def test_consent_full_flow(self, internal_response, internal_request, consent_verify_endpoint_regex, consent_registration_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) expected_ticket = "my_ticket" context = Context() state = State() context.state = state consent_module.save_state(internal_request, state) with responses.RequestsMock() as rsps: rsps.add(responses.GET, consent_verify_endpoint_regex, status=401) rsps.add(responses.GET, consent_registration_endpoint_regex, status=200, body=expected_ticket) resp = consent_module.manage_consent(context, internal_response) self.assert_redirect(resp, expected_ticket) self.assert_registstration_req(rsps.calls[1].request, consent_config.CONSENT["sign_key"]) with responses.RequestsMock() as rsps: # Now consent has been given, consent service returns 200 OK rsps.add(responses.GET, consent_verify_endpoint_regex, status=200, body=json.dumps(FILTER)) context = Context() context.state = state context, internal_response = consent_module._handle_consent_response(context) assert internal_response.get_attributes()["displayName"] == ["Test"] assert internal_response.get_attributes()["co"] == ["example"] assert "sn" not in internal_response.get_attributes() # 'sn' should be filtered
def test_with_pyoidc(self): responses.add(responses.POST, "https://graph.facebook.com/v2.5/oauth/access_token", body=json.dumps({"access_token": "qwerty", "token_type": "bearer", "expires_in": 9999999999999}), adding_headers={"set-cookie": "TEST=testing; path=/"}, status=200, content_type='application/json') responses.add(responses.GET, "https://graph.facebook.com/v2.5/me", match_querystring=False, body=json.dumps(FB_RESPONSE), status=200, content_type='application/json') context = Context() context.path = 'facebook/sso/redirect' context.state = State() internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml') get_state = Mock() get_state.return_value = STATE resp = self.fb_backend.start_auth(context, internal_request, get_state) context.cookie = resp.headers[0][1] context.request = { "code": FB_RESPONSE_CODE, "state": STATE } self.fb_backend.auth_callback_func = self.verify_callback self.fb_backend.authn_response(context)
def test_consent_not_given(self, context, consent_config, internal_response, internal_request, consent_verify_endpoint_regex, consent_registration_endpoint_regex): expected_ticket = "my_ticket" responses.add(responses.GET, consent_verify_endpoint_regex, status=401) responses.add(responses.GET, consent_registration_endpoint_regex, status=200, body=expected_ticket) requester_name = internal_response.requester_name context.state[consent.STATE_KEY] = {} resp = self.consent_module.process(context, internal_response) self.assert_redirect(resp, expected_ticket) self.assert_registration_req(responses.calls[1].request, internal_response, consent_config["sign_key"], self.consent_module.base_url, requester_name) new_context = Context() new_context.state = context.state # Verify endpoint of consent service still gives 401 (no consent given) context, internal_response = self.consent_module._handle_consent_response( context) assert not internal_response.attributes
def setup_for_authn_req(self, idp_conf, sp_conf, nameid_format): base = self.construct_base_url_from_entity_id(idp_conf["entityid"]) config = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base, "state_id": "state_id"} sp_metadata_str = create_metadata_from_config_dict(sp_conf) idp_conf["metadata"]["inline"] = [sp_metadata_str] samlfrontend = SamlFrontend(lambda context, internal_req: (context, internal_req), INTERNAL_ATTRIBUTES, config) samlfrontend.register_endpoints(["saml"]) idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config) sp_conf["metadata"]["inline"].append(idp_metadata_str) fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False)) context = Context() context.state = State() context.request = parse.parse_qs( urlparse(fakesp.make_auth_req(samlfrontend.config["entityid"], nameid_format)).query) tmp_dict = {} for val in context.request: if isinstance(context.request[val], list): tmp_dict[val] = context.request[val][0] else: tmp_dict[val] = context.request[val] context.request = tmp_dict return context, samlfrontend
def test_consent_not_given(self, internal_response, internal_request, consent_verify_endpoint_regex, consent_registration_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) expected_ticket = "my_ticket" responses.add(responses.GET, consent_verify_endpoint_regex, status=401) responses.add(responses.GET, consent_registration_endpoint_regex, status=200, body=expected_ticket) context = Context() state = State() context.state = state consent_module.save_state(internal_request, state) resp = consent_module.manage_consent(context, internal_response) self.assert_redirect(resp, expected_ticket) self.assert_registstration_req(responses.calls[1].request, consent_config.CONSENT["sign_key"]) context = Context() context.state = state # Verify endpoint of consent service still gives 401 (no consent given) context, internal_response = consent_module._handle_consent_response(context) assert not internal_response.get_attributes()
def test_start_auth_name_id_policy(self, sp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ samlbackend = SamlBackend( None, INTERNAL_ATTRIBUTES, { "config": sp_conf, "disco_srv": "https://my.dicso.com/role/idp.ds", "state_id": "saml_backend_test_id" }) test_state_key = "sauyghj34589fdh" state = State() state.add(test_state_key, "my_state") context = Context() context.state = state internal_req = InternalRequest(UserIdHashType.transient, None) resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." disco_resp = parse_qs(urlparse(resp.message).query) sp_disco_resp = \ sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0] assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \ "Not a valid return url in the call to the discovery server" assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \ "Not a valid entity id in the call to the discovery server" request_info_tmp = context.state assert request_info_tmp.get( test_state_key) == "my_state", "Wrong state!"
def test_start_auth_name_id_policy(self, sp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf, "disco_srv": "https://my.dicso.com/role/idp.ds", "state_id": "saml_backend_test_id"}) test_state_key = "sauyghj34589fdh" state = State() state.add(test_state_key, "my_state") context = Context() context.state = state internal_req = InternalRequest(UserIdHashType.transient, None) resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." disco_resp = parse_qs(urlparse(resp.message).query) sp_disco_resp = \ sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0] assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \ "Not a valid return url in the call to the discovery server" assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \ "Not a valid entity id in the call to the discovery server" request_info_tmp = context.state assert request_info_tmp.get(test_state_key) == "my_state", "Wrong state!"
def test_start_auth_no_request_info(self, sp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ disco_srv = "https://my.dicso.com/role/idp.ds" samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf, "disco_srv": disco_srv, "state_id": "saml_backend_test_id"}) internal_data = InternalRequest(None, None) state = State() context = Context() context.state = state resp = samlbackend.start_auth(context, internal_data) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." assert resp.message.startswith("https://my.dicso.com/role/idp.ds"), \ "Redirect to wrong URL." # create_name_id_policy_transient() state = State() context = Context() context.state = state user_id_hash_type = UserIdHashType.transient internal_data = InternalRequest(user_id_hash_type, None) resp = samlbackend.start_auth(context, internal_data) assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
def run_server(self, environ, start_response, debug=False): path = environ.get('PATH_INFO', '').lstrip('/') if ".." in path: resp = Unauthorized() return resp(environ, start_response) context = Context() context.path = path # copy wsgi.input stream to allow it to be re-read later by satosa plugins # see: http://stackoverflow.com/questions/1783383/how-do-i-copy-wsgi-input-if-i-want-to-process-post-data-more-than-once content_length = int(environ.get('CONTENT_LENGTH', '0') or '0') body = io.BytesIO(environ['wsgi.input'].read(content_length)) environ['wsgi.input'] = body context.request = unpack_either(environ) environ['wsgi.input'].seek(0) context.wsgi_environ = environ context.cookie = environ.get("HTTP_COOKIE", "") try: resp = self.run(context) if isinstance(resp, Exception): raise resp return resp(environ, start_response) except SATOSANoBoundEndpointError: resp = NotFound("Couldn't find the side you asked for!") return resp(environ, start_response) except Exception as err: logger.exception("%s" % err) if debug: raise resp = ServiceError("%s" % err) return resp(environ, start_response)
def test_attributes_general(self, ldap_attribute_store): ldap_to_internal_map = (self.ldap_attribute_store_config['default'] ['ldap_to_internal_map']) for dn, attributes in self.ldap_person_records: # Mock up the internal response the LDAP attribute store is # expecting to receive. response = InternalData(auth_info=AuthenticationInformation()) # The LDAP attribute store configuration and the mock records # expect to use a LDAP search filter for the uid attribute. uid = attributes['uid'] response.attributes = {'uid': uid} context = Context() context.state = dict() ldap_attribute_store.process(context, response) # Verify that the LDAP attribute store has retrieved the mock # records from the mock LDAP server and has added the appropriate # internal attributes. for ldap_attr, ldap_value in attributes.items(): if ldap_attr in ldap_to_internal_map: internal_attr = ldap_to_internal_map[ldap_attr] response_attr = response.attributes[internal_attr] assert(ldap_value in response_attr)
def test_endpoint_routing_to_frontend(self, url_path, expected_frontend, expected_backend): context = Context() context.path = url_path self.router.endpoint_routing(context) assert context.target_frontend == expected_frontend assert context.target_backend == expected_backend
def test_backend(path, provider, endpoint): context = Context() context.path = path spec = router.endpoint_routing(context) assert spec[0] == provider assert spec[1] == endpoint assert context.target_backend == provider assert context.target_frontend is None
def test_redirect_to_login_at_auth_endpoint(self): self.fake_op.setup_webfinger_endpoint() self.fake_op.setup_opienid_config_endpoint() self.fake_op.setup_client_registration_endpoint() context = Context() context.state = State() auth_response = self.openid_backend.start_auth(context, None) assert auth_response._status == Redirect._status
def test_endpoint_routing_to_microservice(self, url_path, expected_micro_service): context = Context() context.path = url_path microservice_callable = self.router.endpoint_routing(context) assert context.target_micro_service == expected_micro_service assert microservice_callable == self.router.micro_services[expected_micro_service]["instance"].callback assert context.target_backend is None assert context.target_frontend is None
def test_set_state_in_start_auth_and_use_in_redirect_endpoint(self): self.fake_op.setup_webfinger_endpoint() self.fake_op.setup_opienid_config_endpoint() self.fake_op.setup_client_registration_endpoint() context = Context() context.state = State() self.openid_backend.start_auth(context, None) context = self.setup_fake_op_endpoints(FakeOP.STATE) self.openid_backend.redirect_endpoint(context)
def test_endpoint_routing_to_microservice(self, url_path, expected_micro_service): context = Context() context.path = url_path microservice_callable = self.router.endpoint_routing(context) assert context.target_micro_service == expected_micro_service assert microservice_callable == self.router.micro_services[ expected_micro_service]["instance"].callback assert context.target_backend is None assert context.target_frontend is None
def test_test_restore_state_with_separate_backends(self): openid_backend_1 = OpenIdBackend(MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config) openid_backend_2 = OpenIdBackend(MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config) self.fake_op.setup_webfinger_endpoint() self.fake_op.setup_opienid_config_endpoint() self.fake_op.setup_client_registration_endpoint() context = Context() context.state = State() openid_backend_1.start_auth(context, None) context = self.setup_fake_op_endpoints(FakeOP.STATE) openid_backend_2.redirect_endpoint(context)
def test_path(): context = Context() with pytest.raises(ValueError): context.path = None with pytest.raises(ValueError): context.path = "/babal" valid_path = "Saml2/sso/redirect" context.path = valid_path assert context.path == valid_path
def test_routing(path, provider, receiver, _): context = Context() context.path = path context.state = state router.endpoint_routing(context) backend = router.backend_routing(context) assert backend == backends[provider] frontend = router.frontend_routing(context) assert frontend == frontends[receiver] assert context.target_frontend == receiver
def setup_authentication_response(self, state=None): context = Context() context.path = 'openid/authz_cb' op_base = TestConfiguration.get_instance().rp_config.OP_URL if not state: state = rndstr() context.request = { 'code': 'F+R4uWbN46U+Bq9moQPC4lEvRd2De4o=', 'scope': 'openid profile email address phone', 'state': state} context.state = self.generate_state(op_base) return context
def test_register_client_with_wrong_response_type(self): redirect_uri = "https://client.example.com" registration_request = RegistrationRequest(redirect_uris=[redirect_uri], response_types=["code"]) context = Context() context.request = registration_request.to_dict() registration_response = self.instance._register_client(context) assert registration_response.status == "400 Bad Request" error_response = ClientRegistrationErrorResponse().deserialize( registration_response.message, "json") assert error_response["error"] == "invalid_request" assert "response_type" in error_response["error_description"]
def _handle_disco_response(self, context:Context): target_issuer = context.request.get('entityID') if not target_issuer: raise DiscoToTargetIssuerError('no valid entity_id in the disco response') target_frontend = context.state.get(self.name, {}).get('target_frontend') data_serialized = context.state.get(self.name, {}).get('internal_data', {}) data = InternalData.from_dict(data_serialized) context.target_frontend = target_frontend context.decorate(Context.KEY_TARGET_ENTITYID, target_issuer) return super().process(context, data)
def setup_authentication_response(self, state=None): context = Context() context.path = 'openid/authz_cb' op_base = TestConfiguration.get_instance().rp_config.OP_URL if not state: state = rndstr() context.request = { 'code': 'F+R4uWbN46U+Bq9moQPC4lEvRd2De4o=', 'scope': 'openid profile email address phone', 'state': state } context.state = self.generate_state(op_base) return context
def test_generate_static(self): synthetic_attributes = {"": {"default": {"a0": "value1;value2"}}} authz_service = self.create_syn_service(synthetic_attributes) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "a1": ["*****@*****.**"], } ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) assert ("value1" in resp.attributes['a0']) assert ("value2" in resp.attributes['a0']) assert ("*****@*****.**" in resp.attributes['a1'])
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf): expected_loa = "LoA1" loa = { "": "http://eidas.europa.eu/LoA/low", idp_conf["entityid"]: expected_loa } base = self.construct_base_url_from_entity_id(idp_conf["entityid"]) conf = { "idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base, "state_id": "state_id", "acr_mapping": loa } samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf) samlfrontend.register_endpoints(["foo"]) idp_metadata_str = create_metadata_from_config_dict( samlfrontend.config) sp_conf["metadata"]["inline"].append(idp_metadata_str) fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False)) auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"]) internal_response = InternalResponse(auth_info=auth_info) context = Context() context.state = State() resp_args = { "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT), "in_response_to": None, "destination": "", "sp_entity_id": None, "binding": BINDING_HTTP_REDIRECT } request_state = samlfrontend.save_state(context, resp_args, "") context.state.add(conf["state_id"], request_state) resp = samlfrontend.handle_authn_response(context, internal_response) resp_dict = parse_qs(urlparse(resp.message).query) resp = fakesp.parse_authn_request_response( resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT) assert len(resp.assertion.authn_statement) == 1 authn_context_class_ref = resp.assertion.authn_statement[ 0].authn_context.authn_context_class_ref assert authn_context_class_ref.text == expected_loa
def _handle_satosa_authentication_error(self, error): """ Sends a response to the requestor about the error :type error: satosa.exception.SATOSAAuthenticationError :rtype: satosa.response.Response :param error: The exception :return: response """ context = Context() context.state = error.state frontend = self.module_router.frontend_routing(context) return frontend.handle_backend_error(error)
def test_authz_deny_fail(self): attribute_deny = {"": {"default": {"a0": ['foo1', 'foo2']}}} attribute_allow = {} authz_service = self.create_authz_service(attribute_allow, attribute_deny) resp = InternalResponse(AuthenticationInformation(None, None, None)) resp.attributes = { "a0": ["foo3"], } try: ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) except SATOSAAuthenticationError as ex: assert False
def test_authz_allow_second(self): attribute_allow = {"": {"default": {"a0": ['foo1', 'foo2']}}} attribute_deny = {} authz_service = self.create_authz_service(attribute_allow, attribute_deny) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "a0": ["foo2", "kaka"], } try: ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) except SATOSAAuthenticationError as ex: assert False
def test_test_restore_state_with_separate_backends(self): openid_backend_1 = OpenIdBackend( MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config) openid_backend_2 = OpenIdBackend( MagicMock, INTERNAL_ATTRIBUTES, TestConfiguration.get_instance().config) self.fake_op.setup_webfinger_endpoint() self.fake_op.setup_opienid_config_endpoint() self.fake_op.setup_client_registration_endpoint() context = Context() context.state = State() openid_backend_1.start_auth(context, None) context = self.setup_fake_op_endpoints(FakeOP.STATE) openid_backend_2.redirect_endpoint(context)
def test_generate_static(self): synthetic_attributes = { "": { "default": {"a0": "value1;value2" }} } authz_service = self.create_syn_service(synthetic_attributes) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "a1": ["*****@*****.**"], } ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) assert("value1" in resp.attributes['a0']) assert("value2" in resp.attributes['a0']) assert("*****@*****.**" in resp.attributes['a1'])
def test_consent_prev_given(self, internal_response, internal_request, consent_verify_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) responses.add(responses.GET, consent_verify_endpoint_regex, status=200, body=json.dumps(FILTER)) context = Context() state = State() context.state = state consent_module.save_state(internal_request, state) context, internal_response = consent_module.manage_consent(context, internal_response) assert context assert "displayName" in internal_response.get_attributes()
def setup_for_authn_response(self, auth_req): context = Context() context.state = self.create_state(auth_req) auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml") internal_response = InternalResponse(auth_info=auth_info) internal_response.add_attributes( DataConverter(INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])) internal_response.set_user_id(USERS["testuser1"]["eduPersonTargetedID"][0]) self.instance.provider.cdb = { "client1": {"response_types": ["id_token"], "redirect_uris": [(auth_req["redirect_uri"], None)], "client_salt": "salt"}} return context, internal_response
def setup(self, signing_key_path): self.account_linking_config = { "enable": True, "rest_uri": "https://localhost:8167", "redirect": "https://localhost:8167/approve", "endpoint": "handle_account_linking", "sign_key": signing_key_path, "verify_ssl": False } self.satosa_config = { "BASE": "https://proxy.example.com", "USER_ID_HASH_SALT": "qwerty", "COOKIE_STATE_NAME": "SATOSA_SATE", "STATE_ENCRYPTION_KEY": "ASDasd123", "PLUGIN_PATH": "", "BACKEND_MODULES": "", "FRONTEND_MODULES": "", "INTERNAL_ATTRIBUTES": {}, "ACCOUNT_LINKING": self.account_linking_config } self.callback_func = MagicMock() self.context = Context() state = State() self.context.state = state auth_info = AuthenticationInformation("auth_class_ref", "timestamp", "issuer") self.internal_response = InternalResponse(auth_info=auth_info)
def test_authz_deny_fail(self): attribute_deny = { "": { "default": {"a0": ['foo1','foo2']} } } attribute_allow = {} authz_service = self.create_authz_service(attribute_allow, attribute_deny) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "a0": ["foo3"], } try: ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) except SATOSAAuthenticationError as ex: assert False
def test_register_client(self): redirect_uri = "https://client.example.com" registration_request = RegistrationRequest(redirect_uris=[redirect_uri], response_types=["id_token"]) context = Context() context.request = registration_request.to_dict() registration_response = self.instance._register_client(context) assert registration_response.status == "201 Created" reg_resp = RegistrationResponse().deserialize(registration_response.message, "json") assert "client_id" in reg_resp assert reg_resp["client_id"] in self.instance.provider.cdb # no need to issue client secret since to token endpoint is published assert "client_secret" not in reg_resp assert reg_resp["redirect_uris"] == [redirect_uri] assert reg_resp["response_types"] == ["id_token"] assert reg_resp["id_token_signed_response_alg"] == "RS256"
def test_generate_mustache2(self): synthetic_attributes = { "": { "default": {"a0": "{{kaka.first}}#{{eppn.scope}}" }} } authz_service = self.create_syn_service(synthetic_attributes) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "kaka": ["kaka1","kaka2"], "eppn": ["*****@*****.**","*****@*****.**"] } ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) assert("kaka1#example.com" in resp.attributes['a0']) assert("kaka1" in resp.attributes['kaka']) assert("*****@*****.**" in resp.attributes['eppn']) assert("*****@*****.**" in resp.attributes['eppn'])
def test_consent_handles_connection_error(self, internal_response, internal_request, consent_verify_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) state = State() context = Context() context.state = state consent_module.save_state(internal_request, state) with responses.RequestsMock(assert_all_requests_are_fired=True) as rsps: rsps.add(responses.GET, consent_verify_endpoint_regex, body=requests.ConnectionError("No connection")) context, internal_response = consent_module.manage_consent(context, internal_response) assert context assert not internal_response.get_attributes()
def test_consent_prev_given(self, internal_response, internal_request, consent_verify_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) responses.add(responses.GET, consent_verify_endpoint_regex, status=200, body=json.dumps(FILTER)) context = Context() state = State() context.state = state consent_module.save_state(internal_request, state) context, internal_response = consent_module.manage_consent( context, internal_response) assert context assert "displayName" in internal_response.get_attributes()
def test_start_auth(self): context = Context() context.path = 'facebook/sso/redirect' context.state = State() internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml') get_state = Mock() get_state.return_value = STATE resp = self.fb_backend.start_auth(context, internal_request, get_state) # assert resp.headers[0][0] == "Set-Cookie", "Not the correct return cookie" # assert len(resp.headers[0][1]) > 1, "Not the correct return cookie" resp_url = resp.message.split("?") test_url = FB_REDIRECT_URL.split("?") resp_attr = parse_qs(resp_url[1]) test_attr = parse_qs(test_url[1]) assert resp_url[0] == test_url[0] assert len(resp_attr) == len(test_attr), "Redirect url is not correct!" for key in test_attr: assert key in resp_attr, "Redirect url is not correct!" assert test_attr[key] == resp_attr[key], "Redirect url is not correct!"
def test_attribute_policy(self): requester = "requester" attribute_policies = { "attribute_policy": { "requester_everything_allowed": {}, "requester_nothing_allowed": { "allowed": {} }, "requester_subset_allowed": { "allowed": { "attr1", "attr2", }, }, }, } attributes = { "attr1": ["foo"], "attr2": ["foo", "bar"], "attr3": ["foo"] } results = { "requester_everything_allowed": attributes.keys(), "requester_nothing_allowed": set(), "requester_subset_allowed": {"attr1", "attr2"}, } for requester, result in results.items(): attribute_policy_service = self.create_attribute_policy_service( attribute_policies) ctx = Context() ctx.state = dict() resp = InternalData(auth_info=AuthenticationInformation()) resp.requester = requester resp.attributes = { "attr1": ["foo"], "attr2": ["foo", "bar"], "attr3": ["foo"] } filtered = attribute_policy_service.process(ctx, resp) assert (filtered.attributes.keys() == result)
def test_redirect_to_idp_if_only_one_idp_in_metadata(self, sp_conf, idp_conf): sp_conf["metadata"]["inline"] = [create_metadata_from_config_dict(idp_conf)] samlbackend = SamlBackend(None, INTERNAL_ATTRIBUTES, {"config": sp_conf, "state_id": "saml_backend_test_id"}) state = State() state.add("test", "state") context = Context() context.state = state internal_req = InternalRequest(UserIdHashType.transient, None) resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other" parsed = urlparse(resp.message) assert "{parsed.scheme}://{parsed.netloc}{parsed.path}".format( parsed=parsed) == \ idp_conf["service"]["idp"]["endpoints"]["single_sign_on_service"][0][0] assert "SAMLRequest" in parse_qs(parsed.query)
def test_consent_handles_connection_error(self, internal_response, internal_request, consent_verify_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) state = State() context = Context() context.state = state consent_module.save_state(internal_request, state) with responses.RequestsMock( assert_all_requests_are_fired=True) as rsps: rsps.add(responses.GET, consent_verify_endpoint_regex, body=requests.ConnectionError("No connection")) context, internal_response = consent_module.manage_consent( context, internal_response) assert context assert not internal_response.get_attributes()
def test_generate_mustache_empty_attribute(self): synthetic_attributes = { "": { "default": { "a0": "{{kaka.first}}#{{eppn.scope}}" } } } authz_service = self.create_syn_service(synthetic_attributes) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "kaka": ["kaka1", "kaka2"], "eppn": None, } ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) assert ("kaka1#" in resp.attributes['a0']) assert ("kaka1" in resp.attributes['kaka']) assert ("kaka2" in resp.attributes['kaka'])
def setUp(self): context = Context() context.state = State() config = { 'disco_endpoints': [ '.*/disco', ], } plugin = DiscoToTargetIssuer( config=config, name='test_disco_to_target_issuer', base_url='https://satosa.example.org', ) plugin.next = lambda ctx, data: (ctx, data) self.config = config self.context = context self.plugin = plugin
def test_start_auth_disco(self, sp_conf, idp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ samlbackend = SamlBackend(lambda context, internal_resp: (context, internal_resp), INTERNAL_ATTRIBUTES, {"config": sp_conf, "disco_srv": "https://my.dicso.com/role/idp.ds", "state_id": "saml_backend_test_id"}) test_state_key = "test_state_key_456afgrh" response_binding = BINDING_HTTP_REDIRECT fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml") state = State() state.add(test_state_key, "my_state") context = Context() context.state = state resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." disco_resp = parse_qs(urlparse(resp.message).query) info = parse_qs(urlparse(disco_resp["return"][0]).query) info[samlbackend.idp_disco_query_param] = idp_conf["entityid"] context = Context() context.request = info context.state = state resp = samlbackend.disco_response(context) assert resp.status == "303 See Other" req_params = dict(parse_qsl(urlparse(resp.message).query)) url, fake_idp_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) context = Context() context.request = fake_idp_resp context.state = state context, internal_resp = samlbackend.authn_response(context, response_binding) assert isinstance(context, Context), "Not correct instance!" assert context.state.get(test_state_key) == "my_state", "Not correct state!" assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!" _dict = internal_resp.get_attributes() expected_data = {'surname': ['Testsson 1'], 'mail': ['*****@*****.**'], 'displayname': ['Test Testsson'], 'givenname': ['Test 1'], 'edupersontargetedid': ['one!for!all']} for key in _dict: assert expected_data[key] == _dict[key]
def test_micro_service(): """ Test the micro service flow """ data_list = ["1", "2", "3"] service_list = [] for d in data_list: service = MicroService() service.process = create_process_func(d) service_list.append(service) service_queue = build_micro_service_queue(service_list) test_data = "test_data" context = Context() context.state = State() data = service_queue.process_service_queue(context, test_data) for d in data_list: test_data = "{}{}".format(test_data, d) assert data == test_data
def test_authn_response(self): context = Context() context.path = 'facebook/sso/redirect' context.state = State() internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml') get_state = Mock() get_state.return_value = STATE resp = self.fb_backend.start_auth(context, internal_request, get_state) context.cookie = resp.headers[0][1] context.request = { "code": FB_RESPONSE_CODE, "state": STATE } # context.request = json.dumps(context.request) self.fb_backend.auth_callback_func = self.verify_callback tmp_consumer = self.fb_backend.get_consumer() tmp_consumer.do_access_token_request = self.verify_do_access_token_request self.fb_backend.get_consumer = Mock() self.fb_backend.get_consumer.return_value = tmp_consumer self.fb_backend.request_fb = self.verify_request_fb self.fb_backend.authn_response(context)
def test_generate_mustache1(self): synthetic_attributes = { "": { "default": { "a0": "{{kaka}}#{{eppn.scope}}" } } } authz_service = self.create_syn_service(synthetic_attributes) resp = InternalData(auth_info=AuthenticationInformation()) resp.attributes = { "kaka": ["kaka1"], "eppn": ["*****@*****.**", "*****@*****.**"] } ctx = Context() ctx.state = dict() authz_service.process(ctx, resp) assert ("kaka1#example.com" in resp.attributes['a0']) assert ("kaka1" in resp.attributes['kaka']) assert ("*****@*****.**" in resp.attributes['eppn']) assert ("*****@*****.**" in resp.attributes['eppn'])
def setUp(self): context = Context() context.state = State() config = { 'default_backend': 'default_backend', 'target_mapping': { 'mapped_idp.example.org': 'mapped_backend', }, } plugin = DecideBackendByTargetIssuer( config=config, name='test_decide_service', base_url='https://satosa.example.org', ) plugin.next = lambda ctx, data: (ctx, data) self.config = config self.context = context self.plugin = plugin
def test_start_auth(self): context = Context() context.path = 'facebook/sso/redirect' context.state = State() internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml') get_state = Mock() get_state.return_value = STATE resp = self.fb_backend.start_auth(context, internal_request, get_state) # assert resp.headers[0][0] == "Set-Cookie", "Not the correct return cookie" # assert len(resp.headers[0][1]) > 1, "Not the correct return cookie" resp_url = resp.message.split("?") test_url = FB_REDIRECT_URL.split("?") resp_attr = parse_qs(resp_url[1]) test_attr = parse_qs(test_url[1]) assert resp_url[0] == test_url[0] assert len(resp_attr) == len(test_attr), "Redirect url is not correct!" for key in test_attr: assert key in resp_attr, "Redirect url is not correct!" assert test_attr[key] == resp_attr[ key], "Redirect url is not correct!"
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf): expected_loa = "LoA1" loa = {"": "http://eidas.europa.eu/LoA/low", idp_conf["entityid"]: expected_loa} base = self.construct_base_url_from_entity_id(idp_conf["entityid"]) conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base, "state_id": "state_id", "acr_mapping": loa} samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf) samlfrontend.register_endpoints(["foo"]) idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config) sp_conf["metadata"]["inline"].append(idp_metadata_str) fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False)) auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"]) internal_response = InternalResponse(auth_info=auth_info) context = Context() context.state = State() resp_args = { "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT), "in_response_to": None, "destination": "", "sp_entity_id": None, "binding": BINDING_HTTP_REDIRECT } request_state = samlfrontend.save_state(context, resp_args, "") context.state.add(conf["state_id"], request_state) resp = samlfrontend.handle_authn_response(context, internal_response) resp_dict = parse_qs(urlparse(resp.message).query) resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT) assert len(resp.assertion.authn_statement) == 1 authn_context_class_ref = resp.assertion.authn_statement[ 0].authn_context.authn_context_class_ref assert authn_context_class_ref.text == expected_loa
def test_with_pyoidc(self): responses.add(responses.POST, "https://graph.facebook.com/v2.5/oauth/access_token", body=json.dumps({ "access_token": "qwerty", "token_type": "bearer", "expires_in": 9999999999999 }), adding_headers={"set-cookie": "TEST=testing; path=/"}, status=200, content_type='application/json') responses.add(responses.GET, "https://graph.facebook.com/v2.5/me", match_querystring=False, body=json.dumps(FB_RESPONSE), status=200, content_type='application/json') context = Context() context.path = 'facebook/sso/redirect' context.state = State() internal_request = InternalRequest(UserIdHashType.transient, 'http://localhost:8087/sp.xml') get_state = Mock() get_state.return_value = STATE resp = self.fb_backend.start_auth(context, internal_request, get_state) context.cookie = resp.headers[0][1] context.request = {"code": FB_RESPONSE_CODE, "state": STATE} self.fb_backend.auth_callback_func = self.verify_callback self.fb_backend.authn_response(context)
def test_consent_not_given(self, internal_response, internal_request, consent_verify_endpoint_regex, consent_registration_endpoint_regex): consent_config = SATOSAConfig(self.satosa_config) consent_module = ConsentModule(consent_config, identity_callback) expected_ticket = "my_ticket" responses.add(responses.GET, consent_verify_endpoint_regex, status=401) responses.add(responses.GET, consent_registration_endpoint_regex, status=200, body=expected_ticket) context = Context() state = State() context.state = state consent_module.save_state(internal_request, state) resp = consent_module.manage_consent(context, internal_response) self.assert_redirect(resp, expected_ticket) self.assert_registstration_req(responses.calls[1].request, consent_config.CONSENT["sign_key"]) context = Context() context.state = state # Verify endpoint of consent service still gives 401 (no consent given) context, internal_response = consent_module._handle_consent_response( context) assert not internal_response.get_attributes()