Add eIDAs protocol version suppert in config

ioparaskev · ioparaskev · commit a44587014d2a · 2020-01-30T12:11:51.000+02:00
- Adds support for setting the protocol versions supported based on
  eIDAS Message Format v1.1-2 document
- Adds validator for the existence of the protocol version and issues a
  warning if it doesn't exist
- Adds tests for configuration validation and for the existence of
  protocol version as an entity attribute element
- Adds helper functions `make_type` and `make_list` to make parsing the
  protocol version easier regardless of it being a single element or a
list of elements
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -102,7 +102,8 @@
     "sp_type_in_metadata",
     "requested_attributes",
     "node_country",
-    "application_identifier"
+    "application_identifier",
+    "protocol_version"
 ]
 
 AA_IDP_ARGS = [
@@ -126,6 +127,7 @@
     "edu_person_targeted_id",
     "node_country",
     "application_identifier"
+    "protocol_version"
 ]
 
 PDP_ARGS = ["endpoints", "name_form", "name_id_format"]
@@ -652,6 +654,11 @@ def validate(self):
                 partial(must_error,
                         message="be in the form <vendor name>:<software identifier>"
                                 ":<major-version>.<minor-version>[.<patch-version>]”")
+            ),
+            RuleValidator(
+                "protocol_version",
+                getattr(self, "_sp_protocol_version", None),
+                *self.assert_declared(should_warning)
             )
         ]
 
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
@@ -21,6 +21,7 @@
 from saml2 import BINDING_SOAP
 from saml2 import samlp
 from saml2 import class_name
+from saml2.utility import make_list
 
 from saml2 import xmldsig as ds
 import six
@@ -788,6 +789,16 @@ def entity_descriptor(confd):
         )
         _add_attr_to_entity_attributes(entd.extensions, attr)
 
+    protocol_version = confd.getattr("protocol_version", confd.context)
+    if protocol_version:
+        entd.extensions = entd.extensions or md.Extensions()
+        ava = [AttributeValue(text=str(c)) for c in make_list(protocol_version)]
+        attr = Attribute(
+            attribute_value=ava,
+            name="http://eidas.europa.eu/entity-attributes/protocol-version"
+        )
+        _add_attr_to_entity_attributes(entd.extensions, attr)
+
     return entd
 
 
diff --git a/src/saml2/utility/__init__.py b/src/saml2/utility/__init__.py
@@ -0,0 +1,10 @@
+def make_type(mtype, *args):
+    t_args = []
+    similar_type = tuple if mtype is list else list
+    for x in args:
+        t_args.extend([x] if not isinstance(x, (list, tuple)) else similar_type(x))
+    return mtype(t_args)
+
+
+def make_list(*args):
+    return make_type(list, *args)
diff --git a/tests/eidas/sp_conf.py b/tests/eidas/sp_conf.py
@@ -31,7 +31,8 @@
             "sp_type_in_metadata": False,
             "force_authn": True,
             "node_country": "GR",
-            "application_identifier": "CEF:eIDAS-ref:2.0"
+            "application_identifier": "CEF:eIDAS-ref:2.0",
+            "protocol_version": [1.1, 2.2]
         }
     },
     "debug": 1,
diff --git a/tests/eidas/test_sp.py b/tests/eidas/test_sp.py
@@ -71,13 +71,43 @@ def test_application_identifier_in_metadata(self):
                                         entd.extensions.extension_elements))
         app_identifier = [
             x for x in entity_attributes.children
-            if x.attributes["Name"] ==
+            if getattr(x, "attributes", {}).get("Name") ==
                "http://eidas.europa.eu/entity-attributes/application-identifier"
         ]
         assert len(app_identifier) == 1
         assert self.conf._sp_application_identifier \
                == next(x.text for y in app_identifier for x in y.children)
 
+    def test_multiple_protocol_version_in_metadata(self):
+        entd = metadata.entity_descriptor(self.conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        protocol_version = next(
+            x for x in entity_attributes.children
+            if getattr(x, "name", "") ==
+               "http://eidas.europa.eu/entity-attributes/protocol-version"
+        )
+        assert len(protocol_version.attribute_value) == 2
+        assert set(str(x) for x in self.conf._sp_protocol_version) \
+               == set([x.text for x in protocol_version.attribute_value])
+
+    def test_protocol_version_in_metadata(self, config):
+        config["service"]["sp"]["protocol_version"] = 1.2
+
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        entd = metadata.entity_descriptor(conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        protocol_version = next(
+            x for x in entity_attributes.children
+            if getattr(x, "name", "") ==
+            "http://eidas.europa.eu/entity-attributes/protocol-version"
+        )
+        assert len(protocol_version.attribute_value) == 1
+        assert {str(conf._sp_protocol_version)} \
+               == set([x.text for x in protocol_version.attribute_value])
 
 class TestSPConfig:
     @pytest.fixture(scope="function")
@@ -164,3 +194,12 @@ def test_application_identifier_ok_format(self, config):
         conf = eIDASSPConfig()
         conf.load(config)
         conf.validate()
+
+    def test_no_protocol_version_warning(self, config, raise_error_on_warning):
+        del config["service"]["sp"]["protocol_version"]
+
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()
