Merge pull request #68 from open-craft/edx3-expiry-settings

Allow configuration of metadata caching/expiry via settings

Author: pitbulk

src/onelogin/saml2/metadata.py

@@ -41,11 +41,11 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         :param wsign: wantAssertionsSigned attribute
         :type wsign: string
 
-        :param valid_until: Metadata's valid time
-        :type valid_until: string|DateTime
+        :param valid_until: Metadata's expiry date
+        :type valid_until: string|DateTime|Timestamp
 
         :param cache_duration: Duration of the cache in seconds
-        :type cache_duration: string|Timestamp
+        :type cache_duration: int|string
 
         :param contacts: Contacts info
         :type contacts: dict
@@ -56,15 +56,18 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         if valid_until is None:
             valid_until = int(datetime.now().strftime("%s")) + OneLogin_Saml2_Metadata.TIME_VALID
         if not isinstance(valid_until, basestring):
-            valid_until_time = gmtime(valid_until)
-            valid_until_time = strftime(r'%Y-%m-%dT%H:%M:%SZ', valid_until_time)
+            if isinstance(valid_until, datetime):
+                valid_until_time = valid_until
+            else:
+                valid_until_time = gmtime(valid_until)
+            valid_until_str = strftime(r'%Y-%m-%dT%H:%M:%SZ', valid_until_time)
         else:
-            valid_until_time = valid_until
+            valid_until_str = valid_until
 
         if cache_duration is None:
-            cache_duration = int(datetime.now().strftime("%s")) + OneLogin_Saml2_Metadata.TIME_CACHED
+            cache_duration = OneLogin_Saml2_Metadata.TIME_CACHED
         if not isinstance(cache_duration, basestring):
-            cache_duration_str = 'PT%sS' % cache_duration
+            cache_duration_str = 'PT%sS' % cache_duration  # 'P'eriod of 'T'ime x 'S'econds
         else:
             cache_duration_str = cache_duration
 
@@ -121,8 +124,8 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
 
         metadata = """<?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-                     validUntil="%(valid)s"
-                     cacheDuration="%(cache)s"
+                     %(valid)s
+                     %(cache)s
                      entityID="%(entity_id)s">
     <md:SPSSODescriptor AuthnRequestsSigned="%(authnsign)s" WantAssertionsSigned="%(wsign)s" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 %(sls)s        <md:NameIDFormat>%(name_id_format)s</md:NameIDFormat>
@@ -134,8 +137,8 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
 %(contacts)s
 </md:EntityDescriptor>""" % \
             {
-                'valid': valid_until_time,
-                'cache': cache_duration_str,
+                'valid': ('validUntil="%s"' % valid_until_str) if valid_until_str else '',
+                'cache': ('cacheDuration="%s"' % cache_duration_str) if cache_duration_str else '',
                 'entity_id': sp['entityId'],
                 'authnsign': str_authnsign,
                 'wsign': str_wsign,

src/onelogin/saml2/settings.py

@@ -266,6 +266,12 @@ def __add_default_values(self):
         if 'nameIdEncrypted' not in self.__security:
             self.__security['nameIdEncrypted'] = False
 
+        # Metadata format
+        if 'metadataValidUntil' not in self.__security.keys():
+            self.__security['metadataValidUntil'] = None  # None means use default
+        if 'metadataCacheDuration' not in self.__security.keys():
+            self.__security['metadataCacheDuration'] = None  # None means use default
+
         # Sign provided
         if 'authnRequestsSigned' not in self.__security.keys():
             self.__security['authnRequestsSigned'] = False
@@ -548,7 +554,9 @@ def get_sp_metadata(self):
         """
         metadata = OneLogin_Saml2_Metadata.builder(
             self.__sp, self.__security['authnRequestsSigned'],
-            self.__security['wantAssertionsSigned'], None, None,
+            self.__security['wantAssertionsSigned'],
+            self.__security['metadataValidUntil'],
+            self.__security['metadataCacheDuration'],
             self.get_contacts(), self.get_organization()
         )
         cert = self.get_sp_cert()

tests/src/OneLogin/saml2_tests/metadata_test.py

@@ -84,15 +84,43 @@ def testBuilder(self):
             sp_data, security['authnRequestsSigned'],
             security['wantAssertionsSigned'],
             '2014-10-01T11:04:29Z',
-            'PT1412593469S',
+            'P1Y',
             contacts,
             organization
         )
         self.assertIsNotNone(metadata3)
         self.assertIn('<md:SPSSODescriptor', metadata3)
-        self.assertIn('cacheDuration="PT1412593469S"', metadata3)
+        self.assertIn('cacheDuration="P1Y"', metadata3)
         self.assertIn('validUntil="2014-10-01T11:04:29Z"', metadata3)
 
+        # Test no validUntil, only cacheDuration:
+        metadata4 = OneLogin_Saml2_Metadata.builder(
+            sp_data, security['authnRequestsSigned'],
+            security['wantAssertionsSigned'],
+            '',
+            86400 * 10,  # 10 days
+            contacts,
+            organization
+        )
+        self.assertIsNotNone(metadata4)
+        self.assertIn('<md:SPSSODescriptor', metadata4)
+        self.assertIn('cacheDuration="PT864000S"', metadata4)
+        self.assertNotIn('validUntil', metadata4)
+
+        # Test no cacheDuration, only validUntil:
+        metadata5 = OneLogin_Saml2_Metadata.builder(
+            sp_data, security['authnRequestsSigned'],
+            security['wantAssertionsSigned'],
+            '2014-10-01T11:04:29Z',
+            '',
+            contacts,
+            organization
+        )
+        self.assertIsNotNone(metadata5)
+        self.assertIn('<md:SPSSODescriptor', metadata5)
+        self.assertNotIn('cacheDuration', metadata5)
+        self.assertIn('validUntil="2014-10-01T11:04:29Z"', metadata5)
+
     def testSignMetadata(self):
         """
         Tests the signMetadata method of the OneLogin_Saml2_Metadata