spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line.

Overview

spid-sp-test

CI build License Python version Downloads Downloads

spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line. This tool was born by separating the test library already present in spid-saml-check.

Features

spid-sp-test can:

  • test a SAML2 SPID/CIE Metadata file or http url
  • test a SAML2 SPID/CIE AuthnRequest file or or http url
  • test ACS behaviour, how a SP replies to a SAML2 Response
  • test many kinds of SP, see Profiles
  • dump the responses sent to an ACS and the HTML of the SP response
  • handle Attributes to send in Responses or test configurations of the Responses via json configuration files
  • configure response template with Jinja2
  • get new test-suite via multiple json files
  • fully integrable in CI
  • export a detailed report in json format, in stdout or in a file

Generally it's:

  • extremely faster in execution time than spid-saml-check
  • extremely easy to setup

Check metadata

Command line with metadata checking

Authentication requests, JSON output

Command line with more flag demoed

Full test set with metadata, authn request and responses

Command line with test responses

Profiles

Each profile loads a set of test. Use --profile $profile-name with one of the following profile name:

  • saml2-sp: Pure SAML2 SP with some best practises
  • spid-sp-public: Public Spid SP
  • spid-sp-private: Private Spid SP
  • spid-sp-ag-public-full: Public Spid SP Aggregatore Full
  • spid-sp-ag-public-lite: Public Spid SP Aggregatore Lite
  • spid-sp-op-public-full: Public Spid SP Gestore Full
  • spid-sp-op-public-lite: Public Spid SP Gestore Lite
  • cie-sp-public: Public CIE SP
  • cie-sp-private: Private CIE SP

Setup

apt install libxml2-dev libxmlsec1-dev libxmlsec1-openssl xmlsec1 python3-pip python3-virtualenv
virtualenv -p python3 env
source env/bin/activate

pip install spid-sp-test --upgrade --no-cache

Overview

spid-sp-test can test a SP metadata file, you just have to give the Metadata URL, if http/http or file, eg: file://path/to/metadata.xml. At the same way it can test an Authentication Request.

In a different manner spid-sp-test can send a huge numer of fake SAML Response, for each of them it needs to trigger a real Authentication Request to the target SP.

If you want to test also the Response, you must give the spid-sp-test fake idp metadata xml file to the target SP. Get fake IdP metadata (--idp-metadata) and copy it to your SP metadatastore folder.

spid_sp_test --idp-metadata > /path/to/spid-django/example/spid_config/metadata/spid-sp-test.xml

To get spid-sp-test in a CI you have to:

  • configure an example project in your application
  • register the spid-sp-test fake idp metadata in your SP and execute the example project, with its development server in background
  • launch the spid-sp-test commands

An example of CI is here

Examples

Run spid_sp_test -h for inline documentation.

usage: spid_sp_test [-h] [--metadata-url METADATA_URL] [--idp-metadata] [-l [LIST [LIST ...]]] [--extra] [--authn-url AUTHN_URL] [-tr] [-nsr]
                    [-tp TEMPLATE_PATH] [-tn [TEST_NAMES [TEST_NAMES ...]]] [-tj [TEST_JSONS [TEST_JSONS ...]]] [-aj ATTR_JSON]
                    [-o REPORT_OUTPUT_FILE] [-rf {json,html}] [-d {CRITICAL,ERROR,WARNING,INFO,DEBUG}] [-xp XMLSEC_PATH] [--production]
                    [--response-html-dumps RESPONSE_HTML_DUMPS] [--exit-zero]
                    [-pr {saml2-sp,spid-sp-public,spid-sp-private,spid-sp-ag-public-full,spid-sp-ag-public-lite,spid-sp-op-public-full,spid-sp-op-public-lite,cie-sp-public,cie-sp-private}]
                    [-ap AUTHN_PLUGIN] [-rm REQUEST_METHOD] [-rb REQUEST_BODY] [-rct REQUEST_CONTENT_TYPE]


src/spid_sp_test/spid_sp_test -h for help

Test metadata passing a file

spid_sp_test --metadata-url file://metadata.xml

Test metadata from a URL

spid_sp_test --metadata-url http://localhost:8000/spid/metadata

A quite standard test

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra

Print only ERRORs

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra --debug ERROR

JSON report, add -o filename.json to write to a file, -rf html -o html_report/ to export to a HTML page

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra -rf json

Given a metadata file and a authn file (see tests/metadata and tests/authn for example) export all the test response without sending them to SP:

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr

Get the response (test 1) that would have to be sent to a SP with a custom set of attributes, without sending it for real. It will just print it to stdout

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr -tn 1 -aj tests/example.attributes.json

Common usages

Test a Shibboleth SP with a SAMLDS (DiscoveryService). In this example target points to the target service and entityID is the selected IdP. This example works also a Shibboleth IdP-SP proxy/gateway.

spid_sp_test --metadata-url https://sp.testunical.it/pymetadata_signed.xml --authn-url "https://sp.testunical.it/Shibboleth.sso/Login?target=https://sp.testunical.it/secure/index.php&entityID=https://localhost:8080" --debug ERROR --extra -tr

Test Satosa-Saml2Spid using its authn plugin and a SP that supports idp hinting

spid_sp_test --metadata-url https://localhost:10000/spidSaml2/metadata --authn-url "http://sp1.testunical.it:8000/saml2/login/?idp=https://localhost:10000/Saml2IDP/metadata&next=/saml2/echo_attributes&idphint=https%253A%252F%252Flocalhost%253A8080" -ap spid_sp_test.plugins.authn_request.SatosaSaml2Spid --extra -tr

Examples with Docker

Before starting you have to obtain the italia/spid-sp-test image. You can pull it from Docker Hub

$ export SSTVER=0.9.0
$ docker pull italia/spid-sp-test:$SSTVER

or build locally

$ docker build --tag italia/spid-sp-test:$SSTVER .

The container working directory is set to /spid therefore, local files should be mounted relatively to /spid path.

$ docker run -ti --rm \
    -v "$(pwd)/tests/metadata:/spid/mymetadata:ro" \
    -v "$(pwd)/tests/metadata:/spid/dumps:rw" \
    italia/spid-sp-test:$SSTVER --metadata-url file://mymetadata/spid-django-other.xml

Test Responses and html dumps

By enabling the response dump with the --response-html-dumps HTML_PATH option, you will get N html files (page of your SP) as follows:

  • test description, commented
  • SAML Response sent, commented
  • SP html page, with absolute src and href (god bless lxml)

Here an example of 1_True.html, where 1 is the test name and True is the status.

Extending tests

spid-sp-test offers the possibility to extend and configure new response tests to be performed. The user can:

  • customize the test suite to run by configuring a json file similar to tests/example.test-suite.json and passing this as an argument with --test-jsons option. More than one json file can be entered by separating it by a space

  • customize the attributes to be returned by configuring these in a json file similar to example/example.attributes.json and passing this with the --attr-json option

  • customize xml templates to be used in tests, indicating them in each test entry in the configuration file configured via --test-jsons and also the templates directory with the option --template-path. The templates are Jinja2 powered, so it's possible to extend src/spid_sp_test/responses/templates/base.xml with our preferred values

  • customize the way to get the SAML2 Authn Request, using plugins wrote by your own. If you're using a IAM Proxy with some OAuth2/OIDC frontends of a custom API, you can write your plugin and use it in the cli arguments, eg: spid_sp_test --metadata-url https://localhost:8000/spid/metadata --extra --authn-url https://localhost:8000/spid/login/?idp=https://localhost:8080 --debug INFO -tr --authn-plugin spid_sp_test.plugins.authn_request.Dummy

  • customize entityid and certificates path runtime, using ENV variables. The files MUST be named private.key and public.cert:

    IDP_ENTITYID=https://your.idp.eid/ IDP_CERT_PATH=../spid-django/example/certificates spid_sp_test --idp-metadata
    

Looking at src/spid_sp_test/responses/settings.py or tests/example.test-suite.json we found that every test have a response attribute. Each element configured in would overload the value that will be rendered in the template. Each template can load these variable from its template context or use which ones was statically defined in it.

Finally you have batteries included and some options as well, at your taste.

Unit tests

That's for developers.

pip install requirements-dev.txt
pytest -v --cov=spid_sp_test --cov-report term  tests/

If you need a docker, you can do:

  1. create the developer image
docker build -f Dockerfile-devenv --no-cache . --tag italia/spid-sp-test-devenv
  1. run coverage tests on the development image
docker run italia/spid-sp-test-devenv
  1. if you need to use the image as a developer machine or inspect the enviroment, you can access in it with
docker run -it --entrypoint /bin/bash italia/spid-sp-test-devenv
  1. The final step is a live coding from your host machine and the development docker instance, using volumes
docker run -it -v $(pwd):/tmp/src --entrypoint /bin/bash italia/spid-sp-test-devenv

Authors

References

TLS/SSL tests

Comments
  • Regression in authentication level validation

    Regression in authentication level validation

    #111 introduced a regression. If my SP sends an AuthnRequest with this:

    <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    

    and the IdP response states that the authentication has been established with L2, the SP must consider the response valid, even if SAML 2.0 says otherwise. This is what SPID specification says in 1.2.2.1 section:

    N.B. L’Identity Provider ha facoltà di utilizzare per l’autenticazione un livello SPID più alto rispetto a quelli risultanti dall’indicazione del richiedente mediante l’attributo Comparison. Tale scelta non deve comportare un esito negativo della richiesta.

    So, currently tests 95 and 96 are failing for me with current spid-sp-test for this reason, in the above scenario.

    opened by mauromol 12
  • Checking for signature wrapping attacks resilience?

    Checking for signature wrapping attacks resilience?

    I was wondering whether, along with that long list of (often useless, although necessary for onboarding) checks for SPID compliance, spid-sp-test could also check for the resilience of the SP implementation against Signature Wrapping attacks, as described, for instance, at: https://www.netspi.com/blog/technical/web-application-penetration-testing/attacking-sso-common-saml-vulnerabilities-ways-find/ (see "Common Implementation Mistakes & Testing Tips" - "Signature Wrapping" section) A more thorough source of information might be: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf

    This is just an idea, probably worth more in-depth analysis.

    enhancement already done 
    opened by mauromol 8
  • Problematiche relative alla firma dei metadata

    Problematiche relative alla firma dei metadata

    Buongiorno, stiamo provando ad implementare SPID su un nostro portale per un cliente che è un ente pubblico, ma siamo ancora nella fase di generazione / firma del certificato. Tramite questo tool, abbiamo generato i tre file (crt.pem csr.pem key.pem) Una volta ottenuti, con openssl tramite il comando pkcs12 -export -out cert.pfx -inkey key.pem -in crt.pem abbiamo generato il file .pfx. Una volta fatto questo, tramite uno script abbiamo ottenuto il base64 del .pfx. A questo punto, avendo i certificati ci siamo un po' bloccati perché non ci è chiarissimo il da farsi. Ci è stato suggerito di prendere come spunto un file presente all'interno di questo progetto per ente pubblico public-sp.xml. Abbiamo quindi preso questo file e abbiamo modificato i dati con i nostri. Abbiamo creato il virtual enviroment di pyhton, e quindi installato spid-sp-test.

    Lanciando il comando spid_sp_test --metadata-url file://cndcec_metadata.xml o anche lanciando il comando xmlsec1 --sign --insecure --privkey-pem key.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor cndcec_metadata.xml > cndcec_metadata_signed.xml solo per la parte relativa alla signature, ci viene triggerato questo errore (tra l'altro l'unico)

    func=xmlSecOpenSSLX509CertificateNodeRead:file=x509.c:line=956:obj=x509:subj=xmlSecOpenSSLX509CertBase64DerRead:error=1:xmlsec library function failed:
    func=xmlSecOpenSSLX509DataNodeRead:file=x509.c:line=886:obj=x509:subj=xmlSecOpenSSLX509CertificateNodeRead:error=1:xmlsec library function failed:node=X509Certificate
    func=xmlSecOpenSSLKeyDataX509XmlRead:file=x509.c:line=663:obj=x509:subj=xmlSecOpenSSLX509DataNodeRead:error=1:xmlsec library function failed:
    func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=X509Data
    func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
    func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
    func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
    func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
    Error: signature failed
    

    Che sembra essere relativo proprio al base64 del certificato che abbiamo generato. Ed effettivamente ci sono delle incongruenze tra l'xml di esempio e quello nostro. Nell'xml di esempio, i due parametri <KeyInfo> hanno base64 differenti, inoltre nel secondo parametro <KeyInfo> all'interno del segmento <KeyDescriptor> i base 64 sono diversi, separati da spazi, come se fossero una lista.

    Noi nel nostro file in entrambi i segmenti abbiamo inserito sempre lo stesso base64 che abbiamo generato. nella documentazione che abbiamo letto su https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/metadata.html ci viene detto che l’elementoche contiene l’elenco dei certificati e delle corrispondenti chiavi pubbliche dell’entità, utili per la verifica della firma dei messaggi prodotti da tale entità nelle sue interazioni con le altre (SAMLMetadata, par. 2.4.1.1)

    A questo punto non sappiamo oltre a quello generato da noi, quali siano gli altri certificati dell'elenco di cui si parla. Lanciando il tool sembra proprio che l'unica failure sia proprio questa, non vengono riportati altri errori.

    Questo il nostro file xml

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:spid="https://spid.gov.it/saml-extensions" ID="a088bc6e-33c5-4ff2-b35b-d9c3ff9a2c9e" entityID="https://publicsp.it/">
    
    <ds:Signature Id="Signature1">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#a088bc6e-33c5-4ff2-b35b-d9c3ff9a2c9e">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue />
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue />
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>MIIQDQIBAzCCD8kGCSqGSIb3DQEHAaCCD7oEgg+...[HASH INCOMPLETO]</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    
        <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>MIIQDQIBAzCCD8kGCSqGSIb3DQEHAaCCD7oEgg+...[HASH INCOMPLETO]</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://eventi.commercialisti.it/slo"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://publicsp.it/sso" index="0" isDefault="true"/>
            <md:AttributeConsumingService index="0">
                <md:ServiceName xml:lang="it">ServiceName</md:ServiceName>
                <md:RequestedAttribute Name="spidCode"/>
                <md:RequestedAttribute Name="familyName"/>
                <md:RequestedAttribute Name="name"/>
                <md:RequestedAttribute Name="companyName"/>
                <md:RequestedAttribute Name="fiscalNumber"/>
                <md:RequestedAttribute Name="ivaCode"/>
                <md:RequestedAttribute Name="email"/>
                <md:RequestedAttribute Name="gender"/>
                <md:RequestedAttribute Name="placeOfBirth"/>
                <md:RequestedAttribute Name="countyOfBirth"/>
                <md:RequestedAttribute Name="dateOfBirth"/>
            </md:AttributeConsumingService>
        </md:SPSSODescriptor>
        <md:Organization>
            <md:OrganizationName xml:lang="it">publicsp</md:OrganizationName>
            <md:OrganizationDisplayName xml:lang="it">Consiglio Nazionale dei Dottori Commercialisti e degli Esperti Contabil</md:OrganizationDisplayName>
            <md:OrganizationURL xml:lang="it">https://publicsp.it</md:OrganizationURL>
        </md:Organization>
        <md:ContactPerson contactType="other">
            <md:Extensions>
                <spid:IPACode>ipa</spid:IPACode>
                <spid:Public/>
            </md:Extensions>
            <md:EmailAddress>[email protected]</md:EmailAddress>
        </md:ContactPerson>
    </md:EntityDescriptor>
    

    Quali possono essere i nostri errori/mancanze che non permettono la signature del nostro xml? Grazie mille in anticipo

    opened by mperu92 7
  • Problems installing and running spid_sp_test in virtual env

    Problems installing and running spid_sp_test in virtual env

    I followed the instructions to create a python3 virtual env and install spid_sp_test. However, when I do pip install spid_sp_test after activating the virtual env, I get this:

    ERROR: spid-compliant-certificates 0.4.1 has requirement cryptography==35.0.0, but you'll have cryptography 36.0.2 which is incompatible.
    

    Then, I retried to install with pip install spid_sp_test --upgrade and then it seems like it gets installed:

    [...]
    Collecting cryptography==35.0.0
      Downloading cryptography-35.0.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.7 MB)
         |████████████████████████████████| 3.7 MB 4.8 MB/s
    [...]
    Installing collected packages: cryptography
      Attempting uninstall: cryptography
        Found existing installation: cryptography 36.0.2
        Uninstalling cryptography-36.0.2:
          Successfully uninstalled cryptography-36.0.2
    Successfully installed cryptography-35.0.0
    

    So, it seems like the second time it has installed the older version of the cryptography package without complaining, I don't know why it doesn't do this on the first attempt.

    However, spid_sp_test does not start yet. I get the following exception:

    (spid_sp_test) mauro@hppb ~/workspace/python-env $ spid_sp_test
    Traceback (most recent call last):
      File "/home/mauro/workspace/python-env/spid_sp_test/bin/spid_sp_test", line 17, in <module>
        from spid_sp_test.response import SpidSpResponseCheck
      File "/home/mauro/workspace/python-env/spid_sp_test/lib/python3.8/site-packages/spid_sp_test/response.py", line 14, in <module>
        from jinja2 import Environment, Markup, FileSystemLoader, Template, select_autoescape
    ImportError: cannot import name 'Markup' from 'jinja2' (/home/mauro/workspace/python-env/spid_sp_test/lib/python3.8/site-packages/jinja2/__init__.py)
    

    What can I do?

    I'm running Ubuntu 20.04.

    opened by mauromol 6
  • Profiles management

    Profiles management

    spid-sp-test should handle different profiles where every profile contains some tests. Same unique test can be used into more different profiles. Profiles could be defined into configuration files as for Response Test Suite. A single profile can be executed as follow, for example:

    spid_sp_test --metadata-url http://localhost:8000/spid/metadata --profile spid-sp-metadata-public

    enhancement 
    opened by damikael 6
  • ACR reponse check should consider

    ACR reponse check should consider "Comparison" attribute

    According to the documentation, the accepted AuthnContextClassRef depends on the attribute "Comparison". Currently, the method https://github.com/italia/spid-sp-test/blob/6a9302a210c6f6b80a172ad876716433787857f3/src/spid_sp_test/responses/response_mods.py#L5 takes for granted that Comparison=="minimum", which makes e.g. test n. 96 fail for the case when Comparison="exact".

    Valid Comparison values are

    exact minimum better maximum

    Not sure how "better" and "maximum" should be handled. I propose to at least add handling "exact".

    enhancement help wanted 
    opened by ewedlund 5
  • Invalid check on private service provider

    Invalid check on private service provider

    Referring to https://www.agid.gov.it/sites/default/files/repository_files/spid-avviso-n29v3-specifiche_sp_pubblici_e_privati.pdf there are two checks for --profile spid-sp-private that are not correct.

    on page 6 of the linked pdf, there is the same structure reported on https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/metadata.html#esempio-contatti-metadata-sp-per-fatturazione that has EmailAddress and TelephoneNumber out of Extensions node:

       <md:ContactPerson contactType="other">
            <md:Extensions>
                <spid:VATNumber>IT12345678901</spid:VATNumber>
                <spid:FiscalCode>XYZABCAAMGGJ000W</spid:FiscalCode>
                <spid:Private/>
            </md:Extensions>
            <md:EmailAddress>[email protected]</md:EmailAddress>
            <md:TelephoneNumber>+390123456789</md:TelephoneNumber>
        </md:ContactPerson>
        <md:ContactPerson contactType="billing">
            <md:Extensions 
                   xmlns:fpa="https://spid.gov.it/invoicing-extensions">
                <fpa:CessionarioCommittente>
                    <fpa:DatiAnagrafici>
                        <fpa:IdFiscaleIVA>
                            <fpa:IdPaese>IT</fpa:IdPaese>
                            <fpa:IdCodice>02468135791</fpa:IdCodice>
                        </fpa:IdFiscaleIVA>
                        <fpa:Anagrafica>
    			           <fpa:Denominazione>
                                Destinatario_Fatturazione
    			           </fpa:Denominazione> 
                        </fpa:Anagrafica>
                    </fpa:DatiAnagrafici>
                    <fpa:Sede>
    		             <fpa:Indirizzo>via [...]</fpa:Indirizzo>
    		             <fpa:NumeroCivico>99</fpa:NumeroCivico>
    		             <fpa:CAP>12345</ fpa:CAP>
    		             <fpa:Comune>nome_citta</fpa:Comune>
    		             <fpa:Provincia>XY</fpa:Provincia>
                        <fpa:Nazione>IT</fpa:Nazione>
                    </fpa:Sede>
                </fpa:CessionarioCommittente>
            </md:Extensions>
            <md:Company>Destinatario_Fatturazione</md:Company>
            <md:EmailAddress>[email protected]</md:EmailAddress>
            <md:TelephoneNumber>telefono_fatture</md:TelephoneNumber>
        </md:ContactPerson>
    

    Inside spid-sp-test/src/spid_sp_test/metadata_private.py there is the check that validate the EmailAddress as child of Extensions as reported into my test run:

    INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_extentions_public
    ERROR:spid_sp_test.metadata:The //ContactPerson/Extensions/CessionarioCommittente/EmailAddress element MUST be present
    

    This is not correct like reported into the documentation.

    for private service provider there is:

    INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_Contacts_PubPriv
    ERROR:spid_sp_test.metadata:Only one Extensions element inside ContactPerson element MUST be present
    

    but probably, having two nodes ContactPerson (other and billing), this test count two times the Extensions and this is not correct.

    opened by matfur92 5
  • Private Spid SP Aggregatore Full/Light check missing

    Private Spid SP Aggregatore Full/Light check missing

    I'm trying to validate medatata for private service full aggregator, but it seems that relevant profile is not still implemented in both spid-saml-check and spid-sp-test

    I've opened this issue as suggested by @peppelinux

    enhancement 
    opened by ExperianDev 4
  • [Metadata] Mysterious non-unique ContactPerson constraint check failure

    [Metadata] Mysterious non-unique ContactPerson constraint check failure

    Hi,

    not a Python expert at all, firstly. I am experiencing a strange validation error, possibile related to the line in [1] but I am confused. For v. 1.1.5 of spid_sp_test I am getting the following:

    ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present
    ERROR:spid_sp_test.metadata:Only one ContactPerson element of contactType "other" MUST be `present`
    
    

    for a pub-ag-full SP with this kind of structure (Contacts section, edited here):

     <md:ContactPerson contactType="other" spid:entityType="spid:**aggregator**">
                    <md:Extensions>
                            <spid:VATNumber>IT02770800000</spid:VATNumber>
                            <spid:PublicServicesFullAggregator/>
                    </md:Extensions>
                    <md:Company>myCompany Ltd</md:Company>
                    <md:EmailAddress>[email protected]</md:EmailAddress>
            </md:ContactPerson>
            <md:ContactPerson contactType="other" spid:entityType="spid:**aggregated**">
                    <md:Extensions>
                            <spid:IPACode>COM678</spid:IPACode>
                            <spid:Public/>
                    </md:Extensions>
                    <md:Company>Comune di Topolinia</md:Company>
            </md:ContactPerson>
    
    

    This structure should be supported and non error-flagged... Actually I identified [1] but I am NOT entirely convinced it is there the problem (supposing my XML metadata is fine).. because the function defintion uses (apparently...) some default parameter values, here's the signature: def test_Contacts_PubPriv(self, contact_type="other", entity_type="")

    and entityType..seems to be set correctly... which makes me wonder.. why is the Xpath/code triggering the error? Seems like.. this section is triggered:

    if not entity_type:
               self._assertTrue(
                   len(entity_desc) == 1,
                   "Only one ContactPerson element of contactType "
                   f'"{contact_type}" MUST be present',
                   test_id = ['1.10.0'], **_data,
               )
    

    which.. looks impossible if I understand correctly the call from [1]... Also strange... immediately following [1] there's another call with another entityType.. so.. I would expect 2 (two) errors... (one for aggregated and one for aggregator)..

    Is this XML structure really incorrect? or there's some..ghost call around or I don't know exactly how to say it.

    Thank you.

    Diego

    [1] https://github.com/italia/spid-sp-test/blob/58afa3fa0b3dd1a3f7accbb085975943c1e31588/src/spid_sp_test/metadata.py#L962

    opened by longstoned 4
  • Fix for finding nested input elements in SAML HTML form

    Fix for finding nested input elements in SAML HTML form

    Example of not retrieved input elements wrapped in a div element:

    <form action="https://goolex.okta.com/app/goolex_a1_1/exk1hi6xl2jFdGu7A669/sso/saml" method="post">
        <div>
            <input type="hidden" name="SAMLRequest" value="PD9..."/>
            <input type="hidden" name="RelayState" value="RS1"/>
        </div>
        <noscript>
            <div>
                <input type="submit" value="Continue"/>
            </div>
        </noscript>
    </form>
    
    opened by aritgithub 4
  • Corretta gestione Authn

    Corretta gestione Authn

    Chiudo questo thread Apriamome un altro eventualmente per gestire gli altri argomenti emersi

    Originally posted by @peppelinux in https://github.com/italia/spid-sp-test/issues/90#issuecomment-893865087

    Ciao, essendo riusciti a farci prendere il metadata, adesso stiamo facendo le prove di Authn. Stiamo riscontrando delle problematiche con questo comando: --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra.

    Questo il comando che lanciamo noi (abbiamo pubblicato online in un ambiente di stage) spid_sp_test --metadata-url https://sitosppubblico-spid.azurewebsites.net/spid/metadata/metadata.xml --authn-url https://sitosppubblico-spid.azurewebsites.net/home/login/?idp=https://sitosppubblico-spid.azurewebsites.net/ --extra -tr

    Riceviamo come response:

    spid_sp_test.exceptions.SAMLRequestNotFound:
    

    A questo punto ci stiamo ponendo domande su come lanciare correttamente il comando. Ci siamo concentrati sui questa porzione dell'xml:

            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sitosppubblico-spid.azurewebsites.net/Home/TestLogOut"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sitosppubblico-spid.azurewebsites.net/Home/Test" index="0" isDefault="true"/>
    

    All'interno della nostra app abbiamo creato gli endpoint istanziati nell'xml e anche quello per la login. ("/Home/Test/", "Home/TestLogOut/" e "/Home/Login/" )

    Volevamo sapere a questo punto qual'è la correlazione tra i tre endpoint e qual'è la maniera corretta per utilizzarli in modo tale da effettuare correttamente il test sulla login con i giusti redirect/path

    Inoltre, il parametro querystring idp è il riferimento al servizio a cui ci si appoggia? (es poste, tim...) Giusto per prova, ho provato a mettere appunto in idp, sia la url di login delle poste, sia proprio http://localhost:8088. Debuggando online, addirittura si evince che la chiamata entra correttamente nell'endpoint, è poi quando effettua la redirect a http://localhost:8088 o anche al sito poste da il messaggio: HTTP-REDIRECT without any SAMLRequest in. Is this SP behind a Proxy or is there any DiscoveryService enabled? {} A questo punto, se ho capito bene la logica credo che sia solo da capire bene dentro il nostro endpoint login da gestire bene, ho capito bene?

    Grazie mille ancora per il supporto datoci!

    enhancement 
    opened by mperu92 4
  • How to install on Windows

    How to install on Windows

    Hi! Is there a way to install the environment in a Windows machine (which doesn't have apt install/pip)? If yes, a guide on how to do that would be amazing.

    Thanks, Valentino

    opened by valentinoavon 0
  • Comparison

    Comparison "better" fails in some tests

    When I set better as comparison, tests of comparison go well but some tests use the same level of the request for the response and so the SP errors. Here's an output with debug. I understand that better with L3 is not possible, but should be for L2 and L1.

    https://justpaste.it/6b2ei

    opened by random42 0
  • Extend Responses Test in CLI with json file

    Extend Responses Test in CLI with json file

    Buongiorno @peppelinux, abbiamo un problema su tutte le response che attendono il risultato OK (1,31,94,95,96,109 e 110).

    Lanciando il validator AgID da interfaccia web e selezionando i check elencati di sopra il risultato del flusso di login è quello atteso, quindi ogni volta che ci aspettiamo di atterrare sulla pagina finale del SP è effettivamente così. Se invece lanciamo il tool spid_sp_test le risposte sono dei falsi positivi, quindi per tutti i check che dovrebbero avere 200 OK riceviamo un errore, anche se le risposte HTTP sono quelle attese ovvero un 200 OK dopo un 302.

    Utilizzando il flag --test-json e modificando il risultato atteso dalle response notiamo che l'output del tool è sempre lo stesso.

    Abbiamo quindi lo stesso risultato dai test, sia che ci nel file json impostiamo un 200 OK sia che impostiamo tutti gli altri codici di errore il tool ci risponde sempre con errore.

    Il flag --test-json quindi funziona parzialmente, ovvero esegue i test elencati del file ma non modifica il comportamento del tool in base ai codici HTTP che noi impostiamo nel json.

    Si richiede cortesemente supporto non appena possibile, grazie in anticipo.

    question 
    opened by K3V1981 1
  • Updated CIE schema to avoid issue on tag order in ContactPerson

    Updated CIE schema to avoid issue on tag order in ContactPerson

    Fixes #115

    • added some missing tag to PublicGroup
    • make mandatory VATNumber and FiscalCode in PrivateGroup (I'm not sure about that but here says both are mandatory)
    • removed some extra code
    opened by PiemP 2
  • Specifiche SPID e HTTP status code del validatore

    Specifiche SPID e HTTP status code del validatore

    Buongiorno, mi risulta che vengano segnalati errori sebbene il SP sembra rispettare le specifiche. Un esempio fra tutti è il test 111.

    Sebbene alla richiesta annullata dall'utente (segnalata correttamente con errore n25) il SP mostri una pagina di cortesia con indicazione dell'errore ricevuto dall'IdP, il test fallisce ugualmente.

    Dando uno sguardo al codice sembrerebbe che spid-sp-test si stia aspetando un HTTP error code, cosa che non è richiesta dalle specifiche.

    Nel caso in esame (test 111) sarebbe possibile capire cosa ci si aspetta esattamente e se questo è in linea con quanto richiesto dalle specifiche?

    documentation 
    opened by fmartelli 6
  • Errore sul validatore dell'organizationIdentifier

    Errore sul validatore dell'organizationIdentifier

    Il controllo sull'organizationIdentifier ( OID, 2.5.4.97] ) ha almeno 2 controlli come descritto nel avviso n19v4, ma il validatore ne valida solo 1 SPID Compliant Certificates Value for name attribute [Unknown OID, 2.5.4.97] must match ^PA:IT-\S{1,11}$, tralasciando quello per i soggetti aggregatori.

    wontfix 
    opened by lmeloni21 1
Releases(v1.2.11)
  • v1.2.11(Dec 14, 2022)

  • v1.2.8(Nov 21, 2022)

  • v1.2.7(Sep 12, 2022)

  • v1.2.6(Aug 22, 2022)

    Release notes

    • Correctly support all comparisons as per SPID specs @mauromol (#146)
    • Fix typos "if present" -> "is present" @mauromol (#147)
    Source code(tar.gz)
    Source code(zip)
  • v1.2.5(Aug 11, 2022)

  • v1.2.4(Aug 11, 2022)

  • v1.2.3(Aug 4, 2022)

  • v1.2.2(Jul 7, 2022)

  • v1.2.1(Jul 5, 2022)

    Release notes

    • Added "__aggrsint" compatibility for aggregator first metadata @nunzionapoli (#135)
    • fix: [Response] AssertionConsumerServiceURL in authnrequest #137 @fmartelli (#138)
    Source code(tar.gz)
    Source code(zip)
  • v1.2.0(May 20, 2022)

    Release notes

    • v1.2.0 @peppelinux (#132)
    • chore: added checks uids (#132)
    • fix: several improuvements for soggetti aggregatori privati (#132)
    • feat: OrgaizationName check is more relaxed with trailing new line symbols (#132)
    • chore: small refactor on metadata AG (#132)
    • chore: refactor of metadata profile checks (#132)
    • fix: several exceptions handling (#132)
    • feat: added profiles for Soggetti Aggregatori Privati Full and Light (#132)
    • fix: logging issues and exception handled @peppelinux (#131)
    • Fix tests @Einlar (#128)
    • feat: additional argument to several check methods @nunzionapoli (#129)

    What's Changed

    • feat: additional argument to several check methods by @nunzionapoli in https://github.com/italia/spid-sp-test/pull/129
    • Fix tests by @Einlar in https://github.com/italia/spid-sp-test/pull/128
    • fix: logging issues and exception handled by @peppelinux in https://github.com/italia/spid-sp-test/pull/131
    • v1.2.0 by @peppelinux in https://github.com/italia/spid-sp-test/pull/132

    New Contributors

    • @Einlar made their first contribution in https://github.com/italia/spid-sp-test/pull/128

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.6...v1.2.0

    Source code(tar.gz)
    Source code(zip)
  • v1.1.6(May 12, 2022)

    Release notes

    • feat: more eloquent error message on faulty certificates https://github.com/italia/spid-sp-test/commit/b925a235429ef751192889e64493fe373d2b868a
    • Added "X509Certificate" response configuration parameter and XSW/XSLT pentest @peppelinux (#99)

    What's Changed

    • Added "X509Certificate" response configuration parameter and XSW/XSLT pentest by @peppelinux in https://github.com/italia/spid-sp-test/pull/99
    • aggiunti metadata test per aggregatori privati by @nunzionapoli in https://github.com/italia/spid-sp-test/pull/127

    New Contributors

    • @nunzionapoli made their first contribution in https://github.com/italia/spid-sp-test/pull/127

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.5...v1.1.6

    Source code(tar.gz)
    Source code(zip)
  • v1.1.5(Mar 28, 2022)

  • v1.1.4(Jan 25, 2022)

    Release notes

    • fix: spid_compliant_certificates dep
    • feat: validate if a cert is expired

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.3...v1.1.4

    Source code(tar.gz)
    Source code(zip)
  • v1.1.3(Jan 18, 2022)

    Release notes

    • Updated help message @MdreW (#119)
    • Added prerequisite section in setup chapter @MdreW (#120)

    What's Changed

    • Added prerequisite section in setup chapter by @MdreW in https://github.com/italia/spid-sp-test/pull/120
    • Updated help message by @MdreW in https://github.com/italia/spid-sp-test/pull/119

    New Contributors

    • @MdreW made their first contribution in https://github.com/italia/spid-sp-test/pull/120

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.2...v1.1.3

    Source code(tar.gz)
    Source code(zip)
  • v1.1.2(Jan 14, 2022)

  • v1.1.1(Nov 18, 2021)

    Release notes

    • fix: minor bug on missing signature
    • chore: moved certs check to --production

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.1.0...v1.1.1

    Source code(tar.gz)
    Source code(zip)
  • v1.1.0(Nov 15, 2021)

    Release notes

    • Metadata certificates checks up to Avviso 29v3 by @peppelinux in https://github.com/italia/spid-sp-test/pull/114

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v1.0.0...v1.1.0

    Source code(tar.gz)
    Source code(zip)
  • v1.0.0(Nov 15, 2021)

    Release notes

    • v1.0.0: additional checks on void x509 elements

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.25...v1.0.1

    Source code(tar.gz)
    Source code(zip)
  • v1.0.0-rc1(Nov 10, 2021)

  • v1.0.0-rc(Nov 10, 2021)

  • v0.9.25(Nov 10, 2021)

    Release notes

    • feat: official cie metadata tests
    • fix: metadata exception on missing values
    • fix: xsd exception on missing values
    • feat: added xsd_files_path in CLI

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.24...v0.9.25

    Source code(tar.gz)
    Source code(zip)
  • v0.9.24(Nov 5, 2021)

    What's Changed

    • Add minimal check for Comparison #111 by @ewedlund in https://github.com/italia/spid-sp-test/pull/112

    New Contributors

    • @ewedlund made their first contribution in https://github.com/italia/spid-sp-test/pull/112

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.23...v0.9.24

    Source code(tar.gz)
    Source code(zip)
  • v0.9.23(Oct 29, 2021)

    Release notes

    • fix: HTTP-REDIRECT certificates validation in AuthnRequests (https://github.com/italia/spid-sp-test/commit/de400bde96193198922b2ecc70cf03382906d2ec )
    • chore: authn request unit tests - faulty AssertionConsumerServiceURL (https://github.com/italia/spid-sp-test/commit/93d64b208fdda0c944bcbc6ad27b2242e86a0d15 )
    • feat: metadata unit test entity descriptor

    Full Changelog: https://github.com/italia/spid-sp-test/compare/v0.9.22...v0.9.23

    Source code(tar.gz)
    Source code(zip)
  • v0.9.22(Sep 28, 2021)

  • v0.9.21(Sep 28, 2021)

  • v0.9.20(Sep 24, 2021)

    Release notes

    • chore: improve DEBUG messages for Authn Request signature validation (https://github.com/italia/spid-sp-test/commit/bc818e0ca18303b761a1f4e9aa7b6bd5c48ed0be)
    • fix: auth request signature error message (https://github.com/italia/spid-sp-test/commit/0440e4b546e00cc618211990dfbff12f4aa5a6bb)
    Source code(tar.gz)
    Source code(zip)
  • v0.9.19(Sep 21, 2021)

  • v0.9.18(Sep 21, 2021)

Owner
Developers Italia
Open source code and developers community of the Italian government
Developers Italia
AML Command Transfer. A lightweight tool to transfer any command line to Azure Machine Learning Services

AML Command Transfer (ACT) ACT is a lightweight tool to transfer any command from the local machine to AML or ITP, both of which are Azure Machine Lea

Microsoft 11 Aug 10, 2022
img-proof (IPA) provides a command line utility to test images in the Public Cloud

overview img-proof (IPA) provides a command line utility to test images in the Public Cloud (AWS, Azure, GCE, etc.). With img-proof you can now test c

null 13 Jan 7, 2022
Aurornis - The Command Line Program Test Helper

Aurornis - The Command Line Program Test Helper Aurornis is a small, yet powerful library designed to help testing command line programs. The name is

Jérôme Deuchnord 1 Mar 8, 2022
A cd command that learns - easily navigate directories from the command line

NAME autojump - a faster way to navigate your filesystem DESCRIPTION autojump is a faster way to navigate your filesystem. It works by maintaining a d

William Ting 14.5k Jan 3, 2023
Ros command - Unifying the ROS command line tools

Unifying the ROS command line tools One impairment to ROS 2 adoption is that all

null 37 Dec 15, 2022
Shortcut-Maker - It is a tool that can be set to run any tool with a single command

Shortcut-Maker It is a tool that can be set to run any tool with a single command Coded by Dave Smith(Owner of Sl Cyber Warriors) Command list ?? pkg

Dave Smith 10 Sep 14, 2022
A very simple and lightweight ToDo app using python that can be used from the command line

A very simple and lightweight ToDo app using python that can be used from the command line

Nilesh Sengupta 2 Jul 20, 2022
AthenaCLI is a CLI tool for AWS Athena service that can do auto-completion and syntax highlighting.

Introduction AthenaCLI is a command line interface (CLI) for the Athena service that can do auto-completion and syntax highlighting, and is a proud me

dbcli 192 Jan 7, 2023
Command-line tool for looking up colors and palettes.

Colorpedia Colorpedia is a command-line tool for looking up colors, shades and palettes. Supported color models: HEX, RGB, HSL, HSV, CMYK. Requirement

Joohwan Oh 282 Dec 27, 2022
Simple command line tool for text to image generation using OpenAI's CLIP and Siren (Implicit neural representation network)

Simple command line tool for text to image generation using OpenAI's CLIP and Siren (Implicit neural representation network)

Phil Wang 4.4k Jan 9, 2023
Free and Open-Source Command Line tool for Text Replacement

Sniplet Free and Open Source Text Replacement Tool Description: Sniplet is a work in progress CLI tool which can do text replacement globally in Linux

Veeraraghavan Narasimhan 13 Nov 28, 2022
PwnWiki command line searching tool & bindings written in Python

pwsearch PwnWiki 数据库搜索命令行工具。 安装 您可以直接用 pip 命令从 PyPI 安装 pwsearch: pip3 install -U pwsearch 您也可以 clone 该仓库并直接从源码启动

PwnWiki 20 Jun 21, 2021
Official AIdea command line tool

AIdea CLI Official AIdea command line tool for https://aidea-web.tw. Installation Make sure you have installed both Python 3 and pip package manager.

AIdea 5 Dec 15, 2021
PyArmor is a command line tool used to obfuscate python scripts

PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

Dashingsoft 2k Jan 7, 2023
A command line tool to remove background from video and image

A command line tool to remove background from video and image, brought to you by BackgroundRemover.app which is an app made by nadermx powered by this tool

Johnathan Nader 1.7k Jan 1, 2023
Amazon Scraper: A command-line tool for scraping Amazon product data

Amazon Product Scraper: 2021 Description A command-line tool for scraping Amazon product data to CSV or JSON format(s). Requirements Python 3 pip3 Ins

null 49 Nov 15, 2021
A command line tool (and Python library) for archiving Twitter JSON

A command line tool (and Python library) for archiving Twitter JSON

Documenting the Now 1.3k Dec 28, 2022
command line tool for frequent nmigen tasks (generate sources, show design)

nmigen-tool command line tool for frequent nmigen tasks (generate sources, show design) Usage: generate verilog: nmigen generate verilog nmigen_librar

Hans Baier 8 Nov 27, 2022