Add validator for NodeCountry element

- Adds requirement iso3166 to lookup if a country code is valid (country
  exists and code is in ISO 3166-1 alpha-2 format)
- Adds validator method in eIDASConfig class (since both IdP and SP MUST
  have the NodeCountry element)
- Adds tests related to NodeCountry validation

Author: ioparaskev

setup.cfg

@@ -51,6 +51,7 @@ install_requires =
     pytz
     requests >= 1.0.0
     six
+    iso3166
 
 
 [options.packages.find]

src/saml2/config.py

@@ -8,6 +8,7 @@
 import re
 import sys
 from functools import partial
+from iso3166 import countries
 
 import six
 
@@ -587,30 +588,47 @@ def assert_declared(cls, error_signal):
         return (lambda x: x is not None,
                 partial(error_signal, message="be declared"))
 
+    @staticmethod
+    def validate_node_country_format(node_country):
+        try:
+            return countries.get(node_country).alpha2 == node_country
+        except KeyError:
+            return False
+
 
 class eIDASSPConfig(SPConfig, eIDASConfig):
+    def get_endpoint_element(self, element):
+        return getattr(self, "_sp_endpoints", {}).get(element, None)
+
     def validate(self):
         validators = [
             RuleValidator(
                 "single_logout_service",
-                self._sp_endpoints.get("single_logout_service"),
+                self.get_endpoint_element("single_logout_service"),
                 *self.assert_not_declared(should_warning)
             ),
             RuleValidator(
                 "artifact_resolution_service",
-                self._sp_endpoints.get("artifact_resolution_service"),
+                self.get_endpoint_element("artifact_resolution_service"),
                 *self.assert_not_declared(should_warning)
             ),
             RuleValidator(
                 "manage_name_id_service",
-                self._sp_endpoints.get("manage_name_id_service"),
+                self.get_endpoint_element("manage_name_id_service"),
                 *self.assert_not_declared(should_warning)
             ),
             RuleValidator(
                 "KeyDescriptor",
                 self.cert_file or self.encryption_keypairs,
                 *self.assert_declared(must_error)
-            )
+            ),
+            RuleValidator(
+                "node_country",
+                getattr(self, "_sp_node_country", None),
+                self.validate_node_country_format,
+                partial(must_error,
+                        message="be declared in ISO 3166-1 alpha-2 format")
+            ),
         ]
 
         for validator in validators:

tests/eidas/test_sp.py

@@ -112,3 +112,19 @@ def test_no_keydescriptor(self, config):
 
         with pytest.raises(ConfigValidationError):
             conf.validate()
+
+    def test_no_nodecountry(self, config):
+        del config["service"]["sp"]["node_country"]
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()
+
+    def test_nodecountry_wrong_format(self, config):
+        config["service"]["sp"]["node_country"] = "gr"
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()