class TestIdentifier(): def setup_class(self): self.id = IdentDB("subject.db", "example.com", "example") def test_persistent_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier', 'name_qualifier']) assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1" assert nameid.format == NAMEID_FORMAT_PERSISTENT id = self.id.find_local_id(nameid) assert id == "foobar" def test_transient_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_TRANSIENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['text', 'format', 'sp_name_qualifier', 'name_qualifier']) assert nameid.format == NAMEID_FORMAT_TRANSIENT def test_vo_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1) print(name_id_policy) nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/biomed', name_id_policy) print(nameid) assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed' assert nameid.format == NAMEID_FORMAT_PERSISTENT assert nameid.text != "foobar" def test_vo_2(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2) nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/design', name_id_policy) assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/design' assert nameid.format == NAMEID_FORMAT_PERSISTENT assert nameid.text != "foobar01" def test_persistent_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.persistent_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print(remote_id) local = self.id.find_local_id(nameid) assert local == "abcd0001" # Always get the same nameid2 = self.id.persistent_nameid("abcd0001", sp_id) assert nameid.text.strip() == nameid2.text.strip() def test_transient_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.transient_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print(remote_id) local = self.id.find_local_id(nameid) assert local == "abcd0001" # Getting a new, means really getting a new ! nameid2 = self.id.transient_nameid(sp_id, "abcd0001") assert nameid.text.strip() != nameid2.text.strip() def teardown_class(self): if os.path.exists("foobar.db"): os.unlink("foobar.db")
class TargetIdTestCase(unittest.TestCase): def setup_class(self): self.id = IdentDB({}) self.sp_entity_id = "https://localhost:/sp.xml" sp_id = "urn:mace:umu.se:sp" self.nameid1_text = "abcd0001" self.nameid1 = self.id.persistent_nameid(self.nameid1_text, sp_id) def get_aes_128_key(self): return os.urandom(16) def get_aes_192_key(self): return os.urandom(24) def get_aes_256_key(self): return os.urandom(32) def test_create_tid2_json(self): tih = TargetIdHandler() tid1 = self.nameid1.text.strip() tid2_json = tih.tid2_json(tid1, self.sp_entity_id) tid2_dict = tih.tid2_dict(tid2_json) assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id." assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id." def test_hash_tid1(self): hash_verify = {'md5': 32, 'sha1': 40, 'sha224': 56, 'sha256': 64, 'sha384': 96, 'sha512': 128} try: TargetIdHandler(h_alg="do_not_exist_alg") assert False, "Must be an assert since the alg. do not exist." except: pass tih = TargetIdHandler() tid1 = self.nameid1.text.strip() tid2_hash = tih.tid2_hash(tid1, self.sp_entity_id) assert len(tid2_hash) == 64, "Default is sha256 alg and i should generate a string with length 64." for tmp_h_alg in hash_verify: tih = TargetIdHandler(h_alg=tmp_h_alg) tid1 = self.nameid1.text.strip() tid2_hash = tih.tid2_hash(tid1, self.sp_entity_id) assert len(tid2_hash) == hash_verify[tmp_h_alg], "%s alg should generate a string with length %d." % \ (tmp_h_alg, hash_verify[tmp_h_alg]) def test_encrypt_tid1(self): tih = TargetIdHandler() tid1 = self.nameid1.text.strip() tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id) tid2_dict = tih.tid2_decrypt(tid2_encrypted) assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id." assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id." def test_encrypt_alg_1(self): for alg in TargetIdHandler.AES_ALG: typ, bits, cmode = alg.split("_") tih = TargetIdHandler(e_alg=alg) tid1 = self.nameid1.text.strip() tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id) tid2_dict = tih.tid2_decrypt(tid2_encrypted) assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id." assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id." def test_encrypt_alg_2(self): for alg in TargetIdHandler.AES_ALG: typ, bits, cmode = alg.split("_") iv = os.urandom(16) key = os.urandom(int(bits) >> 3) tih = TargetIdHandler(e_alg=alg, iv=iv, key=key) tid1 = self.nameid1.text.strip() tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id) tid2_dict = tih.tid2_decrypt(tid2_encrypted) assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id." assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify uuid." def test_encrypt_alg_3(self): for alg in TargetIdHandler.AES_ALG: typ, bits, cmode = alg.split("_") iv = os.urandom(16) key = os.urandom(int(bits) >> 3) tih = TargetIdHandler(e_alg=alg, iv=iv, key=key) tid1 = self.nameid1.text.strip() tid2_encrypted_1 = tih.tid2_encrypt(tid1, self.sp_entity_id) tid2_encrypted_2 = tih.tid2_encrypt(tid1, self.sp_entity_id) tid2_dict_1 = tih.tid2_decrypt(tid2_encrypted_1) tid2_dict_2 = tih.tid2_decrypt(tid2_encrypted_2) assert tid2_encrypted_1 != tid2_encrypted_2, "Two encryption of the same data must never be the same!" assert tid2_dict_1["tid1"] == tid2_dict_2["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict_1["sp_entityid"] == tid2_dict_2["sp_entityid"] == self.sp_entity_id, \ "Cannot verify SP entity id." assert tid2_dict_1["uuid"] != tid2_dict_2["uuid"], "Cannot verify uuid." def test_encrypt_alg_4(self): for alg in TargetIdHandler.AES_ALG: typ, bits, cmode = alg.split("_") iv = os.urandom(16) key = os.urandom(int(bits) >> 3) tih = TargetIdHandler(e_alg=alg, iv=iv, key=key) tid1 = self.nameid1.text.strip() iv = tih.get_new_iv() tid2_encrypted_1 = tih.tid2_encrypt(tid1, self.sp_entity_id, iv=iv) tid2_encrypted_2 = tih.tid2_encrypt(tid1, self.sp_entity_id, iv=iv) tid2_dict_1 = tih.tid2_decrypt(tid2_encrypted_1) tid2_dict_2 = tih.tid2_decrypt(tid2_encrypted_2) assert tid2_encrypted_1 != tid2_encrypted_2, "Two encryption of the same data must never be the same!" assert tid2_dict_1["tid1"] == tid2_dict_2["tid1"] == self.nameid1_text, "Cannot verify tid1." assert tid2_dict_1["sp_entityid"] == tid2_dict_2["sp_entityid"] == self.sp_entity_id, \ "Cannot verify SP entity id." assert tid2_dict_1["uuid"] != tid2_dict_2["uuid"], "Cannot verify uuid."
class TestIdentifier(): def setup_class(self): self.id = IdentDB("subject.db", "example.com", "example") def test_persistent_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier', 'name_qualifier']) assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1" assert nameid.format == NAMEID_FORMAT_PERSISTENT id = self.id.find_local_id(nameid) assert id == "foobar" def test_transient_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_TRANSIENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['text', 'format', 'sp_name_qualifier', 'name_qualifier']) assert nameid.format == NAMEID_FORMAT_TRANSIENT def test_vo_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1) print name_id_policy nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/biomed', name_id_policy) print nameid assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed' assert nameid.format == NAMEID_FORMAT_PERSISTENT assert nameid.text != "foobar" def test_vo_2(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2) nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/design', name_id_policy) assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/design' assert nameid.format == NAMEID_FORMAT_PERSISTENT assert nameid.text != "foobar01" def test_persistent_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.persistent_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print remote_id local = self.id.find_local_id(nameid) assert local == "abcd0001" # Always get the same nameid2 = self.id.persistent_nameid("abcd0001", sp_id) assert nameid.text.strip() == nameid2.text.strip() def test_transient_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.transient_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print remote_id local = self.id.find_local_id(nameid) assert local == "abcd0001" # Getting a new, means really getting a new ! nameid2 = self.id.transient_nameid(sp_id, "abcd0001") assert nameid.text.strip() != nameid2.text.strip() def teardown_class(self): if os.path.exists("foobar.db"): os.unlink("foobar.db")
class TestIdentifier: def setup_class(self): for extension in ('.db', '.dir', '.dat', '.bak'): try: os.remove(full_path("subject.db{}".format(extension))) except (OSError, IOError): pass self.id = IdentDB(full_path("subject.db"), "example.com", "example") def test_persistent_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier', 'name_qualifier']) assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1" assert nameid.format == NAMEID_FORMAT_PERSISTENT id_ = self.id.find_local_id(nameid) assert id_ == "foobar" def test_persistent_2(self): userid = 'foobar' nameid1 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1", name_qualifier="name0") nameid2 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1", name_qualifier="name0") # persistent NameIDs should be _persistent_ :-) assert nameid1 == nameid2 def test_transient_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_TRANSIENT, "attribute_restrictions": { "surName": [".*berg"], } } }) nameid = self.id.construct_nameid("foobar", policy, "urn:mace:example.com:sp:1") assert _eq(nameid.keyswv(), ['text', 'format', 'sp_name_qualifier', 'name_qualifier']) assert nameid.format == NAMEID_FORMAT_TRANSIENT assert nameid.text != "foobar" def test_vo_1(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1) print(name_id_policy) nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/biomed', name_id_policy) print(nameid) assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed' assert nameid.format == NAMEID_FORMAT_PERSISTENT # we want to *NOT* keep the user identifier in the nameid node assert nameid.text != "foobar" def test_vo_2(self): policy = Policy({ "default": { "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "nameid_format": NAMEID_FORMAT_PERSISTENT, "attribute_restrictions": { "surName": [".*berg"], } } }) name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2) nameid = self.id.construct_nameid("foobar", policy, 'http://vo.example.org/design', name_id_policy) assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format', 'name_qualifier']) assert nameid.sp_name_qualifier == 'http://vo.example.org/design' assert nameid.format == NAMEID_FORMAT_PERSISTENT assert nameid.text != "foobar01" def test_persistent_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.persistent_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print(remote_id) local = self.id.find_local_id(nameid) assert local == "abcd0001" # Always get the same nameid2 = self.id.persistent_nameid("abcd0001", sp_id) assert nameid.text.strip() == nameid2.text.strip() def test_transient_nameid(self): sp_id = "urn:mace:umu.se:sp" nameid = self.id.transient_nameid("abcd0001", sp_id) remote_id = nameid.text.strip() print(remote_id) local = self.id.find_local_id(nameid) assert local == "abcd0001" # Getting a new, means really getting a new ! nameid2 = self.id.transient_nameid(sp_id, "abcd0001") assert nameid.text.strip() != nameid2.text.strip() def teardown_class(self): if os.path.exists(full_path("subject.db")): os.unlink(full_path("subject.db"))