diff options
author | Vishal Kadam <vishal.kadam@cengage.com> | 2021-03-26 17:56:20 -0400 |
---|---|---|
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2021-11-15 14:07:20 +0200 |
commit | 058cc801b7867c3e42588a9d57d81f9350b01238 (patch) | |
tree | 3b2059bfe7d44255dd8eefd6d9b2c562214aea41 /tests | |
parent | 5caf6da27bd81b0e191254a329c4dd3c67458f8e (diff) | |
download | pysaml2-058cc801b7867c3e42588a9d57d81f9350b01238.tar.gz |
633: Support for redirect binding signature check using query param values
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_51_client.py | 92 |
1 files changed, 90 insertions, 2 deletions
diff --git a/tests/test_51_client.py b/tests/test_51_client.py index 0fbf63f8..7e46ccaa 100644 --- a/tests/test_51_client.py +++ b/tests/test_51_client.py @@ -11,7 +11,7 @@ from pytest import raises from saml2.argtree import add_path from saml2.cert import OpenSSLWrapper from saml2.xmldsig import sig_default -from saml2.xmldsig import SIG_RSA_SHA256 +from saml2.xmldsig import SIG_RSA_SHA256, SIG_RSA_SHA1 from saml2 import BINDING_HTTP_POST from saml2 import BINDING_HTTP_REDIRECT from saml2 import config @@ -29,7 +29,8 @@ from saml2.extension.requested_attributes import RequestedAttribute from saml2.authn_context import INTERNETPROTOCOLPASSWORD from saml2.client import Saml2Client from saml2.pack import parse_soap_enveloped_saml -from saml2.response import LogoutResponse, StatusInvalidNameidPolicy, StatusError +from saml2.response import LogoutResponse, StatusInvalidNameidPolicy, StatusError, \ + IncorrectlySigned from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice from saml2.saml import NAMEID_FORMAT_TRANSIENT from saml2.saml import NameID @@ -172,6 +173,9 @@ class TestClient: conf.load_file("server_conf") self.client = Saml2Client(conf) + def setup_method(self): + self.server.config.setattr("idp", "want_authn_requests_signed", None) + def teardown_class(self): self.server.close() @@ -1524,6 +1528,90 @@ class TestClient: qs["SAMLRequest"][0], BINDING_HTTP_REDIRECT ) + def test_signed_redirect_passes_if_needs_signed_requests(self): + # Revert configuration change to disallow unsinged responses + self.client.want_response_signed = True + self.server.config.setattr("idp", "want_authn_requests_signed", True) + + reqid, req = self.client.create_authn_request( + "http://localhost:8088/sso", message_id="id1" + ) + + info = self.client.apply_binding( + BINDING_HTTP_REDIRECT, + str(req), + destination="", + relay_state="relay2", + sign=True, + sigalg=SIG_RSA_SHA256, + ) + loc = info["headers"][0][1] + qs = list_values2simpletons(parse.parse_qs(loc[1:])) + + res = self.server.parse_authn_request( + qs["SAMLRequest"], + BINDING_HTTP_REDIRECT, + relay_state=qs["RelayState"], + sigalg=qs["SigAlg"], + signature=qs["Signature"] + ) + assert res.message.destination == "http://localhost:8088/sso" + assert res.message.id == "id1" + + def test_signed_redirect_fail_if_needs_signed_request_but_received_unsigned(self): + # Revert configuration change to disallow unsinged responses + self.client.want_response_signed = True + self.server.config.setattr("idp", "want_authn_requests_signed", True) + + reqid, req = self.client.create_authn_request( + "http://localhost:8088/sso", message_id="id1" + ) + + info = self.client.apply_binding( + BINDING_HTTP_REDIRECT, + str(req), + destination="", + relay_state="relay2", + sign=True, + sigalg=SIG_RSA_SHA256, + ) + loc = info["headers"][0][1] + qs = list_values2simpletons(parse.parse_qs(loc[1:])) + + with raises(IncorrectlySigned): + self.server.parse_authn_request( + qs["SAMLRequest"], BINDING_HTTP_REDIRECT + ) + + def test_signed_redirect_fail_if_needs_signed_request_but_sigalg_not_matches(self): + # Revert configuration change to disallow unsinged responses + self.client.want_response_signed = True + self.server.config.setattr("idp", "want_authn_requests_signed", True) + + reqid, req = self.client.create_authn_request( + "http://localhost:8088/sso", message_id="id1" + ) + + info = self.client.apply_binding( + BINDING_HTTP_REDIRECT, + str(req), + destination="", + relay_state="relay2", + sign=True, + sigalg=SIG_RSA_SHA256, + ) + loc = info["headers"][0][1] + qs = list_values2simpletons(parse.parse_qs(loc[1:])) + + with raises(IncorrectlySigned): + self.server.parse_authn_request( + qs["SAMLRequest"], + BINDING_HTTP_REDIRECT, + relay_state=qs["RelayState"], + sigalg=SIG_RSA_SHA1, + signature=qs["Signature"] + ) + def test_do_logout_signed_redirect(self): conf = config.SPConfig() conf.load_file("sp_slo_redirect_conf") |