From dccaab137d8c479c8f94db5fff12d999d6a028ef Mon Sep 17 00:00:00 2001 From: Paul Marillonnet Date: Thu, 21 Jun 2018 11:29:18 +0200 Subject: [PATCH] WIP support federation file loading (#19396) --- README | 13 + mellon/adapters.py | 136 +++++++-- mellon/app_settings.py | 16 +- mellon/federation_utils.py | 233 +++++++++++++++ mellon/utils.py | 175 ++++++++--- mellon/views.py | 148 ++++++--- setup.py | 1 + tests/conftest.py | 7 + tests/dummy_md.xml | 367 +++++++++++++++++++++++ tests/federation-sample.xml | 530 +++++++++++++++++++++++++++++++++ tests/test_federation_utils.py | 35 +++ tests/test_sso_slo.py | 88 +++++- tests/test_utils.py | 112 +++++-- tests/utils.py | 12 +- 14 files changed, 1731 insertions(+), 142 deletions(-) create mode 100644 mellon/federation_utils.py create mode 100644 tests/dummy_md.xml create mode 100644 tests/federation-sample.xml create mode 100644 tests/test_federation_utils.py diff --git a/README b/README index a06e1e9..c9bc481 100644 --- a/README +++ b/README @@ -82,6 +82,19 @@ metadata file of the identity provider or if it starts with a slash the absolute path toward a metadata file. All other keys are override of generic settings. +MELLON_FEDERATIONS +------------------ + +A list of dictionaries, only one key 'FEDERATION' is mandatory in those +dictionaries. It should contain the local path or the remote URL for the +metadata file describing the SAML-based federation to be loaded in mellon. Both +relative and absolute paths are supported. +Additional parameters can be given as key/value pairs in the dictionaries, on +a similar basis as the aforementioned MELLON_IDENTITY_PROVIDERS config. +For each dictionary describing a federation, these parameters will apply to +any successfully-loaded provider belonging to that federation. +These parameters also override the global settings. + MELLON_PUBLIC_KEYS ------------------ diff --git a/mellon/adapters.py b/mellon/adapters.py index 460d1a6..2a755cf 100644 --- a/mellon/adapters.py +++ b/mellon/adapters.py @@ -11,8 +11,12 @@ from django.contrib import auth from django.contrib.auth.models import Group from django.utils import six from django.utils.encoding import force_text +from django.utils.text import slugify from . import utils, app_settings, models +from mellon.federation_utils import idp_metadata_store, url2filename, \ + idp_metadata_extract_entity_id, idp_metadata_is_cached, \ + idp_metadata_load, idp_settings_store, idp_settings_load class UserCreationError(Exception): @@ -25,48 +29,114 @@ class DefaultAdapter(object): def get_idp(self, entity_id): '''Find the first IdP definition matching entity_id''' - for idp in self.get_idps(): - if entity_id == idp['ENTITY_ID']: - return idp + idp = {} + + # First, check whether the provider is cached + if idp_metadata_is_cached(entity_id): + metadata_content = idp_metadata_load(entity_id) + idp.update({'METADATA': metadata_content, + 'ENTITY_ID': entity_id}) + # Extra settings loaded if the provider comes from a federation + idp.update(idp_settings_load(entity_id) or {}) + + # If not, try to fetch it from the mellon settings + else: + for idp in self.get_identity_providers_setting(): + if not idp.get('METADATA_URL') and not idp.get('METADATA'): + self.logger.error(u'missing METADATA or METADATA_URL in idp %s', idp or '') + continue + + elif 'METADATA_URL' in idp and 'METADATA' not in idp: + metadata = utils.get_metadata_from_url(idp) + if not metadata: + continue + idp['METADATA'] = metadata + + if 'ENTITY_ID' not in idp: + if idp['METADATA'].startswith('/') or idp['METADATA'].startswith('./'): + # In case the entity ID isn't provided in the settings, it + # needs to be fetched from the content of the metadata file + metadata_path = idp['METADATA'] + if 'FEDERATION' in idp: + metadata_path = default_storage.path(metadata_path) + content = open(metadata_path, 'r').read() + else: + content = idp['METADATA'] + idp['ENTITY_ID'] = idp_metadata_extract_entity_id(content) + + if idp['ENTITY_ID'] == entity_id: + break + + return idp.copy() def get_identity_providers_setting(self): - return app_settings.IDENTITY_PROVIDERS + # First, providers from federation as declared in the mellon settings + for federation_data in self.get_federations(): + if not isinstance(federation_data, dict) or \ + 'FEDERATION' not in federation_data: + continue + fed_extra_attrs = federation_data.copy() + # Federation can be declared as URLs. If so, their content needs + # to be fetched and cached + fed_filepath, _ = utils.get_federation_metadata(federation_data.get('FEDERATION')) + + try: + tree = ET.parse(fed_filepath) + root = tree.getroot() + for child in root: + provider = {} + entity_id = idp_metadata_extract_entity_id(ET.tostring(child)) + if not entity_id: + # The XML tag wasn't an IDPSSODescriptor + continue + # Store the metadata content in cache + provider['METADATA'] = idp_metadata_store(ET.tostring(child).decode('utf-8')) + provider['ENTITY_ID'] = entity_id + # Add in each provider the federation-wise configuration + provider.update(fed_extra_attrs) + idp_settings_store(provider) + yield provider + except: + self.logger.error('Couldn\'t load federation metadata file %r', + fed_filepath) + continue + + # Then, the non-federated providers + for extra_provider in app_settings.IDENTITY_PROVIDERS: + yield extra_provider + + def get_federations(self): + for federation in getattr(app_settings, 'FEDERATIONS', []): + yield federation def get_idps(self): for i, idp in enumerate(self.get_identity_providers_setting()): if 'METADATA_URL' in idp and 'METADATA' not in idp: - verify_ssl_certificate = utils.get_setting( - idp, 'VERIFY_SSL_CERTIFICATE') - try: - response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate) - response.raise_for_status() - except requests.exceptions.RequestException as e: - self.logger.error( - u'retrieval of metadata URL %r failed with error %s for %d-th idp', - idp['METADATA_URL'], e, i) + md_content = utils.get_metadata_from_url(idp) + + if not md_content: continue - idp['METADATA'] = response.text - elif 'METADATA' in idp: - if idp['METADATA'].startswith('/'): - idp['METADATA'] = open(idp['METADATA']).read() - else: + + if 'FEDERATION' in idp: + # IdPs from federation are cached on filesystem + # only the filename is kept in memory + idp['METADATA'] = idp_metadata_store(md_content) + entity_id = idp.get('ENTITY_ID') + if not entity_id: + idp['ENTITY_ID'] = idp_metadata_extract_entity_id(md_content) + # load federation-specific configuration + idp.update(idp_settings_load(idp.get('ENTITY_ID'))) + else: + idp['METADATA'] = md_content + + elif idp.get('METADATA', '').startswith('/') or \ + idp.get('METADATA', '').startswith('./') and \ + 'FEDERATION' not in idp: + idp['METADATA'] = open(idp['METADATA'], 'r').read() + + elif not idp.get('METADATA'): self.logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i) continue - if 'ENTITY_ID' not in idp: - try: - doc = ET.fromstring(idp['METADATA']) - except (TypeError, ET.ParseError): - self.logger.error(u'METADATA of %d-th idp is invalid', i) - continue - if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF: - self.logger.error(u'METADATA of %d-th idp has no EntityDescriptor root tag', i) - continue - - if not 'entityID' in doc.attrib: - self.logger.error( - u'METADATA of %d-th idp has no entityID attribute on its root tag', i) - continue - idp['ENTITY_ID'] = doc.attrib['entityID'] yield idp def authorize(self, idp, saml_attributes): diff --git a/mellon/app_settings.py b/mellon/app_settings.py index 2355e8a..54a82ea 100644 --- a/mellon/app_settings.py +++ b/mellon/app_settings.py @@ -38,13 +38,27 @@ class AppSettings(object): 'LOGIN_URL': 'mellon_login', 'LOGOUT_URL': 'mellon_logout', 'ARTIFACT_RESOLVE_TIMEOUT': 10.0, + 'FEDERATIONS': [], } + @property + def FEDERATIONS(self): + from django.conf import settings + if settings.hasattr('MELLON_FEDERATIONS'): + federations = settings.MELLON_FEDERATIONS + if isinstance(federations, dict): + federations = [federations] + return federations + @property def IDENTITY_PROVIDERS(self): from django.conf import settings + idps = [] try: - idps = settings.MELLON_IDENTITY_PROVIDERS + if hasattr(settings, 'MELLON_IDENTITY_PROVIDERS'): + idps = settings.MELLON_IDENTITY_PROVIDERS + elif not hasattr(settings, 'MELLON_FEDERATIONS'): + raise AttributeError except AttributeError: return [] if isinstance(idps, dict): diff --git a/mellon/federation_utils.py b/mellon/federation_utils.py new file mode 100644 index 0000000..16823ed --- /dev/null +++ b/mellon/federation_utils.py @@ -0,0 +1,233 @@ +import fcntl +import json +import lasso +import logging +import tempfile +from datetime import timedelta + +from django.utils.text import slugify +from datetime import datetime + +import requests +from xml.etree import ElementTree as ET +import os +import hashlib +import os.path + +from django.core.files.storage import default_storage + + +def truncate_unique(s, length=250): + if len(s) < length: + return s + md5 = hashlib.md5(s.encode('ascii')).hexdigest() + # we should be the first and last characters from the URL + l = (length - len(md5)) / 2 - 2 # four additional characters + assert l > 20 + return s[:l] + '...' + s[-l:] + '_' + md5 + + +def url2filename(url): + return truncate_unique(slugify(url), 230) + + +def load_federation_cache(url): + logger = logging.getLogger(__name__) + try: + filename = url2filename(url) + path = os.path.join('metadata-cache', filename) + + unix_path = default_storage.path(path) + dirname = os.path.dirname(unix_path) + if not os.path.exists(dirname): + os.makedirs(dirname) + f = open(unix_path, 'w') + try: + fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB) + except IOError: + return + else: + with tempfile.NamedTemporaryFile(dir=os.path.dirname(unix_path), delete=False) as temp: + try: + # increase modified time by one hour to prevent too many updates + st = os.stat(unix_path) + os.utime(unix_path, (st.st_atime, st.st_mtime + 3600)) + response = requests.get(url) + response.raise_for_status() + temp.write(response.content) + temp.flush() + os.rename(temp.name, unix_path) + except: + logger.error('Could\'nt fetch %r', url) + os.unlink(temp.name) + finally: + fcntl.lockf(f, fcntl.LOCK_UN) + finally: + f.close() + except OSError: + logger.exception(u"could create the intermediary 'metadata-cache' " + "folder") + return + except: + logger.exception(u'failed to load federation from %s', url) + + +def get_federation_from_url(url, update_cache=False): + logger = logging.getLogger(__name__) + filename = url2filename(url) + filepath = os.path.join('metadata-cache', filename) + if not default_storage.exists(filepath) or update_cache or \ + default_storage.created_time(filepath) < datetime.now() - timedelta(days=1): + load_federation_cache(url) + else: + logger.warning('federation %s has not been loaded', url) + return default_storage.path(filepath) + + +def idp_metadata_filepath(entity_id): + filename = url2filename(entity_id) + filepath = os.path.join('./metadata-cache', filename) + return filepath + + +def idp_settings_filepath(entity_id): + filename = url2filename(entity_id) + "_settings.json" + filepath = os.path.join('./metadata-cache', filename) + return filepath + + +def idp_metadata_is_cached(entity_id): + filepath = idp_metadata_filepath(entity_id) + if not default_storage.exists(filepath): + return False + return True + + +def idp_metadata_is_file(metadata): + # XXX too restrictive (e.g. 'metadata/http-somemetadataserver-com-md00.xml' + # could be a file too...) + # On the opposite, `if "http://" in metadata or "https://" in metadata:" is + # equally restrictive. + # Using a URLValidator doesn't seem adequate either. + if metadata.startswith('/') or metadata.startswith('./'): + return True + + +def idp_metadata_needs_refresh(entity_id, update_cache=False): + filepath = idp_metadata_filepath(entity_id) + if not default_storage.exists(filepath) or update_cache or \ + default_storage.created_time(filepath) < datetime.now() - timedelta(days=1): + return True + return False + + +def idp_settings_needs_refresh(entity_id, update_cache=False): + filepath = idp_settings_filepath(entity_id) + if not default_storage.exists(filepath) or update_cache or \ + default_storage.created_time(filepath) < datetime.now() - timedelta(days=1): + return True + return False + + +def idp_metadata_store(metadata_content): + entity_id = idp_metadata_extract_entity_id(metadata_content) + if not entity_id: + return + logger = logging.getLogger(__name__) + filepath = idp_metadata_filepath(entity_id) + + dirname = os.path.dirname(filepath) + if not default_storage.exists(dirname): + os.makedirs(default_storage.path(dirname)) + + if idp_metadata_needs_refresh(entity_id): + with open(default_storage.path(filepath), 'w') as f: + try: + fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB) + f.write(metadata_content) + fcntl.lockf(f, fcntl.LOCK_UN) + except: + logger.error('Couldn\'t store metadata for EntityID %r', + entity_id) + return + return default_storage.path(filepath) + + +def idp_metadata_load(entity_id): + logger = logging.getLogger(__name__) + filepath = idp_metadata_filepath(entity_id) + if default_storage.exists(filepath): + logger.info('Loading metadata for EntityID %r', entity_id) + with open(default_storage.path(filepath), 'r') as f: + return f.read() + else: + logger.warning('No metadata file for EntityID %r', entity_id) + + +def idp_settings_store(idp): + """ + Stores an IDP settings when loaded from a federation. + """ + logger = logging.getLogger(__name__) + entity_id = idp.get('ENTITY_ID') + filepath = idp_settings_filepath(entity_id) + idp_settings = {} + + if not entity_id: + return + + dirname = os.path.dirname(filepath) + if not default_storage.exists(dirname): + os.makedirs(default_storage.path(dirname)) + + for key, value in idp.items(): + if key not in ('METADATA', 'ENTITY_ID'): + idp_settings.update({key: value}) + + if idp_settings_needs_refresh(entity_id) and idp_settings: + with open(default_storage.path(filepath), 'w') as f: + try: + fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB) + f.write(json.dumps(idp_settings)) + fcntl.lockf(f, fcntl.LOCK_UN) + except: + logger.error('Couldn\'t store settings for EntityID %r', + entity_id) + + +def idp_settings_load(entity_id): + logger = logging.getLogger(__name__) + filepath = idp_settings_filepath(entity_id) + if default_storage.exists(filepath): + logger.info('Loading JSON settings for EntityID %r', entity_id) + with open(default_storage.path(filepath), 'r') as f: + try: + idp_settings = json.loads(f.read()) + except: + logger.warning('Couldn\'t load JSON settings for EntityID %r', + entity_id) + else: + return idp_settings + else: + logger.warning('No JSON settings file for EntityID %r', entity_id) + + return {} + + +def idp_metadata_extract_entity_id(metadata_content): + logger = logging.getLogger(__name__) + try: + doc = ET.fromstring(metadata_content) + except (TypeError, ET.ParseError): + logger.error(u'METADATA of idp %r is invalid', metadata_content) + return + if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF: + logger.error(u'METADATA of idp %r has no EntityDescriptor root tag', + metadata_content) + return + if not 'entityID' in doc.attrib: + logger.error( + u'METADATA of idp %r has no entityID attribute on its root tag', + metadata_content) + return + return doc.attrib['entityID'] diff --git a/mellon/utils.py b/mellon/utils.py index 524f402..aa0d5f5 100644 --- a/mellon/utils.py +++ b/mellon/utils.py @@ -3,10 +3,14 @@ import datetime import importlib from functools import wraps import isodate +import requests +import requests.exceptions from xml.parsers import expat from django.contrib import auth +from django.core.exceptions import ValidationError from django.core.urlresolvers import reverse +from django.core.validators import URLValidator from django.template.loader import render_to_string from django.utils.timezone import make_aware, now, make_naive, is_aware, get_default_timezone from django.conf import settings @@ -14,6 +18,8 @@ from django.utils.six.moves.urllib.parse import urlparse import lasso from . import app_settings +from .federation_utils import get_federation_from_url, idp_metadata_is_file, \ + idp_metadata_load, idp_metadata_extract_entity_id def create_metadata(request): @@ -48,49 +54,63 @@ SERVERS = {} def create_server(request): logger = logging.getLogger(__name__) - root = request.build_absolute_uri('/') - cache = getattr(settings, '_MELLON_SERVER_CACHE', {}) - if root not in cache: - metadata = create_metadata(request) - if app_settings.PRIVATE_KEY: - private_key = app_settings.PRIVATE_KEY - private_key_password = app_settings.PRIVATE_KEY_PASSWORD - elif app_settings.PRIVATE_KEYS: - private_key = app_settings.PRIVATE_KEYS[0] - private_key_password = None - if isinstance(private_key, (tuple, list)): - private_key_password = private_key[1] - private_key = private_key[0] - else: # no signature - private_key = None - private_key_password = None - server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key, - private_key_password=private_key_password) - server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password) - private_keys = app_settings.PRIVATE_KEYS - # skip first key if it is already loaded - if not app_settings.PRIVATE_KEY: - private_keys = app_settings.PRIVATE_KEYS[1:] - for key in private_keys: - password = None - if isinstance(key, (tuple, list)): - password = key[1] - key = key[0] - server.setEncryptionPrivateKeyWithPassword(key, password) - for idp in get_idps(): - try: - server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA']) - except lasso.Error as e: - logger.error(u'bad metadata in idp %r', idp['ENTITY_ID']) - logger.debug(u'lasso error: %s', e) - continue - cache[root] = server - settings._MELLON_SERVER_CACHE = cache - return settings._MELLON_SERVER_CACHE.get(root) - - -def create_login(request): - server = create_server(request) + metadata = create_metadata(request) + if app_settings.PRIVATE_KEY: + private_key = app_settings.PRIVATE_KEY + private_key_password = app_settings.PRIVATE_KEY_PASSWORD + elif app_settings.PRIVATE_KEYS: + private_key = app_settings.PRIVATE_KEYS[0] + private_key_password = None + if isinstance(private_key, (tuple, list)): + private_key_password = private_key[1] + private_key = private_key[0] + else: # no signature + private_key = None + private_key_password = None + server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key, + private_key_password=private_key_password) + server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password) + private_keys = app_settings.PRIVATE_KEYS + # skip first key if it is already loaded + if not app_settings.PRIVATE_KEY: + private_keys = app_settings.PRIVATE_KEYS[1:] + for key in private_keys: + password = None + if isinstance(key, (tuple, list)): + password = key[1] + key = key[0] + server.setEncryptionPrivateKeyWithPassword(key, password) + return server + + +def get_federation_metadata(federation): + logger = logging.getLogger(__name__) + fedmd = None + pemcert = None + if (isinstance(federation, tuple) and len(federation) == 2): + logger.info('Loading local cert-based federation %r', + federation) + if federation[1].endswith('.pem'): + fedmd = federation[0] + pemcert = federation[1] + else: + urlval = URLValidator() + try: + urlval(federation) + except ValidationError: + logger.info('Loading file-based federation %s', + federation) + fedmd = federation + else: + logger.info('Fetching and loading url-based federation %s', + federation) + fedmd = get_federation_from_url(federation) + return (fedmd, pemcert) + + +def create_login(request, server=None): + if not server: + server = create_server(request) login = lasso.Login(server) if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS: login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID) @@ -113,6 +133,13 @@ def get_idps(): yield idp +def get_federations(): + for adapter in get_adapters(): + if hasattr(adapter, 'get_federations'): + for federation in adapter.get_federations(): + yield federation + + def flatten_datetime(d): d = d.copy() for key, value in d.items(): @@ -180,9 +207,10 @@ def get_setting(idp, name, default=None): return idp.get(name) or getattr(app_settings, name, default) -def create_logout(request): +def create_logout(request, server=None): logger = logging.getLogger(__name__) - server = create_server(request) + if not server: + server = create_server(request) mellon_session = request.session.get('mellon_session', {}) entity_id = mellon_session.get('issuer') session_index = mellon_session.get('session_index') @@ -259,3 +287,60 @@ def get_xml_encoding(content): parser.XmlDeclHandler = xmlDeclHandler parser.Parse(content, True) return xml_encoding + + +def recreate_server(request, remote_provider_id=None): + + def add_provider_from_idp(server, idp): + logger = logging.getLogger(__name__) + metadata = idp.get('METADATA') + entity_id = idp.get('ENTITY_ID') + try: + if 'FEDERATION' in idp and idp_metadata_is_file(metadata): + # Federated IdPs have their own cache management: + if idp_metadata_is_file(metadata): + if not entity_id: + entity_id = idp_metadata_extract_entity_id(metadata) + server.addProviderFromBuffer( + lasso.PROVIDER_ROLE_IDP, + idp_metadata_load(entity_id)) + elif metadata.startswith('/') or metadata.startswith('./'): + # Simply call the adequate built-in lasso routine + server.addProvider(lasso.PROVIDER_ROLE_IDP, metadata) + else: + # The metadata supplied is directly the content buffer: + server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, metadata) + except lasso.ServerAddProviderFailedError as e: + logger.error('Error %s: Failed to load idp %s', e, metadata) + + if remote_provider_id: + server = create_server(request) + idp = get_idp(remote_provider_id) + idp_metadata = idp.get('METADATA') + if not idp_metadata: + return server + add_provider_from_idp(server, idp) + else: + # No remote provider identifier was provided, but the server still needs + # to be recreated: + server = create_server(request) + for idp in get_idps(): + add_provider_from_idp(server, idp) + + return server + +def get_metadata_from_url(idp): + logger = logging.getLogger(__name__) + + verify_ssl_certificate = get_setting( + idp, 'VERIFY_SSL_CERTIFICATE') + + try: + response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate) + response.raise_for_status() + except requests.exceptions.RequestException as e: + logger.error( + u'retrieval of metadata URL %r failed with error %s', + idp['METADATA_URL'], e) + else: + return response.content.decode('utf-8') diff --git a/mellon/views.py b/mellon/views.py index 5b193f8..604eee2 100644 --- a/mellon/views.py +++ b/mellon/views.py @@ -19,7 +19,7 @@ from django.contrib.auth import REDIRECT_FIELD_NAME from django.db import transaction from django.utils.translation import ugettext as _ -from . import app_settings, utils +from . import app_settings, utils, federation_utils lasso.setFlag('thin-sessions') @@ -115,24 +115,37 @@ class LoginView(ProfileMixin, LogMixin, View): idp_message = None status_codes = [] # prevent null characters in SAMLResponse - try: - login.processAuthnResponseMsg(request.POST['SAMLResponse']) - login.acceptSso() - except lasso.ProfileCannotVerifySignatureError: - self.log.warning('SAML authentication failed: signature validation failed for %r', - login.remoteProviderId) - except lasso.ParamError: - self.log.exception('lasso param error') - except (lasso.LoginStatusNotSuccessError, - lasso.ProfileStatusNotSuccessError, - lasso.ProfileRequestDeniedError): - self.show_message_status_is_not_success(login, 'SAML authentication failed') - except lasso.Error as e: - return HttpResponseBadRequest('error processing the authentication response: %r' % e) - else: - if 'RelayState' in request.POST and utils.is_nonnull(request.POST['RelayState']): - login.msgRelayState = request.POST['RelayState'] - return self.sso_success(request, login) + worth_trying_again = True + num_tries = 0 + while worth_trying_again: + try: + login.processAuthnResponseMsg(request.POST['SAMLResponse']) + login.acceptSso() + except lasso.ProfileCannotVerifySignatureError: + worth_trying_again = False + self.log.warning('SAML authentication failed: signature validation failed for %r', + login.remoteProviderId) + except lasso.ParamError: + worth_trying_again = False + self.log.exception('lasso param error') + except (lasso.LoginStatusNotSuccessError, + lasso.ProfileStatusNotSuccessError, + lasso.ProfileRequestDeniedError): + worth_trying_again = False + self.show_message_status_is_not_success(login, 'SAML authentication failed') + except (lasso.ProfileUnknownProviderError, + lasso.ServerProviderNotFoundError) as e: + if num_tries == 1: + raise e + server = utils.recreate_server(request, login.remoteProviderId) + self.profile = login = utils.create_login(request, server) + num_tries += 1 + except lasso.Error as e: + return HttpResponseBadRequest('error processing the authentication response: %r' % e) + else: + if 'RelayState' in request.POST and utils.is_nonnull(request.POST['RelayState']): + login.msgRelayState = request.POST['RelayState'] + return self.sso_success(request, login) return self.sso_failure(request, login, idp_message, status_codes) def sso_failure(self, request, login, idp_message, status_codes): @@ -247,15 +260,30 @@ class LoginView(ProfileMixin, LogMixin, View): self.profile = login = utils.create_login(request) if relay_state and utils.is_nonnull(relay_state): login.msgRelayState = relay_state - try: - login.initRequest(message, method) - except lasso.ProfileInvalidArtifactError: - self.log.warning(u'artifact is malformed %r', artifact) - return HttpResponseBadRequest(u'artifact is malformed %r' % artifact) - except lasso.ServerProviderNotFoundError: - self.log.warning('no entity id found for artifact %s', artifact) - return HttpResponseBadRequest( - 'no entity id found for this artifact %r' % artifact) + num_tries = 0 + while num_tries < 2: + try: + login.initRequest(message, method) + except lasso.ProfileInvalidArtifactError: + self.log.warning(u'artifact is malformed %r', artifact) + return HttpResponseBadRequest(u'artifact is malformed %r' % artifact) + except (lasso.ProfileUnknownProviderError, + lasso.ServerProviderNotFoundError, + lasso.ProfileInvalidArtifactError) as e: + if num_tries == 1: + raise e + server = utils.recreate_server(request, login.remoteProviderId) + self.profile = login = utils.create_login(request, server) + if relay_state and utils.is_nonnull(relay_state): + login.msgRelayState = relay_state + except lasso.ProfileInvalidArtifactError: + self.log.warning(u'artifact is malformed %r', artifact) + return HttpResponseBadRequest(u'artifact is malformed %r' % artifact) + except lasso.ServerProviderNotFoundError: + self.log.warning('no entity id found for artifact %s', artifact) + return HttpResponseBadRequest( + 'no entity id found for this artifact %r' % artifact) + num_tries += 1 idp = utils.get_idp(login.remoteProviderId) if not idp: self.log.warning('entity id %r is unknown', login.remoteProviderId) @@ -350,9 +378,22 @@ class LoginView(ProfileMixin, LogMixin, View): if idp is None: return HttpResponseBadRequest('no idp found') self.profile = login = utils.create_login(request) - self.log.debug('authenticating to %r', idp['ENTITY_ID']) + self.log.debug('authenticating to %r', idp.get('ENTITY_ID') or idp['METADATA']) + entity_id = idp.get('ENTITY_ID') or federation_utils.idp_metadata_extract_entity_id(idp.get('METADATA')) + num_tries = 0 + while num_tries < 2: + try: + login.initAuthnRequest(entity_id, lasso.HTTP_METHOD_REDIRECT) + except (lasso.ProfileUnknownProviderError, + lasso.ServerProviderNotFoundError) as e: + if num_tries == 1: + raise e + server = utils.recreate_server(request, login.remoteProviderId) + self.profile = login = utils.create_login(request, server) + except lasso.Error as e: + return HttpResponseBadRequest('error initializing the authentication request: %r' % e) + num_tries += 1 try: - login.initAuthnRequest(idp['ENTITY_ID'], lasso.HTTP_METHOD_REDIRECT) authn_request = login.request # configure NameID policy policy = authn_request.nameIdPolicy @@ -410,10 +451,19 @@ class LogoutView(ProfileMixin, LogMixin, View): def idp_logout(self, request): '''Handle logout request emitted by the IdP''' self.profile = logout = utils.create_logout(request) - try: - logout.processRequestMsg(request.META['QUERY_STRING']) - except lasso.Error as e: - return HttpResponseBadRequest('error processing logout request: %r' % e) + num_tries = 0 + while num_tries < 2: + try: + logout.processRequestMsg(request.META['QUERY_STRING']) + except (lasso.ProfileUnknownProviderError, + lasso.ServerProviderNotFoundError) as e: + if num_tries == 1: + raise e + server = utils.recreate_server(request, logout.remoteProviderId) + self.profile = logout = utils.create_logout(request, server) + except lasso.Error as e: + return HttpResponseBadRequest('error processing logout request: %r' % e) + num_tries += 1 try: logout.validateRequest() except lasso.Error as e: @@ -469,15 +519,27 @@ class LogoutView(ProfileMixin, LogMixin, View): # that a concurrent SSO happened in the meantime, so we do another # logout to make sure. auth.logout(request) - try: - logout.processResponseMsg(request.META['QUERY_STRING']) - except lasso.ProfileStatusNotSuccessError: - self.show_message_status_is_not_success(logout, 'SAML logout failed') - except lasso.LogoutPartialLogoutError: - self.log.warning('partial logout') - except lasso.Error as e: - self.log.warning('unable to process a logout response: %s', e) - return HttpResponseRedirect(resolve_url(settings.LOGIN_REDIRECT_URL)) + num_tries = 0 + worth_trying_again = True + while worth_trying_again: + try: + logout.processResponseMsg(request.META['QUERY_STRING']) + except lasso.ProfileStatusNotSuccessError: + self.show_message_status_is_not_success(logout, 'SAML logout failed') + worth_trying_again = False + except lasso.LogoutPartialLogoutError: + self.log.warning('partial logout') + worth_trying_again = False + except (lasso.ProfileUnknownProviderError, + lasso.ServerProviderNotFoundError) as e: + if num_tries == 1: + raise e + server = utils.recreate_server(request, logout.remoteProviderId) + self.profile = logout = utils.create_logout(request, server) + except lasso.Error as e: + self.log.warning('unable to process a logout response: %s', e) + return HttpResponseRedirect(resolve_url(settings.LOGIN_REDIRECT_URL)) + num_tries += 1 next_url = self.get_next_url(default=resolve_url(settings.LOGIN_REDIRECT_URL)) return HttpResponseRedirect(next_url) diff --git a/setup.py b/setup.py index fb0fc00..2186277 100755 --- a/setup.py +++ b/setup.py @@ -94,6 +94,7 @@ setup(name="django-mellon", 'django>=1.5,<2.0', 'requests', 'isodate', + 'pytz', ], setup_requires=[ 'django>=1.5,<2.0', diff --git a/tests/conftest.py b/tests/conftest.py index bfa8788..82a7fb9 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -42,3 +42,10 @@ def caplog(caplog): caplog.handler.stream = py.io.TextIO() caplog.handler.records = [] return caplog + + +# XXX temporary workaround +# non-federated IdPs shouldn't have their MD cached +@pytest.fixture(autouse=True) +def mellon_settings(settings, tmpdir): + settings.MEDIA_ROOT = str(tmpdir) diff --git a/tests/dummy_md.xml b/tests/dummy_md.xml new file mode 100644 index 0000000..dc16725 --- /dev/null +++ b/tests/dummy_md.xml @@ -0,0 +1,367 @@ + + + + + + + + + + +JKdLdd5yGvkFdb1fCAByMMnurIKYhZepRouZfOjIUrg= + + + +OTexfi8c63TsP1V9j5m6digA2NomUfqBtT8pPKhwdqEDQS5qLh6fxvT+wWkP6JaIhkP8nxwpbArl +7cUHkRv5ibZzcknIAjXYMhsSTtFQUq89OMcDHtZHG54jiKyHPhu2+XEbvv6DsAYanYC6SHEnGjNG +opnOEUB2XqeycsvvTQQIuWZEoABTVcKYyk2CW7Ij5EUmPOAPiidtbt8lzrtkV6dwLbkyoEbChAyj +emrL/oS01aJgT9sQoJxR8lyRMGiZ/BwQqYTareiKwOXLPdGThzsfZXD8de9T1xuysILaAM7sHPJV +QfrQJm80Zo2MM/GnhJTO9rc4m3kRnRhqmA6qMw== + + + + + +71+vTf66BPgYUF7sm4T++W69qMVyGQn9wNqpBLc6sp53eq/JRTOUD26Yehjsld5qN52Bv2r5QG7o +4VU123akXUYzupvq1f+tmF9NwYa7MPEPFzCzJHhNXjZNRxcsW1WLW34fhQCm0oak3oSPoNo5qeGi +jNsTSkgSt1mPH0P8d95af2VJnT6zbrclxvH4emqpT9oGLsWqKWLlIbZ7u1PUjuNVwLHuj909/apm +C13RBIpV52fey4qey34bnRHdCTknZeN/TJLTJ9hMWzz9TbdjfIFaiF7MeY+OYRXzUJeQuHHMu/2I +emkoR26mYi6irvmx8AdPcPCwcRKw2Ca4xLhbNw== + +AQAB + + + + +MIIC9zCCAd+gAwIBAgIEfe6j3jANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFTQU1MIE1ldGFk +YXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTYwNzI5MDczNjM4WhcNMjYwNjA3MDczNjM4WjAs +MSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDvX69N/roE+BhQXuybhP75br2oxXIZCf3A2qkEtzqynnd6r8lF +M5QPbph6GOyV3mo3nYG/avlAbujhVTXbdqRdRjO6m+rV/62YX03Bhrsw8Q8XMLMkeE1eNk1HFyxb +VYtbfh+FAKbShqTehI+g2jmp4aKM2xNKSBK3WY8fQ/x33lp/ZUmdPrNutyXG8fh6aqlP2gYuxaop +YuUhtnu7U9SO41XAse6P3T39qmYLXdEEilXnZ97Lip7LfhudEd0JOSdl439MktMn2ExbPP1Nt2N8 +gVqIXsx5j45hFfNQl5C4ccy7/Yh6aShHbqZiLqKu+bHwB09w8LBxErDYJrjEuFs3AgMBAAGjITAf +MB0GA1UdDgQWBBTT88iZzWO+hN9SBUkpx871lmTuLTANBgkqhkiG9w0BAQsFAAOCAQEABoPpODry +XwiM5jjtqk6veR02FevCKHpZP6Od7Kqcfs6lg5LcQmGUOgpmW3Gg4UMjBYkgARsT2Nsnah1CJqa8 +cjvv8p5KEIhY0hVS8iMJnrb3PDeiFSeP4xSfct/6z/ebV4+QFl22bsm2zpAC6BpFz8+IJ/jAmQzT +Vob4MAUeQPnwwzm3xz6yanLZx7BK5cfrTCa+hrarNQCboRjXPwiejF8WRCxpgRHH6yNs5QH/Z6o5 +e3tUP7uEpn2Ob+kcLsEMGb9DghkoDAgkHCOZeTy+7hgxt+/T94cLTa58gVtvEOnd0GuL7Vfd+IVd +XgSard8RfR3OyZlf6M4aSGQA73sskQ== + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + agropolis.fr + + + + Agropolis International + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAACPUlEQVQoz21SPW8TQRR8u7d3ju34Er6UCHACRqK4Bjk0oDSEjiYSBQVS8k9AkWgp+AuUASGEaCASkoPcgARVMF8iTnxJwMFJfL47397u3u6jsGVFwLzmFTN6ozdDEBEAAOD4kiRJsVgkhMA/YMfZzc3NVstnzGq1/KXlJfgf2Ii9XquVZ2YWbi5Io4MsbfPeZK4wRm0AOH6KICIivq2tV6/O5cYLHztbW9FvYTKuZaLk7PjpW+UrJXtspCHGmGazCQBnZ8svtj/0tbAINYhcy1DyThpRhHtztyedwkBDAWBnZ6dSqbzZ+7THu0IraTJplDSZ0JnQ2Y+482jj1cgSRUTHdrhW9fa3SKaxErFKIyUiKaIsjVQaKf5s631HxP1+X2vNwjB0J9zd+OgnD044Ra4lI5ZBw7XqyeRQREciaqe9xoE/K/OFfIENnqBM1uZBqlWBOYxQjYZnqieTThru8zCU3AASIAjIXNellGLePkjCUPICy1mEDAShSg7SqCsTBtQ7WfY3vlarVUYpdUsuAs5PXV7dfpe3HEYtjSbNZJwJoRUi3rl4fSrvfufctm0ySA0RD0V84+WDL1EbCCDCYIDApeKZ+uKK6faDIPA8jw7jIORUbry2eH+5Mu8ARTSAkCPW3QvX6osrE+B8bjQ8zxu2aACDaIwxxuzzsLbbePj88a8k0Mb4vr/2ei3LMoOIiGRU0iGGVuDp6pNz5fNSiKnpac/zgAABMuzSXwIggIjdbrdUKjHGYGQaAAD+AJBJecXxnEvWAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ4OjE1KzAyOjAwpWiGMQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0ODoxNSswMjowMNQ1Po0AAAAASUVORK5CYII= + http://www.agropolis.fr + + Agropolis International + + + + + + + + + MIIDNzCCAh+gAwIBAgIUYY3sGXwChkj2CRy6QFDvkdj2zlAwDQYJKoZIhvcNAQEF +BQAwHjEcMBoGA1UEAxMTYWlzaGliLmFncm9wb2xpcy5mcjAeFw0xMzA1MTUxMzM3 +MTJaFw0zMzA1MTUxMzM3MTJaMB4xHDAaBgNVBAMTE2Fpc2hpYi5hZ3JvcG9saXMu +ZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxrDy6lrhIBjcxv16n +4UJ2cEMYPO4wSmfDwhO6feoSIEuIblYRHE2nQKirMokwD6seF4rbDHyxLXg/ColL +VLv+0CJteIOZjSCgSN90WzQRrC1Ex5sJfPu6yPEXvW8H1906gEg6ok8rlCIHRGfE +15pHK5eqxQS5f2n8c2t/Uk33/FBj79/hb3Cd7vE4mdlvReD3AFswC0lV4bPmj3Ka +KUuMj9xwipwnfWCu6p2/ZJF4M3ADU5grXHJ2Vqmd8DWm5raaObKjYwJddbRBByI8 +bJJLIwAQQmX4Dh4hf1QKlf2oqWPWVQxLQp0erL1U8IWmj1RG8TTH9xOJl6kkEhYq +Z2gfAgMBAAGjbTBrMEoGA1UdEQRDMEGCE2Fpc2hpYi5hZ3JvcG9saXMuZnKGKmh0 +dHBzOi8vYWlzaGliLmFncm9wb2xpcy5mci9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4E +FgQU9A7iQ8Qo+t2JCpKuOOV9YBoYs4MwDQYJKoZIhvcNAQEFBQADggEBAG0LOW6I +F+M8n2NpzyQjfVCJCA6QhWjbXrfemiPJFZGZZb2dVmHof4yCpCUYgHOBoZaXPOlB +nLYsUWvFZ6V2GELZpLHzHSSrYidieW07qQkh1DwcIYpvtZgLviOtT/tCEGsk925f +DUoGdeIqpqt54WZcW9+TbKicvjg3JT4BFOQ17bFNwPW+YjTbvsWYxen+e0mRp4vM +V0yMu2f3bccVhePASSZGL3yod3sJ1dPvlrJO9c35BekhtirolVjZqMQ0AYPVifua +yIU0dWXsZkAOcBL9kZFbJcYRUIxMgvp8U2Zdv1+ZlwOyXnnWDOOh9wjuT7FAyObU +ChvjHlgZHkvLwJI= + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + Agropolis International + Agropolis International + http://www.agropolis.fr + + + + + + + Jean Cerda + cerda@agropolis.fr + + + + + + Jean-Pierre Allano + allano@agropolis.fr + + + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + vetagro-sup.fr + + + + Vetagro Sup + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAB/klEQVQ4y2NkQAP///+X+/jxI/PO7dujP3/7kf7v778ffDzciw2MDFaqq6t/Y2RkfIysngndAEZGxkezZ8/25xEQqVDTs5eRVrNU4RQUL7x9+7YtumasBjAwMDBISIgbcvBKct998p7h1fvfDKyc4nz//jF6yjAwSBNlwM+fP3/9/PmT4dbl4wysrCwMf//9Z/r7959UcFISD1EGPH107xgfD9sbTg52hrcvHjDw87Aw/Pz+7tLEefNuEmWAm6ffxvu3Ll4zMjZleHz/KsO7lw+f3bh+czs2tVgNsLS0fPfs4b3VnKy//wrycW84e2L/uobmtg0MpIKurt6N////Z8jPzxcnWTMDAwPD79//tbq7+9bhU8OMTfD//8cMP79L1X/8tjxMQYHXT0Uh88aBgyuvEW3Aly+8ntw8jLU3bx20cnH/xPz2jTyvk9OGpTt3NhIOxP//GRgkJGR8tPVeyElIvWA4dfIqg57Bff0nD+eHExULIb5dqkYmYgYm5r8YPH3vMzx//omBk+edpI4+vxVRBnz5zPqbi4vt7a9fv//9+cvAYG79jIGZmZWBg4NJiCgDdh4sfHD/7u9j714Z/BYWiGBQVkxjePNK8+erV5+uYDOABTMM/nP09y9Z8+OHgNjli9ahf//++8vGwrlAS0tp/v///7kYGRm/IasHAIVTy8DG/VpJAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjUwOjA5KzAyOjAwfDtz7wAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo1MDowOSswMjowMA1my1MAAAAASUVORK5CYII= + http://www.vetagro-sup.fr + + Vetagro Sup + + + + + + + + + MIIDPDCCAiSgAwIBAgIVAL9PsuadPSIZcMHNxlK/oevezmzWMA0GCSqGSIb3DQEB +BQUAMB8xHTAbBgNVBAMTFGFtYnJlLnZldGFncm8tc3VwLmZyMB4XDTEyMTEwODEw +MTQwNFoXDTMyMTEwODEwMTQwNFowHzEdMBsGA1UEAxMUYW1icmUudmV0YWdyby1z +dXAuZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc/ptfpmkomwmT +4RsID+1Ce1dX0eUjcLgSOZN8hVpHWLag2ERWkpmvB5aK7BAFcI5i//Gk80tAiasu +JtlZhBnEw54aTJRGpyL2CVkHyl6SMRxprIi1Ji67IoGqEgUeGaheAxo+tG5e1WSc +bIbldcSKdwvjAV+7HSB4C6NqLsAzJH25++yaRH2uf2LTD0TDzNR9Q2hVj/VyYWR+ +K3HWI1Snjn/i7aFfZZhYmBkwHuQOaPhwCM+khikg5XicMsxUhHCMi93UgHGIsdkr +IEGj4xydBTUKsLaykeuFS8EgXbWwCLGkeX76w8xDoFIpnppU/yFd9v7Zg3EBfn4p +kTW3GdIjAgMBAAGjbzBtMEwGA1UdEQRFMEOCFGFtYnJlLnZldGFncm8tc3VwLmZy +hitodHRwczovL2FtYnJlLnZldGFncm8tc3VwLmZyL2lkcC9zaGliYm9sZXRoMB0G +A1UdDgQWBBTPTqWkVHrHXFjmxMWkNt/sp2h5ozANBgkqhkiG9w0BAQUFAAOCAQEA +FvXMtfBUmRZCzz8CjanGzr1TBUPmnkrKci5AtkseKw9YlfUmBXTHB01y697nYq6m +RB6KhvfW212h9CF0IOEEjoadgDhXqGYhq8PnAOtT4Ty3XDy8SbRh8aQWfvnfSngv +FdpHRiSpj5UXXuT5zTtkf59h58XKtEfCkMbUzvdOgUobJzpD0WISmQHPQnx+Neg6 +9j7oMRrDiZjS39Om8Imu9xvsnddDM3PlsDBIsvrr1o7K5iLkEdR1YYX0ZNDbiFuw +QXXl2dwQPB8KrScPUvCe57slU2gFQvvIBzjQysxC6V6TPSuM3A/ee56lACuB3jKj +oYkHQc5Gj/1rSMLmu9aLMg== + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + Vetagro Sup + Vetagro Sup + http://www.vetagro-sup.fr + + + + + + + Nicolas Aulas + nicolas.aulas@vetagro-sup.fr + + + + + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + insa-strasbourg.fr + + + + INSA Strasbourg + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAq1BMVEXeAACEhoTWz87nQTn3oqXnIBjvgnvWlpT/5+fnEAjvZWOltrXnNDH3mpT/9/fnCAD/4+fvioz3x8bnVVL3qq3nKCnvkpTnHBjvcXP3sq3vgoT/7+/nFBDnODH3mpz////nDAj3z87vlpTveXv3vr3nAACMmpznRUL3pqXnJCHnFAj/+//nDADvjoz3y87vXVr3rq3nLCnvdXP3srXvhoT/8/fvODH3npz3lpQaie6kAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAAe0lEQVQY053OwQqCQBhF4VM22VSMMWrFGP2kkIpUQ1nz/m8Ws20TeFeHb3WRnzEBBjO8xRjZrURi0TFiy+UITjTpjIKaOndZuDSGxF0j9G1+e7CuLN1nE2F7VI28tAoqMMezP1ieFOOp7RPueBXKSqdnMq8Wg66nPP0LX4uIG4jEwJ0sAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ5OjA0KzAyOjAwIHfmJQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0OTowNCswMjowMFEqXpkAAAAASUVORK5CYII= + http://www.insa-strasbourg.fr + + INSA Strasbourg + + + + + + + + + MIIDUDCCAjigAwIBAgIVAIbX8U0uAqAhuXm1jWxiFpggtDTDMA0GCSqGSIb3DQEB +CwUAMCQxIjAgBgNVBAMMGXNvdWZyZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcNMTYw +OTI3MTIzNjIxWhcNMzYwOTI3MTIzNjIxWjAkMSIwIAYDVQQDDBlzb3VmcmUuaW5z +YS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +sEE02sLRPAG5N81DMHEeGpI2MYF8yG/RiwH07cFIlLqgV80ewOmi0FWPYijxMb8A +bmx0RwUMvJBVI6WMxtT9fykhID20k8rWOuYOzvaynzVqCktqVgKoEAxP1PFE9b0n +iGKFprjjNl9ZD90GOUsxbAO7yXG9Q4WBa/eThl6XkUvNkSaZp5hcdWrgcAdsae3q +iD/uxFa38NXNNeRLGyfxjd2K5qYSzbwBza9s9TOq1+pfw7sxu3/4BnfQ0RLGO6co +4tH4Mufh0ome4cyYk4pvW5DOd1AznxDb8HpqvE0zwEsa69c/FDX0akgFZydmc77a +j6USn6JKjjbO49yGtG1gVQIDAQABo3kwdzAdBgNVHQ4EFgQUjzMsxZYiokPYxper +9zadM8J0F0kwVgYDVR0RBE8wTYIZc291ZnJlLmluc2Etc3RyYXNib3VyZy5mcoYw +aHR0cHM6Ly9zb3VmcmUuaW5zYS1zdHJhc2JvdXJnLmZyL2lkcC9zaGliYm9sZXRo +MA0GCSqGSIb3DQEBCwUAA4IBAQBFJKsiS3yfWuDB/E+iqQ0TuQJzL5+JIcloN0dw +BFxW3VZOju15zeQ7LwRBg9S4SGLMPJU+LM1lvr68cK9brut/FjF51SETIXEeCWo3 +7+PIqgOCzraLNinmpU/OtN8ENalOPvpS6Jvbd23qB2t+IqOtZ+j15b0Yq4/on1E3 +W2F9CVzKpe4EwmmtCPQbe7U1wvhgFylEx797pex8veWs79YSYwqvcKMh79dzl8Fo +/CgsO5pDrfKmc6SGMkByq75dZj+PqhZDzZ9EFTxbrXOTaS08VRN6a5Rh2iYRnGxq +yZl66tPcaIm5PHgOEmu5X4lPkUoY+Jt36Gj3SGCbYt8qH5S0 + + + + + + + + + + + + + MIIDXDCCAkSgAwIBAgIVAKI+qiqDCk9wTTqn7OVAoZrvj/CpMA0GCSqGSIb3DQEB +BQUAMCcxJTAjBgNVBAMTHGFudGltb2luZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcN +MTQwMTEzMTAzOTU4WhcNMzQwMTEzMTAzOTU4WjAnMSUwIwYDVQQDExxhbnRpbW9p +bmUuaW5zYS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAtuM8lRjlVjjmrHq9VtguaOMQL+Wd99BiOs56kL3Mbctg1FwH69LYThCW +6dOz6WJg/jU/naF7jEikXKc71xGyu7Ph7Iqa9S5hoXXAT8u/0q2nZDeTOraJqKe1 +FMF2RzXhEEMyQO3CiKNK9b+tbKoNZS7FQCixMZklWZPt4EcEKd6jyRq1WYX3dpnb +r9I/aCdhtK/PGvGe5gKTDoTR2HKyWKJTc/obf8x/vlYIEwiaGgdlqI2KiBE0x48n +zQdP6XVi3T8ZWbnkLmCfgJtP2C8PtEJuwDRAy0Z9N4DSwvxn5YCVYgBLSi0TLa10 +B/lUqqBezZrTrA9p9Lt8JtGXW5YGHwIDAQABo38wfTBcBgNVHREEVTBTghxhbnRp +bW9pbmUuaW5zYS1zdHJhc2JvdXJnLmZyhjNodHRwczovL2FudGltb2luZS5pbnNh +LXN0cmFzYm91cmcuZnIvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFLFkjPZUc9JY +qrWjldJ/iGGkKAt4MA0GCSqGSIb3DQEBBQUAA4IBAQBSk/wU1mRn4VF2ifmy261K +DK7uX+t1H1hh8S38fKSFU7HoNXJTV3vQnmBOpYIGC1gtvmb+qjqpNtikU2zO84Gq +Q0bXHxYF2d9RUP89mKaFxE5uNcXFmlOA3ChZY3pMT5zwAPI/T60tGrex7zci7OLn +JDAQj/q4Yk9ejx6JTFggQSCCVh+oV/SDIMd2p5AY6H3mto3b6XCk7Lssa8a/D30k +pEkZnhTKdN82eRyynuOR7UDU4tasV4d7Mi/j53f5ihnRcsvwh/pYodjoVYY8cEcZ +JLnAXYF8coSwh8UN4D/0NHsvTuSOFQc85hGrqacMsvxiQiw9mv01AX5+A5YLEbVQ + + + + + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + INSA Strasbourg + INSA Strasbourg + http://www.insa-strasbourg.fr + + + + + + + Lahsen BOUZID + lahsen.bouzid@insa-strasbourg.fr + + + + + + Simon SCHERRER + simon.scherrer@insa-strasbourg.fr + + + + + + diff --git a/tests/federation-sample.xml b/tests/federation-sample.xml new file mode 100644 index 0000000..180f6e1 --- /dev/null +++ b/tests/federation-sample.xml @@ -0,0 +1,530 @@ + + + + + + + + + + +JKdLdd5yGvkFdb1fCAByMMnurIKYhZepRouZfOjIUrg= + + + +OTexfi8c63TsP1V9j5m6digA2NomUfqBtT8pPKhwdqEDQS5qLh6fxvT+wWkP6JaIhkP8nxwpbArl +7cUHkRv5ibZzcknIAjXYMhsSTtFQUq89OMcDHtZHG54jiKyHPhu2+XEbvv6DsAYanYC6SHEnGjNG +opnOEUB2XqeycsvvTQQIuWZEoABTVcKYyk2CW7Ij5EUmPOAPiidtbt8lzrtkV6dwLbkyoEbChAyj +emrL/oS01aJgT9sQoJxR8lyRMGiZ/BwQqYTareiKwOXLPdGThzsfZXD8de9T1xuysILaAM7sHPJV +QfrQJm80Zo2MM/GnhJTO9rc4m3kRnRhqmA6qMw== + + + + + +71+vTf66BPgYUF7sm4T++W69qMVyGQn9wNqpBLc6sp53eq/JRTOUD26Yehjsld5qN52Bv2r5QG7o +4VU123akXUYzupvq1f+tmF9NwYa7MPEPFzCzJHhNXjZNRxcsW1WLW34fhQCm0oak3oSPoNo5qeGi +jNsTSkgSt1mPH0P8d95af2VJnT6zbrclxvH4emqpT9oGLsWqKWLlIbZ7u1PUjuNVwLHuj909/apm +C13RBIpV52fey4qey34bnRHdCTknZeN/TJLTJ9hMWzz9TbdjfIFaiF7MeY+OYRXzUJeQuHHMu/2I +emkoR26mYi6irvmx8AdPcPCwcRKw2Ca4xLhbNw== + +AQAB + + + + +MIIC9zCCAd+gAwIBAgIEfe6j3jANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFTQU1MIE1ldGFk +YXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTYwNzI5MDczNjM4WhcNMjYwNjA3MDczNjM4WjAs +MSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDvX69N/roE+BhQXuybhP75br2oxXIZCf3A2qkEtzqynnd6r8lF +M5QPbph6GOyV3mo3nYG/avlAbujhVTXbdqRdRjO6m+rV/62YX03Bhrsw8Q8XMLMkeE1eNk1HFyxb +VYtbfh+FAKbShqTehI+g2jmp4aKM2xNKSBK3WY8fQ/x33lp/ZUmdPrNutyXG8fh6aqlP2gYuxaop +YuUhtnu7U9SO41XAse6P3T39qmYLXdEEilXnZ97Lip7LfhudEd0JOSdl439MktMn2ExbPP1Nt2N8 +gVqIXsx5j45hFfNQl5C4ccy7/Yh6aShHbqZiLqKu+bHwB09w8LBxErDYJrjEuFs3AgMBAAGjITAf +MB0GA1UdDgQWBBTT88iZzWO+hN9SBUkpx871lmTuLTANBgkqhkiG9w0BAQsFAAOCAQEABoPpODry +XwiM5jjtqk6veR02FevCKHpZP6Od7Kqcfs6lg5LcQmGUOgpmW3Gg4UMjBYkgARsT2Nsnah1CJqa8 +cjvv8p5KEIhY0hVS8iMJnrb3PDeiFSeP4xSfct/6z/ebV4+QFl22bsm2zpAC6BpFz8+IJ/jAmQzT +Vob4MAUeQPnwwzm3xz6yanLZx7BK5cfrTCa+hrarNQCboRjXPwiejF8WRCxpgRHH6yNs5QH/Z6o5 +e3tUP7uEpn2Ob+kcLsEMGb9DghkoDAgkHCOZeTy+7hgxt+/T94cLTa58gVtvEOnd0GuL7Vfd+IVd +XgSard8RfR3OyZlf6M4aSGQA73sskQ== + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + access-check.edugain.org + + + + eduGAIN Access Check + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAABbUlEQVQoz52RPW4UQRCFv6ru6fnZNSxCJuVKpFwAicR3IUI+AakvhQhI7JU8M/1T3QQzsg1sAhWV3qtPVaonfPrCX9W+fpTP3y7otzceGJKJxCiujpVUkCv0+m3K967hixUfWgWSHwAPxG6UqtIFbEFHGoCqR721BX+wirO8LVGg+a6amEXXjqxhM5ZxNFPvX1Odocn5ZwB7HCn4hWI42wxD6KWUBVfIZxXd9J2zNhHFmro2Gx3QPKSReGCiV40ESM/A1NcxTDnn7HvLFViXBRZ6MKJnmwaktca/lFzO4fZG7n5e0D9cK4DjFI69yrGbwvhqP7KWp7kR99QrQAn3cW5N5/SQ1rivDgdUCUegFfkDkKF26TG7FijzZoS0sM7kM7D6gncvgG5d7cEdu6wN+v3R/cRwQgaAdnA2vACQvn9Tk6NNqjtwjis1Iyp4JOpafwvu3ZAYa3TV2fBjBnjfe8uLKErOZLk6fU//lcMvhuSrh7MzMwcAAAAldEVYdGRhdGU6Y3JlYXRlADIwMTUtMDctMjBUMTA6NTA6MTErMDI6MDCDfj0WAAAAJXRFWHRkYXRlOm1vZGlmeQAyMDE1LTA3LTIwVDEwOjUwOjExKzAyOjAw8iOFqgAAAABJRU5ErkJggg== + http://www.renater.fr + eduGAIN Access Check allows administrators of a Service Provider (SP) registered in eduGAIN to create test accounts with different profiles to validate the behaviour and test federated login. The test accounts can only be used to access own services. + eduGAIN Access Check + eduGAIN Access Check allows administrators of a Service Provider (SP) registered in eduGAIN to create test accounts with different profiles to validate the behaviour and test federated login. The test accounts can only be used to access own services. + + + + + + + + MIID2zCCAsOgAwIBAgIJAJpdV2MFitUqMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD +VQQGEwJGUjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MQ4wDAYDVQQKDAVHRUFOVDEd +MBsGA1UEAwwUdGVzdC1pZHAuZWR1Z2Fpbi5vcmcxLjAsBgkqhkiG9w0BCQEWH3Rl +c3RpZHBhY2NvdW50bWFuYWdlckBnZWFudC5uZXQwHhcNMTQxMjE4MTAxODU5WhcN +MjQxMjE3MTAxODU5WjCBgzELMAkGA1UEBhMCRlIxFTATBgNVBAcMDERlZmF1bHQg +Q2l0eTEOMAwGA1UECgwFR0VBTlQxHTAbBgNVBAMMFHRlc3QtaWRwLmVkdWdhaW4u +b3JnMS4wLAYJKoZIhvcNAQkBFh90ZXN0aWRwYWNjb3VudG1hbmFnZXJAZ2VhbnQu +bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo48FFP0P/81e3WHb +U91F/TYDZC/JypEqO2XQNH50baXpk2JrJFVFOWdgdK6qWHsLznuxngRsfOasAaVA +Ob1Bf3g2xgPUd2htSLxds+o/Y24DOM6ZairxbWJk2rOvLhJFchlrcNWCpMtUCkfJ +xmqGmeo93XAud5byj3wQ1NuH2o8rjTPAkMgQdr8D2b8EG1NYEH00AqRlXZTFCWGL +KDEuZwyta6vgMQYT4K6UF/F+HWF2wzbmVgRTHguJ0rzNqz6t+9CtLkhyZO+/57Ro +4U0ikshVWkUOENPKCnB1t+ebs/AsNozbIGA/HcdtwUwDgIowv/K0hdnLDC1vz6/S +F3rnGQIDAQABo1AwTjAdBgNVHQ4EFgQUgWN9jmJxOEHYU5m8D0atl895HxowHwYD +VR0jBBgwFoAUgWN9jmJxOEHYU5m8D0atl895HxowDAYDVR0TBAUwAwEB/zANBgkq +hkiG9w0BAQUFAAOCAQEAXvlBHMaBK6m0PQNanTqGBRdRAFt8Xkr5texD5mPTmS/7 +nqnxlN0orqYWGCaARmQE+T77EB2a2n9g2s130pUXwJxcbUwIOdPKH6CMKEHT/512 +bndJXQ3DyhkuVSLtRFOdfleIhi8qUkNC9FWxM4jDHDTTQtNEHnCjFxlhxw+ri5QJ +AVKpH9MkcuIkM6Jx+QhNwTDwCRIJffoDOH420yR5EWx/sQ4tjKQGiFOPv/WHFjXd +LqHU+X8ErzxeNmUHHST6pHePWRCMtoPTdCPhEroJhou6NMHh8ylQOIVHt6gggc7r +kUWMUybDUxPp49qMeNkdKqFPby2aW7ouKRoOXuxZhg== + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + eduGAIN Access Check + eduGAIN Access Check + http://www.renater.fr + + + + + + edugain-integration@geant.net + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + agropolis.fr + + + + Agropolis International + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAACPUlEQVQoz21SPW8TQRR8u7d3ju34Er6UCHACRqK4Bjk0oDSEjiYSBQVS8k9AkWgp+AuUASGEaCASkoPcgARVMF8iTnxJwMFJfL47397u3u6jsGVFwLzmFTN6ozdDEBEAAOD4kiRJsVgkhMA/YMfZzc3NVstnzGq1/KXlJfgf2Ii9XquVZ2YWbi5Io4MsbfPeZK4wRm0AOH6KICIivq2tV6/O5cYLHztbW9FvYTKuZaLk7PjpW+UrJXtspCHGmGazCQBnZ8svtj/0tbAINYhcy1DyThpRhHtztyedwkBDAWBnZ6dSqbzZ+7THu0IraTJplDSZ0JnQ2Y+482jj1cgSRUTHdrhW9fa3SKaxErFKIyUiKaIsjVQaKf5s631HxP1+X2vNwjB0J9zd+OgnD044Ra4lI5ZBw7XqyeRQREciaqe9xoE/K/OFfIENnqBM1uZBqlWBOYxQjYZnqieTThru8zCU3AASIAjIXNellGLePkjCUPICy1mEDAShSg7SqCsTBtQ7WfY3vlarVUYpdUsuAs5PXV7dfpe3HEYtjSbNZJwJoRUi3rl4fSrvfufctm0ySA0RD0V84+WDL1EbCCDCYIDApeKZ+uKK6faDIPA8jw7jIORUbry2eH+5Mu8ARTSAkCPW3QvX6osrE+B8bjQ8zxu2aACDaIwxxuzzsLbbePj88a8k0Mb4vr/2ei3LMoOIiGRU0iGGVuDp6pNz5fNSiKnpac/zgAABMuzSXwIggIjdbrdUKjHGYGQaAAD+AJBJecXxnEvWAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ4OjE1KzAyOjAwpWiGMQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0ODoxNSswMjowMNQ1Po0AAAAASUVORK5CYII= + http://www.agropolis.fr + + Agropolis International + + + + + + + + + MIIDNzCCAh+gAwIBAgIUYY3sGXwChkj2CRy6QFDvkdj2zlAwDQYJKoZIhvcNAQEF +BQAwHjEcMBoGA1UEAxMTYWlzaGliLmFncm9wb2xpcy5mcjAeFw0xMzA1MTUxMzM3 +MTJaFw0zMzA1MTUxMzM3MTJaMB4xHDAaBgNVBAMTE2Fpc2hpYi5hZ3JvcG9saXMu +ZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxrDy6lrhIBjcxv16n +4UJ2cEMYPO4wSmfDwhO6feoSIEuIblYRHE2nQKirMokwD6seF4rbDHyxLXg/ColL +VLv+0CJteIOZjSCgSN90WzQRrC1Ex5sJfPu6yPEXvW8H1906gEg6ok8rlCIHRGfE +15pHK5eqxQS5f2n8c2t/Uk33/FBj79/hb3Cd7vE4mdlvReD3AFswC0lV4bPmj3Ka +KUuMj9xwipwnfWCu6p2/ZJF4M3ADU5grXHJ2Vqmd8DWm5raaObKjYwJddbRBByI8 +bJJLIwAQQmX4Dh4hf1QKlf2oqWPWVQxLQp0erL1U8IWmj1RG8TTH9xOJl6kkEhYq +Z2gfAgMBAAGjbTBrMEoGA1UdEQRDMEGCE2Fpc2hpYi5hZ3JvcG9saXMuZnKGKmh0 +dHBzOi8vYWlzaGliLmFncm9wb2xpcy5mci9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4E +FgQU9A7iQ8Qo+t2JCpKuOOV9YBoYs4MwDQYJKoZIhvcNAQEFBQADggEBAG0LOW6I +F+M8n2NpzyQjfVCJCA6QhWjbXrfemiPJFZGZZb2dVmHof4yCpCUYgHOBoZaXPOlB +nLYsUWvFZ6V2GELZpLHzHSSrYidieW07qQkh1DwcIYpvtZgLviOtT/tCEGsk925f +DUoGdeIqpqt54WZcW9+TbKicvjg3JT4BFOQ17bFNwPW+YjTbvsWYxen+e0mRp4vM +V0yMu2f3bccVhePASSZGL3yod3sJ1dPvlrJO9c35BekhtirolVjZqMQ0AYPVifua +yIU0dWXsZkAOcBL9kZFbJcYRUIxMgvp8U2Zdv1+ZlwOyXnnWDOOh9wjuT7FAyObU +ChvjHlgZHkvLwJI= + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + Agropolis International + Agropolis International + http://www.agropolis.fr + + + + + + + Jean Cerda + cerda@agropolis.fr + + + + + + Jean-Pierre Allano + allano@agropolis.fr + + + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + vetagro-sup.fr + + + + Vetagro Sup + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAB/klEQVQ4y2NkQAP///+X+/jxI/PO7dujP3/7kf7v778ffDzciw2MDFaqq6t/Y2RkfIysngndAEZGxkezZ8/25xEQqVDTs5eRVrNU4RQUL7x9+7YtumasBjAwMDBISIgbcvBKct998p7h1fvfDKyc4nz//jF6yjAwSBNlwM+fP3/9/PmT4dbl4wysrCwMf//9Z/r7959UcFISD1EGPH107xgfD9sbTg52hrcvHjDw87Aw/Pz+7tLEefNuEmWAm6ffxvu3Ll4zMjZleHz/KsO7lw+f3bh+czs2tVgNsLS0fPfs4b3VnKy//wrycW84e2L/uobmtg0MpIKurt6N////Z8jPzxcnWTMDAwPD79//tbq7+9bhU8OMTfD//8cMP79L1X/8tjxMQYHXT0Uh88aBgyuvEW3Aly+8ntw8jLU3bx20cnH/xPz2jTyvk9OGpTt3NhIOxP//GRgkJGR8tPVeyElIvWA4dfIqg57Bff0nD+eHExULIb5dqkYmYgYm5r8YPH3vMzx//omBk+edpI4+vxVRBnz5zPqbi4vt7a9fv//9+cvAYG79jIGZmZWBg4NJiCgDdh4sfHD/7u9j714Z/BYWiGBQVkxjePNK8+erV5+uYDOABTMM/nP09y9Z8+OHgNjli9ahf//++8vGwrlAS0tp/v///7kYGRm/IasHAIVTy8DG/VpJAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjUwOjA5KzAyOjAwfDtz7wAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo1MDowOSswMjowMA1my1MAAAAASUVORK5CYII= + http://www.vetagro-sup.fr + + Vetagro Sup + + + + + + + + + MIIDPDCCAiSgAwIBAgIVAL9PsuadPSIZcMHNxlK/oevezmzWMA0GCSqGSIb3DQEB +BQUAMB8xHTAbBgNVBAMTFGFtYnJlLnZldGFncm8tc3VwLmZyMB4XDTEyMTEwODEw +MTQwNFoXDTMyMTEwODEwMTQwNFowHzEdMBsGA1UEAxMUYW1icmUudmV0YWdyby1z +dXAuZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc/ptfpmkomwmT +4RsID+1Ce1dX0eUjcLgSOZN8hVpHWLag2ERWkpmvB5aK7BAFcI5i//Gk80tAiasu +JtlZhBnEw54aTJRGpyL2CVkHyl6SMRxprIi1Ji67IoGqEgUeGaheAxo+tG5e1WSc +bIbldcSKdwvjAV+7HSB4C6NqLsAzJH25++yaRH2uf2LTD0TDzNR9Q2hVj/VyYWR+ +K3HWI1Snjn/i7aFfZZhYmBkwHuQOaPhwCM+khikg5XicMsxUhHCMi93UgHGIsdkr +IEGj4xydBTUKsLaykeuFS8EgXbWwCLGkeX76w8xDoFIpnppU/yFd9v7Zg3EBfn4p +kTW3GdIjAgMBAAGjbzBtMEwGA1UdEQRFMEOCFGFtYnJlLnZldGFncm8tc3VwLmZy +hitodHRwczovL2FtYnJlLnZldGFncm8tc3VwLmZyL2lkcC9zaGliYm9sZXRoMB0G +A1UdDgQWBBTPTqWkVHrHXFjmxMWkNt/sp2h5ozANBgkqhkiG9w0BAQUFAAOCAQEA +FvXMtfBUmRZCzz8CjanGzr1TBUPmnkrKci5AtkseKw9YlfUmBXTHB01y697nYq6m +RB6KhvfW212h9CF0IOEEjoadgDhXqGYhq8PnAOtT4Ty3XDy8SbRh8aQWfvnfSngv +FdpHRiSpj5UXXuT5zTtkf59h58XKtEfCkMbUzvdOgUobJzpD0WISmQHPQnx+Neg6 +9j7oMRrDiZjS39Om8Imu9xvsnddDM3PlsDBIsvrr1o7K5iLkEdR1YYX0ZNDbiFuw +QXXl2dwQPB8KrScPUvCe57slU2gFQvvIBzjQysxC6V6TPSuM3A/ee56lACuB3jKj +oYkHQc5Gj/1rSMLmu9aLMg== + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + Vetagro Sup + Vetagro Sup + http://www.vetagro-sup.fr + + + + + + + Nicolas Aulas + nicolas.aulas@vetagro-sup.fr + + + + + + + + + + + https://services.renater.fr/federation/en/metadata_registration_practice_statement + + + + + insa-strasbourg.fr + + + + INSA Strasbourg + + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAq1BMVEXeAACEhoTWz87nQTn3oqXnIBjvgnvWlpT/5+fnEAjvZWOltrXnNDH3mpT/9/fnCAD/4+fvioz3x8bnVVL3qq3nKCnvkpTnHBjvcXP3sq3vgoT/7+/nFBDnODH3mpz////nDAj3z87vlpTveXv3vr3nAACMmpznRUL3pqXnJCHnFAj/+//nDADvjoz3y87vXVr3rq3nLCnvdXP3srXvhoT/8/fvODH3npz3lpQaie6kAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAAe0lEQVQY053OwQqCQBhF4VM22VSMMWrFGP2kkIpUQ1nz/m8Ws20TeFeHb3WRnzEBBjO8xRjZrURi0TFiy+UITjTpjIKaOndZuDSGxF0j9G1+e7CuLN1nE2F7VI28tAoqMMezP1ieFOOp7RPueBXKSqdnMq8Wg66nPP0LX4uIG4jEwJ0sAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ5OjA0KzAyOjAwIHfmJQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0OTowNCswMjowMFEqXpkAAAAASUVORK5CYII= + http://www.insa-strasbourg.fr + + INSA Strasbourg + + + + + + + + + MIIDUDCCAjigAwIBAgIVAIbX8U0uAqAhuXm1jWxiFpggtDTDMA0GCSqGSIb3DQEB +CwUAMCQxIjAgBgNVBAMMGXNvdWZyZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcNMTYw +OTI3MTIzNjIxWhcNMzYwOTI3MTIzNjIxWjAkMSIwIAYDVQQDDBlzb3VmcmUuaW5z +YS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +sEE02sLRPAG5N81DMHEeGpI2MYF8yG/RiwH07cFIlLqgV80ewOmi0FWPYijxMb8A +bmx0RwUMvJBVI6WMxtT9fykhID20k8rWOuYOzvaynzVqCktqVgKoEAxP1PFE9b0n +iGKFprjjNl9ZD90GOUsxbAO7yXG9Q4WBa/eThl6XkUvNkSaZp5hcdWrgcAdsae3q +iD/uxFa38NXNNeRLGyfxjd2K5qYSzbwBza9s9TOq1+pfw7sxu3/4BnfQ0RLGO6co +4tH4Mufh0ome4cyYk4pvW5DOd1AznxDb8HpqvE0zwEsa69c/FDX0akgFZydmc77a +j6USn6JKjjbO49yGtG1gVQIDAQABo3kwdzAdBgNVHQ4EFgQUjzMsxZYiokPYxper +9zadM8J0F0kwVgYDVR0RBE8wTYIZc291ZnJlLmluc2Etc3RyYXNib3VyZy5mcoYw +aHR0cHM6Ly9zb3VmcmUuaW5zYS1zdHJhc2JvdXJnLmZyL2lkcC9zaGliYm9sZXRo +MA0GCSqGSIb3DQEBCwUAA4IBAQBFJKsiS3yfWuDB/E+iqQ0TuQJzL5+JIcloN0dw +BFxW3VZOju15zeQ7LwRBg9S4SGLMPJU+LM1lvr68cK9brut/FjF51SETIXEeCWo3 +7+PIqgOCzraLNinmpU/OtN8ENalOPvpS6Jvbd23qB2t+IqOtZ+j15b0Yq4/on1E3 +W2F9CVzKpe4EwmmtCPQbe7U1wvhgFylEx797pex8veWs79YSYwqvcKMh79dzl8Fo +/CgsO5pDrfKmc6SGMkByq75dZj+PqhZDzZ9EFTxbrXOTaS08VRN6a5Rh2iYRnGxq +yZl66tPcaIm5PHgOEmu5X4lPkUoY+Jt36Gj3SGCbYt8qH5S0 + + + + + + + + + + + + + MIIDXDCCAkSgAwIBAgIVAKI+qiqDCk9wTTqn7OVAoZrvj/CpMA0GCSqGSIb3DQEB +BQUAMCcxJTAjBgNVBAMTHGFudGltb2luZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcN +MTQwMTEzMTAzOTU4WhcNMzQwMTEzMTAzOTU4WjAnMSUwIwYDVQQDExxhbnRpbW9p +bmUuaW5zYS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAtuM8lRjlVjjmrHq9VtguaOMQL+Wd99BiOs56kL3Mbctg1FwH69LYThCW +6dOz6WJg/jU/naF7jEikXKc71xGyu7Ph7Iqa9S5hoXXAT8u/0q2nZDeTOraJqKe1 +FMF2RzXhEEMyQO3CiKNK9b+tbKoNZS7FQCixMZklWZPt4EcEKd6jyRq1WYX3dpnb +r9I/aCdhtK/PGvGe5gKTDoTR2HKyWKJTc/obf8x/vlYIEwiaGgdlqI2KiBE0x48n +zQdP6XVi3T8ZWbnkLmCfgJtP2C8PtEJuwDRAy0Z9N4DSwvxn5YCVYgBLSi0TLa10 +B/lUqqBezZrTrA9p9Lt8JtGXW5YGHwIDAQABo38wfTBcBgNVHREEVTBTghxhbnRp +bW9pbmUuaW5zYS1zdHJhc2JvdXJnLmZyhjNodHRwczovL2FudGltb2luZS5pbnNh +LXN0cmFzYm91cmcuZnIvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFLFkjPZUc9JY +qrWjldJ/iGGkKAt4MA0GCSqGSIb3DQEBBQUAA4IBAQBSk/wU1mRn4VF2ifmy261K +DK7uX+t1H1hh8S38fKSFU7HoNXJTV3vQnmBOpYIGC1gtvmb+qjqpNtikU2zO84Gq +Q0bXHxYF2d9RUP89mKaFxE5uNcXFmlOA3ChZY3pMT5zwAPI/T60tGrex7zci7OLn +JDAQj/q4Yk9ejx6JTFggQSCCVh+oV/SDIMd2p5AY6H3mto3b6XCk7Lssa8a/D30k +pEkZnhTKdN82eRyynuOR7UDU4tasV4d7Mi/j53f5ihnRcsvwh/pYodjoVYY8cEcZ +JLnAXYF8coSwh8UN4D/0NHsvTuSOFQc85hGrqacMsvxiQiw9mv01AX5+A5YLEbVQ + + + + + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + + + + + INSA Strasbourg + INSA Strasbourg + http://www.insa-strasbourg.fr + + + + + + + Lahsen BOUZID + lahsen.bouzid@insa-strasbourg.fr + + + + + + Simon SCHERRER + simon.scherrer@insa-strasbourg.fr + + + + + + + + + + + + +MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 +dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 +MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF +UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq +h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m +6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u +uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH +ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi ++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA +AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G +A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB +AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ +BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa +pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew +fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP +NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR +LlTxKnCrWAXftSm1rNtewTsF + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:kerberos + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + + + Entr'ouvert + + + + diff --git a/tests/test_federation_utils.py b/tests/test_federation_utils.py new file mode 100644 index 0000000..f939c70 --- /dev/null +++ b/tests/test_federation_utils.py @@ -0,0 +1,35 @@ +import os +import time + +from django.core.files.storage import default_storage +from django.utils.text import slugify +from httmock import HTTMock + +from mellon.federation_utils import get_federation_from_url, truncate_unique +from utils import sample_federation_response + + +def test_mock_fedmd_caching(): + url = u'https://dummy.mdserver/metadata.xml' + filepath = default_storage.path(os.path.join('metadata-cache/', truncate_unique(slugify(url)))) + + with HTTMock(sample_federation_response): + tmp = get_federation_from_url(url) + + assert default_storage.path(tmp) == filepath + + st = os.stat(filepath) + + assert os.path.isfile(filepath) + assert st.st_mtime < time.time() + 3600 + + with HTTMock(sample_federation_response): + get_federation_from_url(url) + stnew = os.stat(filepath) + + assert stnew.st_ctime == st.st_ctime + assert stnew.st_mtime == st.st_mtime + + storig = os.stat(os.path.join('tests', 'federation-sample.xml')) + + assert storig.st_size == st.st_size diff --git a/tests/test_sso_slo.py b/tests/test_sso_slo.py index b85e7c4..958e8be 100644 --- a/tests/test_sso_slo.py +++ b/tests/test_sso_slo.py @@ -9,7 +9,8 @@ from django.core.urlresolvers import reverse from django.utils import six from django.utils.six.moves.urllib import parse as urlparse -from mellon.utils import create_metadata +from mellon.utils import create_metadata, create_server +from django.utils.http import urlencode from httmock import all_requests, HTTMock, response as mock_response @@ -21,6 +22,11 @@ def idp_metadata(): return open('tests/metadata.xml').read() +@fixture +def federation_metadata(): + return './tests/federation-sample.xml' + + @fixture def idp_private_key(): return open('tests/idp-private-key.pem').read() @@ -48,12 +54,30 @@ def sp_settings(private_settings, idp_metadata, sp_private_key, public_key): return private_settings +@fixture +def federated_sp_settings(private_settings, federation_metadata, sp_private_key, public_key): + private_settings.MELLON_FEDERATIONS = [{ + 'FEDERATION': federation_metadata, + }] + private_settings.MELLON_PUBLIC_KEYS = [public_key] + private_settings.MELLON_PRIVATE_KEYS = [sp_private_key] + private_settings.MELLON_NAME_ID_POLICY_FORMAT = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT + private_settings.LOGIN_REDIRECT_URL = '/' + return private_settings + + @fixture def sp_metadata(sp_settings, rf): request = rf.get('/') return create_metadata(request) +@fixture +def federated_sp_metadata(federated_sp_settings, rf): + request = rf.get('/') + return create_metadata(request) + + class MockIdp(object): def __init__(self, idp_metadata, private_key, sp_metadata): self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key) @@ -120,6 +144,11 @@ def idp(sp_settings, idp_metadata, idp_private_key, sp_metadata): return MockIdp(idp_metadata, idp_private_key, sp_metadata) +@fixture +def federated_idp(federated_sp_settings, idp_metadata, idp_private_key, federated_sp_metadata): + return MockIdp(idp_metadata, idp_private_key, federated_sp_metadata) + + def test_sso_slo(db, app, idp, caplog, sp_settings): response = app.get(reverse('mellon_login') + '?next=/whatever/') url, body, relay_state = idp.process_authn_request_redirect(response['Location']) @@ -210,3 +239,60 @@ def test_sso_slo_pass_next_url(db, app, idp, caplog, sp_settings): assert 'created new user' in caplog.text assert 'logged in using SAML' in caplog.text assert response['Location'].endswith('/whatever/') + + +def test_login_federation(db, app, federated_idp, caplog, federated_sp_settings): + qs = urlencode({ + 'entityID': 'http://idp5/metadata', + }) + response = app.get('/login/?' + qs) + url, body, _ = federated_idp.process_authn_request_redirect(response['Location']) + assert url.endswith(reverse('mellon_login')) + response = app.post(reverse('mellon_login'), params={'SAMLResponse': body}) + assert 'created new user' in caplog.text + assert 'logged in using SAML' in caplog.text + assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL) + + +def test_sso_artifact_federation(db, app, caplog, federated_sp_settings, idp_metadata, idp_private_key, rf): + qs = urlencode({ + 'entityID': 'http://idp5/metadata', + }) + federated_sp_settings.MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING = 'artifact' + request = rf.get('/') + federated_sp_metadata = create_metadata(request) + idp = MockIdp(idp_metadata, idp_private_key, federated_sp_metadata) + response = app.get('/login/?' + qs) + url, body, _ = idp.process_authn_request_redirect(response['Location']) + assert body is None + assert reverse('mellon_login') in url + assert 'SAMLart' in url + acs_artifact_url = url.split('testserver', 1)[1] + with HTTMock(idp.mock_artifact_resolver()): + response = app.get(acs_artifact_url) + assert 'created new user' in caplog.text + assert 'logged in using SAML' in caplog.text + assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL) + # force delog + app.session.flush() + assert 'dead artifact' not in caplog.text + with HTTMock(idp.mock_artifact_resolver()): + response = app.get(acs_artifact_url) + # verify retry login was asked + assert 'dead artifact' in caplog.text + assert response.status_code == 302 + assert reverse('mellon_login') in url + response = response.follow() + url, body, _ = idp.process_authn_request_redirect(response['Location']) + reset_caplog(caplog) + # verify caplog has been cleaned + assert 'created new user' not in caplog.text + assert body is None + assert reverse('mellon_login') in url + assert 'SAMLart' in url + acs_artifact_url = url.split('testserver', 1)[1] + with HTTMock(idp.mock_artifact_resolver()): + response = app.get(acs_artifact_url) + assert 'created new user' in caplog.text + assert 'logged in using SAML' in caplog.text + assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL) diff --git a/tests/test_utils.py b/tests/test_utils.py index f984b86..98cf9f0 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -1,19 +1,23 @@ -import re import datetime +import logging +import os +import re import mock import lasso import requests.exceptions from httmock import HTTMock -from mellon.utils import create_server, create_metadata, iso8601_to_datetime, flatten_datetime +from mellon.utils import create_server, create_metadata, iso8601_to_datetime, \ + flatten_datetime, get_idp, recreate_server import mellon.utils from xml_utils import assert_xml_constraints -from utils import error_500, metadata_response +from utils import error_500, metadata_response, sample_federation_response, \ + html_response, dummy_md_response -def test_create_server_connection_error(mocker, rf, private_settings, caplog): +def test_create_server_connection_error_lazy(mocker, rf, private_settings, caplog): mocker.patch('requests.get', side_effect=requests.exceptions.ConnectionError('connection error')) private_settings.MELLON_IDENTITY_PROVIDERS = [ @@ -23,23 +27,80 @@ def test_create_server_connection_error(mocker, rf, private_settings, caplog): ] request = rf.get('/') create_server(request) - assert 'connection error' in caplog.text + assert 'failed with error' not in caplog.text + recreate_server(request, 'whatever') + assert 'failed with error' in caplog.text -def test_create_server_internal_server_error(mocker, rf, private_settings, caplog): +def test_create_server_internal_server_error_lazy(mocker, rf, private_settings, caplog): private_settings.MELLON_IDENTITY_PROVIDERS = [ { 'METADATA_URL': 'http://example.com/metadata', } ] request = rf.get('/') - assert not 'failed with error' in caplog.text + assert 'failed with error' not in caplog.text with HTTMock(error_500): create_server(request) + assert 'failed with error' not in caplog.text + with HTTMock(error_500): + recreate_server(request, 'whatever') assert 'failed with error' in caplog.text -def test_create_server_invalid_metadata(mocker, rf, private_settings, caplog): +def test_load_federation_file_lazy(mocker, rf, private_settings, caplog, tmpdir): + private_settings.MELLON_FEDERATIONS = [ + {'FEDERATION': 'tests/federation-sample.xml'}, + ] + request = rf.get('/') + assert 'failed with error' not in caplog.text + with HTTMock(html_response): + server = create_server(request) + assert len(server.providers) == 0 + with HTTMock(html_response): + server = recreate_server(request, "https://aishib.agropolis.fr/idp/shibboleth") + assert len(server.providers) == 1 + + +def test_load_federation_url_lazy(mocker, rf, private_settings, caplog, tmpdir): + private_settings.MELLON_FEDERATIONS = [ + {'FEDERATION': 'https://dummy.server/metadata.xml'}, + ] + request = rf.get('/') + assert 'failed with error' not in caplog.text + with HTTMock(dummy_md_response): + server = create_server(request) + assert len(server.providers) == 0 + with HTTMock(dummy_md_response): + server = recreate_server(request, "https://ambre.vetagro-sup.fr/idp/shibboleth") + assert len(server.providers) == 1 + + +def test_federation_parameters_lazy(mocker, rf, private_settings, caplog, tmpdir): + private_settings.MELLON_FEDERATIONS = [{ + 'FEDERATION': 'tests/federation-sample.xml', + 'VERIFY_SSL_CERTIFICATE': False, + 'ERROR_REDIRECT_AFTER_TIMEOUT': 150, + 'PROVISION': True + }] + request = rf.get('/') + assert 'failed with error' not in caplog.text + with HTTMock(html_response): + server = create_server(request) + assert len(server.providers) == 0 + with HTTMock(dummy_md_response): + server = recreate_server(request, "https://ambre.vetagro-sup.fr/idp/shibboleth") + assert len(server.providers) == 1 + for entity_id in server.providers.keys(): + idp = get_idp(entity_id) + assert idp + assert idp['VERIFY_SSL_CERTIFICATE'] is False + assert idp['ERROR_REDIRECT_AFTER_TIMEOUT'] == 150 + assert idp['PROVISION'] is True + + +def test_create_server_invalid_metadata_lazy(mocker, rf, private_settings, caplog): + caplog.set_level(logging.DEBUG) private_settings.MELLON_IDENTITY_PROVIDERS = [ { 'METADATA': 'xxx', @@ -49,8 +110,14 @@ def test_create_server_invalid_metadata(mocker, rf, private_settings, caplog): assert not 'failed with error' in caplog.text with HTTMock(error_500): create_server(request) - assert len(caplog.records) == 1 - assert re.search('METADATA.*is invalid', caplog.text) + assert len(caplog.records) == 0 + assert not re.search('METADATA.*is invalid|bad metadata in idp', caplog.text) + + # Server recreated for one single provider: + with HTTMock(error_500): + recreate_server(request, "whatever") + assert len(caplog.records) == 3 + assert re.search('METADATA.*is invalid|bad metadata in idp', caplog.text) def test_create_server_invalid_metadata_file(mocker, rf, private_settings, caplog): @@ -67,22 +134,23 @@ def test_create_server_invalid_metadata_file(mocker, rf, private_settings, caplo assert len(server.providers) == 0 -def test_create_server_good_metadata_file(mocker, rf, private_settings, caplog): +def test_create_server_good_metadata_file_lazy(mocker, rf, private_settings, caplog): private_settings.MELLON_IDENTITY_PROVIDERS = [ { - 'METADATA': '/xxx', + 'METADATA': './tests/metadata.xml', } ] request = rf.get('/') - with mock.patch( - 'mellon.adapters.open', mock.mock_open(read_data=open('tests/metadata.xml').read()), - create=True): + with HTTMock(html_response): server = create_server(request) assert 'ERROR' not in caplog.text + assert len(server.providers) == 0 + with HTTMock(html_response): + server = recreate_server(request, "http://idp5/metadata") assert len(server.providers) == 1 -def test_create_server_good_metadata(mocker, rf, private_settings, caplog): +def test_create_server_good_metadata_lazy(mocker, rf, private_settings, caplog): private_settings.MELLON_IDENTITY_PROVIDERS = [ { 'METADATA': open('tests/metadata.xml').read(), @@ -92,10 +160,12 @@ def test_create_server_good_metadata(mocker, rf, private_settings, caplog): assert not 'failed with error' in caplog.text server = create_server(request) assert 'ERROR' not in caplog.text + assert len(server.providers) == 0 + server = recreate_server(request, "http://idp5/metadata") assert len(server.providers) == 1 -def test_create_server_invalid_idp_dict(mocker, rf, private_settings, caplog): +def test_create_server_invalid_idp_dict_lazy(mocker, rf, private_settings, caplog): private_settings.MELLON_IDENTITY_PROVIDERS = [ { } @@ -103,10 +173,12 @@ def test_create_server_invalid_idp_dict(mocker, rf, private_settings, caplog): request = rf.get('/') assert not 'failed with error' in caplog.text create_server(request) + assert 'missing METADATA' not in caplog.text + recreate_server(request, "whatever") assert 'missing METADATA' in caplog.text -def test_create_server_good_metadata_url(mocker, rf, private_settings, caplog): +def test_create_server_good_metadata_url_lazy(mocker, rf, private_settings, caplog): private_settings.MELLON_IDENTITY_PROVIDERS = [ { 'METADATA_URL': 'http://example.com/metadata', @@ -118,6 +190,10 @@ def test_create_server_good_metadata_url(mocker, rf, private_settings, caplog): with HTTMock(metadata_response): server = create_server(request) assert 'ERROR' not in caplog.text + assert len(server.providers) == 0 + + with HTTMock(dummy_md_response): + server = recreate_server(request, "http://idp5/metadata") assert len(server.providers) == 1 diff --git a/tests/utils.py b/tests/utils.py index 388e6c0..ba0ee4c 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -13,7 +13,17 @@ def html_response(url, request): @all_requests def metadata_response(url, request): - return response(200, content=open('tests/metadata.xml').read()) + return response(200, content=open('tests/metadata.xml', 'r').read()) + + +@all_requests +def dummy_md_response(url, request): + return response(200, content=open('tests/dummy_md.xml', 'r').read()) + + +@all_requests +def sample_federation_response(url, request): + return response(200, content=open('tests/federation-sample.xml', 'r').read()) def reset_caplog(cap): -- 2.18.0