author | Roland Hedberg <roland.hedberg@adm.umu.se> | 2015-12-11 13:02:49 +0100 |
---|---|---|
committer | Roland Hedberg <roland.hedberg@adm.umu.se> | 2015-12-11 13:02:49 +0100 |
commit | 6200f158dbad1acf9bf6982a738c58620452f813 (patch) | |
tree | 3fd0a53efa2cc70cae8b72289fa5cb7f39bdea7f /tests | |
parent | 82d3b4da6ebd19f556d2f4d377236a05bb64cd75 (diff) | |
download | pysaml2-6200f158dbad1acf9bf6982a738c58620452f813.tar.gz |
Reworked the security backend so you should now be able to use an HSM again for XML security. Support for non-XML crypto using HSMs is on the way.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_31_config.py | 39 | ||||
-rw-r--r-- | tests/test_40_sigver.py | 3 | ||||
-rw-r--r-- | tests/test_51_client.py | 11 | ||||
-rw-r--r-- | tests/test_70_redirect_signing.py | 10 |
4 files changed, 49 insertions, 14 deletions
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
index 570f321d..623c944f 100644
--- a/tests/test_31_config.py
+++ b/tests/test_31_config.py
@@ -12,6 +12,7 @@ from py.test import raises
 from saml2 import root_logger
 from pathutils import dotname, full_path
+from saml2.sigver import security_context, CryptoBackendXMLSecurity
 sp1 = {
     "entityid": "urn:mace:umu.se:saml:roland:sp",
@@ -166,6 +167,33 @@ ECP_SP = {
     #"xmlsec_binary" : "/opt/local/bin/xmlsec1",
 }
+IDP_XMLSECURITY = {
+    "entityid": "urn:mace:umu.se:saml:roland:idp",
+    "name": "Rolands IdP",
+    "service": {
+        "idp": {
+            "endpoints": {
+                "single_sign_on_service": ["http://localhost:8088/"],
+                "single_logout_service": [
+                    ("http://localhost:8088/", BINDING_HTTP_REDIRECT)],
+            },
+            "policy": {
+                "default": {
+                    "attribute_restrictions": {
+                        "givenName": None,
+                        "surName": None,
+                        "eduPersonAffiliation": ["(member|staff)"],
+                        "mail": [".*@example.com"],
+                    }
+                },
+                "urn:mace:umu.se:saml:roland:sp": None
+            },
+        }
+    },
+    "key_file": "pkcs11:///usr/lunasa/lib/libCryptoki2_64.so:1/eduID dev SAML signing key?pin=123456",
+    "crypto_backend": "XMLSecurity"
+}
+
 def _eq(l1, l2):
     return set(l1) == set(l2)
@@ -371,5 +399,14 @@ def test_assertion_consumer_service():
     assert acs[0][
         "location"] == 'https://www.zimride.com/Shibboleth.sso/SAML2/POST'
+
+def test_crypto_backend():
+    idpc = IdPConfig()
+    idpc.load(IDP_XMLSECURITY)
+
+    assert idpc.crypto_backend == 'XMLSecurity'
+    sec = security_context(idpc)
+    assert isinstance(sec.crypto, CryptoBackendXMLSecurity)
+
 if __name__ == "__main__":
-    test_2()
+    test_crypto_backend()
diff --git a/tests/test_40_sigver.py b/tests/test_40_sigver.py
index d3b65501..801454d7 100644
--- a/tests/test_40_sigver.py
+++ b/tests/test_40_sigver.py
@@ -112,6 +112,9 @@ class FakeConfig():
     tmp_key_file = None
     validate_certificate = False
+    def getattr(self, attr, default):
+        return getattr(self, attr, default)
+
 class TestSecurity():
     def setup_class(self):
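Review bot: The `key_file` entry of `IDP_XMLSECURITY` carries the HSM PIN inline (`?pin=123456`), so the credential lives in source and in anything that prints or logs the loaded config. For a test fixture that is only acceptable if it is clearly marked; I would add above the entry `# PKCS#11 URI with an inline PIN: test-only placeholder. Production configs should not embed the PIN in a file that is committed or logged.` The URI is also bound to a vendor-specific module path (`/usr/lunasa/lib/libCryptoki2_64.so`); whether `security_context()` opens that module when the config is consumed is not visible here, so the test using this fixture may need a skip guard on machines without the module.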
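Review bot: `test_crypto_backend` only asserts that the XMLSecurity backend was selected, not that the selection is driven by the `crypto_backend` key rather than being a new default, so a silent default swap to the HSM-capable backend would still pass. A negative case pins the intent: `plain = dict(IDP_XMLSECURITY); del plain["crypto_backend"]`, `idpc2 = IdPConfig(); idpc2.load(plain)`, `assert not isinstance(security_context(idpc2).crypto, CryptoBackendXMLSecurity)`. If the default backend rejects the `pkcs11:` key_file, give that copy an ordinary PEM key_file instead; how the default backend treats the URI is not visible from the hunk. Note that the `__main__` guard now runs only this test, which depends on the PKCS#11 module being present.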
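Review bot: `FakeConfig.getattr` reuses the name of the builtin it delegates to, which reads like infinite recursion at first glance; it is not, because a method's own name is not in scope inside its body, so `getattr(self, attr, default)` resolves to the builtin. A one-line docstring spares the next reader the double take: `"""Mirror Config.getattr so security_context() can read optional settings with a default."""`. That it mirrors the real `Config` API is inferred from the test_31 change in this commit, so confirm the name and signature match. `FakeConfig` begins outside the hunk.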
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
index d6db4c90..be250fac 100644
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@@ -1176,11 +1176,9 @@ class TestClient:
         msg_str = "%s" % self.client.create_authn_request(
             "http://localhost:8088/sso", message_id="id1")[1]
-        key = self.client.signkey
-
         info = self.client.apply_binding(
             BINDING_HTTP_REDIRECT, msg_str, destination="",
-            relay_state="relay2", sigalg=SIG_RSA_SHA256, key=key)
+            relay_state="relay2", sigalg=SIG_RSA_SHA256)
         loc = info["headers"][0][1]
         qs = parse_qs(loc[1:])
@@ -1188,7 +1186,7 @@ class TestClient:
                    ['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
         assert verify_redirect_signature(list_values2simpletons(qs),
-                                         sigkey=key)
+                                         self.client.sec.sec_backend)
         res = self.server.parse_authn_request(qs["SAMLRequest"][0],
                                               BINDING_HTTP_REDIRECT)
@@ -1198,7 +1196,6 @@ class TestClient:
         conf = config.SPConfig()
         conf.load_file("sp_slo_redirect_conf")
         client = Saml2Client(conf)
-        key = client.signkey
         # information about the user from an IdP
         session_info = {
@@ -1229,10 +1226,10 @@ class TestClient:
                    ['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
         assert verify_redirect_signature(list_values2simpletons(qs),
-                                         sigkey=key)
+                                         client.sec.sec_backend)
         res = self.server.parse_logout_request(qs["SAMLRequest"][0],
-                                              BINDING_HTTP_REDIRECT)
+                                               BINDING_HTTP_REDIRECT)
         print(res)
     def test_do_logout_post(self):
diff --git a/tests/test_70_redirect_signing.py b/tests/test_70_redirect_signing.py
index 58a2fdbb..a079d6cb 100644
--- a/tests/test_70_redirect_signing.py
+++ b/tests/test_70_redirect_signing.py
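Review bot: The rewritten `verify_redirect_signature(list_values2simpletons(qs), self.client.sec.sec_backend)` hands verification to the SP's own security backend with no certificate argument, so the test no longer demonstrates that an independent party (`self.server`) can check the signature against the SP's published signing certificate, which is the key-agnostic round trip the HSM rework is meant to enable. test_70 in this same commit passes a cert as a third positional argument; mirroring it here keeps the two tests consistent: `for cert in self.server.metadata.certs(self.client.config.entityid, "any", "signing"):` / `    assert verify_redirect_signature(list_values2simpletons(qs), self.client.sec.sec_backend, cert)`. How the two-argument form chooses a verification key is not visible from the hunk, so confirm it is not simply validating with the signer's own key. The same applies to the logout-request verification in the later hunk of this file; the enclosing test method begins outside the hunk.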
@@ -30,14 +30,11 @@ def test():
     destination = srvs[0]["location"]
     req_id, req = sp.create_authn_request(destination, id="id1")
-    try:
-        key = sp.sec.key
-    except AttributeError:
-        key = import_rsa_key_from_file(sp.sec.key_file)
+    signer = sp.sec.sec_backend.get_signer(SIG_RSA_SHA1)
     info = http_redirect_message(req, destination, relay_state="RS",
                                  typ="SAMLRequest", sigalg=SIG_RSA_SHA1,
-                                 key=key)
+                                 signer=signer)
     verified_ok = False
@@ -47,7 +44,8 @@ def test():
     _certs = idp.metadata.certs(sp.config.entityid, "any", "signing")
     for cert in _certs:
         if verify_redirect_signature(
-            list_values2simpletons(_dict), cert):
+            list_values2simpletons(_dict), sp.sec.sec_backend,
+            cert):
             verified_ok = True
     assert verified_ok
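Review bot: The algorithm is spelled twice on the new side, in `get_signer(SIG_RSA_SHA1)` and again as `sigalg=SIG_RSA_SHA1` in the `http_redirect_message` call, so the signer and the advertised `SigAlg` query parameter can drift apart if one is edited; bind it once with `sigalg = SIG_RSA_SHA1` / `signer = sp.sec.sec_backend.get_signer(sigalg)` and pass `sigalg=sigalg`. SHA-1 is also the only digest this test exercises while test_51 uses SIG_RSA_SHA256; since the rework is about HSM-backed signing, running both algorithms here would catch a backend that registers only one of them. `test()` begins outside the hunk.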