Updated tests to working with separate signature verifications of response and assertions.

Author: Roland Hedberg

tests/saml_false_signed.xml

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://xenosmilus.umdc.umu.se:8087/login" ID="_5271694c3be6883137377fb076355c4bc97f28b3c1" InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" IssueInstant="2009-10-25T18:12:39Z" Version="2.0">
-  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php</ns1:Issuer>
+<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://lingon.catalogix.se:8087/" ID="_5271694c3be6883137377fb076355c4bc97f28b3c1" InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" IssueInstant="2014-05-04T09:59:39Z" Version="2.0">
+  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:example.com:saml:roland:idp</ns1:Issuer>
   <ns0:Status>
     <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </ns0:Status>
-  <ns1:Assertion xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9e022535-4b38-cc7f-41ec-9a01bcd2936d" IssueInstant="2009-10-25T18:12:39Z" Version="2.0">
-    <ns1:Issuer>http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php</ns1:Issuer>
+  <ns1:Assertion xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9e022535-4b38-cc7f-41ec-9a01bcd2936d" IssueInstant="2014-05-04T09:59:39Z" Version="2.0">
+    <ns1:Issuer>urn:mace:example.com:saml:roland:idp</ns1:Issuer>
     <ns2:Signature xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
       <ns2:SignedInfo>
         <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
@@ -49,15 +49,15 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE=</ns2:SignatureValue>
         _cddc88563d433f556d4cc70c3162deabddea3b5019
       </ns1:NameID>
       <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-        <ns1:SubjectConfirmationData InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" NotOnOrAfter="2009-10-25T18:17:39Z" Recipient="http://xenosmilus.umdc.umu.se:8087/login"/>
+        <ns1:SubjectConfirmationData InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" NotOnOrAfter="2014-05-04T09:59:39Z" Recipient="http://xenosmilus.umdc.umu.se:8087/login"/>
       </ns1:SubjectConfirmation>
     </ns1:Subject>
-    <ns1:Conditions NotBefore="2009-10-25T18:12:09Z" NotOnOrAfter="2009-10-26T02:12:39Z">
+    <ns1:Conditions NotBefore="2014-05-04T09:59:39Z" NotOnOrAfter="2024-05-04T09:59:39Z">
       <ns1:AudienceRestriction>
-        <ns1:Audience>xenosmilus.umdc.umu.se</ns1:Audience>
+        <ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience>
       </ns1:AudienceRestriction>
     </ns1:Conditions>
-    <ns1:AuthnStatement AuthnInstant="2009-10-25T18:12:39Z" SessionIndex="_788db107b9bb1b6ab94f00deebbfe3d92c999b3041">
+    <ns1:AuthnStatement AuthnInstant="2014-05-04T09:59:39Z" SessionIndex="_788db107b9bb1b6ab94f00deebbfe3d92c999b3041">
       <ns1:AuthnContext>                      
         <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns1:AuthnContextClassRef>
       </ns1:AuthnContext>

tests/test_40_sigver.py

@@ -19,7 +19,6 @@
 
 SIGNED = full_path("saml_signed.xml")
 UNSIGNED = full_path("saml_unsigned.xml")
-FALSE_SIGNED = full_path("saml_false_signed.xml")
 SIMPLE_SAML_PHP_RESPONSE = full_path("simplesamlphp_authnresponse.xml")
 
 PUB_KEY = full_path("test.pem")
@@ -143,11 +142,6 @@ def test_non_verify_1(self):
         response = self.sec.correctly_signed_response(xml_response)
         assert response
 
-    def test_non_verify_2(self):
-        xml_response = open(FALSE_SIGNED).read()
-        raises(sigver.SignatureError, self.sec.correctly_signed_response,
-               xml_response)
-
     def test_sign_assertion(self):
         ass = self._assertion
         print ass
@@ -478,7 +472,6 @@ def test_xbox():
 
 
 if __name__ == "__main__":
-    #t = TestSecurity()
-    #t.setup_class()
-    #t.test_sign_then_encrypt_assertion()
-    test_xbox()
+    t = TestSecurity()
+    t.setup_class()
+    t.test_non_verify_2()

tests/test_41_response.py

@@ -8,13 +8,12 @@
 from saml2.response import response_factory
 from saml2.response import StatusResponse
 from saml2.response import AuthnResponse
-from saml2.sigver import security_context
+from saml2.sigver import security_context, SignatureError
 from saml2.sigver import MissingKey
 
 from pytest import raises
 
-XML_RESPONSE_FILE = "saml_signed.xml"
-XML_RESPONSE_FILE2 = "saml2_response.xml"
+FALSE_ASSERT_SIGNED = "saml_false_signed.xml"
 
 
 def _eq(l1, l2):
@@ -91,8 +90,26 @@ def test_2(self):
         assert isinstance(resp, StatusResponse)
         assert isinstance(resp, AuthnResponse)
 
+    def test_false_sign(self):
+        xml_response = open(FALSE_ASSERT_SIGNED).read()
+        resp = response_factory(
+            xml_response, self.conf,
+            return_addrs=["http://lingon.catalogix.se:8087/"],
+            outstanding_queries={
+                "bahigehogffohiphlfmplepdpcohkhhmheppcdie":
+                    "http://localhost:8088/sso"},
+            timeslack=10000, decode=False)
+
+        assert isinstance(resp, StatusResponse)
+        assert isinstance(resp, AuthnResponse)
+        try:
+            resp.verify()
+        except SignatureError:
+            pass
+        else:
+            assert False
 
 if __name__ == "__main__":
     t = TestResponse()
     t.setup_class()
-    t.test_1()
+    t.test_false_sign()

tests/test_44_authnresp.py

@@ -125,3 +125,7 @@ def test_verify_w_authn(self):
         session_info = self.ar.session_info()
         assert session_info["authn_info"] == authn_info
 
+if __name__ == "__main__":
+    t = TestAuthnResponse()
+    t.setup_class()
+    t.test_verify_1()