def test_raise_exception_if_file_dont_exist(self):
with pytest.raises(IOError):
SATOSAConfig._readfile("no_exist")
def test_can_read_endpoint_configs_from_file(self, satosa_config_dict, modules_key):
satosa_config_dict[modules_key] = ["/fake_file_path"]
with pytest.raises(SATOSAConfigurationError):
SATOSAConfig(satosa_config_dict)
def run_test(self, satosa_config_dict, sp_conf, oidc_backend_config,
frontend_config):
subject_id = "testuser1"
# proxy config
satosa_config_dict["FRONTEND_MODULES"] = [frontend_config]
satosa_config_dict["BACKEND_MODULES"] = [oidc_backend_config]
satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {
attr_name: {
"openid": [attr_name],
"saml": [attr_name]
}
for attr_name in USERS[subject_id]
}
frontend_metadata, backend_metadata = create_entity_descriptors(
SATOSAConfig(satosa_config_dict))
# application
test_client = Client(make_app(SATOSAConfig(satosa_config_dict)),
BaseResponse)
# config test SP
frontend_metadata_str = str(
frontend_metadata[frontend_config["name"]][0])
sp_conf["metadata"]["inline"].append(frontend_metadata_str)
fakesp = FakeSP(SPConfig().load(sp_conf))
# create auth req
destination, req_args = fakesp.make_auth_req(
frontend_metadata[frontend_config["name"]][0].entity_id)
auth_req = urlparse(destination).path + "?" + urlencode(req_args)
# make auth req to proxy
proxied_auth_req = test_client.get(auth_req)
assert proxied_auth_req.status == "302 Found"
parsed_auth_req = dict(
parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))
# create auth resp
id_token_claims = {k: v for k, v in OIDC_USERS[subject_id].items()}
id_token_claims["sub"] = subject_id
id_token_claims["iat"] = time.time()
id_token_claims["exp"] = time.time() + 3600
id_token_claims["iss"] = "https://op.example.com"
id_token_claims["aud"] = oidc_backend_config["config"]["client"][
"client_metadata"]["client_id"]
id_token_claims["nonce"] = parsed_auth_req["nonce"]
id_token = IdToken(**id_token_claims).to_jwt()
authn_resp = {"state": parsed_auth_req["state"], "id_token": id_token}
# make auth resp to proxy
redirect_uri_path = urlparse(
oidc_backend_config["config"]["client"]["client_metadata"]
["redirect_uris"][0]).path
authn_resp_req = redirect_uri_path + "?" + urlencode(authn_resp)
authn_resp = test_client.get(authn_resp_req)
assert authn_resp.status == "303 See Other"
# verify auth resp from proxy
resp_dict = dict(
parse_qsl(urlparse(authn_resp.data.decode("utf-8")).query))
auth_resp = fakesp.parse_authn_request_response(
resp_dict["SAMLResponse"], BINDING_HTTP_REDIRECT)
assert auth_resp.ava == USERS[subject_id]
def test_can_read_endpoint_configs_from_dict(self, satosa_config_dict, modules_key):
expected_config = [{"foo": "bar"}, {"abc": "xyz"}]
satosa_config_dict[modules_key] = expected_config
config = SATOSAConfig(satosa_config_dict)
assert config[modules_key] == expected_config
def test_constructor_should_raise_exception_if_sensitive_keys_are_missing(self, non_sensitive_config_dict):
with pytest.raises(SATOSAConfigurationError):
SATOSAConfig(non_sensitive_config_dict)
def test_senstive_config_data_from_env_var_overrides_config(self, monkeypatch, non_sensitive_config_dict):
non_sensitive_config_dict["STATE_ENCRYPTION_KEY"] = "bar"
monkeypatch.setenv("SATOSA_STATE_ENCRYPTION_KEY", "state_encryption_key")
config = SATOSAConfig(non_sensitive_config_dict)
assert config["STATE_ENCRYPTION_KEY"] == "state_encryption_key"
def __init__(self):
if TestConfiguration._instance:
raise TypeError(
'Singletons must be accessed through `get_instance()`.')
else:
TestConfiguration._instance = self
# Add test directory to path to be able to import configurations
sys.path.append(os.path.dirname(__file__))
if os.path.isfile("/usr/bin/xmlsec1"):
self.xmlsec_path = "/usr/bin/xmlsec1"
elif os.path.isfile("/usr/local/bin/xmlsec1"):
self.xmlsec_path = "/usr/local/bin/xmlsec1"
proxy_config_dict = {
"BASE": "https://localhost:8090",
"COOKIE_STATE_NAME": "TEST_STATE",
"STATE_ENCRYPTION_KEY": "ASDasd123",
"PLUGIN_PATH": [os.path.dirname(__file__)],
"BACKEND_MODULES": [inspect.getmodulename(__file__)],
"FRONTEND_MODULES": [inspect.getmodulename(__file__)],
"USER_ID_HASH_SALT": "qwerty",
"INTERNAL_ATTRIBUTES": INTERNAL_ATTRIBUTES
}
self.proxy_config = SATOSAConfig(proxy_config_dict)
frontend_metadata = []
backend_metadata = []
self.fake_idp_metadata = []
self.fake_sp_metadata = []
self.backend_cert, self.backend_key = \
FileGenerator.get_instance().generate_cert("Saml2Backend")
self.frontend_cert, self.frontend_key = \
FileGenerator.get_instance().generate_cert("Saml2Frontend")
fake_idp_base = "https://example.com"
fake_idp_cert, fake_idp_key = FileGenerator.get_instance(
).generate_cert("fake_idp")
self.fake_idp_config = {
"entityid": "{}/unittest_idp.xml".format(fake_idp_base),
"service": {
"idp": {
"endpoints": {
"single_sign_on_service": [
("%s/sso/post" % fake_idp_base, BINDING_HTTP_POST),
("%s/sso/redirect" % fake_idp_base,
BINDING_HTTP_REDIRECT),
],
},
},
},
"key_file": fake_idp_key.name,
"cert_file": fake_idp_cert.name,
"metadata": {
"local": backend_metadata,
},
"xmlsec_binary": self.xmlsec_path,
}
fake_sp_base = "http://example.com"
fake_sp_cert, fake_sp_key = FileGenerator.get_instance().generate_cert(
"fake_sp")
self.fake_sp_config = {
"entityid": "{}/unittest_sp.xml".format(fake_sp_base),
"service": {
"sp": {
"endpoints": {
"assertion_consumer_service":
[("%s/acs/redirect" % fake_sp_base,
BINDING_HTTP_REDIRECT),
("%s/acs/post" % fake_sp_base, BINDING_HTTP_POST)],
},
"allow_unsolicited": "true",
},
},
"key_file": fake_sp_key.name,
"cert_file": fake_sp_cert.name,
"metadata": {
"local": frontend_metadata,
},
"xmlsec_binary": self.xmlsec_path,
}
fake_idp_metadata_file = FileGenerator.get_instance().create_metadata(
self.fake_idp_config, "fake_idp")
fake_sp_metadata_file = FileGenerator.get_instance().create_metadata(
self.fake_sp_config, "fake_sp")
frontend_metadata_file = FileGenerator.get_instance().create_metadata(
Saml2FrontendPlugin(self.proxy_config.BASE).config["idp_config"],
"frontend")
backend_metadata_file = FileGenerator.get_instance().create_metadata(
Saml2BackendPlugin(self.proxy_config.BASE).config["config"],
"backend")
self.fake_idp_metadata.append(fake_idp_metadata_file.name)
self.fake_sp_metadata.append(fake_sp_metadata_file.name)
frontend_metadata.append(frontend_metadata_file.name)
backend_metadata.append(backend_metadata_file.name)
def test_read_senstive_config_data_from_env_var(self, monkeypatch, non_sensitive_config_dict):
monkeypatch.setenv("SATOSA_USER_ID_HASH_SALT", "user_id_hash_salt")
monkeypatch.setenv("SATOSA_STATE_ENCRYPTION_KEY", "state_encryption_key")
config = SATOSAConfig(non_sensitive_config_dict)
assert config["USER_ID_HASH_SALT"] == "user_id_hash_salt"
assert config["STATE_ENCRYPTION_KEY"] == "state_encryption_key"
