diff --git a/tests/satosa/backends/test_saml2.py b/tests/satosa/backends/test_saml2.py
index e5e2d905c..76057f22f 100644
--- a/tests/satosa/backends/test_saml2.py
+++ b/tests/satosa/backends/test_saml2.py
@@ -179,6 +179,159 @@ def test_authn_request(self, context, idp_conf):
 req_params = dict(parse_qsl(urlparse(resp.message).query))
 assert context.state[self.samlbackend.name]["relay_state"] == req_params["RelayState"]
 
+ def test_authn_request_requested_attributes(
+ self, context, idp_conf, sp_conf
+ ):
+ requested_attributes = [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ backend = SAMLBackend(
+ None,
+ INTERNAL_ATTRIBUTES,
+ {
+ SAMLBackend.KEY_DYNAMIC_REQUESTED_ATTRIBUTES: requested_attributes,
+ "sp_config": sp_conf
+ },
+ "base_url",
+ "saml_backend"
+ )
+
+ with patch.object(
+ backend.sp,
+ "create_authn_request",
+ wraps=backend.sp.create_authn_request
+ ) as mock:
+ backend.authn_request(
+ context,
+ idp_conf["entityid"],
+ requested_attributes=["name", "surname"]
+ )
+
+ kwargs = mock.call_args[1]
+ assert "requested_attributes" in kwargs
+ assert kwargs["requested_attributes"] == [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ def test_authn_request_requested_attributes_ignore_extra(
+ self, context, idp_conf, sp_conf
+ ):
+ """
+ Extra internal attributes should be ignored
+ """
+ requested_attributes = [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ backend = SAMLBackend(
+ None,
+ INTERNAL_ATTRIBUTES,
+ {
+ SAMLBackend.KEY_DYNAMIC_REQUESTED_ATTRIBUTES: requested_attributes,
+ "sp_config": sp_conf
+ },
+ "base_url",
+ "saml_backend"
+ )
+
+ with patch.object(
+ backend.sp,
+ "create_authn_request",
+ wraps=backend.sp.create_authn_request
+ ) as mock:
+ backend.authn_request(
+ context,
+ idp_conf["entityid"],
+ requested_attributes=["name", "surname", "email"]
+ )
+
+ kwargs = mock.call_args[1]
+ assert "requested_attributes" in kwargs
+ assert kwargs["requested_attributes"] == [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ def test_authn_request_requested_attributes_not_present(
+ self, context, idp_conf, sp_conf
+ ):
+ """
+ If some requested attributes are not in the requested don't add them to
+ the request
+ """
+ requested_attributes = [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ backend = SAMLBackend(
+ None,
+ INTERNAL_ATTRIBUTES,
+ {
+ SAMLBackend.KEY_DYNAMIC_REQUESTED_ATTRIBUTES: requested_attributes,
+ "sp_config": sp_conf
+ },
+ "base_url",
+ "saml_backend"
+ )
+
+ with patch.object(
+ backend.sp,
+ "create_authn_request",
+ wraps=backend.sp.create_authn_request
+ ) as mock:
+ backend.authn_request(
+ context,
+ idp_conf["entityid"],
+ requested_attributes=["name"]
+ )
+
+ kwargs = mock.call_args[1]
+ assert "requested_attributes" in kwargs
+ assert kwargs["requested_attributes"] == [
+ {"friendly_name": "cn", "required": True},
+ ]
+
+ def test_authn_request_no_requested_attributes(
+ self, context, idp_conf, sp_conf
+ ):
+ """
+ If none attributes are requested don't add the extention
+ """
+ requested_attributes = [
+ {"friendly_name": "cn", "required": True},
+ {"friendly_name": "sn", "required": False}
+ ]
+
+ backend = SAMLBackend(
+ None,
+ INTERNAL_ATTRIBUTES,
+ {
+ SAMLBackend.KEY_DYNAMIC_REQUESTED_ATTRIBUTES: requested_attributes,
+ "sp_config": sp_conf
+ },
+ "base_url",
+ "saml_backend"
+ )
+
+ with patch.object(
+ backend.sp,
+ "create_authn_request",
+ wraps=backend.sp.create_authn_request
+ ) as mock:
+ backend.authn_request(
+ context,
+ idp_conf["entityid"],
+ requested_attributes=["email"]
+ )
+
+ kwargs = mock.call_args[1]
+ assert "requested_attributes" not in kwargs
+
 def test_authn_response(self, context, idp_conf, sp_conf):
 response_binding = BINDING_HTTP_REDIRECT
 fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
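Review bot: All four added tests repeat the same `SAMLBackend` construction and `patch.object` wiring, so the only things that differ — the names passed as `requested_attributes` and the kwargs expected at `create_authn_request` — are buried; a private helper that returns the captured kwargs would leave each test as two statements. These tests pin that only attributes from the configured `KEY_DYNAMIC_REQUESTED_ATTRIBUTES` list are forwarded, and that is easier to audit when the setup is not copied. The expected `cn`/`sn` values depend on how `INTERNAL_ATTRIBUTES` maps `name`, `surname` and `email`, which is defined outside this hunk, so a one-line comment stating that mapping would help. The first test has no docstring and two others need rewording, e.g. `"""Configured attributes that were not requested are left out of the request."""` and `"""If no configured attribute is requested, the extension is not added."""`.

```python
    def _captured_authn_request_kwargs(
        self, context, idp_conf, sp_conf, internal_names
    ):
        """Call authn_request against a backend configured with cn/sn and
        return the kwargs that reached create_authn_request."""
        backend = SAMLBackend(
            None,
            INTERNAL_ATTRIBUTES,
            {
                SAMLBackend.KEY_DYNAMIC_REQUESTED_ATTRIBUTES: [
                    {"friendly_name": "cn", "required": True},
                    {"friendly_name": "sn", "required": False},
                ],
                "sp_config": sp_conf,
            },
            "base_url",
            "saml_backend",
        )
        with patch.object(
            backend.sp,
            "create_authn_request",
            wraps=backend.sp.create_authn_request,
        ) as mock:
            backend.authn_request(
                context,
                idp_conf["entityid"],
                requested_attributes=internal_names,
            )
        return mock.call_args[1]

    def test_authn_request_requested_attributes_ignore_extra(
        self, context, idp_conf, sp_conf
    ):
        """Internal attributes outside the configured list are not requested."""
        kwargs = self._captured_authn_request_kwargs(
            context, idp_conf, sp_conf, ["name", "surname", "email"]
        )
        assert kwargs["requested_attributes"] == [
            {"friendly_name": "cn", "required": True},
            {"friendly_name": "sn", "required": False},
        ]

    def test_authn_request_no_requested_attributes(
        self, context, idp_conf, sp_conf
    ):
        """If no configured attribute is requested, the extension is not added."""
        kwargs = self._captured_authn_request_kwargs(
            context, idp_conf, sp_conf, ["email"]
        )
        assert "requested_attributes" not in kwargs

    # … the remaining two tests reduce to the same helper call plus their assert …
```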