Merge pull request #1 from jimmyislive/feature/requested_attrib_support

Feature/requested attrib support, feature branch -> master branch

Author: jimmyislive

demo-django/saml/settings_with_req_attributes_example.json

@@ -0,0 +1,46 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "https://<sp_domain>/metadata/",
+        "assertionConsumerService": {
+            "url": "https://<sp_domain>/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "attributeConsumingService": [
+            {
+                "isDefault": false,
+                "serviceName": "Django Demo",
+                "serviceDescription": "Django Name",
+                "requestedAttributes": [ {
+                        "name": "",
+                        "nameFormat": "",
+                        "friendlyName": "",
+                        "isRequired": false,
+                        "attributeValue": [
+                        ]
+                    }
+                ]
+            }
+        ],
+        "singleLogoutService": {
+            "url": "https://<sp_domain>/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "https://app.onelogin.com/saml/metadata/<onelogin_connector_id>",
+        "singleSignOnService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "<onelogin_connector_cert>"
+    }
+}

setup.py

@@ -9,7 +9,7 @@
 
 setup(
     name='python-saml',
-    version='2.1.5',
+    version='2.2.5',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 4 - Beta',

src/onelogin/saml2/authn_request.py

@@ -88,6 +88,12 @@ def __init__(self, settings, force_authn=False, is_passive=False):
                     requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                 requested_authn_context_str += '    </samlp:RequestedAuthnContext>'
 
+        attr_consuming_service_str = ''
+        if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
+            # TODO: Do we have to account for the case when we have multiple attributeconsumers?
+            # like will the index be > 1?
+            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'
+
         request = """<samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
@@ -99,7 +105,8 @@ def __init__(self, settings, force_authn=False, is_passive=False):
     IssueInstant="%(issue_instant)s"
     Destination="%(destination)s"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    AssertionConsumerServiceURL="%(assertion_url)s">
+    AssertionConsumerServiceURL="%(assertion_url)s"
+    %(attr_consuming_service_str)s>
     <saml:Issuer>%(entity_id)s</saml:Issuer>
     <samlp:NameIDPolicy
         Format="%(name_id_policy)s"
@@ -117,6 +124,7 @@ def __init__(self, settings, force_authn=False, is_passive=False):
                 'entity_id': sp_data['entityId'],
                 'name_id_policy': name_id_policy_format,
                 'requested_authn_context_str': requested_authn_context_str,
+                'attr_consuming_service_str': attr_consuming_service_str
             }
 
         self.__authn_request = request

src/onelogin/saml2/constants.py

@@ -21,6 +21,9 @@ class OneLogin_Saml2_Constants(object):
     # Value added to the current time in time condition validations
     ALLOWED_CLOCK_DRIFT = 300
 
+    XML = 'http://www.w3.org/XML/1998/namespace'
+    XSI = 'http://www.w3.org/2001/XMLSchema-instance'
+
     # NameID Formats
     NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
     NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'

src/onelogin/saml2/metadata.py

@@ -12,6 +12,7 @@
 from time import gmtime, strftime
 from datetime import datetime
 from defusedxml.minidom import parseString
+from lxml import etree
 
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
@@ -27,6 +28,63 @@ class OneLogin_Saml2_Metadata(object):
     TIME_VALID = 172800   # 2 days
     TIME_CACHED = 604800  # 1 week
 
+    @staticmethod
+    def add_attribute_consuming_service(root, attr_consuming_service):
+        """Helper function to add the AttributeConsumingService nodes"""
+        attrib_index = 1
+        spso_node = root.find('{%s}SPSSODescriptor' % OneLogin_Saml2_Constants.NS_MD)
+
+        # iterate through all the consuming services listed
+        for acs in attr_consuming_service:
+            acs_node = etree.SubElement(spso_node, "{%s}AttributeConsumingService" % OneLogin_Saml2_Constants.NS_MD)
+            acs_node.set('index', str(attrib_index))
+            try:
+                acs_node.set('isDefault', str(acs['isDefault']).lower())
+            except KeyError:
+                pass
+
+            svc_name = etree.SubElement(acs_node, "{%s}ServiceName" % OneLogin_Saml2_Constants.NS_MD)
+            svc_name.set('{%s}lang' % OneLogin_Saml2_Constants.XML, 'en')
+            svc_name.text = acs['serviceName']
+            try:
+                svc_description = etree.SubElement(acs_node, "{%s}ServiceDescription" % OneLogin_Saml2_Constants.NS_MD)
+                svc_description.set('{%s}lang' % OneLogin_Saml2_Constants.XML, 'en')
+                svc_description.text = acs['serviceDescription']
+            except KeyError:
+                # serviceDescription is optional
+                pass
+
+            # iterate through all the requested attributes of each service
+            for req_attribs in acs['requestedAttributes']:
+
+                requested_attribute = etree.SubElement(acs_node, "{%s}RequestedAttribute" % OneLogin_Saml2_Constants.NS_MD)
+                # construct the permissible attrib values, if present
+                try:
+                    for attrib_val in req_attribs['attributeValue']:
+                        val = etree.SubElement(requested_attribute, "{%s}AttributeValue" % OneLogin_Saml2_Constants.NS_SAML)
+                        val.text = attrib_val
+                except KeyError:
+                    # it's fine, attributeValue is an optional element
+                    pass
+
+                requested_attribute.set('Name', req_attribs['name'])
+                try:
+                    requested_attribute.set('NameFormat', req_attribs['nameFormat'])
+                except KeyError:
+                    pass
+
+                try:
+                    requested_attribute.set('FriendlyName', req_attribs['friendlyName'])
+                except KeyError:
+                    pass
+
+                try:
+                    requested_attribute.set('isRequired', str(req_attribs['isRequired']).lower())
+                except KeyError:
+                    pass
+
+            attrib_index += 1
+
     @staticmethod
     def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None):
         """
@@ -50,7 +108,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         :param contacts: Contacts info
         :type contacts: dict
 
-        :param organization: Organization ingo
+        :param organization: Organization info
         :type organization: dict
         """
         if valid_until is None:
@@ -76,6 +134,11 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         if organization is None:
             organization = {}
 
+        try:
+            attr_consuming_service = sp['attributeConsumingService']
+        except KeyError:
+            attr_consuming_service = []
+
         sls = ''
         if 'singleLogoutService' in sp and 'url' in sp['singleLogoutService']:
             sls = """        <md:SingleLogoutService Binding="%(binding)s"
@@ -119,7 +182,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
             str_contacts = '\n'.join(contacts_info)
 
         metadata = """<?xml version="1.0"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      %(valid)s
                      %(cache)s
                      entityID="%(entity_id)s">
@@ -145,7 +208,14 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
                 'organization': str_organization,
                 'contacts': str_contacts,
             }
-        return metadata
+
+        # i'm not sure why the above xml was build by hand. Building via lxml is way easier,
+        # especially for conditional attributes etc..
+        # So as a work around, i'm creating a xml dom, insert the attibute_consumer_service
+        # nodes into it and then return the serialized xml
+        root = etree.fromstring(metadata)
+        OneLogin_Saml2_Metadata.add_attribute_consuming_service(root, attr_consuming_service)
+        return etree.tostring(root, pretty_print=True)
 
     @staticmethod
     def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):

src/onelogin/saml2/settings.py

@@ -257,6 +257,10 @@ def __add_default_values(self):
         if 'binding' not in self.__sp['assertionConsumerService'].keys():
             self.__sp['assertionConsumerService']['binding'] = OneLogin_Saml2_Constants.BINDING_HTTP_POST
 
+        # attributeConsumingService is optional
+        if 'attributeConsumingService' not in self.__sp:
+            self.__sp['attributeConsumingService'] = []
+
         if 'singleLogoutService' not in self.__sp.keys():
             self.__sp['singleLogoutService'] = {}
         if 'binding' not in self.__sp['singleLogoutService']:
@@ -436,6 +440,51 @@ def check_sp_settings(self, settings):
                 elif not validate_url(sp['assertionConsumerService']['url']):
                     errors.append('sp_acs_url_invalid')
 
+                if 'attributeConsumingService' in sp and len(sp['attributeConsumingService']):
+                    # so we have a attributeConsumingService element...
+
+                    # serviceName and requestedAttrib are required
+                    attribute_consuming_service = sp['attributeConsumingService']
+                    for attrib in attribute_consuming_service:
+                        if 'serviceName' not in attrib:
+                            errors.append('sp_attributeConsumingService_serviceName_not_found')
+                        if 'requestedAttributes' not in attrib:
+                            errors.append('sp_attributeConsumingService_requestedAttributes_not_found')
+
+                        # verify that tags are of the correct types
+                        try:
+                            if type(attrib['isDefault']) != bool:
+                                errors.append('sp_attributeConsumingService_isDefault_type_invalid')
+                        except KeyError:
+                            # isDefault attribute is optional
+                            pass
+
+                        if 'serviceName' in attrib and not isinstance(attrib['serviceName'], basestring):
+                            errors.append('sp_attributeConsumingService_serviceName_type_invalid')
+
+                        try:
+                            if not isinstance(attrib['serviceDescription'], basestring):
+                                errors.append('sp_attributeConsumingService_serviceDescription_type_invalid')
+                        except KeyError:
+                            # serviceDescription attribute is optional
+                            pass
+
+                        if 'requestedAttributes' in attrib:
+                            if type(attrib['requestedAttributes']) != list:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_type_invalid')
+
+                            for req_attrib in attrib['requestedAttributes']:
+                                if 'name' not in req_attrib:
+                                    errors.append('sp_attributeConsumingService_requestedAttributes_name_not_found')
+                                if 'name' in req_attrib and not req_attrib['name'].strip():
+                                    # name cannot be empty
+                                    errors.append('sp_attributeConsumingService_requestedAttributes_name_invalid')
+                                if 'attributeValue' in req_attrib and type(req_attrib['attributeValue']) != list:
+                                    errors.append('sp_attributeConsumingService_requestedAttributes_attributeValue_type_invalid')
+                                if 'isRequired' in req_attrib and type(req_attrib['isRequired']) != bool:
+                                    errors.append('sp_attributeConsumingService_requestedAttributes_isRequired_type_invalid')
+
+
                 if 'singleLogoutService' in sp and \
                     'url' in sp['singleLogoutService'] and \
                     len(sp['singleLogoutService']['url']) > 0 and \

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -255,7 +255,7 @@ def testCreateEncSAMLRequest(self):
         inflated = decompress(decoded, -15)
 
         self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
-        self.assertRegexpMatches(inflated, 'AssertionConsumerServiceURL="http://stuff.com/endpoints/endpoints/acs.php">')
+        self.assertRegexpMatches(inflated, 'AssertionConsumerServiceURL="http://stuff.com/endpoints/endpoints/acs.php"(\s)*>')
         self.assertRegexpMatches(inflated, '<saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>')
         self.assertRegexpMatches(inflated, 'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"')
         self.assertRegexpMatches(inflated, 'ProviderName="SP prueba"')