Add more test. Fix bug getting last response on process_slo

pitbulk · pitbulk · commit f428b727f358 · 2016-11-30T16:03:51.000+01:00
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
@@ -128,7 +128,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 
         if 'get_data' in self.__request_data and 'SAMLResponse' in self.__request_data['get_data']:
             logout_response = OneLogin_Saml2_Logout_Response(self.__settings, self.__request_data['get_data']['SAMLResponse'])
-            self.__logout_response = logout_response.get_xml()
+            self.__last_response = logout_response.get_xml()
             if not logout_response.is_valid(self.__request_data, request_id):
                 self.__errors.append('invalid_logout_response')
                 self.__error_reason = logout_response.get_error()
@@ -150,7 +150,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 in_response_to = logout_request.id
                 response_builder = OneLogin_Saml2_Logout_Response(self.__settings)
                 response_builder.build(in_response_to)
-                self.__logout_response = response_builder.get_xml()
+                self.__last_response = response_builder.get_xml()
                 logout_response = response_builder.get_response()
 
                 parameters = {'SAMLResponse': logout_response}
@@ -465,7 +465,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
         :rtype: string|None
         """
         response = None
-        if self.__last_response:
+        if self.__last_response is not None:
             if isinstance(self.__last_response, basestring):
                 response = self.__last_response
             else:
diff --git a/tests/data/responses/pretty_signed_message_response.xml b/tests/data/responses/pretty_signed_message_response.xml
@@ -0,0 +1,48 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc3d2b542-0f7e-8767-8e87-5b0dc6913375" Version="2.0" IssueInstant="2014-03-21T13:41:09Z" Destination="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_5d9e319c1b8a67da48227964c28d280e7860f804">
+  <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxc3d2b542-0f7e-8767-8e87-5b0dc6913375"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1dQFiYU0o2OF7c/RVV8Gpgb4u3I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>wRgBXOq/FiLZc2mureTC/j6zY709OikJ5HeUSruHTdYjEg9aZy1RbxlKIYEIfXpnX7NBoKxfAMm+O0fsrqOjgcYxTVkqZjOr71qiXNbtwjeAkdYSpk5brsAcnfcPdv8QReYr3D7t5ZVCgYuvXQ+dNELKeag7e1ASOzVqOdp5Z9Y=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_cccd6024116641fe48e0ae2c51220d02755f96c98d" Version="2.0" IssueInstant="2014-03-21T13:41:09Z">
+    <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_b98f98bb1ab512ced653b58baaff543448daed535d</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2023-09-22T19:01:09Z" Recipient="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_5d9e319c1b8a67da48227964c28d280e7860f804"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2014-03-21T13:40:39Z" NotOnOrAfter="2023-09-22T19:01:09Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2014-03-21T13:41:09Z" SessionNotOnOrAfter="2014-03-21T21:41:09Z" SessionIndex="_9fe0c8dcd3302e7364fcab22a52748ebf2224df0aa">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">waa2</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">user</saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -910,18 +910,26 @@ def testBuildResponseSignature(self):
         except Exception as e:
             self.assertIn("Trying to sign the SAMLResponse but can't load the SP private key", e.message)
 
-    def testGetLastDecryptedResponse(self):
+    def testGetLastSAMLResponse(self):
         settings = self.loadSettingsJSON()
+        message = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64'))
+        message_wrapper = {'post_data': {'SAMLResponse': message}}
+        auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings)
+        auth.process_response()
+        expected_message = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml'))
+        self.assertEqual(auth.get_last_response_xml(True), expected_message)
+
+        # with encrypted assertion
         message = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
         message_wrapper = {'post_data': {'SAMLResponse': message}}
         auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings)
         auth.process_response()
         decrypted_response = self.file_contents(join(self.data_path, 'responses', 'decrypted_valid_encrypted_assertion.xml'))
         self.assertEqual(auth.get_last_response_xml(False), decrypted_response)
-        decrypted_response = self.file_contents(join(self.data_path, 'responses', 'pretty_decrypted_valid_encrypted_assertion.xml'))
-        self.assertEqual(auth.get_last_response_xml(True), decrypted_response)
+        pretty_decrypted_response = self.file_contents(join(self.data_path, 'responses', 'pretty_decrypted_valid_encrypted_assertion.xml'))
+        self.assertEqual(auth.get_last_response_xml(True), pretty_decrypted_response)
 
-    def testGetLastSentRequest(self):
+    def testGetLastAuthnRequest(self):
         settings = self.loadSettingsJSON()
         auth = OneLogin_Saml2_Auth({'http_host': 'localhost', 'script_name': 'thing'}, old_settings=settings)
         auth.login()
@@ -940,6 +948,51 @@ def testGetLastSentRequest(self):
         )
         self.assertIn(expectedFragment, auth.get_last_request_xml())
 
+    def testGetLastLogoutRequest(self):
+        settings = self.loadSettingsJSON()
+        auth = OneLogin_Saml2_Auth({'http_host': 'localhost', 'script_name': 'thing'}, old_settings=settings)
+        auth.logout()
+        expectedFragment = (
+            '        Destination="http://idp.example.com/SingleLogoutService.php">\n'
+            '        <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
+            '        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPNameQualifier="http://stuff.com/endpoints/metadata.php">http://idp.example.com/</saml:NameID>\n'
+            '        \n    </samlp:LogoutRequest>'
+        )
+        self.assertIn(expectedFragment, auth.get_last_request_xml())
+
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
+        message = OneLogin_Saml2_Utils.deflate_and_base64_encode(request)
+        message_wrapper = {'get_data': {'SAMLRequest': message}}
+        auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings)
+        auth.process_slo()
+        self.assertEqual(request, auth.get_last_request_xml())
+
+    def testGetLastLogoutResponse(self):
+        settings = self.loadSettingsJSON()
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
+        message = OneLogin_Saml2_Utils.deflate_and_base64_encode(request)
+        message_wrapper = {'get_data': {'SAMLRequest': message}}
+        auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings)
+        auth.process_slo()
+        expectedFragment = (
+            'Destination="http://idp.example.com/SingleLogoutService.php"\n'
+            '                      InResponseTo="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e"\n>\n'
+            '    <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
+            '    <samlp:Status>\n'
+            '        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />\n'
+            '    </samlp:Status>\n'
+            '</samlp:LogoutResponse>'
+        )
+        self.assertIn(expectedFragment, auth.get_last_response_xml())
+
+        response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml'))
+        message = OneLogin_Saml2_Utils.deflate_and_base64_encode(response)
+        message_wrapper = {'get_data': {'SAMLResponse': message}}
+        auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings)
+        auth.process_slo()
+        self.assertEqual(response, auth.get_last_response_xml())
+
+
 if __name__ == '__main__':
     if is_running_under_teamcity():
         runner = TeamcityTestRunner()
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -64,25 +64,25 @@ def testCreateRequest(self):
         self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
         self.assertNotIn('ProviderName="SP test"', inflated)
 
-    def testGetRequestXML(self):
+    def testGetXML(self):
         """
         Tests that we can get the request XML directly without
         going through intermediate steps
         """
-
         saml_settings = self.loadSettingsJSON()
-        settings = OneLogin_Saml2_Settings(saml_settings)
-        settings._OneLogin_Saml2_Settings__organization = {
+        saml_settings['organization'] = {
             u'en-US': {
                 u'url': u'http://sp.example.com',
-                u'name': u'sp_test'
+                u'name': u'sp_test',
+                u'displayname': u'SP test',
             }
         }
+        settings = OneLogin_Saml2_Settings(saml_settings)
 
         authn_request = OneLogin_Saml2_Authn_Request(settings)
         inflated = authn_request.get_xml()
         self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
-        self.assertNotIn('ProviderName="SP test"', inflated)
+        self.assertIn('ProviderName="SP test"', inflated)
 
         saml_settings['organization'] = {}
         settings = OneLogin_Saml2_Settings(saml_settings)
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -442,6 +442,27 @@ def testIsValidSign(self):
         except Exception as e:
             self.assertIn('In order to validate the sign on the Logout Request, the x509cert of the IdP is required', e.message)
 
+    def testGetXML(self):
+        """
+        Tests that we can get the logout request XML directly without
+        going through intermediate steps
+        """
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request_generated = OneLogin_Saml2_Logout_Request(settings)
+
+        expectedFragment = (
+            'Destination="http://idp.example.com/SingleLogoutService.php">\n'
+            '        <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
+            '        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPNameQualifier="http://stuff.com/endpoints/metadata.php">http://idp.example.com/</saml:NameID>\n'
+            '        \n    </samlp:LogoutRequest>'
+        )
+        self.assertIn(expectedFragment, logout_request_generated.get_xml())
+
+        logout_request_processed = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
+        self.assertEqual(request, logout_request_processed.get_xml())
+
 
 if __name__ == '__main__':
     if is_running_under_teamcity():
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -385,6 +385,31 @@ def testIsValid(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertTrue(response_3.is_valid(request_data))
 
+    def testGetXML(self):
+        """
+        Tests that we can get the logout response XML directly without
+        going through intermediate steps
+        """
+        response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_response_generated = OneLogin_Saml2_Logout_Response(settings)
+        logout_response_generated.build("InResponseValue")
+
+        expectedFragment = (
+            'Destination="http://idp.example.com/SingleLogoutService.php"\n'
+            '                      InResponseTo="InResponseValue"\n>\n'
+            '    <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
+            '    <samlp:Status>\n'
+            '        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />\n'
+            '    </samlp:Status>\n'
+            '</samlp:LogoutResponse>'
+        )
+        self.assertIn(expectedFragment, logout_response_generated.get_xml())
+
+        logout_response_processed = OneLogin_Saml2_Logout_Response(settings, OneLogin_Saml2_Utils.deflate_and_base64_encode(response))
+        self.assertEqual(response, logout_response_processed.get_xml())
+
 
 if __name__ == '__main__':
     if is_running_under_teamcity():
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -60,18 +60,23 @@ def testConstruct(self):
 
         self.assertIsInstance(response_enc, OneLogin_Saml2_Response)
 
-    def test_get_decrypted_xml(self):
+    def test_get_xml_document(self):
         """
         Tests that we can retrieve the raw text of an encrypted XML response
         without going through intermediate steps
         """
         json_settings = self.loadSettingsJSON()
-
         settings = OneLogin_Saml2_Settings(json_settings)
-        xml = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
+
+        xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
+        prety_xml = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml'))
+        self.assertEqual(etree.tostring(response.get_xml_document(), pretty_print=True), prety_xml)
+
+        xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
+        response_2 = OneLogin_Saml2_Response(settings, xml_2)
         decrypted = self.file_contents(join(self.data_path, 'responses', 'decrypted_valid_encrypted_assertion.xml'))
-        self.assertEqual(etree.tostring(response.get_xml_document()), decrypted)
+        self.assertEqual(etree.tostring(response_2.get_xml_document()), decrypted)
 
     def testReturnNameId(self):
         """
