Add initial eIDAS support

Author: ivan

src/satosa/backends/saml2.py

@@ -16,6 +16,7 @@
 
 import satosa.util as util
 from satosa.base import SAMLBaseModule
+from satosa.base import SAMLEIDASBaseModule
 from .base import BackendModule
 from ..exception import SATOSAAuthenticationError
 from ..internal_data import (InternalResponse,
@@ -386,6 +387,36 @@ def get_metadata_desc(self):
             entity_descriptions.append(description)
         return entity_descriptions
 
+
+class SAMLEIDASBackend(SAMLBackend, SAMLEIDASBaseModule):
+    """
+    A saml2 eidas backend module (acting as a SP).
+    """
+    VALUE_ACR_CLASS_REF_DEFAULT = 'http://eidas.europa.eu/LoA/high'
+    VALUE_ACR_COMPARISON_DEFAULT = 'minimum'
+
+    def init_config(self, config):
+        config = super().init_config(config)
+
+        spec_eidas_sp = {
+            'acr_mapping': {
+                "": {
+                    'class_ref': self.VALUE_ACR_CLASS_REF_DEFAULT,
+                    'comparison': self.VALUE_ACR_COMPARISON_DEFAULT,
+                },
+            },
+            'sp_config.service.sp.authn_requests_signed': True,
+            'sp_config.service.sp.want_response_signed': True,
+            'sp_config.service.sp.allow_unsolicited': False,
+            'sp_config.service.sp.force_authn': True,
+            'sp_config.service.sp.hide_assertion_consumer_service': True,
+            'sp_config.service.sp.sp_type': ['private', 'public'],
+            'sp_config.service.sp.sp_type_in_metadata': [True, False],
+        }
+
+        return util.check_set_dict_defaults(config, spec_eidas_sp)
+
+
 class SAMLInternalResponse(InternalResponse):
     """
     Like the parent InternalResponse, holds internal representation of
@@ -413,4 +444,3 @@ def to_dict(self):
             _dict['name_id'] = None
 
         return _dict
-

src/satosa/base.py

@@ -3,9 +3,13 @@
 """
 import json
 import logging
-from uuid import uuid4
+import uuid
 
+from saml2.s_utils import UnknownSystemEntity
+
+from satosa import util
 from satosa.micro_services import consent
+
 from .context import Context
 from .exception import SATOSAConfigurationError
 from .exception import SATOSAError, SATOSAAuthenticationError, SATOSAUnknownError
@@ -17,7 +21,6 @@
 from .plugin_loader import load_request_microservices, load_response_microservices
 from .routing import ModuleRouter, SATOSANoBoundEndpointError
 from .state import cookie_to_state, SATOSAStateError, State, state_to_cookie
-from saml2.s_utils import UnknownSystemEntity
 
 
 logger = logging.getLogger(__name__)
@@ -212,7 +215,7 @@ def _run_bound_endpoint(self, context, spec):
         try:
             return spec(context)
         except SATOSAAuthenticationError as error:
-            error.error_id = uuid4().urn
+            error.error_id = uuid.uuid4().urn
             msg = "ERROR_ID [{err_id}]\nSTATE:\n{state}".format(err_id=error.error_id,
                                                                 state=json.dumps(
                                                                     error.state.state_dict,
@@ -298,3 +301,16 @@ def init_config(self, config):
     def expose_entityid_endpoint(self):
         value = self.config.get(self.KEY_ENTITYID_ENDPOINT, False)
         return bool(value)
+
+
+class SAMLEIDASBaseModule(SAMLBaseModule):
+    VALUE_ATTRIBUTE_PROFILE_DEFAULT = 'eidas'
+
+    def init_config(self, config):
+        config = super().init_config(config)
+
+        spec_eidas = {
+            'entityid_endpoint': True,
+        }
+
+        return util.check_set_dict_defaults(config, spec_eidas)

src/satosa/util.py

@@ -5,8 +5,49 @@
 import random
 import string
 
+from satosa.logging_util import satosa_logging
+
+
 logger = logging.getLogger(__name__)
 
+
+def check_set_dict_defaults(dic, spec):
+    for path, value in spec.items():
+        keys = path.split('.')
+        try:
+            _val = dict_get_nested(dic, keys)
+        except KeyError:
+            if type(value) is list:
+                value_default = value[0]
+            else:
+                value_default = value
+            dict_set_nested(dic, keys, value_default)
+        else:
+            if type(value) is list:
+                is_value_valid = _val in value
+            elif type(value) is dict:
+                # do not validate dict
+                is_value_valid = bool(_val)
+            else:
+                is_value_valid = _val == value
+            if not is_value_valid:
+                satosa_logging(
+                    logger, logging.WARNING,
+                    "Incompatible configuration value '{}' for '{}'."
+                    " Value shoud be: {}".format(_val, path, value),
+                    {})
+    return dic
+
+def dict_set_nested(dic, keys, value):
+    for key in keys[:-1]:
+        dic = dic.setdefault(key, {})
+    dic[keys[-1]] = value
+
+def dict_get_nested(dic, keys):
+    for key in keys[:-1]:
+        dic = dic.setdefault(key, {})
+    return dic[keys[-1]]
+
 def get_dict_defaults(d, *keys):
     for key in keys:
        d = d.get(key, d.get("", d.get("default", {})))