def test_exception_sign_verify_with_cert_from_instance(self):
assertion = factory(
saml.Assertion,
version="2.0",
id="id-11100",
issuer=saml.Issuer(text="the-issuer"),
issue_instant="2009-10-30T13:20:28Z",
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Föö", ""),
("name:givenName", "nameformat", "givenName"): ("Bär", ""),
})
)
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser"),
status=success_status_factory(),
assertion=assertion,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22222",
signature=sigver.pre_signature_part(
"id-22222", self.sec.my_cert
),
)
to_sign = [(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
response2 = response_from_string(s_response)
# Change something that should make everything fail
response2.id = "id-23456"
with raises(sigver.SignatureError):
self.sec._check_signature(s_response, response2, class_name(response2))
def issuer(self, entityid=None):
""" Return an Issuer precursor """
if entityid:
return saml.Issuer(text=entityid,
format=saml.NAMEID_FORMAT_ENTITY)
else:
return saml.Issuer(text=self.conf.entityid,
format=saml.NAMEID_FORMAT_ENTITY)
def _issuer(self, entityid=None):
""" Return an Issuer instance """
if entityid:
if isinstance(entityid, saml.Issuer):
return entityid
else:
return saml.Issuer(text=entityid,
format=saml.NAMEID_FORMAT_ENTITY)
else:
return saml.Issuer(text=self.config.entityid,
format=saml.NAMEID_FORMAT_ENTITY)
def testAccessors(self):
"""Test for LogoutRequest accessors"""
self.lr.id = "request id"
self.lr.version = saml2.VERSION
self.lr.issue_instant = "2007-09-14T01:05:02Z"
self.lr.destination = "http://www.example.com/Destination"
self.lr.consent = saml.CONSENT_UNSPECIFIED
self.lr.issuer = saml.Issuer()
self.lr.signature = ds.Signature()
self.lr.extensions = samlp.Extensions()
self.lr.not_on_or_after = "2007-10-14T01:05:02Z"
self.lr.reason = "http://www.example.com/Reason"
self.lr.base_id = saml.BaseID()
self.lr.name_id = saml.NameID()
self.lr.encrypted_id = saml.EncryptedID()
self.lr.session_index = samlp.SessionIndex()
new_lr = samlp.logout_request_from_string(self.lr.to_string())
assert new_lr.id == "request id"
assert new_lr.version == saml2.VERSION
assert new_lr.issue_instant == "2007-09-14T01:05:02Z"
assert new_lr.destination == "http://www.example.com/Destination"
assert new_lr.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_lr.issuer, saml.Issuer)
assert isinstance(new_lr.signature, ds.Signature)
assert isinstance(new_lr.extensions, samlp.Extensions)
assert new_lr.not_on_or_after == "2007-10-14T01:05:02Z"
assert new_lr.reason == "http://www.example.com/Reason"
assert isinstance(new_lr.base_id, saml.BaseID)
assert isinstance(new_lr.name_id, saml.NameID)
assert isinstance(new_lr.encrypted_id, saml.EncryptedID)
assert isinstance(new_lr.session_index[0], samlp.SessionIndex)
def testAccessors(self):
"""Test for Response accessors"""
self.response.id = "response id"
self.response.in_response_to = "request id"
self.response.version = saml2.VERSION
self.response.issue_instant = "2007-09-14T01:05:02Z"
self.response.destination = "http://www.example.com/Destination"
self.response.consent = saml.CONSENT_UNSPECIFIED
self.response.issuer = saml.Issuer()
self.response.signature = ds.Signature()
self.response.extensions = samlp.Extensions()
self.response.status = samlp.Status()
self.response.assertion.append(saml.Assertion())
self.response.encrypted_assertion.append(saml.EncryptedAssertion())
new_response = samlp.response_from_string(self.response.to_string())
assert new_response.id == "response id"
assert new_response.in_response_to == "request id"
assert new_response.version == saml2.VERSION
assert new_response.issue_instant == "2007-09-14T01:05:02Z"
assert new_response.destination == "http://www.example.com/Destination"
assert new_response.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_response.issuer, saml.Issuer)
assert isinstance(new_response.signature, ds.Signature)
assert isinstance(new_response.extensions, samlp.Extensions)
assert isinstance(new_response.status, samlp.Status)
assert isinstance(new_response.assertion[0], saml.Assertion)
assert isinstance(new_response.encrypted_assertion[0],
saml.EncryptedAssertion)
def setup_class(self):
# This would be one way to initialize the security context :
#
# conf = config.SPConfig()
# conf.load_file("server_conf")
# conf.only_use_keys_in_metadata = False
#
# but instead, FakeConfig() is used to really only use the minimal
# set of parameters needed for these test cases. Other test cases
# (TestSecurityMetadata below) excersise the SPConfig() mechanism.
#
conf = FakeConfig()
self.sec = sigver.security_context(conf)
self._assertion = factory(
saml.Assertion,
version="2.0",
id="id-11111",
issuer=saml.Issuer(text="the-issuer"),
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Föö", ""),
("name:givenName", "nameformat", "givenName"): ("Bär", ""),
})
)
def test_sign_response(self):
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser"),
status=success_status_factory(),
assertion=self._assertion,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22222",
signature=sigver.pre_signature_part(
"id-22222", self.sec.my_cert
),
)
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
print(s_response)
response = response_from_string(s_response)
sass = response.assertion[0]
print(sass)
assert _eq(sass.keyswv(), ['issuer', 'attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "id-11111"
item = self.sec.check_signature(response, class_name(response), s_response)
assert isinstance(item, samlp.Response)
assert item.id == "id-22222"
def setup_class(self):
conf = config.SPConfig()
conf.load_file("server_conf")
md = MetadataStore([saml, samlp], None, conf)
md.load("local", METADATA_CERT)
conf.metadata = md
conf.only_use_keys_in_metadata = False
self.sec = sigver.security_context(conf)
assertion = factory(
saml.Assertion,
version="2.0",
id="id-11111",
issuer=saml.Issuer(text="the-issuer"),
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Foo", ""),
("name:givenName", "nameformat", "givenName"): ("Bar", ""),
})
)
assertion = factory(
saml.Assertion, version="2.0", id="id-11111",
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11111", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement(
{("", "", "surName"): ("Foo", ""),
("", "", "givenName"): ("Bar", ""), })
)
def test_sign_verify_assertion_with_cert_from_instance(self):
assertion = factory(
saml.Assertion,
version="2.0",
id="id-11100",
issuer=saml.Issuer(text="the-issuer"),
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11100", self.sec.my_cert, 1),
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Räv", ""),
("name:givenName", "nameformat", "givenName"): ("Björn", ""),
})
)
to_sign = [(class_name(assertion), assertion.id)]
s_assertion = sigver.signed_instance_factory(assertion, self.sec,
to_sign)
print(s_assertion)
ass = assertion_from_string(s_assertion)
ci = "".join(sigver.cert_from_instance(ass)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature(s_assertion,
node_name=class_name(ass))
assert res
res = self.sec._check_signature(s_assertion, ass, class_name(ass))
assert res
def test_sign_verify_with_cert_from_instance(self):
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser"),
status=success_status_factory(),
assertion=self._assertion,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22222",
signature=sigver.pre_signature_part(
"id-22222", self.sec.my_cert
),
)
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
response2 = response_from_string(s_response)
ci = "".join(sigver.cert_from_instance(response2)[0].split())
assert ci == self.sec.my_cert
res = self.sec.verify_signature(s_response,
node_name=class_name(samlp.Response()))
assert res
res = self.sec._check_signature(s_response, response2,
class_name(response2), s_response)
assert res == response2
def test_sign_verify(self):
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser"),
status=success_status_factory(),
assertion=self._assertion,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22233",
signature=sigver.pre_signature_part(
"id-22233", self.sec.my_cert
),
)
to_sign = [(class_name(self._assertion), self._assertion.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec,
to_sign)
print(s_response)
res = self.sec.verify_signature(s_response,
node_name=class_name(samlp.Response()))
print(res)
assert res
def test_sign_response_2(self):
assertion2 = factory(
saml.Assertion,
version="2.0",
id="id-11122",
issuer=saml.Issuer(text="the-issuer-2"),
issue_instant="2009-10-30T13:20:28Z",
signature=sigver.pre_signature_part("id-11122", self.sec .my_cert),
attribute_statement=do_attribute_statement({
("name:surName", "nameformat", "surName"): ("Fox", ""),
("name:givenName", "nameformat", "givenName"): ("Bear", ""),
})
)
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser-2"),
status=success_status_factory(),
assertion=assertion2,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22233",
signature=sigver.pre_signature_part("id-22233", self.sec.my_cert),
)
to_sign = [(class_name(assertion2), assertion2.id),
(class_name(response), response.id)]
s_response = sigver.signed_instance_factory(response, self.sec, to_sign)
assert s_response is not None
response2 = response_from_string(s_response)
sass = response2.assertion[0]
['signature', 'attribute_statement', 'version', 'id', 'issue_instant']
['issuer', 'attribute_statement', 'issue_instant', 'version', 'signature', 'id']
assert _eq(sass.keyswv(), ['issuer', 'attribute_statement', 'issue_instant',
'version', 'signature', 'id'])
assert sass.version == "2.0"
assert sass.id == "id-11122"
item = self.sec.check_signature(response2, class_name(response), s_response)
assert isinstance(item, samlp.Response)
def createLogoutRequest(self, session_index, name_id):
now = saml2.utils.getDateAndTime(time.time())
req = samlp.LogoutRequest(id=saml2.utils.createID(),
version=saml2.V2,
issue_instant=now)
req.issuer = saml.Issuer(text=self.config.get('issuer_name'))
req.name_id = name_id
req.session_index = samlp.SessionIndex(text=session_index)
req.signature = self._get_signature()
return req
def createLogoutResponse(self, logout_request_id, status_code):
now = saml2.utils.getDateAndTime(time.time())
self.response = samlp.LogoutResponse(id=saml2.utils.createID(),
version=saml2.V2,
issue_instant=now,
in_response_to=logout_request_id)
self.response.issuer = saml.Issuer(text=self.config.get('issuer_name'))
self.response.status = samlp.Status()
self.response.status.status_code = samlp.StatusCode(status_code)
self.response.signature = self._get_signature()
return self.response
def _create_issuer(self, issuer_url):
"""Create an object that represents a SAML Issuer.
<ns0:Issuer
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://acme.com/FIM/sps/openstack/saml20</ns0:Issuer>
:returns: XML <Issuer> object
"""
issuer = saml.Issuer()
issuer.format = saml.NAMEID_FORMAT_ENTITY
issuer.set_text(issuer_url)
return issuer
def testAccessors(self):
"""Test for AuthnRequest accessors"""
self.ar.id = "request id"
self.ar.version = saml2.VERSION
self.ar.issue_instant = "2007-09-14T01:05:02Z"
self.ar.destination = "http://www.example.com/Destination"
self.ar.consent = saml.CONSENT_UNSPECIFIED
self.ar.issuer = saml.Issuer()
self.ar.signature = ds.Signature()
self.ar.extensions = samlp.Extensions()
self.ar.subject = saml.Subject()
self.ar.name_id_policy = samlp.NameIDPolicy()
self.ar.conditions = saml.Conditions()
self.ar.requested_authn_context = samlp.RequestedAuthnContext()
self.ar.scoping = samlp.Scoping()
self.ar.force_authn = 'true'
self.ar.is_passive = 'true'
self.ar.assertion_consumer_service_index = "1"
self.ar.assertion_consumer_service_url = "http://www.example.com/acs"
self.ar.protocol_binding = saml2.BINDING_HTTP_POST
self.ar.attribute_consuming_service_index = "2"
self.ar.provider_name = "provider name"
new_ar = samlp.authn_request_from_string(self.ar.to_string())
assert new_ar.id == "request id"
assert new_ar.version == saml2.VERSION
assert new_ar.issue_instant == "2007-09-14T01:05:02Z"
assert new_ar.destination == "http://www.example.com/Destination"
assert new_ar.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_ar.issuer, saml.Issuer)
assert isinstance(new_ar.signature, ds.Signature)
assert isinstance(new_ar.extensions, samlp.Extensions)
assert isinstance(new_ar.subject, saml.Subject)
assert isinstance(new_ar.name_id_policy, samlp.NameIDPolicy)
assert isinstance(new_ar.conditions, saml.Conditions)
assert isinstance(new_ar.requested_authn_context,
samlp.RequestedAuthnContext)
assert isinstance(new_ar.scoping, samlp.Scoping)
assert new_ar.force_authn == 'true'
assert new_ar.is_passive == 'true'
assert new_ar.assertion_consumer_service_index == '1'
assert new_ar.assertion_consumer_service_url == \
'http://www.example.com/acs'
assert new_ar.protocol_binding == saml2.BINDING_HTTP_POST
assert new_ar.attribute_consuming_service_index == '2'
assert new_ar.provider_name == "provider name"
def create_logout_request(subject_id,
destination,
issuer_entity_id,
req_entity_id,
sign=True):
config = SPConfig()
config.load(sp_config)
sp_client = Saml2Client(config=config)
# construct a request
logout_request = samlp.LogoutRequest(id='a123456',
version=VERSION,
destination=destination,
issuer=saml.Issuer(
text=req_entity_id,
format=saml.NAMEID_FORMAT_ENTITY),
name_id=saml.NameID(text=subject_id))
return logout_request
def auth_response(identity, in_response_to, sp_conf):
"""Generates a fresh signed authentication response"""
sp_entity_id = sp_conf.entityid
idp_entity_id = sp_conf.idps().keys()[0]
acs = sp_conf.endpoint('assertion_consumer_service')[0]
issuer = saml.Issuer(text=idp_entity_id, format=saml.NAMEID_FORMAT_ENTITY)
response = response_factory(issuer=issuer,
in_response_to=in_response_to,
destination=acs,
status=success_status_factory())
idp_conf = IdPConfig()
name_form = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
idp_conf.load({
'entityid': idp_entity_id,
'xmlsec_binary': sp_conf.xmlsec_binary,
'attribute_map_dir': os.path.join(BASEDIR, 'attribute-maps'),
'service': {
'idp': {
'endpoints': tuple(),
'policy': {
'default': {
"lifetime": {
"minutes": 15
},
"attribute_restrictions": None,
"name_form": name_form,
}
}
},
},
'key_file': os.path.join(BASEDIR, 'idpcert.key'),
'cert_file': os.path.join(BASEDIR, 'idpcert.pem'),
'metadata': {
'local': [os.path.join(BASEDIR, 'sp_metadata.xml')],
},
})
server = Server("", idp_conf)
server.ident = Identifier(FakeDb())
userid = 'irrelevant'
response = server.authn_response(identity, in_response_to, acs,
sp_entity_id, None, userid)
return '\n'.join(response)
def test_multiple_signatures_response(self):
response = factory(
samlp.Response,
issuer=saml.Issuer(text="the-isser"),
status=success_status_factory(),
assertion=self._assertion,
version="2.0",
issue_instant="2099-10-30T13:20:28Z",
id="id-22222",
signature=sigver.pre_signature_part(
"id-22222", self.sec.my_cert
),
)
# order is important, we can't validate if the signatures are made
# in the reverse order
to_sign = [(self._assertion, self._assertion.id), (response, response.id)]
s_response = self.sec.multiple_signatures(str(response), to_sign)
assert s_response is not None
response = response_from_string(s_response)
item = self.sec.check_signature(response, class_name(response),
s_response, must=True)
assert item == response
assert item.id == "id-22222"
s_assertion = item.assertion[0]
assert isinstance(s_assertion, saml.Assertion)
# make sure the assertion was modified when we supposedly signed it
assert s_assertion != self._assertion
ci = "".join(sigver.cert_from_instance(s_assertion)[0].split())
assert ci == self.sec.my_cert
res = self.sec.check_signature(s_assertion, class_name(s_assertion),
s_response, must=True)
assert res == s_assertion
assert s_assertion.id == "id-11111"
assert s_assertion.version == "2.0"
assert _eq(s_assertion.keyswv(), ['issuer', 'attribute_statement',
'issue_instant',
'version', 'signature', 'id'])
def test_valid_instance():
attr_statem = saml.AttributeStatement()
text = [
"value of test attribute",
"value1 of test attribute",
"value2 of test attribute",
"value1 of test attribute2",
"value2 of test attribute2",
]
attr_statem.attribute.append(saml.Attribute())
attr_statem.attribute.append(saml.Attribute())
attr_statem.attribute[0].name = "testAttribute"
attr_statem.attribute[0].name_format = saml.NAME_FORMAT_URI
attr_statem.attribute[0].friendly_name = "test attribute"
attr_statem.attribute[0].attribute_value.append(saml.AttributeValue())
attr_statem.attribute[0].attribute_value[0].text = text[0]
attr_statem.attribute[1].name = "testAttribute2"
attr_statem.attribute[1].name_format = saml.NAME_FORMAT_UNSPECIFIED
attr_statem.attribute[1].friendly_name = text[2]
attr_statem.attribute[1].attribute_value.append(saml.AttributeValue())
attr_statem.attribute[1].attribute_value[0].text = text[2]
assert valid_instance(attr_statem)
response = samlp.Response()
response.id = "response id"
response.in_response_to = "request id"
response.version = saml2.VERSION
response.issue_instant = "2007-09-14T01:05:02Z"
response.destination = "http://www.example.com/Destination"
response.consent = saml.CONSENT_UNSPECIFIED
response.issuer = saml.Issuer()
response.status = samlp.Status()
response.assertion.append(saml.Assertion())
with raises(MustValueError):
valid_instance(response)
def make_logout_response(self,
idp_entity_id,
request_id,
status_code,
binding=BINDING_HTTP_REDIRECT):
"""
XXX There were issues with an explicit closing tag on
StatusCode. Check wether we still need this. XXX
Constructs a LogoutResponse
:param idp_entity_id: The entityid of the IdP that want to do the
logout
:param request_id: The Id of the request we are replying to
:param status_code: The status code of the response
:param binding: The type of binding that will be used for the response
:return: A LogoutResponse instance
"""
srvs = self.metadata.single_logout_service(idp_entity_id, binding,
"idpsso")
destination = destinations(srvs)[0]
logger.info("destination to provider: %s" % destination)
status = samlp.Status(
status_code=samlp.StatusCode(value=status_code, text='\n'),
status_message=samlp.StatusMessage(text='logout success'))
response = samlp.LogoutResponse(
id=sid(),
version=VERSION,
issue_instant=instant(),
destination=destination,
issuer=saml.Issuer(text=self.config.entityid,
format=saml.NAMEID_FORMAT_ENTITY),
in_response_to=request_id,
status=status,
)
return response, destination
def testAccessors(self):
"""Test for LogoutResponse accessors"""
self.lr.id = "response id"
self.lr.in_response_to = "request id"
self.lr.version = saml2.VERSION
self.lr.issue_instant = "2007-09-14T01:05:02Z"
self.lr.destination = "http://www.example.com/Destination"
self.lr.consent = saml.CONSENT_UNSPECIFIED
self.lr.issuer = saml.Issuer()
self.lr.signature = ds.Signature()
self.lr.extensions = samlp.Extensions()
self.lr.status = samlp.Status()
new_lr = samlp.logout_response_from_string(self.lr.to_string())
assert new_lr.id == "response id"
assert new_lr.in_response_to == "request id"
assert new_lr.version == saml2.VERSION
assert new_lr.issue_instant == "2007-09-14T01:05:02Z"
assert new_lr.destination == "http://www.example.com/Destination"
assert new_lr.consent == saml.CONSENT_UNSPECIFIED
assert isinstance(new_lr.issuer, saml.Issuer)
assert isinstance(new_lr.signature, ds.Signature)
assert isinstance(new_lr.extensions, samlp.Extensions)
assert isinstance(new_lr.status, samlp.Status)
def ecp_auth_request(cls, entityid=None, relay_state="", sign=False):
""" Makes an authentication request.
:param entityid: The entity ID of the IdP to send the request to
:param relay_state: To where the user should be returned after
successfull log in.
:param sign: Whether the request should be signed or not.
:return: AuthnRequest response
"""
eelist = []
# ----------------------------------------
# <paos:Request>
# ----------------------------------------
my_url = cls.service_urls(BINDING_PAOS)[0]
# must_understand and actor according to the standard
#
paos_request = paos.Request(must_understand="1",
actor=ACTOR,
response_consumer_url=my_url,
service=SERVICE)
eelist.append(element_to_extension_element(paos_request))
# ----------------------------------------
# <samlp:AuthnRequest>
# ----------------------------------------
logger.info("entityid: %s, binding: %s" % (entityid, BINDING_SOAP))
location = cls._sso_location(entityid, binding=BINDING_SOAP)
req_id, authn_req = cls.create_authn_request(
location, binding=BINDING_PAOS, service_url_binding=BINDING_PAOS)
body = soapenv.Body()
body.extension_elements = [element_to_extension_element(authn_req)]
# ----------------------------------------
# <ecp:Request>
# ----------------------------------------
# idp = samlp.IDPEntry(
# provider_id = "https://idp.example.org/entity",
# name = "Example identity provider",
# loc = "https://idp.example.org/saml2/sso",
# )
#
# idp_list = samlp.IDPList(idp_entry= [idp])
idp_list = None
ecp_request = ecp.Request(actor=ACTOR,
must_understand="1",
provider_name=None,
issuer=saml.Issuer(text=authn_req.issuer.text),
idp_list=idp_list)
eelist.append(element_to_extension_element(ecp_request))
# ----------------------------------------
# <ecp:RelayState>
# ----------------------------------------
relay_state = ecp.RelayState(actor=ACTOR,
must_understand="1",
text=relay_state)
eelist.append(element_to_extension_element(relay_state))
header = soapenv.Header()
header.extension_elements = eelist
# ----------------------------------------
# The SOAP envelope
# ----------------------------------------
soap_envelope = soapenv.Envelope(header=header, body=body)
return req_id, "%s" % soap_envelope