Generalize per-SP override for LDAP attribute authority

Generalize the per-SP override for the LDAP attribute authority
microservice so that the override can be per-SP, per-IdP, or per-
CO virtual IdP. This enhancement does not allow for nested overrides,
which may be included in future work.

Author: skoranda

example/plugins/microservices/ldap_attribute_store.yaml.example

@@ -2,10 +2,11 @@ module: LdapAttributeStore
 name: LdapAttributeStore
 config:
 
-  # The microservice may be configured per SP.
-  # The configuration key is the entityID of the SP.
-  # The empty key ("") specifies the default configuration
-  "":
+  # The microservice may be configured per entityID.
+  # The configuration key is the entityID of the requesting SP,
+  # the authenticating IdP, or the entityID of the CO virtual IdP.
+  # The key "default" specifies the default configuration
+  default:
       ldap_url: ldaps://ldap.example.org
       bind_dn: cn=admin,dc=example,dc=org
       # Obtain bind password from environment variable LDAP_BIND_PASSWORD.
@@ -96,9 +97,13 @@ config:
       # from LDAP. The default is not to redirect.
       on_ldap_search_result_empty: https://my.vo.org/please/go/enroll
 
-  # The microservice may be configured per SP.
-  # The configuration key is the entityID of the SP.
-  # Αny missing parameters are looked up from the default configuration.
+  # The microservice may be configured per entityID.
+  # The configuration key is the entityID of the requesting SP,
+  # the authenticating IdP, or the entityID of the CO virtual IdP.
+  # When more than one configured entityID matches during a flow
+  # the priority ordering is requesting SP, then authenticating IdP, then
+  # CO virtual IdP. Αny missing parameters are taken from the
+  # default configuration.
   https://sp.myserver.edu/shibboleth-sp:
     search_base: ou=People,o=MyVO,dc=example,dc=org
     search_return_attributes:
@@ -109,6 +114,9 @@ config:
     user_id_from_attrs:
       - uid
 
-  # The microservice may be configured to ignore a particular SP.
+  https://federation-proxy.my.edu/satosa/idp/proxy/some_co
+    search_base: ou=People,o=some_co,dc=example,dc=org
+
+  # The microservice may be configured to ignore a particular entityID.
   https://another.sp.myserver.edu:
     ignore: true

src/satosa/micro_services/ldap_attribute_store.py

@@ -18,6 +18,8 @@
 from satosa.exception import SATOSAError
 from satosa.micro_services.base import ResponseMicroService
 from satosa.response import Redirect
+from satosa.frontends.saml2 import SAMLVirtualCoFrontend
+from satosa.routing import STATE_KEY as ROUTING_STATE_KEY
 
 
 logger = logging.getLogger(__name__)
@@ -399,23 +401,35 @@ def process(self, context, data):
         Default interface for microservices. Process the input data for
         the input context.
         """
-        session_id = lu.get_session_id(context.state)
+        state = context.state
+        session_id = lu.get_session_id(state)
 
-        issuer = data.auth_info.issuer
         requester = data.requester
-        config = self.config.get(requester) or self.config["default"]
+        issuer = data.auth_info.issuer
+
+        frontend_name = state.get(ROUTING_STATE_KEY)
+        co_entity_id_key = SAMLVirtualCoFrontend.KEY_CO_ENTITY_ID
+        co_entity_id = state.get(frontend_name, {}).get(co_entity_id_key)
+
+        entity_ids = [requester, issuer, co_entity_id, "default"]
+
+        config, entity_id = next((self.config.get(e), e)
+                                 for e in entity_ids if self.config.get(e))
+
         msg = {
             "message": "entityID for the involved entities",
             "requester": requester,
             "issuer": issuer,
             "config": self._filter_config(config),
         }
+        if co_entity_id:
+            msg["co_entity_id"] = co_entity_id
         logline = lu.LOG_FMT.format(id=session_id, message=msg)
         logger.debug(logline)
 
-        # Ignore this SP entirely if so configured.
+        # Ignore this entityID entirely if so configured.
         if config["ignore"]:
-            msg = "Ignoring SP {}".format(requester)
+            msg = "Ignoring entityID {}".format(entity_id)
             logline = lu.LOG_FMT.format(id=session_id, message=msg)
             logger.info(logline)
             return super().process(context, data)