File: test_37_entity_categories.py

package info (click to toggle)
python-pysaml2 7.5.0-4
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 39,604 kB
sloc: xml: 388,184; python: 66,155; makefile: 148; sh: 80
file content (402 lines) | stat: -rw-r--r-- 14,453 bytes
from contextlib import closing

import pytest

from pathutils import full_path

from saml2 import config
from saml2 import sigver
from saml2.assertion import Policy
from saml2.attribute_converter import ac_factory
from saml2.extension import mdattr
from saml2.md import RequestedAttribute
from saml2.mdie import to_dict
from saml2.mdstore import MetadataStore
from saml2.saml import NAME_FORMAT_URI
from saml2.server import Server


ATTRCONV = ac_factory(full_path("attributemaps"))
sec_config = config.Config()
sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])

__author__ = "rolandh"

MDS = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
MDS.imp([{"class": "saml2.mdstore.MetaDataMD", "metadata": [(full_path("swamid.md"),)]}])


def _eq(l1, l2):
    return set(l1) == set(l2)


def test_filter_ava():
    policy_conf = {
        "default": {
            "lifetime": {"minutes": 15},
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"],
        }
    }
    policy = Policy(policy_conf, MDS)

    ava = {"givenName": ["Derek"], "sn": ["Jeter"], "mail": ["derek@nyy.mlb.com", "dj@example.com"], "c": ["USA"]}

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth")

    assert _eq(list(ava.keys()), ["mail", "givenName", "sn", "c"])
    assert _eq(ava["mail"], ["derek@nyy.mlb.com", "dj@example.com"])


def test_filter_ava2():
    policy_conf = {
        "default": {
            "lifetime": {"minutes": 15},
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["refeds", "edugain"],
        }
    }
    policy = Policy(policy_conf, MDS)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
    }

    ava = policy.filter(ava, "https://connect.sunet.se/shibboleth")

    # Mismatch, policy deals with eduGAIN, metadata says SWAMID
    # So only minimum should come out
    assert _eq(list(ava.keys()), ["eduPersonTargetedID"])


def test_filter_ava3():
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_sfs_hei.xml"),)]}])

    policy_conf = {
        "default": {
            "lifetime": {"minutes": 15},
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"],
        }
    }
    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134",
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
    assert _eq(list(ava.keys()), ["norEduPersonNIN"])


def test_filter_ava4():
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_re_nren.xml"),)]}])

    policy_conf = {
        "default": {
            "lifetime": {"minutes": 15},
            # "attribute_restrictions": None  # means all I have
            "entity_categories": ["swamid"],
        }
    }
    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134",
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
    assert _eq(list(ava.keys()), ["givenName", "c", "mail", "sn"])


def test_filter_ava5():
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_re.xml"),)]}])

    policy = Policy(
        {
            "default": {
                "lifetime": {"minutes": 15},
                # "attribute_restrictions": None  # means all I have
                "entity_categories": ["swamid"],
            }
        },
        mds,
    )

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134",
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    assert _eq(list(ava.keys()), [])


def test_idp_policy_filter():
    with closing(Server("idp_conf_ec")) as idp:
        ava = {
            "givenName": ["Derek"],
            "sn": ["Jeter"],
            "mail": ["derek@nyy.mlb.com"],
            "c": ["USA"],
            "eduPersonTargetedID": "foo!bar!xyz",
            "norEduPersonNIN": "19800101134",
        }

        policy = idp.config.getattr("policy", "idp")
        ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")
        # because no entity category
        assert list(ava.keys()) == ["eduPersonTargetedID"]


def test_entity_category_import_from_path():
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    # The file entity_cat_rs.xml contains the SAML metadata for an SP
    # tagged with the REFEDs R&S entity category.
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_cat_rs.xml"),)]}])

    # The entity category module myentitycategory.py is in the tests
    # directory which is on the standard module search path.
    # The module uses a custom interpretation of the REFEDs R&S entity category
    # by adding eduPersonUniqueId.
    policy = Policy({"default": {"lifetime": {"minutes": 15}, "entity_categories": ["myentitycategory"]}}, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "displayName": "Derek Jeter",
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "eduPersonUniqueId": "R13ET7UD68K0HGR153KE@my.org",
        "eduPersonScopedAffiliation": "member@my.org",
        "eduPersonPrincipalName": "user01@my.org",
        "norEduPersonNIN": "19800101134",
    }

    ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp")

    # We expect c and norEduPersonNIN to be filtered out since they are not
    # part of the custom entity category.
    assert _eq(
        list(ava.keys()),
        [
            "eduPersonTargetedID",
            "eduPersonPrincipalName",
            "eduPersonUniqueId",
            "displayName",
            "givenName",
            "eduPersonScopedAffiliation",
            "mail",
            "sn",
        ],
    )


def test_filter_ava_required_attributes_with_no_friendly_name():
    entity_id = "https://no-friendly-name.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_no_friendly_name_sp.xml"),)]}])

    policy_conf = {"default": {"lifetime": {"minutes": 15}, "entity_categories": ["swamid"]}}
    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Derek"],
        "sn": ["Jeter"],
        "mail": ["derek@nyy.mlb.com"],
        "c": ["USA"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "norEduPersonNIN": "19800101134",
    }

    attribute_requirements = mds.attribute_requirement(entity_id)
    required = attribute_requirements.get("required", [])
    optional = attribute_requirements.get("optional", [])

    # ensure the requirements define the eduPersonTargetedID
    # without the friendlyName attribute
    oid_eptid = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    requested_attribute_eptid = RequestedAttribute(name=oid_eptid, name_format=NAME_FORMAT_URI, is_required="true")
    assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]

    ava = policy.filter(ava, entity_id, required=required, optional=optional)
    assert _eq(list(ava.keys()), ["eduPersonTargetedID"])


def test_filter_ava_esi_coco():
    entity_id = "https://esi-coco.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_esi_and_coco_sp.xml"),)]}])

    policy_conf = {"default": {"lifetime": {"minutes": 15}, "entity_categories": ["swamid"]}}

    policy = Policy(policy_conf, mds)

    ava = {
        "givenName": ["Test"],
        "sn": ["Testsson"],
        "mail": ["test@example.com"],
        "c": ["SE"],
        "schacHomeOrganization": ["example.com"],
        "eduPersonScopedAffiliation": ["student@example.com"],
        "schacPersonalUniqueCode": [
            "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
        ],
    }

    requested_attributes = [
        {
            "friendly_name": "eduPersonScopedAffiliation",
            "name": "1.3.6.1.4.1.5923.1.1.1.9",
            "name_format": NAME_FORMAT_URI,
            "is_required": "true",
        },
        {
            "friendly_name": "schacHomeOrganization",
            "name": "1.3.6.1.4.1.25178.1.2.9",
            "name_format": NAME_FORMAT_URI,
            "is_required": "true",
        },
    ]

    ava = policy.filter(ava, entity_id, required=requested_attributes)

    assert _eq(list(ava.keys()), ["eduPersonScopedAffiliation", "schacHomeOrganization", "schacPersonalUniqueCode"])
    assert _eq(ava["eduPersonScopedAffiliation"], ["student@example.com"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])
    assert _eq(
        ava["schacPersonalUniqueCode"],
        ["urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"],
    )


@pytest.mark.skip("Temporarily disabled")
def test_filter_ava_refeds_anonymous_access():
    entity_id = "https://anonymous.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_anonymous_sp.xml"),)]}])

    policy_conf = {"default": {"lifetime": {"minutes": 15}, "entity_categories": ["swamid"]}}

    policy = Policy(policy_conf, mds)
    ava = {
        "displayName": ["Test Testsson"],
        "eduPersonAssurance": ["http://www.swamid.se/policy/assurance/al1"],
        "eduPersonScopedAffiliation": ["student@example.com"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "givenName": ["Test"],
        "mail": ["test@example.com"],
        "pairwise-id": ["pairwise-id@example.com"],
        "schacHomeOrganization": ["example.com"],
        "sn": ["Testsson"],
        "subject-id": ["subject-id@example.com"],
    }

    ava = policy.filter(ava, entity_id)

    assert _eq(list(ava.keys()), ["eduPersonScopedAffiliation", "schacHomeOrganization"])
    assert _eq(ava["eduPersonScopedAffiliation"], ["student@example.com"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])


@pytest.mark.skip("Temporarily disabled")
def test_filter_ava_refeds_pseudonymous_access():
    entity_id = "https://pseudonymous.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_pseudonymous_sp.xml"),)]}])

    policy_conf = {"default": {"lifetime": {"minutes": 15}, "entity_categories": ["swamid"]}}

    policy = Policy(policy_conf, mds)
    ava = {
        "displayName": ["Test Testsson"],
        "eduPersonAssurance": ["http://www.swamid.se/policy/assurance/al1"],
        "eduPersonScopedAffiliation": ["student@example.com"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "givenName": ["Test"],
        "mail": ["test@example.com"],
        "pairwise-id": ["pairwise-id@example.com"],
        "schacHomeOrganization": ["example.com"],
        "sn": ["Testsson"],
        "subject-id": ["subject-id@example.com"],
    }

    ava = policy.filter(ava, entity_id)

    assert _eq(
        list(ava.keys()), ["pairwise-id", "eduPersonScopedAffiliation", "eduPersonAssurance", "schacHomeOrganization"]
    )
    assert _eq(ava["pairwise-id"], ["pairwise-id@example.com"])
    assert _eq(ava["eduPersonScopedAffiliation"], ["student@example.com"])
    assert _eq(ava["eduPersonAssurance"], ["http://www.swamid.se/policy/assurance/al1"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])


@pytest.mark.skip("Temporarily disabled")
def test_filter_ava_refeds_personalized_access():
    entity_id = "https://personalized.example.edu/saml2/metadata/"
    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
    mds.imp([{"class": "saml2.mdstore.MetaDataFile", "metadata": [(full_path("entity_personalized_sp.xml"),)]}])

    policy_conf = {"default": {"lifetime": {"minutes": 15}, "entity_categories": ["swamid"]}}

    policy = Policy(policy_conf, mds)
    ava = {
        "displayName": ["Test Testsson"],
        "eduPersonAssurance": ["http://www.swamid.se/policy/assurance/al1"],
        "eduPersonScopedAffiliation": ["student@example.com"],
        "eduPersonTargetedID": "foo!bar!xyz",
        "givenName": ["Test"],
        "mail": ["test@example.com"],
        "pairwise-id": ["pairwise-id@example.com"],
        "schacHomeOrganization": ["example.com"],
        "sn": ["Testsson"],
        "subject-id": ["subject-id@example.com"],
    }

    ava = policy.filter(ava, entity_id)

    assert _eq(
        list(ava.keys()),
        [
            "subject-id",
            "mail",
            "displayName",
            "givenName",
            "sn",
            "eduPersonScopedAffiliation",
            "eduPersonAssurance",
            "schacHomeOrganization",
        ],
    )
    assert _eq(ava["subject-id"], ["subject-id@example.com"])
    assert _eq(ava["mail"], ["test@example.com"])
    assert _eq(ava["displayName"], ["Test Testsson"])
    assert _eq(ava["givenName"], ["Test"])
    assert _eq(ava["sn"], ["Testsson"])
    assert _eq(ava["eduPersonScopedAffiliation"], ["student@example.com"])
    assert _eq(ava["eduPersonAssurance"], ["http://www.swamid.se/policy/assurance/al1"])
    assert _eq(ava["schacHomeOrganization"], ["example.com"])