authentik/e2e/test_provider_saml.py

"""test SAML Provider flow"""
from sys import platform
from time import sleep
from unittest.case import skipUnless

from docker import DockerClient, from_env
from docker.models.containers import Container
from docker.types import Healthcheck
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.support import expected_conditions as ec
from structlog import get_logger

from e2e.utils import USER, SeleniumTestCase
from passbook.core.models import Application
from passbook.crypto.models import CertificateKeyPair
from passbook.flows.models import Flow
from passbook.policies.expression.models import ExpressionPolicy
from passbook.policies.models import PolicyBinding
from passbook.providers.saml.models import (
    SAMLBindings,
    SAMLPropertyMapping,
    SAMLProvider,
)

LOGGER = get_logger()


@skipUnless(platform.startswith("linux"), "requires local docker")
class TestProviderSAML(SeleniumTestCase):
    """test SAML Provider flow"""

    container: Container

    def setup_client(self, provider: SAMLProvider) -> Container:
        """Setup client saml-sp container which we test SAML against"""
        client: DockerClient = from_env()
        container = client.containers.run(
            image="beryju/saml-test-sp",
            detach=True,
            network_mode="host",
            auto_remove=True,
            healthcheck=Healthcheck(
                test=["CMD", "wget", "--spider", "http://localhost:9009/health"],
                interval=5 * 100 * 1000000,
                start_period=1 * 100 * 1000000,
            ),
            environment={
                "SP_ENTITY_ID": provider.issuer,
                "SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "SP_METADATA_URL": (
                    self.url(
                        "passbook_providers_saml:metadata",
                        application_slug=provider.application.slug,
                    )
                ),
            },
        )
        while True:
            container.reload()
            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
            if status == "healthy":
                return container
            LOGGER.info("Container failed healthcheck")
            sleep(1)

    def test_sp_initiated_implicit(self):
        """test SAML Provider flow SP-initiated flow (implicit consent)"""
        # Bootstrap all needed objects
        authorization_flow = Flow.objects.get(
            slug="default-provider-authorization-implicit-consent"
        )
        provider: SAMLProvider = SAMLProvider.objects.create(
            name="saml-test",
            acs_url="http://localhost:9009/saml/acs",
            audience="passbook-e2e",
            issuer="passbook-e2e",
            sp_binding=SAMLBindings.POST,
            authorization_flow=authorization_flow,
            signing_kp=CertificateKeyPair.objects.first(),
        )
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        Application.objects.create(
            name="SAML", slug="passbook-saml", provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get("http://localhost:9009")
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.wait_for_url("http://localhost:9009/")
        self.assertEqual(
            self.driver.find_element(By.XPATH, "/html/body/pre").text,
            f"Hello, {USER().name}!",
        )

    def test_sp_initiated_explicit(self):
        """test SAML Provider flow SP-initiated flow (explicit consent)"""
        # Bootstrap all needed objects
        authorization_flow = Flow.objects.get(
            slug="default-provider-authorization-explicit-consent"
        )
        provider: SAMLProvider = SAMLProvider.objects.create(
            name="saml-test",
            acs_url="http://localhost:9009/saml/acs",
            audience="passbook-e2e",
            issuer="passbook-e2e",
            sp_binding=SAMLBindings.POST,
            authorization_flow=authorization_flow,
            signing_kp=CertificateKeyPair.objects.first(),
        )
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        app = Application.objects.create(
            name="SAML", slug="passbook-saml", provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get("http://localhost:9009")
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.assertIn(
            app.name,
            self.driver.find_element(
                By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/p[1]"
            ).text,
        )
        sleep(1)
        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
        self.wait_for_url("http://localhost:9009/")
        self.assertEqual(
            self.driver.find_element(By.XPATH, "/html/body/pre").text,
            f"Hello, {USER().name}!",
        )

    def test_idp_initiated_implicit(self):
        """test SAML Provider flow IdP-initiated flow (implicit consent)"""
        # Bootstrap all needed objects
        authorization_flow = Flow.objects.get(
            slug="default-provider-authorization-implicit-consent"
        )
        provider: SAMLProvider = SAMLProvider.objects.create(
            name="saml-test",
            acs_url="http://localhost:9009/saml/acs",
            audience="passbook-e2e",
            issuer="passbook-e2e",
            sp_binding=SAMLBindings.POST,
            authorization_flow=authorization_flow,
            signing_kp=CertificateKeyPair.objects.first(),
        )
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        Application.objects.create(
            name="SAML", slug="passbook-saml", provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get(
            self.url(
                "passbook_providers_saml:sso-init",
                application_slug=provider.application.slug,
            )
        )
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.wait_for_url("http://localhost:9009/")
        self.assertEqual(
            self.driver.find_element(By.XPATH, "/html/body/pre").text,
            f"Hello, {USER().name}!",
        )

    def test_sp_initiated_denied(self):
        """test SAML Provider flow SP-initiated flow (Policy denies access)"""
        # Bootstrap all needed objects
        authorization_flow = Flow.objects.get(
            slug="default-provider-authorization-implicit-consent"
        )
        negative_policy = ExpressionPolicy.objects.create(
            name="negative-static", expression="return False"
        )
        provider: SAMLProvider = SAMLProvider.objects.create(
            name="saml-test",
            acs_url="http://localhost:9009/saml/acs",
            audience="passbook-e2e",
            issuer="passbook-e2e",
            sp_binding=SAMLBindings.POST,
            authorization_flow=authorization_flow,
            signing_kp=CertificateKeyPair.objects.first(),
        )
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        app = Application.objects.create(
            name="SAML", slug="passbook-saml", provider=provider,
        )
        PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
        self.container = self.setup_client(provider)
        self.driver.get("http://localhost:9009/")
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)

        self.wait.until(
            ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
        )
        self.assertEqual(
            self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
            "Permission denied",
        )
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`"""test SAML Provider flow"""`
pytest (#209) 2020-09-11 21:21:11 +00:00			`from sys import platform`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`from time import sleep`
pytest (#209) 2020-09-11 21:21:11 +00:00			`from unittest.case import skipUnless`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00
root: automate system migrations, move docker to lifecycle folder 2020-09-09 22:14:59 +00:00			`from docker import DockerClient, from_env`
			`from docker.models.containers import Container`
			`from docker.types import Healthcheck`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`from selenium.webdriver.common.by import By`
			`from selenium.webdriver.common.keys import Keys`
e2e: update e2e tests for new AccessDenied response 2020-09-15 08:29:59 +00:00			`from selenium.webdriver.support import expected_conditions as ec`
e2e: fix typo, log when docker healthcheck fails 2020-08-14 16:09:49 +00:00			`from structlog import get_logger`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00
			`from e2e.utils import USER, SeleniumTestCase`
			`from passbook.core.models import Application`
			`from passbook.crypto.models import CertificateKeyPair`
			`from passbook.flows.models import Flow`
e2e/provider/saml: add negative case 2020-07-02 11:48:21 +00:00			`from passbook.policies.expression.models import ExpressionPolicy`
			`from passbook.policies.models import PolicyBinding`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`from passbook.providers.saml.models import (`
			`SAMLBindings,`
			`SAMLPropertyMapping,`
			`SAMLProvider,`
			`)`

e2e: fix typo, log when docker healthcheck fails 2020-08-14 16:09:49 +00:00			`LOGGER = get_logger()`

e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00
pytest (#209) 2020-09-11 21:21:11 +00:00			`@skipUnless(platform.startswith("linux"), "requires local docker")`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`class TestProviderSAML(SeleniumTestCase):`
			`"""test SAML Provider flow"""`

			`container: Container`

			`def setup_client(self, provider: SAMLProvider) -> Container:`
			`"""Setup client saml-sp container which we test SAML against"""`
			`client: DockerClient = from_env()`
			`container = client.containers.run(`
			`image="beryju/saml-test-sp",`
			`detach=True,`
			`network_mode="host",`
			`auto_remove=True,`
			`healthcheck=Healthcheck(`
			`test=["CMD", "wget", "--spider", "http://localhost:9009/health"],`
			`interval=5 * 100 * 1000000,`
			`start_period=1 * 100 * 1000000,`
			`),`
			`environment={`
			`"SP_ENTITY_ID": provider.issuer,`
			`"SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",`
			`"SP_METADATA_URL": (`
e2e: SeleniumTestCase: add url() to reverse into full URL 2020-06-20 21:56:35 +00:00			`self.url(`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`"passbook_providers_saml:metadata",`
e2e: SeleniumTestCase: add url() to reverse into full URL 2020-06-20 21:56:35 +00:00			`application_slug=provider.application.slug,`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`)`
			`),`
			`},`
			`)`
			`while True:`
			`container.reload()`
			`status = container.attrs.get("State", {}).get("Health", {}).get("Status")`
			`if status == "healthy":`
			`return container`
e2e: fix typo, log when docker healthcheck fails 2020-08-14 16:09:49 +00:00			`LOGGER.info("Container failed healthcheck")`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`sleep(1)`

			`def test_sp_initiated_implicit(self):`
			`"""test SAML Provider flow SP-initiated flow (implicit consent)"""`
			`# Bootstrap all needed objects`
			`authorization_flow = Flow.objects.get(`
			`slug="default-provider-authorization-implicit-consent"`
			`)`
			`provider: SAMLProvider = SAMLProvider.objects.create(`
			`name="saml-test",`
			`acs_url="http://localhost:9009/saml/acs",`
			`audience="passbook-e2e",`
			`issuer="passbook-e2e",`
			`sp_binding=SAMLBindings.POST,`
			`authorization_flow=authorization_flow,`
			`signing_kp=CertificateKeyPair.objects.first(),`
			`)`
			`provider.property_mappings.set(SAMLPropertyMapping.objects.all())`
			`provider.save()`
			`Application.objects.create(`
			`name="SAML", slug="passbook-saml", provider=provider,`
			`)`
			`self.container = self.setup_client(provider)`
			`self.driver.get("http://localhost:9009")`
			`self.driver.find_element(By.ID, "id_uid_field").click()`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)`
			`self.driver.find_element(By.ID, "id_password").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)`
e2e: saml provider: wait for URL 2020-06-29 20:11:50 +00:00			`self.wait_for_url("http://localhost:9009/")`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`self.assertEqual(`
			`self.driver.find_element(By.XPATH, "/html/body/pre").text,`
			`f"Hello, {USER().name}!",`
			`)`

			`def test_sp_initiated_explicit(self):`
			`"""test SAML Provider flow SP-initiated flow (explicit consent)"""`
			`# Bootstrap all needed objects`
			`authorization_flow = Flow.objects.get(`
			`slug="default-provider-authorization-explicit-consent"`
			`)`
			`provider: SAMLProvider = SAMLProvider.objects.create(`
			`name="saml-test",`
			`acs_url="http://localhost:9009/saml/acs",`
			`audience="passbook-e2e",`
			`issuer="passbook-e2e",`
			`sp_binding=SAMLBindings.POST,`
			`authorization_flow=authorization_flow,`
			`signing_kp=CertificateKeyPair.objects.first(),`
			`)`
			`provider.property_mappings.set(SAMLPropertyMapping.objects.all())`
			`provider.save()`
			`app = Application.objects.create(`
			`name="SAML", slug="passbook-saml", provider=provider,`
			`)`
			`self.container = self.setup_client(provider)`
			`self.driver.get("http://localhost:9009")`
			`self.driver.find_element(By.ID, "id_uid_field").click()`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)`
			`self.driver.find_element(By.ID, "id_password").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)`
			`self.assertIn(`
			`app.name,`
			`self.driver.find_element(`
			`By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/p[1]"`
			`).text,`
			`)`
stages/otp_*: update user setting design 2020-06-30 19:23:37 +00:00			`sleep(1)`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()`
e2e: saml provider: wait for URL 2020-06-29 20:11:50 +00:00			`self.wait_for_url("http://localhost:9009/")`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`self.assertEqual(`
			`self.driver.find_element(By.XPATH, "/html/body/pre").text,`
			`f"Hello, {USER().name}!",`
			`)`

			`def test_idp_initiated_implicit(self):`
			`"""test SAML Provider flow IdP-initiated flow (implicit consent)"""`
			`# Bootstrap all needed objects`
			`authorization_flow = Flow.objects.get(`
			`slug="default-provider-authorization-implicit-consent"`
			`)`
			`provider: SAMLProvider = SAMLProvider.objects.create(`
			`name="saml-test",`
			`acs_url="http://localhost:9009/saml/acs",`
			`audience="passbook-e2e",`
			`issuer="passbook-e2e",`
			`sp_binding=SAMLBindings.POST,`
			`authorization_flow=authorization_flow,`
			`signing_kp=CertificateKeyPair.objects.first(),`
			`)`
			`provider.property_mappings.set(SAMLPropertyMapping.objects.all())`
			`provider.save()`
			`Application.objects.create(`
			`name="SAML", slug="passbook-saml", provider=provider,`
			`)`
			`self.container = self.setup_client(provider)`
			`self.driver.get(`
e2e: SeleniumTestCase: add url() to reverse into full URL 2020-06-20 21:56:35 +00:00			`self.url(`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`"passbook_providers_saml:sso-init",`
e2e: SeleniumTestCase: add url() to reverse into full URL 2020-06-20 21:56:35 +00:00			`application_slug=provider.application.slug,`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`)`
			`)`
			`self.driver.find_element(By.ID, "id_uid_field").click()`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)`
			`self.driver.find_element(By.ID, "id_password").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)`
e2e: saml provider: wait for URL 2020-06-29 20:11:50 +00:00			`self.wait_for_url("http://localhost:9009/")`
e2e: add tests for oauth and saml provider 2020-06-20 21:53:05 +00:00			`self.assertEqual(`
			`self.driver.find_element(By.XPATH, "/html/body/pre").text,`
			`f"Hello, {USER().name}!",`
			`)`
e2e/provider/saml: add negative case 2020-07-02 11:48:21 +00:00
			`def test_sp_initiated_denied(self):`
			`"""test SAML Provider flow SP-initiated flow (Policy denies access)"""`
			`# Bootstrap all needed objects`
			`authorization_flow = Flow.objects.get(`
			`slug="default-provider-authorization-implicit-consent"`
			`)`
			`negative_policy = ExpressionPolicy.objects.create(`
			`name="negative-static", expression="return False"`
			`)`
			`provider: SAMLProvider = SAMLProvider.objects.create(`
			`name="saml-test",`
			`acs_url="http://localhost:9009/saml/acs",`
			`audience="passbook-e2e",`
			`issuer="passbook-e2e",`
			`sp_binding=SAMLBindings.POST,`
			`authorization_flow=authorization_flow,`
			`signing_kp=CertificateKeyPair.objects.first(),`
			`)`
			`provider.property_mappings.set(SAMLPropertyMapping.objects.all())`
			`provider.save()`
			`app = Application.objects.create(`
			`name="SAML", slug="passbook-saml", provider=provider,`
			`)`
			`PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)`
			`self.container = self.setup_client(provider)`
			`self.driver.get("http://localhost:9009/")`
			`self.driver.find_element(By.ID, "id_uid_field").click()`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)`
			`self.driver.find_element(By.ID, "id_password").send_keys(USER().username)`
			`self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)`
e2e: update e2e tests for new AccessDenied response 2020-09-15 08:29:59 +00:00
			`self.wait.until(`
			`ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))`
			`)`
e2e/provider/saml: add negative case 2020-07-02 11:48:21 +00:00			`self.assertEqual(`
e2e: add tests for OAuth Source, update tests for new base templates 2020-07-08 22:41:14 +00:00			`self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,`
e2e/provider/saml: add negative case 2020-07-02 11:48:21 +00:00			`"Permission denied",`
			`)`