def get_auth_response(self, samlfrontend, context, internal_response, sp_conf, idp_metadata_str): sp_config = SPConfig().load(sp_conf, metadata_construction=False) resp_args = { "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT), "in_response_to": None, "destination": sp_config.endpoint("assertion_consumer_service", binding=BINDING_HTTP_REDIRECT)[0], "sp_entity_id": sp_conf["entityid"], "binding": BINDING_HTTP_REDIRECT } request_state = samlfrontend._create_state_data(context, resp_args, "") context.state[samlfrontend.name] = request_state resp = samlfrontend.handle_authn_response(context, internal_response) sp_conf["metadata"]["inline"].append(idp_metadata_str) fakesp = FakeSP(sp_config) resp_dict = parse_qs(urlparse(resp.message).query) return fakesp.parse_authn_request_response( resp_dict["SAMLResponse"][0], BINDING_HTTP_REDIRECT)
def __init__(self, conv): AuthnRequest.__init__(self, conv) self.args["name_id_policy"] = NameIDPolicy( format=NAMEID_FORMAT_TRANSIENT, sp_name_qualifier="Group1", allow_create="true") self.args["nameid_format"] = NAMEID_FORMAT_TRANSIENT self.tests["post"].append(VerifyNameIDPolicyUsage)
def create_name_id_policy_persistent(): """ Creates a transient name id policy. :return: """ nameid_format = NAMEID_FORMAT_PERSISTENT name_id_policy = NameIDPolicy(format=nameid_format) return name_id_policy
def create_name_id_policy_transient(): """ Creates a transient name id policy. :return: """ nameid_format = NAMEID_FORMAT_TRANSIENT name_id_policy = NameIDPolicy(format=nameid_format) return name_id_policy
def test_co_static_attributes(self, frontend, context, internal_response, idp_conf, sp_conf): # Use the frontend and context fixtures to dynamically create the # proxy IdP server that would be created during a flow. idp_server = frontend._create_co_virtual_idp(context) # Use the context fixture to find the CO name and the backend name # and then use those to dynamically update the ipd_conf fixture. co_name = frontend._get_co_name(context) backend_name = context.target_backend idp_conf = frontend._add_endpoints_to_config(idp_conf, co_name, backend_name) idp_conf = frontend._add_entity_id(idp_conf, co_name) # Use a utility function to serialize the idp_conf IdP configuration # fixture to a string and then dynamically update the sp_conf # SP configuration fixture with the metadata. idp_metadata_str = create_metadata_from_config_dict(idp_conf) sp_conf["metadata"]["inline"].append(idp_metadata_str) sp_config = SPConfig().load(sp_conf, metadata_construction=False) # Use the updated sp_config fixture to generate a fake SP and then # use the fake SP to generate an authentication request aimed at the # proxy CO virtual IdP. fakesp = FakeSP(sp_config) destination, auth_req = fakesp.make_auth_req( idp_server.config.entityid, nameid_format=None, relay_state="relay_state", subject=None, ) # Update the context with the authentication request. context.request = auth_req # Create the response arguments necessary for the IdP to respond to # the authentication request, update the request state and with it # the context, and then use the frontend fixture and the # internal_response fixture to handle the authentication response # and generate a response from the proxy IdP to the SP. resp_args = { "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT), "in_response_to": None, "destination": sp_config.endpoint( "assertion_consumer_service", binding=BINDING_HTTP_REDIRECT )[0], "sp_entity_id": sp_conf["entityid"], "binding": BINDING_HTTP_REDIRECT } request_state = frontend._create_state_data(context, resp_args, "") context.state[frontend.name] = request_state frontend.handle_authn_response(context, internal_response) # Verify that the frontend added the CO static SAML attributes to the # internal response. for attr, value in self.CO_STATIC_SAML_ATTRIBUTES.items(): assert internal_response.attributes[attr] == value
def create_name_id_policy(usr_id_hash_type): """ Creates a name id policy :type usr_id_hash_type: satosa.internal_data.UserIdHashType :rtype: saml2.samlp.NameIDPolicy :param usr_id_hash_type: The internal id hash type :return: A name id policy """ nameid_format = get_saml_name_id_format(usr_id_hash_type) name_id_policy = NameIDPolicy(format=nameid_format) return name_id_policy
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf): expected_loa = "LoA1" loa = { "": "http://eidas.europa.eu/LoA/low", idp_conf["entityid"]: expected_loa } base = self.construct_base_url_from_entity_id(idp_conf["entityid"]) conf = { "idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base, "state_id": "state_id", "acr_mapping": loa } samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf) samlfrontend.register_endpoints(["foo"]) idp_metadata_str = create_metadata_from_config_dict( samlfrontend.config) sp_conf["metadata"]["inline"].append(idp_metadata_str) fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False)) auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"]) internal_response = InternalResponse(auth_info=auth_info) context = Context() context.state = State() resp_args = { "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT), "in_response_to": None, "destination": "", "sp_entity_id": None, "binding": BINDING_HTTP_REDIRECT } request_state = samlfrontend.save_state(context, resp_args, "") context.state.add(conf["state_id"], request_state) resp = samlfrontend.handle_authn_response(context, internal_response) resp_dict = parse_qs(urlparse(resp.message).query) resp = fakesp.parse_authn_request_response( resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT) assert len(resp.assertion.authn_statement) == 1 authn_context_class_ref = resp.assertion.authn_statement[ 0].authn_context.authn_context_class_ref assert authn_context_class_ref.text == expected_loa
class NameIDMappingRequest(Request): request = "name_id_mapping_request" _args = {"request_binding": BINDING_SOAP, "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_PERSISTENT, sp_name_qualifier="GroupOn", allow_create="true")} def __init__(self, conv): Request.__init__(self, conv) self.tests["post"].append(VerifyNameIDMapping) def setup(self): assertion = self.conv.saml_response[-1].assertion self.args["name_id"] = assertion.subject.name_id
def send_assertion(): logger.debug("Sending SAML assertion") idp_config = current_app.config['IDP_CONFIG'] idp_config_object = IdPConfig().load(copy.deepcopy(idp_config), metadata_construction=False) idp = Server(config=idp_config_object) name_id_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' name_id_policy = NameIDPolicy(format=name_id_format) args = { 'identity': {}, 'name_id': None, 'authn': { 'class_ref': 'https://refeds.org/profile/mfa', 'authn_auth': idp_config['entityid'] }, 'sign_response': True, 'sign_assertion': False, 'encrypted_advice_attributes': False, 'in_response_to': session['saml_authn_request_id'], 'sp_entity_id': session['saml_sp_entity_id'], 'name_id_policy': name_id_policy, 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'destination': session['saml_sp_acs'], 'sign_alg': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', 'digest_alg': 'http://www.w3.org/2001/04/xmlenc#sha256', } saml_response_string = idp.create_authn_response(**args) saml_response_string_encoded = saml_response_string.encode('utf-8') saml_response = b64encode(saml_response_string_encoded) saml_response_encoded = saml_response.decode('ascii') action = session['saml_sp_acs'] saml_relay_state = session['saml_relay_state'] rendered_template = render_template( 'saml_http_post_binding.html', action=action, saml_response_encoded=saml_response_encoded, saml_relay_state=saml_relay_state) # Kill the session session.clear() return rendered_template
def test_request_response(): sp = Saml2Client(config_file="servera_conf") with closing(Server(config_file="idp_all_conf")) as idp: binding, destination = sp.pick_binding("name_id_mapping_service", entity_id=idp.config.entityid) policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT, sp_name_qualifier="urn:mace:swamid:junk", allow_create="true") nameid = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar") mid, nmr = sp.create_name_id_mapping_request(policy, nameid, destination) print nmr args = sp.use_soap(nmr, destination) # ------- IDP ------------ req = idp.parse_name_id_mapping_request(args["data"], binding) in_response_to = req.message.id name_id = NameID(format=NAMEID_FORMAT_PERSISTENT, text="foobar") idp_response = idp.create_name_id_mapping_response( name_id, in_response_to=in_response_to) print idp_response ht_args = sp.use_soap(idp_response) # ------- SP ------------ _resp = sp.parse_name_id_mapping_request_response( ht_args["data"], binding) print _resp.response r_name_id = _resp.response.name_id assert r_name_id.format == NAMEID_FORMAT_PERSISTENT assert r_name_id.text == "foobar"
def test_base_request(): sp = Saml2Client(config_file="servera_conf") idp = Server(config_file="idp_all_conf") binding, destination = sp.pick_binding("name_id_mapping_service", entity_id=idp.config.entityid) policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT, sp_name_qualifier="urn:mace:swamid:junk", allow_create="true") nameid = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar") nmr = sp.create_name_id_mapping_request(policy, nameid, destination) print nmr assert isinstance(nmr, NameIDMappingRequest)
def test_handle_logout_soap(): sp = Saml2Client(config_file="servera_conf") idp = Server(config_file="idp_all_conf") policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT, sp_name_qualifier=sp.config.entityid, allow_create="true") name_id = idp.ident.construct_nameid("subject", name_id_policy=policy) binding, destination = idp.pick_binding("single_logout_service", [BINDING_SOAP], entity_id=sp.config.entityid) rid, request = idp.create_logout_request(destination, idp.config.entityid, name_id=name_id) args = idp.apply_binding(BINDING_SOAP, "%s" % request, destination) # register the user session_info = { "name_id": name_id, "issuer": idp.config.entityid, "not_on_or_after": in_a_while(minutes=15), "ava": { "givenName": "Anders", "surName": "Andersson", "mail": "*****@*****.**" } } sp.users.add_information_about_person(session_info) reply_args = sp.handle_logout_request(args["data"], name_id, binding, sign=False) print(reply_args) assert reply_args["method"] == "POST" assert reply_args["headers"] == [('content-type', 'application/soap+xml')] #if __name__ == "__main__": # test_handle_logout_soap()
def test_flow(): sp = Saml2Client(config_file="servera_conf") with closing(Server(config_file="idp_all_conf")) as idp: relay_state = "FOO" # -- dummy request --- orig_req = AuthnRequest(issuer=sp._issuer(), name_id_policy=NameIDPolicy( allow_create="true", format=NAMEID_FORMAT_TRANSIENT)) # == Create an AuthnRequest response name_id = idp.ident.transient_nameid(sp.config.entityid, "id12") binding, destination = idp.pick_binding("assertion_consumer_service", entity_id=sp.config.entityid) resp = idp.create_authn_response( { "eduPersonEntitlement": "Short stop", "surName": "Jeter", "givenName": "Derek", "mail": "*****@*****.**", "title": "The man" }, "id-123456789", destination, sp.config.entityid, name_id=name_id, authn=AUTHN) hinfo = idp.apply_binding(binding, "%s" % resp, destination, relay_state) # ------- @SP ---------- xmlstr = get_msg(hinfo, binding) aresp = sp.parse_authn_request_response(xmlstr, binding, {resp.in_response_to: "/"}) binding, destination = sp.pick_binding("authn_query_service", entity_id=idp.config.entityid) authn_context = requested_authn_context(INTERNETPROTOCOLPASSWORD) subject = aresp.assertion.subject aq_id, aq = sp.create_authn_query(subject, destination, authn_context) print(aq) assert isinstance(aq, AuthnQuery) binding = BINDING_SOAP hinfo = sp.apply_binding(binding, "%s" % aq, destination, "state2") # -------- @IDP ---------- xmlstr = get_msg(hinfo, binding) pm = idp.parse_authn_query(xmlstr, binding) msg = pm.message assert msg.id == aq.id p_res = idp.create_authn_query_response(msg.subject, msg.session_index, msg.requested_authn_context) print(p_res) hinfo = idp.apply_binding(binding, "%s" % p_res, "", "state2", response=True) # ------- @SP ---------- xmlstr = get_msg(hinfo, binding) final = sp.parse_authn_query_response(xmlstr, binding) print(final) assert final.response.id == p_res.id
def test_basic_flow(): sp = Saml2Client(config_file="servera_conf") idp = Server(config_file="idp_all_conf") # -------- @IDP ------------- relay_state = "FOO" # -- dummy request --- orig_req = AuthnRequest(issuer=sp._issuer(), name_id_policy=NameIDPolicy( allow_create="true", format=NAMEID_FORMAT_TRANSIENT)) # == Create an AuthnRequest response name_id = idp.ident.transient_nameid("id12", sp.config.entityid) binding, destination = idp.pick_binding("assertion_consumer_service", entity_id=sp.config.entityid) resp = idp.create_authn_response( { "eduPersonEntitlement": "Short stop", "surName": "Jeter", "givenName": "Derek", "mail": "*****@*****.**", "title": "The man" }, "id-123456789", destination, sp.config.entityid, name_id=name_id, authn=AUTHN) hinfo = idp.apply_binding(binding, "%s" % resp, destination, relay_state) # --------- @SP ------------- xmlstr = get_msg(hinfo, binding) aresp = sp.parse_authn_request_response(xmlstr, binding, {resp.in_response_to: "/"}) # == Look for assertion X asid = aresp.assertion.id binding, destination = sp.pick_binding("assertion_id_request_service", entity_id=idp.config.entityid) hinfo = sp.apply_binding(binding, asid, destination) # ---------- @IDP ------------ aid = get_msg(hinfo, binding, response=False) # == construct response resp = idp.create_assertion_id_request_response(aid) hinfo = idp.apply_binding(binding, "%s" % resp, None, "", response=True) # ----------- @SP ------------- xmlstr = get_msg(hinfo, binding, response=True) final = sp.parse_assertion_id_request_response(xmlstr, binding) print final.response assert isinstance(final.response, Assertion)
'SERVER_NAME': 'lingon-catalogix-se-2.local', 'REMOTE_PORT': '57309', 'wsgi.url_scheme': 'http', 'SERVER_PORT': '8087', 'HTTP_HOST': '127.0.0.1:8087', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', 'wsgi.version': (1, 0), 'wsgi.run_once': False, 'wsgi.multiprocess': False, 'HTTP_ACCEPT_LANGUAGE': 'en-us', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate' } trans_name_policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT, allow_create="true") AUTHN = (AUTHN_PASSWORD, "http://www.example.com/login") class TestSP(): def setup_class(self): self.sp = make_plugin("rem", saml_conf="server_conf") self.server = Server(config_file="idp_conf") def test_setup(self): assert self.sp def test_identify(self): # Create a SAMLResponse