summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2015-04-09 15:11:39 -0400
committerSimo Sorce <simo@redhat.com>2015-04-10 10:41:22 -0400
commit1055b7bc810139d1e6ee3c225bcfba7b88e7aeab (patch)
treefd846f8573ad95807d8ff0874ffe57c47012a12c
parentcd0a566562d0279d13c3df08366bc38acf53011a (diff)
downloadipsilon-1055b7bc810139d1e6ee3c225bcfba7b88e7aeab.zip
ipsilon-1055b7bc810139d1e6ee3c225bcfba7b88e7aeab.tar.gz
ipsilon-1055b7bc810139d1e6ee3c225bcfba7b88e7aeab.tar.xz
Add test for per-SP allowed and mapping attributes
This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
-rw-r--r--Makefile1
-rw-r--r--ipsilon/providers/saml2/auth.py2
-rwxr-xr-xtests/helpers/http.py45
-rwxr-xr-xtests/testmapping.py360
4 files changed, 408 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 49a17d1..dce214a 100644
--- a/Makefile
+++ b/Makefile
@@ -92,6 +92,7 @@ tests: wrappers
PYTHONPATH=./ ./tests/tests.py --test=testlogout
PYTHONPATH=./ ./tests/tests.py --test=testnameid
PYTHONPATH=./ ./tests/tests.py --test=testrest
+ PYTHONPATH=./ ./tests/tests.py --test=testmapping
PYTHONPATH=./ ./tests/tests.py --test=attrs
PYTHONPATH=./ ./tests/tests.py --test=trans
PYTHONPATH=./ ./tests/tests.py --test=pgdb
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 12af16b..bdcb9b8 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -226,6 +226,8 @@ class AuthenticateRequest(ProviderPageBase):
allowed_attributes = provider.allowed_attributes
else:
allowed_attributes = self.cfg.default_allowed_attributes
+ self.debug("Allowed attrs: %s" % allowed_attributes)
+ self.debug("Mapping: %s" % attribute_mappings)
policy = Policy(attribute_mappings, allowed_attributes)
userattrs = us.get_user_attrs()
mappedattrs, _ = policy.map_attributes(userattrs)
diff --git a/tests/helpers/http.py b/tests/helpers/http.py
index d8c56b3..dc7fbd5 100755
--- a/tests/helpers/http.py
+++ b/tests/helpers/http.py
@@ -282,6 +282,51 @@ class HttpSessions(object):
if r.status_code != 200:
raise ValueError('Failed to post SP data [%s]' % repr(r))
+ # pylint: disable=dangerous-default-value
+ def set_attributes_and_mapping(self, idp, mapping=[], attrs=[],
+ spname=None):
+ """
+ Set allowed attributes and mapping in the IDP or the SP. In the
+ case of the SP both allowed attributes and the mapping need to
+ be provided. An empty option for either means delete all values.
+
+ mapping is a list of list of rules of the form:
+ [['from-1', 'to-1'], ['from-2', 'from-2']]
+
+ ex. [['*', '*'], ['fullname', 'namefull']]
+
+ attrs is the list of attributes that will be allowed:
+ ['fullname', 'givenname', 'surname']
+ """
+ idpsrv = self.servers[idp]
+ idpuri = idpsrv['baseuri']
+ if spname: # per-SP setting
+ url = '%s/%s/admin/providers/saml2/admin/sp/%s' % (
+ idpuri, idp, spname)
+ mapname = 'Attribute Mapping'
+ attrname = 'Allowed Attributes'
+ else: # global default
+ url = '%s/%s/admin/providers/saml2' % (idpuri, idp)
+ mapname = 'default attribute mapping'
+ attrname = 'default allowed attributes'
+
+ headers = {'referer': url}
+ headers['content-type'] = 'application/x-www-form-urlencoded'
+ payload = {'submit': 'Submit'}
+ count = 0
+ for m in mapping:
+ payload['%s %s-from' % (mapname, count)] = m[0]
+ payload['%s %s-to' % (mapname, count)] = m[1]
+ count += 1
+ count = 0
+ for attr in attrs:
+ payload['%s %s-name' % (attrname, count)] = attr
+ count += 1
+ r = idpsrv['session'].post(url, headers=headers,
+ data=payload)
+ if r.status_code != 200:
+ raise ValueError('Failed to post IDP data [%s]' % repr(r))
+
def fetch_rest_page(self, idpname, uri):
"""
idpname - the name of the IDP to fetch the page from
diff --git a/tests/testmapping.py b/tests/testmapping.py
new file mode 100755
index 0000000..1bc69ec
--- /dev/null
+++ b/tests/testmapping.py
@@ -0,0 +1,360 @@
+#!/usr/bin/python
+# Copyright (C) 2015 Ipsilon Project Contributors
+
+from helpers.common import IpsilonTestBase # pylint: disable=relative-import
+from helpers.http import HttpSessions # pylint: disable=relative-import
+import os
+import sys
+import pwd
+from string import Template
+
+# Test Attribute Mapping and Allowed Attributes and their per-SP
+# overrides.
+
+
+idp_g = {'TEMPLATES': '${TESTDIR}/templates/install',
+ 'CONFDIR': '${TESTDIR}/etc',
+ 'DATADIR': '${TESTDIR}/lib',
+ 'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+ 'STATICDIR': '${ROOTDIR}',
+ 'BINDIR': '${ROOTDIR}/ipsilon',
+ 'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'}
+
+
+idp_a = {'hostname': '${ADDRESS}:${PORT}',
+ 'admin_user': '${TEST_USER}',
+ 'system_user': '${TEST_USER}',
+ 'instance': '${NAME}',
+ 'secure': 'no',
+ 'testauth': 'yes',
+ 'pam': 'no',
+ 'krb': 'no',
+ 'ipa': 'no',
+ 'server_debugging': 'True'}
+
+
+sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+ 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
+ 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
+ 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
+
+
+sp_a = {'hostname': '${ADDRESS}:${PORT}',
+ 'saml_idp_metadata': 'http://127.0.0.10:45080/idp1/saml2/metadata',
+ 'saml_secure_setup': 'False',
+ 'saml_auth': '/sp',
+ 'saml_nameid': '${NAMEID}',
+ 'httpd_user': '${TEST_USER}'}
+
+sp_list = [
+ {'name': 'sp1', 'addr': '127.0.0.11', 'port': '45081'},
+]
+
+
+def convert_to_dict(envlist):
+ values = {}
+ for pair in envlist.split('\n'):
+ if pair.find('=') > 0:
+ (key, value) = pair.split('=', 1)
+ if key.startswith('MELLON_') and not key.endswith('_0'):
+ values[key] = value
+ return values
+
+
+def check_info_plugin(s, idp_name, urlbase, expected):
+ """
+ Logout, login, fetch SP page to get the info variables and
+ compare the MELLON_ ones to what we expect. IDP and NAMEID are
+ ignored. The authtest plugin returns no groups.
+ """
+
+ # Log out
+ page = s.fetch_page(idp_name, '%s/%s?%s' % (
+ urlbase, 'saml2/logout',
+ 'ReturnTo=%s/open/logged_out.html' % urlbase))
+ page.expected_value('text()', 'Logged out')
+
+ # Fetch the page (with implicit login)
+ page = s.fetch_page(idp_name, '%s/sp/' % spurl)
+
+ # Confirm that the expected values are in the output and that there
+ # are no unexpected MELLON_ vars, and drop the _0 version.
+ data = convert_to_dict(page.text)
+
+ data.pop('MELLON_IDP')
+ data.pop('MELLON_NAME_ID')
+
+ for key in expected.keys():
+ item = data.pop('MELLON_' + key)
+ if item != expected[key]:
+ raise ValueError('Expected %s, got %s' % (expected[key], item))
+
+ if len(data) > 0:
+ raise ValueError('Unexpected values %s' % data)
+
+
+def fixup_sp_httpd(httpdir):
+ location = """
+
+AddOutputFilter INCLUDES .html
+
+Alias /sp ${HTTPDIR}/sp
+
+<Directory ${HTTPDIR}/sp>
+ Require all granted
+ Options +Includes
+</Directory>
+
+Alias /open ${HTTPDIR}/open
+
+<Directory ${HTTPDIR}/open>
+</Directory>
+
+"""
+ index = """
+<!--#printenv -->
+"""
+ logged_out = """Logged out"""
+
+ t = Template(location)
+ text = t.substitute({'HTTPDIR': httpdir})
+ with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f:
+ f.write(text)
+
+ os.mkdir(httpdir + '/sp')
+ with open(httpdir + '/sp/index.html', 'w') as f:
+ f.write(index)
+ os.mkdir(httpdir + '/open')
+ with open(httpdir + '/open/logged_out.html', 'w') as f:
+ f.write(logged_out)
+
+
+class IpsilonTest(IpsilonTestBase):
+
+ def __init__(self):
+ super(IpsilonTest, self).__init__('testmapping', __file__)
+
+ def setup_servers(self, env=None):
+ print "Installing IDP server"
+ name = 'idp1'
+ addr = '127.0.0.10'
+ port = '45080'
+ idp = self.generate_profile(idp_g, idp_a, name, addr, port)
+ conf = self.setup_idp_server(idp, name, addr, port, env)
+
+ print "Starting IDP's httpd server"
+ self.start_http_server(conf, env)
+
+ for spdata in sp_list:
+ addr = spdata['addr']
+ port = spdata['port']
+ name = spdata['name']
+
+ print "Installing SP server %s" % name
+ sp_prof = self.generate_profile(sp_g, sp_a, name, addr, str(port))
+ conf = self.setup_sp_server(sp_prof, name, addr, str(port), env)
+ fixup_sp_httpd(os.path.dirname(conf))
+
+ print "Starting SP's httpd server"
+ self.start_http_server(conf, env)
+
+
+if __name__ == '__main__':
+
+ idpname = 'idp1'
+ user = pwd.getpwuid(os.getuid())[0]
+ sp = sp_list[0]
+ spurl = 'http://%s:%s' % (sp['addr'], sp['port'])
+
+ # Set global mapping and allowed attributes, then test fetch from
+ # SP.
+ sess = HttpSessions()
+ sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
+ sess.add_server(sp['name'], spurl)
+
+ print "testmapping: Authenticate to IDP ...",
+ try:
+ sess.auth_to_idp(idpname)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ print " SUCCESS"
+
+ print "testmapping: Add SP Metadata to IDP ...",
+ try:
+ sess.add_sp_metadata(idpname, sp['name'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test default mapping and attrs ...",
+ expect = {
+ 'fullname': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ 'email': '%s@example.com' % user,
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ print " SUCCESS"
+
+ print "testmapping: Set default global mapping ...",
+ try:
+ sess.set_attributes_and_mapping(idpname,
+ [['*', '*'],
+ ['fullname', 'namefull']])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test global mapping ...",
+ expect = {
+ 'fullname': 'Test User %s' % user,
+ 'namefull': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ 'email': '%s@example.com' % user,
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ print "testmapping: Set default allowed attributes ...",
+ try:
+ sess.set_attributes_and_mapping(idpname, [],
+ ['namefull', 'givenname', 'surname'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test global allowed attributes ...",
+ expect = {
+ 'namefull': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ print "testmapping: Set SP allowed attributes ...",
+ try:
+ sess.set_attributes_and_mapping(idpname, [['*', '*']],
+ ['wholename', 'givenname', 'surname',
+ 'email', 'fullname'], sp['name'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test SP allowed atributes ...",
+ expect = {
+ 'fullname': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ 'email': '%s@example.com' % user,
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ print "testmapping: Set SP attribute mapping ...",
+ try:
+ sess.set_attributes_and_mapping(idpname,
+ [['*', '*'],
+ ['fullname', 'wholename']],
+ ['wholename', 'givenname',
+ 'surname',
+ 'email', 'fullname'],
+ sp['name'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test SP attribute mapping ...",
+ expect = {
+ 'wholename': 'Test User %s' % user,
+ 'fullname': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ 'email': '%s@example.com' % user,
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ print "testmapping: Drop SP attribute mapping ...",
+ try:
+ sess.set_attributes_and_mapping(idpname, [],
+ ['givenname', 'surname', 'email',
+ 'fullname'], sp['name'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test SP attr mapping with default allowed...",
+ expect = {
+ 'fullname': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ 'email': '%s@example.com' % user,
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ print "testmapping: Drop SP allowed attributes ...",
+ try:
+ sess.set_attributes_and_mapping(idpname, [], [], sp['name'])
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"
+
+ try:
+ print "testmapping: Test mapping, should be back to global...",
+ expect = {
+ 'namefull': 'Test User %s' % user,
+ 'surname': user,
+ 'givenname': 'Test User',
+ }
+ check_info_plugin(sess, idpname, spurl, expect)
+ except Exception, e: # pylint: disable=broad-except
+ print >> sys.stderr, " ERROR: %s" % repr(e)
+ sys.exit(1)
+ else:
+ print " SUCCESS"