def dump_db(self, db_outdir, readonly):
    """Return the SQL dump of one of the IdP's SQLite databases.

    With *readonly* set the 'userprefs' database is dumped, otherwise
    'adminconfig'; the file is looked up as ``<db_outdir>/<name>.sqlite``.
    The dump is produced by running ``/usr/bin/sqlite3 <file> .dump`` with
    stderr routed to ``self.stderr``.  A non-zero exit status is reported
    through ``TC.fail('Sqlite dump failed')``; whatever sqlite3 wrote to
    stdout is returned in either case.
    """
    db_name = 'userprefs' if readonly else 'adminconfig'
    db_path = os.path.join(db_outdir, '%s.sqlite' % db_name)
    # Argument list, no shell: the path is handed to sqlite3 verbatim.
    dumper = subprocess.Popen(['/usr/bin/sqlite3', db_path, '.dump'],
                              stdout=subprocess.PIPE, stderr=self.stderr)
    output = dumper.communicate()[0]
    if dumper.returncode:
        TC.fail('Sqlite dump failed')
    return output
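def run_test(testname, test, args):
    """Set up, run and tear down a single test module.

    Args:
        testname: Name of the test (unused here; kept for the caller's
            signature).
        test: The test object; it must provide ``platform_supported()``,
            ``setup_base()``, ``setup_servers()``, ``run()`` and ``wait()``
            plus the attributes read below.
        args: Dict with at least 'verbose', 'path' and 'wrappers'.

    Returns:
        A tuple whose first element is one of the TEST_RESULT_* codes:
        ``(TEST_RESULT_SKIP, reason)``, ``(TEST_RESULT_FAIL, code, results)``,
        ``(TEST_RESULT_EXCEPTION, exc, results)``,
        ``(TEST_RESULT_SETUP_FAILED, step)`` or
        ``(TEST_RESULT_SUCCESS, results)``.

    The /dev/null handle used to silence the test at low verbosity is now
    closed before returning (it used to leak one descriptor per test), so
    ``test.stdout`` / ``test.stderr`` must not be reused after this call.
    """
    supported = test.platform_supported()
    if supported is not None:
        return (TEST_RESULT_SKIP, supported)
    devnull = None
    try:
        if args['verbose'] <= VERBOSE_SHOWOUTPUT:
            devnull = open(os.devnull, 'w')
            test.stdout = devnull
            test.stderr = devnull
        if args['verbose'] >= VERBOSE_SHOWCASES:
            test.print_cases = True
        test.setup_base(args['path'], test)
        env = try_wrappers(test.testdir, args['wrappers'], test.allow_wrappers)
        env['PYTHONPATH'] = test.rootdir
        env['TESTDIR'] = test.testdir
        results = []
        post_setup = False
        # The list is registered before anything runs so that cases
        # recorded during setup_servers() are still reported on failure.
        TC.store_results(results)
        try:
            test.setup_servers(env)
            post_setup = True
            code, results = test.run(env)
            if code:
                return (TEST_RESULT_FAIL, code, results)
        except Exception as e:  # pylint: disable=broad-except
            # post_setup tells a crash during the test apart from a crash
            # while the servers were still being brought up.
            if post_setup:
                return (TEST_RESULT_EXCEPTION, e, results)
            return (TEST_RESULT_SETUP_FAILED, test.current_setup_step)
        finally:
            # Always reap the test's child processes, whatever the outcome.
            test.wait()
        return (TEST_RESULT_SUCCESS, results)
    finally:
        if devnull is not None:
            devnull.close()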
self.setup_step("Starting first SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') with TC.case('Verify logged out state'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/') page.expected_value('//div[@id="content"]/p/a/text()', 'Log In') with TC.case('Authenticating to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Verify logged in state'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2-test.example.com' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add first SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Access second SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45082/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Update Second SP'): # This is a test to see whether we can update SAML SPs where the name
if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' sp2name = 'sp2-test.example.com' sp3name = 'sp3_invalid' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.10:45082') sess.add_server(sp3name, 'https://127.0.0.10:45083') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('List initial Service Providers via REST'): result = sess.get_rest_sp(idpname) if len(result['result']) != 0: raise ValueError( 'Expected no SP and got %d' % len(result['result']) ) with TC.case('Add SP Metadata to IdP via admin'): sess.add_sp_metadata(idpname, spname) with TC.case('List Service Providers via REST'): result = sess.get_rest_sp(idpname) if len(result['result']) != 1:
self.start_http_server(conf, env) self.setup_step("Installing SP server") name = 'sp1' addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = '******' sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'tuser') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to Idp with no LDAP backend'): sess.auth_to_idp( idpname, rule='//div[@class="alert alert-danger"]/p/text()', expected="Internal system error" )
name = 'sp1' addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] with TC.case('Add SP Metadata to IdP'): sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') sess.auth_to_idp(idpname) sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area'): sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!')
addr = '127.0.0.11' port = '45081' sp = self.generate_profile(sp_g, sp_a, name, addr, port) conf = self.setup_sp_server(sp, name, addr, port, env) fixup_sp_httpd(os.path.dirname(conf)) self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area Variables'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/index.shtml') page.expected_value('text()', 'Test User %s' % user)
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2-test.example.com' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IDP'): sess.auth_to_idp(idpname) with TC.case('Add first SP metadata to IDP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Make sure we send no RelayState if none was requested'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/', follow_redirect=1) # Cut off the RelayState target = page.result.headers['Location'] target = target[:target.find('&RelayState=')] page = sess.fetch_page(idpname, target, post_forms=False) data = sess.get_form_data(page, 'saml-response', ['name', 'value']) if data[0] != 'https://127.0.0.11:45081/saml2/postResponse':
if __name__ == '__main__':
    # Test driver: one IdP and three SPs, all on loopback addresses.
    idpname = 'idp1'
    sp1name = 'sp1'
    sp2name = 'sp2'
    sp3name = 'sp3'
    # The test user is the account running the suite.
    user = pwd.getpwuid(os.getuid())[0]
    sess = HttpSessions()
    # The extra arguments for the IdP entry are presumably the login
    # credentials used by auth_to_idp() — confirm against HttpSessions.
    sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon')
    sess.add_server(sp1name, 'https://127.0.0.11:45081')
    sess.add_server(sp2name, 'https://127.0.0.12:45082')
    sess.add_server(sp3name, 'https://127.0.0.13:45083')
    with TC.case('Authenticate to IdP'):
        sess.auth_to_idp(idpname)
    with TC.case('Registering test client'):
        # OpenID Connect dynamic client registration request; the
        # 'https://invalid/' URIs only need to be accepted by the
        # registration endpoint, not resolved.
        client_info = {
            'redirect_uris': ['https://invalid/'],
            'response_types': ['code'],
            'grant_types': ['authorization_code'],
            'application_type': 'web',
            'client_name': 'Test suite client',
            'client_uri': 'https://invalid/',
            'token_endpoint_auth_method': 'client_secret_post'
        }
        # NOTE(review): no verify= argument is visible here — confirm how
        # the test CA is trusted (or that verification is deliberately
        # relaxed for this loopback-only harness).
        r = requests.post('https://127.0.0.10:45080/idp1/openidc/Registration', json=client_info)
        r.raise_for_status()
    # The original script continues with further cases beyond this excerpt.
if __name__ == '__main__':
    # Test driver: one IdP plus the first SP from sp_list (defined
    # elsewhere in the file).
    idpname = 'idp1'
    user = pwd.getpwuid(os.getuid())[0]
    sp = sp_list[0]
    spurl = 'https://%s:%s' % (sp['addr'], sp['port'])
    # Set global mapping and allowed attributes, then test fetch from
    # SP.
    sess = HttpSessions()
    # Extra arguments for the IdP entry are presumably the login
    # credentials used by auth_to_idp() — confirm against HttpSessions.
    sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon')
    sess.add_server(sp['name'], spurl)
    with TC.case('Authenticate to IdP'):
        sess.auth_to_idp(idpname)
    with TC.case('Add SP Metadata to IdP'):
        sess.add_sp_metadata(idpname, sp['name'])
    with TC.case('Test default mapping and attrs'):
        # Attributes the SP is expected to receive for *user* with the
        # default attribute mapping; 'givenname' deliberately contains a
        # non-ASCII character to exercise the encoding path.
        # NOTE(review): the 'email' literal appears redacted in this copy
        # of the file; the original presumably contains a %s placeholder,
        # otherwise the `% user` formatting would raise TypeError.
        expect = {
            'NAME_ID': user,
            'fullname': 'Test User %s' % user,
            'surname': user,
            'givenname': u'Test User 一',
            'email': '*****@*****.**' % user,
            'groups': user,
        }
        check_info_plugin(sess, idpname, spurl, expect)
    # The original script may continue with further cases beyond this excerpt.
self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' spname = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): # Stress-test database connections for i in xrange(50): sess.auth_to_idp(idpname) sess.logout_from_idp(idpname) sess.auth_to_idp(idpname) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Access SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Logout from SP'): page = sess.fetch_page(
} for kkey in kenv: os.environ[kkey] = kenv[kkey] sp_list = generate_sp_list() for sp in sp_list: krb = False spname = sp['nameid'] spurl = 'https://%s:%s' % (sp['addr'], sp['port']) sess = HttpSessions() sess.add_server(idpname, 'https://%s:45080' % WRAP_HOSTNAME, user, 'ipsilon') sess.add_server(spname, spurl) TC.info('Testing NameID format %s' % spname) if spname == 'kerberos': krb = True with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname, krb=krb) with TC.case('Add SP Metadata to IdP'): sess.add_sp_metadata(idpname, spname) with TC.case('Set supported Name ID formats'): sess.set_sp_default_nameids(idpname, spname, [spname]) with TC.case('Access SP Protected Area', should_fail=bool(expected[spname])):
def test_upgrade_from(self, env, old_version, with_readonly):
    """Install an IdP, seed it with a schema-*old_version* database, upgrade it and exercise it.

    Args:
        env: Environment dict passed to the spawned processes.
        old_version: Schema version of the fixture databases to start from;
            0 means "no fixture, upgrade a freshly created database".
        with_readonly: When true the IdP is configured with a read-only
            adminconfig and the instance name gets a '_readonly' suffix.

    Returns:
        Whatever ``self.run_and_collect()`` returns for the child test
        invocation (presumably an (exit_code, results) pair, matching how
        run() consumes it — confirm).

    Raises:
        Exception: if the dump of the upgraded database lacks a feature the
            upgrade to the next schema version is expected to introduce.
        subprocess.CalledProcessError: if sqlite3 or the upgrade tool fails.
    """
    # Setup IDP Server
    TC.info("Installing IDP server to test upgrade from %i" % old_version)
    name = 'idp_v%i' % old_version
    if with_readonly:
        name = name + '_readonly'
    # Each version gets its own loopback address and port so that several
    # instances can coexist in one test run.
    addr = '127.0.0.%i' % (10 + old_version)
    port = str(45080 + old_version)
    idp = self.generate_profile(idp_g, idp_a, name, addr, port)
    conf = self.setup_idp_server(idp, name, addr, port, env)
    # Move database of old_version into place
    cfgfile = os.path.join(self.testdir, 'etc', name, 'ipsilon.conf')
    db_indir = os.path.join(self.rootdir, 'tests', 'blobs', 'old_dbs', 'v%i' % old_version)
    db_outdir = os.path.join(self.testdir, 'lib', name)
    if with_readonly:
        self.use_readonly_adminconfig(name)
    if old_version > 0:
        for database in [
            'adminconfig', 'openid', 'saml2.sessions.db', 'transactions', 'userprefs'
        ]:
            db_in = os.path.join(db_indir, '%s.sqlite.dump' % database)
            db_out = os.path.join(db_outdir, '%s.sqlite' % database)
            # The freshly installed database is replaced, not merged;
            # os.unlink() raises if setup_idp_server() did not create it.
            os.unlink(db_out)
            # In read-only mode adminconfig/openid are removed but not
            # restored from the dump — presumably use_readonly_adminconfig()
            # points the IdP at a different store for them; confirm.
            if database not in ['adminconfig', 'openid'] or not with_readonly:
                # Both paths are built from self.rootdir / self.testdir,
                # not from external input, and sqlite3 is invoked without
                # a shell.
                cmd = ['/usr/bin/sqlite3', db_out, '.read %s' % db_in]
                subprocess.check_call(cmd, stdout=self.stdout, stderr=self.stderr)
    # Upgrade that database
    cmd = [
        os.path.join(self.rootdir, 'ipsilon/install/ipsilon-upgrade-database'),
        cfgfile
    ]
    subprocess.check_call(cmd, cwd=os.path.join(self.testdir, 'lib', name), env=env, stdout=self.stdout, stderr=self.stderr)
    # Check some version-specific changes, to see if the upgrade went OK
    # The checks are textual: they look for SQL keywords in the output of
    # `sqlite3 .dump` (see dump_db), which reads 'userprefs' in read-only
    # mode and 'adminconfig' otherwise.
    if old_version == 0:
        # Check all features in a newly created database
        # Let's verify if at least one index was created
        output = self.dump_db(db_outdir, with_readonly)
        if 'CREATE INDEX' not in output:
            raise Exception('Database upgrade did not introduce index')
        if 'PRIMARY KEY' not in output:
            raise Exception('Database upgrade did not introduce primary ' + 'key')
    elif old_version == 1:
        # In 1 -> 2, we added indexes and primary keys
        # Let's verify if at least one index was created
        output = self.dump_db(db_outdir, with_readonly)
        if 'CREATE INDEX' not in output:
            raise Exception('Database upgrade did not introduce index')
        # SQLite did not support creating primary keys, so we can't test
    elif old_version == 2 and not with_readonly:
        # Version 3 added the authz_config table
        # Make sure it exists
        output = self.dump_db(db_outdir, with_readonly)
        if 'TABLE authz_config' not in output:
            raise Exception('Database upgrade did not introduce ' + 'authz_config table')
    # Start the httpd server
    http_server = self.start_http_server(conf, env)
    # Now attempt to use the upgraded database
    # Re-run this test script as a child with
    # "<old_version> <readonly|no-readonly> <name> <addr:port>" arguments.
    exe = self.execname
    if exe.endswith('c'):
        # Presumably turns a compiled '.pyc' path back into the '.py'
        # source so the script can be executed directly — confirm.
        exe = exe[:-1]
    exe = [exe]
    exe.append(str(old_version))
    if with_readonly:
        exe.append('readonly')
    else:
        exe.append('no-readonly')
    exe.append(name)
    exe.append('%s:%s' % (addr, port))
    result = self.run_and_collect(exe, env=env)
    # Now kill the last http server
    # SIGTERM goes to the whole process group, then the handle is dropped
    # from self.processes so the generic teardown does not kill it again.
    os.killpg(http_server.pid, signal.SIGTERM)
    self.processes.remove(http_server)
    return result
self.setup_step("Starting SP's httpd server") self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Run OpenID Protocol'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/?extensions=NO', require_consent=True) page.expected_value('text()', 'SUCCESS, WITHOUT EXTENSIONS') with TC.case('Run OpenID Protocol without consent'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/?extensions=NO', require_consent=False) page.expected_value('text()', 'SUCCESS, WITHOUT EXTENSIONS') with TC.case('Revoking SP consent'):
'ipsilon/install/ipsilon-upgrade-database'), cfgfile ] subprocess.check_call(cmd, cwd=os.path.join(self.testdir, 'lib', idpname), env=env, stdout=self.stdout, stderr=self.stderr) self.setup_step("Starting IDP's httpd server") self.start_http_server(idpconf, env) self.setup_step("Starting SP's httpd server") self.start_http_server(spconf, env) if __name__ == '__main__': user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(spname, 'https://127.0.0.11:45081') with TC.case('Access IdP homepage'): page = sess.fetch_page(idpname, 'https://127.0.0.10:45080/idp1/') page.expected_value('//title/text()', 'Ipsilon') with TC.case('Access SP protected area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!')
krb5conf = os.path.join(testdir, 'krb5.conf') kenv = { 'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', 'KRB5_CONFIG': krb5conf, 'KRB5CCNAME': 'FILE:' + os.path.join(testdir, 'ccaches/user') } for key in kenv: os.environ[key] = kenv[key] sess = HttpSessions() sess.add_server(idpname, 'https://%s:45080' % WRAP_HOSTNAME, user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.11:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname, krb=True) with TC.case('Add first SP Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Access first SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Access second SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45082/sp/') page.expected_value('text()', 'WORKS!')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' sp1name = 'sp1' sp2name = 'sp2' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') sess.add_server(sp1name, 'https://127.0.0.11:45081') sess.add_server(sp2name, 'https://127.0.0.12:45082') with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) with TC.case('Add SP1 Metadata to IdP'): sess.add_sp_metadata(idpname, sp1name) with TC.case('Add SP2 Metadata to IdP'): sess.add_sp_metadata(idpname, sp2name) with TC.case('Access SP1 when authz stack set to allow'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/') page.expected_value('text()', 'WORKS!') with TC.case('Set IdP authz stack to deny'): sess.disable_plugin(idpname, 'authz', 'allow') sess.enable_plugin(idpname, 'authz', 'deny')
self.start_http_server(conf, env) if __name__ == '__main__': idpname = 'idp1' user = pwd.getpwuid(os.getuid())[0] sess = HttpSessions() sess.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon') for sp in splist: spname = sp['nameid'] spurl = 'https://%s:%s' % (sp['addr'], sp['port']) sess.add_server(spname, spurl) with TC.case('Authenticate to IdP'): sess.auth_to_idp(idpname) for sp in splist: spname = sp['nameid'] with TC.case('Add SP Metadata for %s to IdP' % spname): sess.add_sp_metadata(idpname, spname) with TC.case('Logout without logging into SP'): page = sess.fetch_page(idpname, '%s/%s?%s' % ( 'https://127.0.0.11:45081', 'saml2/logout', 'ReturnTo=https://127.0.0.11:45081/open/logged_out.html')) page.expected_value('text()', 'Logged out') with TC.case('Access SP Protected Area'): page = sess.fetch_page(idpname, 'https://127.0.0.11:45081/sp/')
def run(self, env):
    """Run the upgrade test for every schema version, with and without read-only mode.

    Versions ``0 .. CURRENT_SCHEMA_VERSION - 1`` are each tried twice via
    ``self.test_upgrade_from()``.  Returns ``(exit_code, results)`` where
    exit_code is 1 if any single run reported a non-zero exit code and 0
    otherwise, and results is the concatenation of every run's results.
    """
    overall_exit_code = 0
    overall_results = []
    versions = range(ipsilon.util.data.CURRENT_SCHEMA_VERSION)
    for version in versions:
        for with_readonly in (True, False):
            exit_code, results = self.test_upgrade_from(
                env, version, with_readonly)
            overall_results.extend(results)
            if exit_code != 0:
                overall_exit_code = 1
    return overall_exit_code, overall_results


if __name__ == '__main__':
    # Child invocation: presumably started by test_upgrade_from() with the
    # argument list "<old_version> <readonly|no-readonly> <idpname>
    # <addr:port>" — confirm against the parent's run_and_collect() call.
    from_version = sys.argv[1]
    with_ro = sys.argv[2]
    idpname = sys.argv[3]
    url = sys.argv[4]
    user = pwd.getpwuid(os.getuid())[0]
    sess = HttpSessions()
    sess.add_server(idpname, 'https://%s' % url, user, 'ipsilon')
    with TC.case('From v%s %s: Authenticate to IdP' % (from_version, with_ro)):
        sess.auth_to_idp(idpname)
    # The original script may continue with further cases beyond this excerpt.