authorEmmanuel Raviart <eraviart@entrouvert.com>2004-08-06 20:48:24 +0000
committerEmmanuel Raviart <eraviart@entrouvert.com>2004-08-06 20:48:24 +0000
commitf71f68877fb706158493fba8c8102b8d03b51430 (patch)
tree1cf4f96648acf33cecf012b0edf3ce66d498c222 /python
parente1c8d45f13552ebfbbc33763a8fcca96078eab45 (diff)
Added Python simulation for isPassive and corrected some simulation bugs.
Added isPassive tests.
Diffstat (limited to 'python')
-rw-r--r--python/tests/IdentityProvider.py59
-rw-r--r--python/tests/ServiceProvider.py15
-rw-r--r--python/tests/login_tests.py36
-rw-r--r--python/tests/websimulator.py32
4 files changed, 109 insertions, 33 deletions
diff --git a/python/tests/IdentityProvider.py b/python/tests/IdentityProvider.py
index 248f5879..e1cfef5b 100644
--- a/python/tests/IdentityProvider.py
+++ b/python/tests/IdentityProvider.py
@@ -41,17 +41,22 @@ class IdentityProvider(Provider):
def singleSignOn(self, httpRequest):
server = self.getServer()
login = lasso.Login.new(server)
- identityDump = self.getIdentityDump(httpRequest.client)
- if identityDump is not None:
- login.set_identity_from_dump(identityDump)
- sessionDump = self.getSessionDump(httpRequest.client)
- if sessionDump is not None:
- login.set_session_from_dump(sessionDump)
- authnRequestQuery = self.extractQueryFromUrl(httpRequest.url)
- login.init_from_authn_request_msg(authnRequestQuery, lasso.httpMethodRedirect)
-
- self.failUnless(login.must_authenticate()) # FIXME: To improve.
webSession = self.getWebSession(httpRequest.client)
+ webUser = None
+ if webSession is not None:
+ if webSession.sessionDump is not None:
+ login.set_session_from_dump(webSession.sessionDump)
+ webUser = self.getWebUserFromWebSession(webSession)
+ if webUser is not None and webUser.identityDump is not None:
+ login.set_identity_from_dump(webUser.identityDump)
+ login.init_from_authn_request_msg(httpRequest.query, lasso.httpMethodRedirect)
+
+ if not login.must_authenticate():
+ userAuthenticated = webUser is not None
+ authenticationMethod = lasso.samlAuthenticationMethodPassword # FIXME
+ return self.singleSignOn_part2(
+ httpRequest, login, webSession, webUser, userAuthenticated, authenticationMethod)
+
if webSession is None:
webSession = self.createWebSession(httpRequest.client)
webSession.loginDump = login.dump()
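Review bot: The new branch under `if not login.must_authenticate():` hard-codes `authenticationMethod = lasso.samlAuthenticationMethodPassword`, so the assertion built for a passive login claims password authentication no matter how the existing session was actually established. Recording the method on the web session when the user first authenticates (for example in a new `authenticationMethod` attribute) and reusing it here would resolve the FIXME. `userAuthenticated = webUser is not None` also treats any web session with a linked user as authenticated, which is only sound if logout always clears that link; a comment such as `# relies on logout deleting webSession.webUserId` would make the dependency explicit. The body of singleSignOn continues outside this hunk.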
@@ -70,18 +75,22 @@ class IdentityProvider(Provider):
del webSession.loginDump
login = lasso.Login.new_from_dump(server, loginDump)
# Set identity & session in login, because loginDump doesn't contain them.
- identityDump = self.getIdentityDump(httpRequest.client)
- if identityDump is not None:
- login.set_identity_from_dump(identityDump)
- sessionDump = self.getSessionDump(httpRequest.client)
- if sessionDump is not None:
- login.set_session_from_dump(sessionDump)
+ if webSession.sessionDump is not None:
+ login.set_session_from_dump(webSession.sessionDump)
+ webUser = self.getWebUserFromWebSession(webSession)
+ if webUser is not None and webUser.identityDump is not None:
+ login.set_identity_from_dump(webUser.identityDump)
+
+ return self.singleSignOn_part2(
+ httpRequest, login, webSession, webUser, userAuthenticated, authenticationMethod)
+
+ def singleSignOn_part2(self, httpRequest, login, webSession, webUser, userAuthenticated,
+ authenticationMethod):
self.failUnlessEqual(login.protocolProfile, lasso.loginProtocolProfileBrwsArt) # FIXME
login.build_artifact_msg(
userAuthenticated, authenticationMethod, 'FIXME: reauthenticateOnOrAfter',
lasso.httpMethodRedirect)
if userAuthenticated:
- webUser = self.getWebUserFromWebSession(webSession)
if login.is_identity_dirty():
identityDump = login.get_identity().dump()
self.failUnless(identityDump)
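Review bot: `singleSignOn_part2` is added without a docstring, and its contract is not obvious from the signature. The passive caller can pass `webSession=None` and `webUser=None`, and the second caller can pass `webUser=None` when `getWebUserFromWebSession` finds nothing. I would add `"""Build the artifact response; webSession and webUser may be None when userAuthenticated is False."""`. The function body continues outside this hunk, so any use of `webSession` or `webUser` outside the `if userAuthenticated:` branch should be checked against None.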
@@ -151,13 +160,15 @@ class IdentityProvider(Provider):
identityDump = identity.dump()
self.failUnless(identityDump)
self.failUnless(logout.is_session_dirty())
- session = logout.get_session()
- if session is None:
- del webSession.sessionDump
- else:
- sessionDump = session.dump()
- self.failUnless(sessionDump)
- webSession.sessionDump = sessionDump
+
+ # Log the user out.
+ # It is done before logout from other service providers, since we don't want to
+ # accept passive login connections inbetween.
+ del webSession.sessionDump
+ del webSession.webUserId
+ # We also delete the session, but it is not mandantory, since the user is logged out
+ # anyway.
+ del self.webSessions[webSession.uniqueId]
nameIdentifier = logout.nameIdentifier
self.failUnless(nameIdentifier)
del self.webSessionIdsByNameIdentifier[nameIdentifier]
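Review bot: The new logout block removes the whole web session with `del self.webSessions[webSession.uniqueId]`, but the only index cleaned up afterwards is the single `webSessionIdsByNameIdentifier[nameIdentifier]` entry of the requesting provider. If the user holds name identifiers with other service providers, their entries presumably still point at the deleted session id; removing every entry whose value is `webSession.uniqueId` would avoid dangling references. Ending the local session before notifying the other providers is a sound ordering, but the remaining `logout.get_session()` dump that the old code stored is now discarded, so confirm that nothing later in this method (outside the hunk) still needs it. The logout hunk in ServiceProvider.py deletes the session the same way and deserves the same check.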
diff --git a/python/tests/ServiceProvider.py b/python/tests/ServiceProvider.py
index 77520734..699c96b3 100644
--- a/python/tests/ServiceProvider.py
+++ b/python/tests/ServiceProvider.py
@@ -37,8 +37,7 @@ class ServiceProvider(Provider):
def assertionConsumer(self, httpRequest):
server = self.getServer()
login = lasso.Login.new(server)
- responseQuery = self.extractQueryFromUrl(httpRequest.url)
- login.init_request(responseQuery, lasso.httpMethodRedirect)
+ login.init_request(httpRequest.query, lasso.httpMethodRedirect)
login.build_request_msg()
soapEndpoint = login.msg_url
@@ -102,13 +101,15 @@ class ServiceProvider(Provider):
userAuthenticated = webUserId in self.webUsers
if not userAuthenticated:
return HttpResponse(401, 'Access Unauthorized: User has no account.')
- webSession.webUserId = webUserId
webUser = self.webUsers[webUserId]
+ webSession.webUserId = webUser.uniqueId
+
# Store the updated identity dump and session dump.
if login.is_identity_dirty():
webUser.identityDump = identityDump
webSession.sessionDump = sessionDump
+
self.webUserIdsByNameIdentifier[nameIdentifier] = webUser.uniqueId
self.webSessionIdsByNameIdentifier[nameIdentifier] = webSession.uniqueId
@@ -119,7 +120,7 @@ class ServiceProvider(Provider):
login = lasso.Login.new(server)
login.init_authn_request(self.idpSite.providerId)
self.failUnlessEqual(login.request_type, lasso.messageTypeAuthnRequest)
- login.request.set_isPassive(False)
+ login.request.set_isPassive(httpRequest.getQueryBoolean('isPassive', False))
login.request.set_nameIDPolicy(lasso.libNameIDPolicyTypeFederated)
login.request.set_consent(lasso.libConsentObtained)
relayState = 'fake'
@@ -164,8 +165,14 @@ class ServiceProvider(Provider):
self.failUnless(logout.is_session_dirty())
session = logout.get_session()
if session is None:
+ # The user is no more authenticated on any identity provider. Log him out.
del webSession.sessionDump
+ del webSession.webUserId
+ # We also delete the session, but it is not mandantory, since the user is logged out
+ # anyway.
+ del self.webSessions[webSession.uniqueId]
else:
+ # The user is still logged in on some other identity providers.
sessionDump = session.dump()
self.failUnless(sessionDump)
webSession.sessionDump = sessionDump
diff --git a/python/tests/login_tests.py b/python/tests/login_tests.py
index e5f4e405..ff25037d 100644
--- a/python/tests/login_tests.py
+++ b/python/tests/login_tests.py
@@ -109,9 +109,11 @@ class LoginTestCase(unittest.TestCase):
self.failUnlessEqual(httpResponse.statusCode, 200)
httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/logoutUsingSoap'))
self.failUnlessEqual(httpResponse.statusCode, 200)
+ self.failIf(spSite.webSessions)
+ self.failIf(idpSite.webSessions)
def test02(self):
- """Service provider initiated login using HTTP redirect and service provider initiated logout using SOAP. Done twice."""
+ """Service provider initiated login using HTTP redirect and service provider initiated logout using SOAP. Done three times."""
internet = Internet()
idpSite = self.generateIdpSite(internet)
@@ -126,12 +128,27 @@ class LoginTestCase(unittest.TestCase):
httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/logoutUsingSoap'))
self.failUnlessEqual(httpResponse.statusCode, 200)
- # Once again, but now the principal already has a federation between spSite and idpSite.
+ # Once again. Now the principal already has a federation between spSite and idpSite.
httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/loginUsingRedirect'))
self.failUnlessEqual(httpResponse.statusCode, 200)
httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/logoutUsingSoap'))
self.failUnlessEqual(httpResponse.statusCode, 200)
+ # Once again. Do a new passive login between normal login and logout.
+ httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/loginUsingRedirect'))
+ self.failUnlessEqual(httpResponse.statusCode, 200)
+ del principal.keyring[idpSite.url] # Ensure identity provider will be really passive.
+ httpResponse = spSite.doHttpRequest(HttpRequest(
+ principal, 'GET', '/loginUsingRedirect?isPassive=1'))
+ self.failUnlessEqual(httpResponse.statusCode, 200)
+ httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/logoutUsingSoap'))
+ self.failUnlessEqual(httpResponse.statusCode, 200)
+
+ # Once again, with isPassive and the user having no web session.
+ httpResponse = spSite.doHttpRequest(HttpRequest(
+ principal, 'GET', '/loginUsingRedirect?isPassive=1'))
+ self.failUnlessEqual(httpResponse.statusCode, 401)
+
def test03(self):
"""Service provider initiated login using HTTP redirect, but user fail to authenticate himself on identity provider. Then logout, with same problem."""
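Review bot: The last request added to test02 cannot tell a passive refusal from a failed interactive login, because `del principal.keyring[idpSite.url]` a few lines earlier is never undone. If the identity provider ignored isPassive and prompted, the principal would have no credentials and would presumably end in 401 as well. Restoring the identity-provider keyring entry before the final `/loginUsingRedirect?isPassive=1` request would make 401 attributable to the passive check alone; test05 keeps its keyring and so does make that distinction. A request with `isPassive=0` that is expected to log in normally would also pin down how the flag is parsed.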
@@ -165,6 +182,21 @@ class LoginTestCase(unittest.TestCase):
httpResponse = spSite.doHttpRequest(HttpRequest(principal, 'GET', '/logoutUsingSoap'))
self.failUnlessEqual(httpResponse.statusCode, 401)
+ def test05(self):
+ """Service provider initiated login using HTTP redirect with isPassive for a user without federation yet."""
+
+ internet = Internet()
+ idpSite = self.generateIdpSite(internet)
+ spSite = self.generateSpSite(internet)
+ spSite.idpSite = idpSite
+ principal = Principal(internet, 'Romain Chantereau')
+ principal.keyring[idpSite.url] = 'Chantereau'
+ principal.keyring[spSite.url] = 'Romain'
+
+ httpResponse = spSite.doHttpRequest(HttpRequest(
+ principal, 'GET', '/loginUsingRedirect?isPassive=1'))
+ self.failUnlessEqual(httpResponse.statusCode, 401)
+
## def test06(self):
## """Service provider LECP login."""
diff --git a/python/tests/websimulator.py b/python/tests/websimulator.py
index f663623a..806b5dd5 100644
--- a/python/tests/websimulator.py
+++ b/python/tests/websimulator.py
@@ -43,6 +43,35 @@ class HttpRequest(object):
webSite = self.client.internet.getWebSite(self.url)
return webSite.doHttpRequest(self)
+ def getQueryBoolean(self, name, default = 'none'):
+ try:
+ fieldValue = self.getQueryField(name)
+ except KeyError:
+ if default == 'none':
+ raise
+ return default
+ return fieldValue.lower not in ('', '0', 'false')
+
+ def getQuery(self):
+ splitedUrl = self.url.split('?', 1)
+ if len(splitedUrl) > 1:
+ return splitedUrl[1]
+ else:
+ return ''
+
+ def getQueryField(self, name, default = 'none'):
+ query = self.query
+ if query:
+ for field in self.query.split('&'):
+ fieldName, fieldValue = field.split('=')
+ if name == fieldName:
+ return fieldValue
+ if default == 'none':
+ raise KeyError(name)
+ return default
+
+ query = property(getQuery)
+
class HttpResponse(object):
body = None
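Review bot: `getQueryBoolean` returns `fieldValue.lower not in ('', '0', 'false')`, which tests the bound method object rather than the lowered string, so any field that is present evaluates to True, including `isPassive=0` and `isPassive=false`. This value feeds `set_isPassive` in ServiceProvider.py, and the line should read `return fieldValue.lower() not in ('', '0', 'false')`. In `getQueryField`, `field.split('=')` raises ValueError for a field with no `=` or with more than one, so `fieldName, _, fieldValue = field.partition('=')` is safer; neither the name nor the value is URL-decoded. Using the string `'none'` as the missing-default sentinel also means a caller can never pass `'none'` as a real default, which a private `object()` sentinel would avoid.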
@@ -195,9 +224,6 @@ class WebSite(WebClient, Simulation):
method = getattr(self, methodName)
return method(httpRequest)
- def extractQueryFromUrl(self, url):
- return url.split('?', 1)[1]
-
def getIdentityDump(self, principal):
webSession = self.getWebSession(principal)
webUser = self.getWebUserFromWebSession(webSession)