def test_ava_filter_2(): conf = { "default": { "lifetime": {"minutes": 15}, "attribute_restrictions": None # means all I have }, "urn:mace:umu.se:saml:roland:sp": { "lifetime": {"minutes": 5}, "attribute_restrictions": { "givenName": None, "sn": None, "mail": [".*@.*\.umu\.se"], } }} policy = Policy(conf) ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"} # mail removed because it doesn't match the regular expression _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail], [gn, sn]) assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn']) ava = {"givenName": "Derek", "sn": "Jeter"} # it wasn't there to begin with try: policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [gn, sn, mail]) except MissingValue: pass
def test_ava_filter_dont_fail(): conf = { "default": { "lifetime": {"minutes": 15}, "attribute_restrictions": None, # means all I have "fail_on_missing_requested": False, }, "urn:mace:umu.se:saml:roland:sp": { "lifetime": {"minutes": 5}, "attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]}, "fail_on_missing_requested": False, }, } policy = Policy(conf) ava = {"givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**"} # mail removed because it doesn't match the regular expression # So it should fail if the 'fail_on_ ...' flag wasn't set _ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [mail], [gn, sn]) assert _ava ava = {"givenName": "Derek", "surName": "Jeter"} # it wasn't there to begin with _ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [gn, sn, mail]) assert _ava
def test_req_opt(): req = [ to_dict( md.RequestedAttribute( friendly_name="surname", name="urn:oid:2.5.4.4", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true"), ONTS), to_dict( md.RequestedAttribute( friendly_name="givenname", name="urn:oid:2.5.4.42", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true"), ONTS), to_dict( md.RequestedAttribute( friendly_name="edupersonaffiliation", name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true"), ONTS)] opt = [ to_dict( md.RequestedAttribute( friendly_name="title", name="urn:oid:2.5.4.12", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="false"), ONTS)] policy = Policy() ava = {'givenname': 'Roland', 'surname': 'Hedberg', 'uid': 'rohe0002', 'edupersonaffiliation': 'staff'} sp_entity_id = "urn:mace:example.com:saml:curt:sp" fava = policy.filter(ava, sp_entity_id, None, req, opt) assert fava
def test_filter_ava3(): policy = Policy({ "default": { "lifetime": { "minutes": 15 }, # "attribute_restrictions": None # means all I have "entity_categories": ["swamid"] } }) mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp([{ "class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )] }]) ava = { "givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz", "norEduPersonNIN": "19800101134" } ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds) assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_1(): """ No mail address returned """ policy = Policy({ "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None # means all I have }, "urn:mace:example.com:saml:roland:sp": { "lifetime": { "minutes": 5 }, "attribute_restrictions": { "givenName": None, "surName": None, } } }) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"] } # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], []) assert _eq(ava.keys(), ["givenName", "surName"]) assert ava["givenName"] == ["Derek"] assert ava["surName"] == ["Jeter"]
def test_filter_ava2(): policy_conf = { "default": { "lifetime": { "minutes": 15 }, # "attribute_restrictions": None # means all I have "entity_categories": ["refeds", "edugain"] } } policy = Policy(policy_conf, MDS) ava = { "givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz" } ava = policy.filter(ava, "https://connect.sunet.se/shibboleth") # Mismatch, policy deals with eduGAIN, metadata says SWAMID # So only minimum should come out assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_ava_5(): mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp(METADATACONF["1"]) policy_conf = { "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None, # means all I have "entity_categories": ["swamid", "edugain"] } } policy = Policy(restrictions=policy_conf, mds=mds) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": [ "*****@*****.**", "*****@*****.**", ], } ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp") # using entity_categories means there *always* are restrictions # in this case the only allowed attribute is eduPersonTargetedID # which isn't available in the ava hence zip is returned. assert ava == {}
def test_ava_filter_1(): conf = { "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None # means all I have }, "urn:mace:umu.se:saml:roland:sp": { "lifetime": { "minutes": 5 }, "attribute_restrictions": { "givenName": None, "surName": None, "mail": [r".*@.*\.umu\.se"], } } } r = Policy(conf) ava = { "givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**" } ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp") assert _eq(list(ava.keys()), ["givenName", "surName"]) ava = {"givenName": "Derek", "mail": "*****@*****.**"} assert _eq(sorted(list(ava.keys())), ["givenName", "mail"])
def test_filter_ava_0(): policy = Policy({ "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None # means all I have }, "urn:mace:example.com:saml:roland:sp": { "lifetime": { "minutes": 5 }, } }) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"] } # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp") assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"]) assert ava["givenName"] == ["Derek"] assert ava["surName"] == ["Jeter"] assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_3(): """ Only example.com mail addresses returned """ policy = Policy({ "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None # means all I have }, "urn:mace:example.com:saml:roland:sp": { "lifetime": { "minutes": 5 }, "attribute_restrictions": { "mail": [r".*@example\.com$"], } } }) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"] } # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp") assert _eq(list(ava.keys()), ["mail"]) assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_4(): """ Return everything as default policy is used """ policy = Policy({ "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None # means all I have }, "urn:mace:example.com:saml:roland:sp": { "lifetime": { "minutes": 5 }, "attribute_restrictions": { "mail": [r".*@example\.com$"], } } }) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"] } # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp") assert _eq(sorted(list(ava.keys())), ['mail', 'givenName', 'surName']) assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def get_ava(self, user=None): # IDENTITY AND ATTR POLICY # Generate request session stuff needed for user agreement screen attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \ getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", []) identity = { k: v for k, v in self.processor.create_identity(user or self.request.user, self.sp).items() if k not in attrs_to_exclude } # entity categories and other pysaml2 policies could filter out some attributes policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy')) ava = policy.filter(identity, self.sp['id'], self.IDP.config.metadata, required=[]) # remove None for attr in ava: if not ava[attr]: ava[attr] = '' # END IDENTITY AND ATTR POLICY return identity, policy, ava
def test_req_opt(): req = [md.RequestedAttribute(friendly_name="surname", name="urn:oid:2.5.4.4", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true"), md.RequestedAttribute(friendly_name="givenname", name="urn:oid:2.5.4.42", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true"), md.RequestedAttribute(friendly_name="edupersonaffiliation", name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true")] opt = [md.RequestedAttribute(friendly_name="title", name="urn:oid:2.5.4.12", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="false")] policy = Policy() ava = {'givenname': 'Roland', 'surname': 'Hedberg', 'uid': 'rohe0002', 'edupersonaffiliation': 'staff'} sp_entity_id = "urn:mace:example.com:saml:curt:sp" fava = policy.filter(ava, sp_entity_id, req, opt) assert fava
def test_ava_filter_1(): conf = { "default": { "lifetime": {"minutes":15}, "attribute_restrictions": None # means all I have }, "urn:mace:umu.se:saml:roland:sp": { "lifetime": {"minutes": 5}, "attribute_restrictions":{ "givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"], } }} r = Policy(conf) ava = {"givenName":"Derek", "surName": "Jeter", "mail":"*****@*****.**"} ava = r.filter(ava,"urn:mace:umu.se:saml:roland:sp",None,None) assert _eq(ava.keys(), ["givenName","surName"]) ava = {"givenName":"Derek", "mail":"*****@*****.**"} assert _eq(ava.keys(), ["givenName","mail"])
def test_ava_filter_dont_fail(): conf = { "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None, # means all I have "fail_on_missing_requested": False }, "urn:mace:umu.se:saml:roland:sp": { "lifetime": { "minutes": 5 }, "attribute_restrictions": { "givenName": None, "surName": None, "mail": [r".*@.*\.umu\.se"], }, "fail_on_missing_requested": False } } policy = Policy(conf) ava = { "givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**" } # mail removed because it doesn't match the regular expression # So it should fail if the 'fail_on_ ...' flag wasn't set _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[mail], optional=[gn, sn]) assert _ava ava = {"givenName": "Derek", "surName": "Jeter"} # it wasn't there to begin with _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[gn, sn, mail]) assert _ava
def test_filter_ava_esi_coco(): entity_id = "https://esi-coco.example.edu/saml2/metadata/" mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp([{ "class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_esi_and_coco_sp.xml"), )] }]) policy_conf = { "default": { "lifetime": { "minutes": 15 }, "entity_categories": ["swamid"] } } policy = Policy(policy_conf, mds) ava = { "givenName": ["Test"], "sn": ["Testsson"], "mail": ["*****@*****.**"], "c": ["SE"], "schacHomeOrganization": ["example.com"], "eduPersonScopedAffiliation": ["*****@*****.**"], "schacPersonalUniqueCode": [ "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444" ] } requested_attributes = [{ 'friendly_name': 'eduPersonScopedAffiliation', 'name': '1.3.6.1.4.1.5923.1.1.1.9', 'name_format': NAME_FORMAT_URI, 'is_required': 'true' }, { 'friendly_name': 'schacHomeOrganization', 'name': '1.3.6.1.4.1.25178.1.2.9', 'name_format': NAME_FORMAT_URI, 'is_required': 'true' }] ava = policy.filter(ava, entity_id, required=requested_attributes) assert _eq(list(ava.keys()), [ 'eduPersonScopedAffiliation', 'schacHomeOrganization', 'schacPersonalUniqueCode' ]) assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"]) assert _eq(ava["schacHomeOrganization"], ["example.com"]) assert _eq(ava["schacPersonalUniqueCode"], [ "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444" ])
def test_filter_ava_registration_authority_1(): mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp(METADATACONF["1"]) policy_conf = { "default": { "lifetime": { "minutes": 15 }, "attribute_restrictions": None, }, "http://rr.aai.switch.ch/": { "attribute_restrictions": { "givenName": None, "surName": None, } } } policy = Policy(restrictions=policy_conf, mds=mds) attributes = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": [ "*****@*****.**", "*****@*****.**", ], } # SP registered with http://rr.aai.switch.ch/ ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth") assert _eq(sorted(list(ava.keys())), ["givenName", "surName"]) assert ava["givenName"] == ["Derek"] assert ava["surName"] == ["Jeter"] # SP not registered with http://rr.aai.switch.ch/ ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth") assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"]) assert ava["givenName"] == ["Derek"] assert ava["surName"] == ["Jeter"] assert ava["mail"] == ["*****@*****.**", "*****@*****.**"]
def test_req_opt(): req = [ to_dict( md.RequestedAttribute( friendly_name="surname", name="urn:oid:2.5.4.4", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true", ), ONTS, ), to_dict( md.RequestedAttribute( friendly_name="givenname", name="urn:oid:2.5.4.42", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true", ), ONTS, ), to_dict( md.RequestedAttribute( friendly_name="edupersonaffiliation", name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="true", ), ONTS, ), ] opt = [ to_dict( md.RequestedAttribute( friendly_name="title", name="urn:oid:2.5.4.12", name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", is_required="false", ), ONTS, ) ] policy = Policy() ava = {"givenname": "Roland", "surname": "Hedberg", "uid": "rohe0002", "edupersonaffiliation": "staff"} sp_entity_id = "urn:mace:example.com:saml:curt:sp" fava = policy.filter(ava, sp_entity_id, None, req, opt) assert fava
def test_filter_ava(): policy = Policy({ "default": { "lifetime": {"minutes": 15}, #"attribute_restrictions": None # means all I have "entity_categories": ["swamid"] } }) ava = {"givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]} ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS) assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c']) assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava_0(): policy = Policy( { "default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have "urn:mace:example.com:saml:roland:sp": {"lifetime": {"minutes": 5}}, } ) ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"]} # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], []) assert _eq(ava.keys(), ["givenName", "surName", "mail"]) assert ava["givenName"] == ["Derek"] assert ava["surName"] == ["Jeter"] assert ava["mail"] == ["*****@*****.**"]
def test_entity_category_import_from_path(): mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) # The file entity_cat_rs.xml contains the SAML metadata for an SP # tagged with the REFEDs R&S entity category. mds.imp([{ "class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_rs.xml"), )] }]) # The entity category module myentitycategory.py is in the tests # directory which is on the standard module search path. # The module uses a custom interpretation of the REFEDs R&S entity category # by adding eduPersonUniqueId. policy = Policy( { "default": { "lifetime": { "minutes": 15 }, "entity_categories": ["myentitycategory"] } }, mds) ava = { "givenName": ["Derek"], "sn": ["Jeter"], "displayName": "Derek Jeter", "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz", "eduPersonUniqueId": "*****@*****.**", "eduPersonScopedAffiliation": "*****@*****.**", "eduPersonPrincipalName": "*****@*****.**", "norEduPersonNIN": "19800101134" } ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp") # We expect c and norEduPersonNIN to be filtered out since they are not # part of the custom entity category. assert _eq(list(ava.keys()), [ "eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId", "displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn" ])
def test_filter_ava_5(): policy = Policy({ "default": { "lifetime": {"minutes": 15}, #"attribute_restrictions": None # means all I have "entity_categories": ["swamid", "edugain"] } }) ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]} ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], []) # using entity_categories means there *always* are restrictions # in this case the only allowed attribute is eduPersonTargetedID # which isn't available in the ava hence zip is returned. assert ava == {}
def test_filter_ava2(): policy = Policy({ "default": { "lifetime": {"minutes": 15}, #"attribute_restrictions": None # means all I have "entity_categories": ["refeds", "edugain"] } }) ava = {"givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz"} ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS) # Mismatch, policy deals with eduGAIN, metadata says SWAMID # So only minimum should come out assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
def test_filter_ava_4(): """ Return everything as default policy is used """ policy = Policy( { "default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None}, # means all I have "urn:mace:example.com:saml:roland:sp": { "lifetime": {"minutes": 5}, "attribute_restrictions": {"mail": [".*@example\.com$"]}, }, } ) ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]} # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], []) assert _eq(ava.keys(), ["mail", "givenName", "surName"]) assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava_required_attributes_with_no_friendly_name(): entity_id = "https://no-friendly-name.example.edu/saml2/metadata/" mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp([{ "class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_no_friendly_name_sp.xml"), )] }]) policy_conf = { "default": { "lifetime": { "minutes": 15 }, "entity_categories": ["swamid"] } } policy = Policy(policy_conf, mds) ava = { "givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz", "norEduPersonNIN": "19800101134", } attribute_requirements = mds.attribute_requirement(entity_id) required = attribute_requirements.get("required", []) optional = attribute_requirements.get("optional", []) # ensure the requirements define the eduPersonTargetedID # without the friendlyName attribute oid_eptid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' requested_attribute_eptid = RequestedAttribute(name=oid_eptid, name_format=NAME_FORMAT_URI, is_required='true') assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])] ava = policy.filter(ava, entity_id, required=required, optional=optional) assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
def test_filter_ava3(): policy = Policy({ "default": { "lifetime": {"minutes": 15}, #"attribute_restrictions": None # means all I have "entity_categories": ["swamid"] } }) mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config, disable_ssl_certificate_validation=True) mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}]) ava = {"givenName": ["Derek"], "sn": ["Jeter"], "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz", "norEduPersonNIN": "19800101134"} ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds) assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava_3(): """ Only example.com mail addresses returned """ policy = Policy({ "default": { "lifetime": {"minutes":15}, "attribute_restrictions": None # means all I have }, "urn:mace:example.com:saml:roland:sp": { "lifetime": {"minutes": 5}, "attribute_restrictions":{ "mail": [".*@example\.com$"], } }}) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]} # No restrictions apply ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], []) assert _eq(ava.keys(), ["mail"]) assert ava["mail"] == ["*****@*****.**"]
def test_filter_ava_5(): policy = Policy({ "default": { "lifetime": { "minutes": 15 }, #"attribute_restrictions": None # means all I have "entity_categories": ["swamid", "edugain"] } }) ava = { "givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"] } ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], []) # using entity_categories means there *always* are restrictions # in this case the only allowed attribute is eduPersonTargetedID # which isn't available in the ava hence zip is returned. assert ava == {}
def test_entity_category_import_from_path(): # The entity category module myentitycategory.py is in the tests # directory which is on the standard module search path. # The module uses a custom interpretation of the REFEDs R&S entity category # by adding eduPersonUniqueId. policy = Policy({ "default": { "lifetime": {"minutes": 15}, "entity_categories": ["myentitycategory"] } }) mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True) # The file entity_cat_rs.xml contains the SAML metadata for an SP # tagged with the REFEDs R&S entity category. mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_rs.xml"),)]}]) ava = {"givenName": ["Derek"], "sn": ["Jeter"], "displayName": "Derek Jeter", "mail": ["*****@*****.**"], "c": ["USA"], "eduPersonTargetedID": "foo!bar!xyz", "eduPersonUniqueId": "*****@*****.**", "eduPersonScopedAffiliation": "*****@*****.**", "eduPersonPrincipalName": "*****@*****.**", "norEduPersonNIN": "19800101134"} ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds) # We expect c and norEduPersonNIN to be filtered out since they are not # part of the custom entity category. assert _eq(list(ava.keys()), ["eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId", "displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"])
def build_authn_response(self, user, authn, resp_args): """ pysaml2 server.Server.create_authn_response wrapper """ self.sp['name_id_format'] = resp_args.get('name_id_policy').format idp_name_id_format_list = self.IDP.config.getattr("name_id_format", "idp") # name_id format availability if idp_name_id_format_list and not self.sp['name_id_format']: name_id_format = idp_name_id_format_list[0] elif self.sp['name_id_format'] and not idp_name_id_format_list: name_id_format = self.sp['name_id_format'] elif self.sp['name_id_format'] not in idp_name_id_format_list: return self.handle_error(request, exception=_('SP requested a name_id_format ' 'that is not supported in the IDP')) elif self.sp['name_id_format'] in idp_name_id_format_list: name_id_format = self.sp['name_id_format'] else: name_id_format = NAMEID_FORMAT_UNSPECIFIED # if SP doesn't request a specific name_id_format... if not self.sp['name_id_format']: self.sp['name_id_format'] = name_id_format user_id = self.processor.get_user_id(user, self.sp, self.IDP.config) name_id = NameID(format=name_id_format, sp_name_qualifier=self.sp['id'], text=user_id) #user_attrs = self.processor.create_identity(user, self.sp) # Generate request session stuff needed for user agreement screen attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \ getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", []) self.request.session['identity'] = { k: v for k, v in self.processor.create_identity(self.request.user, self.sp).items() if k not in attrs_to_exclude } # ASSERTION ENCRYPTED encrypt_response = getattr(settings, 'SAML_ENCRYPT_AUTHN_RESPONSE', False) if 'encrypt_saml_responses' in self.sp['config'].keys(): encrypt_response = self.sp['config'].get('encrypt_saml_responses') encrypt_advice_attributes = getattr(settings, 'SAML_ENCRYPT_ADV_ATTRIBUTES', False) if 'encrypt_advice_attributes' in self.sp['config'].keys(): encrypt_advice_attributes = self.sp['config'].get('encrypt_advice_attributes') authn_resp = self.IDP.create_authn_response( authn=authn, identity=self.request.session['identity'], userid=user_id, name_id=name_id, # signature sign_response=self.sp['config'].get("sign_response") or \ self.IDP.config.getattr("sign_response", "idp") or \ False, sign_assertion=self.sp['config'].get("sign_assertion") or \ self.IDP.config.getattr("sign_assertion", "idp") or \ False, # default will be sha1 in pySAML2 sign_alg=self.sp['config'].get("signing_algorithm") or \ getattr(settings, 'SAML_AUTHN_SIGN_ALG', False), digest_alg=self.sp['config'].get("digest_algorithm") or \ getattr(settings, 'SAML_AUTHN_DIGEST_ALG', False), # Encryption encrypt_assertion=encrypt_response, encrypt_advice_attributes=encrypt_advice_attributes, **resp_args ) # entity categories and other pysaml2 policies could filter out some attributes policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy')) ava = policy.filter(self.request.session['identity'], self.sp['id'], self.IDP.config.metadata, required=[]) # talking logs self.request.session['authn_log'] = ('SSO AuthnResponse to {} [{}]:' ' {} attrs ({}) on {} ' 'filtered by policy').format(self.sp['id'], self.request.session.get('message_id'), len(ava), ','.join(ava.keys()), len(self.request.session['identity'])) logger.info(self.request.session['authn_log']) # self.request.session['identity'] = ava return authn_resp