
Error verifying the SAMLRequest on the validator - spid-saml-check

Hello everyone.
Let me start by saying that I installed the latest release of spid-saml-check, with which I validated the generated metadata perfectly, covered by an SSL certificate issued by a real CA (not self-signed).
When running the Check Strict, Check Certificates and Check Extra operations on the SAML Request I get the following error in the docker logs:

cd …/specs-compliance-tests && DATA_DIR=./data/https___spid_comunecatanzaro_it SSLLABS_SKIP=1 SP_METADATA=./data/https___spid_comunecatanzaro_it/sp-metadata.xml AUTHN_REQUEST=./data/https___spid_comunecatanzaro_it/authn-request.xml tox -e cleanup,sp-metadata-strict,sp-metadata-certs,sp-authn-request-strict,sp-authn-request-certs
cleanup run-test-pre: PYTHONHASHSEED='1680345370'
cleanup run-test: commands[0] | find ./data/https___spid_comunecatanzaro_it -type f -name '*.json' -delete
cleanup run-test: commands[1] | find ./data/https___spid_comunecatanzaro_it -type f -name '*.pem' -delete
cleanup run-test: commands[2] | find ./data/https___spid_comunecatanzaro_it -type f -name '*.request.txt' -delete
cleanup run-test: commands[3] | find ./data/https___spid_comunecatanzaro_it -type f -name '*.response.txt' -delete
sp-metadata-strict installed: certifi==2020.12.5,cffi==1.14.4,chardet==4.0.0,cryptography==3.4.3,decorator==4.4.2,idna==2.10,lxml==4.6.2,pycparser==2.20,pyOpenSSL==20.0.1,requests==2.25.1,six==1.15.0,urllib3==1.26.3,validators==0.18.2
sp-metadata-strict run-test-pre: PYTHONHASHSEED='1680345370'
sp-metadata-strict run-test: commands[0] | python -m unittest --verbose test/sp/metadata_strict.py
test_AssertionConsumerService (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of AssertionConsumerService element(s) … ok
test_AttributeConsumingService (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of AttributeConsumingService element(s) … ok
test_EntityDescriptor (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of EntityDescriptor element … ok
test_KeyDescriptor (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of KeyDescriptor element(s) … ok
test_Organization (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of Organization element … ok
test_SPSSODescriptor (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of SPSSODescriptor element … ok
test_Signature (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of Signature element … ok
test_SingleLogoutService (test.sp.metadata_strict.TestSPMetadata)
Test the compliance of SingleLogoutService element(s) … ok
test_TLS12Support (test.sp.metadata_strict.TestSPMetadata)
Test the support of TLS 1.2 for Locations URL … skipped 'x'
test_xmldsig (test.sp.metadata_strict.TestSPMetadata)
Verify the SP metadata signature … ok


Ran 10 tests in 0.027s

OK (skipped=1)
sp-metadata-certs installed: certifi==2020.12.5,cffi==1.14.4,chardet==4.0.0,cryptography==3.4.3,decorator==4.4.2,idna==2.10,lxml==4.6.2,pycparser==2.20,pyOpenSSL==20.0.1,requests==2.25.1,six==1.15.0,urllib3==1.26.3,validators==0.18.2
sp-metadata-certs run-test-pre: PYTHONHASHSEED='1680345370'
sp-metadata-certs run-test: commands[0] | python -m unittest --verbose test/sp/metadata_certs.py
test_encryption_certificates (test.sp.metadata_certs.TestSPMetadataCertificates)
Test the compliance of encryption certificate(s) … ok
test_signature_certificates (test.sp.metadata_certs.TestSPMetadataCertificates)
Test the compliance of signature certificate(s) … ok
test_signing_certificates (test.sp.metadata_certs.TestSPMetadataCertificates)
Test the compliance of signing certificate(s) … ok


Ran 3 tests in 0.136s

OK
sp-authn-request-strict installed: certifi==2020.12.5,cffi==1.14.4,chardet==4.0.0,cryptography==3.4.3,decorator==4.4.2,idna==2.10,lxml==4.6.2,pycparser==2.20,pyOpenSSL==20.0.1,requests==2.25.1,six==1.15.0,urllib3==1.26.3,validators==0.18.2
sp-authn-request-strict run-test-pre: PYTHONHASHSEED='1680345370'
sp-authn-request-strict run-test: commands[0] | python ./script/parse-request.py authn ./data/https___spid_comunecatanzaro_it/authn-request.xml ./data/https___spid_comunecatanzaro_it/sp-metadata.xml
sp-authn-request-strict run-test: commands[1] | python -m unittest --verbose test/sp/authn_request_strict.py
test_AuthnRequest (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of AuthnRequest element … FAIL
test_Conditions (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of Conditions element … ok
test_Issuer (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of Issuer element … ok
test_NameIDPolicy (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of NameIDPolicy element … ok
test_RelayState (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of RelayState parameter … ok
test_RequestedAuthnContext (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of RequestedAuthnContext element … ok
test_RequesterID (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of RequesterID element … ok
test_Scoping (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of Scoping element … ok
test_Signature (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of Signature element … ok
test_Subject (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of Subject element … ok
test_xsd_and_xmldsig (test.sp.authn_request_strict.TestAuthnRequest)
Test if the XSD validates and if the signature is valid … ok

======================================================================
FAIL: test_AuthnRequest (test.sp.authn_request_strict.TestAuthnRequest)
Test the compliance of AuthnRequest element

Traceback (most recent call last):
File "/spid-saml-check/specs-compliance-tests/test/sp/authn_request_strict.py", line 112, in tearDown
self.fail(common.helpers.dump_failures(self.failures))
AssertionError:

 _________________________________________
/ Hey, there was an error! Take a look in \
\ the list below...                       /
 -----------------------------------------
        [cowsay ASCII art omitted: garbled in the paste]

[FAIL] The Destination attribute must be a valid HTTPS url - TR pag. 8


Ran 11 tests in 0.227s

FAILED (failures=1)
ERROR: InvocationError for command /spid-saml-check/specs-compliance-tests/.tox/sp-authn-request-strict/bin/python -m unittest --verbose test/sp/authn_request_strict.py (exited with code 1)
sp-authn-request-certs installed: certifi==2020.12.5,cffi==1.14.4,chardet==4.0.0,cryptography==3.4.3,decorator==4.4.2,idna==2.10,lxml==4.6.2,pycparser==2.20,pyOpenSSL==20.0.1,requests==2.25.1,six==1.15.0,urllib3==1.26.3,validators==0.18.2
sp-authn-request-certs run-test-pre: PYTHONHASHSEED='1680345370'
sp-authn-request-certs run-test: commands[0] | python -m unittest --verbose test/sp/authn_request_certs.py
test_signature_certificates (test.sp.authn_request_certs.TestAuthnRequestCertificates)
Test the compliance of signature certificate(s) … ok


Ran 1 test in 0.052s

OK
___________________________________ summary ____________________________________
cleanup: commands succeeded
sp-metadata-strict: commands succeeded
sp-metadata-certs: commands succeeded
ERROR: sp-authn-request-strict: commands failed
sp-authn-request-certs: commands succeeded

DATABASE : QUERY
"SELECT store FROM store WHERE user='validator' AND entity_id='https://spid.comunecatanzaro.it' AND type='main'"

DATABASE : QUERY
"SELECT organization FROM store WHERE user='validator' AND entity_id='https://spid.comunecatanzaro.it' AND type='main'"

DATABASE EXCEPTION (saveStore)
"TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined"

DATABASE EXCEPTION (setMetadataValidation)
"TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined"
(node:19) UnhandledPromiseRejectionWarning: TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined
at Function.from (buffer.js:330:9)
at Function.btoa (/spid-saml-check/spid-validator/server/lib/utils.js:120:23)
at Database.saveStore (/spid-saml-check/spid-validator/server/lib/database.js:98:45)
at Database.setRequestValidation (/spid-saml-check/spid-validator/server/lib/database.js:387:18)
at /spid-saml-check/spid-validator/server/api/request.js:118:34
at runMicrotasks (<anonymous>)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:19) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 15)

Has anyone run into this? Do you know what the problem might be?
Thanks a lot
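The check that fails above is the one on the Destination attribute of the AuthnRequest. As an added example (not code from the original post and not the spid-saml-check implementation), this decodes a captured SAMLRequest parameter and reproduces that check locally, so you can see the exact Destination value the SP is sending; the sample request, its http:// Destination and the function names are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: an AuthnRequest whose Destination is http://, which is
# exactly what the strict check rejects. A real one comes from the captured
# SAMLRequest parameter of the SP.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2021-02-10T10:00:00Z" '
    'Destination="http://idp.example/sso"/>'
)


def decode_saml_request(param):
    """Base64-decode a SAMLRequest; inflate it if it was sent with the
    HTTP-Redirect binding (raw DEFLATE), otherwise treat it as POST-binding XML."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def encode_redirect(xml_text):
    """Inverse of the redirect-binding decode; used here only to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(body).decode("ascii")


def check_destination(xml_text):
    """Return (ok, detail): ok only if Destination is an absolute https:// URL."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return False, "root element is not samlp:AuthnRequest"
    dest = root.get("Destination")
    if not dest:
        return False, "Destination attribute is missing"
    parts = urlsplit(dest)
    if parts.scheme != "https" or not parts.netloc:
        return False, "Destination is not an https URL: " + dest
    return True, dest


if __name__ == "__main__":
    print(check_destination(decode_saml_request(encode_redirect(SAMPLE_XML))))
```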

I, on the other hand, get an error in the last validation of the Check Strict section.
I installed docker on Windows and all the other validations work correctly.

strict : Test if the XSD validates and if the signature is valid

Error:

The AuthnRequest must validate against XSD and must have a valid signature
stderr: ./script/check-request-xsd-and-signature.sh: line 17: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 19: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 22: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 25: $'\r': command not found
stderr: cat: './data/http___pc94'$'\r''/SAMLRequest.authn'$'\r''.request.txt': No such file or directory
stderr: ./script/check-request-xsd-and-signature.sh: line 70: syntax error near unexpected token `elif'
stderr: ./script/check-request-xsd-and-signature.sh: line 70: `elif [ "${CTX}" == "logout" ]; then'

and in the docker log:

FAIL: test_xsd_and_xmldsig (test.sp.authn_request_strict.TestAuthnRequest)
Test if the XSD validates and if the signature is valid
----------------------------------------------------------------------
Traceback (most recent call last):
File "/spid-saml-check/specs-compliance-tests/test/sp/authn_request_strict.py", line 112, in tearDown
self.fail(common.helpers.dump_failures(self.failures))
AssertionError:

 _________________________________________
/ Hey, there was an error! Take a look in \
\ the list below...                       /
 -----------------------------------------
   \
    \
        .--.
       |o_o |
       |:_/ |
      //   \ \
     (|     | )
    /'\_   _/`\
    \___)=(___/

[FAIL] The AuthnRequest must validate against XSD and must have a valid signature
stderr: ./script/check-request-xsd-and-signature.sh: line 17: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 19: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 22: $'\r': command not found
stderr: ./script/check-request-xsd-and-signature.sh: line 25: $'\r': command not found
stderr: cat: './data/http___pc94'$'\r''/SAMLRequest.authn'$'\r''.request.txt': No such file or directory
stderr: ./script/check-request-xsd-and-signature.sh: line 70: syntax error near unexpected token `elif'
stderr: ./script/check-request-xsd-and-signature.sh: line 70: `elif [ "${CTX}" == "logout" ]; then'
----------------------------------------------------------------------
Ran 11 tests in 0.033s

FAILED (failures=2)
ERROR: InvocationError for command /spid-saml-check/specs-compliance-tests/.tox/sp-authn-request-strict/bin/python -m unittest --verbose test/sp/authn_request_strict.py (exited with code 1)
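The `$'\r': command not found` lines and the `syntax error near unexpected token `elif'` are bash's reaction to a script whose lines end in CRLF: the carriage return becomes part of each command, of the `CTX` value, and of the path passed to `cat` (note the `$'\r'` inside the file name). On a Windows checkout this commonly comes from Git's `core.autocrlf` rewriting line endings. As an added example (not from the post and not part of spid-saml-check), this scans a directory for shell scripts with CRLF endings and rewrites them with LF; the script contents and paths are constructed.

```python
import os
import tempfile


def has_crlf(path):
    """True when the file contains at least one CRLF line ending."""
    with open(path, "rb") as f:
        return b"\r\n" in f.read()


def find_crlf_scripts(root, suffix=".sh"):
    """Sorted list of files under root ending in suffix that use CRLF endings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(suffix) and has_crlf(path):
                hits.append(path)
    return sorted(hits)


def to_lf(path):
    """Rewrite path in place with LF endings; returns the number of CRLFs replaced."""
    with open(path, "rb") as f:
        data = f.read()
    count = data.count(b"\r\n")
    if count:
        with open(path, "wb") as f:
            f.write(data.replace(b"\r\n", b"\n"))
    return count


def demo():
    """Constructed reproduction: a script saved with CRLF endings, as Git on
    Windows may produce, detected and then normalised."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "check-request-xsd-and-signature.sh")
    with open(script, "wb") as f:
        f.write(b'#!/bin/bash\r\nCTX="$1"\r\nif [ "${CTX}" == "authn" ]; then\r\n'
                b'  echo authn\r\nelif [ "${CTX}" == "logout" ]; then\r\n'
                b'  echo logout\r\nfi\r\n')
    before = find_crlf_scripts(workdir)
    replaced = to_lf(script)
    after = find_crlf_scripts(workdir)
    return len(before), replaced, len(after)


if __name__ == "__main__":
    print(demo())   # (1, 7, 0)
```

Running the same normalisation over the `script/` directory inside the container (or checking the repository out with `core.autocrlf=false`) removes the `\r` that the errors above complain about.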

Exactly the same problem… and I can't get to the bottom of it. Any suggestions?

Despite the validation problem with the SAMLRequest (and not with the metadata) on the self-validator, the metadata was correct and was successfully validated by AgID, which subsequently submitted it to the various IdPs.
It is probably a problem with the tool, but at the moment I cannot investigate …