italia / spid-sp-test

SAML2 SPID/CIE Service Provider validation tool

License: European Union Public License 1.2

Python 83.50% Shell 0.06% HTML 16.21% Dockerfile 0.19% Makefile 0.04%
python saml2 spid cie hacktoberfest

spid-sp-test

spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line. This tool was born by splitting out the test library already present in spid-saml-check.

Features

spid-sp-test can:

  • test a SAML2 SPID/CIE Metadata file or http url
  • test a SAML2 SPID/CIE AuthnRequest file or http url
  • test a SAML2 eIDAS FICEP SP Metadata file or http url
  • test many kinds of SPID SP, see Profiles
  • test ACS behaviour, how a SP replies to a SAML2 Response
  • dump the responses sent to an ACS and the HTML of the SP response
  • handle Attributes to send in Responses or test configurations of the Responses via json configuration files
  • configure response template with Jinja2
  • get new test-suite via multiple json files
  • fully integrable in CI
  • export a detailed report in json format, in stdout or in a file

Generally it is:

  • much faster in execution time than spid-saml-check
  • extremely easy to set up

Demo recordings (animated screenshots in the original README):

  • Check metadata: command line with metadata checking
  • Authentication requests, JSON output: command line with more flags demoed
  • Full test set with metadata, authn request and responses: command line with test responses

Profiles

Each profile loads a set of tests. Use --profile $profile-name with one of the following profile names:

  • saml2-sp: Pure SAML2 SP with some best practices
  • spid-sp-public: Public Spid SP
  • spid-sp-private: Private Spid SP
  • spid-sp-ag-public-full: Public Spid SP Aggregatore Full
  • spid-sp-ag-public-lite: Public Spid SP Aggregatore Lite
  • spid-sp-ag-private-full: Private Spid SP Aggregatore Full
  • spid-sp-ag-private-lite: Private Spid SP Aggregatore Lite
  • spid-sp-op-public-full: Public Spid SP Gestore Full
  • spid-sp-op-public-lite: Public Spid SP Gestore Lite
  • cie-sp-public: Public CIE SP
  • cie-sp-private: Private CIE SP
  • ficep-eidas-sp: eIDAS FICEP SP

Warning: the support for Aggregatore and Gestore doesn't cover the X.509 certificates. spid-sp-test uses spid-compliant-certificates-python for the validation of the certificates.

Setup

Prerequisite

  • LibXML2
  • xmlsec with openssl engine support
  • python3
  • pip for automated installation with Python packages manager

Setup in Debian like distro with virtual env

# install prerequisite
apt install libxml2-dev libxmlsec1-dev libxmlsec1-openssl xmlsec1 python3-pip python3-virtualenv
# initialize virtual env
virtualenv -p python3 env
source env/bin/activate

# install spid-sp-test 
pip install spid-sp-test --upgrade --no-cache

Overview

spid-sp-test can test a SP metadata file: you just have to give the Metadata URL, either http/https or file, e.g. file://path/to/metadata.xml. In the same way it can test an Authentication Request.

Response testing works differently: spid-sp-test sends a large number of fake SAML Responses, and for each of them it needs to trigger a real Authentication Request to the target SP.

If you also want to test the Responses, you must register the spid-sp-test fake IdP metadata xml file in the target SP. Get the fake IdP metadata (--idp-metadata) and copy it to your SP metadata store folder.

spid_sp_test --idp-metadata > /path/to/spid-django/example/spid_config/metadata/spid-sp-test.xml

To run spid-sp-test in a CI you have to:

  • configure an example project in your application
  • register the spid-sp-test fake idp metadata in your SP and execute the example project, with its development server in background
  • launch the spid-sp-test commands

An example of CI is here

Examples

Run spid_sp_test -h for inline documentation.

usage: spid_sp_test [-h] [--metadata-url METADATA_URL] [--idp-metadata] [-l [LIST [LIST ...]]] [--extra] [--authn-url AUTHN_URL] [-tr] [-nsr] [-tp TEMPLATE_PATH] [-tn [TEST_NAMES [TEST_NAMES ...]]]
                    [-tj [TEST_JSONS [TEST_JSONS ...]]] [-aj ATTR_JSON] [-o REPORT_OUTPUT_FILE] [-rf {json,html}] [-d {CRITICAL,ERROR,WARNING,INFO,DEBUG}] [-xp XMLSEC_PATH] [--production]
                    [--response-html-dumps RESPONSE_HTML_DUMPS] [--exit-zero]
                    [-pr {saml2-sp,spid-sp-public,spid-sp-private,spid-sp-ag-public-full,spid-sp-ag-public-lite,spid-sp-op-public-full,spid-sp-op-public-lite,cie-sp-public,cie-sp-private,ficep-eidas-sp}]
                    [-ap AUTHN_PLUGIN] [-rm REQUEST_METHOD] [-rb REQUEST_BODY] [-rct REQUEST_CONTENT_TYPE] [-prs] [-pas] [--xsds-files-path XSDS_FILES_PATH] [-v]


src/spid_sp_test/spid_sp_test -h for help

Test metadata passing a file

spid_sp_test --metadata-url file://metadata.xml

Test metadata from a URL

spid_sp_test --metadata-url http://localhost:8000/spid/metadata

A quite standard test

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8088 --extra

Print only ERRORs

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra --debug ERROR

JSON report, add -o filename.json to write to a file, -rf html -o html_report/ to export to a HTML page

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080 --extra -rf json

Given a metadata file and an authn file (see tests/metadata and tests/authn for examples), export all the test responses without sending them to the SP:

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr

Get the response (test 1) that would be sent to a SP with a custom set of attributes, without sending it for real. It will just print it to stdout:

spid_sp_test --metadata-url file://tests/metadata/spid-django-other.xml --authn-url file://tests/authn/spid_django_post.html --extra --debug ERROR -tr -nsr -tn 1 -aj tests/example.attributes.json

Common usages

Test a Shibboleth SP with a SAMLDS (DiscoveryService). In this example target points to the target service and entityID is the selected IdP. This example also works with a Shibboleth IdP-SP proxy/gateway.

spid_sp_test --metadata-url https://sp.testunical.it/pymetadata_signed.xml --authn-url "https://sp.testunical.it/Shibboleth.sso/Login?target=https://sp.testunical.it/secure/index.php&entityID=https://localhost:8080" --debug ERROR --extra -tr

Test Satosa-Saml2Spid using its authn plugin and a SP that supports idp hinting

spid_sp_test --metadata-url https://localhost:10000/spidSaml2/metadata --authn-url "http://localhost:8000/saml2/login/?idp=https://localhost:10000/Saml2IDP/metadata&next=/saml2/echo_attributes&idphint=https%253A%252F%252Flocalhost%253A8080" -ap spid_sp_test.plugins.authn_request.SatosaSaml2Spid --extra -tr

Test Responses and html dumps

By enabling the response dump with the --response-html-dumps HTML_PATH option, you will get N html files (one per test, each a page of your SP) laid out as follows:

  • test description, commented
  • SAML Response sent, commented
  • SP html page, with absolute src and href (god bless lxml)

Here is an example of 1_True.html, where 1 is the test name and True is the status.

Extending the tests

spid-sp-test offers the possibility to extend and configure new response tests to be performed. The user can:

  • customize the test suite to run by configuring a json file similar to tests/example.test-suite.json and passing this as an argument with the --test-jsons option. More than one json file can be given by separating them with spaces

  • customize the attributes to be returned by configuring these in a json file similar to example/example.attributes.json and passing this with the --attr-json option

  • customize the xml templates to be used in tests, indicating them in each test entry of the configuration file passed via --test-jsons and also the templates directory with the option --template-path. The templates are Jinja2 powered, so it's possible to extend src/spid_sp_test/responses/templates/base.xml with your preferred values

  • customize the way to get the SAML2 Authn Request, using plugins written by yourself. If you're using an IAM Proxy with some OAuth2/OIDC frontends or a custom API, you can write your plugin and use it in the cli arguments, eg: spid_sp_test --metadata-url https://localhost:8000/spid/metadata --extra --authn-url https://localhost:8000/spid/login/?idp=https://localhost:8080 --debug INFO -tr --authn-plugin spid_sp_test.plugins.authn_request.Dummy

  • customize entityid and certificates path at runtime, using ENV variables. The files MUST be named private.key and public.cert:

    IDP_ENTITYID=https://your.idp.eid/ IDP_CERT_PATH=../spid-django/example/certificates spid_sp_test --idp-metadata
    

Looking at src/spid_sp_test/responses/settings.py or tests/example.test-suite.json you will see that every test has a response attribute. Each element configured in it overrides the value that will be rendered in the template. Each template can load these variables from its template context, or use the ones statically defined in it.

In short: batteries included, plus options to taste.

Docker

Before starting you have to obtain the italia/spid-sp-test image. You can pull it from Docker Hub

$ docker pull ghcr.io/italia/spid-sp-test:latest

or build locally

$ docker build --tag italia/spid-sp-test:latest .

The container working directory is set to /spid, therefore local files should be mounted relative to the /spid path.

$ docker run -ti --rm \
    -v "$(pwd)/tests/metadata:/spid/mymetadata:ro" \
    -v "$(pwd)/tests/metadata:/spid/dumps:rw" \
    italia/spid-sp-test:v1.1.5 --metadata-url file://mymetadata/spid-django-other.xml

Unit tests

That's for developers.

pip install -r requirements-dev.txt
pytest -v --cov=spid_sp_test --cov-report term tests/

If you need a docker, you can do:

  1. create the developer image

     docker build -f Dockerfile-devenv --no-cache . --tag italia/spid-sp-test-devenv

  2. run the coverage tests on the development image

     docker run italia/spid-sp-test-devenv

  3. if you need to use the image as a developer machine or inspect the environment, you can get a shell in it with

     docker run -it --entrypoint /bin/bash italia/spid-sp-test-devenv

  4. the final step is live coding between your host machine and the development docker instance, using volumes

     docker run -it -v $(pwd):/tmp/src --entrypoint /bin/bash italia/spid-sp-test-devenv

Authors

References

TLS/SSL tests

spid-sp-test's Issues

Profiles management

spid-sp-test should handle different profiles where every profile contains some tests.
Same unique test can be used into more different profiles.
Profiles could be defined into configuration files as for Response Test Suite.
A single profile can be executed as follow, for example:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --profile spid-sp-metadata-public

Check for IPA code in ContactPerson for aggregated

As for Avviso SPID n.19 v4,
the element ContactPerson where contactType is "other" and entityType is "aggregated" must contain the element IPACode, if the element contains the attribute Public or PublicOperator. The element IPACode, if present, can not be empty and must be a valid code on IPA

check Destination value on AuthnRequest

The Destination attribute SHOULD be the address to which the request has been sent but can also be the EntityID of the IdP (Av. SPID n.11).
[SPID-QAD-Request-Extra]

Version output

I've installed spid_sp_test command but I'm not sure about its version.
There's no --version command line switch and -h does not output any version string.
I think it would be a useful addition.

(yes, I know I can ask pip meanwhile)

Follow redirects while testing AuthnRequests

Hi, I was fiddling with Keycloak to see if I could use spid-sp-test to test the SPID Keycloak provider, and it seems like Keycloak emits some redirects before sending an AuthnRequest with HTTP status code 303 See Other (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303).

This is the commandline I am using (please ignore OIDC attributes for now):

luca@luca-VirtualBox:~$ spid_sp_test 
  --metadata-url https://login.domain.com:8443/auth/realms/spid/spid-sp-metadata 
  --authn-url "https://login.domain.com:8443/auth/realms/spid/protocol/openid-connect/auth?scope=openid+email+profile+phone+address&state=3bd6JHYXE2br8A0xFNl3DbBJS5xRIqpeRuRRH-6NSRE.11FO_fAw98M.account-console&response_type=code&client_id=keycloak_public&redirect_uri=https%3A%2F%2Flogin.domain.com%3A8443%2Fauth%2Frealms%2Fpublic%2Fbroker%2Fspid%2Fendpoint&ui_locales=en&nonce=CfaxQp3-axms2xe9aoU6xA&kc_idp_hint=spid-sp-test" --extra -tr

The process starts and successfully tests the metadata document. Right after that, it fails with the following message:

Traceback (most recent call last):
  File "/home/luca/.local/bin/spid_sp_test", line 291, in <module>
    authn_check = SpidSpAuthnReqCheck(**data_ac)
  File "/home/luca/.local/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 204, in __init__
    self.authn_request = get_authn_request(
  File "/home/luca/.local/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 155, in get_authn_request
    raise Exception(

Exception: Authn Request page returns a HTML error code: 303

Would it be possible and correct to let it automatically follow redirects?

Error in running spid-sp-test as Docker container on Windows 10

I was trying to set up a test environment on my host as a Docker container. I started by cloning the repo locally. Then, I built the image typing docker build -t italia/spid-sp-test:0.5.6 ., as reported in the doc, and the image was successfully built. Then, I tried to run the image in a local container, but this is the output:

$> docker run -it --name idptest-agid-local italia/spid-sp-test:0.5.6 
/usr/bin/env: 'python3\r': No such file or directory

I am working on a Windows 10 host. It seems like something goes wrong when interpreting the CRLF or the EoL chars in general.

NORMATIVE statements in messages

example:

one Organization element can be preset should be one Organization element MUST be present

Every message MUST adopt normative language

Separate tests for production systems

SSL tests (to be implemented), metadata tests and authn request tests MUST separate the https checks into an additional profile called "prod".
This will prevent a dev CI from having to use https urls.

Possibility to test SAML2 and OIDC Proxy

an additional option, like --proxy saml2|oidc|oauth2, would load a specialized authnrequest loader for each kind of proxy type.
This will follow the requests, whether they are saml2 redirect or post or an oidc/oauth2 auth code flow.

This is an approach that would be experimental; each proxy tested as working would be referenced in a dedicated section in the README.

the proxies that would drive the first tests are:

SATOSA-Saml2SPID
AgID Login (oidc auth code flow)

Method, content type and body not used to retrieve AuthnRequest when executing Response tests

Follow-up to #62.

When I test my SP using POST requests to obtain the AuthnRequest, although the AuthRequest checks are executing successfully, adding -tr to perform the response tests causes spid_sp_test to fail with:

Traceback (most recent call last):
  File "/home/mauro/workspace/python-env/spid_sp_test/bin/spid_sp_test", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "/home/mauro/git/spid-sp-test/src/spid_sp_test/spid_sp_test", line 317, in <module>
    selective_run(response_check, profile, args.list)
  File "/home/mauro/git/spid-sp-test/src/spid_sp_test/spid_sp_test", line 31, in selective_run
    method()
  File "/home/mauro/git/spid-sp-test/src/spid_sp_test/../spid_sp_test/response.py", line 320, in test_profile_spid_sp
    self.do_authnrequest()
  File "/home/mauro/git/spid-sp-test/src/spid_sp_test/../spid_sp_test/response.py", line 156, in do_authnrequest
    self.authn_request_data = get_authn_request(
  File "/home/mauro/git/spid-sp-test/src/spid_sp_test/../spid_sp_test/authn_request.py", line 155, in get_authn_request
    raise Exception(
Exception: Authn Request page returns a HTML error code: 405

Example invocation:

spid_sp_test --metadata-url http://mysp.com:8110/path/to/metadata.xml --authn-url http://mysp.com:8110/path/to/login -rm POST -rct data -rb '{"authId": "test", "serviceProviderId": "mysp", "myacs": "cdd", "identityProviderEntityId": "https://localhost:8080"}' --extra -report -o spid -rf html -tr

The Destination attribute must be a valid HTTPS url

Good evening. I am running the validation tests with the spid-saml-check tool and I have reached the Request->CheckStrict section.
The Destination field of my request is "http://localhost:8080" and this generates the error "The Destination attribute must be a valid HTTPS url". Is the problem that the url contains an HTTP request and not HTTPS (so I also need to allow HTTPS requests to localhost), or is the error elsewhere?
If so, could you tell me at which point of the spid-saml-check installation the Destination attribute gets assigned, or how to change it?
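The two Destination rules discussed on this page (the earlier issue "check Destination value on AuthnRequest": Destination SHOULD be the endpoint the request was sent to or the IdP entityID; this issue: the attribute must be a valid HTTPS url) can be checked on a parsed AuthnRequest with nothing but the standard library. The block below is an added example, not spid-sp-test's own code: the IdP entityID and SSO endpoint are constructed placeholders, and the `production` switch is this example's own assumption about how a "dev" profile might treat a plain-http Destination on localhost (the spid-sp-test CLI does have a --production flag, but its exact semantics are not described on this page).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed IdP values (placeholders, not a real deployment).
IDP_ENTITY_ID = "https://idp.example.org"
IDP_SSO_URL = "https://idp.example.org/sso"


def build_authn_request(destination):
    """Build a minimal constructed AuthnRequest with the given Destination."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
        f'IssueInstant="2021-01-01T00:00:00Z" Destination="{destination}"/>'
    )


AUTHN_OK_SSO = build_authn_request(IDP_SSO_URL)            # Destination = endpoint the request is sent to
AUTHN_OK_ENTITYID = build_authn_request(IDP_ENTITY_ID)     # Destination = IdP entityID (Av. SPID n.11)
AUTHN_LOCALHOST = build_authn_request("http://localhost:8080")  # the case reported in this issue


def check_destination(authn_request_xml, idp_entity_id, idp_sso_url, production=True):
    """Return a list of (level, message) findings about the Destination attribute.

    An empty list means the request passes. `production` is an assumption of this
    example: when False (a dev profile), a plain-http Destination pointing at
    localhost is downgraded from ERROR to WARNING instead of being rejected.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [("ERROR", "root element is not samlp:AuthnRequest")]
    dest = root.get("Destination")
    if not dest:
        return [("ERROR", "Destination attribute MUST be present")]

    findings = []
    parsed = urlparse(dest)
    is_https_url = parsed.scheme == "https" and bool(parsed.netloc)
    if not is_https_url:
        dev_localhost = (not production and parsed.scheme == "http"
                         and parsed.hostname in ("localhost", "127.0.0.1"))
        level = "WARNING" if dev_localhost else "ERROR"
        findings.append((level, f"Destination {dest!r} MUST be a valid HTTPS url"))
    # SHOULD-level rule: Destination is either the SSO endpoint or the IdP entityID.
    if dest not in (idp_sso_url, idp_entity_id):
        findings.append(("WARNING", f"Destination {dest!r} SHOULD be the SSO endpoint the "
                                    f"request was sent to or the IdP entityID"))
    return findings


if __name__ == "__main__":
    for name, xml in (("sso", AUTHN_OK_SSO), ("entityid", AUTHN_OK_ENTITYID),
                      ("localhost", AUTHN_LOCALHOST)):
        print(name, check_destination(xml, IDP_ENTITY_ID, IDP_SSO_URL))
```

Keeping the HTTPS requirement as a MUST in the production profile and relaxing it only for loopback hosts in a dev profile is what lets a local CI (like the one in the README, where the fake IdP runs on localhost:8080) pass without weakening the check for a deployed SP.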

Company for ContactPerson billing

See the example:

<md:ContactPerson contactType="billing">
     <md:Extensions xmlns:fpa="https://spid.gov.it/invoicing-extensions">
          <fpa:CessionarioCommittente>
               ...
          </fpa:CessionarioCommittente>
     </md:Extensions>
     <md:Company>Destinatario_Fatturazione</md:Company>
     <md:EmailAddress>[email protected]</md:EmailAddress>
     <md:TelephoneNumber>telefono_fatture</md:TelephoneNumber>
</md:ContactPerson>

Improve install instructions for python newbies

I'm not a python expert. I tried to install spid_sp_test on a Kubuntu 20.04.
First problem: pip install spid_sp_tests fails with:

ERROR: pyopenssl 20.0.1 has requirement cryptography>=3.2, but you'll have cryptography 2.8 which is incompatible

Uninstalling the apt package for python3-requests (in order to reinstall it later with pip) is a no go: critical OS base packages depend on python3-requests.

So, the way to go is using venv (thanks Giuseppe for the tip).

apt install python3-venv
# let myWorkingDir be a folder where you can place python virtual environments
cd myWorkingDir
mkdir spid_sp_test
python3 -m venv spid_sp_test
source spid_sp_test/bin/activate
# important: wheel is needed to install spid_sp_test
pip install wheel
pip install spid_sp_test
# use spid_sp_test as needed...
# ... when you've done, exit the virtual environment with:
deactivate

Then, whenever you need to use spid_sp_test:

cd myWorkingDir
source spid_sp_test/bin/activate
# use spid_sp_test as needed...
# ... when you've done, exit the virtual environment with:
deactivate

Probably obvious steps for a python dev, not for me :-)

SeleniumHQ addon

Actually we're using python requests to push the SAML2 response to the SP ACS service.
This means that js won't be executed and also that the dumps of the SP HTML response will be stored as raw html.

Even more, the authn request url would be handled as a single-shot http request to a pure SAML2 SP; in the case in which the SP is behind an IAM proxy this feature won't work and, even more, the response mechanism would also be faulty.

For these cases an integration with a test IDP (spid-testenv2 or spid-saml-check) is needed and these should have to adopt spid-sp-test.

Anyway, the way to handle these cases of IAM proxy or other strange behaviour is the adoption of a real web browser, like the selenium hq webdriver does.

This should be only an option, as an add-on, because it would be impossible to handle that in a CI; it's only for human interaction

Add support for POST AuthnRequest initialisation requests

Right now, with:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080

I'm telling spid_sp_test to make a GET request to http://localhost:8000/spid/login/?idp=https://localhost:8080 in order to simulate the user browser and get the AuthnRequest aimed to be forwarded to the IdP.

In my environment this request should be made in POST instead. After all, the https://github.com/italia/spid-sp-access-button is offered in two different flavours, GET and POST. So I'm requesting whether this scenario could also be supported in spid-sp-test.

The most straightforward solution that comes into my mind: add two parameters like these:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login 
             --authn-method=POST --authn-body="idp=https%3A%2F%2Flocalhost%3A8080&foo=bar"

That is: add a command line parameter to specify the request type (POST/GET... possibly even PUT?) and another parameter to specify the request body as a string (in this case I'm using a application/x-www-form-urlencoded body, but I could write a JSON string or whatever...).
As a plus, perhaps having also a --authn-body-file=path/to/some/file that reads the body contents from a file instead of from the CLI would be nice to have.

Separate SAML2 compliance test from SPID compliance tests

I think this project can be useful for purposes not strictly related to SPID. Probably the possibility of dividing pure SAML2 tests from SPID ones could materialize and it should be managed with separate classes.

I think it is convenient to be able to specify which test classes to use, so as to make the SPID class as a child that inherits the SAML2 one, and consider this as a command line option.

adopt spid-saml-check metadata

it would be better to have the same metadata for spid-sp-test and spid-saml-check, so that a SP wouldn't have to deploy two metadata files but could simply rely on a single, unified metadata for both platforms

NameID format check

spid-saml-check and consequently spid-sp-test validate the nameid format within the metadata, example

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

spid-saml-check updates

these issues must be checked also in spid-sp-test

  • italia/spid-saml-check#32
  • sign_Response and sign_assertion must be response parameters in settings.RESPONSE_TESTS
  • entityID must be customizable via a spid_sp_test parameter

Responses dumps

Each response must produce a folder with the HTML dump and the SAML2 Response.
This is needed for human checking.

We need a configurable response dumps path, where a folder is created with all the output of the tests

the metadata signature MUST be valid

At work we are trying to learn how to use SPID so that we can integrate it into a website.
I use an Asus PC that originally had Windows, on which I installed Ubuntu 20.04.2 LTS.

I generated the metadata using spid-php https://github.com/italia/spid-php

I validated it using spid-sp-test and ran into some problems with the signature validation.

I used spid-sp-test by installing it with pip, following the instructions in the README.
I could not pass the test on the validity of the signature on the metadata.

Asking for help on the developer-italia Slack community (thanks for the help), I was promptly helped and told that the xml file I was testing was valid but that on my machine the validation was failing, probably because of the installed xmlsec version.

As suggested, I tried spid-sp-test again, but using the docker image, and in this case I was able to verify the validity of the metadata including the signature.

Two hypotheses were put forward:

  • it fails on windows because of the xmlsec version
  • it fails on ubuntu > 18 because of one of xmlsec's dependencies

Check EntityID

The EntityID declared in the metadata must be a URL, preferably https, and must match the domain given in the --metadata-url parameter, when that is specified as http or https.

If it is not https or does not match the domain on which the metadata is published, the test must produce a warning (not an error)

Ref. italia/spid-saml-check#114

Docker image

TODO

a Docker image and an example command to build and run the tests, using a volume path to collect html dumps and json report

Error during installation

Following the instruction and launching the command:

sudo pip install spid-sp-test --upgrade --no-cache

I get the following error:

Collecting spid-sp-test
  Downloading https://files.pythonhosted.org/packages/f2/92/4947c4b88ab7aa5fc1974082d7a5b9c2a7b5488ab2706146083aba443456/spid_sp_test-0.5.0.tar.gz (55kB)
    100% |████████████████████████████████| 61kB 4.1MB/s 
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-TqWLIA/spid-sp-test/setup.py", line 25
        packages=[f"{_pkg_name}"],
                               ^
    SyntaxError: invalid syntax
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-TqWLIA/spid-sp-test/

Tested on elementary OS 5.1.7 Hera (based on Ubuntu 18.04 LTS)

eIDAS node compatibility

If the AuthnContextClassRef of the AuthnRequest is SpidL2 or SpidL3, and the related SP metadata is for a public organization (spid:Public/), the SP metadata should be checked for the presence of the eIDAS-specific AttributeConsumingServices (index 99 and 100)

Invalid check on private service provider

Referring to https://www.agid.gov.it/sites/default/files/repository_files/spid-avviso-n29v3-specifiche_sp_pubblici_e_privati.pdf
there are two checks for --profile spid-sp-private that are not correct.

on page 6 of the linked pdf there is the same structure reported on https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/metadata.html#esempio-contatti-metadata-sp-per-fatturazione, which has EmailAddress and TelephoneNumber outside the Extensions node:

<md:ContactPerson contactType="other">
    <md:Extensions>
        <spid:VATNumber>IT12345678901</spid:VATNumber>
        <spid:FiscalCode>XYZABCAAMGGJ000W</spid:FiscalCode>
        <spid:Private/>
    </md:Extensions>
    <md:EmailAddress>[email protected]</md:EmailAddress>
    <md:TelephoneNumber>+390123456789</md:TelephoneNumber>
</md:ContactPerson>
<md:ContactPerson contactType="billing">
    <md:Extensions
           xmlns:fpa="https://spid.gov.it/invoicing-extensions">
        <fpa:CessionarioCommittente>
            <fpa:DatiAnagrafici>
                <fpa:IdFiscaleIVA>
                    <fpa:IdPaese>IT</fpa:IdPaese>
                    <fpa:IdCodice>02468135791</fpa:IdCodice>
                </fpa:IdFiscaleIVA>
                <fpa:Anagrafica>
                    <fpa:Denominazione>
                        Destinatario_Fatturazione
                    </fpa:Denominazione>
                </fpa:Anagrafica>
            </fpa:DatiAnagrafici>
            <fpa:Sede>
                <fpa:Indirizzo>via [...]</fpa:Indirizzo>
                <fpa:NumeroCivico>99</fpa:NumeroCivico>
                <fpa:CAP>12345</fpa:CAP>
                <fpa:Comune>nome_citta</fpa:Comune>
                <fpa:Provincia>XY</fpa:Provincia>
                <fpa:Nazione>IT</fpa:Nazione>
            </fpa:Sede>
        </fpa:CessionarioCommittente>
    </md:Extensions>
    <md:Company>Destinatario_Fatturazione</md:Company>
    <md:EmailAddress>[email protected]</md:EmailAddress>
    <md:TelephoneNumber>telefono_fatture</md:TelephoneNumber>
</md:ContactPerson>

Inside spid-sp-test/src/spid_sp_test/metadata_private.py there is the check that validates the EmailAddress as a child of Extensions, as reported in my test run:

INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_extentions_public
ERROR:spid_sp_test.metadata:The //ContactPerson/Extensions/CessionarioCommittente/EmailAddress element MUST be present

This is not correct, as reported in the documentation.

for the private service provider there is:

INFO:spid_sp_test.metadata:SpidSpMetadataCheckExtra.test_Contacts_PubPriv
ERROR:spid_sp_test.metadata:Only one Extensions element inside ContactPerson element MUST be present

but probably, having two ContactPerson nodes (other and billing), this test counts the Extensions twice, and this is not correct.
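Several issues on this page describe metadata rules that a SP validator has to get right: "NameID format check" (the NameIDFormat value), "Check EntityID" (URL, preferably https, host matching --metadata-url, warning not error), "eIDAS node compatibility" (AttributeConsumingService index 99 and 100) and this issue (Extensions counted per ContactPerson, EmailAddress as a sibling of Extensions rather than a child of it). The block below is an added example of how those checks look when written against a parsed metadata document with the standard library; it is not spid-sp-test's own code. The sample metadata, its entityID, VAT number and e-mail addresses are constructed placeholders; the SPID requirement that NameIDFormat be exactly the transient format is taken from the SPID technical rules and is not stated on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "spid": "https://spid.gov.it/saml-extensions",
}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EIDAS_ACS_INDEXES = ("99", "100")

# Constructed SP metadata (placeholder values), laid out like the Avviso n.29
# example quoted in the issue: EmailAddress/TelephoneNumber are siblings of
# Extensions, not children of it.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:spid="{NS['spid']}"
    entityID="https://sp.example.org/spid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{NAMEID_TRANSIENT}</md:NameIDFormat>
    <md:AttributeConsumingService index="0"/>
    <md:AttributeConsumingService index="99"/>
    <md:AttributeConsumingService index="100"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="other">
    <md:Extensions>
      <spid:VATNumber>IT12345678901</spid:VATNumber>
      <spid:FiscalCode>XYZABCAAMGGJ000W</spid:FiscalCode>
      <spid:Private/>
    </md:Extensions>
    <md:EmailAddress>spid@sp.example.org</md:EmailAddress>
    <md:TelephoneNumber>+390123456789</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="billing">
    <md:Extensions xmlns:fpa="https://spid.gov.it/invoicing-extensions">
      <fpa:CessionarioCommittente/>
    </md:Extensions>
    <md:Company>Destinatario_Fatturazione</md:Company>
    <md:EmailAddress>billing@sp.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# The same document with the defects the issues describe, produced by string edits:
# unspecified NameIDFormat, http entityID, missing eIDAS index 100, and the
# "other" contact's EmailAddress moved inside Extensions.
BAD_METADATA = (
    SAMPLE_METADATA
    .replace(NAMEID_TRANSIENT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    .replace('entityID="https://sp.example.org', 'entityID="http://sp.example.org')
    .replace('<md:AttributeConsumingService index="100"/>', "")
    .replace("</md:Extensions>\n    <md:EmailAddress>spid@sp.example.org</md:EmailAddress>",
             "<md:EmailAddress>spid@sp.example.org</md:EmailAddress>\n    </md:Extensions>")
)


def check_entity_id(root, metadata_url):
    """entityID MUST be a URL; https and a host matching --metadata-url are warnings."""
    entity_id = root.get("entityID", "")
    eid = urlparse(entity_id)
    if eid.scheme not in ("http", "https") or not eid.netloc:
        return [("ERROR", f"entityID {entity_id!r} MUST be a URL")]
    findings = []
    if eid.scheme != "https":
        findings.append(("WARNING", f"entityID {entity_id!r} SHOULD use https"))
    md = urlparse(metadata_url)  # only compared when the metadata came over http(s)
    if md.scheme in ("http", "https") and md.hostname != eid.hostname:
        findings.append(("WARNING", f"entityID host {eid.hostname!r} does not match "
                                    f"metadata host {md.hostname!r}"))
    return findings


def check_nameid_format(root):
    """SPID requires exactly one NameIDFormat, with the transient value."""
    formats = [e.text for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]
    if formats != [NAMEID_TRANSIENT]:
        return [("ERROR", f"NameIDFormat MUST be exactly {NAMEID_TRANSIENT}, found {formats}")]
    return []


def check_eidas_acs(root):
    """eIDAS-specific AttributeConsumingService entries (index 99 and 100)."""
    present = {acs.get("index") for acs in
               root.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)}
    missing = [i for i in EIDAS_ACS_INDEXES if i not in present]
    return [("WARNING", f"eIDAS AttributeConsumingService index {missing} missing")] if missing else []


def check_contact_persons(root):
    """Per-ContactPerson checks: one Extensions each, EmailAddress beside it, not inside."""
    findings = []
    for cp in root.findall("md:ContactPerson", NS):
        ctype = cp.get("contactType")
        extensions = cp.findall("md:Extensions", NS)  # counted for THIS ContactPerson only
        if len(extensions) != 1:
            findings.append(("ERROR", f"ContactPerson[{ctype}]: exactly one Extensions MUST "
                                      f"be present, found {len(extensions)}"))
        if cp.find("md:EmailAddress", NS) is None:  # direct child of ContactPerson
            findings.append(("ERROR", f"ContactPerson[{ctype}]: EmailAddress MUST be a direct child"))
        if any(ext.find("md:EmailAddress", NS) is not None for ext in extensions):
            findings.append(("ERROR", f"ContactPerson[{ctype}]: EmailAddress MUST NOT be inside Extensions"))
    return findings


def run_checks(metadata_xml, metadata_url):
    """Run every check and return the combined (level, message) findings."""
    root = ET.fromstring(metadata_xml)
    return (check_entity_id(root, metadata_url) + check_nameid_format(root)
            + check_eidas_acs(root) + check_contact_persons(root))
```

The ContactPerson check iterates over each md:ContactPerson and counts its own Extensions children, which is the fix this issue asks for: a document with an "other" and a "billing" contact has two Extensions elements in total but exactly one per contact, and only the per-contact count is meaningful.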

HTML report

Actually the report has a json format; there would be the need to have HTML as well
