Editorial
@@ -22,6 +22,7 @@ SIMPLE_SAML_PHP_RESPONSE = "simplesamlphp_authnresponse.xml"
|
|||||||
PUB_KEY = "test.pem"
|
PUB_KEY = "test.pem"
|
||||||
PRIV_KEY = "test.key"
|
PRIV_KEY = "test.key"
|
||||||
|
|
||||||
|
|
||||||
def _eq(l1,l2):
|
def _eq(l1,l2):
|
||||||
return set(l1) == set(l2)
|
return set(l1) == set(l2)
|
||||||
|
|
||||||
@@ -77,25 +78,27 @@ def test_cert_from_instance_ssp():
|
|||||||
assert len(certs) == 1
|
assert len(certs) == 1
|
||||||
assert certs[0] == CERT_SSP
|
assert certs[0] == CERT_SSP
|
||||||
der = base64.b64decode(certs[0])
|
der = base64.b64decode(certs[0])
|
||||||
print str(decoder.decode(der)).replace('.',"\n.")
|
print str(decoder.decode(der)).replace('.', "\n.")
|
||||||
assert decoder.decode(der)
|
assert decoder.decode(der)
|
||||||
|
|
||||||
|
|
||||||
class TestSecurity():
|
class TestSecurity():
|
||||||
def setup_class(self):
|
def setup_class(self):
|
||||||
crypto = get_xmlsec_cryptobackend()
|
crypto = get_xmlsec_cryptobackend()
|
||||||
self.sec = sigver.SecurityContext(crypto, key_file=PRIV_KEY,
|
self.sec = sigver.SecurityContext(crypto, key_file=PRIV_KEY,
|
||||||
cert_file=PUB_KEY, debug=1)
|
cert_file=PUB_KEY, debug=1)
|
||||||
|
|
||||||
self._assertion = factory( saml.Assertion,
|
self._assertion = factory(
|
||||||
|
saml.Assertion,
|
||||||
version="2.0",
|
version="2.0",
|
||||||
id="11111",
|
id="11111",
|
||||||
issue_instant="2009-10-30T13:20:28Z",
|
issue_instant="2009-10-30T13:20:28Z",
|
||||||
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
|
signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1),
|
||||||
attribute_statement=do_attribute_statement({
|
attribute_statement=do_attribute_statement({
|
||||||
("","","surName"): ("Foo",""),
|
("", "", "surName"): ("Foo", ""),
|
||||||
("","","givenName") :("Bar",""),
|
("", "", "givenName"): ("Bar", ""),
|
||||||
})
|
})
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_verify_1(self):
|
def test_verify_1(self):
|
||||||
xml_response = open(SIGNED).read()
|
xml_response = open(SIGNED).read()
|
||||||
@@ -111,7 +114,7 @@ class TestSecurity():
|
|||||||
def test_non_verify_2(self):
|
def test_non_verify_2(self):
|
||||||
xml_response = open(FALSE_SIGNED).read()
|
xml_response = open(FALSE_SIGNED).read()
|
||||||
raises(sigver.SignatureError,self.sec.correctly_signed_response,
|
raises(sigver.SignatureError,self.sec.correctly_signed_response,
|
||||||
xml_response)
|
xml_response)
|
||||||
|
|
||||||
def test_sign_assertion(self):
|
def test_sign_assertion(self):
|
||||||
ass = self._assertion
|
ass = self._assertion
|
||||||
@@ -133,6 +136,65 @@ class TestSecurity():
|
|||||||
|
|
||||||
assert isinstance(item, saml.Assertion)
|
assert isinstance(item, saml.Assertion)
|
||||||
|
|
||||||
|
def test_multiple_signatures_assertion(self):
|
||||||
|
ass = self._assertion
|
||||||
|
# basic test with two of the same
|
||||||
|
to_sign = [(ass, ass.id, ''),
|
||||||
|
(ass, ass.id, '')
|
||||||
|
]
|
||||||
|
sign_ass = self.sec.multiple_signatures("%s" % ass, to_sign)
|
||||||
|
sass = saml.assertion_from_string(sign_ass)
|
||||||
|
assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant',
|
||||||
|
'version', 'signature', 'id'])
|
||||||
|
assert sass.version == "2.0"
|
||||||
|
assert sass.id == "11111"
|
||||||
|
assert time_util.str_to_time(sass.issue_instant)
|
||||||
|
|
||||||
|
print xmlsec_version(get_xmlsec_binary())
|
||||||
|
|
||||||
|
item = self.sec.check_signature(sass, class_name(sass),
|
||||||
|
sign_ass, must=True)
|
||||||
|
|
||||||
|
assert isinstance(item, saml.Assertion)
|
||||||
|
|
||||||
|
def test_multiple_signatures_response(self):
|
||||||
|
response = factory(samlp.Response,
|
||||||
|
assertion=self._assertion,
|
||||||
|
id="22222",
|
||||||
|
signature=sigver.pre_signature_part(
|
||||||
|
"22222", self.sec.my_cert))
|
||||||
|
|
||||||
|
# order is important, we can't validate if the signatures are made
|
||||||
|
# in the reverse order
|
||||||
|
to_sign = [(self._assertion, self._assertion.id, ''),
|
||||||
|
(response, response.id, '')]
|
||||||
|
|
||||||
|
s_response = self.sec.multiple_signatures("%s" % response, to_sign)
|
||||||
|
assert s_response is not None
|
||||||
|
response = response_from_string(s_response)
|
||||||
|
|
||||||
|
item = self.sec.check_signature(response, class_name(response),
|
||||||
|
s_response, must=True)
|
||||||
|
assert item == response
|
||||||
|
assert item.id == "22222"
|
||||||
|
|
||||||
|
s_assertion = item.assertion[0]
|
||||||
|
assert isinstance(s_assertion, saml.Assertion)
|
||||||
|
# make sure the assertion was modified when we supposedly signed it
|
||||||
|
assert s_assertion != self._assertion
|
||||||
|
|
||||||
|
ci = "".join(sigver.cert_from_instance(s_assertion)[0].split())
|
||||||
|
assert ci == self.sec.my_cert
|
||||||
|
|
||||||
|
res = self.sec.check_signature(s_assertion, class_name(s_assertion),
|
||||||
|
s_response, must=True)
|
||||||
|
assert res == s_assertion
|
||||||
|
assert s_assertion.id == "11111"
|
||||||
|
assert s_assertion.version == "2.0"
|
||||||
|
assert _eq(s_assertion.keyswv(), ['attribute_statement',
|
||||||
|
'issue_instant',
|
||||||
|
'version', 'signature', 'id'])
|
||||||
|
|
||||||
def test_sign_response(self):
|
def test_sign_response(self):
|
||||||
response = factory(samlp.Response,
|
response = factory(samlp.Response,
|
||||||
assertion=self._assertion,
|
assertion=self._assertion,
|
||||||
|
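Review bot: The new test_multiple_signatures_assertion and test_multiple_signatures_response only exercise the accept path of check_signature; nothing asserts that a document carrying two signatures is rejected once either of them no longer matches, so a verifier that merely found a Signature element without checking it would still pass both tests (test_non_verify_2 covers the reject path only for the single-signature case). A cheap negative case after `response = response_from_string(s_response)` would be `raises(sigver.SignatureError, self.sec.check_signature, response, class_name(response), s_response.replace("Foo", "Fox"), must=True)`, assuming `raises` forwards keyword arguments the way the pytest helper does. The comment at the top of test_multiple_signatures_response says signatures made in reverse order cannot be validated, but nothing pins that down; either a second negative test over the reversed `to_sign` list or a short note on why that ordering is out of scope would make the intent clear. The `print xmlsec_version(get_xmlsec_binary())` line in test_multiple_signatures_assertion looks like leftover debugging and should be dropped, and `assert s_assertion != self._assertion` only shows the parsed object differs from the unsigned one, not that a signature value is actually present. The enclosing TestSecurity class continues outside the hunk.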