[ceph.git] / ceph / src / pybind / mgr / dashboard / tests / test_sso.py

# -*- coding: utf-8 -*-
# pylint: disable=dangerous-default-value,too-many-public-methods
from __future__ import absolute_import

import errno
import unittest

from ..services.sso import handle_sso_command, load_sso_db
from . import CmdException  # pylint: disable=no-name-in-module
from . import KVStoreMockMixin  # pylint: disable=no-name-in-module
from . import exec_dashboard_cmd  # pylint: disable=no-name-in-module


class AccessControlTest(unittest.TestCase, KVStoreMockMixin):
    IDP_METADATA = '''<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://testidp.ceph.com/simplesamlphp/saml2/idp/metadata.php"
                     ID="pfx8ca6fbd7-6062-d4a9-7995-0730aeb8114f">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#pfx8ca6fbd7-6062-d4a9-7995-0730aeb8114f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>v6V8fooEUeq/LO/59JCfJF69Tw3ohN52OGAY6X3jX8w=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>IDP_SIGNATURE_VALUE</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://testidp.ceph.com/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://testidp.ceph.com/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'''

    def setUp(self):
        self.mock_kv_store()
        load_sso_db()

    @classmethod
    def exec_cmd(cls, cmd, **kwargs):
        return exec_dashboard_cmd(handle_sso_command, cmd, **kwargs)

    def validate_onelogin_settings(self, onelogin_settings, ceph_dashboard_base_url, uid,
                                   sp_x509cert, sp_private_key, signature_enabled):
        self.assertIn('sp', onelogin_settings)
        self.assertIn('entityId', onelogin_settings['sp'])
        self.assertEqual(onelogin_settings['sp']['entityId'],
                         '{}/auth/saml2/metadata'.format(ceph_dashboard_base_url))

        self.assertIn('assertionConsumerService', onelogin_settings['sp'])
        self.assertIn('url', onelogin_settings['sp']['assertionConsumerService'])
        self.assertEqual(onelogin_settings['sp']['assertionConsumerService']['url'],
                         '{}/auth/saml2'.format(ceph_dashboard_base_url))

        self.assertIn('attributeConsumingService', onelogin_settings['sp'])
        attribute_consuming_service = onelogin_settings['sp']['attributeConsumingService']
        self.assertIn('requestedAttributes', attribute_consuming_service)
        requested_attributes = attribute_consuming_service['requestedAttributes']
        self.assertEqual(len(requested_attributes), 1)
        self.assertIn('name', requested_attributes[0])
        self.assertEqual(requested_attributes[0]['name'], uid)

        self.assertIn('singleLogoutService', onelogin_settings['sp'])
        self.assertIn('url', onelogin_settings['sp']['singleLogoutService'])
        self.assertEqual(onelogin_settings['sp']['singleLogoutService']['url'],
                         '{}/auth/saml2/logout'.format(ceph_dashboard_base_url))

        self.assertIn('x509cert', onelogin_settings['sp'])
        self.assertEqual(onelogin_settings['sp']['x509cert'], sp_x509cert)

        self.assertIn('privateKey', onelogin_settings['sp'])
        self.assertEqual(onelogin_settings['sp']['privateKey'], sp_private_key)

        self.assertIn('security', onelogin_settings)
        self.assertIn('authnRequestsSigned', onelogin_settings['security'])
        self.assertEqual(onelogin_settings['security']['authnRequestsSigned'], signature_enabled)

        self.assertIn('logoutRequestSigned', onelogin_settings['security'])
        self.assertEqual(onelogin_settings['security']['logoutRequestSigned'], signature_enabled)

        self.assertIn('logoutResponseSigned', onelogin_settings['security'])
        self.assertEqual(onelogin_settings['security']['logoutResponseSigned'], signature_enabled)

        self.assertIn('wantMessagesSigned', onelogin_settings['security'])
        self.assertEqual(onelogin_settings['security']['wantMessagesSigned'], signature_enabled)

        self.assertIn('wantAssertionsSigned', onelogin_settings['security'])
        self.assertEqual(onelogin_settings['security']['wantAssertionsSigned'], signature_enabled)

    def test_sso_saml2_setup(self):
        result = self.exec_cmd('sso setup saml2',
                               ceph_dashboard_base_url='https://cephdashboard.local',
                               idp_metadata=self.IDP_METADATA)
        self.validate_onelogin_settings(result, 'https://cephdashboard.local', 'uid', '', '',
                                        False)

    def test_sso_enable_saml2(self):
        with self.assertRaises(CmdException) as ctx:
            self.exec_cmd('sso enable saml2')

        self.assertEqual(ctx.exception.retcode, -errno.EPERM)
        self.assertEqual(str(ctx.exception), 'Single Sign-On is not configured: '
                                             'use `ceph dashboard sso setup saml2`')

        self.exec_cmd('sso setup saml2',
                      ceph_dashboard_base_url='https://cephdashboard.local',
                      idp_metadata=self.IDP_METADATA)

        result = self.exec_cmd('sso enable saml2')
        self.assertEqual(result, 'SSO is "enabled" with "SAML2" protocol.')

    def test_sso_disable(self):
        result = self.exec_cmd('sso disable')
        self.assertEqual(result, 'SSO is "disabled".')

    def test_sso_status(self):
        result = self.exec_cmd('sso status')
        self.assertEqual(result, 'SSO is "disabled".')

        self.exec_cmd('sso setup saml2',
                      ceph_dashboard_base_url='https://cephdashboard.local',
                      idp_metadata=self.IDP_METADATA)

        result = self.exec_cmd('sso status')
        self.assertEqual(result, 'SSO is "enabled" with "SAML2" protocol.')

    def test_sso_show_saml2(self):
        result = self.exec_cmd('sso show saml2')
        self.assertEqual(result, {
            'onelogin_settings': {}
        })
Commit	Line	Data
11fdf7f2 TL	1	# -- coding: utf-8 --
	2	# pylint: disable=dangerous-default-value,too-many-public-methods
	3	from __future__ import absolute_import
	4
	5	import errno
	6	import unittest
	7
11fdf7f2	8	from ..services.sso import handle_sso_command, load_sso_db
f67539c2 TL	9	from . import CmdException # pylint: disable=no-name-in-module
	10	from . import KVStoreMockMixin # pylint: disable=no-name-in-module
	11	from . import exec_dashboard_cmd # pylint: disable=no-name-in-module
11fdf7f2 TL	12
	13
	14	class AccessControlTest(unittest.TestCase, KVStoreMockMixin):
	15	IDP_METADATA = '''<?xml version="1.0"?>
	16	<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
	17	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	18	entityID="https://testidp.ceph.com/simplesamlphp/saml2/idp/metadata.php"
	19	ID="pfx8ca6fbd7-6062-d4a9-7995-0730aeb8114f">
	20	<ds:Signature>
	21	<ds:SignedInfo>
	22	<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
	23	<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
	24	<ds:Reference URI="#pfx8ca6fbd7-6062-d4a9-7995-0730aeb8114f">
	25	<ds:Transforms>
	26	<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
	27	<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
	28	</ds:Transforms>
	29	<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
	30	<ds:DigestValue>v6V8fooEUeq/LO/59JCfJF69Tw3ohN52OGAY6X3jX8w=</ds:DigestValue>
	31	</ds:Reference>
	32	</ds:SignedInfo>
	33	<ds:SignatureValue>IDP_SIGNATURE_VALUE</ds:SignatureValue>
	34	<ds:KeyInfo>
	35	<ds:X509Data>
	36	<ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
	37	</ds:X509Data>
	38	</ds:KeyInfo>
	39	</ds:Signature>
	40	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
	41	<md:KeyDescriptor use="signing">
	42	<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
	43	<ds:X509Data>
	44	<ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
	45	</ds:X509Data>
	46	</ds:KeyInfo>
	47	</md:KeyDescriptor>
	48	<md:KeyDescriptor use="encryption">
	49	<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
	50	<ds:X509Data>
	51	<ds:X509Certificate>IDP_X509_CERTIFICATE</ds:X509Certificate>
	52	</ds:X509Data>
	53	</ds:KeyInfo>
	54	</md:KeyDescriptor>
	55	<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	56	Location="https://testidp.ceph.com/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
	57	<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
	58	<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	59	Location="https://testidp.ceph.com/simplesamlphp/saml2/idp/SSOService.php"/>
	60	</md:IDPSSODescriptor>
	61	</md:EntityDescriptor>'''
	62
	63	def setUp(self):
	64	self.mock_kv_store()
	65	load_sso_db()
	66
	67	@classmethod
	68	def exec_cmd(cls, cmd, **kwargs):
	69	return exec_dashboard_cmd(handle_sso_command, cmd, **kwargs)
	70
	71	def validate_onelogin_settings(self, onelogin_settings, ceph_dashboard_base_url, uid,
	72	sp_x509cert, sp_private_key, signature_enabled):
	73	self.assertIn('sp', onelogin_settings)
	74	self.assertIn('entityId', onelogin_settings['sp'])
	75	self.assertEqual(onelogin_settings['sp']['entityId'],
76	'{}/auth/saml2/metadata'.format(ceph_dashboard_base_url))
77
78	self.assertIn('assertionConsumerService', onelogin_settings['sp'])
79	self.assertIn('url', onelogin_settings['sp']['assertionConsumerService'])
80	self.assertEqual(onelogin_settings['sp']['assertionConsumerService']['url'],
81	'{}/auth/saml2'.format(ceph_dashboard_base_url))
82
83	self.assertIn('attributeConsumingService', onelogin_settings['sp'])
84	attribute_consuming_service = onelogin_settings['sp']['attributeConsumingService']
85	self.assertIn('requestedAttributes', attribute_consuming_service)
86	requested_attributes = attribute_consuming_service['requestedAttributes']
87	self.assertEqual(len(requested_attributes), 1)
88	self.assertIn('name', requested_attributes[0])
89	self.assertEqual(requested_attributes[0]['name'], uid)
90
91	self.assertIn('singleLogoutService', onelogin_settings['sp'])
92	self.assertIn('url', onelogin_settings['sp']['singleLogoutService'])
93	self.assertEqual(onelogin_settings['sp']['singleLogoutService']['url'],
94	'{}/auth/saml2/logout'.format(ceph_dashboard_base_url))
95
96	self.assertIn('x509cert', onelogin_settings['sp'])
97	self.assertEqual(onelogin_settings['sp']['x509cert'], sp_x509cert)
98
99	self.assertIn('privateKey', onelogin_settings['sp'])
100	self.assertEqual(onelogin_settings['sp']['privateKey'], sp_private_key)
101
102	self.assertIn('security', onelogin_settings)
103	self.assertIn('authnRequestsSigned', onelogin_settings['security'])
104	self.assertEqual(onelogin_settings['security']['authnRequestsSigned'], signature_enabled)
105
106	self.assertIn('logoutRequestSigned', onelogin_settings['security'])
107	self.assertEqual(onelogin_settings['security']['logoutRequestSigned'], signature_enabled)
108
109	self.assertIn('logoutResponseSigned', onelogin_settings['security'])
110	self.assertEqual(onelogin_settings['security']['logoutResponseSigned'], signature_enabled)
111
112	self.assertIn('wantMessagesSigned', onelogin_settings['security'])
113	self.assertEqual(onelogin_settings['security']['wantMessagesSigned'], signature_enabled)
114
115	self.assertIn('wantAssertionsSigned', onelogin_settings['security'])
116	self.assertEqual(onelogin_settings['security']['wantAssertionsSigned'], signature_enabled)
117
118	def test_sso_saml2_setup(self):
119	result = self.exec_cmd('sso setup saml2',
120	ceph_dashboard_base_url='https://cephdashboard.local',
121	idp_metadata=self.IDP_METADATA)
122	self.validate_onelogin_settings(result, 'https://cephdashboard.local', 'uid', '', '',
123	False)
124
125	def test_sso_enable_saml2(self):
126	with self.assertRaises(CmdException) as ctx:
127	self.exec_cmd('sso enable saml2')
128
129	self.assertEqual(ctx.exception.retcode, -errno.EPERM)
130	self.assertEqual(str(ctx.exception), 'Single Sign-On is not configured: '
131	'use `ceph dashboard sso setup saml2`')
132
133	self.exec_cmd('sso setup saml2',
134	ceph_dashboard_base_url='https://cephdashboard.local',
135	idp_metadata=self.IDP_METADATA)
136
137	result = self.exec_cmd('sso enable saml2')
138	self.assertEqual(result, 'SSO is "enabled" with "SAML2" protocol.')
139
140	def test_sso_disable(self):
141	result = self.exec_cmd('sso disable')
142	self.assertEqual(result, 'SSO is "disabled".')
143
144	def test_sso_status(self):
145	result = self.exec_cmd('sso status')
146	self.assertEqual(result, 'SSO is "disabled".')
147
148	self.exec_cmd('sso setup saml2',
149	ceph_dashboard_base_url='https://cephdashboard.local',
150	idp_metadata=self.IDP_METADATA)
151
152	result = self.exec_cmd('sso status')
153	self.assertEqual(result, 'SSO is "enabled" with "SAML2" protocol.')
154
155	def test_sso_show_saml2(self):
156	result = self.exec_cmd('sso show saml2')
157	self.assertEqual(result, {
158	'onelogin_settings': {}
159	})