 def test_no_credentials_with_wrong_destination(self):
     """A signed response addressed to another origin yields no credentials.

     The fixture is parsed with verification suppressed, its Destination is
     re-pointed at an unrelated host and it is re-signed, so a rejection here
     is attributable to the destination check rather than to a bad signature.
     """
     response = CreateFromDocument(
         get_data('resp_success.xml'), suppress_verification=True)
     response.Destination = u'https://www.google.com'
     signed = self.sign_response(response)
     request = TestRequest(
         form={'SAMLResponse': b64encode(signed.toxml())})
     credentials = self.plugin.extractCredentials(request)
     self.assertEqual({}, credentials)
 def test_credentials_from_successful_response(self):
     """A freshly signed successful response yields subject and attributes.

     Checks that the extractor returns the subject identifier and the
     ``fullname`` attribute carried by the ``resp_success.xml`` fixture.
     """
     response = CreateFromDocument(
         get_data('resp_success.xml'), suppress_verification=True)
     signed = self.sign_response(response)
     request = TestRequest(
         form={'SAMLResponse': b64encode(signed.toxml())})
     credentials = self.plugin.extractCredentials(request)
     # Presence is asserted before value so a missing key fails clearly.
     self.assertIn('subject', credentials)
     self.assertEqual('*****@*****.**', credentials['subject'])
     self.assertIn('attributes', credentials)
     self.assertEqual('Jim Raynor', credentials['attributes']['fullname'])
 def sign_response(self, resp, update_issueinstant=True):
     """Sign *resp* with the test IdP key (``signing.key``) and return it.

     The signature goes on the first Assertion when the response carries one,
     otherwise on the Response element itself; any pre-existing Signature on
     that element is discarded first so the new one replaces it. When
     *update_issueinstant* is true, IssueInstant is reset to the current UTC
     time so the response does not read as stale.

     :param resp: parsed SAML Response binding object.
     :param update_issueinstant: refresh IssueInstant before signing.
     :return: the same *resp* object, mutated in place.
     """
     keyname = self.plugin.issuer_id
     context = SignatureContext()
     signing_key = Key.loadMemory(get_data('signing.key'), KeyDataFormatPem)
     context.add_key(signing_key, keyname)
     if update_issueinstant:
         now = dateTime.utcnow()
         resp.IssueInstant = now.replace(tzinfo=UTCOffsetTimeZone())
     # Sign the assertion when present, otherwise the response envelope.
     target = resp.Assertion[0] if resp.Assertion else resp
     target.Signature = None
     target.request_signature(keyname=keyname, context=context)
     return resp
 def setUpPloneSite(self, portal):
     """Install and configure the SAML2 WebSSO PAS plugin on *portal*.

     The plugin is registered under ``saml2_websso``, activated for the four
     PAS interfaces the tests exercise, and pointed at the test IdP/SP
     endpoints. ``signing_cert`` is loaded from the ``signing.crt`` fixture,
     which pairs with the ``signing.key`` used by ``sign_response``.
     """
     acl_users = portal.acl_users
     plugin = Saml2WebSSOPlugin('saml2_websso')
     acl_users._setObject(plugin.getId(), plugin)
     # Use the stored (container-wrapped) object, not the bare instance.
     plugin = acl_users['saml2_websso']
     interfaces = [
         'IAuthenticationPlugin',
         'IExtractionPlugin',
         'IRolesPlugin',
         'IUserEnumerationPlugin',
     ]
     plugin.manage_activateInterfaces(interfaces)

     # Endpoint and trust configuration for the test federation.
     plugin.idp_url = 'https://fs.domain.local/adfs/ls/'
     plugin.sp_url = 'https://sp.domain.local'
     plugin.issuer_id = 'http://fs.domain.local/adfs/services/trust'
     plugin.signing_cert = get_data('signing.crt')
    def setUp(self):
        """Point the test request at the SP host and enable SAML2 settings."""
        layer = self.layer
        self.portal = layer['portal']
        self.request = layer['request']

        # Make the request look like it arrived at the SP over HTTPS so that
        # URLs derived from it agree with ``sp_issuer_id`` below.
        sp_host = 'sp.domain.local'
        self.request.setServerURL(
            protocol='https', hostname=sp_host, port='443')
        environ = self.request.environ
        environ['HTTP_HOST'] = sp_host
        environ['SERVER_PORT'] = '443'

        # Service-provider settings: IdP trust anchor, issuer ids and flags.
        registry = queryUtility(IRegistry)
        settings = registry.forInterface(IServiceProviderSettings)
        settings.idp_cert = get_data('signing.crt').decode('utf8')
        settings.idp_issuer_id = u'http://fs.domain.local/adfs/services/trust'
        settings.idp_url = u'https://fs.domain.local/adfs/ls'
        settings.sp_issuer_id = u'https://sp.domain.local'
        settings.autoprovision_users = True
        settings.enabled = True
        self.settings = settings
 def test_no_credentials_with_old_response(self):
     """A correctly signed but stale response yields no credentials.

     Signing with ``update_issueinstant=False`` keeps the fixture's original
     IssueInstant, so only the freshness check can cause the rejection.
     """
     response = CreateFromDocument(
         get_data('resp_success.xml'), suppress_verification=True)
     signed = self.sign_response(response, update_issueinstant=False)
     request = TestRequest(
         form={'SAMLResponse': b64encode(signed.toxml())})
     credentials = self.plugin.extractCredentials(request)
     self.assertEqual({}, credentials)
 def test_no_credentials_with_unsuccessful_status(self):
     """A signed response with a non-success status yields no credentials.

     Uses the ``resp_invalid.xml`` fixture, freshly signed, so the rejection
     is down to the status rather than to signature or freshness.
     """
     response = CreateFromDocument(
         get_data('resp_invalid.xml'), suppress_verification=True)
     signed = self.sign_response(response)
     request = TestRequest(
         form={'SAMLResponse': b64encode(signed.toxml())})
     credentials = self.plugin.extractCredentials(request)
     self.assertEqual({}, credentials)
 def test_no_credentials_with_invalid_signature(self):
     """The raw fixture, not re-signed with the test key, yields no credentials.

     The document is posted as-is; whatever signature it carries (if any) was
     not produced by ``signing.key``, so the plugin must refuse it.
     """
     payload = b64encode(get_data('resp_success.xml'))
     request = TestRequest(form={'SAMLResponse': payload})
     credentials = self.plugin.extractCredentials(request)
     self.assertEqual({}, credentials)