| 61 |
61 |
self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key)
|
| 62 |
62 |
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, sp_metadata)
|
| 63 |
63 |
|
| 64 |
|
def process_authn_request_redirect(self, url, auth_result=True, consent=True):
|
|
64 |
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None):
|
| 65 |
65 |
login = lasso.Login(self.server)
|
| 66 |
66 |
login.processAuthnRequestMsg(url.split('?', 1)[1])
|
| 67 |
67 |
# See
|
| ... | ... | |
| 86 |
86 |
"FIXME",
|
| 87 |
87 |
"FIXME",
|
| 88 |
88 |
"FIXME")
|
|
89 |
if not auth_result and msg:
|
|
90 |
login.response.status.statusMessage = msg
|
| 89 |
91 |
if login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_ART:
|
| 90 |
92 |
login.buildArtifactMsg(lasso.HTTP_METHOD_ARTIFACT_GET)
|
| 91 |
93 |
self.artifact = login.artifact
|
| ... | ... | |
| 147 |
149 |
|
| 148 |
150 |
def test_sso_request_denied(db, app, idp, caplog, sp_settings):
|
| 149 |
151 |
response = app.get(reverse('mellon_login'))
|
| 150 |
|
url, body, relay_state = idp.process_authn_request_redirect(response['Location'], auth_result=False)
|
|
152 |
url, body, relay_state = idp.process_authn_request_redirect(
|
|
153 |
response['Location'],
|
|
154 |
auth_result=False,
|
|
155 |
msg=u'User is not allowed to login')
|
| 151 |
156 |
assert not relay_state
|
| 152 |
157 |
assert url.endswith(reverse('mellon_login'))
|
| 153 |
158 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state})
|
| ... | ... | |
| 159 |
164 |
u'urn:oasis:names:tc:SAML:2.0:status:RequestDenied']" in caplog.text
|
| 160 |
165 |
|
| 161 |
166 |
|
|
167 |
def test_sso_request_denied_artifact(db, app, caplog, sp_settings, idp_metadata, idp_private_key, rf):
|
|
168 |
sp_settings.MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING = 'artifact'
|
|
169 |
request = rf.get('/')
|
|
170 |
sp_metadata = create_metadata(request)
|
|
171 |
idp = MockIdp(idp_metadata, idp_private_key, sp_metadata)
|
|
172 |
response = app.get(reverse('mellon_login'))
|
|
173 |
url, body, relay_state = idp.process_authn_request_redirect(
|
|
174 |
response['Location'],
|
|
175 |
auth_result=False,
|
|
176 |
msg=u'User is not allowed to login')
|
|
177 |
assert not relay_state
|
|
178 |
assert body is None
|
|
179 |
assert reverse('mellon_login') in url
|
|
180 |
assert 'SAMLart' in url
|
|
181 |
acs_artifact_url = url.split('testserver', 1)[1]
|
|
182 |
with HTTMock(idp.mock_artifact_resolver()):
|
|
183 |
response = app.get(acs_artifact_url, params={'RelayState': relay_state})
|
|
184 |
assert "status is not success codes: ['urn:oasis:names:tc:SAML:2.0:status:Responder',\
|
|
185 |
'urn:oasis:names:tc:SAML:2.0:status:RequestDenied']" in caplog.text
|
|
186 |
assert 'User is not allowed to login' in response
|
|
187 |
|
|
188 |
|
| 162 |
189 |
def test_sso_artifact(db, app, caplog, sp_settings, idp_metadata, idp_private_key, rf):
|
| 163 |
190 |
sp_settings.MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING = 'artifact'
|
| 164 |
191 |
request = rf.get('/')
|
| 165 |
|
-
|