added new tests category between "pre" and "post: "mid". added new test cases

Author: rhoerbe

src/saml2test/check.py

@@ -213,6 +213,28 @@ def _func(self, conv):
         return res
 
 
+class CheckSpHttpResponse500(Error):
+    """ Checks that the SP's HTTP response status is >= 500. This is useful
+        to check if the SP correctly flags errors such as an invalid signature
+    """
+    cid = "check-sp-http-response-500"
+    msg = "SP does not return a HTTP 5xx status when it shold do so."
+
+    def _func(self, conv):
+        _response = conv.last_response
+        _content = conv.last_response.content
+
+        res = {}
+        if _response.status_code < 500:
+            self._status = self.status
+            self._message = self.msg
+            #res["content"] = _content   #too big + charset converstion needed
+            res["url"] = conv.position
+            res["http_status"] = _response.status_code
+
+        return res
+
+
 class MissingRedirect(CriticalError):
     """ At this point in the flow a redirect back to the client was expected.
     """

src/sp_test/base.py

@@ -282,13 +282,6 @@ def send_idp_response(self, req_flow, resp_flow):
         :param resp_flow: The flow to prepare the response
         :return: The SP's HTTP response on receiving the SAML response
         """
-        # make sure I got the request I expected
-        assert isinstance(self.saml_request.message, req._class)
-
-        try:
-            self.test_sequence(req.tests["post"])
-        except KeyError:
-            pass
 
         # Pick information from the request that should be in the response
         args = self.instance.response_args(self.saml_request.message,
@@ -381,7 +374,7 @@ def send_idp_response(self, req_flow, resp_flow):
 
         self._log_response(self.last_response)
 
-    def do_flow(self, flow):
+    def do_flow(self, flow, mid_tests):
         """
         Solicited or 'un-solicited' flows.
 
@@ -392,21 +385,28 @@ def do_flow(self, flow):
             self.wb_send_GET_startpage()
             self.intermit(flow[0]._interaction)
             self.parse_saml_message()
+        # make sure I got the request I expected
+        assert isinstance(self.saml_request.message, flow[1]._class)
+        try:
+            self.test_sequence(mid_tests)
+        except KeyError:
+            pass
         self.send_idp_response(flow[1], flow[2])
         if len(flow) == 4:
             self.handle_result(flow[3])
         else:
             self.handle_result()
 
     def do_sequence_and_tests(self, oper, tests=None):
+        self.current_oper = oper
         try:
             self.test_sequence(tests["pre"])
         except KeyError:
             pass
 
         for flow in oper:
             try:
-                self.do_flow(flow)
+                self.do_flow(flow, tests["mid"])
             except InteractionNeeded:
                 self.test_output.append({"status": INTERACTION,
                                          "message": "see detail log for response content",

src/sp_test/check.py

@@ -3,7 +3,7 @@
 import re
 import sys
 
-from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
 from saml2test.check import Check
 from saml2test.check import ERROR, INFORMATION, WARNING
 from saml2test import check
@@ -86,6 +86,15 @@ def _func(self, conv):
         if request.signature:
             if not self._digest_algo(request.signature, _algs):
                 return {}
+        elif conv._binding == BINDING_HTTP_REDIRECT:
+            self._message = "no digest with redirect binding"
+            self._status = INFORMATION
+            return {}
+        elif conv._binding == BINDING_HTTP_POST:
+            self._message = "cannot verify digest algorithm: request not signed"
+            self._status = WARNING
+            return {}
+
 
         return {}
 
@@ -204,6 +213,29 @@ def call_on_redirect(self):
         return False
 
 
+class SetResponseAndAssertionSignaturesFalse(Check):
+    """ Prepare config to suppress signatures of both response and assertion"""
+    cid = "set-response-and-assertion-signature-false"
+    msg = "Prepare config to suppress signatures of both response and assertion"
+
+    def _func(self, conv):
+        conv.json_config['args']['AuthnResponse']['sign_assertion'] = 'never'
+        conv.json_config['args']['AuthnResponse']['sign_response'] = 'never'
+        self._status = INFORMATION
+        return {}
+
+
+#class SetInvalidIdpKey(Check):
+#    """ Prepare config to set IDP signing key to some useless key"""
+#    cid = "set-idp-key-invalid"
+#    msg = "Prepare config to set IDP signing key invalid"
+#
+#    def _func(self, conv):
+#        conv.instance.sec.cert_file = conv.instance.config.invalid_idp_cert_file
+#        conv.instance.sec.key_file = conv.instance.config.invalid_idp_key_file
+#        return {}
+
+
 # =============================================================================