# ⁻*- coding: utf-8 -*- # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for # more details. # # You should have received a copy of the GNU General Public License version 3 # along with this program; if not, write to the Free Software Foundation, Inc., 51 # Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # (c) 2016 Valentin Samir """Tests module for views""" from cas_server.default_settings import settings import django from django.test import TestCase, Client from django.test.utils import override_settings from django.utils import timezone import random import json from lxml import etree from six.moves import range from cas_server import models from cas_server import utils from cas_server.tests.utils import ( copy_form, get_login_page_params, get_auth_client, get_user_ticket_request, get_pgt, get_proxy_ticket, get_validated_ticket, HttpParamsHandler, Http404Handler ) from cas_server.tests.mixin import BaseServicePattern, XmlContent @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class LoginTestCase(TestCase, BaseServicePattern): """Tests for the login view""" def setUp(self): """Prepare the test context:""" # we prepare a bunch a service url and service patterns for tests self.setup_service_patterns() def assert_logged(self, client, response, warn=False, code=200): """Assertions testing that client is well authenticated""" self.assertEqual(response.status_code, code) # this message is displayed to the user upon successful authentication self.assertTrue( ( b"You have successfully logged into " b"the Central Authentication Service" ) in response.content ) # these session variables a set if usccessfully authenticated self.assertTrue(client.session["username"] == settings.CAS_TEST_USER) self.assertTrue(client.session["warn"] is warn) self.assertTrue(client.session["authenticated"] is True) # on successfull authentication, a corresponding user object is created self.assertTrue( models.User.objects.get( username=settings.CAS_TEST_USER, session_key=client.session.session_key ) ) def assert_login_failed(self, client, response, code=200): """Assertions testing a failed login attempt""" self.assertEqual(response.status_code, code) # this message is displayed to the user upon successful authentication, so it should not # appear self.assertFalse( ( b"You have successfully logged into " b"the Central Authentication Service" ) in response.content ) # if authentication has failed, these session variables should not be set self.assertTrue(client.session.get("username") is None) self.assertTrue(client.session.get("warn") is None) self.assertTrue(client.session.get("authenticated") is None) def test_login_view_post_goodpass_goodlt(self): """Test a successul login""" # we get a client who fetch a frist time the login page and the login form default # parameters client, params = get_login_page_params() # we set username/password in the form params["username"] = settings.CAS_TEST_USER params["password"] = settings.CAS_TEST_PASSWORD # the LoginTicket in the form should match a valid LT in the user session self.assertTrue(params['lt'] in client.session['lt']) # we post a login attempt response = client.post('/login', params) # as username/password/lt are all valid, the login should succed self.assert_logged(client, response) # The LoginTicket is conssumed and should no longer be valid self.assertTrue(params['lt'] not in client.session['lt']) def test_login_view_post_goodpass_goodlt_warn(self): """Test a successul login requesting to be warned before creating services tickets""" # get a client and initial login params client, params = get_login_page_params() # set valids usernames/passswords params["username"] = settings.CAS_TEST_USER params["password"] = settings.CAS_TEST_PASSWORD # this time, we check the warn checkbox params["warn"] = "on" # postings login request response = client.post('/login', params) # as username/password/lt are all valid, the login should succed and warn be enabled self.assert_logged(client, response, warn=True) def test_lt_max(self): """Check we only keep the last 100 Login Ticket for a user""" # get a client and initial login params client, params = get_login_page_params() # get a first LT that should be valid current_lt = params["lt"] # we keep the last 100 generated LT by user, so after having generated `i_in_test` we # test if `current_lt` is still valid i_in_test = random.randint(0, 99) # after `i_not_in_test` `current_lt` should be valid not more i_not_in_test = random.randint(101, 150) # start generating 150 LT for i in range(150): if i == i_in_test: # before more than 100 LT generated, the first TL should be valid self.assertTrue(current_lt in client.session['lt']) if i == i_not_in_test: # after more than 100 LT generated, the first LT should be valid no more self.assertTrue(current_lt not in client.session['lt']) # assert that we do not keep more that 100 valid LT self.assertTrue(len(client.session['lt']) <= 100) # generate a new LT by getting the login page client, params = get_login_page_params(client) # in the end, we still have less that 100 valid LT self.assertTrue(len(client.session['lt']) <= 100) def test_login_view_post_badlt(self): """Login attempt with a bad LoginTicket, login should fail""" # get a client and initial login params client, params = get_login_page_params() # set valid username/password params["username"] = settings.CAS_TEST_USER params["password"] = settings.CAS_TEST_PASSWORD # set a bad LT params["lt"] = 'LT-random' # posting the login request response = client.post('/login', params) # as the LT is not valid, login should fail self.assert_login_failed(client, response) # the reason why login has failed is displayed to the user self.assertTrue(b"Invalid login ticket" in response.content) def test_login_view_post_badpass_good_lt(self): """Login attempt with a bad password""" # get a client and initial login params client, params = get_login_page_params() # set valid username but invalid password params["username"] = settings.CAS_TEST_USER params["password"] = "test2" # posting the login request response = client.post('/login', params) # as the password is wrong, login should fail self.assert_login_failed(client, response) # the reason why login has failed is displayed to the user self.assertTrue( ( b"The credentials you provided cannot be " b"determined to be authentic" ) in response.content ) def assert_ticket_attributes(self, client, ticket_value): """check the ticket attributes in the db""" # Get get current session user in the db user = models.User.objects.get( username=settings.CAS_TEST_USER, session_key=client.session.session_key ) # we should find exactly one user self.assertTrue(user) # get the ticker object corresponting to `ticket_value` ticket = models.ServiceTicket.objects.get(value=ticket_value) # chek that the ticket is well attributed to the user self.assertEqual(ticket.user, user) # check that the user attributes match the attributes registered on the ticket self.assertEqual(ticket.attributs, settings.CAS_TEST_ATTRIBUTES) # check that the ticket has not being validated yet self.assertEqual(ticket.validate, False) # check that the service pattern registered on the ticket is the on we use for tests self.assertEqual(ticket.service_pattern, self.service_pattern) def assert_service_ticket(self, client, response): """check that a ticket is well emited when requested on a allowed service""" # On ticket emission, we should be redirected to the service url, setting the ticket # GET parameter self.assertEqual(response.status_code, 302) self.assertTrue(response.has_header('Location')) self.assertTrue( response['Location'].startswith( "https://www.example.com?ticket=%s-" % settings.CAS_SERVICE_TICKET_PREFIX ) ) # check that the value of the ticket GET parameter match the value of the ticket # created in the db ticket_value = response['Location'].split('ticket=')[-1] self.assert_ticket_attributes(client, ticket_value) def test_view_login_get_allowed_service(self): """Request a ticket for an allowed service by an unauthenticated client""" # get a bare new http client client = Client() # we are not authenticated and are asking for a ticket for https://www.example.com # which is a valid service matched by self.service_pattern response = client.get("/login?service=https://www.example.com") # the login page should be displayed self.assertEqual(response.status_code, 200) # we warn the user why it need to authenticated self.assertTrue( ( b"Authentication required by service " b"example (https://www.example.com)" ) in response.content ) def test_view_login_get_denied_service(self): """Request a ticket for an denied service by an unauthenticated client""" # get a bare new http client client = Client() # we are not authenticated and are asking for a ticket for https://www.example.net # which is NOT a valid service response = client.get("/login?service=https://www.example.net") self.assertEqual(response.status_code, 200) # we warn the user that https://www.example.net is not an allowed service url self.assertTrue(b"Service https://www.example.net non allowed" in response.content) def test_view_login_get_auth_allowed_service(self): """Request a ticket for an allowed service by an authenticated client""" # get a client that is already authenticated client = get_auth_client() # ask for a ticket for https://www.example.com response = client.get("/login?service=https://www.example.com") # as https://www.example.com is a valid service a ticket should be created and the # user redirected to the service url self.assert_service_ticket(client, response) def test_view_login_get_auth_allowed_service_warn(self): """Request a ticket for an allowed service by an authenticated client""" # get a client that is already authenticated and has ask to be warned befor we # generated a ticket client = get_auth_client(warn="on") # ask for a ticket for https://www.example.com response = client.get("/login?service=https://www.example.com") # we display a warning to the user, asking him to validate the ticket creation (insted # a generating and redirecting directly to the service url) self.assertEqual(response.status_code, 200) self.assertTrue( ( b"Authentication has been required by service " b"example (https://www.example.com)" ) in response.content ) # get the displayed form parameters params = copy_form(response.context["form"]) # we post, confirming we want a ticket response = client.post("/login", params) # as https://www.example.com is a valid service a ticket should be created and the # user redirected to the service url self.assert_service_ticket(client, response) def test_view_login_get_auth_denied_service(self): """Request a ticket for a not allowed service by an authenticated client""" # get a client that is already authenticated client = get_auth_client() # we are authenticated and are asking for a ticket for https://www.example.org # which is NOT a valid service response = client.get("/login?service=https://www.example.org") self.assertEqual(response.status_code, 200) # we warn the user that https://www.example.net is not an allowed service url # NO ticket are created self.assertTrue(b"Service https://www.example.org non allowed" in response.content) def test_user_logged_not_in_db(self): """If the user is logged but has been delete from the database, it should be logged out""" # get a client that is already authenticated client = get_auth_client() # delete the user in the db models.User.objects.get( username=settings.CAS_TEST_USER, session_key=client.session.session_key ).delete() # fetch the login page response = client.get("/login") # The user should be logged out self.assert_login_failed(client, response, code=302) # and redirected to the login page. We branch depending on the version a django as # the test client behaviour changed after django 1.9 if django.VERSION < (1, 9): # pragma: no cover coverage is computed with dango 1.9 self.assertEqual(response["Location"], "http://testserver/login") else: self.assertEqual(response["Location"], "/login?") def test_service_restrict_user(self): """Testing the restric user capability from a service""" # get a client that is already authenticated client = get_auth_client() # trying to get a ticket from a service url matched by a service pattern having a # restriction on the usernames allowed to get tickets. the test user username is not one # of this username. response = client.get("/login", {'service': self.service_restrict_user_fail}) self.assertEqual(response.status_code, 200) # the ticket is not created and a warning is displayed to the user self.assertTrue(b"Username non allowed" in response.content) # same but with the tes user username being one of the allowed usernames response = client.get("/login", {'service': self.service_restrict_user_success}) # the ticket is created and we are redirected to the service url self.assertEqual(response.status_code, 302) self.assertTrue( response["Location"].startswith("%s?ticket=" % self.service_restrict_user_success) ) def test_service_filter(self): """Test the filtering on user attributes""" # get a client that is already authenticated client = get_auth_client() # trying to get a ticket from a service url matched by a service pattern having # a restriction on the user attributes. The test user if ailing these restrictions # We try first with a single value attribut (aka a string) and then with # a multi values attributs (aka a list of strings) for service in [self.service_filter_fail, self.service_filter_fail_alt]: response = client.get("/login", {'service': service}) # the ticket is not created and a warning is displayed to the user self.assertEqual(response.status_code, 200) self.assertTrue(b"User charateristics non allowed" in response.content) # same but with rectriction that a valid upon the test user attributes response = client.get("/login", {'service': self.service_filter_success}) # the ticket us created and the user redirected to the service url self.assertEqual(response.status_code, 302) self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service_filter_success)) def test_service_user_field(self): """Test using a user attribute as username: case on if the attribute exists or not""" # get a client that is already authenticated client = get_auth_client() # trying to get a ticket from a service url matched by a service pattern that use # a particular attribute has username. The test user do NOT have this attribute response = client.get("/login", {'service': self.service_field_needed_fail}) # the ticket is not created and a warning is displayed to the user self.assertEqual(response.status_code, 200) self.assertTrue(b"The attribut uid is needed to use that service" in response.content) # same but with a attribute that the test user has response = client.get("/login", {'service': self.service_field_needed_success}) # the ticket us created and the user redirected to the service url self.assertEqual(response.status_code, 302) self.assertTrue( response["Location"].startswith("%s?ticket=" % self.service_field_needed_success) ) @override_settings(CAS_TEST_ATTRIBUTES={'alias': []}) def test_service_user_field_evaluate_to_false(self): """ Test using a user attribute as username: case the attribute exists but evaluate to False """ # get a client that is already authenticated client = get_auth_client() # trying to get a ticket from a service url matched by a service pattern that use # a particular attribute has username. The test user have this attribute, but it is # evaluated to False (eg an empty string "" or an empty list []) response = client.get("/login", {"service": self.service_field_needed_success}) # the ticket is not created and a warning is displayed to the user self.assertEqual(response.status_code, 200) self.assertTrue(b"The attribut alias is needed to use that service" in response.content) def test_gateway(self): """test gateway parameter""" # First with an authenticated client that fail to get a ticket for a service service = "https://restrict_user_fail.example.com" # get a client that is already authenticated client = get_auth_client() # the authenticated client fail to get a ticket for some reason response = client.get("/login", {'service': service, 'gateway': 'on'}) # as gateway is set, he is redirected to the service url without any ticket self.assertEqual(response.status_code, 302) self.assertEqual(response["Location"], service) # second for an user not yet authenticated on a valid service client = Client() # the client fail to get a ticket since he is not yep authenticated response = client.get('/login', {'service': service, 'gateway': 'on'}) # as gateway is set, he is redirected to the service url without any ticket self.assertEqual(response.status_code, 302) self.assertEqual(response["Location"], service) def test_renew(self): """test the authentication renewal request from a service""" # use the default test service service = "https://www.example.com" # get a client that is already authenticated client = get_auth_client() # ask for a ticket for the service but aks for authentication renewal response = client.get("/login", {'service': service, 'renew': 'on'}) # we are ask to reauthenticate and tell the user why self.assertEqual(response.status_code, 200) self.assertTrue( ( b"Authentication renewal required by " b"service example (https://www.example.com)" ) in response.content ) # get the form default parameter params = copy_form(response.context["form"]) # set valid username/password params["username"] = settings.CAS_TEST_USER params["password"] = settings.CAS_TEST_PASSWORD # the renew parameter from the form should be True self.assertEqual(params["renew"], True) # post the authentication request response = client.post("/login", params) # the request succed, a ticket is created and we are redirected to the service url self.assertEqual(response.status_code, 302) ticket_value = response['Location'].split('ticket=')[-1] ticket = models.ServiceTicket.objects.get(value=ticket_value) # the created ticket is marked has being gottent after a renew. Futher testing about # renewing authentication is done in the validate and serviceValidate views tests self.assertEqual(ticket.renew, True) @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_login_required(self): """ test ajax, login required. The ajax methods allow the log a user in using javascript. For doing so, every 302 redirection a replaced by a 200 returning a json with the url to redirect to. By default, ajax login is disabled. If CAS_ENABLE_AJAX_AUTH is True, ajax login is enable and only page on the same domain as the CAS can do ajax request. To allow pages on other domains, you need to use CORS. You can use the django app corsheaders for that. Be carefull to only allow domains you completly trust as any javascript on these domaine will be able to authenticate as the user. """ # get a bare client client = Client() # fetch the login page setting up the custom header HTTP_X_AJAX to tell we wish to de # ajax requests response = client.get("/login", HTTP_X_AJAX='on') # we get a json as response telling us the user need to be authenticated self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "error") self.assertEqual(data["detail"], "login required") self.assertEqual(data["url"], "/login") @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_logged_user_deleted(self): """test ajax user logged deleted: login required""" # get a client that is already authenticated client = get_auth_client() # delete the user in the db user = models.User.objects.get( username=settings.CAS_TEST_USER, session_key=client.session.session_key ) user.delete() # fetch the login page with ajax on response = client.get("/login", HTTP_X_AJAX='on') # we get a json telling us that the user need to authenticate self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "error") self.assertEqual(data["detail"], "login required") self.assertEqual(data["url"], "/login") @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_logged(self): """test ajax user is successfully logged""" # get a client that is already authenticated client = get_auth_client() # fetch the login page with ajax on response = client.get("/login", HTTP_X_AJAX='on') # we get a json telling us that the user is well authenticated self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "success") self.assertEqual(data["detail"], "logged") @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_get_ticket_success(self): """test ajax retrieve a ticket for an allowed service""" # using the default test service service = "https://www.example.com" # get a client that is already authenticated client = get_auth_client() # fetch the login page with ajax on response = client.get("/login", {'service': service}, HTTP_X_AJAX='on') # we get a json telling us that the ticket has being created # and we get the url to fetch to authenticate the user to the service # contening the ticket has GET parameter self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "success") self.assertEqual(data["detail"], "auth") self.assertTrue(data["url"].startswith('%s?ticket=' % service)) def test_ajax_get_ticket_success_alt(self): """ test ajax retrieve a ticket for an allowed service. Same as above but with CAS_ENABLE_AJAX_AUTH=False """ # using the default test service service = "https://www.example.com" # get a client that is already authenticated client = get_auth_client() # fetch the login page with ajax on response = client.get("/login", {'service': service}, HTTP_X_AJAX='on') # as CAS_ENABLE_AJAX_AUTH is False the ajax request is ignored and word normally: # 302 redirect to the service url with ticket as GET parameter. javascript # cannot retieve the ticket info and try follow the redirect to an other domain and fail # silently self.assertEqual(response.status_code, 302) @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_get_ticket_fail(self): """test ajax retrieve a ticket for a denied service""" # using a denied service url service = "https://www.example.org" # get a client that is already authenticated client = get_auth_client() # fetch the login page with ajax on response = client.get("/login", {'service': service}, HTTP_X_AJAX='on') # we get a json telling us that the service is not allowed self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "error") self.assertEqual(data["detail"], "auth") self.assertEqual(data["messages"][0]["level"], "error") self.assertEqual( data["messages"][0]["message"], "Service https://www.example.org non allowed." ) @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_get_ticket_warn(self): """test get a ticket but user asked to be warned""" # using the default test service service = "https://www.example.com" # get a client that is already authenticated wth warn on client = get_auth_client(warn="on") # fetch the login page with ajax on response = client.get("/login", {'service': service}, HTTP_X_AJAX='on') # we get a json telling us that we cannot get a ticket transparently and that the # user has asked to be warned self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "error") self.assertEqual(data["detail"], "confirmation needed") @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class LogoutTestCase(TestCase): """test fot the logout view""" def setUp(self): """Prepare the test context""" # for testing SingleLogOut we need to use a service on localhost were we lanch # a simple one request http server self.service = 'http://127.0.0.1:45678' self.service_pattern = models.ServicePattern.objects.create( name="localhost", pattern="^https?://127\.0\.0\.1(:[0-9]+)?(/.*)?$", single_log_out=True ) # return all user attributes models.ReplaceAttributName.objects.create(name="*", service_pattern=self.service_pattern) def test_logout(self): """logout is idempotent""" # get a bare client client = Client() # call logout client.get("/logout") # we are still not logged self.assertFalse(client.session.get("username")) self.assertFalse(client.session.get("authenticated")) def test_logout_view(self): """test simple logout, logout only an user from one and only one sessions""" # get two authenticated client with the same test user (but two different sessions) client = get_auth_client() client2 = get_auth_client() # fetch login, the first client is well authenticated response = client.get("/login") self.assertEqual(response.status_code, 200) self.assertTrue( ( b"You have successfully logged into " b"the Central Authentication Service" ) in response.content ) # and session variable are well self.assertTrue(client.session["username"] == settings.CAS_TEST_USER) self.assertTrue(client.session["authenticated"] is True) # call logout with the first client response = client.get("/logout") # the client is logged out self.assertEqual(response.status_code, 200) self.assertTrue( ( b"You have successfully logged out from " b"the Central Authentication Service" ) in response.content ) # and session variable a well cleaned self.assertFalse(client.session.get("username")) self.assertFalse(client.session.get("authenticated")) # client2 is still logged self.assertTrue(client2.session["username"] == settings.CAS_TEST_USER) self.assertTrue(client2.session["authenticated"] is True) response = client.get("/login") # fetch login, the second client is well authenticated self.assertEqual(response.status_code, 200) self.assertFalse( ( b"You have successfully logged into " b"the Central Authentication Service" ) in response.content ) def test_logout_from_all_session(self): """test logout from all my session""" # get two authenticated client with the same test user (but two different sessions) client = get_auth_client() client2 = get_auth_client() # call logout with the first client and ask to be logged out from all of this user sessions client.get("/logout?all=1") # both client are logged out self.assertFalse(client.session.get("username")) self.assertFalse(client.session.get("authenticated")) self.assertFalse(client2.session.get("username")) self.assertFalse(client2.session.get("authenticated")) def assert_redirect_to_service(self, client, response): """assert logout redirect to parameter""" # assert a redirection with a service self.assertEqual(response.status_code, 302) self.assertTrue(response.has_header("Location")) self.assertEqual(response["Location"], "https://www.example.com") response = client.get("/login") self.assertEqual(response.status_code, 200) # assert we are not longer logged in self.assertFalse( ( b"You have successfully logged into " b"the Central Authentication Service" ) in response.content ) def test_logout_view_url(self): """test logout redirect to url parameter""" # get a client that is authenticated client = get_auth_client() # logout with an url paramer response = client.get('/logout?url=https://www.example.com') # we are redirected to the addresse of the url parameter self.assert_redirect_to_service(client, response) def test_logout_view_service(self): """test logout redirect to service parameter""" # get a client that is authenticated client = get_auth_client() # logout with a service parameter response = client.get('/logout?service=https://www.example.com') # we are redirected to the addresse of the service parameter self.assert_redirect_to_service(client, response) def test_logout_slo(self): """test logout from a service with SLO support""" parameters = [] # test normal SLO # setup a simple one request http server (httpd, host, port) = HttpParamsHandler.run()[0:3] # build a service url depending on which port the http server has binded service = "http://%s:%s" % (host, port) # get a ticket requested by client and being validated by the service (client, ticket) = get_validated_ticket(service)[:2] # the client logout triggering the send of the SLO requests client.get('/logout') # we store the POST parameters send for this ticket for furthur analisys parameters.append((httpd.PARAMS, ticket)) # text SLO with a single_log_out_callback # setup a simple one request http server (httpd, host, port) = HttpParamsHandler.run()[0:3] # set the default test service pattern to use the http server port for SLO requests. # in fact, this single_log_out_callback parametter is usefull to implement SLO # for non http service like imap or ftp self.service_pattern.single_log_out_callback = "http://%s:%s" % (host, port) self.service_pattern.save() # get a ticket requested by client and being validated by the service (client, ticket) = get_validated_ticket(self.service)[:2] # the client logout triggering the send of the SLO requests client.get('/logout') # we store the POST parameters send for this ticket for furthur analisys parameters.append((httpd.PARAMS, ticket)) # for earch POST parameters and corresponding ticket for (params, ticket) in parameters: # there is a POST parameter 'logoutRequest' self.assertTrue(b'logoutRequest' in params and params[b'logoutRequest']) # it is a valid xml root = etree.fromstring(params[b'logoutRequest'][0]) # contening a tag self.assertTrue( root.xpath( "//samlp:LogoutRequest", namespaces={"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"} ) ) # with a tag enclosing the value of the ticket session_index = root.xpath( "//samlp:SessionIndex", namespaces={"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"} ) self.assertEqual(len(session_index), 1) self.assertEqual(session_index[0].text, ticket.value) # SLO error are displayed on logout page (client, ticket) = get_validated_ticket(self.service)[:2] # the client logout triggering the send of the SLO requests but # not http server are listening response = client.get('/logout') self.assertTrue(b"Error during service logout" in response.content) @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_logout(self): """ test ajax logout. These methode are here, but I do not really see an use case for javascript logout """ # get a client that is authenticated client = get_auth_client() # fetch the logout page with ajax on response = client.get('/logout', HTTP_X_AJAX='on') # we get a json telling us the user is well logged out self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "success") self.assertEqual(data["detail"], "logout") self.assertEqual(data['session_nb'], 1) @override_settings(CAS_ENABLE_AJAX_AUTH=True) def test_ajax_logout_all_session(self): """test ajax logout from a random number a sessions""" # fire a random int in [2, 10[ nb_client = random.randint(2, 10) # get this much of logged clients all for the test user clients = [get_auth_client() for i in range(nb_client)] # fetch the logout page with ajax on, requesting to logout from all sessions response = clients[0].get('/logout?all=1', HTTP_X_AJAX='on') # we get a json telling us the user is well logged out and the number of session # the user has being logged out self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "success") self.assertEqual(data["detail"], "logout") self.assertEqual(data['session_nb'], nb_client) @override_settings(CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT=True) def test_redirect_after_logout(self): """Test redirect to login after logout parameter""" # get a client that is authenticated client = get_auth_client() # fetch the logout page response = client.get('/logout') # as CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT is True, we are redirected to the login page self.assertEqual(response.status_code, 302) if django.VERSION < (1, 9): # pragma: no cover coverage is computed with dango 1.9 self.assertEqual(response["Location"], "http://testserver/login") else: self.assertEqual(response["Location"], "/login") self.assertFalse(client.session.get("username")) self.assertFalse(client.session.get("authenticated")) @override_settings(CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT=True) def test_redirect_after_logout_to_service(self): """test prevalence of redirect url/service parameter over redirect to login after logout""" # get a client that is authenticated client = get_auth_client() # fetch the logout page with an url parameter response = client.get('/logout?url=https://www.example.com') # we are redirected to the url parameter and not to the login page self.assert_redirect_to_service(client, response) # fetch the logout page with an service parameter response = client.get('/logout?service=https://www.example.com') # we are redirected to the service parameter and not to the login page self.assert_redirect_to_service(client, response) @override_settings(CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT=True, CAS_ENABLE_AJAX_AUTH=True) def test_ajax_redirect_after_logout(self): """Test ajax redirect to login after logout parameter""" # get a client that is authenticated client = get_auth_client() # fetch the logout page with ajax on response = client.get('/logout', HTTP_X_AJAX='on') # we get a json telling us the user is well logged out. And url key is added to aks for # redirection to the login page self.assertEqual(response.status_code, 200) data = json.loads(response.content.decode("utf8")) self.assertEqual(data["status"], "success") self.assertEqual(data["detail"], "logout") self.assertEqual(data['session_nb'], 1) self.assertEqual(data['url'], '/login') @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class AuthTestCase(TestCase): """ Test for the auth view, used for external services to validate (user, pass, service) tuples. """ def setUp(self): """preparing test context""" # setting up a default test service url and pattern self.service = 'https://www.example.com' models.ServicePattern.objects.create( name="example", pattern="^https://www\.example\.com(/.*)?$" ) @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_goodpass(self): """successful request are awsered by yes""" # get a bare client client = Client() # post the the auth view a valid (username, password, service) and the shared secret # to test the user again the service, a user is created in the database for the # current session and is then deleted as the user is not authenticated response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': self.service, 'secret': 'test' } ) # as (username, password, service) and the hared secret are valid, we get yes as a response self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'yes\n') @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_goodpass_logged(self): """successful request are awsered by yes, using a logged sessions""" # same as above client = get_auth_client() # to test the user again the service, a user is fetch in the database for the # current session and is NOT deleted as the user is currently logged. # Deleting the user from the database would cause the user to be logged out as # showed in the login tests response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': self.service, 'secret': 'test' } ) # as (username, password, service) and the hared secret are valid, we get yes as a response self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'yes\n') @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_badpass(self): """ bag user password => no""" client = Client() response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': 'badpass', 'service': self.service, 'secret': 'test' } ) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_badservice(self): """bad service => no""" client = Client() response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': 'https://www.example.org', 'secret': 'test' } ) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_badsecret(self): """bad api key => no""" client = Client() response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': self.service, 'secret': 'badsecret' } ) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') def test_auth_view_badsettings(self): """api not set => error""" client = Client() response = client.post( '/auth', { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': self.service, 'secret': 'test' } ) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b"no\nplease set CAS_AUTH_SHARED_SECRET") @override_settings(CAS_AUTH_SHARED_SECRET='test') def test_auth_view_missing_parameter(self): """missing parameter in request => no""" client = Client() params = { 'username': settings.CAS_TEST_USER, 'password': settings.CAS_TEST_PASSWORD, 'service': self.service, 'secret': 'test' } for key in ['username', 'password', 'service']: send_params = params.copy() del send_params[key] response = client.post('/auth', send_params) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class ValidateTestCase(TestCase): """tests for the validate view""" def setUp(self): """preparing test context""" # setting up a default test service url and pattern self.service = 'https://www.example.com' self.service_pattern = models.ServicePattern.objects.create( name="example", pattern="^https://www\.example\.com(/.*)?$" ) models.ReplaceAttributName.objects.create(name="*", service_pattern=self.service_pattern) # setting up a test service and pattern using a multi valued user attribut as username # the first value of the list should be used as username self.service_user_field = "https://user_field.example.com" self.service_pattern_user_field = models.ServicePattern.objects.create( name="user field", pattern="^https://user_field\.example\.com(/.*)?$", user_field="alias" ) # setting up a test service and pattern using a single valued user attribut as username self.service_user_field_alt = "https://user_field_alt.example.com" self.service_pattern_user_field_alt = models.ServicePattern.objects.create( name="user field alt", pattern="^https://user_field_alt\.example\.com(/.*)?$", user_field="nom" ) def test_validate_view_ok(self): """test for a valid (ticket, service)""" # get a ticket waiting to be validated for self.service ticket = get_user_ticket_request(self.service)[1] # get a bare client client = Client() # calling the validate view with this ticket value and service response = client.get('/validate', {'ticket': ticket.value, 'service': self.service}) # get yes as a response and the test user username self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'yes\ntest\n') def test_validate_view_badservice(self): """test for a valid ticket but bad service""" ticket = get_user_ticket_request(self.service)[1] client = Client() # calling the validate view with this ticket value and another service response = client.get( '/validate', {'ticket': ticket.value, 'service': "https://www.example.org"} ) # the ticket service and validation service do not match, validation should fail self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') def test_validate_view_badticket(self): """test for a bad ticket but valid service""" get_user_ticket_request(self.service) client = Client() # calling the validate view with another ticket value and this service response = client.get( '/validate', {'ticket': "%s-RANDOM" % settings.CAS_SERVICE_TICKET_PREFIX, 'service': self.service} ) # as the ticket is bad, validation should fail self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') def test_validate_user_field_ok(self): """ test with a good user_field. A bad user_field (that evaluate to False) wont happed cause it is filtered in the login view """ for (service, username) in [ (self.service_user_field, b"demo1"), (self.service_user_field_alt, b"Nymous") ]: ticket = get_user_ticket_request(service)[1] client = Client() response = client.get( '/validate', {'ticket': ticket.value, 'service': service} ) self.assertEqual(response.status_code, 200) # the user attribute is well used as username self.assertEqual(response.content, b'yes\n' + username + b'\n') def test_validate_missing_parameter(self): """test with a missing GET parameter among [service, ticket]""" ticket = get_user_ticket_request(self.service)[1] client = Client() params = {'ticket': ticket.value, 'service': self.service} for key in ['ticket', 'service']: send_params = params.copy() del send_params[key] response = client.get('/validate', send_params) # if the GET request is missing the ticket or # service GET parameter, validation should fail self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'no\n') @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class ValidateServiceTestCase(TestCase, XmlContent): """tests for the serviceValidate view""" def setUp(self): """preparing test context""" # for testing SingleLogOut and Proxy GrantingTicket transmission # we need to use a service on localhost were we launch # a simple one request http server self.service = 'http://127.0.0.1:45678' self.service_pattern = models.ServicePattern.objects.create( name="localhost", pattern="^https?://127\.0\.0\.1(:[0-9]+)?(/.*)?$", # allow to request PGT by the service proxy_callback=True ) # tell the service pattern to transmit all the user attributes (* is a joker) models.ReplaceAttributName.objects.create(name="*", service_pattern=self.service_pattern) # test service pattern using the attribute alias as username self.service_user_field = "https://user_field.example.com" self.service_pattern_user_field = models.ServicePattern.objects.create( name="user field", pattern="^https://user_field\.example\.com(/.*)?$", user_field="alias" ) # test service pattern using the attribute nom as username self.service_user_field_alt = "https://user_field_alt.example.com" self.service_pattern_user_field_alt = models.ServicePattern.objects.create( name="user field alt", pattern="^https://user_field_alt\.example\.com(/.*)?$", user_field="nom" ) # test service pattern only transmiting one single attributes self.service_one_attribute = "https://one_attribute.example.com" self.service_pattern_one_attribute = models.ServicePattern.objects.create( name="one_attribute", pattern="^https://one_attribute\.example\.com(/.*)?$" ) models.ReplaceAttributName.objects.create( name="nom", service_pattern=self.service_pattern_one_attribute ) # test service pattern testing attribute name and value replacement self.service_replace_attribute_list = "https://replace_attribute_list.example.com" self.service_pattern_replace_attribute_list = models.ServicePattern.objects.create( name="replace_attribute_list", pattern="^https://replace_attribute_list\.example\.com(/.*)?$", ) models.ReplaceAttributValue.objects.create( attribut="alias", pattern="^demo", replace="truc", service_pattern=self.service_pattern_replace_attribute_list ) models.ReplaceAttributName.objects.create( name="alias", replace="ALIAS", service_pattern=self.service_pattern_replace_attribute_list ) self.service_replace_attribute = "https://replace_attribute.example.com" self.service_pattern_replace_attribute = models.ServicePattern.objects.create( name="replace_attribute", pattern="^https://replace_attribute\.example\.com(/.*)?$", ) models.ReplaceAttributValue.objects.create( attribut="nom", pattern="N", replace="P", service_pattern=self.service_pattern_replace_attribute ) models.ReplaceAttributName.objects.create( name="nom", replace="NOM", service_pattern=self.service_pattern_replace_attribute ) def test_validate_service_view_ok(self): """test with a valid (ticket, service), the username and all attributes are transmited""" # get a ticket from an authenticated user waiting for validation ticket = get_user_ticket_request(self.service)[1] # get a bare client client = Client() # requesting validation with a good (ticket, service) response = client.get('/serviceValidate', {'ticket': ticket.value, 'service': self.service}) # the validation should succes with username settings.CAS_TEST_USER and transmit # the attributes settings.CAS_TEST_ATTRIBUTES self.assert_success(response, settings.CAS_TEST_USER, settings.CAS_TEST_ATTRIBUTES) def test_validate_service_view_ok_one_attribute(self): """ test with a valid (ticket, service), the username and the 'nom' only attribute are transmited """ # get a ticket for a service that transmit only one attribute ticket = get_user_ticket_request(self.service_one_attribute)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': self.service_one_attribute} ) # the validation should succed, returning settings.CAS_TEST_USER as username and a single # attribute 'nom' self.assert_success( response, settings.CAS_TEST_USER, {'nom': settings.CAS_TEST_ATTRIBUTES['nom']} ) def test_validate_replace_attributes(self): """test with a valid (ticket, service), attributes name and value replacement""" # get a ticket for a service pattern replacing attributes names # nom -> NOM and value nom -> s/^N/P/ for a single valued attribute ticket = get_user_ticket_request(self.service_replace_attribute)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': self.service_replace_attribute} ) self.assert_success( response, settings.CAS_TEST_USER, {'NOM': 'Pymous'} ) # get a ticket for a service pattern replacing attributes names # alias -> ALIAS and value alias -> s/demo/truc/ for a multi valued attribute ticket = get_user_ticket_request(self.service_replace_attribute_list)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': self.service_replace_attribute_list} ) self.assert_success( response, settings.CAS_TEST_USER, {'ALIAS': ['truc1', 'truc2']} ) def test_validate_service_view_badservice(self): """test with a valid ticket but a bad service, the validatin should fail""" # get a ticket for service A ticket = get_user_ticket_request(self.service)[1] client = Client() bad_service = "https://www.example.org" # try to validate it for service B response = client.get('/serviceValidate', {'ticket': ticket.value, 'service': bad_service}) # the validation should fail with error code "INVALID_SERVICE" self.assert_error( response, "INVALID_SERVICE", bad_service ) def test_validate_service_view_badticket_goodprefix(self): """ test with a good service but a bad ticket begining with ST-, the validation should fail with the error (INVALID_TICKET, ticket not found) """ get_user_ticket_request(self.service) client = Client() bad_ticket = "%s-RANDOM" % settings.CAS_SERVICE_TICKET_PREFIX response = client.get('/serviceValidate', {'ticket': bad_ticket, 'service': self.service}) self.assert_error( response, "INVALID_TICKET", 'ticket not found' ) def test_validate_service_view_badticket_badprefix(self): """ test with a good service bud a bad ticket not begining with ST-, the validation should fail with the error (INVALID_TICKET, `the ticket`) """ get_user_ticket_request(self.service) client = Client() bad_ticket = "RANDOM" response = client.get('/serviceValidate', {'ticket': bad_ticket, 'service': self.service}) self.assert_error( response, "INVALID_TICKET", bad_ticket ) def test_validate_service_view_ok_pgturl(self): """test the retrieval of a ProxyGrantingTicket""" # start a simple on request http server (httpd, host, port) = HttpParamsHandler.run()[0:3] # construct the service from it service = "http://%s:%s" % (host, port) # get a ticket to be validated ticket = get_user_ticket_request(service)[1] client = Client() # request a PGT ticket then validating the ticket by setting the pgtUrl parameter response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': service, 'pgtUrl': service} ) # We should have recieved the PGT via a GET request parameter on the simple http server pgt_params = httpd.PARAMS self.assertEqual(response.status_code, 200) root = etree.fromstring(response.content) # the validation response should return a id to match again the request transmitting the PGT pgtiou = root.xpath( "//cas:proxyGrantingTicket", namespaces={'cas': "http://www.yale.edu/tp/cas"} ) self.assertEqual(len(pgtiou), 1) # the matching id for making corresponde one PGT to a validatin response should match self.assertEqual(pgt_params["pgtIou"], pgtiou[0].text) # the PGT is present in the receive GET requests parameters self.assertTrue("pgtId" in pgt_params) def test_validate_service_pgturl_sslerror(self): """test the retrieval of a ProxyGrantingTicket with a SSL error on the pgtUrl""" (host, port) = HttpParamsHandler.run()[1:3] # is fact the service listen on http and not https raisin a SSL Protocol Error # but other SSL/TLS error should behave the same service = "https://%s:%s" % (host, port) ticket = get_user_ticket_request(service)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': service, 'pgtUrl': service} ) # The pgtUrl is validated: it must be localhost or have valid x509 certificat and # certificat validation should succed. Moreother, pgtUrl should match a service pattern # with proxy_callback set to True self.assert_error( response, "INVALID_PROXY_CALLBACK", ) def test_validate_service_pgturl_404(self): """ test the retrieval on a ProxyGrantingTicket then to pgtUrl return a http error. PGT creation should be aborted but the ticket still be valid """ (host, port) = Http404Handler.run()[1:3] service = "http://%s:%s" % (host, port) ticket = get_user_ticket_request(service)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': service, 'pgtUrl': service} ) # The ticket is successfully validated root = self.assert_success(response, settings.CAS_TEST_USER, settings.CAS_TEST_ATTRIBUTES) # but no PGT is transmitted pgtiou = root.xpath( "//cas:proxyGrantingTicket", namespaces={'cas': "http://www.yale.edu/tp/cas"} ) self.assertFalse(pgtiou) def test_validate_service_pgturl_bad_proxy_callback(self): """test the retrieval of a ProxyGrantingTicket, not allowed pgtUrl should be denied""" self.service_pattern.proxy_callback = False self.service_pattern.save() ticket = get_user_ticket_request(self.service)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': self.service, 'pgtUrl': self.service} ) self.assert_error( response, "INVALID_PROXY_CALLBACK", "callback url not allowed by configuration" ) self.service_pattern.proxy_callback = True ticket = get_user_ticket_request(self.service)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': self.service, 'pgtUrl': "https://www.example.org"} ) self.assert_error( response, "INVALID_PROXY_CALLBACK", "callback url not allowed by configuration" ) def test_validate_user_field_ok(self): """ test with a good user_field. A bad user_field (that evaluate to False) wont happed cause it is filtered in the login view """ for (service, username) in [ (self.service_user_field, settings.CAS_TEST_ATTRIBUTES["alias"][0]), (self.service_user_field_alt, settings.CAS_TEST_ATTRIBUTES["nom"]) ]: # requesting a ticket for a service url matched by a service pattern using a user # attribute as username ticket = get_user_ticket_request(service)[1] client = Client() response = client.get( '/serviceValidate', {'ticket': ticket.value, 'service': service} ) # The validate shoudl be successful with specified username and no attributes transmited self.assert_success( response, username, {} ) def test_validate_missing_parameter(self): """test with a missing GET parameter among [service, ticket]""" ticket = get_user_ticket_request(self.service)[1] client = Client() params = {'ticket': ticket.value, 'service': self.service} for key in ['ticket', 'service']: send_params = params.copy() del send_params[key] response = client.get('/serviceValidate', send_params) # a validation request with a missing GET parameter should fail self.assert_error( response, "INVALID_REQUEST", "you must specify a service and a ticket" ) @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class ProxyTestCase(TestCase, BaseServicePattern, XmlContent): """tests for the proxy view""" def setUp(self): """preparing test context""" # we prepare a bunch a service url and service patterns for tests self.setup_service_patterns(proxy=True) # set the default service pattern to localhost to be able to retrieve PGT self.service = 'http://127.0.0.1' self.service_pattern = models.ServicePattern.objects.create( name="localhost", pattern="^http://127\.0\.0\.1(:[0-9]+)?(/.*)?$", proxy=True, proxy_callback=True ) # transmit all attributes models.ReplaceAttributName.objects.create(name="*", service_pattern=self.service_pattern) def test_validate_proxy_ok(self): """ Get a PGT, get a proxy ticket, validate it. Validation should succeed and show the proxy service URL. """ # we directrly get a ProxyGrantingTicket params = get_pgt() # We try get a proxy ticket with our PGT client1 = Client() # for what we send a GET request to /proxy with ge PGT and the target service for which # we want a ProxyTicket to. response = client1.get( '/proxy', {'pgt': params['pgtId'], 'targetService': "https://www.example.com"} ) self.assertEqual(response.status_code, 200) # we should sucessfully reteive a PT root = etree.fromstring(response.content) sucess = root.xpath("//cas:proxySuccess", namespaces={'cas': "http://www.yale.edu/tp/cas"}) self.assertTrue(sucess) proxy_ticket = root.xpath( "//cas:proxyTicket", namespaces={'cas': "http://www.yale.edu/tp/cas"} ) self.assertEqual(len(proxy_ticket), 1) proxy_ticket = proxy_ticket[0].text # validate the proxy ticket with the service for which is was emitted client2 = Client() response = client2.get( '/proxyValidate', {'ticket': proxy_ticket, 'service': "https://www.example.com"} ) # validation should succeed and return settings.CAS_TEST_USER as username # and settings.CAS_TEST_ATTRIBUTES as attributes root = self.assert_success( response, settings.CAS_TEST_USER, settings.CAS_TEST_ATTRIBUTES ) # in the PT validation response, it should have the service url of the PGY proxies = root.xpath("//cas:proxies", namespaces={'cas': "http://www.yale.edu/tp/cas"}) self.assertEqual(len(proxies), 1) proxy = proxies[0].xpath("//cas:proxy", namespaces={'cas': "http://www.yale.edu/tp/cas"}) self.assertEqual(len(proxy), 1) self.assertEqual(proxy[0].text, params["service"]) def test_validate_proxy_bad_pgt(self): """Try to get a ProxyTicket with a bad PGT. The PT generation should fail""" # we directrly get a ProxyGrantingTicket params = get_pgt() client = Client() response = client.get( '/proxy', { 'pgt': "%s-RANDOM" % settings.CAS_PROXY_GRANTING_TICKET_PREFIX, 'targetService': params['service'] } ) self.assert_error( response, "INVALID_TICKET", "PGT %s-RANDOM not found" % settings.CAS_PROXY_GRANTING_TICKET_PREFIX ) def test_validate_proxy_bad_service(self): """ Try to get a ProxyTicket for a denied service and a service that do not allow PT. The PT generation should fail. """ # we directrly get a ProxyGrantingTicket params = get_pgt() # try to get a PT for a denied service client1 = Client() response = client1.get( '/proxy', {'pgt': params['pgtId'], 'targetService': "https://www.example.org"} ) self.assert_error( response, "UNAUTHORIZED_SERVICE", "https://www.example.org" ) # try to get a PT for a service that do not allow PT self.service_pattern.proxy = False self.service_pattern.save() client2 = Client() response = client2.get( '/proxy', {'pgt': params['pgtId'], 'targetService': params['service']} ) self.assert_error( response, "UNAUTHORIZED_SERVICE", 'the service %s do not allow proxy ticket' % params['service'] ) self.service_pattern.proxy = True self.service_pattern.save() def test_proxy_unauthorized_user(self): """ Try to get a PT for services that do not allow the current user: * first with a service that restrict allowed username * second with a service requiring somes conditions on the user attributes * third with a service using a particular user attribute as username All this tests should fail """ # we directrly get a ProxyGrantingTicket params = get_pgt() for service in [ # do ot allow the test username self.service_restrict_user_fail, # require the 'nom' attribute to be 'toto' self.service_filter_fail, # want to use the non-exitant 'uid' attribute as username self.service_field_needed_fail ]: client = Client() response = client.get( '/proxy', {'pgt': params['pgtId'], 'targetService': service} ) # PT generation should fail self.assert_error( response, "UNAUTHORIZED_USER", 'User %s not allowed on %s' % (settings.CAS_TEST_USER, service) ) def test_proxy_missing_parameter(self): """Try to get a PGT with some missing GET parameters. The PT should not be emited""" params = get_pgt() base_params = {'pgt': params['pgtId'], 'targetService': "https://www.example.org"} for key in ["pgt", 'targetService']: send_params = base_params.copy() del send_params[key] client = Client() response = client.get("/proxy", send_params) self.assert_error( response, "INVALID_REQUEST", 'you must specify and pgt and targetService' ) @override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser') class SamlValidateTestCase(TestCase, BaseServicePattern, XmlContent): """tests for the proxy view""" def setUp(self): """preparing test context""" # we prepare a bunch a service url and service patterns for tests self.setup_service_patterns(proxy=True) # special service pattern for retrieving a PGT self.service_pgt = 'http://127.0.0.1' self.service_pattern_pgt = models.ServicePattern.objects.create( name="localhost", pattern="^http://127\.0\.0\.1(:[0-9]+)?(/.*)?$", proxy=True, proxy_callback=True ) models.ReplaceAttributName.objects.create( name="*", service_pattern=self.service_pattern_pgt ) # template for the XML POST need to be send to validate a ticket using SAML 1.1 xml_template = """ %(ticket)s """ def assert_success(self, response, username, original_attributes): """assert ticket validation success""" self.assertEqual(response.status_code, 200) # on validation success, the response should have a StatusCode set to Success root = etree.fromstring(response.content) success = root.xpath( "//samlp:StatusCode", namespaces={'samlp': "urn:oasis:names:tc:SAML:1.0:protocol"} ) self.assertEqual(len(success), 1) self.assertTrue(success[0].attrib['Value'].endswith(":Success")) # the user username should be return whithin tags user = root.xpath( "//samla:NameIdentifier", namespaces={'samla': "urn:oasis:names:tc:SAML:1.0:assertion"} ) self.assertTrue(user) self.assertEqual(user[0].text, username) # the returned attributes should match original_attributes attributes = root.xpath( "//samla:AttributeStatement/samla:Attribute", namespaces={'samla': "urn:oasis:names:tc:SAML:1.0:assertion"} ) attrs = set() for attr in attributes: attrs.add((attr.attrib['AttributeName'], attr.getchildren()[0].text)) original = set() for key, value in original_attributes.items(): if isinstance(value, list): for subval in value: original.add((key, subval)) else: original.add((key, value)) self.assertEqual(original, attrs) def assert_error(self, response, code, msg=None): """assert ticket validation error""" self.assertEqual(response.status_code, 200) # on error the status code value should be the one provider in `code` root = etree.fromstring(response.content) error = root.xpath( "//samlp:StatusCode", namespaces={'samlp': "urn:oasis:names:tc:SAML:1.0:protocol"} ) self.assertEqual(len(error), 1) self.assertTrue(error[0].attrib['Value'].endswith(":%s" % code)) # it may have an error message if msg is not None: self.assertEqual(error[0].text, msg) def test_saml_ok(self): """ test with a valid (ticket, service), with a ST and a PT, the username and all attributes are transmited""" tickets = [ # return a ServiceTicket (standard ticket) waiting for validation get_user_ticket_request(self.service)[1], # return a PT waiting for validation get_proxy_ticket(self.service) ] for ticket in tickets: client = Client() # we send the POST validation requests response = client.post( '/samlValidate?TARGET=%s' % self.service, self.xml_template % { 'ticket': ticket.value, 'request_id': utils.gen_saml_id(), 'issue_instant': timezone.now().isoformat() }, content_type="text/xml; encoding='utf-8'" ) # and it should succeed self.assert_success(response, settings.CAS_TEST_USER, settings.CAS_TEST_ATTRIBUTES) def test_saml_ok_user_field(self): """test with a valid(ticket, service), use a attributes as transmitted username""" for (service, username) in [ (self.service_field_needed_success, settings.CAS_TEST_ATTRIBUTES['alias'][0]), (self.service_field_needed_success_alt, settings.CAS_TEST_ATTRIBUTES['nom']) ]: ticket = get_user_ticket_request(service)[1] client = Client() response = client.post( '/samlValidate?TARGET=%s' % service, self.xml_template % { 'ticket': ticket.value, 'request_id': utils.gen_saml_id(), 'issue_instant': timezone.now().isoformat() }, content_type="text/xml; encoding='utf-8'" ) self.assert_success(response, username, {}) def test_saml_bad_ticket(self): """test validation with a bad ST and a bad PT, validation should fail""" tickets = [utils.gen_st(), utils.gen_pt()] for ticket in tickets: client = Client() response = client.post( '/samlValidate?TARGET=%s' % self.service, self.xml_template % { 'ticket': ticket, 'request_id': utils.gen_saml_id(), 'issue_instant': timezone.now().isoformat() }, content_type="text/xml; encoding='utf-8'" ) self.assert_error( response, "AuthnFailed", 'ticket %s not found' % ticket ) def test_saml_bad_ticket_prefix(self): """test validation with a bad ticket prefix. Validation should fail with 'AuthnFailed'""" bad_ticket = "RANDOM-NOT-BEGINING-WITH-ST-OR-ST" client = Client() response = client.post( '/samlValidate?TARGET=%s' % self.service, self.xml_template % { 'ticket': bad_ticket, 'request_id': utils.gen_saml_id(), 'issue_instant': timezone.now().isoformat() }, content_type="text/xml; encoding='utf-8'" ) self.assert_error( response, "AuthnFailed", 'ticket %s should begin with PT- or ST-' % bad_ticket ) def test_saml_bad_target(self): """test with a valid ticket, but using a bad target, validation should fail""" bad_target = "https://www.example.org" ticket = get_user_ticket_request(self.service)[1] client = Client() response = client.post( '/samlValidate?TARGET=%s' % bad_target, self.xml_template % { 'ticket': ticket.value, 'request_id': utils.gen_saml_id(), 'issue_instant': timezone.now().isoformat() }, content_type="text/xml; encoding='utf-8'" ) self.assert_error( response, "AuthnFailed", 'TARGET %s do not match ticket service' % bad_target ) def test_saml_bad_xml(self): """test validation with a bad xml request, validation should fail""" client = Client() response = client.post( '/samlValidate?TARGET=%s' % self.service, "", content_type="text/xml; encoding='utf-8'" ) self.assert_error(response, 'VersionMismatch')