Exemplo n.º 1
0
    def setup_class(self):
        with closing(Server(dotname("idp_conf"))) as server:
            name_id = server.ident.transient_nameid(
                                "urn:mace:example.com:saml:roland:sp","id12")

            self._resp_ = server.create_authn_response(
                                IDENTITY,
                                "id12",                       # in_response_to
                                "http://lingon.catalogix.se:8087/",   # consumer_url
                                "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                                name_id=name_id,
                                authn=AUTHN)

            self._sign_resp_ = server.create_authn_response(
                                IDENTITY,
                                "id12",                       # in_response_to
                                "http://lingon.catalogix.se:8087/",   # consumer_url
                                "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                                name_id=name_id, sign_assertion=True,
                                authn=AUTHN)

            self._resp_authn = server.create_authn_response(
                                IDENTITY,
                                "id12",                       # in_response_to
                                "http://lingon.catalogix.se:8087/",   # consumer_url
                                "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                                name_id=name_id,
                                authn=AUTHN)

            self.conf = config_factory("sp", dotname("server_conf"))
            self.conf.only_use_keys_in_metadata = False
            self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
Exemplo n.º 2
0
    def setup_class(self):
        with closing(Server(dotname("idp_conf"))) as server:
            name_id = server.ident.transient_nameid(
                "urn:mace:example.com:saml:roland:sp", "id12")

            self._resp_ = server.create_authn_response(
                IDENTITY,
                "id12",  # in_response_to
                "http://lingon.catalogix.se:8087/",  # consumer_url
                "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
                name_id=name_id,
                authn=AUTHN)

            self._sign_resp_ = server.create_authn_response(
                IDENTITY,
                "id12",  # in_response_to
                "http://lingon.catalogix.se:8087/",  # consumer_url
                "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
                name_id=name_id,
                sign_assertion=True,
                authn=AUTHN)

            self._resp_authn = server.create_authn_response(
                IDENTITY,
                "id12",  # in_response_to
                "http://lingon.catalogix.se:8087/",  # consumer_url
                "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
                name_id=name_id,
                authn=AUTHN)

            self.conf = config_factory("sp", dotname("server_conf"))
            self.conf.only_use_keys_in_metadata = False
            self.ar = authn_response(self.conf,
                                     "http://lingon.catalogix.se:8087/")
Exemplo n.º 3
0
    def setup_class(self):
        server = Server("idp_conf")
        name_id = server.ident.transient_nameid(
                            "urn:mace:example.com:saml:roland:sp","id12")
        policy = server.conf.getattr("policy", "idp")
        self._resp_ = server.create_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    IDENTITY, name_id = name_id, policy=policy)
                
        self._sign_resp_ = server.create_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    IDENTITY,
                    name_id = name_id, sign_assertion=True, policy=policy)

        self._resp_authn = server.create_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    IDENTITY,
                    name_id = name_id,
                    authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login"),
                    policy=policy)

        self.conf = config_factory("sp", "server_conf")
        self.conf.only_use_keys_in_metadata = False
        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
Exemplo n.º 4
0
    def setup_class(self):
        server = Server("idp_conf")
        name_id = server.ident.transient_nameid(
                            "urn:mace:example.com:saml:roland:sp","id12")

        self._resp_ = server.do_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    {"eduPersonEntitlement":"Jeter"},
                    name_id = name_id
                )
                
        self._sign_resp_ = server.do_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    {"eduPersonEntitlement":"Jeter"},
                    name_id = name_id,
                    sign=True
                )

        self._resp_authn = server.do_response(
                    "id12",                       # in_response_to
                    "http://lingon.catalogix.se:8087/",   # consumer_url
                    "urn:mace:example.com:saml:roland:sp", # sp_entity_id
                    {"eduPersonEntitlement":"Jeter"},
                    name_id = name_id,
                    authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login")
                )

        self.conf = config_factory("sp", "server_conf")
        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
Exemplo n.º 5
0
    def setup_class(self):
        server = Server("idp_conf")
        name_id = server.ident.transient_nameid(
            "urn:mace:example.com:saml:roland:sp", "id12")

        self._resp_ = server.do_response(
            "id12",  # in_response_to
            "http://lingon.catalogix.se:8087/",  # consumer_url
            "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
            {"eduPersonEntitlement": "Jeter"},
            name_id=name_id)

        self._sign_resp_ = server.do_response(
            "id12",  # in_response_to
            "http://lingon.catalogix.se:8087/",  # consumer_url
            "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
            {"eduPersonEntitlement": "Jeter"},
            name_id=name_id,
            sign=True)

        self._resp_authn = server.do_response(
            "id12",  # in_response_to
            "http://lingon.catalogix.se:8087/",  # consumer_url
            "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
            {"eduPersonEntitlement": "Jeter"},
            name_id=name_id,
            authn=(saml.AUTHN_PASSWORD, "http://www.example.com/login"))

        self.conf = config_factory("sp", "server_conf")
        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
Exemplo n.º 6
0
    def test_unpack_nested_eptid(self):
        authn_response_xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="CORTO54673f841c5297dd3614527d38e217332f9e3000"
                Version="2.0"
                IssueInstant="2016-09-23T14:00:45Z"
                Destination="https://sp.example.com/acs/post"
                InResponseTo="id-Wnv7CMQO1pFJoRWgi"
                >
            <saml:Issuer>https://idp.example.com</saml:Issuer>
            <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
            </samlp:Status>
            <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            ID="CORTOadad7cb5e1237cf30fa7ab49544c15eec582854e"
                            Version="2.0"
                            IssueInstant="2016-09-23T14:00:45Z"
                            >
                <saml:Issuer>https://idp.example.com</saml:Issuer>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs/post"
                                                      InResponseTo="id-Wnv7CMQO1pFJoRWgi"
                                                      />
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Conditions NotBefore="2016-09-23T14:00:44Z">
                    <saml:AudienceRestriction>
                        <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
                    </saml:AudienceRestriction>
                </saml:Conditions>
                <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z"
                                     SessionIndex="_9f1148918f12525c6cad9aea29bc557afab2cb8c33"
                                     >
                    <saml:AuthnContext>
                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                        <saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
                    </saml:AuthnContext>
                </saml:AuthnStatement>
                <saml:AttributeStatement>
                    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                    >
                        <saml:AttributeValue>
                            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
                        </saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
            </saml:Assertion>
        </samlp:Response>"""

        resp = authn_response(self.conf, "https://sp.example.com/acs/post", asynchop=False, allow_unsolicited=True)
        resp.loads(authn_response_xml, False)
        resp.parse_assertion()
        ava = resp.get_identity()
        assert len(ava) == 1
        assert ava["eduPersonTargetedID"] == ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]
Exemplo n.º 7
0
    def test_unpack_nested_eptid(self):
        authn_response_xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="CORTO54673f841c5297dd3614527d38e217332f9e3000"
                Version="2.0"
                IssueInstant="2016-09-23T14:00:45Z"
                Destination="https://sp.example.com/acs/post"
                InResponseTo="id-Wnv7CMQO1pFJoRWgi"
                >
            <saml:Issuer>https://idp.example.com</saml:Issuer>
            <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
            </samlp:Status>
            <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            ID="CORTOadad7cb5e1237cf30fa7ab49544c15eec582854e"
                            Version="2.0"
                            IssueInstant="2016-09-23T14:00:45Z"
                            >
                <saml:Issuer>https://idp.example.com</saml:Issuer>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs/post"
                                                      InResponseTo="id-Wnv7CMQO1pFJoRWgi"
                                                      />
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Conditions NotBefore="2016-09-23T14:00:44Z">
                    <saml:AudienceRestriction>
                        <saml:Audience>https://sp.example.com</saml:Audience>
                    </saml:AudienceRestriction>
                </saml:Conditions>
                <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z"
                                     SessionIndex="_9f1148918f12525c6cad9aea29bc557afab2cb8c33"
                                     >
                    <saml:AuthnContext>
                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                        <saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
                    </saml:AuthnContext>
                </saml:AuthnStatement>
                <saml:AttributeStatement>
                    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                    >
                        <saml:AttributeValue>
                            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
                        </saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
            </saml:Assertion>
        </samlp:Response>"""

        resp = authn_response(self.conf, "https://sp.example.com/acs/post", asynchop=False, allow_unsolicited=True)
        resp.loads(authn_response_xml, False)
        resp.parse_assertion()
        ava = resp.get_identity()
        assert ava["eduPersonTargetedID"] == ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]
Exemplo n.º 8
0
 def _get_test_response(self, path):
     conf = config_factory("idp", dotname("server_conf"))
     resp = authn_response(
         conf,
         "https://sp:443/.auth/saml/login",
         asynchop=False,
         allow_unsolicited=True,
     )
     with open(path, "r") as fp:
         authn_response_xml = fp.read()
     resp.loads(authn_response_xml, False)
     return resp
Exemplo n.º 9
0
def handle_ecp_authn_response(cls, soap_message, outstanding=None):
    rdict = soap.class_instances_from_soap_enveloped_saml_thingies(
        soap_message, [paos, ecp, samlp])

    _relay_state = None
    for item in rdict["header"]:
        if item.c_tag == "RelayState" and item.c_namespace == ecp.NAMESPACE:
            _relay_state = item

    response = authn_response(cls.config, cls.service_url(), outstanding,
                              allow_unsolicited=True)

    response.loads("%s" % rdict["body"], False, soap_message)
    response.verify()
    cls.users.add_information_about_person(response.session_info())

    return response, _relay_state
Exemplo n.º 10
0
def handle_ecp_authn_response(cls, soap_message, outstanding=None):
    rdict = soap.class_instances_from_soap_enveloped_saml_thingies(
        soap_message, [paos, ecp, samlp])

    _relay_state = None
    for item in rdict["header"]:
        if item.c_tag == "RelayState" and item.c_namespace == ecp.NAMESPACE:
            _relay_state = item

    response = authn_response(cls.config, cls.service_url(), outstanding,
                              allow_unsolicited=True)

    response.loads("%s" % rdict["body"], False, soap_message)
    response.verify()
    cls.users.add_information_about_person(response.session_info())

    return response, _relay_state
Exemplo n.º 11
0
    def test_signed_response_with_hmac_should_fail(self,
                                                   mock_validate_on_or_after):
        conf = config_factory("sp", dotname("server_conf"))
        ar = authn_response(conf, return_addrs="https://example.org/acs/post")
        ar.issue_instant_ok = Mock(return_value=True)

        with open(SIGNED_RESPONSE_HMAC) as fp:
            xml_response = fp.read()

        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
        ar.timeslack = 10000

        # .loads checks the response signature
        with raises(SignatureError):
            ar.loads(xml_response, decode=False)

        assert ar.ava is None
        assert ar.name_id is None
Exemplo n.º 12
0
    def test_signed_assertion_with_random_embedded_cert_should_be_ignored(
            self, mock_validate_on_or_after):
        """
        if the embedded cert is not ignored then verification will fail
        """

        conf = config_factory("sp", dotname("server_conf"))
        ar = authn_response(
            conf, return_addrs="https://51.15.251.81.xip.io/acs/post")
        ar.issue_instant_ok = Mock(return_value=True)

        with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp:
            xml_response = fp.read()

        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
        ar.timeslack = 10000

        # .loads does not check the assertion, only the response signature
        # use .verify to verify the contents of the response
        assert ar.loads(xml_response, decode=False)
        assert ar.verify()
Exemplo n.º 13
0
 def setup_class(self):
     self.conf = config_factory("sp", dotname("server_conf"))
     self.ar = authn_response(self.conf,
                              return_addrs="https://example.org/acs/post")
Exemplo n.º 14
0
            headers = None

        logger.info( "Headers: {0:>s}".format(headers))

        # send the request and receive the response
        response = ecp.phase2(request, acsu, idp_entity_id, headers,
                              sign)
    except Exception, exc:
        exception_trace("soap", exc, logger)
        logger.info("SoapClient exception: %s" % (exc,))
        return None

    if response:
        try:
            # synchronous operation
            aresp = authn_response(cls.config, acsu, asynchop=False,
                                   allow_unsolicited=True)
            #aresp.debug = True
        except Exception, exc:
            logger.error("%s" % exc)
            return None

        try:
            _resp = aresp.load_instance(response).verify()
        except Exception, err:
            logger.error("%s" % err)
            return None

        if _resp is None:
            logger.error("Didn't like the response")
            return None
Exemplo n.º 15
0
 def setup_class(self):
     self.conf = config_factory("sp", dotname("server_conf"))
     self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
Exemplo n.º 16
0
            headers.append(("Authorization", "Basic %s" % _str))

        logger.info("Headers: {0:>s}".format(headers))

        # send the request and receive the response
        response = ecp.phase2(request, acsu, idp_entity_id, headers, sign)
    except Exception, exc:
        exception_trace("soap", exc, logger)
        logger.info("SoapClient exception: %s" % (exc, ))
        return None

    if response:
        try:
            # synchronous operation
            aresp = authn_response(cls.config,
                                   acsu,
                                   asynchop=False,
                                   allow_unsolicited=True)
            #aresp.debug = True
        except Exception, exc:
            logger.error("%s" % exc)
            return None

        try:
            _resp = aresp.load_instance(response).verify()
        except Exception, err:
            logger.error("%s" % err)
            return None

        if _resp is None:
            logger.error("Didn't like the response")
            return None