From: Rob Crittenden Date: Thu, 9 Apr 2015 19:11:39 +0000 (-0400) Subject: Add test for per-SP allowed and mapping attributes X-Git-Tag: v0.6.0~4 X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=1055b7bc810139d1e6ee3c225bcfba7b88e7aeab Add test for per-SP allowed and mapping attributes This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden Reviewed-by: Simo Sorce --- diff --git a/Makefile b/Makefile index 49a17d1..dce214a 100644 --- a/Makefile +++ b/Makefile @@ -92,6 +92,7 @@ tests: wrappers PYTHONPATH=./ ./tests/tests.py --test=testlogout PYTHONPATH=./ ./tests/tests.py --test=testnameid PYTHONPATH=./ ./tests/tests.py --test=testrest + PYTHONPATH=./ ./tests/tests.py --test=testmapping PYTHONPATH=./ ./tests/tests.py --test=attrs PYTHONPATH=./ ./tests/tests.py --test=trans PYTHONPATH=./ ./tests/tests.py --test=pgdb diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index 12af16b..bdcb9b8 100644 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -226,6 +226,8 @@ class AuthenticateRequest(ProviderPageBase): allowed_attributes = provider.allowed_attributes else: allowed_attributes = self.cfg.default_allowed_attributes + self.debug("Allowed attrs: %s" % allowed_attributes) + self.debug("Mapping: %s" % attribute_mappings) policy = Policy(attribute_mappings, allowed_attributes) userattrs = us.get_user_attrs() mappedattrs, _ = policy.map_attributes(userattrs) diff --git a/tests/helpers/http.py b/tests/helpers/http.py index d8c56b3..dc7fbd5 100755 --- a/tests/helpers/http.py +++ b/tests/helpers/http.py @@ -282,6 +282,51 @@ class HttpSessions(object): if r.status_code != 200: raise ValueError('Failed to post SP data [%s]' % repr(r)) + # pylint: disable=dangerous-default-value + def set_attributes_and_mapping(self, idp, mapping=[], attrs=[], + spname=None): + """ + Set allowed attributes and mapping in the IDP or the SP. In the + case of the SP both allowed attributes and the mapping need to + be provided. An empty option for either means delete all values. + + mapping is a list of list of rules of the form: + [['from-1', 'to-1'], ['from-2', 'from-2']] + + ex. [['*', '*'], ['fullname', 'namefull']] + + attrs is the list of attributes that will be allowed: + ['fullname', 'givenname', 'surname'] + """ + idpsrv = self.servers[idp] + idpuri = idpsrv['baseuri'] + if spname: # per-SP setting + url = '%s/%s/admin/providers/saml2/admin/sp/%s' % ( + idpuri, idp, spname) + mapname = 'Attribute Mapping' + attrname = 'Allowed Attributes' + else: # global default + url = '%s/%s/admin/providers/saml2' % (idpuri, idp) + mapname = 'default attribute mapping' + attrname = 'default allowed attributes' + + headers = {'referer': url} + headers['content-type'] = 'application/x-www-form-urlencoded' + payload = {'submit': 'Submit'} + count = 0 + for m in mapping: + payload['%s %s-from' % (mapname, count)] = m[0] + payload['%s %s-to' % (mapname, count)] = m[1] + count += 1 + count = 0 + for attr in attrs: + payload['%s %s-name' % (attrname, count)] = attr + count += 1 + r = idpsrv['session'].post(url, headers=headers, + data=payload) + if r.status_code != 200: + raise ValueError('Failed to post IDP data [%s]' % repr(r)) + def fetch_rest_page(self, idpname, uri): """ idpname - the name of the IDP to fetch the page from diff --git a/tests/testmapping.py b/tests/testmapping.py new file mode 100755 index 0000000..1bc69ec --- /dev/null +++ b/tests/testmapping.py @@ -0,0 +1,360 @@ +#!/usr/bin/python +# Copyright (C) 2015 Ipsilon Project Contributors + +from helpers.common import IpsilonTestBase # pylint: disable=relative-import +from helpers.http import HttpSessions # pylint: disable=relative-import +import os +import sys +import pwd +from string import Template + +# Test Attribute Mapping and Allowed Attributes and their per-SP +# overrides. + + +idp_g = {'TEMPLATES': '${TESTDIR}/templates/install', + 'CONFDIR': '${TESTDIR}/etc', + 'DATADIR': '${TESTDIR}/lib', + 'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d', + 'STATICDIR': '${ROOTDIR}', + 'BINDIR': '${ROOTDIR}/ipsilon', + 'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'} + + +idp_a = {'hostname': '${ADDRESS}:${PORT}', + 'admin_user': '${TEST_USER}', + 'system_user': '${TEST_USER}', + 'instance': '${NAME}', + 'secure': 'no', + 'testauth': 'yes', + 'pam': 'no', + 'krb': 'no', + 'ipa': 'no', + 'server_debugging': 'True'} + + +sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d', + 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf', + 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf', + 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'} + + +sp_a = {'hostname': '${ADDRESS}:${PORT}', + 'saml_idp_metadata': 'http://127.0.0.10:45080/idp1/saml2/metadata', + 'saml_secure_setup': 'False', + 'saml_auth': '/sp', + 'saml_nameid': '${NAMEID}', + 'httpd_user': '${TEST_USER}'} + +sp_list = [ + {'name': 'sp1', 'addr': '127.0.0.11', 'port': '45081'}, +] + + +def convert_to_dict(envlist): + values = {} + for pair in envlist.split('\n'): + if pair.find('=') > 0: + (key, value) = pair.split('=', 1) + if key.startswith('MELLON_') and not key.endswith('_0'): + values[key] = value + return values + + +def check_info_plugin(s, idp_name, urlbase, expected): + """ + Logout, login, fetch SP page to get the info variables and + compare the MELLON_ ones to what we expect. IDP and NAMEID are + ignored. The authtest plugin returns no groups. + """ + + # Log out + page = s.fetch_page(idp_name, '%s/%s?%s' % ( + urlbase, 'saml2/logout', + 'ReturnTo=%s/open/logged_out.html' % urlbase)) + page.expected_value('text()', 'Logged out') + + # Fetch the page (with implicit login) + page = s.fetch_page(idp_name, '%s/sp/' % spurl) + + # Confirm that the expected values are in the output and that there + # are no unexpected MELLON_ vars, and drop the _0 version. + data = convert_to_dict(page.text) + + data.pop('MELLON_IDP') + data.pop('MELLON_NAME_ID') + + for key in expected.keys(): + item = data.pop('MELLON_' + key) + if item != expected[key]: + raise ValueError('Expected %s, got %s' % (expected[key], item)) + + if len(data) > 0: + raise ValueError('Unexpected values %s' % data) + + +def fixup_sp_httpd(httpdir): + location = """ + +AddOutputFilter INCLUDES .html + +Alias /sp ${HTTPDIR}/sp + + + Require all granted + Options +Includes + + +Alias /open ${HTTPDIR}/open + + + + +""" + index = """ + +""" + logged_out = """Logged out""" + + t = Template(location) + text = t.substitute({'HTTPDIR': httpdir}) + with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f: + f.write(text) + + os.mkdir(httpdir + '/sp') + with open(httpdir + '/sp/index.html', 'w') as f: + f.write(index) + os.mkdir(httpdir + '/open') + with open(httpdir + '/open/logged_out.html', 'w') as f: + f.write(logged_out) + + +class IpsilonTest(IpsilonTestBase): + + def __init__(self): + super(IpsilonTest, self).__init__('testmapping', __file__) + + def setup_servers(self, env=None): + print "Installing IDP server" + name = 'idp1' + addr = '127.0.0.10' + port = '45080' + idp = self.generate_profile(idp_g, idp_a, name, addr, port) + conf = self.setup_idp_server(idp, name, addr, port, env) + + print "Starting IDP's httpd server" + self.start_http_server(conf, env) + + for spdata in sp_list: + addr = spdata['addr'] + port = spdata['port'] + name = spdata['name'] + + print "Installing SP server %s" % name + sp_prof = self.generate_profile(sp_g, sp_a, name, addr, str(port)) + conf = self.setup_sp_server(sp_prof, name, addr, str(port), env) + fixup_sp_httpd(os.path.dirname(conf)) + + print "Starting SP's httpd server" + self.start_http_server(conf, env) + + +if __name__ == '__main__': + + idpname = 'idp1' + user = pwd.getpwuid(os.getuid())[0] + sp = sp_list[0] + spurl = 'http://%s:%s' % (sp['addr'], sp['port']) + + # Set global mapping and allowed attributes, then test fetch from + # SP. + sess = HttpSessions() + sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon') + sess.add_server(sp['name'], spurl) + + print "testmapping: Authenticate to IDP ...", + try: + sess.auth_to_idp(idpname) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + print "testmapping: Add SP Metadata to IDP ...", + try: + sess.add_sp_metadata(idpname, sp['name']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + try: + print "testmapping: Test default mapping and attrs ...", + expect = { + 'fullname': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + 'email': '%s@example.com' % user, + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + print "testmapping: Set default global mapping ...", + try: + sess.set_attributes_and_mapping(idpname, + [['*', '*'], + ['fullname', 'namefull']]) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test global mapping ...", + expect = { + 'fullname': 'Test User %s' % user, + 'namefull': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + 'email': '%s@example.com' % user, + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + print "testmapping: Set default allowed attributes ...", + try: + sess.set_attributes_and_mapping(idpname, [], + ['namefull', 'givenname', 'surname']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test global allowed attributes ...", + expect = { + 'namefull': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + print "testmapping: Set SP allowed attributes ...", + try: + sess.set_attributes_and_mapping(idpname, [['*', '*']], + ['wholename', 'givenname', 'surname', + 'email', 'fullname'], sp['name']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test SP allowed atributes ...", + expect = { + 'fullname': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + 'email': '%s@example.com' % user, + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + print "testmapping: Set SP attribute mapping ...", + try: + sess.set_attributes_and_mapping(idpname, + [['*', '*'], + ['fullname', 'wholename']], + ['wholename', 'givenname', + 'surname', + 'email', 'fullname'], + sp['name']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test SP attribute mapping ...", + expect = { + 'wholename': 'Test User %s' % user, + 'fullname': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + 'email': '%s@example.com' % user, + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + print "testmapping: Drop SP attribute mapping ...", + try: + sess.set_attributes_and_mapping(idpname, [], + ['givenname', 'surname', 'email', + 'fullname'], sp['name']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test SP attr mapping with default allowed...", + expect = { + 'fullname': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + 'email': '%s@example.com' % user, + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + print "testmapping: Drop SP allowed attributes ...", + try: + sess.set_attributes_and_mapping(idpname, [], [], sp['name']) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS" + + try: + print "testmapping: Test mapping, should be back to global...", + expect = { + 'namefull': 'Test User %s' % user, + 'surname': user, + 'givenname': 'Test User', + } + check_info_plugin(sess, idpname, spurl, expect) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + else: + print " SUCCESS"