Add eIDAS application identifier support in config

ioparaskev · ioparaskev · commit cc925cf3d44f · 2020-01-30T12:11:51.000+02:00
- Adds support for setting the application identifier based on eIDAS
  Message Format v1.1-2 document
- Adds validator for the existence of the identifier and the correct
  formatting
- Adds tests for configuration validation related to the identifier and
  test for the existence as an entity attribute element
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -8,6 +8,7 @@
 import re
 import sys
 from functools import partial
+import re
 from iso3166 import countries
 
 import six
@@ -101,6 +102,7 @@
     "sp_type_in_metadata",
     "requested_attributes",
     "node_country",
+    "application_identifier"
 ]
 
 AA_IDP_ARGS = [
@@ -123,6 +125,7 @@
     "name_qualifier",
     "edu_person_targeted_id",
     "node_country",
+    "application_identifier"
 ]
 
 PDP_ARGS = ["endpoints", "name_form", "name_id_format"]
@@ -595,6 +598,14 @@ def validate_node_country_format(node_country):
         except KeyError:
             return False
 
+    @staticmethod
+    def validate_application_identifier_format(application_identifier):
+        if not application_identifier:
+            return True
+
+        return re.search(r"([a-zA-Z0-9])+:([a-zA-Z0-9():_\-])+:([0-9])+"
+                         r"(\.([0-9])+){1,2}", application_identifier)
+
 
 class eIDASSPConfig(SPConfig, eIDASConfig):
     def get_endpoint_element(self, element):
@@ -629,6 +640,19 @@ def validate(self):
                 partial(must_error,
                         message="be declared in ISO 3166-1 alpha-2 format")
             ),
+            RuleValidator(
+                "application_identifier",
+                getattr(self, "_sp_application_identifier", None),
+                *self.assert_declared(should_warning)
+            ),
+            RuleValidator(
+                "application_identifier",
+                getattr(self, "_sp_application_identifier", None),
+                self.validate_application_identifier_format,
+                partial(must_error,
+                        message="be in the form <vendor name>:<software identifier>"
+                                ":<major-version>.<minor-version>[.<patch-version>]”")
+            )
         ]
 
         for validator in validators:
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
@@ -778,6 +778,16 @@ def entity_descriptor(confd):
         item = node_country.NodeCountry(text=conf_node_country)
         entd.extensions.add_extension_element(item)
 
+    app_identifer = confd.getattr("application_identifier", confd.context)
+    if app_identifer:
+        entd.extensions = entd.extensions or md.Extensions()
+        ava = AttributeValue(text=app_identifer)
+        attr = Attribute(
+            attribute_value=ava,
+            name="http://eidas.europa.eu/entity-attributes/application-identifier"
+        )
+        _add_attr_to_entity_attributes(entd.extensions, attr)
+
     return entd
 
 
diff --git a/tests/eidas/sp_conf.py b/tests/eidas/sp_conf.py
@@ -30,7 +30,8 @@
             "sp_type": "public",
             "sp_type_in_metadata": False,
             "force_authn": True,
-            "node_country": "GR"
+            "node_country": "GR",
+            "application_identifier": "CEF:eIDAS-ref:2.0"
         }
     },
     "debug": 1,
diff --git a/tests/eidas/test_sp.py b/tests/eidas/test_sp.py
@@ -65,6 +65,19 @@ def test_node_country_in_metadata(self):
         assert any(filter(lambda x: x.tag == "NodeCountry",
                           entd.extensions.extension_elements))
 
+    def test_application_identifier_in_metadata(self):
+        entd = metadata.entity_descriptor(self.conf)
+        entity_attributes = next(filter(lambda x: x.tag == "EntityAttributes",
+                                        entd.extensions.extension_elements))
+        app_identifier = [
+            x for x in entity_attributes.children
+            if x.attributes["Name"] ==
+               "http://eidas.europa.eu/entity-attributes/application-identifier"
+        ]
+        assert len(app_identifier) == 1
+        assert self.conf._sp_application_identifier \
+               == next(x.text for y in app_identifier for x in y.children)
+
 
 class TestSPConfig:
     @pytest.fixture(scope="function")
@@ -128,3 +141,26 @@ def test_nodecountry_wrong_format(self, config):
 
         with pytest.raises(ConfigValidationError):
             conf.validate()
+
+    def test_no_application_identifier_warning(self, config, raise_error_on_warning):
+        del config["service"]["sp"]["application_identifier"]
+
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()
+
+    def test_application_identifier_wrong_format(self, config):
+        config["service"]["sp"]["application_identifier"] = "TEST:Node.1"
+
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()
+
+    def test_application_identifier_ok_format(self, config):
+        conf = eIDASSPConfig()
+        conf.load(config)
+        conf.validate()
