spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line.

Last update: Nov 8, 2022

Overview

spid-sp-test

spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line. This tool was born by separating the test library already present in spid-saml-check.

Features

spid-sp-test can:

test a SAML2 SPID/CIE Metadata file or http url
test a SAML2 SPID/CIE AuthnRequest file or or http url
test ACS behaviour, how a SP replies to a SAML2 Response
test many kinds of SP, see Profiles
dump the responses sent to an ACS and the HTML of the SP response
handle Attributes to send in Responses or test configurations of the Responses via json configuration files
configure response template with Jinja2
get new test-suite via multiple json files
fully integrable in CI
export a detailed report in json format, in stdout or in a file

Generally it's:

extremely faster in execution time than spid-saml-check
extremely easy to setup

Check metadata

Authentication requests, JSON output

Full test set with metadata, authn request and responses

Profiles

Each profile loads a set of test. Use --profile $profile-name with one of the following profile name:

saml2-sp: Pure SAML2 SP with some best practises
spid-sp-public: Public Spid SP
spid-sp-private: Private Spid SP
spid-sp-ag-public-full: Public Spid SP Aggregatore Full
spid-sp-ag-public-lite: Public Spid SP Aggregatore Lite
spid-sp-op-public-full: Public Spid SP Gestore Full
spid-sp-op-public-lite: Public Spid SP Gestore Lite
cie-sp-public: Public CIE SP
cie-sp-private: Private CIE SP

Setup

apt install libxml2-dev libxmlsec1-dev libxmlsec1-openssl xmlsec1 python3-pip python3-virtualenv
virtualenv -p python3 env
source env/bin/activate

pip install spid-sp-test --upgrade --no-cache

Overview

spid-sp-test can test a SP metadata file, you just have to give the Metadata URL, if http/http or file, eg: file://path/to/metadata.xml. At the same way it can test an Authentication Request.

In a different manner spid-sp-test can send a huge numer of fake SAML Response, for each of them it needs to trigger a real Authentication Request to the target SP.

If you want to test also the Response, you must give the spid-sp-test fake idp metadata xml file to the target SP. Get fake IdP metadata (--idp-metadata) and copy it to your SP metadatastore folder.

spid_sp_test --idp-metadata > /path/to/spid-django/example/spid_config/metadata/spid-sp-test.xml

To get spid-sp-test in a CI you have to:

configure an example project in your application
register the spid-sp-test fake idp metadata in your SP and execute the example project, with its development server in background
launch the spid-sp-test commands

An example of CI is here

Examples

Run spid_sp_test -h for inline documentation.

usage: spid_sp_test [-h] [--metadata-url METADATA_URL] [--idp-metadata] [-l [LIST [LIST ...]]] [--extra] [--authn-url AUTHN_URL] [-tr] [-nsr]
                    [-tp TEMPLATE_PATH] [-tn [TEST_NAMES [TEST_NAMES ...]]] [-tj [TEST_JSONS [TEST_JSONS ...]]] [-aj ATTR_JSON]
                    [-o REPORT_OUTPUT_FILE] [-rf {json,html}] [-d {CRITICAL,ERROR,WARNING,INFO,DEBUG}] [-xp XMLSEC_PATH] [--production]
                    [--response-html-dumps RESPONSE_HTML_DUMPS] [--exit-zero]
                    [-pr {saml2-sp,spid-sp-public,spid-sp-private,spid-sp-ag-public-full,spid-sp-ag-public-lite,spid-sp-op-public-full,spid-sp-op-public-lite,cie-sp-public,cie-sp-private}]
                    [-ap AUTHN_PLUGIN] [-rm REQUEST_METHOD] [-rb REQUEST_BODY] [-rct REQUEST_CONTENT_TYPE]


src/spid_sp_test/spid_sp_test -h for help

Test metadata passing a file

spid_sp_test --metadata-url file://metadata.xml

Test metadata from a URL

spid_sp_test --metadata-url http://localhost:8000/spid/metadata

A quite standard test

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra

Print only ERRORs

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra --debug ERROR

JSON report, add -o filename.json to write to a file, -rf html -o html_report/ to export to a HTML page

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra -rf json

Given a metadata file and a authn file (see tests/metadata and tests/authn for example) export all the test response without sending them to SP:

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr

Get the response (test 1) that would have to be sent to a SP with a custom set of attributes, without sending it for real. It will just print it to stdout

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr -tn 1 -aj tests/example.attributes.json

Common usages

Test a Shibboleth SP with a SAMLDS (DiscoveryService). In this example target points to the target service and entityID is the selected IdP. This example works also a Shibboleth IdP-SP proxy/gateway.

spid_sp_test --metadata-url https://sp.testunical.it/pymetadata_signed.xml --authn-url "https://sp.testunical.it/Shibboleth.sso/Login?target=https://sp.testunical.it/secure/index.php&entityID=https://localhost:8080" --debug ERROR --extra -tr

Test Satosa-Saml2Spid using its authn plugin and a SP that supports idp hinting

spid_sp_test --metadata-url https://localhost:10000/spidSaml2/metadata --authn-url "http://sp1.testunical.it:8000/saml2/login/?idp=https://localhost:10000/Saml2IDP/metadata&next=/saml2/echo_attributes&idphint=https%253A%252F%252Flocalhost%253A8080" -ap spid_sp_test.plugins.authn_request.SatosaSaml2Spid --extra -tr

Examples with Docker

Before starting you have to obtain the italia/spid-sp-test image. You can pull it from Docker Hub

$ export SSTVER=0.9.0
$ docker pull italia/spid-sp-test:$SSTVER

or build locally

$ docker build --tag italia/spid-sp-test:$SSTVER .

The container working directory is set to /spid therefore, local files should be mounted relatively to /spid path.

$ docker run -ti --rm \
    -v "$(pwd)/tests/metadata:/spid/mymetadata:ro" \
    -v "$(pwd)/tests/metadata:/spid/dumps:rw" \
    italia/spid-sp-test:$SSTVER --metadata-url file://mymetadata/spid-django-other.xml

Test Responses and html dumps

By enabling the response dump with the --response-html-dumps HTML_PATH option, you will get N html files (page of your SP) as follows:

test description, commented
SAML Response sent, commented
SP html page, with absolute src and href (god bless lxml)

Here an example of 1_True.html, where 1 is the test name and True is the status.

Extending tests

spid-sp-test offers the possibility to extend and configure new response tests to be performed. The user can:

customize the test suite to run by configuring a json file similar to tests/example.test-suite.json and passing this as an argument with --test-jsons option. More than one json file can be entered by separating it by a space
customize the attributes to be returned by configuring these in a json file similar to example/example.attributes.json and passing this with the --attr-json option
customize xml templates to be used in tests, indicating them in each test entry in the configuration file configured via --test-jsons and also the templates directory with the option --template-path. The templates are Jinja2 powered, so it's possible to extend src/spid_sp_test/responses/templates/base.xml with our preferred values
customize the way to get the SAML2 Authn Request, using plugins wrote by your own. If you're using a IAM Proxy with some OAuth2/OIDC frontends of a custom API, you can write your plugin and use it in the cli arguments, eg: spid_sp_test --metadata-url https://localhost:8000/spid/metadata --extra --authn-url https://localhost:8000/spid/login/?idp=https://localhost:8080 --debug INFO -tr --authn-plugin spid_sp_test.plugins.authn_request.Dummy
customize entityid and certificates path runtime, using ENV variables. The files MUST be named private.key and public.cert:
```
IDP_ENTITYID=https://your.idp.eid/ IDP_CERT_PATH=../spid-django/example/certificates spid_sp_test --idp-metadata
```

Looking at src/spid_sp_test/responses/settings.py or tests/example.test-suite.json we found that every test have a response attribute. Each element configured in would overload the value that will be rendered in the template. Each template can load these variable from its template context or use which ones was statically defined in it.

Finally you have batteries included and some options as well, at your taste.

Unit tests

That's for developers.

pip install requirements-dev.txt
pytest -v --cov=spid_sp_test --cov-report term  tests/

If you need a docker, you can do:

create the developer image

docker build -f Dockerfile-devenv --no-cache . --tag italia/spid-sp-test-devenv

run coverage tests on the development image

docker run italia/spid-sp-test-devenv

if you need to use the image as a developer machine or inspect the enviroment, you can access in it with

docker run -it --entrypoint /bin/bash italia/spid-sp-test-devenv

The final step is a live coding from your host machine and the development docker instance, using volumes

docker run -it -v $(pwd):/tmp/src --entrypoint /bin/bash italia/spid-sp-test-devenv

Authors

References

TLS/SSL tests

https://github.com/nabla-c0d3/sslyze

pip install --upgrade sslyze
sslyze www.that-sp.org --json_out ssl.log

https://testssl.sh/

Comments

Regression in authentication level validation
#111 introduced a regression. If my SP sends an AuthnRequest with this:

<samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>

and the IdP response states that the authentication has been established with L2, the SP must consider the response valid, even if SAML 2.0 says otherwise. This is what SPID specification says in 1.2.2.1 section:

N.B. L’Identity Provider ha facoltà di utilizzare per l’autenticazione un livello SPID più alto rispetto a quelli risultanti dall’indicazione del richiedente mediante l’attributo Comparison. Tale scelta non deve comportare un esito negativo della richiesta.

So, currently tests 95 and 96 are failing for me with current spid-sp-test for this reason, in the above scenario.
opened by mauromol 12
Checking for signature wrapping attacks resilience?

I was wondering whether, along with that long list of (often useless, although necessary for onboarding) checks for SPID compliance, spid-sp-test could also check for the resilience of the SP implementation against Signature Wrapping attacks, as described, for instance, at: https://www.netspi.com/blog/technical/web-application-penetration-testing/attacking-sso-common-saml-vulnerabilities-ways-find/ (see "Common Implementation Mistakes & Testing Tips" - "Signature Wrapping" section) A more thorough source of information might be: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf

This is just an idea, probably worth more in-depth analysis.
enhancement already done

opened by mauromol 8

Problematiche relative alla firma dei metadata

Buongiorno, stiamo provando ad implementare SPID su un nostro portale per un cliente che è un ente pubblico, ma siamo ancora nella fase di generazione / firma del certificato. Tramite questo tool, abbiamo generato i tre file (crt.pem csr.pem key.pem) Una volta ottenuti, con openssl tramite il comando pkcs12 -export -out cert.pfx -inkey key.pem -in crt.pem abbiamo generato il file .pfx. Una volta fatto questo, tramite uno script abbiamo ottenuto il base64 del .pfx. A questo punto, avendo i certificati ci siamo un po' bloccati perché non ci è chiarissimo il da farsi. Ci è stato suggerito di prendere come spunto un file presente all'interno di questo progetto per ente pubblico public-sp.xml. Abbiamo quindi preso questo file e abbiamo modificato i dati con i nostri. Abbiamo creato il virtual enviroment di pyhton, e quindi installato spid-sp-test.

Lanciando il comando spid_sp_test --metadata-url file://cndcec_metadata.xml o anche lanciando il comando xmlsec1 --sign --insecure --privkey-pem key.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor cndcec_metadata.xml > cndcec_metadata_signed.xml solo per la parte relativa alla signature, ci viene triggerato questo errore (tra l'altro l'unico)

func=xmlSecOpenSSLX509CertificateNodeRead:file=x509.c:line=956:obj=x509:subj=xmlSecOpenSSLX509CertBase64DerRead:error=1:xmlsec library function failed:
func=xmlSecOpenSSLX509DataNodeRead:file=x509.c:line=886:obj=x509:subj=xmlSecOpenSSLX509CertificateNodeRead:error=1:xmlsec library function failed:node=X509Certificate
func=xmlSecOpenSSLKeyDataX509XmlRead:file=x509.c:line=663:obj=x509:subj=xmlSecOpenSSLX509DataNodeRead:error=1:xmlsec library function failed:
func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=X509Data
func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed

Che sembra essere relativo proprio al base64 del certificato che abbiamo generato. Ed effettivamente ci sono delle incongruenze tra l'xml di esempio e quello nostro. Nell'xml di esempio, i due parametri <KeyInfo> hanno base64 differenti, inoltre nel secondo parametro <KeyInfo> all'interno del segmento <KeyDescriptor> i base 64 sono diversi, separati da spazi, come se fossero una lista.

Noi nel nostro file in entrambi i segmenti abbiamo inserito sempre lo stesso base64 che abbiamo generato. nella documentazione che abbiamo letto su https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/metadata.html ci viene detto che l’elementoche contiene l’elenco dei certificati e delle corrispondenti chiavi pubbliche dell’entità, utili per la verifica della firma dei messaggi prodotti da tale entità nelle sue interazioni con le altre (SAMLMetadata, par. 2.4.1.1)

A questo punto non sappiamo oltre a quello generato da noi, quali siano gli altri certificati dell'elenco di cui si parla. Lanciando il tool sembra proprio che l'unica failure sia proprio questa, non vengono riportati altri errori.

Questo il nostro file xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:spid="https://spid.gov.it/saml-extensions" ID="a088bc6e-33c5-4ff2-b35b-d9c3ff9a2c9e" entityID="https://publicsp.it/">

<ds:Signature Id="Signature1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#a088bc6e-33c5-4ff2-b35b-d9c3ff9a2c9e">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue />
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIQDQIBAzCCD8kGCSqGSIb3DQEHAaCCD7oEgg+...[HASH INCOMPLETO]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIQDQIBAzCCD8kGCSqGSIb3DQEHAaCCD7oEgg+...[HASH INCOMPLETO]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://eventi.commercialisti.it/slo"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://publicsp.it/sso" index="0" isDefault="true"/>
        <md:AttributeConsumingService index="0">
            <md:ServiceName xml:lang="it">ServiceName</md:ServiceName>
            <md:RequestedAttribute Name="spidCode"/>
            <md:RequestedAttribute Name="familyName"/>
            <md:RequestedAttribute Name="name"/>
            <md:RequestedAttribute Name="companyName"/>
            <md:RequestedAttribute Name="fiscalNumber"/>
            <md:RequestedAttribute Name="ivaCode"/>
            <md:RequestedAttribute Name="email"/>
            <md:RequestedAttribute Name="gender"/>
            <md:RequestedAttribute Name="placeOfBirth"/>
            <md:RequestedAttribute Name="countyOfBirth"/>
            <md:RequestedAttribute Name="dateOfBirth"/>
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="it">publicsp</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="it">Consiglio Nazionale dei Dottori Commercialisti e degli Esperti Contabil</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="it">https://publicsp.it</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="other">
        <md:Extensions>
            <spid:IPACode>ipa</spid:IPACode>
            <spid:Public/>
        </md:Extensions>
        <md:EmailAddress>[email protected]</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>

Quali possono essere i nostri errori/mancanze che non permettono la signature del nostro xml? Grazie mille in anticipo

opened by mperu92 7

Problems installing and running spid_sp_test in virtual env

I followed the instructions to create a python3 virtual env and install spid_sp_test. However, when I do pip install spid_sp_test after activating the virtual env, I get this:

ERROR: spid-compliant-certificates 0.4.1 has requirement cryptography==35.0.0, but you'll have cryptography 36.0.2 which is incompatible.

Then, I retried to install with pip install spid_sp_test --upgrade and then it seems like it gets installed:

[...]
Collecting cryptography==35.0.0
  Downloading cryptography-35.0.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.7 MB)
     |████████████████████████████████| 3.7 MB 4.8 MB/s
[...]
Installing collected packages: cryptography
  Attempting uninstall: cryptography
    Found existing installation: cryptography 36.0.2
    Uninstalling cryptography-36.0.2:
      Successfully uninstalled cryptography-36.0.2
Successfully installed cryptography-35.0.0

So, it seems like the second time it has installed the older version of the cryptography package without complaining, I don't know why it doesn't do this on the first attempt.

However, spid_sp_test does not start yet. I get the following exception:

(spid_sp_test) mauro@hppb ~/workspace/python-env $ spid_sp_test
Traceback (most recent call last):
  File "/home/mauro/workspace/python-env/spid_sp_test/bin/spid_sp_test", line 17, in <module>
    from spid_sp_test.response import SpidSpResponseCheck
  File "/home/mauro/workspace/python-env/spid_sp_test/lib/python3.8/site-packages/spid_sp_test/response.py", line 14, in <module>
    from jinja2 import Environment, Markup, FileSystemLoader, Template, select_autoescape
ImportError: cannot import name 'Markup' from 'jinja2' (/home/mauro/workspace/python-env/spid_sp_test/lib/python3.8/site-packages/jinja2/__init__.py)

What can I do?

I'm running Ubuntu 20.04.

opened by mauromol 6

Profiles management

spid-sp-test should handle different profiles where every profile contains some tests. Same unique test can be used into more different profiles. Profiles could be defined into configuration files as for Response Test Suite. A single profile can be executed as follow, for example:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --profile spid-sp-metadata-public
enhancement

opened by damikael 6
ACR reponse check should consider "Comparison" attribute

According to the documentation, the accepted AuthnContextClassRef depends on the attribute "Comparison". Currently, the method https://github.com/italia/spid-sp-test/blob/6a9302a210c6f6b80a172ad876716433787857f3/src/spid_sp_test/responses/response_mods.py#L5 takes for granted that Comparison=="minimum", which makes e.g. test n. 96 fail for the case when Comparison="exact".

Valid Comparison values are

exact minimum better maximum

Not sure how "better" and "maximum" should be handled. I propose to at least add handling "exact".
enhancement help wanted

opened by ewedlund 5

Invalid check on private service provider

Referring to https://www.agid.gov.it/sites/default/files/repository_files/spid-avviso-n29v3-specifiche_sp_pubblici_e_privati.pdf there are two checks for --profile spid-sp-private that are not correct.

on page 6 of the linked pdf, there is the same structure reported on https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/metadata.html#esempio-contatti-metadata-sp-per-fatturazione that has EmailAddress and TelephoneNumber out of Extensions node:

   <md:ContactPerson contactType="other">
        <md:Extensions>
            <spid:VATNumber>IT12345678901</spid:VATNumber>
            <spid:FiscalCode>XYZABCAAMGGJ000W</spid:FiscalCode>
            <spid:Private/>
        </md:Extensions>
        <md:EmailAddress>[email protected]</md:EmailAddress>
        <md:TelephoneNumber>+390123456789</md:TelephoneNumber>
    </md:ContactPerson>
    <md:ContactPerson contactType="billing">
        <md:Extensions 
               xmlns:fpa="https://spid.gov.it/invoicing-extensions">
            <fpa:CessionarioCommittente>
                <fpa:DatiAnagrafici>
                    <fpa:IdFiscaleIVA>
                        <fpa:IdPaese>IT</fpa:IdPaese>
                        <fpa:IdCodice>02468135791</fpa:IdCodice>
                    </fpa:IdFiscaleIVA>
                    <fpa:Anagrafica>
			           <fpa:Denominazione>
                            Destinatario_Fatturazione
			           </fpa:Denominazione> 
                    </fpa:Anagrafica>
                </fpa:DatiAnagrafici>
                <fpa:Sede>
		             <fpa:Indirizzo>via [...]</fpa:Indirizzo>
		             <fpa:NumeroCivico>99</fpa:NumeroCivico>
		             <fpa:CAP>12345</ fpa:CAP>
		             <fpa:Comune>nome_citta</fpa:Comune>
		             <fpa:Provincia>XY</fpa:Provincia>
                    <fpa:Nazione>IT</fpa:Nazione>
                </fpa:Sede>
            </fpa:CessionarioCommittente>
        </md:Extensions>
        <md:Company>Destinatario_Fatturazione</md:Company>
        <md:EmailAddress>[email protected]</md:EmailAddress>
        <md:TelephoneNumber>telefono_fatture</md:TelephoneNumber>
    </md:ContactPerson>

Inside spid-sp-test/src/spid_sp_test/metadata_private.py there is the check that validate the EmailAddress as child of Extensions as reported into my test run:

INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_extentions_public
ERROR:spid_sp_test.metadata:The //ContactPerson/Extensions/CessionarioCommittente/EmailAddress element MUST be present

This is not correct like reported into the documentation.

for private service provider there is:

INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_Contacts_PubPriv
ERROR:spid_sp_test.metadata:Only one Extensions element inside ContactPerson element MUST be present

but probably, having two nodes ContactPerson (other and billing), this test count two times the Extensions and this is not correct.

opened by matfur92 5

Private Spid SP Aggregatore Full/Light check missing

I'm trying to validate medatata for private service full aggregator, but it seems that relevant profile is not still implemented in both spid-saml-check and spid-sp-test

I've opened this issue as suggested by @peppelinux
enhancement

opened by ExperianDev 4
[Metadata] Mysterious non-unique ContactPerson constraint check failure
Hi,

not a Python expert at all, firstly. I am experiencing a strange validation error, possibile related to the line in [1] but I am confused. For v. 1.1.5 of spid_sp_test I am getting the following:

ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present ERROR:spid_sp_test.metadata:Only one ContactPerson element of contactType "other" MUST be `present`

for a pub-ag-full SP with this kind of structure (Contacts section, edited here):

<md:ContactPerson contactType="other" spid:entityType="spid:**aggregator**"> <md:Extensions> <spid:VATNumber>IT02770800000</spid:VATNumber> <spid:PublicServicesFullAggregator/> </md:Extensions> <md:Company>myCompany Ltd</md:Company> <md:EmailAddress>[email protected]</md:EmailAddress> </md:ContactPerson> <md:ContactPerson contactType="other" spid:entityType="spid:**aggregated**"> <md:Extensions> <spid:IPACode>COM678</spid:IPACode> <spid:Public/> </md:Extensions> <md:Company>Comune di Topolinia</md:Company> </md:ContactPerson>

This structure should be supported and non error-flagged... Actually I identified [1] but I am NOT entirely convinced it is there the problem (supposing my XML metadata is fine).. because the function defintion uses (apparently...) some default parameter values, here's the signature: def test_Contacts_PubPriv(self, contact_type="other", entity_type="")

and entityType..seems to be set correctly... which makes me wonder.. why is the Xpath/code triggering the error? Seems like.. this section is triggered:

if not entity_type: self._assertTrue( len(entity_desc) == 1, "Only one ContactPerson element of contactType " f'"{contact_type}" MUST be present', test_id = ['1.10.0'], **_data, )

which.. looks impossible if I understand correctly the call from [1]... Also strange... immediately following [1] there's another call with another entityType.. so.. I would expect 2 (two) errors... (one for aggregated and one for aggregator)..

Is this XML structure really incorrect? or there's some..ghost call around or I don't know exactly how to say it.

Thank you.

Diego

[1] https://github.com/italia/spid-sp-test/blob/58afa3fa0b3dd1a3f7accbb085975943c1e31588/src/spid_sp_test/metadata.py#L962
opened by longstoned 4

Fix for finding nested input elements in SAML HTML form

Example of not retrieved input elements wrapped in a div element:

<form action="https://goolex.okta.com/app/goolex_a1_1/exk1hi6xl2jFdGu7A669/sso/saml" method="post">
    <div>
        <input type="hidden" name="SAMLRequest" value="PD9..."/>
        <input type="hidden" name="RelayState" value="RS1"/>
    </div>
    <noscript>
        <div>
            <input type="submit" value="Continue"/>
        </div>
    </noscript>
</form>

opened by aritgithub 4

Corretta gestione Authn
Chiudo questo thread Apriamome un altro eventualmente per gestire gli altri argomenti emersi

Originally posted by @peppelinux in https://github.com/italia/spid-sp-test/issues/90#issuecomment-893865087

Ciao, essendo riusciti a farci prendere il metadata, adesso stiamo facendo le prove di Authn. Stiamo riscontrando delle problematiche con questo comando: --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra.

Questo il comando che lanciamo noi (abbiamo pubblicato online in un ambiente di stage) spid_sp_test --metadata-url https://sitosppubblico-spid.azurewebsites.net/spid/metadata/metadata.xml --authn-url https://sitosppubblico-spid.azurewebsites.net/home/login/?idp=https://sitosppubblico-spid.azurewebsites.net/ --extra -tr

Riceviamo come response:

spid_sp_test.exceptions.SAMLRequestNotFound:

A questo punto ci stiamo ponendo domande su come lanciare correttamente il comando. Ci siamo concentrati sui questa porzione dell'xml:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sitosppubblico-spid.azurewebsites.net/Home/TestLogOut"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sitosppubblico-spid.azurewebsites.net/Home/Test" index="0" isDefault="true"/>

All'interno della nostra app abbiamo creato gli endpoint istanziati nell'xml e anche quello per la login. ("/Home/Test/", "Home/TestLogOut/" e "/Home/Login/" )

Volevamo sapere a questo punto qual'è la correlazione tra i tre endpoint e qual'è la maniera corretta per utilizzarli in modo tale da effettuare correttamente il test sulla login con i giusti redirect/path

Inoltre, il parametro querystring idp è il riferimento al servizio a cui ci si appoggia? (es poste, tim...) Giusto per prova, ho provato a mettere appunto in idp, sia la url di login delle poste, sia proprio http://localhost:8088. Debuggando online, addirittura si evince che la chiamata entra correttamente nell'endpoint, è poi quando effettua la redirect a http://localhost:8088 o anche al sito poste da il messaggio: HTTP-REDIRECT without any SAMLRequest in. Is this SP behind a Proxy or is there any DiscoveryService enabled? {} A questo punto, se ho capito bene la logica credo che sia solo da capire bene dentro il nostro endpoint login da gestire bene, ho capito bene?

Grazie mille ancora per il supporto datoci!
enhancement
opened by mperu92 4
How to install on Windows

Hi! Is there a way to install the environment in a Windows machine (which doesn't have apt install/pip)? If yes, a guide on how to do that would be amazing.

Thanks, Valentino

opened by valentinoavon 0
Comparison "better" fails in some tests

When I set better as comparison, tests of comparison go well but some tests use the same level of the request for the response and so the SP errors. Here's an output with debug. I understand that better with L3 is not possible, but should be for L2 and L1.

https://justpaste.it/6b2ei

opened by random42 0
Extend Responses Test in CLI with json file

Buongiorno @peppelinux, abbiamo un problema su tutte le response che attendono il risultato OK (1,31,94,95,96,109 e 110).

Lanciando il validator AgID da interfaccia web e selezionando i check elencati di sopra il risultato del flusso di login è quello atteso, quindi ogni volta che ci aspettiamo di atterrare sulla pagina finale del SP è effettivamente così. Se invece lanciamo il tool spid_sp_test le risposte sono dei falsi positivi, quindi per tutti i check che dovrebbero avere 200 OK riceviamo un errore, anche se le risposte HTTP sono quelle attese ovvero un 200 OK dopo un 302.

Utilizzando il flag --test-json e modificando il risultato atteso dalle response notiamo che l'output del tool è sempre lo stesso.

Abbiamo quindi lo stesso risultato dai test, sia che ci nel file json impostiamo un 200 OK sia che impostiamo tutti gli altri codici di errore il tool ci risponde sempre con errore.

Il flag --test-json quindi funziona parzialmente, ovvero esegue i test elencati del file ma non modifica il comportamento del tool in base ai codici HTTP che noi impostiamo nel json.

Si richiede cortesemente supporto non appena possibile, grazie in anticipo.
question

opened by K3V1981 1
Updated CIE schema to avoid issue on tag order in ContactPerson
Fixes #115

added some missing tag to PublicGroup

make mandatory VATNumber and FiscalCode in PrivateGroup (I'm not sure about that but here says both are mandatory)

removed some extra code
opened by PiemP 2
Specifiche SPID e HTTP status code del validatore

Buongiorno, mi risulta che vengano segnalati errori sebbene il SP sembra rispettare le specifiche. Un esempio fra tutti è il test 111.

Sebbene alla richiesta annullata dall'utente (segnalata correttamente con errore n25) il SP mostri una pagina di cortesia con indicazione dell'errore ricevuto dall'IdP, il test fallisce ugualmente.

Dando uno sguardo al codice sembrerebbe che spid-sp-test si stia aspetando un HTTP error code, cosa che non è richiesta dalle specifiche.

Nel caso in esame (test 111) sarebbe possibile capire cosa ci si aspetta esattamente e se questo è in linea con quanto richiesto dalle specifiche?
documentation

opened by fmartelli 6
Errore sul validatore dell'organizationIdentifier

Il controllo sull'organizationIdentifier ( OID, 2.5.4.97] ) ha almeno 2 controlli come descritto nel avviso n19v4, ma il validatore ne valida solo 1 SPID Compliant Certificates Value for name attribute [Unknown OID, 2.5.4.97] must match ^PA:IT-\S{1,11}$, tralasciando quello per i soggetti aggregatori.
wontfix

opened by lmeloni21 1

Releases(v1.2.11)

v1.2.11(Dec 14, 2022)
Release notes

fix: CIE xsd files (https://github.com/italia/spid-sp-test/commit/406b517ff62955b6afdf50c8f259bcd29f8fb7b4)

Source code(tar.gz)
Source code(zip)
v1.2.10(Dec 14, 2022)
Release notes

fix: authn request signature not fails anymore if relaystate is missing

Source code(tar.gz)
Source code(zip)
v1.2.9(Dec 14, 2022)
Release notes

fix: email with first level domain up to 8 digits

Source code(tar.gz)
Source code(zip)
v1.2.8(Nov 21, 2022)
Release notes

fix: certificates updates and xmlsec-path param removed (3c3ef06433f4efef3c353db605a70ec6d3127608)

Source code(tar.gz)
Source code(zip)
v1.2.7(Sep 12, 2022)
Release notes

fix: [CIE] xsd updated @peppelinux (#148) - thanks to IPZS

Source code(tar.gz)
Source code(zip)
v1.2.6(Aug 22, 2022)
Release notes

Correctly support all comparisons as per SPID specs @mauromol (#146)

Fix typos "if present" -> "is present" @mauromol (#147)

Source code(tar.gz)
Source code(zip)
v1.2.5(Aug 11, 2022)
Release notes

fix: ipa code check input value cleanup cceb61d01f4793cfeda89f93787cf5867134bca4

Source code(tar.gz)
Source code(zip)
v1.2.4(Aug 11, 2022)
Release notes

fix: __aggrsint regression @nunzionapoli (#145)

Source code(tar.gz)
Source code(zip)
v1.2.3(Aug 4, 2022)
Release notes

fix: removed response test 70 and 71 for CIE id @fmartelli (#142)

Source code(tar.gz)
Source code(zip)
v1.2.2(Jul 7, 2022)
Release notes

fix: missing ipacode on public/private sp @peppelinux (#140)

Source code(tar.gz)
Source code(zip)
v1.2.1(Jul 5, 2022)
Release notes

Added "__aggrsint" compatibility for aggregator first metadata @nunzionapoli (#135)

fix: [Response] AssertionConsumerServiceURL in authnrequest #137 @fmartelli (#138)

Source code(tar.gz)
Source code(zip)
v1.2.0(May 20, 2022)
Release notes

v1.2.0 @peppelinux (#132)

chore: added checks uids (#132)

fix: several improuvements for soggetti aggregatori privati (#132)

feat: OrgaizationName check is more relaxed with trailing new line symbols (#132)

chore: small refactor on metadata AG (#132)

chore: refactor of metadata profile checks (#132)

fix: several exceptions handling (#132)

feat: added profiles for Soggetti Aggregatori Privati Full and Light (#132)

fix: logging issues and exception handled @peppelinux (#131)

Fix tests @Einlar (#128)

feat: additional argument to several check methods @nunzionapoli (#129)

What's Changed

feat: additional argument to several check methods by @nunzionapoli in https://github.com/italia/spid-sp-test/pull/129

Fix tests by @Einlar in https://github.com/italia/spid-sp-test/pull/128

fix: logging issues and exception handled by @peppelinux in https://github.com/italia/spid-sp-test/pull/131

v1.2.0 by @peppelinux in https://github.com/italia/spid-sp-test/pull/132

New Contributors

@Einlar made their first contribution in https://github.com/italia/spid-sp-test/pull/128

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.6...v1.2.0
Source code(tar.gz)
Source code(zip)
v1.1.6(May 12, 2022)
Release notes

feat: more eloquent error message on faulty certificates https://github.com/italia/spid-sp-test/commit/b925a235429ef751192889e64493fe373d2b868a

Added "X509Certificate" response configuration parameter and XSW/XSLT pentest @peppelinux (#99)

What's Changed

Added "X509Certificate" response configuration parameter and XSW/XSLT pentest by @peppelinux in https://github.com/italia/spid-sp-test/pull/99

aggiunti metadata test per aggregatori privati by @nunzionapoli in https://github.com/italia/spid-sp-test/pull/127

New Contributors

@nunzionapoli made their first contribution in https://github.com/italia/spid-sp-test/pull/127

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.5...v1.1.6
Source code(tar.gz)
Source code(zip)
v1.1.5(Mar 28, 2022)
Release notes

fix: Jinja2 3.0.1 dep

Source code(tar.gz)
Source code(zip)
v1.1.4(Jan 25, 2022)
Release notes

fix: spid_compliant_certificates dep

feat: validate if a cert is expired

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.3...v1.1.4
Source code(tar.gz)
Source code(zip)
v1.1.3(Jan 18, 2022)
Release notes

Updated help message @MdreW (#119)

Added prerequisite section in setup chapter @MdreW (#120)

What's Changed

Added prerequisite section in setup chapter by @MdreW in https://github.com/italia/spid-sp-test/pull/120

Updated help message by @MdreW in https://github.com/italia/spid-sp-test/pull/119

New Contributors

@MdreW made their first contribution in https://github.com/italia/spid-sp-test/pull/120

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.2...v1.1.3
Source code(tar.gz)
Source code(zip)
v1.1.2(Jan 14, 2022)
Release notes

fix: spid-compliant-certificates-python dep

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.1...v1.1.2
Source code(tar.gz)
Source code(zip)
v1.1.1(Nov 18, 2021)
Release notes

fix: minor bug on missing signature

chore: moved certs check to --production

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.0...v1.1.1
Source code(tar.gz)
Source code(zip)
v1.1.0(Nov 15, 2021)
Release notes

Metadata certificates checks up to Avviso 29v3 by @peppelinux in https://github.com/italia/spid-sp-test/pull/114

Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.0.0...v1.1.0
Source code(tar.gz)
Source code(zip)
v1.0.0(Nov 15, 2021)
Release notes

v1.0.0: additional checks on void x509 elements

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.25...v1.0.1
Source code(tar.gz)
Source code(zip)
v1.0.0-rc1(Nov 10, 2021)
Release notes

minor metadata code cleanup

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.25...v1.0.1
Source code(tar.gz)
Source code(zip)
v1.0.0-rc(Nov 10, 2021)
Release notes

Ficep eIDAS SP checks

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.25...v1.0.0-rc
Source code(tar.gz)
Source code(zip)
v0.9.25(Nov 10, 2021)
Release notes

feat: official cie metadata tests

fix: metadata exception on missing values

fix: xsd exception on missing values

feat: added xsd_files_path in CLI

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.24...v0.9.25
Source code(tar.gz)
Source code(zip)
v0.9.24(Nov 5, 2021)
What's Changed

Add minimal check for Comparison #111 by @ewedlund in https://github.com/italia/spid-sp-test/pull/112

New Contributors

@ewedlund made their first contribution in https://github.com/italia/spid-sp-test/pull/112

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.23...v0.9.24
Source code(tar.gz)
Source code(zip)
v0.9.23(Oct 29, 2021)
Release notes

fix: HTTP-REDIRECT certificates validation in AuthnRequests (https://github.com/italia/spid-sp-test/commit/de400bde96193198922b2ecc70cf03382906d2ec )

chore: authn request unit tests - faulty AssertionConsumerServiceURL (https://github.com/italia/spid-sp-test/commit/93d64b208fdda0c944bcbc6ad27b2242e86a0d15 )

feat: metadata unit test entity descriptor

Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.22...v0.9.23
Source code(tar.gz)
Source code(zip)
v0.9.22(Sep 28, 2021)
Release notes

feat: handling CRITICAL errors when checks are loaded

Source code(tar.gz)
Source code(zip)
v0.9.21(Sep 28, 2021)
Release notes

fix: handle possible xml schema exceptions in Mentadata and AuthnRequest .init

thanks to @amusarra to given hints
Source code(tar.gz)
Source code(zip)
v0.9.20(Sep 24, 2021)
Release notes

chore: improve DEBUG messages for Authn Request signature validation (https://github.com/italia/spid-sp-test/commit/bc818e0ca18303b761a1f4e9aa7b6bd5c48ed0be)

fix: auth request signature error message (https://github.com/italia/spid-sp-test/commit/0440e4b546e00cc618211990dfbff12f4aa5a6bb)

Source code(tar.gz)
Source code(zip)
v0.9.19(Sep 21, 2021)
Release notes

fix: testConditions, fixed https://github.com/italia/spid-sp-test/issues/104

Source code(tar.gz)
Source code(zip)
v0.9.18(Sep 21, 2021)
Release notes

fix: get_indicepa_by_ipacode fails if result contains more AOO, fixed https://github.com/italia/spid-sp-test/issues/103

Source code(tar.gz)
Source code(zip)