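    def test_content_pem_file(self):
        '''
        The PEM the manager extracts from the IdP metadata must match the
        expected certificate once line breaks are ignored.

        Compares the normalized texts directly: an assertEqual on strings
        gives a readable diff on failure, whereas comparing digests only
        says "different".  The explicit f.close() inside the ``with`` block
        was redundant (the context manager closes the file) and is gone.
        '''
        pem_content = '''-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'''
        manager = IDP_metadata_manager(
            os.path.abspath(
                os.path.join(os.path.dirname(__file__), '..', 'resources',
                             'IDP_Metadata.xml')))
        # Keep ``manager`` referenced until the read is done: the temp PEM
        # file is expected to be removed when the manager is finalized.
        with open(manager.get_trusted_pem_filename(), 'r') as f:
            metadata_content = f.read()
        normalize = lambda text: text.replace('\n', '')
        self.assertEqual(normalize(pem_content), normalize(metadata_content))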
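    def test_content_pem_file(self):
        '''
        The PEM the manager extracts from the IdP metadata must match the
        expected certificate once line breaks are ignored.

        Compares the normalized texts directly: an assertEqual on strings
        gives a readable diff on failure, whereas comparing digests only
        says "different".  The explicit f.close() inside the ``with`` block
        was redundant (the context manager closes the file) and is gone.
        '''
        pem_content = '''-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'''
        manager = IDP_metadata_manager(os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'resources', 'IDP_Metadata.xml')))
        # Keep ``manager`` referenced until the read is done: the temp PEM
        # file is expected to be removed when the manager is finalized.
        with open(manager.get_trusted_pem_filename(), 'r') as f:
            metadata_content = f.read()
        normalize = lambda text: text.replace('\n', '')
        self.assertEqual(normalize(pem_content), normalize(metadata_content))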
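 def test_temp_file_management(self):
     '''
     The temp PEM file exists while the manager is alive and is gone once
     the last reference to the manager is dropped.

     The original relied on ``manager = None`` triggering finalization
     immediately, which only holds under CPython reference counting;
     forcing a collection makes the second assertion deterministic on
     other interpreters too.
     '''
     import gc

     manager = IDP_metadata_manager(
         os.path.abspath(
             os.path.join(os.path.dirname(__file__), '..', 'resources',
                          'IDP_Metadata.xml')))
     temp_file = manager.get_trusted_pem_filename()
     self.assertTrue(os.path.exists(temp_file))
     # Cleanup is expected to happen when the manager is finalized.
     del manager
     gc.collect()
     self.assertFalse(os.path.exists(temp_file))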
 def test_is_signature_ok(self):
     '''
     A response signed by the IdP verifies against the PEM extracted from
     the IdP metadata.
     '''
     response_manager = SAMLResponseManager(read_resource('SAMLResponse.txt'))
     metadata_path = os.path.join(os.path.dirname(__file__), '..',
                                  'resources', 'IDP_Metadata.xml')
     # Keep the metadata manager referenced while the PEM file is in use.
     metadata_manager = IDP_metadata_manager(os.path.abspath(metadata_path))
     pem_file = metadata_manager.get_trusted_pem_filename()
     self.assertTrue(response_manager.is_signature_ok(pem_file))
 def test_verification_with_incorrect_response_format(self):
     '''
     A response payload in the wrong format (the .xml resource) fails
     signature verification against a valid trusted PEM.
     '''
     metadata_path = os.path.join(os.path.dirname(__file__), '..',
                                  'resources', 'IDP_Metadata.xml')
     # Keep the manager referenced while the PEM file is in use.
     manager = IDP_metadata_manager(os.path.abspath(metadata_path))
     verifier = SAMLResposneSignatureVerification(
         manager.get_trusted_pem_filename(),
         read_resource('SAMLResponse.xml'))
     self.assertFalse(verifier.verify_signature())
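def saml2_post_consumer(request):
    '''
    This is the postback from IDP

    Decodes the base64 ``SAMLResponse`` form field, checks the response's
    conditions, status and signature against the trusted IdP metadata and,
    on success, creates a session, remembers it in the cookie headers and
    redirects to the decrypted ``RelayState`` URL (or the list of reports
    when none was posted).  On any failure a security event is written and
    the user is sent back to the login page.

    :param request: the Pyramid request carrying the IdP POST
    :returns: the response built by ``_get_landing_page``
    '''
    # TODO: compare with auth response id
    auth_request_id = "retrieve the id"

    settings = request.registry.settings

    # The form field is attacker-controlled: a missing field, bad base64
    # padding or non-UTF-8 bytes must end as a failed login, not a 500.
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    try:
        saml_response_text = base64.b64decode(
            request.POST['SAMLResponse']).decode('utf-8')
    except (KeyError, ValueError) as err:
        write_security_event(
            "SAML response missing or undecodable: {0}".format(err),
            SECURITY_EVENT_TYPE.WARN)
        return _get_landing_page(request, request.route_url('login'),
                                 headers=[])

    response_manager = SAMLResponseManager(saml_response_text)
    metadata_manager = IDP_metadata_manager(settings['auth.idp.metadata'])

    skip_verification = settings.get('auth.skip.verify', False)
    # TODO: enable auth_request_id
    # if response_manager.is_auth_request_id_ok(auth_request_id)
    condition = response_manager.is_condition_ok()
    status = response_manager.is_status_ok()
    signature = response_manager.is_signature_ok(
        metadata_manager.get_trusted_pem_filename())

    if skip_verification and not signature:
        # Make the bypass visible in the audit trail: a response whose
        # signature did not verify is about to be accepted because of
        # the auth.skip.verify setting.
        write_security_event(
            "SAML signature check failed but was bypassed by auth.skip.verify",
            SECURITY_EVENT_TYPE.WARN)

    if condition and status and (skip_verification or signature):

        # create a session
        identity_parser_class = load_class(
            settings.get(
                'auth.saml.identity_parser',
                'edauth.security.basic_identity_parser.BasicIdentityParser'))
        assertion = response_manager.get_SAMLResponse().get_assertion()
        session_id = create_session(request, assertion.get_attributes(),
                                    assertion.get_name_id(),
                                    assertion.get_session_index(),
                                    identity_parser_class)

        # Save session id to cookie
        headers = remember(request, session_id)
        # Get the url saved in RelayState from SAML request, redirect it back to it
        # If it's not found, redirect to list of reports
        # TODO: Need a landing other page
        redirect_url = request.POST.get('RelayState')
        if redirect_url:
            # NOTE(review): decrypt() is not guarded here; confirm what the
            # cipher raises on a tampered RelayState and whether the result
            # is restricted to trusted URLs before redirecting.
            redirect_url = _get_cipher().decrypt(redirect_url)
        else:
            redirect_url = request.route_url('list_of_reports')

    else:
        message = "SAML response failed with Condition: {0}, Status: {1}, Signature: {2}".format(
            str(condition), str(status), str(signature))
        write_security_event(message, SECURITY_EVENT_TYPE.WARN)
        redirect_url = request.route_url('login')
        headers = []

    return _get_landing_page(request, redirect_url, headers=headers)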
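 def test_temp_file_management(self):
     '''
     The temp PEM file exists while the manager is alive and is gone once
     the last reference to the manager is dropped.

     The original relied on ``manager = None`` triggering finalization
     immediately, which only holds under CPython reference counting;
     forcing a collection makes the second assertion deterministic on
     other interpreters too.
     '''
     import gc

     manager = IDP_metadata_manager(os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'resources', 'IDP_Metadata.xml')))
     temp_file = manager.get_trusted_pem_filename()
     self.assertTrue(os.path.exists(temp_file))
     # Cleanup is expected to happen when the manager is finalized.
     del manager
     gc.collect()
     self.assertFalse(os.path.exists(temp_file))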
 def test_no_file_creation(self):
     '''
     Without IdP metadata there is no certificate to extract, so the
     manager reports no trusted PEM filename at all.
     '''
     pem_file = IDP_metadata_manager(None).get_trusted_pem_filename()
     self.assertIsNone(pem_file)
 def test_no_file_creation(self):
     '''
     Without IdP metadata there is no certificate to extract, so the
     manager reports no trusted PEM filename at all.
     '''
     pem_file = IDP_metadata_manager(None).get_trusted_pem_filename()
     self.assertIsNone(pem_file)
 def test_is_signature_ok(self):
     '''
     A response signed by the IdP verifies against the PEM extracted from
     the IdP metadata.
     '''
     response_manager = SAMLResponseManager(read_resource('SAMLResponse.txt'))
     metadata_path = os.path.join(os.path.dirname(__file__), '..',
                                  'resources', 'IDP_Metadata.xml')
     # Keep the metadata manager referenced while the PEM file is in use.
     metadata_manager = IDP_metadata_manager(os.path.abspath(metadata_path))
     pem_file = metadata_manager.get_trusted_pem_filename()
     self.assertTrue(response_manager.is_signature_ok(pem_file))
 def test_verification_with_incorrect_response_format(self):
     '''
     A response payload in the wrong format (the .xml resource) fails
     signature verification against a valid trusted PEM.
     '''
     metadata_path = os.path.join(os.path.dirname(__file__), '..',
                                  'resources', 'IDP_Metadata.xml')
     # Keep the manager referenced while the PEM file is in use.
     manager = IDP_metadata_manager(os.path.abspath(metadata_path))
     verifier = SAMLResposneSignatureVerification(
         manager.get_trusted_pem_filename(),
         read_resource('SAMLResponse.xml'))
     self.assertFalse(verifier.verify_signature())
 def test_verfication_without_metadata(self):
     '''
     With no IdP metadata there is no trusted PEM, so even the well-formed
     signed response must not verify.
     '''
     manager = IDP_metadata_manager(None)
     verifier = SAMLResposneSignatureVerification(
         manager.get_trusted_pem_filename(),
         read_resource('SAMLResponse.txt'))
     self.assertFalse(verifier.verify_signature())
 def test_verfication_without_metadata(self):
     '''
     With no IdP metadata there is no trusted PEM, so even the well-formed
     signed response must not verify.
     '''
     manager = IDP_metadata_manager(None)
     verifier = SAMLResposneSignatureVerification(
         manager.get_trusted_pem_filename(),
         read_resource('SAMLResponse.txt'))
     self.assertFalse(verifier.verify_signature())