Ignore SP if so configured

skoranda · c00kiemon5ter · commit f1075c16b8c9 · 2018-11-29T00:19:15.000+02:00
Add functionality to allow configuration to ignore a particular
SP so that no resolution of attributes from LDAP is attempted
for that SP.

Signed-off-by: Ivan Kanakarakis &lt;ivan.kanak@gmail.com&gt;
diff --git a/example/plugins/microservices/ldap_attribute_store.yaml.example b/example/plugins/microservices/ldap_attribute_store.yaml.example
@@ -53,3 +53,7 @@ config:
       - attribute_names: [eppn]
     user_id_from_attrs:
       - uid
+  # The microservice may be configured to ignore a particular SP.
+  https://another.sp.myserver.edu
+    ignore: true
+  
diff --git a/src/satosa/micro_services/ldap_attribute_store.py b/src/satosa/micro_services/ldap_attribute_store.py
@@ -1,5 +1,5 @@
 """
-SATOSA microservice that uses an identifier asserted by 
+SATOSA microservice that uses an identifier asserted by
 the home organization SAML IdP as a key to search an LDAP
 directory for a record and then consume attributes from
 the record and assert them to the receiving SP.
@@ -33,9 +33,9 @@ def constructFilterValue(self, candidate, data):
         Construct and return a LDAP directory search filter value from the
         candidate identifier.
 
-        Argument 'canidate' is a dictionary with one required key and 
+        Argument 'canidate' is a dictionary with one required key and
         two optional keys:
-            
+
         key              required   value
         ---------------  --------   ---------------------------------
         attribute_names  Y          list of identifier names
@@ -50,7 +50,7 @@ def constructFilterValue(self, candidate, data):
         If the attribute_names list consists of more than one identifier
         name then the values of the identifiers will be concatenated together
         to create the filter value.
-        
+
         If one of the identifier names in the attribute_names is the string
         'name_id' then the NameID value with format name_id_format
         will be concatenated to the filter value.
@@ -87,9 +87,9 @@ def constructFilterValue(self, candidate, data):
                     if candidate['name_id_format'] in name_id:
                         nameid_value = name_id[candidate['name_id_format']]
 
-            # Only add the NameID value asserted by the IdP if it is not already 
+            # Only add the NameID value asserted by the IdP if it is not already
             # in the list of values. This is necessary because some non-compliant IdPs
-            # have been known, for example, to assert the value of eduPersonPrincipalName 
+            # have been known, for example, to assert the value of eduPersonPrincipalName
             # in the value for SAML2 persistent NameID as well as asserting
             # eduPersonPrincipalName.
             if nameid_value not in values:
@@ -132,7 +132,7 @@ def process(self, context, data):
         config = self.config
         configClean = copy.deepcopy(config)
         if 'bind_password' in configClean:
-            configClean['bind_password'] = 'XXXXXXXX'    
+            configClean['bind_password'] = 'XXXXXXXX'
 
         satosa_logging(logger, logging.DEBUG, "{} Using default configuration {}".format(logprefix, configClean), context.state)
 
@@ -150,9 +150,9 @@ def process(self, context, data):
             config = self.config[spEntityID]
             configClean = copy.deepcopy(config)
             if 'bind_password' in configClean:
-                configClean['bind_password'] = 'XXXXXXXX'    
+                configClean['bind_password'] = 'XXXXXXXX'
             satosa_logging(logger, logging.DEBUG, "{} For SP {} using configuration {}".format(logprefix, spEntityID, configClean), context.state)
-        
+
         # Obtain configuration details from the per-SP configuration or the default configuration
         try:
             if 'ldap_url' in config:
@@ -201,11 +201,20 @@ def process(self, context, data):
                 on_ldap_search_result_empty = self.config['on_ldap_search_result_empty']
             else:
                 on_ldap_search_result_empty = None
+            if 'ignore' in config:
+                ignore = True
+            else:
+                ignore = False
 
         except KeyError as err:
             satosa_logging(logger, logging.ERROR, "{} Configuration '{}' is missing".format(logprefix, err), context.state)
             return super().process(context, data)
 
+        # Ignore this SP entirely if so configured.
+        if ignore:
+            satosa_logging(logger, logging.INFO, "{} Ignoring SP {}".format(logprefix, spEntityID), None)
+            return super().process(context, data)
+
         # The list of values for the LDAP search filters that will be tried in order to find the
         # LDAP directory record for the user.
         filterValues = []
@@ -253,7 +262,7 @@ def process(self, context, data):
                         satosa_logging(logger, logging.WARN, "{} LDAP server returned {} records using IdP asserted attribute {}".format(logprefix, len(responses), identifier), context.state)
                     record = responses[0]
                     break
-                        
+
         except Exception as err:
             satosa_logging(logger, logging.ERROR, "{} Caught exception: {}".format(logprefix, err), context.state)
             return super().process(context, data)
