tests: add check for idp initiated logout
This commit is contained in:
parent
342e82e5f0
commit
66711f97c8
|
@ -12,7 +12,9 @@ except ImportError:
|
|||
import pytest
|
||||
|
||||
from quixote import cleanup
|
||||
from quixote import get_session, get_session_manager
|
||||
from wcs.qommon.http_request import HTTPRequest
|
||||
from wcs.qommon.misc import get_lasso_server
|
||||
from wcs.qommon.saml2 import Saml2Directory
|
||||
from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
|
||||
from wcs.qommon import sessions, x509utils
|
||||
|
@ -178,8 +180,8 @@ def get_assertion_consumer_request(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FO
|
|||
'PATH_INFO': '/saml/assertionConsumerPost',
|
||||
})
|
||||
pub._set_request(req)
|
||||
sessions.Session.wipe()
|
||||
req.session = sessions.Session(id=1)
|
||||
pub.session_class.wipe()
|
||||
req.session = pub.session_class(id=1)
|
||||
assert req.session.user is None
|
||||
req.form['SAMLResponse'] = get_authn_response_msg(pub, ni_format=ni_format)
|
||||
return req
|
||||
|
@ -257,7 +259,7 @@ def test_assertion_consumer_existing_federation(pub, caplog):
|
|||
'PATH_INFO': '/saml/assertionConsumerPost',
|
||||
})
|
||||
pub._set_request(req)
|
||||
req.session = sessions.Session(id=2) # another session
|
||||
req.session = pub.session_class(id=2) # another session
|
||||
req.session.message = ('error', 'blah')
|
||||
req.form['SAMLResponse'] = saml_response_body
|
||||
assert req.session.user is None
|
||||
|
@ -369,3 +371,55 @@ def test_saml_logout(pub):
|
|||
body = saml2.slo_sp()
|
||||
assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo?SAMLRequest=')
|
||||
assert req.session.user is None
|
||||
|
||||
def test_saml_idp_logout(pub):
|
||||
req = get_assertion_consumer_request(pub)
|
||||
saml2 = Saml2Directory()
|
||||
saml2.assertionConsumerPost()
|
||||
assert req.session.user is not None
|
||||
get_session_manager().maintain_session(req.session)
|
||||
|
||||
# get id from existing assertion
|
||||
server = get_lasso_server()
|
||||
login = lasso.Login(server)
|
||||
login.setSessionFromDump(req.session.lasso_session_dump)
|
||||
assertion_id = login.session.assertions['http://sso.example.net/saml2/metadata'].id
|
||||
name_id = req.session.name_identifier
|
||||
|
||||
# and recreate an idp session
|
||||
idp_metadata_filepath = os.path.join(pub.app_dir,
|
||||
'idp-http-sso.example.net-saml2-metadata-metadata.xml')
|
||||
idp_key_filepath = os.path.join(pub.app_dir,
|
||||
'idp-http-sso.example.net-saml2-metadata-privatekey.pem')
|
||||
idp = lasso.Server(idp_metadata_filepath, idp_key_filepath, None, None)
|
||||
idp.addProvider(lasso.PROVIDER_ROLE_SP,
|
||||
os.path.join(pub.app_dir, 'saml2-metadata.xml'),
|
||||
os.path.join(pub.app_dir, 'public-key.pem'))
|
||||
|
||||
login = lasso.Login(idp)
|
||||
login.initIdpInitiatedAuthnRequest(pub.cfg['sp']['saml2_providerid'])
|
||||
login.request.nameIDPolicy.format = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
|
||||
login.request.nameIDPolicy.allowCreate = True
|
||||
login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
|
||||
login.processAuthnRequestMsg(None)
|
||||
login.validateRequestMsg(True, True)
|
||||
login.buildAssertion(lasso.SAML2_AUTHN_CONTEXT_PASSWORD,
|
||||
datetime.datetime.now().isoformat(),
|
||||
'unused',
|
||||
(datetime.datetime.now() - datetime.timedelta(3600)).isoformat(),
|
||||
(datetime.datetime.now() + datetime.timedelta(3600)).isoformat())
|
||||
login.assertion.subject.nameID.content = name_id
|
||||
login.assertion.id = assertion_id
|
||||
login.assertion.authnStatement[0].sessionIndex = assertion_id
|
||||
login.buildAuthnResponseMsg()
|
||||
session_dump = login.session.dump()
|
||||
|
||||
logout = lasso.Logout(idp)
|
||||
logout.setSessionFromDump(session_dump)
|
||||
logout.initRequest(pub.cfg['sp']['saml2_providerid'], lasso.HTTP_METHOD_REDIRECT)
|
||||
logout.buildRequestMsg()
|
||||
|
||||
# process logout message
|
||||
saml2.slo_idp(urlparse.urlparse(logout.msgUrl).query)
|
||||
assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo_return?SAMLResponse=')
|
||||
assert req.session is None
|
||||
|
|
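Review bot: `datetime.timedelta(3600)` in the two validity arguments passed to `login.buildAssertion` is 3600 days, not 3600 seconds, because `timedelta`'s first positional parameter is `days`; the assertion's notBefore/notOnOrAfter window therefore spans roughly ten years either side, which is presumably not what was intended and would mask any validity-window check the SP performs. Both lines should read `datetime.timedelta(seconds=3600)` (or `hours=1`), and since `datetime.datetime.now()` yields a naive local timestamp while SAML conditions are compared in UTC, `datetime.datetime.utcnow()` would be the safer base if the SP ever validates them. The new test only exercises the accepted path of `saml2.slo_idp`; a companion case that sends a logout request whose session index does not match the SP session, or one not signed by the configured IdP key, and then asserts `req.session` is still set would confirm that an unverified logout request cannot terminate a user's session. The `os`, `datetime` and `urlparse` names used here are not among the imports visible in the first hunk, so they are assumed to be imported above line 12.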