Merge pull request #191 from c00kiemon5ter/refactor-target-entity-id

Decouple SAMLBackend from SAMLMirrorFrontend

Author: c00kiemon5ter

src/satosa/backends/saml2.py

@@ -5,7 +5,7 @@
 import functools
 import json
 import logging
-from base64 import urlsafe_b64encode, urlsafe_b64decode
+from base64 import urlsafe_b64encode
 from urllib.parse import urlparse
 
 from saml2.client_base import Base
@@ -88,18 +88,18 @@ def start_auth(self, context, internal_req):
         :rtype: satosa.response.Response
         """
 
+        target_entity_id = context.get_decoration(Context.KEY_TARGET_ENTITYID)
+        if target_entity_id:
+            entity_id = target_entity_id
+            return self.authn_request(context, entity_id)
+
         # if there is only one IdP in the metadata, bypass the discovery service
         idps = self.sp.metadata.identity_providers()
         if len(idps) == 1 and "mdq" not in self.config["sp_config"]["metadata"]:
-            return self.authn_request(context, idps[0])
-
-        entity_id = context.get_decoration(
-                Context.KEY_MIRROR_TARGET_ENTITYID)
-        if None is entity_id:
-            return self.disco_query()
+            entity_id = idps[0]
+            return self.authn_request(context, entity_id)
 
-        entity_id = urlsafe_b64decode(entity_id).decode("utf-8")
-        return self.authn_request(context, entity_id)
+        return self.disco_query()
 
     def disco_query(self):
         """

src/satosa/context.py

@@ -16,7 +16,7 @@ class Context(object):
     Holds information about the current request.
     """
     KEY_BACKEND_METADATA_STORE = 'metadata_store'
-    KEY_MIRROR_TARGET_ENTITYID = 'mirror_target_entity_id'
+    KEY_TARGET_ENTITYID = 'target_entity_id'
 
     def __init__(self):
         self._path = None
@@ -63,6 +63,10 @@ def path(self, p):
             raise ValueError("path can't start with '/'")
         self._path = p
 
+    def target_entity_id_from_path(self):
+        target_entity_id = self.path.split("/")[1]
+        return target_entity_id
+
     def decorate(self, key, value):
         """
         Add information to the context

src/satosa/frontends/saml2.py

@@ -5,6 +5,7 @@
 import functools
 import json
 import logging
+from base64 import urlsafe_b64decode
 from urllib.parse import urlparse
 
 from saml2 import SAMLError, xmldsig
@@ -199,27 +200,27 @@ def _handle_authn_request(self, context, binding_in, idp):
             satosa_logging(logger, logging.ERROR, "Could not find necessary info about entity: %s" % e, context.state)
             return ServiceError("Incorrect request from requester: %s" % e)
 
+        requester = resp_args["sp_entity_id"]
         context.state[self.name] = self._create_state_data(context, idp.response_args(authn_req),
                                                            context.request.get("RelayState"))
 
         if authn_req.name_id_policy and authn_req.name_id_policy.format:
             name_format = saml_name_id_format_to_hash_type(authn_req.name_id_policy.format)
         else:
             # default to name id format from metadata, or just transient name id
-            name_format_from_metadata = idp.metadata[resp_args["sp_entity_id"]]["spsso_descriptor"][0].get(
-                "name_id_format")
+            name_format_from_metadata = idp.metadata[requester]["spsso_descriptor"][0].get("name_id_format")
             if name_format_from_metadata:
                 name_format = saml_name_id_format_to_hash_type(name_format_from_metadata[0]["text"])
             else:
                 name_format = UserIdHashType.transient
 
-        requester_name = self._get_sp_display_name(idp, resp_args["sp_entity_id"])
-        internal_req = InternalRequest(name_format, resp_args["sp_entity_id"], requester_name)
+        requester_name = self._get_sp_display_name(idp, requester)
+        internal_req = InternalRequest(name_format, requester, requester_name)
 
         idp_policy = idp.config.getattr("policy", "idp")
         if idp_policy:
-            approved_attributes = self._get_approved_attributes(idp, idp_policy, internal_req.requester, context.state)
-            internal_req.approved_attributes = approved_attributes
+            internal_req.approved_attributes = self._get_approved_attributes(
+                    idp, idp_policy, requester, context.state)
 
         return self.auth_req_callback_func(context, internal_req)
 
@@ -504,8 +505,7 @@ def _load_idp_dynamic_endpoints(self, context):
         :param context:
         :return: An idp server
         """
-        target_entity_id = context.path.split("/")[1]
-        context.decorate(Context.KEY_MIRROR_TARGET_ENTITYID, target_entity_id)
+        target_entity_id = context.target_entity_id_from_path()
         idp_conf_file = self._load_endpoints_to_config(context.target_backend, target_entity_id)
         idp_config = IdPConfig().load(idp_conf_file, metadata_construction=False)
         return Server(config=idp_config)
@@ -535,6 +535,10 @@ def handle_authn_request(self, context, binding_in):
         :type binding_in: str
         :rtype: satosa.response.Response
         """
+        target_entity_id = context.target_entity_id_from_path()
+        target_entity_id = urlsafe_b64decode(target_entity_id).decode()
+        context.decorate(Context.KEY_TARGET_ENTITYID, target_entity_id)
+
         idp = self._load_idp_dynamic_endpoints(context)
         return self._handle_authn_request(context, binding_in, idp)
 
@@ -549,7 +553,7 @@ def _create_state_data(self, context, resp_args, relay_state):
         :rtype: dict[str, dict[str, str] | str]
         """
         state = super()._create_state_data(context, resp_args, relay_state)
-        state["target_entity_id"] = context.path.split("/")[1]
+        state["target_entity_id"] = context.target_entity_id_from_path()
         return state
 
     def handle_backend_error(self, exception):

src/satosa/micro_services/custom_routing.py

@@ -39,7 +39,9 @@ class DecideIfRequesterIsAllowed(RequestMicroService):
     """
     Decide whether a requester is allowed to send an authentication request to the target entity.
 
-    This micro service currently only works with `SAMLMirrorFrontend`.
+    This micro service currently only works when a target entityid is set.
+    Currently, a target entityid is set only when the `SAMLMirrorFrontend` is
+    used.
     """
     def __init__(self, config, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -58,11 +60,12 @@ def _b64_url(self, data):
         return urlsafe_b64encode(data.encode("utf-8")).decode("utf-8")
 
     def process(self, context, data):
-        target_entity_id = context.get_decoration(
-                Context.KEY_MIRROR_TARGET_ENTITYID)
+        target_entity_id = context.get_decoration(Context.KEY_TARGET_ENTITYID)
         if None is target_entity_id:
-            logger.error("DecideIfRequesterIsAllowed can only be used with SAMLMirrorFrontend")
-            raise SATOSAError("DecideIfRequesterIsAllowed can only be used with SAMLMirrorFrontend")
+            msg_tpl = "{name} can only be used when a target entityid is set"
+            msg = msg_tpl.format(name=self.__class__.__name__)
+            logger.error(msg)
+            raise SATOSAError(msg)
 
         target_specific_rules = self.rules.get(target_entity_id)
         # default to allowing everything if there are no specific rules

tests/satosa/backends/test_saml2.py

@@ -144,9 +144,7 @@ def test_full_flow(self, context, idp_conf, sp_conf):
     def test_start_auth_redirects_directly_to_mirrored_idp(
             self, context, idp_conf):
         entityid = idp_conf["entityid"]
-        entityid_bytes = entityid.encode("utf-8")
-        entityid_b64_str = urlsafe_b64encode(entityid_bytes).decode("utf-8")
-        context.decorate(Context.KEY_MIRROR_TARGET_ENTITYID, entityid_b64_str)
+        context.decorate(Context.KEY_TARGET_ENTITYID, entityid)
 
         resp = self.samlbackend.start_auth(context, InternalRequest(None, None))
         self.assert_redirect_to_idp(resp, idp_conf)

tests/satosa/micro_services/test_custom_routing.py

@@ -14,7 +14,7 @@
 def target_context(context):
     entityid_bytes = TARGET_ENTITY.encode("utf-8")
     entityid_b64_str = urlsafe_b64encode(entityid_bytes).decode("utf-8")
-    context.decorate(Context.KEY_MIRROR_TARGET_ENTITYID, entityid_b64_str)
+    context.decorate(Context.KEY_TARGET_ENTITYID, entityid_b64_str)
     return context