author | Roland Hedberg <roland.hedberg@adm.umu.se> | 2012-01-28 11:21:00 +0100 |
---|---|---|
committer | Roland Hedberg <roland.hedberg@adm.umu.se> | 2012-01-28 11:21:00 +0100 |
commit | 677b504654b6a6d37077df51db042c36591a2d08 (patch) | |
tree | 421bab2ff25e857b34cef2eb496d27e3684affc3 | |
parent | 7bc8c8e8faa2b143c4c9664a6a73d242b083e1a3 (diff) | |
download | pysaml2-677b504654b6a6d37077df51db042c36591a2d08.tar.gz |
Added support for restriction to only use keys imported through metadata (= trusted channel)
-rw-r--r-- | tests/server2_conf.py | 2 | ||||
-rw-r--r-- | tests/test_30_metadata.py | 2 | ||||
-rw-r--r-- | tests/test_31_config.py | 7 | ||||
-rw-r--r-- | tests/test_41_response.py | 18 | ||||
-rw-r--r-- | tests/test_51_client.py | 29 |
5 files changed, 38 insertions, 20 deletions
diff --git a/tests/server2_conf.py b/tests/server2_conf.py
index 802cc360..c1b4979d 100644
--- a/tests/server2_conf.py
+++ b/tests/server2_conf.py
@@ -16,7 +16,7 @@ CONFIG = {
 "debug" : 1,
 "key_file" : "test.key",
 "cert_file" : "test.pem",
- #"xmlsec_binary" : "/usr/local/bin/xmlsec1",
+ "xmlsec_binary" : "/opt/local/bin/xmlsec1",
 "metadata": {
 "local": ["idp_soap.xml", "vo_metadata.xml"],
 },
diff --git a/tests/test_30_metadata.py b/tests/test_30_metadata.py
index bc6010ec..718529f0 100644
--- a/tests/test_30_metadata.py
+++ b/tests/test_30_metadata.py
@@ -211,7 +211,7 @@ def test_make_false_value():
 assert val.text == "false"
 NO_VALUE = """<?xml version='1.0' encoding='UTF-8'?>
-<ns0:AttributeValue xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" />"""
+<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" />"""
 def test_make_no_value():
 val = make_vals( None, saml.AttributeValue, part=True )
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
index 9ec5f65a..c6ff3e01 100644
--- a/tests/test_31_config.py
+++ b/tests/test_31_config.py
@@ -42,7 +42,8 @@ sp1 = {
 ]
 }
 },
- "attribute_map_dir": "attributemaps"
+ "attribute_map_dir": "attributemaps",
+ "only_use_keys_in_metadata": True,
 }
 sp2 = {
@@ -174,6 +175,8 @@ def test_1():
 {'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'http://localhost:8088/sso/'}}]
+ assert c.only_use_keys_in_metadata
+
 def test_2():
 c = SPConfig().load(sp2)
 c.context = "sp"
@@ -188,7 +191,7 @@ def test_2():
 assert len(c.idp) == 1
 assert c.idp.keys() == [""]
 assert c.idp.values() == ["https://example.com/saml2/idp/SSOService.php"]
-
+ assert c.only_use_keys_in_metadata is None
 def test_minimum():
 minimum = {
diff --git a/tests/test_41_response.py b/tests/test_41_response.py
index 4859137c..6f9db6eb 100644
--- a/tests/test_41_response.py
+++ b/tests/test_41_response.py
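Review bot: The new `"xmlsec_binary" : "/opt/local/bin/xmlsec1",` line in tests/server2_conf.py pins the fixture to one machine's install layout, so signature-related tests will fail noisily on any host where xmlsec1 lives elsewhere; the replaced line was commented out, which left the lookup to the library. This change is also unrelated to the commit message (key restriction via metadata) and touches the path of the binary that performs signature verification, so it deserves its own commit or at least a comment. `get_xmlsec_binary` from `saml2.sigver` is already imported by tests/test_41_response.py on this page and looks like the intended way to resolve the path; using it here, or reading the path from an environment variable, would keep the fixture portable. The enclosing `CONFIG` dict starts and ends outside the hunk.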
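Review bot: `assert c.only_use_keys_in_metadata is None` in `test_2` of tests/test_31_config.py pins the unset option to the literal `None` rather than to "restriction off"; if `SPConfig` ever normalizes the flag to a bool the test breaks with no behavior change, so `assert not c.only_use_keys_in_metadata` states the intent more robustly. The assertion also documents that a config which never mentions the option stays in the permissive mode, which is the security-relevant default here; a comment such as `# unset: keys from any source are still accepted (pre-existing default)` would make that fail-open default read as deliberate rather than as an oversight. `test_2` starts outside the hunk.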
@@ -1,15 +1,19 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-from saml2 import saml, config
+from saml2 import saml
+from saml2 import config
 from saml2.server import Server
 from saml2.response import response_factory
 from saml2.response import StatusResponse
 from saml2.response import AuthnResponse
-from saml2.sigver import security_context
 from saml2.sigver import SecurityContext
+from saml2.sigver import security_context
 from saml2.sigver import get_xmlsec_binary
+from saml2.sigver import MissingKey
+
+from pytest import raises
 XML_RESPONSE_FILE = "saml_signed.xml"
 XML_RESPONSE_FILE2 = "saml2_response.xml"
@@ -101,3 +105,13 @@ class TestResponse:
 assert len(attr_stat.attribute) == 4
 assert len(attr_stat.encrypted_attribute) == 4
+
+
+ def test_only_use_keys_in_metadata(self):
+ conf = config.SPConfig()
+ conf.load_file("sp_2_conf")
+
+ sc = security_context(conf)
+ # should fail
+ raises(MissingKey,
+ 'sc.correctly_signed_response("%s" % self._sign_resp_)')
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
index 013924bc..08fdd2f0 100644
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@@ -68,19 +68,6 @@ class TestClient:
 nameid_format=saml.NAMEID_FORMAT_PERSISTENT)
 reqstr = "%s" % req.to_string()
- expected_req = REQ1["1.2.16"] % req.issue_instant
-
-# xmlsec_vers = xmlsec_version(self.client.config.xmlsec_binary)
-# print "XMLSEC version: %s" % xmlsec_vers
-# print reqstr
-# try:
-# expected_req = REQ1[xmlsec_vers] % req.issue_instant
-# except KeyError:
-# expected_req = REQ1["1.2.14"] % req.issue_instant
-
- print expected_req
- assert reqstr == expected_req
- #assert reqstr == REQ1[xmlsec_vers] % req.issue_instant
 assert req.destination == "https://idp.example.com/idp/"
 assert req.id == "id1"
 assert req.version == "2.0"
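Review bot: `test_only_use_keys_in_metadata` in tests/test_41_response.py shows that `correctly_signed_response` raises `MissingKey`, but nothing in the test ties that failure to the new restriction: the config comes from `sp_2_conf`, whose contents are not part of this change, and the same exception would presumably also fire if the metadata simply supplied no keys. Asserting the precondition first, `assert conf.only_use_keys_in_metadata`, and verifying the same response once more with the restriction off as a positive control would show that the rejection is caused by the feature rather than by a broken fixture. The string form `raises(MissingKey, '...')` hands source text to pytest for evaluation in the calling frame; the block form `with raises(MissingKey): sc.correctly_signed_response("%s" % self._sign_resp_)` is clearer and easier to keep correct. The `# should fail` comment would carry more information as `# signed with a key that is not published in the SP's metadata, so the restricted context must reject it` (assuming that is how sp_2_conf is set up). `TestResponse` and the `self._sign_resp_` fixture are defined outside the hunk.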
@@ -90,7 +77,21 @@ class TestClient:
 assert name_id.text == "E8042FB4-4D5B-48C3-8E14-8EDD852790DD"
 issuer = req.issuer
 assert issuer.text == "urn:mace:example.com:saml:roland:sp"
-
+
+ attrq = samlp.attribute_query_from_string(reqstr)
+
+ print attrq.keyswv()
+ assert _leq(attrq.keyswv(), ['destination', 'subject', 'issue_instant', 'version', 'id', 'issuer'])
+ assert attrq.destination == req.destination
+ assert attrq.id == req.id
+ assert attrq.version == req.version
+ assert attrq.issuer.text == issuer.text
+ assert attrq.issue_instant == req.issue_instant
+ assert attrq.subject.name_id.format == name_id.format
+ assert attrq.subject.name_id.text == name_id.text
+
 def test_create_attribute_query2(self):
 req = self.client.create_attribute_query("id1", "E8042FB4-4D5B-48C3-8E14-8EDD852790DD", |
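Review bot: `print attrq.keyswv()` in the new block of tests/test_51_client.py is a leftover debug print and should be dropped. The round-trip assertions that follow check parse/serialize symmetry field by field, which is useful, but they do not replace the golden-string comparison `assert reqstr == expected_req` removed in the preceding hunk of this file: the emitted XML itself (namespace prefixes, element order) is now unchecked, and the test_30_metadata hunk on this page shows exactly that output is currently changing. The removed commented-out code suggests the golden string was abandoned because it varied with the xmlsec version; if so, a comment such as `# compare the parsed request instead of a fixed serialization, which differed across xmlsec versions` next to `attrq = ...` would record why. `_leq`, `samlp` and the start of `test_create_attribute_query` lie outside the hunk.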