Merge pull request #888 from johanlundberg/lundberg_treat_requested_subject_id_as_attribute

Add support for subject-id requirements signalling in metadata

Author: c00kiemon5ter

src/saml2/assertion.py

@@ -556,11 +556,16 @@ def restrict(self, ava, sp_entity_id, metadata=None):
 
         metadata_store = metadata or self.metadata_store
         spec = metadata_store.attribute_requirement(sp_entity_id) or {} if metadata_store else {}
+        required_attributes = spec.get("required", [])
+        optional_attributes = spec.get("optional", [])
+        required_subject_id = metadata_store.subject_id_requirement(sp_entity_id) if metadata_store else None
+        if required_subject_id and required_subject_id not in required_attributes:
+            required_attributes.append(required_subject_id)
         return self.filter(
             ava,
             sp_entity_id,
-            required=spec.get("required"),
-            optional=spec.get("optional"),
+            required=required_attributes or None,
+            optional=optional_attributes or None,
         )
 
     def conditions(self, sp_entity_id):

src/saml2/mdstore.py

@@ -418,6 +418,17 @@ def attribute_requirement(self, entity_id, index=None):
         """
         raise NotImplementedError
 
+    def subject_id_requirement(self, entity_id):
+        """
+        Returns what subject identifier the SP requires if any
+
+        :param entity_id: The entity id of the SP
+        :type entity_id: str
+        :return: RequestedAttribute dict or None
+        :rtype: Optional[dict]
+        """
+        raise NotImplementedError
+
     def dumps(self):
         return json.dumps(list(self.items()), indent=2)
 
@@ -1290,6 +1301,32 @@ def attribute_requirement(self, entity_id, index=None):
             if entity_id in _md:
                 return _md.attribute_requirement(entity_id, index)
 
+    def subject_id_requirement(self, entity_id):
+        try:
+            entity_attributes = self.entity_attributes(entity_id)
+        except KeyError:
+            return None
+
+        if "urn:oasis:names:tc:SAML:profiles:subject-id:req" in entity_attributes:
+            subject_id_req = entity_attributes["urn:oasis:names:tc:SAML:profiles:subject-id:req"][0]
+            if subject_id_req == "any" or subject_id_req == "pairwise-id":
+                return {
+                    "__class__": "urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute",
+                    "name": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendly_name": "pairwise-id",
+                    "is_required": "true",
+                }
+            elif subject_id_req == "subject-id":
+                return {
+                    "__class__": "urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute",
+                    "name": "urn:oasis:names:tc:SAML:attribute:subject-id",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendly_name": "subject-id",
+                    "is_required": "true",
+                }
+        return None
+
     def keys(self):
         res = []
         for _md in self.metadata.values():

tests/entity_esi_and_coco_sp.xml

@@ -7,6 +7,9 @@
               <saml:AttributeValue>https://myacademicid.org/entity-categories/esi</saml:AttributeValue>
               <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
           </saml:Attribute>
+          <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:SAML:profiles:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+              <saml:AttributeValue>any</saml:AttributeValue>
+          </saml:Attribute>
       </mdattr:EntityAttributes></ns0:Extensions>
   <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <ns0:KeyDescriptor use="encryption">
@@ -65,7 +68,7 @@ wHyaxzYldWmVC5omkgZeAdCGpJ316GQF8Zwg/yDOUzm4cvGeIESf1Q6ZxBwI6zGE
     </ns0:KeyDescriptor>
     <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://esi-coco.example.edu/saml2/ls/"/>
     <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://esi-coco.example.edu/saml2/acs/" index="1"/>
-    <!-- Require eduPersonTargetedID -->
+    <!-- Require schacHomeOrganization and eduPersonScopedAffiliation -->
     <ns0:AttributeConsumingService index="0">
         <ns0:ServiceName xml:lang="en">esi-coco-SP</ns0:ServiceName>
         <ns0:ServiceDescription xml:lang="en">ESI and COCO SP</ns0:ServiceDescription>

tests/entity_personalized_sp.xml

@@ -64,7 +64,6 @@ wHyaxzYldWmVC5omkgZeAdCGpJ316GQF8Zwg/yDOUzm4cvGeIESf1Q6ZxBwI6zGE
     </ns0:KeyDescriptor>
     <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://personalized.example.edu/saml2/ls/"/>
     <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://personalized.example.edu/saml2/acs/" index="1"/>
-    <!-- Require eduPersonTargetedID -->
     <ns0:AttributeConsumingService index="0">
        <ns0:ServiceName xml:lang="en">personalized-SP</ns0:ServiceName>
         <ns0:ServiceDescription xml:lang="en">refeds personalized access SP</ns0:ServiceDescription>

tests/test_30_mdstore.py

@@ -189,6 +189,12 @@
             "metadata": [(full_path("empty_metadata_file.xml"),)],
         }
     ],
+    "17": [
+        {
+            "class": "saml2.mdstore.MetaDataFile",
+            "metadata": [(full_path("entity_esi_and_coco_sp.xml"),)],
+        }
+    ],
 }
 
 
@@ -654,6 +660,17 @@ def test_registration_info_no_policy():
     assert registration_info["registration_policy"] == {}
 
 
+def test_subject_id_requirement():
+    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
+    mds.imp(METADATACONF["17"])
+    required_subject_id = mds.subject_id_requirement(entity_id="https://esi-coco.example.edu/saml2/metadata/")
+    assert required_subject_id["__class__"] == "urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute"
+    assert required_subject_id["name"] == "urn:oasis:names:tc:SAML:attribute:pairwise-id"
+    assert required_subject_id["name_format"] == "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+    assert required_subject_id["friendly_name"] == "pairwise-id"
+    assert required_subject_id["is_required"] == "true"
+
+
 def test_extension():
     mds = MetadataStore(ATTRCONV, None)
     # use ordered dict to force expected entity to be last