2 # Copyright (C) 2015 Ipsilon Project Contributors
4 from helpers.common import IpsilonTestBase # pylint: disable=relative-import
5 from helpers.http import HttpSessions # pylint: disable=relative-import
6 from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
11 from string import Template
14 idp_g = {'TEMPLATES': '${TESTDIR}/templates/install',
15 'CONFDIR': '${TESTDIR}/etc',
16 'DATADIR': '${TESTDIR}/lib',
17 'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
18 'STATICDIR': '${ROOTDIR}',
19 'BINDIR': '${ROOTDIR}/ipsilon',
20 'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'}
23 idp_a = {'hostname': '${ADDRESS}:${PORT}',
24 'admin_user': '${TEST_USER}',
25 'system_user': '${TEST_USER}',
26 'instance': '${NAME}',
32 'server_debugging': 'True'}
35 sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
36 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
37 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
38 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
41 sp_a = {'hostname': '${ADDRESS}:${PORT}',
42 'saml_idp_metadata': 'http://127.0.0.10:45080/idp1/saml2/metadata',
43 'saml_secure_setup': 'False',
45 'saml_nameid': '${NAMEID}',
46 'httpd_user': '${TEST_USER}'}
49 def generate_sp_list():
53 for nameid in SAML2_NAMEID_MAP.keys():
55 spdata = {'nameid': nameid, 'addr': '127.0.0.11', 'port': str(spport)}
62 def get_sp_by_nameid(splist, nameid):
64 if server['nameid'] == nameid:
70 def convert_to_dict(envlist):
72 for pair in envlist.split('\n'):
73 if pair.find('=') > 0:
74 (key, value) = pair.split('=', 1)
79 def fixup_sp_httpd(httpdir):
82 AddOutputFilter INCLUDES .html
84 Alias /sp ${HTTPDIR}/sp
86 <Directory ${HTTPDIR}/sp>
91 index = """<!--#echo var="REMOTE_USER" -->"""
93 t = Template(location)
94 text = t.substitute({'HTTPDIR': httpdir})
95 with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f:
98 os.mkdir(httpdir + '/sp')
99 with open(httpdir + '/sp/index.html', 'w') as f:
103 class IpsilonTest(IpsilonTestBase):
106 super(IpsilonTest, self).__init__('testnameid', __file__)
108 def setup_servers(self, env=None):
109 print "Installing IDP server"
113 idp = self.generate_profile(idp_g, idp_a, name, addr, port)
114 conf = self.setup_idp_server(idp, name, addr, port, env)
116 print "Starting IDP's httpd server"
117 self.start_http_server(conf, env)
119 for spdata in generate_sp_list():
120 nameid = spdata['nameid']
121 addr = spdata['addr']
122 port = spdata['port']
123 print "Installing SP server %s" % nameid
124 sp_prof = self.generate_profile(
125 sp_g, sp_a, nameid, addr, str(port), nameid
127 conf = self.setup_sp_server(sp_prof, nameid, addr, str(port), env)
128 fixup_sp_httpd(os.path.dirname(conf))
130 print "Starting SP's httpd server"
131 self.start_http_server(conf, env)
134 if __name__ == '__main__':
137 user = pwd.getpwuid(os.getuid())[0]
140 'x509': False, # not supported
143 'windows': False, # not supported
144 'encrypted': False, # not supported
145 'kerberos': False, # no auth with kerberos, no princ
148 'entity': False, # not supported
152 'x509': None, # not supported
153 'transient': '_[0-9a-f]{32}',
154 'persistent': '_[0-9a-f]{128}',
155 'windows': None, # not supported
156 'encrypted': None, # not supported
157 'kerberos': False, # no auth with kerberos, no princ
158 'email': '%s@.*' % user,
160 'entity': False, # not supported
163 sp_list = generate_sp_list()
165 spname = sp['nameid']
166 spurl = 'http://%s:%s' % (sp['addr'], sp['port'])
167 sess = HttpSessions()
168 sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
169 sess.add_server(spname, spurl)
172 print "testnameid: Testing NameID format %s ..." % spname
174 print "testnameid: Authenticate to IDP ...",
176 sess.auth_to_idp(idpname)
177 except Exception, e: # pylint: disable=broad-except
178 print >> sys.stderr, " ERROR: %s" % repr(e)
182 print "testnameid: Add SP Metadata to IDP ...",
184 sess.add_sp_metadata(idpname, spname)
185 except Exception, e: # pylint: disable=broad-except
186 print >> sys.stderr, " ERROR: %s" % repr(e)
190 print "testnameid: Set supported Name ID formats ...",
192 sess.set_sp_default_nameids(idpname, spname, [spname])
193 except Exception, e: # pylint: disable=broad-except
194 print >> sys.stderr, " ERROR: %s" % repr(e)
198 print "testnameid: Access SP Protected Area ...",
200 page = sess.fetch_page(idpname, '%s/sp/' % spurl)
201 if not re.match(expected_re[spname], page.text):
203 'id %s did not match expression %s' %
204 (id, expected_re[spname])
206 except ValueError, e:
208 print >> sys.stderr, " ERROR: %s" % repr(e)
210 print " OK, EXPECTED TO FAIL"
214 print "testnameid: Try authentication failure ...",
215 newsess = HttpSessions()
216 newsess.add_server(idpname, 'http://127.0.0.10:45080', user, 'wrong')
218 newsess.auth_to_idp(idpname)
219 print >> sys.stderr, " ERROR: Authentication should have failed"
221 except Exception, e: # pylint: disable=broad-except
224 # Ensure that transient names change with each authentication
225 sp = get_sp_by_nameid(sp_list, 'transient')
226 spname = sp['nameid']
227 spurl = 'http://%s:%s' % (sp['addr'], sp['port'])
230 print "testnameid: Testing NameID format %s ..." % spname
234 sess = HttpSessions()
235 sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
236 sess.add_server(spname, spurl)
237 print "testnameid: Authenticate to IDP ...",
239 sess.auth_to_idp(idpname)
240 except Exception, e: # pylint: disable=broad-except
241 print >> sys.stderr, " ERROR: %s" % repr(e)
246 print "testnameid: Access SP ...",
248 page = sess.fetch_page(idpname, '%s/sp/' % spurl)
250 except ValueError, e:
251 print >> sys.stderr, " ERROR: %s" % repr(e)
256 print "testnameid: Access SP again ...",
258 page = sess.fetch_page(idpname, '%s/sp/' % spurl)
260 except ValueError, e:
261 print >> sys.stderr, " ERROR: %s" % repr(e)
266 print "testnameid: Ensure ID is consistent between requests ...",
268 print >> sys.stderr, " ERROR: New ID between reqeusts"
274 print "testnameid: Ensure uniqueness across sessions ...",
275 if len(ids) != len(set(ids)):
276 print >> sys.stderr, " ERROR: IDs are not unique between sessions"
281 # Ensure that persistent names remain the same with each authentication
282 sp = get_sp_by_nameid(sp_list, 'persistent')
283 spname = sp['nameid']
284 spurl = 'http://%s:%s' % (sp['addr'], sp['port'])
287 print "testnameid: Testing NameID format %s ..." % spname
291 sess = HttpSessions()
292 sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
293 sess.add_server(spname, spurl)
294 print "testnameid: Authenticate to IDP ...",
296 sess.auth_to_idp(idpname)
297 except Exception, e: # pylint: disable=broad-except
298 print >> sys.stderr, " ERROR: %s" % repr(e)
303 print "testnameid: Access SP ...",
305 page = sess.fetch_page(idpname, '%s/sp/' % spurl)
307 except ValueError, e:
308 print >> sys.stderr, " ERROR: %s" % repr(e)
313 print "testnameid: Access SP again ...",
315 page = sess.fetch_page(idpname, '%s/sp/' % spurl)
317 except ValueError, e:
318 print >> sys.stderr, " ERROR: %s" % repr(e)
323 print "testnameid: Ensure ID is consistent between requests ...",
325 print >> sys.stderr, " ERROR: New ID between reqeusts"
331 print "testnameid: Ensure same ID across sessions ...",
332 if len(set(ids)) != 1:
333 print >> sys.stderr, " ERROR: IDs are not the same between sessions"