Strengthen XSW tests

Signed-off-by: Ivan Kanakarakis <[email protected]>

MANIFEST.in

@@ -3,7 +3,7 @@ include LICENSE
 include README.rst
 include CHANGELOG.md
 
-include src/saml2/xml_template/template.xml
+include src/saml2/data/templates/*.xml
 
 graft docs
 prune docs/build

tests/test_xsw.py

@@ -14,27 +14,72 @@
 from pathutils import full_path
 
 
-XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
+SIGNED_XSW_ASSERTION_WRAPPER = full_path("xsw/signed-xsw-assertion-wrapper.xml")
+SIGNED_XSW_ASSERTION_EXTENSIONS = full_path("xsw/signed-xsw-assertion-extensions.xml")
+SIGNED_XSW_ASSERTION_ASSERTION = full_path("xsw/signed-xsw-assertion-assertion.xml")
 
 
-class TestAuthnResponse:
+
+class TestXSW:
     def setup_class(self):
         self.conf = config_factory("sp", dotname("server_conf"))
-        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
+        self.ar = authn_response(self.conf, return_addrs="https://example.org/acs/post")
+
+    @patch('saml2.response.validate_on_or_after', return_value=True)
+    def test_signed_xsw_assertion_wrapper_should_fail(self, mock_validate_on_or_after):
+        self.ar.issue_instant_ok = Mock(return_value=True)
+
+        with open(SIGNED_XSW_ASSERTION_WRAPPER) as fp:
+            xml_response = fp.read()
+
+        self.ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
+        self.ar.timeslack = 10000
+        self.ar.loads(xml_response, decode=False)
+
+        assert self.ar.came_from == 'http://localhost:8088/sso'
+        assert self.ar.session_id() == "id-abc"
+        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
+
+        with raises(SignatureError):
+            self.ar.verify()
+
+        assert self.ar.ava is None
+        assert self.ar.name_id is None
+
+    @patch('saml2.response.validate_on_or_after', return_value=True)
+    def test_signed_xsw_assertion_extensions_should_fail(self, mock_validate_on_or_after):
+        self.ar.issue_instant_ok = Mock(return_value=True)
+
+        with open(SIGNED_XSW_ASSERTION_EXTENSIONS) as fp:
+            xml_response = fp.read()
+
+        self.ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
+        self.ar.timeslack = 10000
+        self.ar.loads(xml_response, decode=False)
+
+        assert self.ar.came_from == 'http://localhost:8088/sso'
+        assert self.ar.session_id() == "id-abc"
+        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
+
+        with raises(SignatureError):
+            self.ar.verify()
+
+        assert self.ar.ava is None
+        assert self.ar.name_id is None
 
     @patch('saml2.response.validate_on_or_after', return_value=True)
-    def test_verify_signed_xsw(self, mock_validate_on_or_after):
+    def test_signed_xsw_assertion_assertion_should_fail(self, mock_validate_on_or_after):
         self.ar.issue_instant_ok = Mock(return_value=True)
 
-        with open(XML_RESPONSE_XSW) as fp:
+        with open(SIGNED_XSW_ASSERTION_ASSERTION) as fp:
             xml_response = fp.read()
 
-        self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
+        self.ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
         self.ar.timeslack = 10000
         self.ar.loads(xml_response, decode=False)
 
         assert self.ar.came_from == 'http://localhost:8088/sso'
-        assert self.ar.session_id() == "id12"
+        assert self.ar.session_id() == "id-abc"
         assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
 
         with raises(SignatureError):

tests/xsw/signed-xsw-assertion-assertion.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-response" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://example.org/acs/post">
+    <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-attack-assertion" IssueInstant="2020-12-04T07:48:09.600Z"><saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#the-assertion"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>dOks15WkdjeZbZZE1IuDjmTCmgY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>CCGBBssMsEikFV7mkPw1+/W5O8Q6y2I96LWTOFpa51GpaHbZ48jRVZf1vEp5hmfMa4p3/aFH8kXZuIyqvtlxs7U6j/NI4k9t9aF3TY0VNGJjlh2aC08pzNicV1J8MKtQi4PNmxCdbhVmvrWNcx2JhG4dPqfj5oyv0LpxK2zi2JI=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z"><saml:AudienceRestriction><saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="id-sessidx"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-assertion" IssueInstant="2020-12-04T07:48:09.600Z"><saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">name-id</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z"><saml:AudienceRestriction><saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="id-sessidx"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></saml:Assertion>
+</samlp:Response>