new: FilterAttributeValues: add tests for shibmdscope_match_scope and shibmdscope_match_value filters

Author: vladimir-mencl-eresearch

tests/satosa/micro_services/test_attribute_modifications.py

@@ -1,4 +1,8 @@
 import pytest
+from tests.util import FakeIdP, create_metadata_from_config_dict, FakeSP
+from saml2.mdstore import MetadataStore
+from saml2.config import Config
+from satosa.context import Context
 from satosa.exception import SATOSAError
 from satosa.internal import AuthenticationInformation
 from satosa.internal import InternalData
@@ -12,6 +16,22 @@ def create_filter_service(self, attribute_filters):
         filter_service.next = lambda ctx, data: data
         return filter_service
 
+    def create_idp_metadata_conf_with_shibmd_scopes(self, idp_entityid, shibmd_scopes):
+        idp_conf = {
+            "entityid": idp_entityid,
+            "service": {
+                "idp":{}
+            }
+        }
+
+        if shibmd_scopes is not None:
+            idp_conf["service"]["idp"]["scope"] = shibmd_scopes
+
+        metadata_conf = {
+            "inline": [create_metadata_from_config_dict(idp_conf)]
+        }
+        return metadata_conf
+
     def test_filter_all_attributes_from_all_target_providers_for_all_requesters(self):
         attribute_filters = {
             "": {  # all providers
@@ -158,3 +178,223 @@ def test_invalid_filter_type(self):
         }
         with pytest.raises(SATOSAError):
             filtered = filter_service.process(None, resp)
+
+    def test_shibmdscope_match_value_filter_with_no_md_store_in_context(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo:bar", "1:foo:bar:2"],
+        }
+        ctx = Context()
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": []}
+
+    def test_shibmdscope_match_value_filter_with_empty_md_store_in_context(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo:bar", "1:foo:bar:2"],
+        }
+        ctx = Context()
+        mdstore = MetadataStore(None, None)
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": []}
+
+    def test_shibmdscope_match_value_filter_with_idp_md_with_no_scope(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo.bar", "1.foo.bar.2"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, None))
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": []}
+
+    def test_shibmdscope_match_value_filter_with_idp_md_with_single_scope(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo.bar", "1.foo.bar.2"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, ["foo.bar"]))
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["foo.bar"]}
+
+    def test_shibmdscope_match_value_filter_with_idp_md_with_single_regexp_scope(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["test.foo.bar", "1.foo.bar.2"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, ["[^.]*\.foo\.bar$"]))
+        mdstore[idp_entityid]['idpsso_descriptor'][0]['extensions']['extension_elements'][0]['regexp'] = 'true'
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["test.foo.bar"]}
+
+    def test_shibmdscope_match_value_filter_with_idp_md_with_multiple_scopes(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_value": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo.bar", "1.foo.bar.2", "foo.baz", "foo.baz.com"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, ["foo.bar", "foo.baz"]))
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["foo.bar", "foo.baz"]}
+
+    def test_shibmdscope_match_scope_filter_with_single_scope(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "shibmdscope_match_scope": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo.bar", "[email protected]", "1.foo.bar.2", "[email protected]", "value@[email protected]"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, ["foo.bar"]))
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["[email protected]"]}
+
+    def test_multiple_filters_for_single_attribute(self):
+        attribute_filters = {
+            "": {
+                "": {
+                    "a2": {
+                        "regexp": "^value1@",
+                        "shibmdscope_match_scope": None
+                    }
+                }
+            }
+        }
+        filter_service = self.create_filter_service(attribute_filters)
+
+        resp = InternalData(AuthenticationInformation())
+        resp.attributes = {
+            "a1": ["abc:xyz"],
+            "a2": ["foo.bar", "[email protected]", "[email protected]", "1.foo.bar.2", "[email protected]", "value@[email protected]"],
+        }
+
+        idp_entityid = 'https://idp.example.org/'
+        resp.auth_info.issuer = idp_entityid
+
+        mdstore = MetadataStore(None, Config())
+        mdstore.imp(self.create_idp_metadata_conf_with_shibmd_scopes(idp_entityid, ["foo.bar"]))
+        ctx = Context()
+        ctx.decorate(Context.KEY_METADATA_STORE, mdstore)
+
+        filtered = filter_service.process(ctx, resp)
+        assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["[email protected]"]}