SAML2 SPID Service Provider validation tool that can be run from the command line
Project description
spid-sp-test
spid-sp-test is a SAML2 SPID Service Provider validation tool that can be executed from the command line. This tool was born by separating the test library already present in spid-saml-check.
Features
spid-sp-test is:
- extremely faster in execution time than spid-saml-check
- extremely easy to setup
- able to test a SAML2 SPID Metadata file
- able to test a SAML2 SPID AuthnRequest
- able to test ACS behaviour, how a SP reply to a SAML2 Response
- able to dump the response sent to an ACS and the HTML of the SP's response
- able to handle Attributes to send in Responses or test configurations of the Responses via json configuration files
- integrable in CI
- able to export a detailed report in json format, in stdout or in a file.
Setup
apt install libxml2-dev libxmlsec1-dev libxmlsec1-openssl
pip install spid-sp-test --upgrade --no-cache
Overview
spid-sp-test can test a SP metadata file, you just have to give the Metadata URL, if http/http or file, eg: file://path/to/metadata.xml
.
At the same way it can test an Authentication Request.
In a different manner spid-sp-test can send a huge numer of fake SAML Response, for each of them it needs to tigger a real Authentication Request to the target SP.
If you want to test also the Response, you must give the spid-sp-test fake idp metadata file to the target SP. Get fake IdP metadata and copy it to your SP metadatastore folder
spid_sp_test --idp-metadata > /path/to/spid-django/example/spid_config/metadata/spid-sp-test.xml
To get spid-sp-test in a CI you have to:
- configure an example project to your application
- use the spid-sp-test fake idp metadata, configure it in your application and execute the example project, with its development server in background
- launch the spid-sp-test commands
An example of CI is here
Examples
Run spid_sp_test -h
for inline documentation.
usage: spid_sp_test [-h] [--metadata-url METADATA_URL] [--idp-metadata] [-l [LIST [LIST ...]]] [--extra] [--authn-url AUTHN_URL] [-tr] [-tp TEMPLATE_PATH] [-tn [TEST_NAMES [TEST_NAMES ...]]]
[-tj [TEST_JSONS [TEST_JSONS ...]]] [-aj ATTR_JSON] [-report] [-o O] [-d {CRITICAL,ERROR,WARNING,INFO,DEBUG}] [-xp XMLSEC_PATH] [--production] [--html-path HTML_PATH] [--exit-zero]
src/spid_sp_test/spid_sp_test -h for help
optional arguments:
-h, --help show this help message and exit
--metadata-url METADATA_URL
URL where SAML2 Metadata resides: it can be file://path or https://fqdn
--idp-metadata get example IdP metadata
-l [LIST [LIST ...]], --list [LIST [LIST ...]]
esecute only selected checks
--extra execute extra checks
--authn-url AUTHN_URL
URL where the SP initializes the Authentication Request to this IDP,it can also be a file:///
-tr, --test-response execute SAML2 responses
-tp TEMPLATE_PATH, --template-path TEMPLATE_PATH
templates containing SAML2 xml templates for response tests
-tn [TEST_NAMES [TEST_NAMES ...]], --test-names [TEST_NAMES [TEST_NAMES ...]]
response test to be executed, eg: 01 02 03
-tj [TEST_JSONS [TEST_JSONS ...]], --test-jsons [TEST_JSONS [TEST_JSONS ...]]
custom test via json file, eg: tests/example.test-suite.json
-aj ATTR_JSON, --attr-json ATTR_JSON
loads user attributes via json, eg: tests/example.attributes.json
-report json report in stdout
-o O json report to file, -report is required
-d {CRITICAL,ERROR,WARNING,INFO,DEBUG}, --debug {CRITICAL,ERROR,WARNING,INFO,DEBUG}
Debug level, see python logging
-xp XMLSEC_PATH, --xmlsec-path XMLSEC_PATH
xmlsec1 executable path, eg: /usr/bin/xmlsec1
--production, -p execute tests for system in production, eg: https and TLS quality
--html-path HTML_PATH, -hp HTML_PATH
Only works with Response tests activated. Path where the html response pages will be dumped after by the SP
--exit-zero, -ez exit with 0 even if tests fails
examples:
src/spid_sp_test/spid_sp_test --metadata-url file://metadata.xml
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --extra
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata -l test_Organization test_Signature
# export idp metadata
src/spid_sp_test/spid_sp_test --idp-metadata
# test an authentication request made by a SP
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=spid-idp-test
# select which tests to execute
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 --extra -debug ERROR -json -l xsd_check
# execute Response tests
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:54321 --extra -debug ERROR -tr
# select which response test to execute
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:54321 --extra --debug INFO -tr -tn 1 8 9 24 63
# run a test suite configured in a json file
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:54321 --extra --debug INFO -tr -tj tests/example.test-suite.json
# select which user attribute to return in response via json file
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:54321 --extra --debug DEBUG -aj tests/example.attributes.json
# dump SP response as html page
src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:54321 --extra --debug ERROR -tr --html-path dumps
Test metadata passing a file
spid_sp_test --metadata-url file://metadata.xml
Test metadata from a URL
spid_sp_test --metadata-url http://localhost:8000/spid/metadata
A quite standard test
spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra
Print only ERRORs
spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 --extra -debug ERROR
JSON report (add -o filename.json
to write to a file)
spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 --extra -debug CRITICAL -json
Authors
References
TLS/SSL tests
- https://github.com/nabla-c0d3/sslyze
pip install --upgrade sslyze sslyze www.that-sp.org --json_out ssl.log
- https://testssl.sh/
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file spid_sp_test-0.4.6.tar.gz
.
File metadata
- Download URL: spid_sp_test-0.4.6.tar.gz
- Upload date:
- Size: 84.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/51.3.3 requests-toolbelt/0.9.1 tqdm/4.58.0 CPython/3.8.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 83775aff8082314698848354adad2754c308374b3982727fd9b5cd4a7773b49e |
|
MD5 | a427ceeeb7446e1920722588c4a4e37d |
|
BLAKE2b-256 | 3b9faba2083ca13081dc6359763bf4e253632293f9632f49f99222474627c1e2 |