Adds multiple validators for eIDAS IdP config

ioparaskev · ioparaskev · commit 2e54657d98eb · 2020-02-11T12:30:02.000+02:00
- Adds inherited validators for eIDAS IdP config. Specifically the
  following rules related to the metadata:
1. entityid MUST be HTTPs URL
2. SingleLogoutElementService SHOULD NOT be declared
3. ArtifactResolutionService SHOULD NOT be declared
4. ManageNameIDService SHOULD NOT be declared
5. KeyDescriptor MUST be declared
6. Organization with minimal info (name/display name/url) SHOULD be
   provided
7. Contact Person of contactType technical with an email address SHOULD
   be provided
8. Contact Person of contactType support with an email address SHOULD
   be provided
9. eIDAS protocol version implemented SHOULD be provided
10. eIDAS application identifier SHOULD be provided and MUST have a
    specific format
11. Node country information MUST be declared and MUST follow the ISO
    3166-1 alpha-2 format
All the above are specified in eIDAS SAML Message Format v.1.2 spec
document.
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -128,7 +128,7 @@
     "name_qualifier",
     "edu_person_targeted_id",
     "node_country",
-    "application_identifier"
+    "application_identifier",
     "protocol_version"
 ]
 
@@ -717,8 +717,28 @@ def __init__(self):
         Config.__init__(self)
 
 
-class eIDASIdPConfig(IdPConfig):
-    pass
+class eIDASIdPConfig(IdPConfig, eIDASConfig):
+    def get_endpoint_element(self, element):
+        return getattr(self, "_idp_endpoints", {}).get(element, None)
+
+    def get_application_identifier(self):
+        return getattr(self, "_idp_application_identifier", None)
+
+    def get_protocol_version(self):
+        return getattr(self, "_idp_protocol_version", None)
+
+    def get_node_country(self):
+        return getattr(self, "_idp_node_country", None)
+
+    @property
+    def warning_validators(self):
+        idp_warning_validators = {}
+        return {**super().warning_validators, **idp_warning_validators}
+
+    @property
+    def error_validators(self):
+        idp_error_validators = {}
+        return {**super().error_validators, **idp_error_validators}
 
 
 def config_factory(_type, config):
diff --git a/tests/eidas/idp_conf.py b/tests/eidas/idp_conf.py
@@ -10,16 +10,13 @@
 BASE = "http://localhost:8088"
 
 CONFIG = {
-    "entityid": "urn:mace:example.com:saml:roland:idp",
+    "entityid": "https://example.org",
     "name": "Rolands IdP",
     "service": {
         "idp": {
             "endpoints": {
                 "single_sign_on_service": [
                     ("%s/sso" % BASE, BINDING_HTTP_REDIRECT)],
-                "single_logout_service": [
-                    ("%s/slo" % BASE, BINDING_SOAP),
-                    ("%s/slop" % BASE, BINDING_HTTP_POST)]
             },
             "policy": {
                 "default": {
@@ -38,7 +35,9 @@
                 }
             },
             "subject_data": full_path("subject_data.db"),
-            "node_country": "GR"
+            "node_country": "GR",
+            "application_identifier": "CEF:eIDAS-ref:2.0",
+            "protocol_version": [1.1, 2.2]
         },
     },
     "debug": 1,
@@ -53,16 +52,25 @@
     }],
     "attribute_map_dir": full_path("attributemaps"),
     "organization": {
-        "name": "Exempel AB",
-        "display_name": [("Exempel AB", "se"), ("Example Co.", "en")],
-        "url": "http://www.example.com/roland",
+        "name": ("AB Exempel", "se"),
+        "display_name": ("AB Exempel", "se"),
+        "url": "http://www.example.org",
     },
     "contact_person": [
         {
-            "given_name": "John",
-            "sur_name": "Smith",
-            "email_address": ["john.smith@example.com"],
-            "contact_type": "technical",
+            "given_name": "Roland",
+            "sur_name": "Hedberg",
+            "telephone_number": "+46 70 100 0000",
+            "email_address": ["tech@eample.com",
+                              "tech@example.org"],
+            "contact_type": "technical"
         },
+        {
+            "given_name": "Roland",
+            "sur_name": "Hedberg",
+            "telephone_number": "+46 70 100 0000",
+            "email_address": ["tech@eample.com",
+                              "tech@example.org"],
+            "contact_type": "support"}
     ],
 }
diff --git a/tests/eidas/test_idp.py b/tests/eidas/test_idp.py
@@ -1,13 +1,242 @@
+import pytest
+import copy
+from saml2 import BINDING_HTTP_POST
 from saml2 import metadata
-from saml2.config import IdPConfig
+from saml2 import samlp
+from saml2.client import Saml2Client
+from saml2.server import Server
+from saml2.config import eIDASSPConfig, eIDASIdPConfig
+from eidas.idp_conf import CONFIG
+from saml2.utility.config import ConfigValidationError
 
 
 class TestIdP:
     def setup_class(self):
-        self.conf = IdPConfig()
+        self.server = Server("idp_conf")
+
+        self.conf = eIDASIdPConfig()
         self.conf.load_file("idp_conf")
 
+        sp_conf = eIDASSPConfig()
+        sp_conf.load_file("sp_conf")
+
+        self.client = Saml2Client(sp_conf)
+
+    def teardown_class(self):
+        self.server.close()
+
+    @pytest.fixture(scope="function")
+    def config(self):
+        return copy.deepcopy(CONFIG)
+
     def test_node_country_in_metadata(self):
         entd = metadata.entity_descriptor(self.conf)
         assert any(filter(lambda x: x.tag == "NodeCountry",
                           entd.extensions.extension_elements))
+
+    def test_application_identifier_in_metadata(self):
+        entd = metadata.entity_descriptor(self.conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        app_identifier = [
+            x for x in entity_attributes.children
+            if getattr(x, "attributes", {}).get("Name") ==
+               "http://eidas.europa.eu/entity-attributes/application-identifier"
+        ]
+        assert len(app_identifier) == 1
+        assert self.conf._idp_application_identifier \
+               == next(x.text for y in app_identifier for x in y.children)
+
+    def test_multiple_protocol_version_in_metadata(self):
+        entd = metadata.entity_descriptor(self.conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        protocol_version = next(
+            x for x in entity_attributes.children
+            if getattr(x, "name", "") ==
+            "http://eidas.europa.eu/entity-attributes/protocol-version"
+        )
+        assert len(protocol_version.attribute_value) == 2
+        assert set(str(x) for x in self.conf._idp_protocol_version) \
+               == set([x.text for x in protocol_version.attribute_value])
+
+    def test_protocol_version_in_metadata(self, config):
+        config["service"]["idp"]["protocol_version"] = 1.2
+
+        conf = eIDASIdPConfig()
+        conf.load(config)
+
+        entd = metadata.entity_descriptor(conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        protocol_version = next(
+            x for x in entity_attributes.children
+            if getattr(x, "name", "") ==
+            "http://eidas.europa.eu/entity-attributes/protocol-version"
+        )
+        assert len(protocol_version.attribute_value) == 1
+        assert {str(conf._idp_protocol_version)} \
+               == set([x.text for x in protocol_version.attribute_value])
+
+
+class TestIdPConfig:
+    @staticmethod
+    def assert_validation_error(config):
+        conf = eIDASIdPConfig()
+        conf.load(config)
+        with pytest.raises(ConfigValidationError):
+            conf.validate()
+
+    @pytest.fixture(scope="function")
+    def technical_contacts(self, config):
+        return [
+            x for x in config["contact_person"]
+            if x["contact_type"] == "technical"
+        ]
+
+    @pytest.fixture(scope="function")
+    def support_contacts(self, config):
+        return [
+            x for x in config["contact_person"]
+            if x["contact_type"] == "support"
+        ]
+
+    @pytest.fixture(scope="function")
+    def raise_error_on_warning(self, monkeypatch):
+        def r(*args, **kwargs):
+            raise ConfigValidationError()
+        monkeypatch.setattr("saml2.config.logger.warning", r)
+
+    @pytest.fixture(scope="function")
+    def config(self):
+        return copy.deepcopy(CONFIG)
+
+    def test_singlelogout_declared(self, config, raise_error_on_warning):
+        config["service"]["idp"]["endpoints"]["single_logout_service"] = \
+            [("https://example.com", BINDING_HTTP_POST)]
+        self.assert_validation_error(config)
+
+    def test_artifact_resolution_declared(self, config, raise_error_on_warning):
+        config["service"]["idp"]["endpoints"]["artifact_resolution_service"] = \
+            [("https://example.com", BINDING_HTTP_POST)]
+        self.assert_validation_error(config)
+
+    def test_manage_nameid_service_declared(self, config, raise_error_on_warning):
+        config["service"]["idp"]["endpoints"]["manage_name_id_service"] = \
+            [("https://example.com", BINDING_HTTP_POST)]
+        self.assert_validation_error(config)
+
+    def test_no_keydescriptor(self, config):
+        del config["cert_file"]
+        self.assert_validation_error(config)
+
+    def test_no_nodecountry(self, config):
+        del config["service"]["idp"]["node_country"]
+        self.assert_validation_error(config)
+
+    def test_nodecountry_wrong_format(self, config):
+        config["service"]["idp"]["node_country"] = "gr"
+        self.assert_validation_error(config)
+
+    def test_no_application_identifier_warning(self, config, raise_error_on_warning):
+        del config["service"]["idp"]["application_identifier"]
+
+        self.assert_validation_error(config)
+
+    def test_empty_application_identifier_warning(self, config, raise_error_on_warning):
+        config["service"]["idp"]["application_identifier"] = ""
+
+        self.assert_validation_error(config)
+
+    def test_application_identifier_wrong_format(self, config):
+        config["service"]["idp"]["application_identifier"] = "TEST:Node.1"
+
+        self.assert_validation_error(config)
+
+    def test_application_identifier_ok_format(self, config, raise_error_on_warning):
+        conf = eIDASIdPConfig()
+        conf.load(config)
+        conf.validate()
+
+    def test_no_protocol_version_warning(self, config, raise_error_on_warning):
+        del config["service"]["idp"]["protocol_version"]
+
+        self.assert_validation_error(config)
+
+    def test_empty_protocol_version_warning(self, config, raise_error_on_warning):
+        config["service"]["idp"]["protocol_version"] = ""
+
+        self.assert_validation_error(config)
+
+    def test_no_organization_info_warning(self, config, raise_error_on_warning):
+        del config["organization"]
+
+        self.assert_validation_error(config)
+
+    def test_empty_organization_info_warning(self, config, raise_error_on_warning):
+        config["organization"] = {}
+
+        self.assert_validation_error(config)
+
+    def test_no_technical_contact_person(self,
+                                         config,
+                                         technical_contacts,
+                                         raise_error_on_warning):
+        for contact in technical_contacts:
+            contact["contact_type"] = "other"
+
+        self.assert_validation_error(config)
+
+    def test_technical_contact_person_no_email(self,
+                                               config,
+                                               technical_contacts,
+                                               raise_error_on_warning):
+
+        for contact in technical_contacts:
+            del contact["email_address"]
+
+        self.assert_validation_error(config)
+
+    def test_technical_contact_person_empty_email(self,
+                                                  config,
+                                                  technical_contacts,
+                                                  raise_error_on_warning):
+
+        for contact in technical_contacts:
+            del contact["email_address"]
+
+        self.assert_validation_error(config)
+
+    def test_no_support_contact_person(self,
+                                       config,
+                                       support_contacts,
+                                       raise_error_on_warning):
+        for contact in support_contacts:
+            contact["contact_type"] = "other"
+
+        self.assert_validation_error(config)
+
+    def test_support_contact_person_no_email(self,
+                                             config,
+                                             support_contacts,
+                                             raise_error_on_warning):
+
+        for contact in support_contacts:
+            del contact["email_address"]
+
+        self.assert_validation_error(config)
+
+    def test_support_contact_person_empty_email(self,
+                                                config,
+                                                support_contacts,
+                                                raise_error_on_warning):
+
+        for contact in support_contacts:
+            del contact["email_address"]
+
+        self.assert_validation_error(config)
+
+    def test_entityid_no_https(self, config):
+        config["entityid"] = "urn:mace:example.com:saml:roland:idp"
+
+        self.assert_validation_error(config)
