def test_assertion_2():
    AVA = {'mail': '*****@*****.**',
           'eduPersonTargetedID': 'http://lingon.ladok.umu.se:8090/idp!http://lingon.ladok.umu.se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976',
           'displayName': 'Roland Hedberg',
           'uid': 'http://roland.hedberg.myopenid.com/'}

    ava = Assertion(AVA)

    policy = Policy({
        "default": {
            "lifetime": {"minutes": 240},
            "attribute_restrictions": None,  # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })

    ava = ava.apply_policy("", policy)
    acs = ac_factory(full_path("attributemaps"))
    attribute = from_local(acs, ava, policy.get_name_form(""))

    assert len(attribute) == 4
    names = [attr.name for attr in attribute]
    assert _eq(names, ['urn:oid:0.9.2342.19200300.100.1.3',
                       'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
                       'urn:oid:2.16.840.1.113730.3.1.241',
                       'urn:oid:0.9.2342.19200300.100.1.1'])
示例#2
0
def test_ava_filter_1():
    conf = {
        "default": {
            "lifetime": {"minutes":15},
            "attribute_restrictions": None # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions":{
                "givenName": None,
                "surName": None,
                "mail": [".*@.*\.umu\.se"],
            }
        }}

    r = Policy(conf)
    
    ava = {"givenName":"Derek", 
            "surName": "Jeter", 
            "mail":"*****@*****.**"}
    
    ava = r.filter(ava,"urn:mace:umu.se:saml:roland:sp",None,None)
    assert _eq(ava.keys(), ["givenName","surName"])

    ava = {"givenName":"Derek", 
            "mail":"*****@*****.**"}

    assert _eq(ava.keys(), ["givenName","mail"])
示例#3
0
def test_ava_filter_dont_fail():
    conf = {
        "default": {
            "lifetime": {"minutes": 15},
            "attribute_restrictions": None,  # means all I have
            "fail_on_missing_requested": False,
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]},
            "fail_on_missing_requested": False,
        },
    }

    policy = Policy(conf)

    ava = {"givenName": "Derek", "surName": "Jeter", "mail": "*****@*****.**"}

    # mail removed because it doesn't match the regular expression
    # So it should fail if the 'fail_on_ ...' flag wasn't set
    _ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [mail], [gn, sn])

    assert _ava

    ava = {"givenName": "Derek", "surName": "Jeter"}

    # it wasn't there to begin with
    _ava = policy.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, [gn, sn, mail])

    assert _ava
示例#4
0
def test_filter_ava_5():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp(METADATACONF["1"])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None,  # means all I have
            "entity_categories": ["swamid", "edugain"]
        }
    }
    policy = Policy(restrictions=policy_conf, mds=mds)

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": [
            "*****@*****.**",
            "*****@*****.**",
        ],
    }
    ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")

    # using entity_categories means there *always* are restrictions
    # in this case the only allowed attribute is eduPersonTargetedID
    # which isn't available in the ava hence zip is returned.
    assert ava == {}
示例#5
0
def test_ava_filter_2():
    conf = {
        "default": {
            "lifetime": {"minutes": 15},
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions": {
                "givenName": None,
                "sn": None,
                "mail": [".*@.*\.umu\.se"],
            }
        }}

    policy = Policy(conf)

    ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}

    # mail removed because it doesn't match the regular expression
    _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
                         [gn, sn])

    assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])

    ava = {"givenName": "Derek", "sn": "Jeter"}

    # it wasn't there to begin with
    try:
        policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
                      [gn, sn, mail])
    except MissingValue:
        pass
示例#6
0
def test_ava_filter_1():
    conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
                "mail": [r".*@.*\.umu\.se"],
            }
        }
    }

    r = Policy(conf)

    ava = {
        "givenName": "Derek",
        "surName": "Jeter",
        "mail": "*****@*****.**"
    }

    ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp")
    assert _eq(list(ava.keys()), ["givenName", "surName"])

    ava = {"givenName": "Derek", "mail": "*****@*****.**"}

    assert _eq(sorted(list(ava.keys())), ["givenName", "mail"])
示例#7
0
def test_lifetime_1():
    conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
                "mail": [r".*@.*\.umu\.se"],
            }
        }
    }

    r = Policy(conf)

    assert r is not None

    assert r.get_lifetime("urn:mace:umu.se:saml:roland:sp") == {"minutes": 5}
    assert r.get_lifetime("urn:mace:example.se:saml:sp") == {"minutes": 15}
def test_filter_ava2():
    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["refeds", "edugain"]
        }
    }
    policy = Policy(policy_conf, MDS)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz"
    }

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth")

    # Mismatch, policy deals with eduGAIN, metadata says SWAMID
    # So only minimum should come out
    assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
示例#9
0
def test_filter_attribute_value_assertions_2(AVA):
    p = Policy(
        {"default": {
            "attribute_restrictions": {
                "givenName": ["^R.*"],
            }
        }})

    ava = filter_attribute_value_assertions(AVA[0].copy(),
                                            p.get_attribute_restrictions(""))

    print(ava)
    assert _eq(ava.keys(), [])

    ava = filter_attribute_value_assertions(AVA[1].copy(),
                                            p.get_attribute_restrictions(""))

    print(ava)
    assert _eq(list(ava.keys()), ["givenName"])
    assert ava["givenName"] == ["Ryan"]

    ava = filter_attribute_value_assertions(AVA[3].copy(),
                                            p.get_attribute_restrictions(""))

    print(ava)
    assert _eq(list(ava.keys()), ["givenName"])
    assert ava["givenName"] == ["Roland"]
示例#10
0
def test_ava_filter_2():
    conf = {
        "default": {
            "lifetime": {"minutes": 15},
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions": {
                "givenName": None,
                "sn": None,
                "mail": [".*@.*\.umu\.se"],
            }
        }}

    policy = Policy(conf)

    ava = {"givenName": "Derek", "sn": "Jeter", "mail": "*****@*****.**"}

    # mail removed because it doesn't match the regular expression
    _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
                         [gn, sn])

    assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])

    ava = {"givenName": "Derek", "sn": "Jeter"}

    # it wasn't there to begin with
    try:
        policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
                      [gn, sn, mail])
    except MissingValue:
        pass
示例#11
0
def test_filter_ava_3():
    """ Only example.com mail addresses returned """
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:example.com:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "mail": [r".*@example\.com$"],
            }
        }
    })

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": ["*****@*****.**", "*****@*****.**"]
    }

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    assert _eq(list(ava.keys()), ["mail"])
    assert ava["mail"] == ["*****@*****.**"]
示例#12
0
    def get_ava(self, user=None):
        # IDENTITY AND ATTR POLICY
        # Generate request session stuff needed for user agreement screen
        attrs_to_exclude = self.sp['config'].get('user_agreement_attr_exclude', []) + \
                           getattr(settings, "SAML_IDP_USER_AGREEMENT_ATTR_EXCLUDE", [])

        identity = {
            k: v
            for k, v in self.processor.create_identity(user or self.request.user,
                                                       self.sp).items()
            if k not in attrs_to_exclude
        }

        # entity categories and other pysaml2 policies could filter out some attributes
        policy = Policy(restrictions=settings.SAML_IDP_CONFIG['service']['idp'].get('policy'))
        ava = policy.filter(identity,
                            self.sp['id'],
                            self.IDP.config.metadata,
                            required=[])
        # remove None
        for attr in ava:
            if not ava[attr]:
                ava[attr] = ''

        # END IDENTITY AND ATTR POLICY
        return identity, policy, ava
示例#13
0
def test_filter_ava_4():
    """ Return everything as default policy is used """
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:example.com:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "mail": [r".*@example\.com$"],
            }
        }
    })

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": ["*****@*****.**", "*****@*****.**"]
    }

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")

    assert _eq(sorted(list(ava.keys())), ['mail', 'givenName', 'surName'])
    assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
示例#14
0
def test_filter_attribute_value_assertions_2(AVA):
    p = Policy({
        "default": {
            "attribute_restrictions": {
                "givenName": ["^R.*"],
            }
        }
    })
    
    ava = filter_attribute_value_assertions(AVA[0].copy(), 
                                            p.get_attribute_restriction(""))
    
    print ava
    assert _eq(ava.keys(), [])
    
    ava = filter_attribute_value_assertions(AVA[1].copy(), 
                                            p.get_attribute_restriction(""))
    
    print ava
    assert _eq(ava.keys(), ["givenName"])
    assert ava["givenName"] == ["Ryan"]

    ava = filter_attribute_value_assertions(AVA[3].copy(), 
                                            p.get_attribute_restriction(""))
    
    print ava
    assert _eq(ava.keys(), ["givenName"])
    assert ava["givenName"] == ["Roland"]
示例#15
0
def test_assertion_2():
    AVA = {'mail': u'*****@*****.**',
           'eduPersonTargetedID': 'http://lingon.ladok.umu.se:8090/idp!http://lingon.ladok.umu.se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976',
           'displayName': u'Roland Hedberg',
           'uid': 'http://roland.hedberg.myopenid.com/'}

    ava = Assertion(AVA)

    policy = Policy( {
        "default": {
            "lifetime": {"minutes": 240},
            "attribute_restrictions": None, # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })

    ava = ava.apply_policy( "", policy )
    acs = ac_factory("attributemaps")
    attribute=from_local(acs, ava, policy.get_name_form(""))

    assert len(attribute) == 4
    names = [attr.name for attr in attribute]
    assert _eq(names, ['urn:oid:0.9.2342.19200300.100.1.3',
                       'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
                       'urn:oid:2.16.840.1.113730.3.1.241',
                       'urn:oid:0.9.2342.19200300.100.1.1'])
示例#16
0
def test_req_opt():
    req = [md.RequestedAttribute(friendly_name="surname", name="urn:oid:2.5.4.4",
                                 name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                 is_required="true"),
           md.RequestedAttribute(friendly_name="givenname",
                                 name="urn:oid:2.5.4.42",
                                 name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                 is_required="true"),
           md.RequestedAttribute(friendly_name="edupersonaffiliation",
                                 name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
                                 name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                 is_required="true")]

    opt = [md.RequestedAttribute(friendly_name="title", 
                    name="urn:oid:2.5.4.12",
                    name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                    is_required="false")]
                
    policy = Policy()
    ava = {'givenname': 'Roland', 'surname': 'Hedberg', 
            'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
            
    sp_entity_id = "urn:mace:example.com:saml:curt:sp"
    fava = policy.filter(ava, sp_entity_id, req, opt)
    assert fava
def test_filter_ava3():
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]
    }])

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134"
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
示例#18
0
def test_filter_ava_0():
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:example.com:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
        }
    })

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": ["*****@*****.**"]
    }

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
    assert ava["givenName"] == ["Derek"]
    assert ava["surName"] == ["Jeter"]
    assert ava["mail"] == ["*****@*****.**"]
示例#19
0
def test_filter_ava_1():
    """ No mail address returned """
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:example.com:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
            }
        }
    })

    ava = {
        "givenName": ["Derek"],
        "surName": ["Jeter"],
        "mail": ["*****@*****.**"]
    }

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])

    assert _eq(ava.keys(), ["givenName", "surName"])
    assert ava["givenName"] == ["Derek"]
    assert ava["surName"] == ["Jeter"]
def test_req_opt():
    req = [
        to_dict(
            md.RequestedAttribute(
                friendly_name="surname", name="urn:oid:2.5.4.4",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true"), ONTS),
        to_dict(
            md.RequestedAttribute(
                friendly_name="givenname",
                name="urn:oid:2.5.4.42",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true"), ONTS),
        to_dict(
            md.RequestedAttribute(
                friendly_name="edupersonaffiliation",
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true"), ONTS)]

    opt = [
        to_dict(
            md.RequestedAttribute(
                friendly_name="title",
                name="urn:oid:2.5.4.12",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="false"), ONTS)]

    policy = Policy()
    ava = {'givenname': 'Roland', 'surname': 'Hedberg',
           'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}

    sp_entity_id = "urn:mace:example.com:saml:curt:sp"
    fava = policy.filter(ava, sp_entity_id, None, req, opt)
    assert fava
示例#21
0
def test_filter_attribute_value_assertions_0(AVA):
    p = Policy({"default": {"attribute_restrictions": {"surName": [".*berg"]}}})

    ava = filter_attribute_value_assertions(AVA[3].copy(), p.get_attribute_restrictions(""))

    print ava
    assert ava.keys() == ["surName"]
    assert ava["surName"] == ["Hedberg"]
示例#22
0
def test_filter_ava_esi_coco():
    entity_id = "https://esi-coco.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_esi_and_coco_sp.xml"), )]
    }])

    policy_conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "entity_categories": ["swamid"]
        }
    }

    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Test"],
        "sn": ["Testsson"],
        "mail": ["*****@*****.**"],
        "c": ["SE"],
        "schacHomeOrganization": ["example.com"],
        "eduPersonScopedAffiliation": ["*****@*****.**"],
        "schacPersonalUniqueCode": [
            "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
        ]
    }

    requested_attributes = [{
        'friendly_name': 'eduPersonScopedAffiliation',
        'name': '1.3.6.1.4.1.5923.1.1.1.9',
        'name_format': NAME_FORMAT_URI,
        'is_required': 'true'
    }, {
        'friendly_name': 'schacHomeOrganization',
        'name': '1.3.6.1.4.1.25178.1.2.9',
        'name_format': NAME_FORMAT_URI,
        'is_required': 'true'
    }]

    ava = policy.filter(ava, entity_id, required=requested_attributes)

    assert _eq(list(ava.keys()), [
        'eduPersonScopedAffiliation', 'schacHomeOrganization',
        'schacPersonalUniqueCode'
    ])
    assert _eq(ava["eduPersonScopedAffiliation"], ["*****@*****.**"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])
    assert _eq(ava["schacPersonalUniqueCode"], [
        "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
    ])
示例#23
0
def test_lifetime_2():
    conf = {
        "default": {"attribute_restrictions": None},  # means all I have
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions": {"givenName": None, "surName": None, "mail": [".*@.*\.umu\.se"]},
        },
    }

    r = Policy(conf)
    assert r is not None

    assert r.get_lifetime("urn:mace:umu.se:saml:roland:sp") == {"minutes": 5}
    assert r.get_lifetime("urn:mace:example.se:saml:sp") == {"hours": 1}
示例#24
0
def test_filter_attribute_value_assertions_0(AVA):
    p = Policy(
        {"default": {
            "attribute_restrictions": {
                "surName": [".*berg"],
            }
        }})

    ava = filter_attribute_value_assertions(AVA[3].copy(),
                                            p.get_attribute_restrictions(""))

    print(ava)
    assert list(ava.keys()) == ["surName"]
    assert ava["surName"] == ["Hedberg"]
示例#25
0
def test_req_opt():
    req = [
        to_dict(
            md.RequestedAttribute(
                friendly_name="surname",
                name="urn:oid:2.5.4.4",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true",
            ),
            ONTS,
        ),
        to_dict(
            md.RequestedAttribute(
                friendly_name="givenname",
                name="urn:oid:2.5.4.42",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true",
            ),
            ONTS,
        ),
        to_dict(
            md.RequestedAttribute(
                friendly_name="edupersonaffiliation",
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="true",
            ),
            ONTS,
        ),
    ]

    opt = [
        to_dict(
            md.RequestedAttribute(
                friendly_name="title",
                name="urn:oid:2.5.4.12",
                name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                is_required="false",
            ),
            ONTS,
        )
    ]

    policy = Policy()
    ava = {"givenname": "Roland", "surname": "Hedberg", "uid": "rohe0002", "edupersonaffiliation": "staff"}

    sp_entity_id = "urn:mace:example.com:saml:curt:sp"
    fava = policy.filter(ava, sp_entity_id, None, req, opt)
    assert fava
示例#26
0
def test_filter_attribute_value_assertions_1(AVA):
    p = Policy({"default": {"attribute_restrictions": {"surName": None, "givenName": [".*er.*"]}}})

    ava = filter_attribute_value_assertions(AVA[0].copy(), p.get_attribute_restrictions(""))

    print ava
    assert _eq(ava.keys(), ["givenName", "surName"])
    assert ava["surName"] == ["Jeter"]
    assert ava["givenName"] == ["Derek"]

    ava = filter_attribute_value_assertions(AVA[1].copy(), p.get_attribute_restrictions(""))

    print ava
    assert _eq(ava.keys(), ["surName"])
    assert ava["surName"] == ["Howard"]
示例#27
0
def test_assertion_with_zero_attributes():
    ava = {}
    ast = Assertion(ava)
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 240
            },
            "attribute_restrictions": None,  # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })
    name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
    issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
    msg = ast.construct("sp_entity_id",
                        "in_response_to",
                        "consumer_url",
                        name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
                        policy,
                        issuer=issuer,
                        authn_decl=ACD,
                        authn_auth="authn_authn")

    print(msg)
    assert msg.attribute_statement == []
示例#28
0
    def load_complex(self, cnf, typ="", metadata_construction=False):
        try:
            self.setattr(typ, "policy", Policy(cnf["policy"]))
        except KeyError:
            pass

        try:
            try:
                acs = ac_factory(cnf["attribute_map_dir"])
            except KeyError:
                acs = ac_factory()

            if not acs:
                raise Exception(
                    ("No attribute converters, ", "something is wrong!!"))

            _acs = self.getattr("attribute_converters", typ)
            if _acs:
                _acs.extend(acs)
            else:
                self.setattr(typ, "attribute_converters", acs)

        except KeyError:
            pass

        if not metadata_construction:
            try:
                self.setattr(typ, "metadata",
                             self.load_metadata(cnf["metadata"]))
            except KeyError:
                pass
示例#29
0
def test_assertion_with_authn_instant():
    ava = {}
    ast = Assertion(ava)
    policy = Policy({
        "default": {
            "lifetime": {
                "minutes": 240
            },
            "attribute_restrictions": None,  # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })
    name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
    issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)

    farg = add_path(
        {}, ['subject', 'subject_confirmation', 'method', saml.SCM_BEARER])
    add_path(farg['subject']['subject_confirmation'],
             ['subject_confirmation_data', 'in_response_to', 'in_response_to'])
    add_path(farg['subject']['subject_confirmation'],
             ['subject_confirmation_data', 'recipient', 'consumer_url'])

    msg = ast.construct("sp_entity_id",
                        [AttributeConverterNOOP(NAME_FORMAT_URI)],
                        policy,
                        issuer=issuer,
                        authn_decl=ACD,
                        authn_auth="authn_authn",
                        authn_instant=1234567890,
                        name_id=name_id,
                        farg=farg)

    print(msg)
    assert msg.authn_statement[0].authn_instant == "2009-02-13T23:31:30Z"
示例#30
0
文件: config.py 项目: evansd/pysaml2
    def load_complex(self, cnf, typ="", metadata_construction=False):
        _attr_typ = self._attr[typ]
        try:
            _attr_typ["policy"] = Policy(cnf["policy"])
        except KeyError:
            pass

        try:
            try:
                acs = ac_factory(cnf["attribute_map_dir"])
            except KeyError:
                acs = ac_factory()

            if not acs:
                raise Exception(
                    ("No attribute converters, ", "something is wrong!!"))
            try:
                _attr_typ["attribute_converters"].extend(acs)
            except KeyError:
                _attr_typ["attribute_converters"] = acs
        except KeyError:
            pass

        if not metadata_construction:
            try:
                _attr_typ["metadata"] = self.load_metadata(cnf["metadata"])
            except KeyError:
                pass
示例#31
0
    def test_authz_decision_query(self):
        conf = config.SPConfig()
        conf.load_file("server3_conf")
        client = Saml2Client(conf)

        AVA = {
            'mail': u'*****@*****.**',
            'eduPersonTargetedID': '95e9ae91dbe62d35198fbbd5e1fb0976',
            'displayName': u'Roland Hedberg',
            'uid': 'http://roland.hedberg.myopenid.com/'
        }

        sp_entity_id = "sp_entity_id"
        in_response_to = "1234"
        consumer_url = "http://example.com/consumer"
        name_id = saml.NameID(saml.NAMEID_FORMAT_TRANSIENT, text="name_id")
        policy = Policy()
        ava = Assertion(AVA)
        assertion = ava.construct(sp_entity_id,
                                  in_response_to,
                                  consumer_url,
                                  name_id,
                                  conf.attribute_converters,
                                  policy,
                                  issuer=client._issuer())

        adq = client.authz_decision_query_using_assertion(
            "entity_id", assertion, "read", "http://example.com/text")

        assert adq
        print adq
        assert adq.keyswv() != []
        assert adq.destination == "entity_id"
        assert adq.resource == "http://example.com/text"
        assert adq.action[0].text == "read"
示例#32
0
def test_assertion_1(AVA):
    ava = Assertion(AVA[0])

    print(ava)
    print(ava.__dict__)

    policy = Policy(
        {"default": {
            "attribute_restrictions": {
                "givenName": ["^R.*"],
            }
        }})

    ava = ava.apply_policy("", policy)

    print(ava)
    assert _eq(list(ava.keys()), [])

    ava = Assertion(AVA[1].copy())
    ava = ava.apply_policy("", policy)
    assert _eq(list(ava.keys()), ["givenName"])
    assert ava["givenName"] == ["Ryan"]

    ava = Assertion(AVA[3].copy())
    ava = ava.apply_policy("", policy)
    assert _eq(list(ava.keys()), ["givenName"])
    assert ava["givenName"] == ["Roland"]
def test_filter_ava():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)

    assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
    assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "mail": ["*****@*****.**", "*****@*****.**"], "c": ["USA"]}

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)

    assert _eq(list(ava.keys()), ['mail', 'givenName', 'sn', 'c'])
    assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
示例#35
0
    def test_persistent_1(self):
        policy = Policy({
            "default": {
                "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "nameid_format": NAMEID_FORMAT_PERSISTENT,
                "attribute_restrictions": {
                    "surName": [".*berg"],
                }
            }
        })

        nameid = self.id.construct_nameid(policy, "foobar",
                                          "urn:mace:example.com:sp:1")

        assert _eq(nameid.keys(), [
            'text', 'sp_provided_id', 'sp_name_qualifier', 'name_qualifier',
            'format'
        ])
        assert _eq(nameid.keyswv(), ['format', 'text', 'sp_name_qualifier'])
        assert nameid.sp_name_qualifier == "urn:mace:example.com:sp:1"
        assert nameid.format == NAMEID_FORMAT_PERSISTENT

        nameid_2 = self.id.construct_nameid(policy, "foobar",
                                            "urn:mace:example.com:sp:1")

        assert nameid != nameid_2
        assert nameid.text == nameid_2.text
def test_assertion_with_noop_attribute_conv():
    ava = {"urn:oid:2.5.4.4": "Roland", "urn:oid:2.5.4.42": "Hedberg" }
    ast = Assertion(ava)
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 240},
            "attribute_restrictions": None,  # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })
    name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
    issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
    msg = ast.construct("sp_entity_id", "in_response_to", "consumer_url",
                        name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
                        policy, issuer=issuer, authn_decl=ACD ,
                        authn_auth="authn_authn")

    print(msg)
    for attr in msg.attribute_statement[0].attribute:
        assert attr.name_format == NAME_FORMAT_URI
        assert len(attr.attribute_value) == 1
        if attr.name == "urn:oid:2.5.4.42":
            assert attr.attribute_value[0].text == "Hedberg"
        elif attr.name == "urn:oid:2.5.4.4":
            assert attr.attribute_value[0].text == "Roland"
def test_ava_filter_2():
    conf = {
        "default": {
            "lifetime": {"minutes": 15},
            "attribute_restrictions": None  # means all I have
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {"minutes": 5},
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
                "mail": [".*@.*\.umu\.se"],
            }
        }}

    policy = Policy(conf)

    ava = {"givenName": "Derek",
           "surName": "Jeter",
           "mail": "*****@*****.**"}

    raises(MissingValue, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
           None, [mail], [gn, sn])

    ava = {"givenName": "Derek",
           "surName": "Jeter"}

    # it wasn't there to begin with
    raises(Exception, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
           None, [gn, sn, mail])
示例#38
0
def test_ava_filter_dont_fail():
    conf = {
        "default": {
            "lifetime": {
                "minutes": 15
            },
            "attribute_restrictions": None,  # means all I have
            "fail_on_missing_requested": False
        },
        "urn:mace:umu.se:saml:roland:sp": {
            "lifetime": {
                "minutes": 5
            },
            "attribute_restrictions": {
                "givenName": None,
                "surName": None,
                "mail": [r".*@.*\.umu\.se"],
            },
            "fail_on_missing_requested": False
        }
    }

    policy = Policy(conf)

    ava = {
        "givenName": "Derek",
        "surName": "Jeter",
        "mail": "*****@*****.**"
    }

    # mail removed because it doesn't match the regular expression
    # So it should fail if the 'fail_on_ ...' flag wasn't set
    _ava = policy.filter(ava,
                         'urn:mace:umu.se:saml:roland:sp',
                         required=[mail],
                         optional=[gn, sn])

    assert _ava

    ava = {"givenName": "Derek", "surName": "Jeter"}

    # it wasn't there to begin with
    _ava = policy.filter(ava,
                         'urn:mace:umu.se:saml:roland:sp',
                         required=[gn, sn, mail])

    assert _ava
示例#39
0
    def setup_assertion(self,
                        authn,
                        sp_entity_id,
                        in_response_to,
                        consumer_url,
                        name_id,
                        policy,
                        _issuer,
                        authn_statement,
                        identity,
                        best_effort,
                        sign_response,
                        add_subject=True):
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([(AUTHN_DICT_MAP[k], v)
                               for k, v in authn.items()
                               if k in AUTHN_DICT_MAP])

            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      add_subject=add_subject,
                                      **authn_args)
        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      authn_statem=authn_statement,
                                      add_subject=add_subject)
        else:
            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      add_subject=add_subject)
        return assertion
示例#40
0
def test_entity_category_import_from_path():
    mds = MetadataStore(ATTRCONV,
                        sec_config,
                        disable_ssl_certificate_validation=True)
    # The file entity_cat_rs.xml contains the SAML metadata for an SP
    # tagged with the REFEDs R&S entity category.
    mds.imp([{
        "class": "saml2.mdstore.MetaDataFile",
        "metadata": [(full_path("entity_cat_rs.xml"), )]
    }])

    # The entity category module myentitycategory.py is in the tests
    # directory which is on the standard module search path.
    # The module uses a custom interpretation of the REFEDs R&S entity category
    # by adding eduPersonUniqueId.
    policy = Policy(
        {
            "default": {
                "lifetime": {
                    "minutes": 15
                },
                "entity_categories": ["myentitycategory"]
            }
        }, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "displayName": "Derek Jeter",
        "mail": ["*****@*****.**"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "eduPersonUniqueId": "*****@*****.**",
        "eduPersonScopedAffiliation": "*****@*****.**",
        "eduPersonPrincipalName": "*****@*****.**",
        "norEduPersonNIN": "19800101134"
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    # We expect c and norEduPersonNIN to be filtered out since they are not
    # part of the custom entity category.
    assert _eq(list(ava.keys()), [
        "eduPersonTargetedID", "eduPersonPrincipalName", "eduPersonUniqueId",
        "displayName", "givenName", "eduPersonScopedAffiliation", "mail", "sn"
    ])
示例#41
0
def test_filter_ava_0():
    policy = Policy(
        {
            "default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None},  # means all I have
            "urn:mace:example.com:saml:roland:sp": {"lifetime": {"minutes": 5}},
        }
    )

    ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**"]}

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])

    assert _eq(ava.keys(), ["givenName", "surName", "mail"])
    assert ava["givenName"] == ["Derek"]
    assert ava["surName"] == ["Jeter"]
    assert ava["mail"] == ["*****@*****.**"]
示例#42
0
    def create_aa_response(self, in_response_to, consumer_url, sp_entity_id,
                           identity=None, userid="", name_id=None, status=None,
                           issuer=None, sign_assertion=False,
                           sign_response=False, attributes=None):
        """ Create an attribute assertion response.
        
        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param userid: A identifier of the user
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the whole response should be signed
        :return: A response instance
        """
        if not name_id and userid:
            try:
                name_id = self.ident.construct_nameid(self.conf.policy, userid,
                                                      sp_entity_id, identity)
                logger.warning("Unspecified NameID format")
            except Exception:
                pass

        to_sign = []
        args = {}
        if identity:
            _issuer = self.issuer(issuer)
            ast = Assertion(identity)
            policy = self.conf.getattr("policy", "aa")
            if policy:
                ast.apply_policy(sp_entity_id, policy)
            else:
                policy = Policy()

            if attributes:
                restr = restriction_from_attribute_spec(attributes)
                ast = filter_attribute_value_assertions(ast)

            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.conf.attribute_converters,
                                      policy, issuer=_issuer)

            if sign_assertion:
                assertion.signature = pre_signature_part(assertion.id,
                                                         self.sec.my_cert, 1)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]


            args["assertion"] = assertion

        return self._response(in_response_to, consumer_url, status, issuer,
                              sign_response, to_sign, **args)
def test_filter_ava2():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["refeds", "edugain"]
        }
    })

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "mail": ["*****@*****.**"], "c": ["USA"],
           "eduPersonTargetedID": "foo!bar!xyz"}

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)

    # Mismatch, policy deals with eduGAIN, metadata says SWAMID
    # So only minimum should come out
    assert _eq(list(ava.keys()), ['eduPersonTargetedID'])
示例#44
0
def test_filter_ava_5():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid", "edugain"]
        }
    })

    ava = {"givenName": ["Derek"], "surName": ["Jeter"],
           "mail": ["*****@*****.**", "*****@*****.**"]}

    ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], [])

    # using entity_categories means there *always* are restrictions
    # in this case the only allowed attribute is eduPersonTargetedID
    # which isn't available in the ava hence zip is returned.
    assert ava == {}
示例#45
0
def test_filter_ava_4():
    """ Return everything as default policy is used """
    policy = Policy(
        {
            "default": {"lifetime": {"minutes": 15}, "attribute_restrictions": None},  # means all I have
            "urn:mace:example.com:saml:roland:sp": {
                "lifetime": {"minutes": 5},
                "attribute_restrictions": {"mail": [".*@example\.com$"]},
            },
        }
    )

    ava = {"givenName": ["Derek"], "surName": ["Jeter"], "mail": ["*****@*****.**", "*****@*****.**"]}

    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], [])

    assert _eq(ava.keys(), ["mail", "givenName", "surName"])
    assert _eq(ava["mail"], ["*****@*****.**", "*****@*****.**"])
def test_filter_ava3():
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            #"attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"]
        }
    })

    mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"), )]}])

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "mail": ["*****@*****.**"], "c": ["USA"],
           "eduPersonTargetedID": "foo!bar!xyz",
           "norEduPersonNIN": "19800101134"}

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    assert _eq(list(ava.keys()), ['eduPersonTargetedID', "norEduPersonNIN"])
示例#47
0
def test_filter_ava_3():
    """ Only example.com mail addresses returned """
    policy = Policy({
            "default": {
                "lifetime": {"minutes":15},
                "attribute_restrictions": None # means all I have
            },
            "urn:mace:example.com:saml:roland:sp": {
                "lifetime": {"minutes": 5},
                "attribute_restrictions":{
                    "mail": [".*@example\.com$"],
                }
            }})
    
    ava = { "givenName": ["Derek"], "surName": ["Jeter"], 
            "mail": ["*****@*****.**", "*****@*****.**"]}
    
    # No restrictions apply
    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
                                
    assert _eq(ava.keys(), ["mail"])
    assert ava["mail"] == ["*****@*****.**"]
示例#48
0
def test_entity_category_import_from_path():
    # The entity category module myentitycategory.py is in the tests
    # directory which is on the standard module search path.
    # The module uses a custom interpretation of the REFEDs R&S entity category
    # by adding eduPersonUniqueId.
    policy = Policy({
        "default": {
            "lifetime": {"minutes": 15},
            "entity_categories": ["myentitycategory"]
        }
    })

    mds = MetadataStore(ATTRCONV, sec_config,
                        disable_ssl_certificate_validation=True)

    # The file entity_cat_rs.xml contains the SAML metadata for an SP
    # tagged with the REFEDs R&S entity category.
    mds.imp([{"class": "saml2.mdstore.MetaDataFile",
              "metadata": [(full_path("entity_cat_rs.xml"),)]}])

    ava = {"givenName": ["Derek"], "sn": ["Jeter"],
           "displayName": "Derek Jeter",
           "mail": ["*****@*****.**"], "c": ["USA"],
           "eduPersonTargetedID": "foo!bar!xyz",
           "eduPersonUniqueId": "*****@*****.**",
           "eduPersonScopedAffiliation": "*****@*****.**",
           "eduPersonPrincipalName": "*****@*****.**",
           "norEduPersonNIN": "19800101134"}

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)

    # We expect c and norEduPersonNIN to be filtered out since they are not
    # part of the custom entity category.
    assert _eq(list(ava.keys()),
               ["eduPersonTargetedID", "eduPersonPrincipalName",
                "eduPersonUniqueId", "displayName", "givenName",
                "eduPersonScopedAffiliation", "mail", "sn"])
示例#49
0
def test_assertion_2():
    AVA = {
        "mail": u"*****@*****.**",
        "eduPersonTargetedID": "http://lingon.ladok.umu"
        ".se:8090/idp!http://lingon.ladok.umu"
        ".se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976",
        "displayName": u"Roland Hedberg",
        "uid": "http://roland.hedberg.myopenid.com/",
    }

    ava = Assertion(AVA)

    policy = Policy(
        {
            "default": {
                "lifetime": {"minutes": 240},
                "attribute_restrictions": None,  # means all I have
                "name_form": NAME_FORMAT_URI,
            }
        }
    )

    ava = ava.apply_policy("", policy)
    acs = ac_factory(full_path("attributemaps"))
    attribute = from_local(acs, ava, policy.get_name_form(""))

    assert len(attribute) == 4
    names = [attr.name for attr in attribute]
    assert _eq(
        names,
        [
            "urn:oid:0.9.2342.19200300.100.1.3",
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
            "urn:oid:2.16.840.1.113730.3.1.241",
            "urn:oid:0.9.2342.19200300.100.1.1",
        ],
    )