Fix #94 Idp Metadata parser

Author: pitbulk

src/onelogin/saml2/idp_metadata_parser.py

@@ -0,0 +1,155 @@
+# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_IdPMetadataParser class
+
+Copyright (c) 2014, OneLogin, Inc.
+All rights reserved.
+
+Metadata class of OneLogin's Python Toolkit.
+
+"""
+
+import urllib2
+from defusedxml.lxml import fromstring
+
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
+
+
+class OneLogin_Saml2_IdPMetadataParser(object):
+    """
+    A class that contains methods related to obtain and parse metadata from IdP
+    """
+
+    @staticmethod
+    def get_metadata(url):
+        """
+        Get the metadata XML from the provided URL
+
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+
+        :returns: metadata XML
+        :rtype: string
+        """
+        valid = False
+        response = urllib2.urlopen(url)
+        xml = response.read()
+
+        if xml:
+            try:
+                dom = fromstring(xml)
+                idp_descriptor_nodes = OneLogin_Saml2_Utils.query(dom, '//md:IDPSSODescriptor')
+                if idp_descriptor_nodes:
+                    valid = True
+            except:
+                pass
+
+        if not valid:
+            raise Exception('Not valid IdP XML found from URL: %s' % (url))
+
+        return xml
+
+    @staticmethod
+    def parse_remote(url):
+        """
+        Get the metadata XML from the provided URL and parse it, returning a dict with extracted data
+
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+
+        :returns: settings dict with extracted data
+        :rtype: dict
+        """
+        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url)
+        return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata)
+
+    @staticmethod
+    def parse(idp_metadata):
+        """
+        Parse the Identity Provider metadata and returns a dict with extracted data
+        If there are multiple IDPSSODescriptor it will only parse the first
+
+        :param idp_metadata: XML of the Identity Provider Metadata.
+        :type idp_metadata: string
+
+        :param url: If true and the URL is HTTPs, the cert of the domain is checked.
+        :type url: bool
+
+        :returns: settings dict with extracted data
+        :rtype: string
+        """
+        data = {}
+
+        dom = fromstring(idp_metadata)
+        entity_descriptor_nodes = OneLogin_Saml2_Utils.query(dom, '//md:EntityDescriptor')
+
+        idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None
+
+        if len(entity_descriptor_nodes) > 0:
+            for entity_descriptor_node in entity_descriptor_nodes:
+                idp_descriptor_nodes = OneLogin_Saml2_Utils.query(entity_descriptor_node, './md:IDPSSODescriptor')
+                if len(idp_descriptor_nodes) > 0:
+                    idp_descriptor_node = idp_descriptor_nodes[0]
+
+                    idp_entity_id = entity_descriptor_node.get('entityID', None)
+
+                    want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None)
+
+                    name_id_format_nodes = OneLogin_Saml2_Utils.query(idp_descriptor_node, './md:NameIDFormat')
+                    if len(name_id_format_nodes) > 0:
+                        idp_name_id_format = name_id_format_nodes[0].text
+
+                    sso_nodes = OneLogin_Saml2_Utils.query(idp_descriptor_node, "./md:SingleSignOnService[@Binding='%s']" % OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+                    if len(sso_nodes) > 0:
+                        idp_sso_url = sso_nodes[0].get('Location', None)
+
+                    slo_nodes = OneLogin_Saml2_Utils.query(idp_descriptor_node, "./md:SingleLogoutService[@Binding='%s']" % OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+                    if len(slo_nodes) > 0:
+                        idp_slo_url = slo_nodes[0].get('Location', None)
+
+                    cert_nodes = OneLogin_Saml2_Utils.query(idp_descriptor_node, "./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+                    if len(cert_nodes) > 0:
+                        idp_x509_cert = cert_nodes[0].text
+
+                    data['idp'] = {}
+
+                    if idp_entity_id is not None:
+                        data['idp']['entityId'] = idp_entity_id
+                    if idp_sso_url is not None:
+                        data['idp']['singleLogoutService'] = {}
+                        data['idp']['singleLogoutService']['url'] = idp_sso_url
+                    if idp_slo_url is not None:
+                        data['idp']['singleLogoutService'] = {}
+                        data['idp']['singleLogoutService']['url'] = idp_slo_url
+                    if idp_x509_cert is not None:
+                        data['idp']['x509cert'] = idp_x509_cert
+
+                    if want_authn_requests_signed is not None:
+                        data['security'] = {}
+                        data['security']['authnRequestsSigned'] = want_authn_requests_signed
+
+                    if idp_name_id_format:
+                        data['sp'] = {}
+                        data['sp']['NameIDFormat'] = idp_name_id_format
+
+                    break
+        return data
+
+    @staticmethod
+    def merge_settings(settings, new_metadata_settings):
+        """
+        Will update the settings with the provided new settings data extracted from the IdP metadata
+
+        :param settings: Current settings dict data
+        :type settings: string
+
+        :param new_metadata_settings: Settings to be merged (extracted from IdP metadata after parsing)
+        :type new_metadata_settings: string
+
+        :returns: merged settings
+        :rtype: dict
+        """
+        result_settings = settings.copy()
+        result_settings.update(new_metadata_settings)
+        return result_settings

tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py

@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2014, OneLogin, Inc.
+# All rights reserved.
+
+
+import json
+from os.path import dirname, join, exists
+from lxml.etree import XMLSyntaxError
+import unittest
+from teamcity import is_running_under_teamcity
+from teamcity.unittestpy import TeamcityTestRunner
+
+from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser
+
+
+class OneLogin_Saml2_IdPMetadataParser_Test(unittest.TestCase):
+    data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data')
+    settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings')
+
+    def loadSettingsJSON(self, filename='settings1.json'):
+        filename = join(self.settings_path, filename)
+        if exists(filename):
+            stream = open(filename, 'r')
+            settings = json.load(stream)
+            stream.close()
+            return settings
+        else:
+            raise Exception('Settings json file does not exist')
+
+    def file_contents(self, filename):
+        f = open(filename, 'r')
+        content = f.read()
+        f.close()
+        return content
+
+    def testGetMetadata(self):
+        """
+        Tests the get_metadata method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(Exception):
+            data = OneLogin_Saml2_IdPMetadataParser.get_metadata('http://google.es')
+
+        data = OneLogin_Saml2_IdPMetadataParser.get_metadata('https://www.testshib.org/metadata/testshib-providers.xml')
+        self.assertTrue(data is not None and data is not {})
+
+    def testParseRemote(self):
+        """
+        Tests the parse_remote method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(Exception):
+            data = OneLogin_Saml2_IdPMetadataParser.parse_remote('http://google.es')
+
+        data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://www.testshib.org/metadata/testshib-providers.xml')
+        self.assertTrue(data is not None and data is not {})
+        expected_data = {'sp': {'NameIDFormat': 'urn:mace:shibboleth:1.0:nameIdentifier'}, 'idp': {'singleLogoutService': {'url': 'https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO'}, 'entityId': 'https://idp.testshib.org/idp/shibboleth'}}
+        self.assertEqual(expected_data, data)
+
+    def testParse(self):
+        """
+        Tests the parse method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(XMLSyntaxError):
+            data = OneLogin_Saml2_IdPMetadataParser.parse('')
+
+        xml_sp_metadata = self.file_contents(join(self.data_path, 'metadata', 'metadata_settings1.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_sp_metadata)
+        self.assertEqual({}, data)
+
+        xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata)
+        expected_data = {'sp': {'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}, 'idp': {'singleLogoutService': {'url': 'https://app.onelogin.com/trust/saml2/http-post/sso/383123'}, 'entityId': 'https://app.onelogin.com/saml/metadata/383123', 'x509cert': 'MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD\nVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2\nMDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u\nZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z\n0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT\ngf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m\nTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF\nzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ\nUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV\nHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw\nDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO\nBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu\nAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV\ngG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ\nsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP\nTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu\nQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78\n1sE='}}
+        self.assertEqual(expected_data, data)
+
+    def testMergeSettings(self):
+        """
+        Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(AttributeError):
+            settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings(None, {})
+
+        with self.assertRaises(TypeError):
+            settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings({}, None)
+
+        xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata)
+        settings = self.loadSettingsJSON()
+        settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings(settings, data)
+        expected_data = {u'sp': {'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}, u'idp': {'singleLogoutService': {'url': 'https://app.onelogin.com/trust/saml2/http-post/sso/383123'}, 'entityId': 'https://app.onelogin.com/saml/metadata/383123', 'x509cert': 'MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD\nVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2\nMDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u\nZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z\n0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT\ngf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m\nTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF\nzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ\nUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV\nHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw\nDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO\nBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu\nAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV\ngG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ\nsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP\nTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu\nQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78\n1sE='}, u'strict': False, u'contactPerson': {u'technical': {u'givenName': u'technical_name', u'emailAddress': u'technical@example.com'}, u'support': {u'givenName': u'support_name', u'emailAddress': u'support@example.com'}}, u'debug': False, u'organization': {u'en-US': {u'url': u'http://sp.example.com', u'displayname': u'SP test', u'name': u'sp_test'}}, u'security': {u'signMetadata': False, u'wantAssertionsSigned': False, u'authnRequestsSigned': False}, u'custom_base_path': u'../../../tests/data/customPath/'}
+        self.assertEqual(expected_data, settings_result)
+
+        expected_data2 = {'sp': {u'singleLogoutService': {u'url': u'http://stuff.com/endpoints/endpoints/sls.php'}, u'assertionConsumerService': {u'url': u'http://stuff.com/endpoints/endpoints/acs.php'}, u'entityId': u'http://stuff.com/endpoints/metadata.php', u'NameIDFormat': u'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'}, 'idp': {u'singleLogoutService': {u'url': u'http://idp.example.com/SingleLogoutService.php'}, u'entityId': u'http://idp.example.com/', u'x509cert': u'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo', u'singleSignOnService': {u'url': u'http://idp.example.com/SSOService.php'}}, u'strict': False, u'contactPerson': {u'technical': {u'givenName': u'technical_name', u'emailAddress': u'technical@example.com'}, u'support': {u'givenName': u'support_name', u'emailAddress': u'support@example.com'}}, u'debug': False, u'organization': {u'en-US': {u'url': u'http://sp.example.com', u'displayname': u'SP test', u'name': u'sp_test'}}, u'security': {u'signMetadata': False, u'wantAssertionsSigned': False, u'authnRequestsSigned': False}, u'custom_base_path': u'../../../tests/data/customPath/'}
+        settings_result2 = OneLogin_Saml2_IdPMetadataParser.merge_settings(data, settings)
+        self.assertEqual(expected_data2, settings_result2)
+
+
+if __name__ == '__main__':
+    if is_running_under_teamcity():
+        runner = TeamcityTestRunner()
+    else:
+        runner = unittest.TextTestRunner()
+    unittest.main(testRunner=runner)