def handle_response(self, context):
auth_info = AuthenticationInformation("test", str(datetime.now()),
"test_issuer")
internal_resp = InternalResponse(auth_info=auth_info)
internal_resp.attributes = context.request
internal_resp.user_id = "test_user"
return self.auth_callback_func(context, internal_resp)
def test_handle_authn_response_returns_id_token_for_verified_affiliation(
self, signing_key_path, context, scope_value, affiliation):
authn_req = AuthorizationRequest(
scope='openid ' + scope_value,
client_id='client1',
redirect_uri='https://client.example.com',
response_type='id_token')
context.state[self.frontend.name] = {
'oidc_request': authn_req.to_urlencoded()
}
internal_response = InternalResponse(
AuthenticationInformation(None, str(datetime.now()),
'https://idp.example.com'))
internal_response.attributes['affiliation'] = [affiliation]
internal_response.user_id = 'user1'
resp = self.frontend.handle_authn_response(context, internal_response)
auth_resp = AuthorizationResponse().from_urlencoded(
urlparse(resp.message).fragment)
id_token = IdToken().from_jwt(
auth_resp['id_token'],
key=[RSAKey(key=rsa_load(signing_key_path))])
assert id_token['iss'] == self.frontend.base_url
assert id_token['aud'] == ['client1']
assert id_token['auth_time'] == internal_response.auth_info.timestamp
def internal_response():
auth_info = AuthenticationInformation("auth_class_ref", "timestamp", "issuer")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.set_user_id_hash_type(UserIdHashType.persistent)
internal_response.add_attributes(
{"displayName": "Test", "co": "example", "sn": "removed_by_filter"})
internal_response.user_id = "usrID"
return internal_response
def setup_for_authn_response(self, context, frontend, auth_req):
context.state[frontend.name] = {"oidc_request": auth_req.to_urlencoded()}
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.attributes = AttributeMapper(INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])
internal_response.user_id = USERS["testuser1"]["eduPersonTargetedID"][0]
return internal_response
def test_auth_resp_callback_func_respects_user_id_to_attr(self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["user_id_to_attr"] = "user_id"
base = SATOSABase(satosa_config)
internal_resp = InternalResponse(AuthenticationInformation("", "", ""))
internal_resp.user_id = "user1234"
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
UserIdHasher.save_state(InternalRequest(UserIdHashType.transient, ""), context.state)
base._auth_resp_callback_func(context, internal_resp)
assert internal_resp.attributes["user_id"] == [internal_resp.user_id]
def internal_response():
auth_info = AuthenticationInformation("auth_class_ref", "timestamp",
"issuer")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.set_user_id_hash_type(UserIdHashType.persistent)
internal_response.add_attributes({
"displayName": "Test",
"co": "example",
"sn": "removed_by_filter"
})
internal_response.user_id = "usrID"
return internal_response
def test_handle_authn_response_returns_error_access_denied_for_wrong_affiliation(self, context, scope_value,
affiliation):
authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1',
redirect_uri='https://client.example.com',
response_type='id_token')
context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()}
internal_response = InternalResponse()
internal_response.attributes['affiliation'] = [affiliation]
internal_response.user_id = 'user1'
resp = self.frontend.handle_authn_response(context, internal_response)
auth_resp = AuthorizationErrorResponse().from_urlencoded(urlparse(resp.message).fragment)
assert auth_resp['error'] == 'access_denied'
def setup_for_authn_response(self, context, frontend, auth_req):
context.state[frontend.name] = {
"oidc_request": auth_req.to_urlencoded()
}
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z",
"unittest_idp.xml")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.attributes = AttributeMapper(
INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])
internal_response.user_id = USERS["testuser1"]["eduPersonTargetedID"][
0]
return internal_response
def test_auth_resp_callback_func_respects_user_id_to_attr(
self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["user_id_to_attr"] = "user_id"
base = SATOSABase(satosa_config)
internal_resp = InternalResponse(AuthenticationInformation("", "", ""))
internal_resp.user_id = "user1234"
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.
STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
UserIdHasher.save_state(InternalRequest(UserIdHashType.transient, ""),
context.state)
base._auth_resp_callback_func(context, internal_resp)
assert internal_resp.attributes["user_id"] == [internal_resp.user_id]
def test_auth_resp_callback_func_hashes_all_specified_attributes(self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["hash"] = ["user_id", "mail"]
base = SATOSABase(satosa_config)
attributes = {"user_id": ["user"], "mail": ["*****@*****.**", "*****@*****.**"]}
internal_resp = InternalResponse(AuthenticationInformation("", "", ""))
internal_resp.attributes = copy.copy(attributes)
internal_resp.user_id = "test_user"
UserIdHasher.save_state(InternalRequest(UserIdHashType.transient, ""), context.state)
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
base._auth_resp_callback_func(context, internal_resp)
for attr in satosa_config["INTERNAL_ATTRIBUTES"]["hash"]:
assert internal_resp.attributes[attr] == [UserIdHasher.hash_data(satosa_config["USER_ID_HASH_SALT"], v)
for v in attributes[attr]]
def test_handle_authn_response_returns_error_access_denied_for_wrong_affiliation(
self, context, scope_value, affiliation):
authn_req = AuthorizationRequest(
scope='openid ' + scope_value,
client_id='client1',
redirect_uri='https://client.example.com',
response_type='id_token')
context.state[self.frontend.name] = {
'oidc_request': authn_req.to_urlencoded()
}
internal_response = InternalResponse()
internal_response.attributes['affiliation'] = [affiliation]
internal_response.user_id = 'user1'
resp = self.frontend.handle_authn_response(context, internal_response)
auth_resp = AuthorizationErrorResponse().from_urlencoded(
urlparse(resp.message).fragment)
assert auth_resp['error'] == 'access_denied'
def test_handle_authn_response_returns_id_token_for_verified_affiliation(
self, signing_key_path, context, scope_value, affiliation):
authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1',
redirect_uri='https://client.example.com',
response_type='id_token')
context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()}
internal_response = InternalResponse(AuthenticationInformation(None, str(datetime.now()),
'https://idp.example.com'))
internal_response.attributes['affiliation'] = [affiliation]
internal_response.user_id = 'user1'
resp = self.frontend.handle_authn_response(context, internal_response)
auth_resp = AuthorizationResponse().from_urlencoded(urlparse(resp.message).fragment)
id_token = IdToken().from_jwt(auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))])
assert id_token['iss'] == self.frontend.base_url
assert id_token['aud'] == ['client1']
assert id_token['auth_time'] == internal_response.auth_info.timestamp
def test_auth_resp_callback_func_hashes_all_specified_attributes(
self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["hash"] = ["user_id", "mail"]
base = SATOSABase(satosa_config)
attributes = {
"user_id": ["user"],
"mail": ["*****@*****.**", "*****@*****.**"]
}
internal_resp = InternalResponse(AuthenticationInformation("", "", ""))
internal_resp.attributes = copy.copy(attributes)
internal_resp.user_id = "test_user"
UserIdHasher.save_state(InternalRequest(UserIdHashType.transient, ""),
context.state)
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.
STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
base._auth_resp_callback_func(context, internal_resp)
for attr in satosa_config["INTERNAL_ATTRIBUTES"]["hash"]:
assert internal_resp.attributes[attr] == [
UserIdHasher.hash_data(satosa_config["USER_ID_HASH_SALT"], v)
for v in attributes[attr]
]
def internal_response(self):
auth_info = AuthenticationInformation("auth_class_ref", "timestamp", "issuer")
internal_response = InternalResponse(auth_info=auth_info)
internal_response.user_id = "user1"
return internal_response
def handle_response(self, context):
auth_info = AuthenticationInformation("test", str(datetime.now()), "test_issuer")
internal_resp = InternalResponse(auth_info=auth_info)
internal_resp.attributes = context.request
internal_resp.user_id = "test_user"
return self.auth_callback_func(context, internal_resp)
def internal_resp(self):
resp = InternalResponse(AuthenticationInformation(None, str(datetime.now()), 'https://idp.example.com'))
resp.requester = 'client1'
resp.user_id = 'user1'
resp.attributes['affiliation'] = ['student']
return resp
