File: test_xmlsec1_key_data.py

package info (click to toggle)
python-pysaml2 7.5.0-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 39,604 kB
  • sloc: xml: 388,184; python: 66,155; makefile: 148; sh: 80
file content (78 lines) | stat: -rw-r--r-- 3,065 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
 
from unittest.mock import Mock
from unittest.mock import patch

from pathutils import dotname
from pathutils import full_path
from pytest import raises

from saml2.config import config_factory
from saml2.response import authn_response
from saml2.sigver import SignatureError


SIGNED_RESPONSE_HMAC = full_path("xmlsec1-keydata/signed-response-with-hmac.xml")
SIGNED_ASSERTION_HMAC = full_path("xmlsec1-keydata/signed-assertion-with-hmac.xml")
SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT = full_path("xmlsec1-keydata/signed-assertion-random-embedded-cert.xml")


class TestAuthnResponse:
    @patch("saml2.response.validate_on_or_after", return_value=True)
    def test_signed_response_with_hmac_should_fail(self, mock_validate_on_or_after):
        conf = config_factory("sp", dotname("server_conf"))
        ar = authn_response(conf, return_addrs="https://example.org/acs/post")
        ar.issue_instant_ok = Mock(return_value=True)

        with open(SIGNED_RESPONSE_HMAC) as fp:
            xml_response = fp.read()

        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
        ar.timeslack = 10000

        # .loads checks the response signature
        with raises(SignatureError):
            ar.loads(xml_response, decode=False)

        assert ar.ava is None
        assert ar.name_id is None

    @patch("saml2.response.validate_on_or_after", return_value=True)
    def test_signed_assertion_with_hmac_should_fail(self, mock_validate_on_or_after):
        conf = config_factory("sp", dotname("server_conf"))
        ar = authn_response(conf, return_addrs="https://example.org/acs/post")
        ar.issue_instant_ok = Mock(return_value=True)

        with open(SIGNED_ASSERTION_HMAC) as fp:
            xml_response = fp.read()

        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
        ar.timeslack = 10000

        # .loads does not check the assertion, only the response signature
        # use .verify to verify the contents of the response
        assert ar.loads(xml_response, decode=False)
        with raises(SignatureError):
            ar.verify()

        assert ar.ava is None
        assert ar.name_id is None

    @patch("saml2.response.validate_on_or_after", return_value=True)
    def test_signed_assertion_with_random_embedded_cert_should_be_ignored(self, mock_validate_on_or_after):
        """
        if the embedded cert is not ignored then verification will fail
        """

        conf = config_factory("sp", dotname("server_conf"))
        ar = authn_response(conf, return_addrs="https://51.15.251.81.xip.io/acs/post")
        ar.issue_instant_ok = Mock(return_value=True)

        with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp:
            xml_response = fp.read()

        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
        ar.timeslack = 10000

        # .loads does not check the assertion, only the response signature
        # use .verify to verify the contents of the response
        assert ar.loads(xml_response, decode=False)
        assert ar.verify()