test(saml): Add SAML2 provider integration tests

evanpurkhiser · web-flow · commit f993270865cd · 2017-10-06T13:04:16.000-07:00
diff --git a/tests/fixtures/saml2_auth_response.xml b/tests/fixtures/saml2_auth_response.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfx01a16805-19b6-c6b8-6206-715754b4da77" Version="2.0" IssueInstant="2017-10-04T00:21:43Z" Destination="http://testserver.com/auth/sso/" InResponseTo="mock_response">
+  <saml:Issuer>https://example.com/saml/metadata/1234</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#pfx01a16805-19b6-c6b8-6206-715754b4da77">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>none</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>none</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>none</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="A1337f0b68ad3cc03d1a782f9a9b049ac663fbc54" IssueInstant="2017-10-04T00:21:43Z">
+    <saml:Issuer>https://example.com/saml/metadata/1234</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">rick@onehundredyears.com</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z" Recipient="http://testserver.com/auth/sso/" InResponseTo="mock_response"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2017-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>http://testserver.com/saml/metadata/saml2-org/</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2017-01-01T00:00:00Z" SessionNotOnOrAfter="2099-01-01T00:00:00Z" SessionIndex="_cded8ad0-8a91-0135-96f1-0687370acf48">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="user_id">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1234</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="first_name">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Rick</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rick@onehundredyears.com</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="last_name">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sanchez</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>
diff --git a/tests/fixtures/saml2_slo_request.xml b/tests/fixtures/saml2_slo_request.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2017-10-04T21:53:53" ID="_6f99ca80-8b7c-0135-3652-02d733713b04">
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com/saml/metadata/1234</saml:Issuer>
+  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">rick@onehundredyears.com</saml:NameID>
+</samlp:LogoutRequest>
diff --git a/tests/sentry/auth/providers/test_saml2.py b/tests/sentry/auth/providers/test_saml2.py
@@ -0,0 +1,75 @@
+from __future__ import absolute_import, print_function
+
+import pytest
+import mock
+
+from sentry.auth.providers.saml2 import SAML2Provider, Attributes
+
+from sentry.auth.exceptions import IdentityNotValid
+from sentry.models import AuthProvider
+from sentry.testutils import TestCase
+
+dummy_provider_config = {
+    'attribute_mapping': {
+        Attributes.IDENTIFIER: 'id',
+        Attributes.USER_EMAIL: 'email',
+        Attributes.FIRST_NAME: 'first',
+        Attributes.LAST_NAME: 'last',
+    }
+}
+
+
+class SAML2ProviderTest(TestCase):
+    def setUp(self):
+        self.org = self.create_organization()
+        self.auth_provider = AuthProvider.objects.create(
+            provider='saml2',
+            organization=self.org,
+        )
+        self.provider = SAML2Provider(key=self.auth_provider.provider)
+        super(SAML2ProviderTest, self).setUp()
+
+    def test_build_config_adds_attributes(self):
+        config = self.provider.build_config({})
+
+        assert 'attribute_mapping' in config
+
+    def test_buld_config_with_provider_attributes(self):
+        with mock.patch.object(self.provider, 'attribute_mapping') as attribute_mapping:
+            config = self.provider.build_config({})
+
+            assert 'attribute_mapping' in config
+            assert config['attribute_mapping'] == attribute_mapping.return_value
+
+    def test_build_identity_invalid(self):
+        self.provider.config = dummy_provider_config
+        state = {'auth_attributes': {}}
+
+        with pytest.raises(IdentityNotValid):
+            self.provider.build_identity(state)
+
+        state = {'auth_attributes': {'id': [''], 'email': ['valid@example.com']}}
+
+        with pytest.raises(IdentityNotValid):
+            self.provider.build_identity(state)
+
+        state = {'auth_attributes': {'id': ['1234'], 'email': ['']}}
+
+        with pytest.raises(IdentityNotValid):
+            self.provider.build_identity(state)
+
+    def test_build_identity(self):
+        self.provider.config = dummy_provider_config
+        attrs = {
+            'id': ['123'],
+            'email': ['valid@example.com'],
+            'first': ['Morty'],
+            'last': ['Smith'],
+        }
+
+        state = {'auth_attributes': attrs}
+        identity = self.provider.build_identity(state)
+
+        assert identity['id'] == '123'
+        assert identity['email'] == 'valid@example.com'
+        assert identity['name'] == 'Morty Smith'
diff --git a/tests/sentry/web/frontend/test_auth_saml2.py b/tests/sentry/web/frontend/test_auth_saml2.py
@@ -0,0 +1,130 @@
+from __future__ import absolute_import
+
+import pytest
+import base64
+import mock
+from exam import fixture
+from six.moves.urllib.parse import urlencode, urlparse, parse_qs
+
+from django.conf import settings
+from django.core.urlresolvers import reverse
+
+from sentry.auth.providers.saml2 import SAML2Provider, Attributes, HAS_SAML2
+from sentry.models import AuthProvider
+from sentry.testutils import AuthProviderTestCase
+
+
+dummy_provider_config = {
+    'idp': {
+        'entity_id': 'https://example.com/saml/metadata/1234',
+        'x509cert': 'foo_x509_cert',
+        'sso_url': 'http://example.com/sso_url',
+        'slo_url': 'http://example.com/slo_url',
+    },
+    'attribute_mapping': {
+        Attributes.IDENTIFIER: 'user_id',
+        Attributes.USER_EMAIL: 'email',
+        Attributes.FIRST_NAME: 'first_name',
+        Attributes.LAST_NAME: 'last_name',
+    },
+}
+
+
+class DummySAML2Provider(SAML2Provider):
+    strict_mode = False
+
+    def get_saml_setup_pipeline(self):
+        return []
+
+
+@pytest.mark.skipif(not HAS_SAML2, reason='SAML2 library is not installed')
+class AuthSAML2Test(AuthProviderTestCase):
+    provider = DummySAML2Provider
+    provider_name = 'saml2_dummy'
+
+    def setUp(self):
+        self.user = self.create_user('rick@onehundredyears.com')
+        self.org = self.create_organization(owner=self.user, name='saml2-org')
+        self.auth_provider = AuthProvider.objects.create(
+            provider=self.provider_name,
+            config=dummy_provider_config,
+            organization=self.org,
+        )
+
+        # The system.url-prefix, which is used to generate absolute URLs, must
+        # have a TLD for the SAML2 library to consider the URL generated for
+        # the ACS endpoint valid.
+        self.url_prefix = settings.SENTRY_OPTIONS.get('system.url-prefix')
+
+        settings.SENTRY_OPTIONS.update({
+            'system.url-prefix': 'http://testserver.com',
+        })
+
+        super(AuthSAML2Test, self).setUp()
+
+    def tearDown(self):
+        # restore url-prefix config
+        settings.SENTRY_OPTIONS.update({
+            'system.url-prefix': self.url_prefix,
+        })
+
+        super(AuthSAML2Test, self).tearDown()
+
+    @fixture
+    def login_path(self):
+        return reverse('sentry-auth-organization', args=['saml2-org'])
+
+    @fixture
+    def sso_path(self):
+        return reverse('sentry-auth-sso')
+
+    def test_redirects_to_idp(self):
+        resp = self.client.post(self.login_path, {'init': True})
+
+        assert resp.status_code == 302
+        redirect = urlparse(resp.get('Location', ''))
+        query = parse_qs(redirect.query)
+
+        assert redirect.path == '/sso_url'
+        assert 'SAMLRequest' in query
+
+    def test_auth_from_idp(self):
+        # Start auth process
+        self.client.post(self.login_path, {'init': True})
+
+        saml_response = self.load_fixture('saml2_auth_response.xml')
+        saml_response = base64.b64encode(saml_response)
+
+        # Disable validation of the SAML2 mock response
+        is_valid = 'onelogin.saml2.response.OneLogin_Saml2_Response.is_valid'
+
+        with mock.patch(is_valid, return_value=True):
+            resp = self.client.post(self.sso_path, {'SAMLResponse': saml_response})
+
+        assert resp.status_code == 200
+        assert resp.context['existing_user'] == self.user
+
+    def test_saml_metadata(self):
+        path = reverse('sentry-auth-organization-saml-metadata', args=['saml2-org'])
+        resp = self.client.get(path)
+
+        assert resp.status_code == 200
+        assert resp.get('content-type') == 'text/xml'
+
+    def test_logout_request(self):
+        saml_request = self.load_fixture('saml2_slo_request.xml')
+        saml_request = base64.b64encode(saml_request)
+
+        self.login_as(self.user)
+
+        path = reverse('sentry-auth-organization-saml-sls', args=['saml2-org'])
+        path = path + '?' + urlencode({'SAMLRequest': saml_request})
+        resp = self.client.get(path)
+
+        assert resp.status_code == 302
+
+        redirect = urlparse(resp.get('Location', ''))
+        query = parse_qs(redirect.query)
+
+        assert redirect.path == '/slo_url'
+        assert 'SAMLResponse' in query
