authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-07-16 19:34:18 +0000
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-07-16 19:34:18 +0000
commit950565e5a29ea6d0fb9052fd06a00042a53f4370 (patch)
treeb308a77314c89bd9d6498bfbf633f64062bb084e
parent8198294c559644558c2592ee8f8acabaa8cea6af (diff)
downloadlasso-950565e5a29ea6d0fb9052fd06a00042a53f4370.tar.gz
lasso-950565e5a29ea6d0fb9052fd06a00042a53f4370.tar.xz
lasso-950565e5a29ea6d0fb9052fd06a00042a53f4370.zip
[Tests/python] add test case for WebSSO with providers using encrypted keys
-rwxr-xr-xbindings/python/tests/profiles_tests.py32
-rw-r--r--tests/data/idp7-saml2/Makefile.am2
-rw-r--r--tests/data/idp7-saml2/metadata.xml108
-rw-r--r--tests/data/idp7-saml2/password1
-rw-r--r--tests/data/idp7-saml2/private-key.pem30
-rw-r--r--tests/data/sp7-saml2/password2
6 files changed, 171 insertions, 4 deletions
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index c923f87f..45478f02 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -43,6 +43,16 @@ except NameError:
srcdir = os.environ.get('TOP_SRCDIR', '.')
dataDir = '%s/tests/data' % srcdir
+def server(local_name, remote_role, remote_name):
+ pwd = os.path.join(dataDir, local_name, 'password')
+ password = None
+ if os.path.exists(pwd):
+ password = file(pwd).read()
+ s = lasso.Server(os.path.join(dataDir, local_name, 'metadata.xml'),
+ os.path.join(dataDir, local_name, 'private-key.pem'),
+ password)
+ s.addProvider(remote_role, os.path.join(dataDir, remote_name, 'metadata.xml'))
+ return s
class ServerTestCase(unittest.TestCase):
def test01(self):
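Review bot: The new `server()` helper passes `file(pwd).read()` to `lasso.Server` unmodified, so any trailing newline in the password file becomes part of the key passphrase — which appears to be why this same commit has to strip the newline from tests/data/sp7-saml2/password instead of fixing the reader. Stripping in the helper is more robust and also closes the handle: `with open(pwd) as fh:` / `password = fh.read().rstrip('\r\n')`. `open()` also works on both Python 2 and 3, whereas `file()` is Python-2-only (the file is still Python 2, given the `print` statements elsewhere, so this is minor). A short docstring on the helper would help too, e.g. `'''Build a lasso.Server for local_name, decrypting its key with the sibling `password` file if present, and register remote_name's metadata under remote_role.'''`.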
@@ -210,7 +220,6 @@ class LoginTestCase(unittest.TestCase):
def test05(self):
'''SAMLv2 Authn request emitted and received using Artifact binding'''
-
sp = lasso.Server(
os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
@@ -241,10 +250,28 @@ class LoginTestCase(unittest.TestCase):
try:
idp_login.processResponseMsg(sp_login2.msgBody)
except:
- print idp_login.response
raise
assert isinstance(idp_login.request, lasso.Samlp2AuthnRequest)
+ def test_06(self):
+ '''Login test between SP and IdP with encrypted private keys'''
+ sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
+ idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
+
+ sp_login = lasso.Login(sp_server)
+ sp_login.initAuthnRequest()
+ sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST;
+ sp_login.buildAuthnRequestMsg()
+ idp_login = lasso.Login(idp_server)
+ idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
+ idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
+ idp_login.validateRequestMsg(True, True)
+ idp_login.buildAssertion("None", "None", "None", "None", "None")
+ idp_login.buildAuthnResponseMsg()
+ sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
+ sp_login.processAuthnResponseMsg(idp_login.msgBody)
+ sp_login.acceptSso()
+
class LogoutTestCase(unittest.TestCase):
def test01(self):
"""SP logout without session and identity; testing initRequest."""
@@ -434,7 +461,6 @@ class LogoutTestCase(unittest.TestCase):
node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
assert isinstance(node, lasso.Samlp2LogoutRequest)
- print node.sessionIndex
assert node.sessionIndex == 'id3'
assert node.sessionIndexes == ('id1', 'id2', 'id3')
diff --git a/tests/data/idp7-saml2/Makefile.am b/tests/data/idp7-saml2/Makefile.am
new file mode 100644
index 00000000..adcdf09d
--- /dev/null
+++ b/tests/data/idp7-saml2/Makefile.am
@@ -0,0 +1,2 @@
+MAINTAINERCLEANFILES = Makefile.in
+EXTRA_DIST = metadata.xml private-key.pem
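Review bot: `EXTRA_DIST` omits the new `password` file, yet the `server()` helper in profiles_tests.py silently falls back to `password=None` when that file is absent, so a `make dist` tarball would ship idp7-saml2 with an encrypted private-key.pem and no passphrase, and test_06 would fail only at key-load time. Add it: `EXTRA_DIST = metadata.xml private-key.pem password`. The same omission presumably applies to tests/data/sp7-saml2/Makefile.am, which is not part of this diff.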
diff --git a/tests/data/idp7-saml2/metadata.xml b/tests/data/idp7-saml2/metadata.xml
new file mode 100644
index 00000000..9c8963ff
--- /dev/null
+++ b/tests/data/idp7-saml2/metadata.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ entityID="http://idp5/metadata">
+<IDPSSODescriptor
+ WantAuthnRequestsSigned="true"
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="signing">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:X509Data><ds:X509Certificate>
+MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+</ds:X509Certificate></ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+<KeyDescriptor use="encryption">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyValue>
+MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+</ds:KeyValue>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <ArtifactResolutionService isDefault="true" index="0"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="http://idp5/artifact" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="http://idp5/singleLogoutSOAP" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="http://idp5/singleLogout"
+ ResponseLocation="http://idp5/singleLogoutReturn" />
+ <ManageNameIDService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="http://idp5/manageNameIdSOAP" />
+ <ManageNameIDService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="http://idp5/manageNameId"
+ ResponseLocation="http://idp5/manageNameIdReturn" />
+ <SingleSignOnService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="http://idp5/singleSignOn" />
+ <SingleSignOnService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="http://idp5/singleSignOnSOAP" />
+</IDPSSODescriptor>
+<AuthnAuthorityDescriptor
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+ <AuthnQueryService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authnQueryService"/>
+ <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/authnAuthAssertionIDRequestService"/>
+ <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+</AuthnAuthorityDescriptor>
+<PDPDescriptor
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+ <AuthzService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authzService"/>
+ <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/PDPAuthAssertionIDRequestService"/>
+ <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:kerberos</NameIDFormat>
+</PDPDescriptor>
+<AttributeAuthorityDescriptor
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+ <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/attributeService"/>
+ <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/AttributeAuthAssertionIDRequestService"/>
+ <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+</AttributeAuthorityDescriptor>
+<Organization>
+ <OrganizationName xml:lang="en">Entr'ouvert</OrganizationName>
+</Organization>
+
+</EntityDescriptor>
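Review bot: The `use="encryption"` KeyDescriptor wraps a base64 X.509 certificate directly in `<ds:KeyValue>`, but in XML-DSIG `KeyValue` holds an `RSAKeyValue`/`DSAKeyValue`, not a DER certificate; a strict consumer would reject or ignore this descriptor, so it should use `<ds:X509Data><ds:X509Certificate>…` exactly as the signing descriptor above it does. Whether lasso's own loader tolerates the misplaced blob is not visible here, and test_06 never encrypts anything, so the error would currently go unnoticed. Separately, the entityID is `http://idp5/metadata` and the endpoint hosts mix idp5 and idp6, evidently copied from the other fixtures; a distinct `entityID="http://idp7/metadata"` would avoid two fixtures sharing one entityID if a test ever loads both. The embedded certificate's validity (2006-10-27 to 2011-10-26 per the DER) also expires about a year after this commit, which is presumably harmless only if lasso does not check validity dates.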
diff --git a/tests/data/idp7-saml2/password b/tests/data/idp7-saml2/password
new file mode 100644
index 00000000..fcde4cdb
--- /dev/null
+++ b/tests/data/idp7-saml2/password
@@ -0,0 +1 @@
+geronimo \ No newline at end of file
diff --git a/tests/data/idp7-saml2/private-key.pem b/tests/data/idp7-saml2/private-key.pem
new file mode 100644
index 00000000..45578541
--- /dev/null
+++ b/tests/data/idp7-saml2/private-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,41BE9422FBDF1769BFEF03F9116F7A86
+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-----END RSA PRIVATE KEY-----
diff --git a/tests/data/sp7-saml2/password b/tests/data/sp7-saml2/password
index 26647829..fcde4cdb 100644
--- a/tests/data/sp7-saml2/password
+++ b/tests/data/sp7-saml2/password
@@ -1 +1 @@
-geronimo
+geronimo \ No newline at end of file