class TestIdentifier():
def setup_class(self):
self.id = IdentDB("subject.db", "example.com", "example")
def test_persistent_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier',
'name_qualifier'])
assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1"
assert nameid.format == NAMEID_FORMAT_PERSISTENT
id = self.id.find_local_id(nameid)
assert id == "foobar"
def test_transient_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_TRANSIENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(), ['text', 'format', 'sp_name_qualifier',
'name_qualifier'])
assert nameid.format == NAMEID_FORMAT_TRANSIENT
def test_vo_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1)
print(name_id_policy)
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/biomed',
name_id_policy)
print(nameid)
assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format',
'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
assert nameid.text != "foobar"
def test_vo_2(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2)
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/design',
name_id_policy)
assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format',
'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/design'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
assert nameid.text != "foobar01"
def test_persistent_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.persistent_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print(remote_id)
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Always get the same
nameid2 = self.id.persistent_nameid("abcd0001", sp_id)
assert nameid.text.strip() == nameid2.text.strip()
def test_transient_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.transient_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print(remote_id)
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Getting a new, means really getting a new !
nameid2 = self.id.transient_nameid(sp_id, "abcd0001")
assert nameid.text.strip() != nameid2.text.strip()
def teardown_class(self):
if os.path.exists("foobar.db"):
os.unlink("foobar.db")
class TargetIdTestCase(unittest.TestCase):
def setup_class(self):
self.id = IdentDB({})
self.sp_entity_id = "https://localhost:/sp.xml"
sp_id = "urn:mace:umu.se:sp"
self.nameid1_text = "abcd0001"
self.nameid1 = self.id.persistent_nameid(self.nameid1_text, sp_id)
def get_aes_128_key(self):
return os.urandom(16)
def get_aes_192_key(self):
return os.urandom(24)
def get_aes_256_key(self):
return os.urandom(32)
def test_create_tid2_json(self):
tih = TargetIdHandler()
tid1 = self.nameid1.text.strip()
tid2_json = tih.tid2_json(tid1, self.sp_entity_id)
tid2_dict = tih.tid2_dict(tid2_json)
assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id."
assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id."
def test_hash_tid1(self):
hash_verify = {'md5': 32, 'sha1': 40, 'sha224': 56, 'sha256': 64, 'sha384': 96, 'sha512': 128}
try:
TargetIdHandler(h_alg="do_not_exist_alg")
assert False, "Must be an assert since the alg. do not exist."
except:
pass
tih = TargetIdHandler()
tid1 = self.nameid1.text.strip()
tid2_hash = tih.tid2_hash(tid1, self.sp_entity_id)
assert len(tid2_hash) == 64, "Default is sha256 alg and i should generate a string with length 64."
for tmp_h_alg in hash_verify:
tih = TargetIdHandler(h_alg=tmp_h_alg)
tid1 = self.nameid1.text.strip()
tid2_hash = tih.tid2_hash(tid1, self.sp_entity_id)
assert len(tid2_hash) == hash_verify[tmp_h_alg], "%s alg should generate a string with length %d." % \
(tmp_h_alg, hash_verify[tmp_h_alg])
def test_encrypt_tid1(self):
tih = TargetIdHandler()
tid1 = self.nameid1.text.strip()
tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id)
tid2_dict = tih.tid2_decrypt(tid2_encrypted)
assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id."
assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id."
def test_encrypt_alg_1(self):
for alg in TargetIdHandler.AES_ALG:
typ, bits, cmode = alg.split("_")
tih = TargetIdHandler(e_alg=alg)
tid1 = self.nameid1.text.strip()
tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id)
tid2_dict = tih.tid2_decrypt(tid2_encrypted)
assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id."
assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify SP entity id."
def test_encrypt_alg_2(self):
for alg in TargetIdHandler.AES_ALG:
typ, bits, cmode = alg.split("_")
iv = os.urandom(16)
key = os.urandom(int(bits) >> 3)
tih = TargetIdHandler(e_alg=alg, iv=iv, key=key)
tid1 = self.nameid1.text.strip()
tid2_encrypted = tih.tid2_encrypt(tid1, self.sp_entity_id)
tid2_dict = tih.tid2_decrypt(tid2_encrypted)
assert tid2_dict["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict["sp_entityid"] == self.sp_entity_id, "Cannot verify SP entity id."
assert tid2_dict["uuid"] is not None and len(tid2_dict["uuid"]) > 0, "Cannot verify uuid."
def test_encrypt_alg_3(self):
for alg in TargetIdHandler.AES_ALG:
typ, bits, cmode = alg.split("_")
iv = os.urandom(16)
key = os.urandom(int(bits) >> 3)
tih = TargetIdHandler(e_alg=alg, iv=iv, key=key)
tid1 = self.nameid1.text.strip()
tid2_encrypted_1 = tih.tid2_encrypt(tid1, self.sp_entity_id)
tid2_encrypted_2 = tih.tid2_encrypt(tid1, self.sp_entity_id)
tid2_dict_1 = tih.tid2_decrypt(tid2_encrypted_1)
tid2_dict_2 = tih.tid2_decrypt(tid2_encrypted_2)
assert tid2_encrypted_1 != tid2_encrypted_2, "Two encryption of the same data must never be the same!"
assert tid2_dict_1["tid1"] == tid2_dict_2["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict_1["sp_entityid"] == tid2_dict_2["sp_entityid"] == self.sp_entity_id, \
"Cannot verify SP entity id."
assert tid2_dict_1["uuid"] != tid2_dict_2["uuid"], "Cannot verify uuid."
def test_encrypt_alg_4(self):
for alg in TargetIdHandler.AES_ALG:
typ, bits, cmode = alg.split("_")
iv = os.urandom(16)
key = os.urandom(int(bits) >> 3)
tih = TargetIdHandler(e_alg=alg, iv=iv, key=key)
tid1 = self.nameid1.text.strip()
iv = tih.get_new_iv()
tid2_encrypted_1 = tih.tid2_encrypt(tid1, self.sp_entity_id, iv=iv)
tid2_encrypted_2 = tih.tid2_encrypt(tid1, self.sp_entity_id, iv=iv)
tid2_dict_1 = tih.tid2_decrypt(tid2_encrypted_1)
tid2_dict_2 = tih.tid2_decrypt(tid2_encrypted_2)
assert tid2_encrypted_1 != tid2_encrypted_2, "Two encryption of the same data must never be the same!"
assert tid2_dict_1["tid1"] == tid2_dict_2["tid1"] == self.nameid1_text, "Cannot verify tid1."
assert tid2_dict_1["sp_entityid"] == tid2_dict_2["sp_entityid"] == self.sp_entity_id, \
"Cannot verify SP entity id."
assert tid2_dict_1["uuid"] != tid2_dict_2["uuid"], "Cannot verify uuid."
class TestIdentifier():
def setup_class(self):
self.id = IdentDB("subject.db", "example.com", "example")
def test_persistent_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier',
'name_qualifier'])
assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1"
assert nameid.format == NAMEID_FORMAT_PERSISTENT
id = self.id.find_local_id(nameid)
assert id == "foobar"
def test_transient_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_TRANSIENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(), ['text', 'format', 'sp_name_qualifier',
'name_qualifier'])
assert nameid.format == NAMEID_FORMAT_TRANSIENT
def test_vo_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1)
print name_id_policy
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/biomed',
name_id_policy)
print nameid
assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format',
'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
assert nameid.text != "foobar"
def test_vo_2(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2)
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/design',
name_id_policy)
assert _eq(nameid.keyswv(), ['text', 'sp_name_qualifier', 'format',
'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/design'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
assert nameid.text != "foobar01"
def test_persistent_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.persistent_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print remote_id
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Always get the same
nameid2 = self.id.persistent_nameid("abcd0001", sp_id)
assert nameid.text.strip() == nameid2.text.strip()
def test_transient_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.transient_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print remote_id
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Getting a new, means really getting a new !
nameid2 = self.id.transient_nameid(sp_id, "abcd0001")
assert nameid.text.strip() != nameid2.text.strip()
def teardown_class(self):
if os.path.exists("foobar.db"):
os.unlink("foobar.db")
class TestIdentifier:
def setup_class(self):
for extension in ('.db', '.dir', '.dat', '.bak'):
try:
os.remove(full_path("subject.db{}".format(extension)))
except (OSError, IOError):
pass
self.id = IdentDB(full_path("subject.db"), "example.com", "example")
def test_persistent_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(),
['format', 'text', 'sp_name_qualifier', 'name_qualifier'])
assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1"
assert nameid.format == NAMEID_FORMAT_PERSISTENT
id_ = self.id.find_local_id(nameid)
assert id_ == "foobar"
def test_persistent_2(self):
userid = 'foobar'
nameid1 = self.id.persistent_nameid(userid,
sp_name_qualifier="sp1",
name_qualifier="name0")
nameid2 = self.id.persistent_nameid(userid,
sp_name_qualifier="sp1",
name_qualifier="name0")
# persistent NameIDs should be _persistent_ :-)
assert nameid1 == nameid2
def test_transient_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_TRANSIENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
nameid = self.id.construct_nameid("foobar", policy,
"urn:mace:example.com:sp:1")
assert _eq(nameid.keyswv(),
['text', 'format', 'sp_name_qualifier', 'name_qualifier'])
assert nameid.format == NAMEID_FORMAT_TRANSIENT
assert nameid.text != "foobar"
def test_vo_1(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_1)
print(name_id_policy)
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/biomed',
name_id_policy)
print(nameid)
assert _eq(nameid.keyswv(),
['text', 'sp_name_qualifier', 'format', 'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
# we want to *NOT* keep the user identifier in the nameid node
assert nameid.text != "foobar"
def test_vo_2(self):
policy = Policy({
"default": {
"name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"nameid_format": NAMEID_FORMAT_PERSISTENT,
"attribute_restrictions": {
"surName": [".*berg"],
}
}
})
name_id_policy = samlp.name_id_policy_from_string(NAME_ID_POLICY_2)
nameid = self.id.construct_nameid("foobar", policy,
'http://vo.example.org/design',
name_id_policy)
assert _eq(nameid.keyswv(),
['text', 'sp_name_qualifier', 'format', 'name_qualifier'])
assert nameid.sp_name_qualifier == 'http://vo.example.org/design'
assert nameid.format == NAMEID_FORMAT_PERSISTENT
assert nameid.text != "foobar01"
def test_persistent_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.persistent_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print(remote_id)
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Always get the same
nameid2 = self.id.persistent_nameid("abcd0001", sp_id)
assert nameid.text.strip() == nameid2.text.strip()
def test_transient_nameid(self):
sp_id = "urn:mace:umu.se:sp"
nameid = self.id.transient_nameid("abcd0001", sp_id)
remote_id = nameid.text.strip()
print(remote_id)
local = self.id.find_local_id(nameid)
assert local == "abcd0001"
# Getting a new, means really getting a new !
nameid2 = self.id.transient_nameid(sp_id, "abcd0001")
assert nameid.text.strip() != nameid2.text.strip()
def teardown_class(self):
if os.path.exists(full_path("subject.db")):
os.unlink(full_path("subject.db"))
