authorIvan Kanakarakis <ivan.kanak@gmail.com>2020-10-25 19:54:58 +0200
committerIvan Kanakarakis <ivan.kanak@gmail.com>2020-10-30 17:24:04 +0200
commit2987a4e53c4bc9e5c6491733058fc14346c5d734 (patch)
tree2406132c8a89536fc3c0633ce4201c83e6f3c7de /tests/test_20_assertion.py
parentb315bfb772da1f40f7da2254819f5e4004aeb1d8 (diff)
Refactor Policy to check the registration authority for restrictions
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Diffstat (limited to 'tests/test_20_assertion.py')
-rw-r--r--tests/test_20_assertion.py91
1 files changed, 49 insertions, 42 deletions
diff --git a/tests/test_20_assertion.py b/tests/test_20_assertion.py
index dc501291..da7e70fd 100644
--- a/tests/test_20_assertion.py
+++ b/tests/test_20_assertion.py
@@ -218,7 +218,7 @@ def test_ava_filter_1():
"surName": "Jeter",
"mail": "derek@example.com"}
- ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp", None, None)
+ ava = r.filter(ava, "urn:mace:umu.se:saml:roland:sp")
assert _eq(list(ava.keys()), ["givenName", "surName"])
ava = {"givenName": "Derek",
@@ -247,8 +247,7 @@ def test_ava_filter_2():
ava = {"givenName": "Derek", "sn": "Jeter", "mail": "derek@example.com"}
# mail removed because it doesn't match the regular expression
- _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None, [mail],
- [gn, sn])
+ _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[mail], optional=[gn, sn])
assert _eq(sorted(list(_ava.keys())), ["givenName", 'sn'])
@@ -256,8 +255,7 @@ def test_ava_filter_2():
# it wasn't there to begin with
try:
- policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
- [gn, sn, mail])
+ policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[gn, sn, mail])
except MissingValue:
pass
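Review bot: The rewritten `policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[gn, sn, mail])` call sits inside a `try` whose `except MissingValue: pass` makes the test pass whether or not the exception is raised, so the required-attribute check is not actually enforced unless an `else` clause follows outside the hunk. Since the call was rewritten here anyway, `with pytest.raises(MissingValue): policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[gn, sn, mail])` would pin the behaviour. test_ava_filter_2 begins and ends outside the hunk.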
@@ -287,8 +285,7 @@ def test_ava_filter_dont_fail():
# mail removed because it doesn't match the regular expression
# So it should fail if the 'fail_on_ ...' flag wasn't set
- _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', None,
- [mail], [gn, sn])
+ _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[mail], optional=[gn, sn])
assert _ava
@@ -296,8 +293,7 @@ def test_ava_filter_dont_fail():
"surName": "Jeter"}
# it wasn't there to begin with
- _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp',
- None, [gn, sn, mail])
+ _ava = policy.filter(ava, 'urn:mace:umu.se:saml:roland:sp', required=[gn, sn, mail])
assert _ava
@@ -633,7 +629,7 @@ def test_filter_ava_0():
"mail": ["derek@nyy.mlb.com"]}
# No restrictions apply
- ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
+ ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
@@ -660,7 +656,7 @@ def test_filter_ava_1():
"mail": ["derek@nyy.mlb.com"]}
# No restrictions apply
- ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
+ ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(sorted(list(ava.keys())), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
@@ -685,7 +681,7 @@ def test_filter_ava_2():
"mail": ["derek@nyy.mlb.com"]}
# No restrictions apply
- ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
+ ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(list(ava.keys()), ["mail"])
assert ava["mail"] == ["derek@nyy.mlb.com"]
@@ -709,7 +705,7 @@ def test_filter_ava_3():
"mail": ["derek@nyy.mlb.com", "dj@example.com"]}
# No restrictions apply
- ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", [], [])
+ ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
assert _eq(list(ava.keys()), ["mail"])
assert ava["mail"] == ["dj@example.com"]
@@ -733,7 +729,7 @@ def test_filter_ava_4():
"mail": ["derek@nyy.mlb.com", "dj@example.com"]}
# No restrictions apply
- ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], [])
+ ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
assert _eq(sorted(list(ava.keys())), ['mail', 'givenName', 'surName'])
assert _eq(ava["mail"], ["derek@nyy.mlb.com", "dj@example.com"])
@@ -772,7 +768,7 @@ def test_req_opt():
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
- fava = policy.filter(ava, sp_entity_id, None, req, opt)
+ fava = policy.filter(ava, sp_entity_id, required=req, optional=opt)
assert fava
@@ -872,22 +868,27 @@ def test_assertion_with_noop_attribute_conv():
def test_filter_ava_5():
- mds = MetadataStore(ATTRCONV, sec_config,
- disable_ssl_certificate_validation=True)
+ mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
- policy = Policy({
+ policy_conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None, # means all I have
"entity_categories": ["swamid", "edugain"]
}
- })
-
- ava = {"givenName": ["Derek"], "surName": ["Jeter"],
- "mail": ["derek@nyy.mlb.com", "dj@example.com"]}
-
- ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", mdstore=mds, required=[], optional=[])
+ }
+ policy = Policy(restrictions=policy_conf, mds=mds)
+
+ ava = {
+ "givenName": ["Derek"],
+ "surName": ["Jeter"],
+ "mail": [
+ "derek@nyy.mlb.com",
+ "dj@example.com",
+ ],
+ }
+ ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp")
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
@@ -896,37 +897,40 @@ def test_filter_ava_5():
def test_filter_ava_registration_authority_1():
- mds = MetadataStore(ATTRCONV, sec_config,
- disable_ssl_certificate_validation=True)
+ mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
mds.imp(METADATACONF["1"])
- config.metadata = mds
- policy = Policy({
+ policy_conf = {
"default": {
"lifetime": {"minutes": 15},
"attribute_restrictions": None,
},
- "registration_authorities": {
- "http://rr.aai.switch.ch/": {
- "attribute_restrictions": {
- "givenName": None,
- "surName": None,
- }
+ "http://rr.aai.switch.ch/": {
+ "attribute_restrictions": {
+ "givenName": None,
+ "surName": None,
}
}
- }, config=config)
-
- attributes = {"givenName": ["Derek"], "surName": ["Jeter"],
- "mail": ["derek@nyy.mlb.com", "dj@example.com"]}
+ }
+ policy = Policy(restrictions=policy_conf, mds=mds)
+
+ attributes = {
+ "givenName": ["Derek"],
+ "surName": ["Jeter"],
+ "mail": [
+ "derek@nyy.mlb.com",
+ "dj@example.com",
+ ],
+ }
# SP registered with http://rr.aai.switch.ch/
- ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth", mdstore=mds, required=[], optional=[])
+ ava = policy.filter(attributes, "https://aai-idp.unibe.ch/idp/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
# SP not registered with http://rr.aai.switch.ch/
- ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth", mdstore=mds, required=[], optional=[])
+ ava = policy.filter(attributes, "https://alpha.kib.ki.se/shibboleth")
assert _eq(sorted(list(ava.keys())), ["givenName", "mail", "surName"])
assert ava["givenName"] == ["Derek"]
assert ava["surName"] == ["Jeter"]
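Review bot: The registration authority entry is now a top-level key of the restrictions dict (`"http://rr.aai.switch.ch/": {...}`) next to `"default"`, which is presumably the same level where the other tests in this file put per-SP entity IDs, so the config no longer distinguishes the two kinds of key by structure. The two assertions here cover an SP registered with the authority and one that is not, but nothing pins which entry applies when an SP has both its own entry and a matching registration authority entry, which is the case where a too-permissive or too-restrictive merge would go unnoticed. A comment on the `policy_conf` literal stating that lookup is by registration authority (as read from metadata) and the intended precedence would also help the next reader; a third case asserting that precedence would make it testable. test_filter_ava_registration_authority_1 continues outside the hunk.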
@@ -936,13 +940,16 @@ def test_filter_ava_registration_authority_1():
def test_assertion_with_zero_attributes():
ava = {}
ast = Assertion(ava)
- policy = Policy({
+
+ policy_conf = {
"default": {
"lifetime": {"minutes": 240},
"attribute_restrictions": None, # means all I have
"name_form": NAME_FORMAT_URI
},
- })
+ }
+ policy = Policy(policy_conf)
+
name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
farg = add_path(