def test_valid_saml_auth(self, mock_datetime):
        """Accept a correctly signed response with the clock pinned to 2019-04-09 21:35 UTC."""
        # Freeze "now" on the mock and hand the real strptime back to it
        # (presumably the authenticator parses timestamps through it).
        frozen_now = datetime(2019, 4, 9, 21, 35, 0, tzinfo=timezone.utc)
        mock_datetime.now.return_value = frozen_now
        mock_datetime.strptime = datetime.strptime

        authenticator = SAMLAuthenticator()

        # Signature verification on its own must yield the expected signed XML.
        verified = authenticator._verify_saml_signature(
            self.metadata_etree, self.response_etree)
        assert etree.tostring(verified) == etree.tostring(
            self.verified_signed_xml)

        # The full validation path must accept the same response.
        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, self.response_etree)
        response_is_valid, signed_xml = outcome

        assert response_is_valid
        # What comes back should be the signed subset of the document, i.e.
        # the XML that signxml returns, not the whole response.
        assert etree.tostring(signed_xml) == etree.tostring(
            self.verified_signed_xml)
    def test_signed_xml_bad_recipient(self):
        """Reject a response when the configured recipient does not match."""
        authenticator = SAMLAuthenticator()
        authenticator.recipient = "bad_recipient"

        # This assertion isolates the recipient comparison.
        assert not authenticator._verify_saml_response_against_configured_fields(
            self.verified_signed_xml)
        # NOTE(review): no clock is pinned in this test, and
        # test_now_after_allowed shows the fixture failing the time check in
        # 2020. The two assertions below may therefore pass because the
        # assertion has expired rather than because of the recipient.
        # Consider pinning the clock as test_valid_saml_auth does.
        assert not authenticator._verify_saml_response_fields(
            self.metadata_etree, self.verified_signed_xml)

        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, self.response_etree)
        response_is_valid, signed_xml = outcome
        assert not response_is_valid
        # The signature itself is fine, so the signed XML is still returned;
        # callers have to gate on response_is_valid, not on signed_xml.
        assert etree.tostring(
            self.verified_signed_xml) == etree.tostring(signed_xml)
    def test_signed_xml_bad_audience(self):
        """Reject a response when the configured audience does not match."""
        authenticator = SAMLAuthenticator()
        authenticator.audience = "bad_audience"

        # This assertion isolates the audience comparison.
        assert not authenticator._verify_saml_response_against_configured_fields(
            self.verified_signed_xml)
        # NOTE(review): no clock is pinned in this test, and
        # test_now_after_allowed shows the fixture failing the time check in
        # 2020. The two assertions below may therefore pass because the
        # assertion has expired rather than because of the audience.
        # Consider pinning the clock as test_valid_saml_auth does.
        assert not authenticator._verify_saml_response_fields(
            self.metadata_etree, self.verified_signed_xml)

        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, self.response_etree)
        response_is_valid, signed_xml = outcome
        assert not response_is_valid
        # The signed XML is still handed back even though the response is
        # invalid; that is only harmless if callers gate on
        # response_is_valid rather than on a non-None signed_xml.
        assert etree.tostring(
            self.verified_signed_xml) == etree.tostring(signed_xml)
    def test_no_metadata_cert(self):
        """Fail closed when the metadata fixture carries no certificate."""
        authenticator = SAMLAuthenticator()
        metadata_without_cert = etree.fromstring(
            test_constants.sample_metadata_no_cert_xml)

        # Signature verification has nothing to verify against: it returns None.
        unverified = authenticator._verify_saml_signature(
            metadata_without_cert, self.response_etree)

        assert unverified is None

        # The full validation path rejects the response and returns no XML,
        # so no unverified content reaches the caller.
        outcome = authenticator._test_valid_saml_response(
            metadata_without_cert, self.response_etree)
        response_is_valid, signed_xml = outcome

        assert not response_is_valid
        assert signed_xml is None
    def test_tampered_saml_response(self):
        """Fail closed when the response fixture has been tampered with."""
        authenticator = SAMLAuthenticator()
        tampered_response = etree.fromstring(
            test_constants.tampered_sample_response_xml)

        # The signature check must not return any XML for the tampered document.
        unverified = authenticator._verify_saml_signature(
            self.metadata_etree, tampered_response)

        assert unverified is None

        # End to end: the response is rejected and nothing is handed back,
        # so tampered content cannot be consumed downstream.
        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, tampered_response)
        response_is_valid, signed_xml = outcome

        assert not response_is_valid
        assert signed_xml is None
    def test_metadata_no_entity(self):
        """Reject a response when the metadata fixture has no entity."""
        authenticator = SAMLAuthenticator()
        metadata_without_entity = etree.fromstring(
            test_constants.sample_metadata_no_entity)

        # Strict `is False`: the check must return the boolean itself, not
        # merely something falsy such as None.
        against_metadata = authenticator._verify_saml_response_against_metadata(
            metadata_without_entity, self.verified_signed_xml)
        assert against_metadata is False

        # NOTE(review): no clock is pinned in this test, and
        # test_now_after_allowed shows the fixture failing the time check in
        # 2020. The field check and the end-to-end rejection below may
        # therefore pass on expiry alone; only the assertion above isolates
        # the metadata comparison.
        fields_ok = authenticator._verify_saml_response_fields(
            metadata_without_entity, self.verified_signed_xml)
        assert fields_ok is False

        outcome = authenticator._test_valid_saml_response(
            metadata_without_entity, self.response_etree)
        response_is_valid, signed_xml = outcome

        assert not response_is_valid
        # The signature still verifies, so the signed XML is returned
        # alongside the rejection.
        assert etree.tostring(signed_xml) == etree.tostring(
            self.verified_signed_xml)
    def test_now_after_allowed(self, mock_datetime):
        """Reject an otherwise good response when "now" is 2020-04-09 21:35 UTC."""
        # Pin the clock to the later date and hand the real strptime back to
        # the mock.
        frozen_now = datetime(2020, 4, 9, 21, 35, 0, tzinfo=timezone.utc)
        mock_datetime.now.return_value = frozen_now
        mock_datetime.strptime = datetime.strptime

        authenticator = SAMLAuthenticator()

        # The time check fails on its own, and so does the aggregate field check.
        assert not authenticator._verify_physical_constraints(
            self.verified_signed_xml)
        assert not authenticator._verify_saml_response_fields(
            self.metadata_etree, self.verified_signed_xml)

        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, self.response_etree)
        response_is_valid, signed_xml = outcome
        assert not response_is_valid
        # The signature is still valid, so the signed XML is returned along
        # with the rejection; an expired assertion must be refused on the
        # boolean, not on the presence of signed_xml.
        assert etree.tostring(
            self.verified_signed_xml) == etree.tostring(signed_xml)
    def test_signed_xml_good_recipient(self, mock_datetime):
        """Accept the response when the configured recipient matches, clock at 2019-04-09."""
        # Pin the clock to the date the valid-response test uses and hand
        # the real strptime back to the mock.
        frozen_now = datetime(2019, 4, 9, 21, 35, 0, tzinfo=timezone.utc)
        mock_datetime.now.return_value = frozen_now
        mock_datetime.strptime = datetime.strptime

        authenticator = SAMLAuthenticator()
        # NOTE(review): this is the literal text "{recipient}", not a format
        # template; presumably the response fixture carries the same
        # placeholder as its recipient. Confirm against test_constants.
        authenticator.recipient = "{recipient}"

        assert authenticator._verify_saml_response_against_configured_fields(
            self.verified_signed_xml)
        assert authenticator._verify_saml_response_fields(
            self.metadata_etree, self.verified_signed_xml)

        outcome = authenticator._test_valid_saml_response(
            self.metadata_etree, self.response_etree)
        response_is_valid, signed_xml = outcome
        assert response_is_valid
        assert etree.tostring(
            self.verified_signed_xml) == etree.tostring(signed_xml)