Remove the metadata_construction param

Additionally, the saml2.assertion.Policy object can be initialized with
a metadata store and thus the .restrict and .filter methods do not need
such a param. This will remain as it was, until some time has passed and
confidence is built that peolpe are using a recent enough version of
pysaml2, before dropping the param from the .restrict method. Up to that
point, warnings will be output, but functionality is preserved.

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/satosa/backends/saml2.py

@@ -104,9 +104,7 @@ def __init__(self, outgoing, internal_attributes, config, base_url, name):
         super().__init__(outgoing, internal_attributes, base_url, name)
         self.config = self.init_config(config)
 
-        sp_config = SPConfig().load(copy.deepcopy(
-            config[SAMLBackend.KEY_SP_CONFIG]), False
-        )
+        sp_config = SPConfig().load(copy.deepcopy(config[SAMLBackend.KEY_SP_CONFIG]))
         self.sp = Base(sp_config)
 
         self.discosrv = config.get(SAMLBackend.KEY_DISCO_SRV)

src/satosa/frontends/saml2.py

@@ -116,7 +116,7 @@ def register_endpoints(self, backend_names):
         self.idp_config = self._build_idp_config_endpoints(
             self.config[self.KEY_IDP_CONFIG], backend_names)
         # Create the idp
-        idp_config = IdPConfig().load(copy.deepcopy(self.idp_config), metadata_construction=False)
+        idp_config = IdPConfig().load(copy.deepcopy(self.idp_config))
         self.idp = Server(config=idp_config)
         return self._register_endpoints(backend_names)
 
@@ -290,9 +290,14 @@ def _filter_attributes(self, idp, internal_response, context,):
         idp_policy = idp.config.getattr("policy", "idp")
         attributes = {}
         if idp_policy:
-            approved_attributes = self._get_approved_attributes(idp, idp_policy, internal_response.requester,
-                                                                context.state)
-            attributes = {k: v for k, v in internal_response.attributes.items() if k in approved_attributes}
+            approved_attributes = self._get_approved_attributes(
+                idp, idp_policy, internal_response.requester, context.state
+            )
+            attributes = {
+                k: v
+                for k, v in internal_response.attributes.items()
+                if k in approved_attributes
+            }
 
         return attributes
 
@@ -637,7 +642,7 @@ def _load_idp_dynamic_endpoints(self, context):
         """
         target_entity_id = context.target_entity_id_from_path()
         idp_conf_file = self._load_endpoints_to_config(context.target_backend, target_entity_id)
-        idp_config = IdPConfig().load(idp_conf_file, metadata_construction=False)
+        idp_config = IdPConfig().load(idp_conf_file)
         return Server(config=idp_config)
 
     def _load_idp_dynamic_entity_id(self, state):
@@ -653,7 +658,7 @@ def _load_idp_dynamic_entity_id(self, state):
         # Change the idp entity id dynamically
         idp_config_file = copy.deepcopy(self.idp_config)
         idp_config_file["entityid"] = "{}/{}".format(self.idp_config["entityid"], state[self.name]["target_entity_id"])
-        idp_config = IdPConfig().load(idp_config_file, metadata_construction=False)
+        idp_config = IdPConfig().load(idp_config_file)
         return Server(config=idp_config)
 
     def handle_authn_request(self, context, binding_in):
@@ -1033,8 +1038,7 @@ def _create_co_virtual_idp(self, context):
 
         # Use the overwritten IdP config to generate a pysaml2 config object
         # and from it a server object.
-        pysaml2_idp_config = IdPConfig().load(idp_config,
-                                              metadata_construction=False)
+        pysaml2_idp_config = IdPConfig().load(idp_config)
 
         server = Server(config=pysaml2_idp_config)
 

src/satosa/metadata_creation/saml_metadata.py

@@ -17,7 +17,7 @@
 
 
 def _create_entity_descriptor(entity_config):
-    cnf = Config().load(copy.deepcopy(entity_config), metadata_construction=True)
+    cnf = Config().load(copy.deepcopy(entity_config))
     return entity_descriptor(cnf)
 
 

tests/flows/test_oidc-saml.py

@@ -78,7 +78,7 @@ def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_
         # config test IdP
         backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
         idp_conf["metadata"]["inline"].append(backend_metadata_str)
-        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
 
         # create auth resp
         req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))

tests/flows/test_saml-oidc.py

@@ -32,7 +32,7 @@ def run_test(self, satosa_config_dict, sp_conf, oidc_backend_config, frontend_co
         # config test SP
         frontend_metadata_str = str(frontend_metadata[frontend_config["name"]][0])
         sp_conf["metadata"]["inline"].append(frontend_metadata_str)
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
 
         # create auth req
         destination, req_args = fakesp.make_auth_req(frontend_metadata[frontend_config["name"]][0].entity_id)

tests/flows/test_saml-saml.py

@@ -28,7 +28,7 @@ def run_test(self, satosa_config_dict, sp_conf, idp_conf, saml_backend_config, f
         # config test SP
         frontend_metadata_str = str(frontend_metadata[frontend_config["name"]][0])
         sp_conf["metadata"]["inline"].append(frontend_metadata_str)
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
 
         # create auth req
         destination, req_args = fakesp.make_auth_req(frontend_metadata[frontend_config["name"]][0].entity_id)
@@ -41,7 +41,7 @@ def run_test(self, satosa_config_dict, sp_conf, idp_conf, saml_backend_config, f
         # config test IdP
         backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
         idp_conf["metadata"]["inline"].append(backend_metadata_str)
-        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
 
         # create auth resp
         req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))

tests/satosa/backends/test_saml2.py

@@ -118,7 +118,7 @@ def test_discovery_server_set_in_context(self, context, sp_conf):
     def test_full_flow(self, context, idp_conf, sp_conf):
         test_state_key = "test_state_key_456afgrh"
         response_binding = BINDING_HTTP_REDIRECT
-        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
 
         context.state[test_state_key] = "my_state"
 
@@ -181,8 +181,8 @@ def test_authn_request(self, context, idp_conf):
 
     def test_authn_response(self, context, idp_conf, sp_conf):
         response_binding = BINDING_HTTP_REDIRECT
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
-        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
         destination, request_params = fakesp.make_auth_req(idp_conf["entityid"])
         url, auth_resp = fakeidp.handle_auth_req(request_params["SAMLRequest"], request_params["RelayState"],
                                                  BINDING_HTTP_REDIRECT,
@@ -202,10 +202,10 @@ def test_authn_response(self, context, idp_conf, sp_conf):
     def test_authn_response_no_name_id(self, context, idp_conf, sp_conf):
         response_binding = BINDING_HTTP_REDIRECT
 
-        fakesp_conf = SPConfig().load(sp_conf, metadata_construction=False)
+        fakesp_conf = SPConfig().load(sp_conf)
         fakesp = FakeSP(fakesp_conf)
 
-        fakeidp_conf = IdPConfig().load(idp_conf, metadata_construction=False)
+        fakeidp_conf = IdPConfig().load(idp_conf)
         fakeidp = FakeIdP(USERS, config=fakeidp_conf)
 
         destination, request_params = fakesp.make_auth_req(

tests/satosa/frontends/test_saml2.py

@@ -75,7 +75,7 @@ def setup_for_authn_req(self, context, idp_conf, sp_conf, nameid_format=None, re
         idp_metadata_str = create_metadata_from_config_dict(samlfrontend.idp_config)
         sp_conf["metadata"]["inline"].append(idp_metadata_str)
 
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
         destination, auth_req = fakesp.make_auth_req(
             samlfrontend.idp_config["entityid"],
             nameid_format,
@@ -94,7 +94,7 @@ def setup_for_authn_req(self, context, idp_conf, sp_conf, nameid_format=None, re
         return samlfrontend
 
     def get_auth_response(self, samlfrontend, context, internal_response, sp_conf, idp_metadata_str):
-        sp_config = SPConfig().load(sp_conf, metadata_construction=False)
+        sp_config = SPConfig().load(sp_conf)
         resp_args = {
             "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
             "in_response_to": None,
@@ -150,7 +150,7 @@ def test_handle_authn_request(self, context, idp_conf, sp_conf, internal_respons
         resp = samlfrontend.handle_authn_response(context, internal_response)
         resp_dict = parse_qs(urlparse(resp.message).query)
 
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
         resp = fakesp.parse_authn_request_response(resp_dict["SAMLResponse"][0],
                                                    BINDING_HTTP_REDIRECT)
         for key in resp.ava:
@@ -189,7 +189,7 @@ def test_handle_authn_response_without_relay_state(self, context, idp_conf, sp_c
         resp = samlfrontend.handle_authn_response(context, internal_response)
         resp_dict = parse_qs(urlparse(resp.message).query)
 
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
         resp = fakesp.parse_authn_request_response(resp_dict["SAMLResponse"][0],
                                                    BINDING_HTTP_REDIRECT)
 
@@ -213,7 +213,7 @@ def test_handle_authn_response_without_name_id(
         resp = samlfrontend.handle_authn_response(context, internal_response)
         resp_dict = parse_qs(urlparse(resp.message).query)
 
-        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        fakesp = FakeSP(SPConfig().load(sp_conf))
         resp = fakesp.parse_authn_request_response(
                            resp_dict["SAMLResponse"][0], BINDING_HTTP_REDIRECT)
 
@@ -548,7 +548,7 @@ def test_co_static_attributes(self, frontend, context, internal_response,
         # SP configuration fixture with the metadata.
         idp_metadata_str = create_metadata_from_config_dict(idp_conf)
         sp_conf["metadata"]["inline"].append(idp_metadata_str)
-        sp_config = SPConfig().load(sp_conf, metadata_construction=False)
+        sp_config = SPConfig().load(sp_conf)
 
         # Use the updated sp_config fixture to generate a fake SP and then
         # use the fake SP to generate an authentication request aimed at the

tests/satosa/metadata_creation/test_saml_metadata.py

@@ -236,7 +236,7 @@ def test_create_mirrored_metadata_does_not_contain_target_contact_info(self, sat
 class TestCreateSignedEntitiesDescriptor:
     @pytest.fixture
     def entity_desc(self, sp_conf):
-        return entity_descriptor(SPConfig().load(sp_conf, metadata_construction=True))
+        return entity_descriptor(SPConfig().load(sp_conf))
 
     @pytest.fixture
     def verification_security_context(self, cert_and_key):
@@ -274,7 +274,7 @@ def test_valid_for(self, entity_desc, signature_security_context):
 class TestCreateSignedEntityDescriptor:
     @pytest.fixture
     def entity_desc(self, sp_conf):
-        return entity_descriptor(SPConfig().load(sp_conf, metadata_construction=True))
+        return entity_descriptor(SPConfig().load(sp_conf))
 
     @pytest.fixture
     def verification_security_context(self, cert_and_key):

tests/util.py

@@ -231,7 +231,7 @@ def handle_auth_req_no_name_id(self, saml_request, relay_state, binding,
 
 def create_metadata_from_config_dict(config):
     nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
-    conf = Config().load(config, metadata_construction=True)
+    conf = Config().load(config)
     return entity_descriptor(conf).to_string(nspair).decode("utf-8")