def test_no_credentials_with_wrong_destination(self):
resp = CreateFromDocument(get_data('resp_success.xml'),
suppress_verification=True)
resp.Destination = u'https://www.google.com'
resp = self.sign_response(resp)
req = TestRequest(form={'SAMLResponse': b64encode(resp.toxml())})
self.assertEqual({}, self.plugin.extractCredentials(req))
def test_credentials_from_successful_response(self):
resp = CreateFromDocument(get_data('resp_success.xml'),
suppress_verification=True)
resp = self.sign_response(resp)
req = TestRequest(form={'SAMLResponse': b64encode(resp.toxml())})
creds = self.plugin.extractCredentials(req)
self.assertIn('subject', creds)
self.assertEqual('*****@*****.**', creds['subject'])
self.assertIn('attributes', creds)
self.assertEqual('Jim Raynor', creds['attributes']['fullname'])
def sign_response(self, resp, update_issueinstant=True):
ctx = SignatureContext()
key = Key.loadMemory(get_data('signing.key'), KeyDataFormatPem)
ctx.add_key(key, self.plugin.issuer_id)
if update_issueinstant:
resp.IssueInstant = dateTime.utcnow().replace(
tzinfo=UTCOffsetTimeZone())
if resp.Assertion:
resp.Assertion[0].Signature = None
resp.Assertion[0].request_signature(keyname=self.plugin.issuer_id,
context=ctx)
else:
resp.Signature = None
resp.request_signature(keyname=self.plugin.issuer_id, context=ctx)
return resp
def setUpPloneSite(self, portal):
# Setup PAS plugin
uf = portal.acl_users
plugin = Saml2WebSSOPlugin('saml2_websso')
uf._setObject(plugin.getId(), plugin)
plugin = uf['saml2_websso']
plugin.manage_activateInterfaces([
'IAuthenticationPlugin',
'IExtractionPlugin',
'IRolesPlugin',
'IUserEnumerationPlugin',
])
plugin.idp_url = 'https://fs.domain.local/adfs/ls/'
plugin.sp_url = 'https://sp.domain.local'
plugin.issuer_id = 'http://fs.domain.local/adfs/services/trust'
plugin.signing_cert = get_data('signing.crt')
def setUp(self):
self.portal = self.layer['portal']
self.request = self.layer['request']
self.request.setServerURL(
protocol='https', hostname='sp.domain.local', port='443')
self.request.environ['HTTP_HOST'] = 'sp.domain.local'
self.request.environ['SERVER_PORT'] = '443'
# Configure SAML2 settings
registry = queryUtility(IRegistry)
self.settings = registry.forInterface(IServiceProviderSettings)
self.settings.idp_cert = get_data('signing.crt').decode('utf8')
self.settings.idp_issuer_id = u'http://fs.domain.local/adfs/services/trust'
self.settings.idp_url = u'https://fs.domain.local/adfs/ls'
self.settings.sp_issuer_id = u'https://sp.domain.local'
self.settings.autoprovision_users = True
self.settings.enabled = True
def test_no_credentials_with_old_response(self):
resp = CreateFromDocument(get_data('resp_success.xml'),
suppress_verification=True)
resp = self.sign_response(resp, update_issueinstant=False)
req = TestRequest(form={'SAMLResponse': b64encode(resp.toxml())})
self.assertEqual({}, self.plugin.extractCredentials(req))
def test_no_credentials_with_unsuccessful_status(self):
resp = CreateFromDocument(get_data('resp_invalid.xml'),
suppress_verification=True)
resp = self.sign_response(resp)
req = TestRequest(form={'SAMLResponse': b64encode(resp.toxml())})
self.assertEqual({}, self.plugin.extractCredentials(req))
def test_no_credentials_with_invalid_signature(self):
req = TestRequest(
form={'SAMLResponse': b64encode(get_data('resp_success.xml'))})
self.assertEqual({}, self.plugin.extractCredentials(req))
