path: root/tests
Commit message (Author, Age, Files, Lines)
* Format code (Ivan Kanakarakis, 2019-05-29, 2 files, -54/+72)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Use `extension_elements` to extract `KeyInfo` (Alex Bublichenko, 2019-05-28, 2 files, -4/+8)
  Instead of explicitly declaring `KeyInfo` as child of `SubjectConfirmationData`, use `extension_elements` to extract `KeyInfo` element(s).
* Gracefully handle invalid HOK assertions (Alex Bublichenko, 2019-05-24, 2 files, -9/+54)
* Clean up and fix tests for python 3.* versions (Alex Bublichenko, 2019-05-24, 2 files, -35/+46)
* Parse assertions with Holder-of-Key profile (Alex Bublichenko, 2019-05-23, 4 files, -16/+162)
  Problem:
  Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having the Relying Party challenge the subscriber to prove possession of the key specified in the assertion that represents the subscriber, in addition to verifying the assertion itself signed by the Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html

  This library fails to parse SAML responses containing assertions with Holder-of-Key profile, for example:

  ```
  <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
      <ns2:KeyInfo>
        <ns2:X509Data>
          <ns2:X509Certificate>...</ns2:X509Certificate>
        </ns2:X509Data>
      </ns2:KeyInfo>
    </ns1:SubjectConfirmationData>
  </ns1:SubjectConfirmation>
  ```

  fails to be parsed with the following error:

  ```
  ERROR saml2.response:response.py:836 get subject
  Traceback (most recent call last):
    File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
      self.get_subject()
    File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
      if not self._holder_of_key_confirmed(_data):
    File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
      [samlp, saml, xenc, ds]):
    File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
      for extension_element in extension_elements:
  TypeError: 'SubjectConfirmationData' object is not iterable
  ```

  The root cause is two-fold:
  1. The type SubjectConfirmationDataType_ does not declare KeyInfo as a child element.
  2. The bug in function _holder_of_key_confirmed: it should check the KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.

  Solution:
  Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
* Merge pull request #606 from bmwiedemann/fix2025 (Ivan Kanakarakis, 2019-05-14, 7 files, -48/+60)
  Make tests pass after 2024
  * Make tests pass after 2024 (Bernhard M. Wiedemann, 2019-04-12, 7 files, -48/+60)
    Background: As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. The usual offset is +15 years, because that is how long I expect some software will be used in some places. This showed up failing tests in our package build. See https://reproducible-builds.org/ for why this matters.

    This patch made tests pass in 2037.
* Merge pull request #613 from skoranda/more_flexible_entity_category_import (Ivan Kanakarakis, 2019-05-14, 3 files, -0/+139)
  Make entity category imports more flexible
  * Added tests for new entity category import functionality (Scott Koranda, 2019-05-07, 3 files, -0/+139)
    Added tests for the new entity category import functionality that searches for entity category modules on the general import path before searching in saml2.entity_category.<module>.
* update tests with regards to AllowCreate (Fredrik Thulin, 2019-05-08, 2 files, -4/+4)
  AllowCreate is not supposed to be present for transient Name IDs.
* Merge pull request #581 from bmwiedemann/test2020 (Ivan Kanakarakis, 2019-02-02, 4 files, -4/+4)
  Allow tests to pass after 2020
  * Allow tests to pass after 2020 (Bernhard M. Wiedemann, 2019-01-07, 4 files, -4/+4)
    This helps to verify reproducible builds. See https://reproducible-builds.org/ for why this matters.
* Convert exception expectation to with-raises idiom (Ivan Kanakarakis, 2019-01-14, 2 files, -60/+33)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Reformat code for test_40_sigver (Ivan Kanakarakis, 2019-01-14, 1 file, -49/+74)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Raise XmlsecError if xmlsec1 returns an error (Ivan Kanakarakis, 2019-01-14, 1 file, -2/+2)
  When xmlsec1 fails, it returns a non-zero returncode. The returncode was checked only for values less than zero, and not greater than zero. This results in situations where xmlsec1 fails to run a command, but the execution continues as if nothing failed.

  This happens to be ok, because the result we depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the output stream is empty and the error stream will have information relevant to the failure cause.

  Now, the check expects a returncode with value zero; otherwise an XmlsecError exception is raised, to be handled by the caller up the stack.

  This could have been a major security issue, but we stood lucky. Special thanks to @pjsg for bringing this to our attention.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove validate_output parameter from _run_xmlsec (Ivan Kanakarakis, 2019-01-11, 1 file, -3/+1)
  All callers set it to false, except one, which calls the validation method itself after the call to _run_xmlsec (which means that validation is done twice).

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove configurable exception type (Ivan Kanakarakis, 2019-01-10, 1 file, -1/+2)
  The _run_xmlsec function allowed passing the kind of exception that would be raised in case of error. This parameter was ignored. As such, it is not needed and is removed completely.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove the python-future module and use six (Ivan Kanakarakis, 2018-12-06, 2 files, -18/+16)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Handle non standard response error status codes (Johan Lundberg, 2018-12-05, 1 file, -1/+32)
* Add a test that client raises the proper exception when parsing an error status response (Andrew Wason, 2018-11-28, 1 file, -1/+32)
  This test passes in v4.6.3 but is failing in v4.6.4 due to IdentityPython/pysaml2#571
* Pass sign information when calling apply_binding (Ivan Kanakarakis, 2018-11-21, 1 file, -2/+2)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add tests for client signature requirements (Scott Koranda, 2018-11-21, 1 file, -0/+155)
  Add logic to test client configuration options want_response_signed, want_assertions_signed, and want_assertions_or_response_signed.
* Remove unused code from test_65_authn_query (Ivan Kanakarakis, 2018-10-23, 1 file, -5/+0)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #550 from johanlundberg/non_ascii_ava_encryption_decryption (Ivan Kanakarakis, 2018-10-10, 3 files, -6/+2883)
  Support non-ascii attribute values for encryption and decryption
  * Duplicated tests and added non-ascii characters (Johan Lundberg, 2018-10-04, 3 files, -6/+2883)
* Fix test_mixed_attributes_1 (Martin van Es, 2018-10-03, 1 file, -1/+1)
* Use raises as a context manager (Ivan Kanakarakis, 2018-09-04, 1 file, -5/+7)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Update test cases for set_text method (Ivan Kanakarakis, 2018-09-04, 1 file, -10/+43)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add test for multiple attribute statements (Ivan Kanakarakis, 2018-08-29, 1 file, -7/+77)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix test that depended on actual datetime (Ivan Kanakarakis, 2018-08-29, 1 file, -2/+8)
  Mock the utcnow call used by the time_util module to return the same date as the IssueInstant date of the response.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #539 from cmurphy/fix-exception (Ivan Kanakarakis, 2018-08-24, 1 file, -0/+4)
  Raise ValueError for invalid attribute type
  * Raise ValueError for invalid attribute type (Colleen Murphy, 2018-08-15, 1 file, -0/+4)
    Without this patch, the AttributeValueBase set_text method checks for a valid xsi:type before setting the text value, but when it gets to the catchall case, instead of raising an exception it simply creates an unassigned ValueError instance and does nothing with it. This is clearly not intentional, and it is a problem because it means it is possible to set an invalid xsi:type for an AttributeValue.

    This patch corrects the error by raising the ValueError exception rather than letting it disappear into the ether.
* Test parsing of authentication response with no NameID (Scott Koranda, 2018-08-17, 1 file, -0/+57)
  Added a test to test the parsing of an authentication response that does not contain a <NameID> element.
* Add test for okta integration (Daniel Wang, 2018-08-04, 3 files, -0/+75)
  Okta integration requires decryption id_attr to be set to 'Id'. Add the SAML2 response generated from okta into the test directory, and test that this is successfully decrypted using a properly configured SecurityContext.
* Formatting and cleanup (Ivan Kanakarakis, 2018-08-04, 1 file, -3/+1)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Retrieve SLO endpoint by the appropriate service type (Ivan Kanakarakis, 2018-08-03, 1 file, -0/+37)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Cleanup Entity _parse_response (Ivan Kanakarakis, 2018-08-03, 1 file, -40/+4)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add tests for AES cipher (Ivan Kanakarakis, 2018-08-02, 1 file, -0/+74)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix deprecation and resource warnings. (Ivan Kanakarakis, 2018-08-02, 1 file, -13/+15)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add test coverage report (Ivan Kanakarakis, 2018-06-29, 1 file, -0/+2)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Sort test requirements (Ivan Kanakarakis, 2018-06-29, 1 file, -5/+5)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Rename test requirements file (Ivan Kanakarakis, 2018-06-29, 1 file, -0/+0)
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Added test for response relay state for HTTP-POST binding (Scott Koranda, 2018-05-25, 1 file, -0/+100)
  Added tests to check the relay state in the HTML that is returned for a response with the HTTP-POST binding. The tests check that if a relay state is input then it appears in the HTML with the correct value, and that if no relay state or an empty relay state is input then no relay state appears in the HTML.
* Clean up unclosed files causing ResourceWarnings in tests (Jon Dufresne, 2017-10-11, 5 files, -9/+21)
  * Use better subprocess functions to correctly close pipes.
  * When opening files, use a context manager to ensure the file is closed in a deterministic way.
  * Close logging handlers.
* Removed unused import (Roland Hedberg, 2017-10-11, 1 file, -1/+1)
* Ordered way to find a local name of an attribute. (Roland Hedberg, 2017-10-11, 1 file, -8/+17)
* Merge pull request #439 from jkakavas/fix_sane_defaults (Roland Hedberg, 2017-10-11, 5 files, -3/+17)
  Ensure signature checking for SAML Responses is enabled by default
  * Fix failing test (Ioannis Kakavas, 2017-09-28, 1 file, -1/+1)
  * Merge branch 'master' into fix_sane_defaults (Roland Hedberg, 2017-09-28, 3 files, -7/+7)
  * Fix whitespace (Ioannis Kakavas, 2017-08-02, 1 file, -1/+1)