xml:lang="en">Test Service</md:ServiceName> <md:ServiceDescription xml:lang="en">Test Service</md:ServiceDescription> <md:RequestedAttribute Name="userType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">userType</saml:AttributeValue> <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">admin</saml:AttributeValue> </md:RequestedAttribute> <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" /> </md:AttributeConsumingService>""", metadata)
def testBuilderAttributeConsumingService(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings4.json')) sp_data = settings.get_sp_data() security = settings.get_security_data() organization = settings.get_organization() contacts = settings.get_contacts() metadata = OneLogin_Saml2_Metadata.builder( sp_data, security['authnRequestsSigned'], security['wantAssertionsSigned'], None, None, contacts, organization ) self.assertIn(""" <md:AttributeConsumingService index="1"> <md:ServiceName xml:lang="en">Test Service</md:ServiceName> <md:ServiceDescription xml:lang="en">Test Service</md:ServiceDescription> <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" /> <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" /> <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" /> <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" /> <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" /> </md:AttributeConsumingService>""", metadata)
def testIsInvalidNotOnOrAfter(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest Case Invalid NotOnOrAfter """ request_data = { 'http_host': 'example.com', 'script_name': 'index.html' } request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'not_after_failed.xml')) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request = OneLogin_Saml2_Logout_Request(settings, b64encode(request)) self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, b64encode(request)) self.assertFalse(logout_request2.is_valid(request_data)) self.assertIn('Could not validate timestamp: expired. Check system clock.', logout_request2.get_error())
def testIsInvalidNotOnOrAfter(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest Case Invalid NotOnOrAfter """ request_data = { 'http_host': 'example.com', 'script_name': 'index.html' } request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'not_after_failed.xml')) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) self.assertTrue(OneLogin_Saml2_Logout_Request.is_valid(settings, request, request_data)) settings.set_strict(True) try: valid = OneLogin_Saml2_Logout_Request.is_valid(settings, request, request_data) self.assertFalse(valid) except Exception as e: self.assertIn('Timing issues (please check your clock settings)', e.message)
def testIsInValidWithCapitalization(self): """ Tests the is_valid method of the OneLogin_Saml2_LogoutRequest """ request_data = { 'http_host': 'example.com', 'script_name': 'INdex.html' } request = self.file_contents( join(self.data_path, 'logout_requests', 'logout_request.xml')) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) logout_request = OneLogin_Saml2_Logout_Request(settings, b64encode(request)) self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request( settings, b64encode(request)) self.assertFalse(logout_request2.is_valid(request_data)) settings.set_strict(False) dom = parseString(request) logout_request3 = OneLogin_Saml2_Logout_Request( settings, b64encode(dom.toxml())) self.assertTrue(logout_request3.is_valid(request_data)) settings.set_strict(True) logout_request4 = OneLogin_Saml2_Logout_Request( settings, b64encode(dom.toxml())) self.assertFalse(logout_request4.is_valid(request_data)) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) request = request.replace( 'http://stuff.com/endpoints/endpoints/sls.php', current_url.lower()) logout_request5 = OneLogin_Saml2_Logout_Request( settings, b64encode(request)) self.assertFalse(logout_request5.is_valid(request_data))
def testGetSPData(self): """ Tests the getSPData method of the OneLogin_Saml2_Settings """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) sp_data = settings.get_sp_data() self.assertNotEqual(len(sp_data), 0) self.assertIn('entityId', sp_data) self.assertIn('assertionConsumerService', sp_data) self.assertIn('singleLogoutService', sp_data) self.assertIn('NameIDFormat', sp_data) self.assertEqual('http://stuff.com/endpoints/metadata.php', sp_data['entityId']) self.assertEqual('http://stuff.com/endpoints/endpoints/acs.php', sp_data['assertionConsumerService']['url']) self.assertEqual('http://stuff.com/endpoints/endpoints/sls.php', sp_data['singleLogoutService']['url']) self.assertEqual( 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', sp_data['NameIDFormat'])
def __init__(self, request_data, old_settings=None, custom_base_path=None): """ Initializes the SP SAML instance. :param request_data: Request Data :type request_data: dict :param old_settings: Optional. SAML Toolkit Settings :type old_settings: dict :param custom_base_path: Optional. Path where are stored the settings file and the cert folder :type custom_base_path: string """ self._request_data = request_data if isinstance(old_settings, OneLogin_Saml2_Settings): self._settings = old_settings else: self._settings = OneLogin_Saml2_Settings(old_settings, custom_base_path) self._attributes = dict() self._friendlyname_attributes = dict() self._nameid = None self._nameid_format = None self._nameid_nq = None self._nameid_spnq = None self._session_index = None self._session_expiration = None self._authenticated = False self._errors = [] self._error_reason = None self._last_request_id = None self._last_message_id = None self._last_assertion_id = None self._last_assertion_issue_instant = None self._last_authn_contexts = [] self._last_request = None self._last_response = None self._last_response_in_response_to = None self._last_assertion_not_on_or_after = None
def __init__(self, request_data, old_settings=None, custom_base_path=None): """ Initializes the SP SAML instance. :param request_data: Request Data :type request_data: dict :param settings: Optional. SAML Toolkit Settings :type settings: dict|object :param custom_base_path: Optional. Path where are stored the settings file and the cert folder :type custom_base_path: string """ self.__request_data = request_data self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path) self.__attributes = [] self.__nameid = None self.__session_index = None self.__authenticated = False self.__errors = [] self.__error_reason = None