def test_consent_not_given(self, internal_response, internal_request,
consent_verify_endpoint_regex,
consent_registration_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
expected_ticket = "my_ticket"
responses.add(responses.GET, consent_verify_endpoint_regex, status=401)
responses.add(responses.GET,
consent_registration_endpoint_regex,
status=200,
body=expected_ticket)
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
resp = consent_module.manage_consent(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registstration_req(responses.calls[1].request,
consent_config.CONSENT["sign_key"])
context = Context()
context.state = state
# Verify endpoint of consent service still gives 401 (no consent given)
context, internal_response = consent_module._handle_consent_response(
context)
assert not internal_response.get_attributes()
def test_start_auth_no_request_info(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
disco_srv = "https://my.dicso.com/role/idp.ds"
samlbackend = SamlBackend(
None, INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"disco_srv": disco_srv,
"state_id": "saml_backend_test_id"
})
internal_data = InternalRequest(None, None)
state = State()
context = Context()
context.state = state
resp = samlbackend.start_auth(context, internal_data)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
assert resp.message.startswith("https://my.dicso.com/role/idp.ds"), \
"Redirect to wrong URL."
# create_name_id_policy_transient()
state = State()
context = Context()
context.state = state
user_id_hash_type = UserIdHashType.transient
internal_data = InternalRequest(user_id_hash_type, None)
resp = samlbackend.start_auth(context, internal_data)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
def run_server(self, environ, start_response, debug=False):
path = environ.get('PATH_INFO', '').lstrip('/')
if ".." in path:
resp = Unauthorized()
return resp(environ, start_response)
context = Context()
context.path = path
# copy wsgi.input stream to allow it to be re-read later by satosa plugins
# see: http://stackoverflow.com/questions/1783383/how-do-i-copy-wsgi-input-if-i-want-to-process-post-data-more-than-once
content_length = int(environ.get('CONTENT_LENGTH', '0') or '0')
body = io.BytesIO(environ['wsgi.input'].read(content_length))
environ['wsgi.input'] = body
context.request = unpack_either(environ)
environ['wsgi.input'].seek(0)
context.wsgi_environ = environ
context.cookie = environ.get("HTTP_COOKIE", "")
try:
resp = self.run(context)
if isinstance(resp, Exception):
raise resp
return resp(environ, start_response)
except SATOSANoBoundEndpointError:
resp = NotFound("Couldn't find the side you asked for!")
return resp(environ, start_response)
except Exception as err:
logger.exception("%s" % err)
if debug:
raise
resp = ServiceError("%s" % err)
return resp(environ, start_response)
def test_consent_not_given(self, context, consent_config,
internal_response, internal_request,
consent_verify_endpoint_regex,
consent_registration_endpoint_regex):
expected_ticket = "my_ticket"
responses.add(responses.GET, consent_verify_endpoint_regex, status=401)
responses.add(responses.GET,
consent_registration_endpoint_regex,
status=200,
body=expected_ticket)
requester_name = internal_response.requester_name
context.state[consent.STATE_KEY] = {}
resp = self.consent_module.process(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registration_req(responses.calls[1].request,
internal_response,
consent_config["sign_key"],
self.consent_module.base_url,
requester_name)
new_context = Context()
new_context.state = context.state
# Verify endpoint of consent service still gives 401 (no consent given)
context, internal_response = self.consent_module._handle_consent_response(
context)
assert not internal_response.attributes
def test_start_auth_name_id_policy(self, sp_conf):
"""
Performs a complete test for the module satosa.backends.saml2. The flow should be accepted.
"""
samlbackend = SamlBackend(
None, INTERNAL_ATTRIBUTES, {
"config": sp_conf,
"disco_srv": "https://my.dicso.com/role/idp.ds",
"state_id": "saml_backend_test_id"
})
test_state_key = "sauyghj34589fdh"
state = State()
state.add(test_state_key, "my_state")
context = Context()
context.state = state
internal_req = InternalRequest(UserIdHashType.transient, None)
resp = samlbackend.start_auth(context, internal_req)
assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
disco_resp = parse_qs(urlparse(resp.message).query)
sp_disco_resp = \
sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
assert "return" in disco_resp and disco_resp["return"][0].startswith(sp_disco_resp), \
"Not a valid return url in the call to the discovery server"
assert "entityID" in disco_resp and disco_resp["entityID"][0] == sp_conf["entityid"], \
"Not a valid entity id in the call to the discovery server"
request_info_tmp = context.state
assert request_info_tmp.get(
test_state_key) == "my_state", "Wrong state!"
def test_attributes_general(self, ldap_attribute_store):
ldap_to_internal_map = (self.ldap_attribute_store_config['default']
['ldap_to_internal_map'])
for dn, attributes in self.ldap_person_records:
# Mock up the internal response the LDAP attribute store is
# expecting to receive.
response = InternalData(auth_info=AuthenticationInformation())
# The LDAP attribute store configuration and the mock records
# expect to use a LDAP search filter for the uid attribute.
uid = attributes['uid']
response.attributes = {'uid': uid}
context = Context()
context.state = dict()
ldap_attribute_store.process(context, response)
# Verify that the LDAP attribute store has retrieved the mock
# records from the mock LDAP server and has added the appropriate
# internal attributes.
for ldap_attr, ldap_value in attributes.items():
if ldap_attr in ldap_to_internal_map:
internal_attr = ldap_to_internal_map[ldap_attr]
response_attr = response.attributes[internal_attr]
assert(ldap_value in response_attr)
def setup(self, signing_key_path):
self.account_linking_config = {
"enable": True,
"rest_uri": "https://localhost:8167",
"redirect": "https://localhost:8167/approve",
"endpoint": "handle_account_linking",
"sign_key": signing_key_path,
"verify_ssl": False
}
self.satosa_config = {
"BASE": "https://proxy.example.com",
"USER_ID_HASH_SALT": "qwerty",
"COOKIE_STATE_NAME": "SATOSA_SATE",
"STATE_ENCRYPTION_KEY": "ASDasd123",
"PLUGIN_PATH": "",
"BACKEND_MODULES": "",
"FRONTEND_MODULES": "",
"INTERNAL_ATTRIBUTES": {},
"ACCOUNT_LINKING": self.account_linking_config
}
self.callback_func = MagicMock()
self.context = Context()
state = State()
self.context.state = state
auth_info = AuthenticationInformation("auth_class_ref", "timestamp",
"issuer")
self.internal_response = InternalResponse(auth_info=auth_info)
def test_endpoint_routing_to_frontend(self, url_path, expected_frontend,
expected_backend):
context = Context()
context.path = url_path
self.router.endpoint_routing(context)
assert context.target_frontend == expected_frontend
assert context.target_backend == expected_backend
def test_with_pyoidc(self):
responses.add(responses.POST,
"https://graph.facebook.com/v2.5/oauth/access_token",
body=json.dumps({
"access_token": "qwerty",
"token_type": "bearer",
"expires_in": 9999999999999
}),
adding_headers={"set-cookie": "TEST=testing; path=/"},
status=200,
content_type='application/json')
responses.add(responses.GET,
"https://graph.facebook.com/v2.5/me",
match_querystring=False,
body=json.dumps(FB_RESPONSE),
status=200,
content_type='application/json')
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient,
'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
context.cookie = resp.headers[0][1]
context.request = {"code": FB_RESPONSE_CODE, "state": STATE}
self.fb_backend.auth_callback_func = self.verify_callback
self.fb_backend.authn_response(context)
def test_backend(path, provider, endpoint):
context = Context()
context.path = path
spec = router.endpoint_routing(context)
assert spec[0] == provider
assert spec[1] == endpoint
assert context.target_backend == provider
assert context.target_frontend is None
def test_redirect_to_login_at_auth_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
auth_response = self.openid_backend.start_auth(context, None)
assert auth_response._status == Redirect._status
def test_full_flow(self, context, idp_conf, sp_conf):
test_state_key = "test_state_key_456afgrh"
response_binding = BINDING_HTTP_REDIRECT
fakeidp = FakeIdP(USERS,
config=IdPConfig().load(idp_conf,
metadata_construction=False))
context.state[test_state_key] = "my_state"
# start auth flow (redirecting to discovery server)
resp = self.samlbackend.start_auth(context,
InternalRequest(None, None))
self.assert_redirect_to_discovery_server(resp, sp_conf)
# fake response from discovery server
disco_resp = parse_qs(urlparse(resp.message).query)
info = parse_qs(urlparse(disco_resp["return"][0]).query)
info["entityID"] = idp_conf["entityid"]
request_context = Context()
request_context.request = info
request_context.state = context.state
# pass discovery response to backend and check that it redirects to the selected IdP
resp = self.samlbackend.disco_response(request_context)
self.assert_redirect_to_idp(resp, idp_conf)
# fake auth response to the auth request
req_params = dict(parse_qsl(urlparse(resp.message).query))
url, fake_idp_resp = fakeidp.handle_auth_req(
req_params["SAMLRequest"],
req_params["RelayState"],
BINDING_HTTP_REDIRECT,
"testuser1",
response_binding=response_binding)
response_context = Context()
response_context.request = fake_idp_resp
response_context.state = request_context.state
# pass auth response to backend and verify behavior
self.samlbackend.authn_response(response_context, response_binding)
context, internal_resp = self.samlbackend.auth_callback_func.call_args[
0]
assert self.samlbackend.name not in context.state
assert context.state[test_state_key] == "my_state"
self.assert_authn_response(internal_resp)
def test_set_state_in_start_auth_and_use_in_redirect_endpoint(self):
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
self.openid_backend.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
self.openid_backend.redirect_endpoint(context)
def test_endpoint_routing_to_microservice(self, url_path,
expected_micro_service):
context = Context()
context.path = url_path
microservice_callable = self.router.endpoint_routing(context)
assert context.target_micro_service == expected_micro_service
assert microservice_callable == self.router.micro_services[
expected_micro_service]["instance"].callback
assert context.target_backend is None
assert context.target_frontend is None
def test_path():
context = Context()
with pytest.raises(ValueError):
context.path = None
with pytest.raises(ValueError):
context.path = "/babal"
valid_path = "Saml2/sso/redirect"
context.path = valid_path
assert context.path == valid_path
def test_routing(path, provider, receiver, _):
context = Context()
context.path = path
context.state = state
router.endpoint_routing(context)
backend = router.backend_routing(context)
assert backend == backends[provider]
frontend = router.frontend_routing(context)
assert frontend == frontends[receiver]
assert context.target_frontend == receiver
def test_consent_full_flow(self, internal_response, internal_request,
consent_verify_endpoint_regex,
consent_registration_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
expected_ticket = "my_ticket"
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
with responses.RequestsMock() as rsps:
rsps.add(responses.GET, consent_verify_endpoint_regex, status=401)
rsps.add(responses.GET,
consent_registration_endpoint_regex,
status=200,
body=expected_ticket)
resp = consent_module.manage_consent(context, internal_response)
self.assert_redirect(resp, expected_ticket)
self.assert_registstration_req(rsps.calls[1].request,
consent_config.CONSENT["sign_key"])
with responses.RequestsMock() as rsps:
# Now consent has been given, consent service returns 200 OK
rsps.add(responses.GET,
consent_verify_endpoint_regex,
status=200,
body=json.dumps(FILTER))
context = Context()
context.state = state
context, internal_response = consent_module._handle_consent_response(
context)
assert internal_response.get_attributes()["displayName"] == ["Test"]
assert internal_response.get_attributes()["co"] == ["example"]
assert "sn" not in internal_response.get_attributes(
) # 'sn' should be filtered
def setup_authentication_response(self, state=None):
context = Context()
context.path = 'openid/authz_cb'
op_base = TestConfiguration.get_instance().rp_config.OP_URL
if not state:
state = rndstr()
context.request = {
'code': 'F+R4uWbN46U+Bq9moQPC4lEvRd2De4o=',
'scope': 'openid profile email address phone',
'state': state
}
context.state = self.generate_state(op_base)
return context
def test_generate_static(self):
synthetic_attributes = {"": {"default": {"a0": "value1;value2"}}}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["*****@*****.**"],
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("value1" in resp.attributes['a0'])
assert ("value2" in resp.attributes['a0'])
assert ("*****@*****.**" in resp.attributes['a1'])
def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf):
expected_loa = "LoA1"
loa = {
"": "http://eidas.europa.eu/LoA/low",
idp_conf["entityid"]: expected_loa
}
base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
conf = {
"idp_config": idp_conf,
"endpoints": ENDPOINTS,
"base": base,
"state_id": "state_id",
"acr_mapping": loa
}
samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
samlfrontend.register_endpoints(["foo"])
idp_metadata_str = create_metadata_from_config_dict(
samlfrontend.config)
sp_conf["metadata"]["inline"].append(idp_metadata_str)
fakesp = FakeSP(None,
config=SPConfig().load(sp_conf,
metadata_construction=False))
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z",
idp_conf["entityid"])
internal_response = InternalResponse(auth_info=auth_info)
context = Context()
context.state = State()
resp_args = {
"name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
"in_response_to": None,
"destination": "",
"sp_entity_id": None,
"binding": BINDING_HTTP_REDIRECT
}
request_state = samlfrontend.save_state(context, resp_args, "")
context.state.add(conf["state_id"], request_state)
resp = samlfrontend.handle_authn_response(context, internal_response)
resp_dict = parse_qs(urlparse(resp.message).query)
resp = fakesp.parse_authn_request_response(
resp_dict['SAMLResponse'][0], BINDING_HTTP_REDIRECT)
assert len(resp.assertion.authn_statement) == 1
authn_context_class_ref = resp.assertion.authn_statement[
0].authn_context.authn_context_class_ref
assert authn_context_class_ref.text == expected_loa
def _handle_satosa_authentication_error(self, error):
"""
Sends a response to the requestor about the error
:type error: satosa.exception.SATOSAAuthenticationError
:rtype: satosa.response.Response
:param error: The exception
:return: response
"""
context = Context()
context.state = error.state
frontend = self.module_router.frontend_routing(context)
return frontend.handle_backend_error(error)
def test_authz_allow_second(self):
attribute_allow = {"": {"default": {"a0": ['foo1', 'foo2']}}}
attribute_deny = {}
authz_service = self.create_authz_service(attribute_allow,
attribute_deny)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a0": ["foo2", "kaka"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_authz_deny_fail(self):
attribute_deny = {"": {"default": {"a0": ['foo1', 'foo2']}}}
attribute_allow = {}
authz_service = self.create_authz_service(attribute_allow,
attribute_deny)
resp = InternalResponse(AuthenticationInformation(None, None, None))
resp.attributes = {
"a0": ["foo3"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_test_restore_state_with_separate_backends(self):
openid_backend_1 = OpenIdBackend(
MagicMock, INTERNAL_ATTRIBUTES,
TestConfiguration.get_instance().config)
openid_backend_2 = OpenIdBackend(
MagicMock, INTERNAL_ATTRIBUTES,
TestConfiguration.get_instance().config)
self.fake_op.setup_webfinger_endpoint()
self.fake_op.setup_opienid_config_endpoint()
self.fake_op.setup_client_registration_endpoint()
context = Context()
context.state = State()
openid_backend_1.start_auth(context, None)
context = self.setup_fake_op_endpoints(FakeOP.STATE)
openid_backend_2.redirect_endpoint(context)
def test_consent_prev_given(self, internal_response, internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
responses.add(responses.GET,
consent_verify_endpoint_regex,
status=200,
body=json.dumps(FILTER))
context = Context()
state = State()
context.state = state
consent_module.save_state(internal_request, state)
context, internal_response = consent_module.manage_consent(
context, internal_response)
assert context
assert "displayName" in internal_response.get_attributes()
def test_attribute_policy(self):
requester = "requester"
attribute_policies = {
"attribute_policy": {
"requester_everything_allowed": {},
"requester_nothing_allowed": {
"allowed": {}
},
"requester_subset_allowed": {
"allowed": {
"attr1",
"attr2",
},
},
},
}
attributes = {
"attr1": ["foo"],
"attr2": ["foo", "bar"],
"attr3": ["foo"]
}
results = {
"requester_everything_allowed": attributes.keys(),
"requester_nothing_allowed": set(),
"requester_subset_allowed": {"attr1", "attr2"},
}
for requester, result in results.items():
attribute_policy_service = self.create_attribute_policy_service(
attribute_policies)
ctx = Context()
ctx.state = dict()
resp = InternalData(auth_info=AuthenticationInformation())
resp.requester = requester
resp.attributes = {
"attr1": ["foo"],
"attr2": ["foo", "bar"],
"attr3": ["foo"]
}
filtered = attribute_policy_service.process(ctx, resp)
assert (filtered.attributes.keys() == result)
def test_authn_response(self):
context = Context()
context.path = 'facebook/sso/redirect'
context.state = State()
internal_request = InternalRequest(UserIdHashType.transient,
'http://localhost:8087/sp.xml')
get_state = Mock()
get_state.return_value = STATE
resp = self.fb_backend.start_auth(context, internal_request, get_state)
context.cookie = resp.headers[0][1]
context.request = {"code": FB_RESPONSE_CODE, "state": STATE}
# context.request = json.dumps(context.request)
self.fb_backend.auth_callback_func = self.verify_callback
tmp_consumer = self.fb_backend.get_consumer()
tmp_consumer.do_access_token_request = self.verify_do_access_token_request
self.fb_backend.get_consumer = Mock()
self.fb_backend.get_consumer.return_value = tmp_consumer
self.fb_backend.request_fb = self.verify_request_fb
self.fb_backend.authn_response(context)
def setUp(self):
context = Context()
context.state = State()
config = {
'disco_endpoints': [
'.*/disco',
],
}
plugin = DiscoToTargetIssuer(
config=config,
name='test_disco_to_target_issuer',
base_url='https://satosa.example.org',
)
plugin.next = lambda ctx, data: (ctx, data)
self.config = config
self.context = context
self.plugin = plugin
def test_generate_mustache_empty_attribute(self):
synthetic_attributes = {
"": {
"default": {
"a0": "{{kaka.first}}#{{eppn.scope}}"
}
}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"kaka": ["kaka1", "kaka2"],
"eppn": None,
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("kaka1#" in resp.attributes['a0'])
assert ("kaka1" in resp.attributes['kaka'])
assert ("kaka2" in resp.attributes['kaka'])
def test_consent_handles_connection_error(self, internal_response,
internal_request,
consent_verify_endpoint_regex):
consent_config = SATOSAConfig(self.satosa_config)
consent_module = ConsentModule(consent_config, identity_callback)
state = State()
context = Context()
context.state = state
consent_module.save_state(internal_request, state)
with responses.RequestsMock(
assert_all_requests_are_fired=True) as rsps:
rsps.add(responses.GET,
consent_verify_endpoint_regex,
body=requests.ConnectionError("No connection"))
context, internal_response = consent_module.manage_consent(
context, internal_response)
assert context
assert not internal_response.get_attributes()
