2019-06-07 21:43:23 +02:00
|
|
|
# django-mellon - SAML2 authentication for Django
|
|
|
|
# Copyright (C) 2014-2019 Entr'ouvert
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU Affero General Public License as
|
|
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
|
|
# License, or (at your option) any later version.
|
|
|
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU Affero General Public License for more details.
|
|
|
|
|
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
2019-06-14 15:13:54 +02:00
|
|
|
|
2016-02-26 13:30:24 +01:00
|
|
|
import datetime
|
2019-06-14 15:13:54 +02:00
|
|
|
from unittest import mock
|
2016-02-26 13:30:24 +01:00
|
|
|
|
|
|
|
import lasso
|
|
|
|
from xml_utils import assert_xml_constraints
|
|
|
|
|
2021-09-14 21:34:50 +02:00
|
|
|
from mellon.models import Issuer
|
|
|
|
from mellon.models_utils import get_issuer
|
2022-10-03 16:06:03 +02:00
|
|
|
from mellon.utils import create_metadata, flatten_datetime, iso8601_to_datetime, make_session_dump
|
2019-06-14 15:13:54 +02:00
|
|
|
from mellon.views import check_next_url
|
2016-02-26 13:30:24 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_create_metadata(rf, private_settings, caplog):
|
|
|
|
ns = {
|
|
|
|
'sm': 'urn:oasis:names:tc:SAML:2.0:metadata',
|
|
|
|
'ds': 'http://www.w3.org/2000/09/xmldsig#',
|
2016-03-04 11:05:01 +01:00
|
|
|
'idpdisc': 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol',
|
2016-02-26 13:30:24 +01:00
|
|
|
}
|
|
|
|
private_settings.MELLON_PUBLIC_KEYS = ['xxx', '/yyy']
|
|
|
|
private_settings.MELLON_NAME_ID_FORMATS = [lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED]
|
|
|
|
private_settings.MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING = 'artifact'
|
|
|
|
request = rf.get('/')
|
2019-10-01 00:20:13 +02:00
|
|
|
with mock.patch('mellon.utils.open', mock.mock_open(read_data='BEGIN\nyyy\nEND'), create=True):
|
|
|
|
metadata = create_metadata(request)
|
|
|
|
assert_xml_constraints(
|
|
|
|
metadata.encode('utf-8'),
|
|
|
|
(
|
|
|
|
'/sm:EntityDescriptor[@entityID="http://testserver/metadata/"]',
|
|
|
|
1,
|
|
|
|
('/*', 1),
|
|
|
|
(
|
|
|
|
'/sm:SPSSODescriptor',
|
|
|
|
1,
|
2020-04-24 13:01:17 +02:00
|
|
|
('/*', 7),
|
2019-10-01 00:20:13 +02:00
|
|
|
('/sm:NameIDFormat', 1),
|
2020-04-24 13:01:17 +02:00
|
|
|
('/sm:SingleLogoutService', 2),
|
2019-10-01 00:20:13 +02:00
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@isDefault=\'true\'][@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@isDefault=\'true\'][@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
0,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:KeyDescriptor/ds:KeyInfo/ds:X509Data',
|
|
|
|
2,
|
|
|
|
('/ds:X509Certificate', 2),
|
|
|
|
('/ds:X509Certificate[text()=\'xxx\']', 1),
|
|
|
|
('/ds:X509Certificate[text()=\'yyy\']', 1),
|
2021-03-02 14:50:18 +01:00
|
|
|
),
|
|
|
|
),
|
|
|
|
),
|
2019-10-01 00:20:13 +02:00
|
|
|
namespaces=ns,
|
|
|
|
)
|
|
|
|
|
|
|
|
private_settings.MELLON_METADATA_PUBLISH_DISCOVERY_RESPONSE = True
|
2018-03-25 09:57:01 +02:00
|
|
|
with mock.patch('mellon.utils.open', mock.mock_open(read_data='BEGIN\nyyy\nEND'), create=True):
|
2016-02-26 13:30:24 +01:00
|
|
|
metadata = create_metadata(request)
|
|
|
|
assert_xml_constraints(
|
|
|
|
metadata.encode('utf-8'),
|
|
|
|
(
|
|
|
|
'/sm:EntityDescriptor[@entityID="http://testserver/metadata/"]',
|
|
|
|
1,
|
|
|
|
('/*', 1),
|
|
|
|
(
|
|
|
|
'/sm:SPSSODescriptor',
|
|
|
|
1,
|
2020-04-24 13:01:17 +02:00
|
|
|
('/*', 8),
|
2016-03-04 11:05:01 +01:00
|
|
|
('/sm:Extensions', 1, ('/idpdisc:DiscoveryResponse', 1)),
|
2016-02-26 13:30:24 +01:00
|
|
|
('/sm:NameIDFormat', 1),
|
2020-04-24 13:01:17 +02:00
|
|
|
('/sm:SingleLogoutService', 2),
|
2016-02-26 13:30:24 +01:00
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@isDefault=\'true\'][@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@isDefault=\'true\'][@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
0,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:KeyDescriptor/ds:KeyInfo/ds:X509Data',
|
|
|
|
2,
|
|
|
|
('/ds:X509Certificate', 2),
|
|
|
|
('/ds:X509Certificate[text()=\'xxx\']', 1),
|
|
|
|
('/ds:X509Certificate[text()=\'yyy\']', 1),
|
2021-03-02 14:50:18 +01:00
|
|
|
),
|
|
|
|
),
|
|
|
|
),
|
2016-02-26 13:30:24 +01:00
|
|
|
namespaces=ns,
|
|
|
|
)
|
|
|
|
|
2021-08-05 13:34:59 +02:00
|
|
|
private_settings.MELLON_ASSERTION_CONSUMER_BINDINGS = ['post']
|
|
|
|
with mock.patch('mellon.utils.open', mock.mock_open(read_data='BEGIN\nyyy\nEND'), create=True):
|
|
|
|
metadata = create_metadata(request)
|
|
|
|
assert 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
|
|
|
assert_xml_constraints(
|
|
|
|
metadata.encode('utf-8'),
|
|
|
|
(
|
|
|
|
'/sm:EntityDescriptor/sm:SPSSODescriptor',
|
|
|
|
1,
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\']',
|
|
|
|
0,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
),
|
|
|
|
namespaces=ns,
|
|
|
|
)
|
|
|
|
|
|
|
|
private_settings.MELLON_ASSERTION_CONSUMER_BINDINGS = ['artifact']
|
|
|
|
with mock.patch('mellon.utils.open', mock.mock_open(read_data='BEGIN\nyyy\nEND'), create=True):
|
|
|
|
metadata = create_metadata(request)
|
|
|
|
assert 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
|
|
|
assert_xml_constraints(
|
|
|
|
metadata.encode('utf-8'),
|
|
|
|
(
|
|
|
|
'/sm:EntityDescriptor/sm:SPSSODescriptor',
|
|
|
|
1,
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\']',
|
|
|
|
1,
|
|
|
|
),
|
|
|
|
(
|
|
|
|
'/sm:AssertionConsumerService[@Binding=\'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\']',
|
|
|
|
0,
|
|
|
|
),
|
|
|
|
),
|
|
|
|
namespaces=ns,
|
|
|
|
)
|
|
|
|
|
2016-02-26 13:30:24 +01:00
|
|
|
|
|
|
|
def test_iso8601_to_datetime(private_settings):
|
|
|
|
import django.utils.timezone
|
|
|
|
import pytz
|
|
|
|
|
|
|
|
private_settings.TIME_ZONE = 'UTC'
|
2016-02-26 15:57:45 +01:00
|
|
|
if hasattr(django.utils.timezone.get_default_timezone, 'cache_clear'):
|
|
|
|
django.utils.timezone.get_default_timezone.cache_clear()
|
2016-02-26 13:30:24 +01:00
|
|
|
django.utils.timezone._localtime = None
|
2016-02-26 15:57:45 +01:00
|
|
|
private_settings.USE_TZ = False
|
2016-02-26 13:30:24 +01:00
|
|
|
# UTC ISO8601 -> naive datetime UTC
|
|
|
|
assert iso8601_to_datetime('2010-10-01T10:10:34Z') == datetime.datetime(2010, 10, 1, 10, 10, 34)
|
|
|
|
# NAIVE ISO8601 -> naive datetime UTC
|
|
|
|
assert iso8601_to_datetime('2010-10-01T10:10:34') == datetime.datetime(2010, 10, 1, 10, 10, 34)
|
|
|
|
private_settings.USE_TZ = True
|
|
|
|
# UTC+1h ISO8601 -> Aware datetime UTC
|
|
|
|
assert iso8601_to_datetime('2010-10-01T10:10:34+01:00') == datetime.datetime(
|
2018-03-27 09:05:15 +02:00
|
|
|
2010, 10, 1, 9, 10, 34, tzinfo=pytz.utc
|
|
|
|
)
|
2016-02-26 13:30:24 +01:00
|
|
|
# Naive ISO8601 -> Aware datetime UTC
|
|
|
|
assert iso8601_to_datetime('2010-10-01T10:10:34') == datetime.datetime(
|
2018-03-27 09:05:15 +02:00
|
|
|
2010, 10, 1, 10, 10, 34, tzinfo=pytz.utc
|
|
|
|
)
|
2016-02-26 13:30:24 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_flatten_datetime():
|
|
|
|
d = {
|
|
|
|
'x': datetime.datetime(2010, 10, 10, 10, 10, 34),
|
|
|
|
'y': 1,
|
2019-06-14 15:13:54 +02:00
|
|
|
'z': 'u',
|
2016-02-26 13:30:24 +01:00
|
|
|
}
|
|
|
|
assert set(flatten_datetime(d).keys()) == {'x', 'y', 'z'}
|
|
|
|
assert flatten_datetime(d)['x'] == '2010-10-10T10:10:34'
|
|
|
|
assert flatten_datetime(d)['y'] == 1
|
2019-06-14 15:13:54 +02:00
|
|
|
assert flatten_datetime(d)['z'] == 'u'
|
|
|
|
|
|
|
|
|
|
|
|
def test_check_next_url(rf):
|
|
|
|
assert not check_next_url(rf.get('/'), '')
|
|
|
|
assert not check_next_url(rf.get('/'), None)
|
|
|
|
assert not check_next_url(rf.get('/'), '\x00')
|
|
|
|
assert not check_next_url(rf.get('/'), '\u010e')
|
|
|
|
assert not check_next_url(rf.get('/'), 'https://example.invalid/')
|
|
|
|
# default hostname is testserver
|
|
|
|
assert check_next_url(rf.get('/'), 'http://testserver/ok/')
|
2021-09-14 21:34:50 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_get_issuer_entity_id_migration(db, settings, metadata):
|
|
|
|
entity_id1 = 'http://idp5/metadata'
|
|
|
|
entity_id2 = 'http://idp6/metadata'
|
|
|
|
settings.MELLON_IDENTITY_PROVIDERS = [
|
|
|
|
{
|
|
|
|
'METADATA': metadata,
|
|
|
|
},
|
|
|
|
]
|
|
|
|
issuer1 = get_issuer(entity_id1)
|
|
|
|
assert issuer1.entity_id == entity_id1
|
|
|
|
assert issuer1.slug is None
|
|
|
|
|
|
|
|
settings.MELLON_IDENTITY_PROVIDERS = [
|
|
|
|
{
|
|
|
|
'METADATA': metadata,
|
|
|
|
'SLUG': 'idp',
|
|
|
|
},
|
|
|
|
]
|
|
|
|
issuer2 = get_issuer(entity_id1)
|
|
|
|
assert issuer2.id == issuer1.id
|
|
|
|
assert issuer2.entity_id == entity_id1
|
|
|
|
assert issuer2.slug == 'idp'
|
|
|
|
|
|
|
|
settings.MELLON_IDENTITY_PROVIDERS = [
|
|
|
|
{
|
|
|
|
'METADATA': metadata.replace(entity_id1, entity_id2),
|
|
|
|
'SLUG': 'idp',
|
|
|
|
},
|
|
|
|
]
|
|
|
|
issuer3 = get_issuer(entity_id2)
|
|
|
|
assert issuer3.id == issuer1.id
|
|
|
|
assert issuer3.entity_id == entity_id2
|
|
|
|
assert issuer3.slug == 'idp'
|
2022-10-03 16:06:03 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_make_session_dump(db, django_user_model):
|
|
|
|
from mellon.models import SessionIndex, UserSAMLIdentifier
|
|
|
|
|
|
|
|
user = django_user_model.objects.create(username='user')
|
|
|
|
issuer = Issuer.objects.create(entity_id='https://idp.example.com/metadata', slug='idp')
|
|
|
|
saml_identifier = UserSAMLIdentifier.objects.create(
|
|
|
|
user=user, name_id='1234', issuer=issuer, nid_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
|
|
|
|
)
|
|
|
|
|
|
|
|
for i in range(2):
|
|
|
|
SessionIndex.objects.create(session_index=str(i), saml_identifier=saml_identifier, session_key='abcd')
|
|
|
|
|
|
|
|
assert (
|
|
|
|
make_session_dump(saml_identifier.sessionindex_set.all())
|
|
|
|
== '''\
|
|
|
|
<ns0:Session xmlns:ns0="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Version="2">
|
|
|
|
<ns0:NidAndSessionIndex AssertionID="" ProviderID="https://idp.example.com/metadata" SessionIndex="0">
|
|
|
|
<ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">1234</ns1:NameID>
|
|
|
|
</ns0:NidAndSessionIndex>
|
|
|
|
<ns0:NidAndSessionIndex AssertionID="" ProviderID="https://idp.example.com/metadata" SessionIndex="1">
|
|
|
|
<ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">1234</ns1:NameID>
|
|
|
|
</ns0:NidAndSessionIndex>
|
|
|
|
</ns0:Session>
|
|
|
|
'''
|
|
|
|
)
|