 def test_handle_authn_request_without_name_id_policy_default_to_name_id_format_from_metadata(
         self, context, idp_conf, sp_conf):
     """An AuthnRequest carrying no NameIDPolicy falls back to SP metadata.

     Per the test name, passing ``nameid_format=""`` to the helper produces a
     request without a NameIDPolicy element. The frontend must then derive the
     user-id hash type from the first ``name_id_format`` the SP registers in
     its own configuration, rather than from a frontend-wide default.
     """
     frontend = self.setup_for_authn_req(context, idp_conf, sp_conf, nameid_format="")
     _, internal_req = frontend.handle_authn_request(context, BINDING_HTTP_REDIRECT)

     # The expected value is taken from the SP's registered metadata, so the
     # assertion follows whatever format the fixture lists first.
     declared_format = sp_conf["service"]["sp"]["name_id_format"][0]
     expected_hash_type = saml_name_id_format_to_hash_type(declared_format)
     assert internal_req.user_id_hash_type == expected_hash_type
    def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname(
            self, idp_conf):
        """Attribute release is driven by the SP's ``RequestedAttribute`` list.

        The SP metadata below names each attribute by OID only (no
        ``FriendlyName``), while the expected result uses the internal
        (lower-cased) attribute names, so the frontend has to bridge from OID
        to internal name on its own.

        NOTE(review): the expected set is exactly the key set of
        ``internal_attributes``, so this test only proves that every
        requested attribute survives the filter; it would not catch an
        attribute being released that the SP never asked for.
        """
        sp_metadata_str = """<?xml version="1.0"?>
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp.example.com">
          <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
            <md:AttributeConsumingService>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            </md:AttributeConsumingService>
          </md:SPSSODescriptor>
        </md:EntityDescriptor>
        """

        # Register the SP directly from the inline metadata document.
        idp_conf["metadata"] = {"inline": [sp_metadata_str]}

        base_url = self.construct_base_url_from_entity_id(idp_conf["entityid"])
        conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS}

        # Identity mapping: each internal name is simply the lower-cased SAML
        # attribute name, so no real renaming happens in this test.
        saml_attribute_names = (
            "eduPersonTargetedID",
            "eduPersonPrincipalName",
            "eduPersonAffiliation",
            "mail",
            "displayName",
            "sn",
            "givenName",
        )
        attribute_mapping = {}
        for saml_name in saml_attribute_names:
            attribute_mapping[saml_name.lower()] = {"saml": [saml_name]}
        internal_attributes = {"attributes": attribute_mapping}

        frontend = SAMLFrontend(None, internal_attributes, conf, base_url, "saml_frontend")
        frontend.register_endpoints(["testprovider"])

        internal_req = InternalRequest(
            saml_name_id_format_to_hash_type(NAMEID_FORMAT_PERSISTENT),
            "http://sp.example.com",
            "Example SP",
        )
        idp_policy = frontend.idp.config.getattr("policy", "idp")
        approved = frontend._get_approved_attributes(
            frontend.idp, idp_policy, internal_req.requester, None)

        expected = {
            "edupersontargetedid",
            "edupersonprincipalname",
            "edupersonaffiliation",
            "mail",
            "displayname",
            "sn",
            "givenname",
        }
        assert set(approved) == expected
    def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname(self, idp_conf):
        """The approved-attribute filter honours OID-only ``RequestedAttribute`` entries.

        The inline SP metadata carries no ``FriendlyName`` on any requested
        attribute; the assertion nevertheless expects the internal
        (lower-cased) names, so the frontend must resolve the OIDs itself.

        NOTE(review): every key in ``internal_attributes`` is also expected in
        the result, so this test does not exercise the filter's exclusion
        side (an attribute the SP did not request being dropped).
        """
        sp_metadata_str = """<?xml version="1.0"?>
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp.example.com">
          <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
            <md:AttributeConsumingService>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
              <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            </md:AttributeConsumingService>
          </md:SPSSODescriptor>
        </md:EntityDescriptor>
        """

        idp_conf["metadata"] = {"inline": [sp_metadata_str]}

        base_url = self.construct_base_url_from_entity_id(idp_conf["entityid"])
        frontend_conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS}

        # No-op mapping: internal name == lower-cased SAML attribute name.
        saml_names = [
            "eduPersonTargetedID",
            "eduPersonPrincipalName",
            "eduPersonAffiliation",
            "mail",
            "displayName",
            "sn",
            "givenName",
        ]
        internal_attributes = {
            "attributes": {name.lower(): {"saml": [name]} for name in saml_names},
        }

        frontend = SAMLFrontend(None, internal_attributes, frontend_conf, base_url, "saml_frontend")
        frontend.register_endpoints(["testprovider"])

        hash_type = saml_name_id_format_to_hash_type(NAMEID_FORMAT_PERSISTENT)
        internal_req = InternalRequest(hash_type, "http://sp.example.com", "Example SP")

        policy = frontend.idp.config.getattr("policy", "idp")
        approved = frontend._get_approved_attributes(
            frontend.idp, policy, internal_req.requester, None)

        # Every internal name must come back; compare as sets since order is
        # not part of the contract.
        expected = {name.lower() for name in saml_names}
        assert set(approved) == expected
 def test_should_map_unspecified(self):
     """The SAML ``unspecified`` NameID format maps to ``UserIdHashType.unspecified``."""
     mapped = saml_name_id_format_to_hash_type(NAMEID_FORMAT_UNSPECIFIED)
     assert mapped == UserIdHashType.unspecified
 def test_should_map_email(self):
     """The SAML ``emailAddress`` NameID format maps to ``UserIdHashType.emailaddress``."""
     mapped = saml_name_id_format_to_hash_type(NAMEID_FORMAT_EMAILADDRESS)
     assert mapped == UserIdHashType.emailaddress
 def test_should_map_persistent(self):
     """The SAML ``persistent`` NameID format maps to ``UserIdHashType.persistent``."""
     mapped = saml_name_id_format_to_hash_type(NAMEID_FORMAT_PERSISTENT)
     assert mapped == UserIdHashType.persistent
 def test_should_map_transient(self):
     """The SAML ``transient`` NameID format maps to ``UserIdHashType.transient``."""
     mapped = saml_name_id_format_to_hash_type(NAMEID_FORMAT_TRANSIENT)
     assert mapped == UserIdHashType.transient
 def test_should_default_to_transient(self):
     """An unrecognised NameID format falls back to ``UserIdHashType.transient``.

     The mapping must not raise and must not pick an identifying type for
     input it does not understand; "foobar" stands in for any unknown or
     attacker-chosen format string arriving in a request.
     """
     unknown_format = "foobar"
     mapped = saml_name_id_format_to_hash_type(unknown_format)
     # Transient is the per-session, non-correlating choice, which is the
     # fallback a reviewer would expect for unknown input.
     assert mapped == UserIdHashType.transient
 def test_should_map_persistent(self):
     """``NAMEID_FORMAT_PERSISTENT`` resolves to the persistent hash type."""
     expected = UserIdHashType.persistent
     assert saml_name_id_format_to_hash_type(NAMEID_FORMAT_PERSISTENT) == expected
 def test_should_map_transient(self):
     """``NAMEID_FORMAT_TRANSIENT`` resolves to the transient hash type."""
     expected = UserIdHashType.transient
     assert saml_name_id_format_to_hash_type(NAMEID_FORMAT_TRANSIENT) == expected
 def test_should_default_to_transient(self):
     """A NameID format the mapping does not know resolves to transient.

     "foobar" is an arbitrary unknown format; the mapping must neither raise
     nor return a persistent/identifying type for it.
     """
     expected = UserIdHashType.transient
     assert saml_name_id_format_to_hash_type("foobar") == expected
 def test_handle_authn_request_without_name_id_policy_default_to_name_id_format_from_metadata(
         self, context, idp_conf, sp_conf):
     """Without a NameIDPolicy, the hash type comes from the SP's registered metadata.

     ``nameid_format=""`` is how the helper is told to omit the NameIDPolicy
     (per the test name). The internal request produced by
     ``handle_authn_request`` must then carry the hash type derived from the
     first ``name_id_format`` in ``sp_conf``.
     """
     frontend = self.setup_for_authn_req(
         context, idp_conf, sp_conf, nameid_format="")
     _, internal_req = frontend.handle_authn_request(
         context, BINDING_HTTP_REDIRECT)

     # Derive the expectation from the same SP configuration the frontend
     # reads, so the test tracks the fixture rather than a hard-coded format.
     first_declared_format = sp_conf["service"]["sp"]["name_id_format"][0]
     assert internal_req.user_id_hash_type == saml_name_id_format_to_hash_type(
         first_declared_format)