Merge pull request #2 from IdentityPython/master

merge

Author: peppelinux

example/plugins/frontends/saml2_virtualcofrontend.yaml.example

@@ -24,6 +24,15 @@ config:
         - contact_type: technical
           email_address: [email protected]
           given_name MESS Technical Support
+      # SAML attributes and static values about the CO to be asserted for each user.
+      # The key is the SATOSA internal attribute name.
+      co_static_saml_attributes:
+        organization: Medium Engergy Synchrotron Source
+        countryname: US
+        friendlycountryname: United States
+        noreduorgacronym:
+          - MESS
+          - MeSyncS
     - encodeable_name: MTS
       organization:
         display_name: Milwaukee Theological Seminary

src/satosa/backends/saml2.py

@@ -40,6 +40,8 @@ class SAMLBackend(BackendModule, SAMLBaseModule):
     A saml2 backend module (acting as a SP).
     """
     KEY_DISCO_SRV = 'disco_srv'
+    KEY_SAML_DISCOVERY_SERVICE_URL = 'saml_discovery_service_url'
+    KEY_SAML_DISCOVERY_SERVICE_POLICY = 'saml_discovery_service_policy'
     KEY_SP_CONFIG = 'sp_config'
     VALUE_ACR_COMPARISON_DEFAULT = 'exact'
 
@@ -102,9 +104,9 @@ def start_auth(self, context, internal_req):
             entity_id = idps[0]
             return self.authn_request(context, entity_id)
 
-        return self.disco_query()
+        return self.disco_query(context)
 
-    def disco_query(self):
+    def disco_query(self, context):
         """
         Makes a request to the discovery server
 
@@ -116,8 +118,21 @@ def disco_query(self):
         :param internal_req: The request
         :return: Response
         """
-        return_url = self.sp.config.getattr("endpoints", "sp")["discovery_response"][0][0]
-        loc = self.sp.create_discovery_service_request(self.discosrv, self.sp.config.entityid, **{"return": return_url})
+        endpoints = self.sp.config.getattr("endpoints", "sp")
+        return_url = endpoints["discovery_response"][0][0]
+
+        disco_url = (
+            context.get_decoration(self.KEY_SAML_DISCOVERY_SERVICE_URL) or self.discosrv
+        )
+        disco_policy = context.get_decoration(self.KEY_SAML_DISCOVERY_SERVICE_POLICY)
+
+        args = {"return": return_url}
+        if disco_policy:
+            args["policy"] = disco_policy
+
+        loc = self.sp.create_discovery_service_request(
+            disco_url, self.sp.config.entityid, **args
+        )
         return SeeOther(loc)
 
     def construct_requested_authn_context(self, entity_id):

src/satosa/frontends/saml2.py

@@ -697,6 +697,7 @@ class SAMLVirtualCoFrontend(SAMLFrontend):
     """
     KEY_CO = 'collaborative_organizations'
     KEY_CO_NAME = 'co_name'
+    KEY_CO_ATTRIBUTES = 'co_static_saml_attributes'
     KEY_CONTACT_PERSON = 'contact_person'
     KEY_ENCODEABLE_NAME = 'encodeable_name'
     KEY_ORGANIZATION = 'organization'
@@ -726,11 +727,33 @@ def handle_authn_response(self, context, internal_response):
         :return:
         """
 
+        return self._handle_authn_response(context, internal_response)
+
+    def _handle_authn_response(self, context, internal_response):
+        """
+        """
         # Using the context of the current request and saved state from the
-        # authentication request dynamically create an IdP instance and then
-        # use it to handle the authentication response.
+        # authentication request dynamically create an IdP instance.
         idp = self._create_co_virtual_idp(context)
-        return self._handle_authn_response(context, internal_response, idp)
+
+        # Add any static attributes for the CO.
+        co_config = self._get_co_config(context)
+
+        if self.KEY_CO_ATTRIBUTES in co_config:
+            attributes = internal_response.attributes
+            for attribute, value in co_config[self.KEY_CO_ATTRIBUTES].items():
+                # XXX This should be refactored when Python 3.4 support is
+                # XXX no longer required to use isinstance(value, Iterable).
+                try:
+                    if iter(value) and not isinstance(value, str):
+                        attributes[attribute] = value
+                    else:
+                        attributes[attribute] = [value]
+                except TypeError:
+                        attributes[attribute] = [value]
+
+        # Handle the authentication response.
+        return super()._handle_authn_response(context, internal_response, idp)
 
     def _create_state_data(self, context, resp_args, relay_state):
         """
@@ -747,6 +770,22 @@ def _create_state_data(self, context, resp_args, relay_state):
 
         return state
 
+    def _get_co_config(self, context):
+        """
+        Obtain the configuration for the CO.
+
+        :type context: The current context
+        :rtype: dict
+
+        :param context: The current context
+        :return: CO configuration
+
+        """
+        co_name = self._get_co_name(context)
+        for co in self.config[self.KEY_CO]:
+            if co[self.KEY_ENCODEABLE_NAME] == co_name:
+                return co
+
     def _get_co_name_from_path(self, context):
         """
         The CO name is URL encoded and obtained from the request path
@@ -866,21 +905,19 @@ def _overlay_for_saml_metadata(self, config, co_name):
 
         :return: config with updated details for SAML metadata
         """
-        for co in self.config[self.KEY_CO]:
-            if co[self.KEY_ENCODEABLE_NAME] == co_name:
-                break
+        co_config = self._get_co_config(co_name)
 
         key = self.KEY_ORGANIZATION
-        if key in co:
+        if key in co_config:
             if key not in config:
                 config[key] = {}
             for org_key in self.KEY_ORGANIZATION_KEYS:
-                if org_key in co[key]:
-                    config[key][org_key] = co[key][org_key]
+                if org_key in co_config[key]:
+                    config[key][org_key] = co_config[key][org_key]
 
         key = self.KEY_CONTACT_PERSON
-        if key in co:
-            config[key] = co[key]
+        if key in co_config:
+            config[key] = co_config[key]
 
         return config
 

tests/satosa/backends/test_saml2.py

@@ -47,11 +47,13 @@ def assert_redirect_to_idp(self, redirect_response, idp_conf):
         assert redirect_location == idp_conf["service"]["idp"]["endpoints"]["single_sign_on_service"][0][0]
         assert "SAMLRequest" in parse_qs(parsed.query)
 
-    def assert_redirect_to_discovery_server(self, redirect_response, sp_conf):
+    def assert_redirect_to_discovery_server(
+        self, redirect_response, sp_conf, expected_discosrv_url
+    ):
         assert redirect_response.status == "303 See Other"
         parsed = urlparse(redirect_response.message)
         redirect_location = "{parsed.scheme}://{parsed.netloc}{parsed.path}".format(parsed=parsed)
-        assert redirect_location == DISCOSRV_URL
+        assert redirect_location == expected_discosrv_url
 
         request_params = dict(parse_qsl(parsed.query))
         assert request_params["return"] == sp_conf["service"]["sp"]["endpoints"]["discovery_response"][0][0]
@@ -99,7 +101,15 @@ def get_path_from_url(url):
 
     def test_start_auth_defaults_to_redirecting_to_discovery_server(self, context, sp_conf):
         resp = self.samlbackend.start_auth(context, InternalData())
-        self.assert_redirect_to_discovery_server(resp, sp_conf)
+        self.assert_redirect_to_discovery_server(resp, sp_conf, DISCOSRV_URL)
+
+    def test_discovery_server_set_in_context(self, context, sp_conf):
+        discosrv_url = 'https://my.org/saml_discovery_service'
+        context.decorate(
+            SAMLBackend.KEY_SAML_DISCOVERY_SERVICE_URL, discosrv_url
+        )
+        resp = self.samlbackend.start_auth(context, InternalData())
+        self.assert_redirect_to_discovery_server(resp, sp_conf, discosrv_url)
 
     def test_full_flow(self, context, idp_conf, sp_conf):
         test_state_key = "test_state_key_456afgrh"
@@ -110,7 +120,7 @@ def test_full_flow(self, context, idp_conf, sp_conf):
 
         # start auth flow (redirecting to discovery server)
         resp = self.samlbackend.start_auth(context, InternalData())
-        self.assert_redirect_to_discovery_server(resp, sp_conf)
+        self.assert_redirect_to_discovery_server(resp, sp_conf, DISCOSRV_URL)
 
         # fake response from discovery server
         disco_resp = parse_qs(urlparse(resp.message).query)
@@ -166,7 +176,7 @@ def test_always_redirect_to_discovery_service_if_using_mdq(self, context, sp_con
         samlbackend = SAMLBackend(None, INTERNAL_ATTRIBUTES, {"sp_config": sp_conf, "disco_srv": DISCOSRV_URL,},
                                   "base_url", "saml_backend")
         resp = samlbackend.start_auth(context, InternalData())
-        self.assert_redirect_to_discovery_server(resp, sp_conf)
+        self.assert_redirect_to_discovery_server(resp, sp_conf, DISCOSRV_URL)
 
     def test_authn_request(self, context, idp_conf):
         resp = self.samlbackend.authn_request(context, idp_conf["entityid"])