示例#1
0
    def get_auth_response(self, samlfrontend, context, internal_response,
                          sp_conf, idp_metadata_str):
        sp_config = SPConfig().load(sp_conf, metadata_construction=False)
        resp_args = {
            "name_id_policy":
            NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
            "in_response_to":
            None,
            "destination":
            sp_config.endpoint("assertion_consumer_service",
                               binding=BINDING_HTTP_REDIRECT)[0],
            "sp_entity_id":
            sp_conf["entityid"],
            "binding":
            BINDING_HTTP_REDIRECT
        }
        request_state = samlfrontend._create_state_data(context, resp_args, "")
        context.state[samlfrontend.name] = request_state

        resp = samlfrontend.handle_authn_response(context, internal_response)

        sp_conf["metadata"]["inline"].append(idp_metadata_str)
        fakesp = FakeSP(sp_config)
        resp_dict = parse_qs(urlparse(resp.message).query)
        return fakesp.parse_authn_request_response(
            resp_dict["SAMLResponse"][0], BINDING_HTTP_REDIRECT)
示例#2
0
 def __init__(self, conv):
     AuthnRequest.__init__(self, conv)
     self.args["name_id_policy"] = NameIDPolicy(
         format=NAMEID_FORMAT_TRANSIENT, sp_name_qualifier="Group1",
         allow_create="true")
     self.args["nameid_format"] = NAMEID_FORMAT_TRANSIENT
     self.tests["post"].append(VerifyNameIDPolicyUsage)
示例#3
0
文件: util.py 项目: trsau/SATOSA
def create_name_id_policy_persistent():
    """
    Creates a transient name id policy.
    :return:
    """
    nameid_format = NAMEID_FORMAT_PERSISTENT
    name_id_policy = NameIDPolicy(format=nameid_format)
    return name_id_policy
示例#4
0
文件: util.py 项目: trsau/SATOSA
def create_name_id_policy_transient():
    """
    Creates a transient name id policy.
    :return:
    """
    nameid_format = NAMEID_FORMAT_TRANSIENT
    name_id_policy = NameIDPolicy(format=nameid_format)
    return name_id_policy
示例#5
0
    def test_co_static_attributes(self, frontend, context, internal_response,
                                  idp_conf, sp_conf):
        # Use the frontend and context fixtures to dynamically create the
        # proxy IdP server that would be created during a flow.
        idp_server = frontend._create_co_virtual_idp(context)

        # Use the context fixture to find the CO name and the backend name
        # and then use those to dynamically update the ipd_conf fixture.
        co_name = frontend._get_co_name(context)
        backend_name = context.target_backend
        idp_conf = frontend._add_endpoints_to_config(idp_conf, co_name,
                                                     backend_name)
        idp_conf = frontend._add_entity_id(idp_conf, co_name)

        # Use a utility function to serialize the idp_conf IdP configuration
        # fixture to a string and then dynamically update the sp_conf
        # SP configuration fixture with the metadata.
        idp_metadata_str = create_metadata_from_config_dict(idp_conf)
        sp_conf["metadata"]["inline"].append(idp_metadata_str)
        sp_config = SPConfig().load(sp_conf, metadata_construction=False)

        # Use the updated sp_config fixture to generate a fake SP and then
        # use the fake SP to generate an authentication request aimed at the
        # proxy CO virtual IdP.
        fakesp = FakeSP(sp_config)
        destination, auth_req = fakesp.make_auth_req(
            idp_server.config.entityid,
            nameid_format=None,
            relay_state="relay_state",
            subject=None,
        )

        # Update the context with the authentication request.
        context.request = auth_req

        # Create the response arguments necessary for the IdP to respond to
        # the authentication request, update the request state and with it
        # the context, and then use the frontend fixture and the
        # internal_response fixture to handle the authentication response
        # and generate a response from the proxy IdP to the SP.
        resp_args = {
            "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
            "in_response_to": None,
            "destination": sp_config.endpoint(
                            "assertion_consumer_service",
                            binding=BINDING_HTTP_REDIRECT
                            )[0],
            "sp_entity_id": sp_conf["entityid"],
            "binding": BINDING_HTTP_REDIRECT
        }
        request_state = frontend._create_state_data(context, resp_args, "")
        context.state[frontend.name] = request_state
        frontend.handle_authn_response(context, internal_response)

        # Verify that the frontend added the CO static SAML attributes to the
        # internal response.
        for attr, value in self.CO_STATIC_SAML_ATTRIBUTES.items():
            assert internal_response.attributes[attr] == value
示例#6
0
文件: saml2.py 项目: borgand/SATOSA
    def create_name_id_policy(usr_id_hash_type):
        """
        Creates a name id policy

        :type usr_id_hash_type: satosa.internal_data.UserIdHashType
        :rtype: saml2.samlp.NameIDPolicy

        :param usr_id_hash_type: The internal id hash type
        :return: A name id policy
        """
        nameid_format = get_saml_name_id_format(usr_id_hash_type)
        name_id_policy = NameIDPolicy(format=nameid_format)
        return name_id_policy
示例#7
0
    def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf):
        expected_loa = "LoA1"
        loa = {
            "": "http://eidas.europa.eu/LoA/low",
            idp_conf["entityid"]: expected_loa
        }

        base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
        conf = {
            "idp_config": idp_conf,
            "endpoints": ENDPOINTS,
            "base": base,
            "state_id": "state_id",
            "acr_mapping": loa
        }

        samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
        samlfrontend.register_endpoints(["foo"])

        idp_metadata_str = create_metadata_from_config_dict(
            samlfrontend.config)
        sp_conf["metadata"]["inline"].append(idp_metadata_str)
        fakesp = FakeSP(None,
                        config=SPConfig().load(sp_conf,
                                               metadata_construction=False))

        auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z",
                                              idp_conf["entityid"])
        internal_response = InternalResponse(auth_info=auth_info)
        context = Context()
        context.state = State()

        resp_args = {
            "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
            "in_response_to": None,
            "destination": "",
            "sp_entity_id": None,
            "binding": BINDING_HTTP_REDIRECT
        }
        request_state = samlfrontend.save_state(context, resp_args, "")
        context.state.add(conf["state_id"], request_state)

        resp = samlfrontend.handle_authn_response(context, internal_response)
        resp_dict = parse_qs(urlparse(resp.message).query)
        resp = fakesp.parse_authn_request_response(
            resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT)

        assert len(resp.assertion.authn_statement) == 1
        authn_context_class_ref = resp.assertion.authn_statement[
            0].authn_context.authn_context_class_ref
        assert authn_context_class_ref.text == expected_loa
示例#8
0
class NameIDMappingRequest(Request):
    request = "name_id_mapping_request"
    _args = {"request_binding": BINDING_SOAP,
             "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_PERSISTENT,
                                            sp_name_qualifier="GroupOn",
                                            allow_create="true")}

    def __init__(self, conv):
        Request.__init__(self, conv)
        self.tests["post"].append(VerifyNameIDMapping)

    def setup(self):
        assertion = self.conv.saml_response[-1].assertion
        self.args["name_id"] = assertion.subject.name_id
示例#9
0
def send_assertion():
    logger.debug("Sending SAML assertion")

    idp_config = current_app.config['IDP_CONFIG']
    idp_config_object = IdPConfig().load(copy.deepcopy(idp_config),
                                         metadata_construction=False)
    idp = Server(config=idp_config_object)

    name_id_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    name_id_policy = NameIDPolicy(format=name_id_format)

    args = {
        'identity': {},
        'name_id': None,
        'authn': {
            'class_ref': 'https://refeds.org/profile/mfa',
            'authn_auth': idp_config['entityid']
        },
        'sign_response': True,
        'sign_assertion': False,
        'encrypted_advice_attributes': False,
        'in_response_to': session['saml_authn_request_id'],
        'sp_entity_id': session['saml_sp_entity_id'],
        'name_id_policy': name_id_policy,
        'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'destination': session['saml_sp_acs'],
        'sign_alg': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digest_alg': 'http://www.w3.org/2001/04/xmlenc#sha256',
    }

    saml_response_string = idp.create_authn_response(**args)
    saml_response_string_encoded = saml_response_string.encode('utf-8')
    saml_response = b64encode(saml_response_string_encoded)
    saml_response_encoded = saml_response.decode('ascii')

    action = session['saml_sp_acs']
    saml_relay_state = session['saml_relay_state']
    rendered_template = render_template(
        'saml_http_post_binding.html',
        action=action,
        saml_response_encoded=saml_response_encoded,
        saml_relay_state=saml_relay_state)

    # Kill the session
    session.clear()

    return rendered_template
示例#10
0
def test_request_response():
    sp = Saml2Client(config_file="servera_conf")

    with closing(Server(config_file="idp_all_conf")) as idp:
        binding, destination = sp.pick_binding("name_id_mapping_service",
                                               entity_id=idp.config.entityid)

        policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT,
                              sp_name_qualifier="urn:mace:swamid:junk",
                              allow_create="true")

        nameid = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")

        mid, nmr = sp.create_name_id_mapping_request(policy, nameid,
                                                     destination)

        print nmr

        args = sp.use_soap(nmr, destination)

        # ------- IDP ------------

        req = idp.parse_name_id_mapping_request(args["data"], binding)

        in_response_to = req.message.id
        name_id = NameID(format=NAMEID_FORMAT_PERSISTENT, text="foobar")

        idp_response = idp.create_name_id_mapping_response(
            name_id, in_response_to=in_response_to)

        print idp_response

        ht_args = sp.use_soap(idp_response)

        # ------- SP ------------

        _resp = sp.parse_name_id_mapping_request_response(
            ht_args["data"], binding)

        print _resp.response

        r_name_id = _resp.response.name_id

        assert r_name_id.format == NAMEID_FORMAT_PERSISTENT
        assert r_name_id.text == "foobar"
示例#11
0
def test_base_request():
    sp = Saml2Client(config_file="servera_conf")
    idp = Server(config_file="idp_all_conf")

    binding, destination = sp.pick_binding("name_id_mapping_service",
                                           entity_id=idp.config.entityid)

    policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT,
                          sp_name_qualifier="urn:mace:swamid:junk",
                          allow_create="true")

    nameid = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")

    nmr = sp.create_name_id_mapping_request(policy, nameid, destination)

    print nmr

    assert isinstance(nmr, NameIDMappingRequest)
def test_handle_logout_soap():
    sp = Saml2Client(config_file="servera_conf")
    idp = Server(config_file="idp_all_conf")

    policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT,
                          sp_name_qualifier=sp.config.entityid,
                          allow_create="true")

    name_id = idp.ident.construct_nameid("subject", name_id_policy=policy)

    binding, destination = idp.pick_binding("single_logout_service",
                                            [BINDING_SOAP],
                                            entity_id=sp.config.entityid)

    rid, request = idp.create_logout_request(destination, idp.config.entityid,
                                             name_id=name_id)
    args = idp.apply_binding(BINDING_SOAP, "%s" % request, destination)

    # register the user
    session_info = {
        "name_id": name_id, "issuer": idp.config.entityid,
        "not_on_or_after": in_a_while(minutes=15),
        "ava": {
            "givenName": "Anders",
            "surName": "Andersson",
            "mail": "*****@*****.**"
        }
    }
    sp.users.add_information_about_person(session_info)

    reply_args = sp.handle_logout_request(args["data"], name_id, binding,
                                          sign=False)

    print(reply_args)
    assert reply_args["method"] == "POST"
    assert reply_args["headers"] == [('content-type', 'application/soap+xml')]


#if __name__ == "__main__":
#    test_handle_logout_soap()
示例#13
0
def test_flow():
    sp = Saml2Client(config_file="servera_conf")

    with closing(Server(config_file="idp_all_conf")) as idp:
        relay_state = "FOO"
        # -- dummy request ---
        orig_req = AuthnRequest(issuer=sp._issuer(),
                                name_id_policy=NameIDPolicy(
                                    allow_create="true",
                                    format=NAMEID_FORMAT_TRANSIENT))

        # == Create an AuthnRequest response

        name_id = idp.ident.transient_nameid(sp.config.entityid, "id12")
        binding, destination = idp.pick_binding("assertion_consumer_service",
                                                entity_id=sp.config.entityid)
        resp = idp.create_authn_response(
            {
                "eduPersonEntitlement": "Short stop",
                "surName": "Jeter",
                "givenName": "Derek",
                "mail": "*****@*****.**",
                "title": "The man"
            },
            "id-123456789",
            destination,
            sp.config.entityid,
            name_id=name_id,
            authn=AUTHN)

        hinfo = idp.apply_binding(binding, "%s" % resp, destination,
                                  relay_state)

        # ------- @SP ----------

        xmlstr = get_msg(hinfo, binding)
        aresp = sp.parse_authn_request_response(xmlstr, binding,
                                                {resp.in_response_to: "/"})

        binding, destination = sp.pick_binding("authn_query_service",
                                               entity_id=idp.config.entityid)

        authn_context = requested_authn_context(INTERNETPROTOCOLPASSWORD)

        subject = aresp.assertion.subject

        aq_id, aq = sp.create_authn_query(subject, destination, authn_context)

        print(aq)

        assert isinstance(aq, AuthnQuery)
        binding = BINDING_SOAP

        hinfo = sp.apply_binding(binding, "%s" % aq, destination, "state2")

        # -------- @IDP ----------

        xmlstr = get_msg(hinfo, binding)

        pm = idp.parse_authn_query(xmlstr, binding)

        msg = pm.message
        assert msg.id == aq.id

        p_res = idp.create_authn_query_response(msg.subject, msg.session_index,
                                                msg.requested_authn_context)

        print(p_res)

        hinfo = idp.apply_binding(binding,
                                  "%s" % p_res,
                                  "",
                                  "state2",
                                  response=True)

        # ------- @SP ----------

        xmlstr = get_msg(hinfo, binding)

        final = sp.parse_authn_query_response(xmlstr, binding)

        print(final)

        assert final.response.id == p_res.id
示例#14
0
def test_basic_flow():
    sp = Saml2Client(config_file="servera_conf")
    idp = Server(config_file="idp_all_conf")

    # -------- @IDP -------------

    relay_state = "FOO"
    # -- dummy request ---
    orig_req = AuthnRequest(issuer=sp._issuer(),
                            name_id_policy=NameIDPolicy(
                                allow_create="true",
                                format=NAMEID_FORMAT_TRANSIENT))

    # == Create an AuthnRequest response

    name_id = idp.ident.transient_nameid("id12", sp.config.entityid)

    binding, destination = idp.pick_binding("assertion_consumer_service",
                                            entity_id=sp.config.entityid)
    resp = idp.create_authn_response(
        {
            "eduPersonEntitlement": "Short stop",
            "surName": "Jeter",
            "givenName": "Derek",
            "mail": "*****@*****.**",
            "title": "The man"
        },
        "id-123456789",
        destination,
        sp.config.entityid,
        name_id=name_id,
        authn=AUTHN)

    hinfo = idp.apply_binding(binding, "%s" % resp, destination, relay_state)

    # --------- @SP -------------

    xmlstr = get_msg(hinfo, binding)

    aresp = sp.parse_authn_request_response(xmlstr, binding,
                                            {resp.in_response_to: "/"})

    # == Look for assertion X

    asid = aresp.assertion.id

    binding, destination = sp.pick_binding("assertion_id_request_service",
                                           entity_id=idp.config.entityid)

    hinfo = sp.apply_binding(binding, asid, destination)

    # ---------- @IDP ------------

    aid = get_msg(hinfo, binding, response=False)

    # == construct response

    resp = idp.create_assertion_id_request_response(aid)

    hinfo = idp.apply_binding(binding, "%s" % resp, None, "", response=True)

    # ----------- @SP -------------

    xmlstr = get_msg(hinfo, binding, response=True)

    final = sp.parse_assertion_id_request_response(xmlstr, binding)

    print final.response
    assert isinstance(final.response, Assertion)
示例#15
0
    'SERVER_NAME': 'lingon-catalogix-se-2.local',
    'REMOTE_PORT': '57309',
    'wsgi.url_scheme': 'http',
    'SERVER_PORT': '8087',
    'HTTP_HOST': '127.0.0.1:8087',
    'wsgi.multithread': True,
    'HTTP_ACCEPT':
    'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'wsgi.version': (1, 0),
    'wsgi.run_once': False,
    'wsgi.multiprocess': False,
    'HTTP_ACCEPT_LANGUAGE': 'en-us',
    'HTTP_ACCEPT_ENCODING': 'gzip, deflate'
}

trans_name_policy = NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT,
                                 allow_create="true")

AUTHN = (AUTHN_PASSWORD, "http://www.example.com/login")


class TestSP():
    def setup_class(self):
        self.sp = make_plugin("rem", saml_conf="server_conf")
        self.server = Server(config_file="idp_conf")

    def test_setup(self):
        assert self.sp

    def test_identify(self):

        # Create a SAMLResponse