Idp Metadata parser

Author: pitbulk

README.md

@@ -894,6 +894,16 @@ Auxiliary class that contains several methods
 * ***validate_sign*** Validates a signature (Message or Assertion).
 * ***validate_binary_sign*** Validates signed bynary data (Used to validate GET Signature).
 
+####OneLogin_Saml2_IdPMetadataParser - idp_metadata_parser.py####
+
+A class that contains methods to obtain and parse metadata from IdP
+
+* ***get_metadata*** Get the metadata XML from the provided URL
+* ***parse_remote*** Get the metadata XML from the provided URL and parse it, returning a dict with extracted data
+* ***parse*** Parse the Identity Provider metadata and returns a dict with extracted data
+* ***merge_settings*** Will update the settings with the provided new settings data extracted from the IdP metadata
+        
+
 For more info, look at the source code; each method is documented and details about what does and how to use it are provided. Make sure to also check the doc folder where HTML documentation about the classes and methods is provided.
 
 Demos included in the toolkit

src/onelogin/saml2/idp_metadata_parser.py

@@ -0,0 +1,144 @@
+# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_IdPMetadataParser class
+Copyright (c) 2014, OneLogin, Inc.
+All rights reserved.
+Metadata class of OneLogin's Python Toolkit.
+"""
+
+try:
+    import urllib.request as urllib2
+except ImportError:
+    import urllib2
+
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+class OneLogin_Saml2_IdPMetadataParser(object):
+    """
+    A class that contains methods to obtain and parse metadata from IdP
+    """
+
+    @staticmethod
+    def get_metadata(url):
+        """
+        Get the metadata XML from the provided URL
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+        :returns: metadata XML
+        :rtype: string
+        """
+        valid = False
+        response = urllib2.urlopen(url)
+        xml = response.read()
+
+        if xml:
+            try:
+                dom = OneLogin_Saml2_XML.to_etree(xml)
+                idp_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:IDPSSODescriptor')
+                if idp_descriptor_nodes:
+                    valid = True
+            except:
+                pass
+
+        if not valid:
+            raise Exception('Not valid IdP XML found from URL: %s' % (url))
+
+        return xml
+
+    @staticmethod
+    def parse_remote(url):
+        """
+        Get the metadata XML from the provided URL and parse it, returning a dict with extracted data
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+        :returns: settings dict with extracted data
+        :rtype: dict
+        """
+        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url)
+        return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata)
+
+    @staticmethod
+    def parse(idp_metadata):
+        """
+        Parse the Identity Provider metadata and returns a dict with extracted data
+        If there are multiple IDPSSODescriptor it will only parse the first
+        :param idp_metadata: XML of the Identity Provider Metadata.
+        :type idp_metadata: string
+        :param url: If true and the URL is HTTPs, the cert of the domain is checked.
+        :type url: bool
+        :returns: settings dict with extracted data
+        :rtype: string
+        """
+        data = {}
+
+        dom = OneLogin_Saml2_XML.to_etree(idp_metadata)
+        entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:EntityDescriptor')
+
+        idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None
+
+        if len(entity_descriptor_nodes) > 0:
+            for entity_descriptor_node in entity_descriptor_nodes:
+                idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor')
+                if len(idp_descriptor_nodes) > 0:
+                    idp_descriptor_node = idp_descriptor_nodes[0]
+
+                    idp_entity_id = entity_descriptor_node.get('entityID', None)
+
+                    want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None)
+
+                    name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat')
+                    if len(name_id_format_nodes) > 0:
+                        idp_name_id_format = name_id_format_nodes[0].text
+
+                    sso_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:SingleSignOnService[@Binding='%s']" % OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+                    if len(sso_nodes) > 0:
+                        idp_sso_url = sso_nodes[0].get('Location', None)
+
+                    slo_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:SingleLogoutService[@Binding='%s']" % OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+                    if len(slo_nodes) > 0:
+                        idp_slo_url = slo_nodes[0].get('Location', None)
+
+                    cert_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+                    if len(cert_nodes) > 0:
+                        idp_x509_cert = cert_nodes[0].text
+
+                    data['idp'] = {}
+
+                    if idp_entity_id is not None:
+                        data['idp']['entityId'] = idp_entity_id
+                    if idp_sso_url is not None:
+                        data['idp']['singleLogoutService'] = {}
+                        data['idp']['singleLogoutService']['url'] = idp_sso_url
+                    if idp_slo_url is not None:
+                        data['idp']['singleLogoutService'] = {}
+                        data['idp']['singleLogoutService']['url'] = idp_slo_url
+                    if idp_x509_cert is not None:
+                        data['idp']['x509cert'] = idp_x509_cert
+
+                    if want_authn_requests_signed is not None:
+                        data['security'] = {}
+                        data['security']['authnRequestsSigned'] = want_authn_requests_signed
+
+                    if idp_name_id_format:
+                        data['sp'] = {}
+                        data['sp']['NameIDFormat'] = idp_name_id_format
+
+                    break
+        return data
+
+    @staticmethod
+    def merge_settings(settings, new_metadata_settings):
+        """
+        Will update the settings with the provided new settings data extracted from the IdP metadata
+        :param settings: Current settings dict data
+        :type settings: string
+        :param new_metadata_settings: Settings to be merged (extracted from IdP metadata after parsing)
+        :type new_metadata_settings: string
+        :returns: merged settings
+        :rtype: dict
+        """
+        result_settings = settings.copy()
+        result_settings.update(new_metadata_settings)
+        return result_settings

tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py

@@ -0,0 +1,92 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2014, OneLogin, Inc.
+# All rights reserved.
+
+
+import json
+from os.path import dirname, join, exists
+from lxml.etree import XMLSyntaxError
+import unittest
+
+from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser
+
+
+class OneLogin_Saml2_IdPMetadataParser_Test(unittest.TestCase):
+    data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data')
+    settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings')
+
+    def loadSettingsJSON(self, filename='settings1.json'):
+        filename = join(self.settings_path, filename)
+        if exists(filename):
+            stream = open(filename, 'r')
+            settings = json.load(stream)
+            stream.close()
+            return settings
+        else:
+            raise Exception('Settings json file does not exist')
+
+    def file_contents(self, filename):
+        f = open(filename, 'r')
+        content = f.read()
+        f.close()
+        return content
+
+    def testGetMetadata(self):
+        """
+        Tests the get_metadata method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(Exception):
+            data = OneLogin_Saml2_IdPMetadataParser.get_metadata('http://google.es')
+
+        data = OneLogin_Saml2_IdPMetadataParser.get_metadata('https://www.testshib.org/metadata/testshib-providers.xml')
+        self.assertTrue(data is not None and data is not {})
+
+    def testParseRemote(self):
+        """
+        Tests the parse_remote method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(Exception):
+            data = OneLogin_Saml2_IdPMetadataParser.parse_remote('http://google.es')
+
+        data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://www.testshib.org/metadata/testshib-providers.xml')
+        self.assertTrue(data is not None and data is not {})
+        expected_data = {'sp': {'NameIDFormat': 'urn:mace:shibboleth:1.0:nameIdentifier'}, 'idp': {'singleLogoutService': {'url': 'https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO'}, 'entityId': 'https://idp.testshib.org/idp/shibboleth'}}
+        self.assertEqual(expected_data, data)
+
+    def testParse(self):
+        """
+        Tests the parse method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(XMLSyntaxError):
+            data = OneLogin_Saml2_IdPMetadataParser.parse('')
+
+        xml_sp_metadata = self.file_contents(join(self.data_path, 'metadata', 'metadata_settings1.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_sp_metadata)
+        self.assertEqual({}, data)
+
+        xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata)
+        expected_data = {'sp': {'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}, 'idp': {'singleLogoutService': {'url': 'https://app.onelogin.com/trust/saml2/http-post/sso/383123'}, 'entityId': 'https://app.onelogin.com/saml/metadata/383123', 'x509cert': 'MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD\nVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2\nMDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u\nZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z\n0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT\ngf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m\nTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF\nzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ\nUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV\nHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw\nDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO\nBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu\nAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV\ngG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ\nsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP\nTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu\nQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78\n1sE='}}
+        self.assertEqual(expected_data, data)
+
+    def testMergeSettings(self):
+        """
+        Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser
+        """
+        with self.assertRaises(AttributeError):
+            settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings(None, {})
+
+        with self.assertRaises(TypeError):
+            settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings({}, None)
+
+        xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata.xml'))
+        data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata)
+        settings = self.loadSettingsJSON()
+        settings_result = OneLogin_Saml2_IdPMetadataParser.merge_settings(settings, data)
+        expected_data = {u'sp': {'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}, u'idp': {'singleLogoutService': {'url': 'https://app.onelogin.com/trust/saml2/http-post/sso/383123'}, 'entityId': 'https://app.onelogin.com/saml/metadata/383123', 'x509cert': 'MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD\nVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2\nMDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u\nZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z\n0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT\ngf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m\nTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF\nzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ\nUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV\nHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw\nDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO\nBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu\nAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV\ngG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ\nsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP\nTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu\nQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78\n1sE='}, u'strict': False, u'contactPerson': {u'technical': {u'givenName': u'technical_name', u'emailAddress': u'technical@example.com'}, u'support': {u'givenName': u'support_name', u'emailAddress': u'support@example.com'}}, u'debug': False, u'organization': {u'en-US': {u'url': u'http://sp.example.com', u'displayname': u'SP test', u'name': u'sp_test'}}, u'security': {u'signMetadata': False, u'wantAssertionsSigned': False, u'authnRequestsSigned': False}, u'custom_base_path': u'../../../tests/data/customPath/'}
+        self.assertEqual(expected_data, settings_result)
+
+        expected_data2 = {'sp': {u'singleLogoutService': {u'url': u'http://stuff.com/endpoints/endpoints/sls.php'}, u'assertionConsumerService': {u'url': u'http://stuff.com/endpoints/endpoints/acs.php'}, u'entityId': u'http://stuff.com/endpoints/metadata.php', u'NameIDFormat': u'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'}, 'idp': {u'singleLogoutService': {u'url': u'http://idp.example.com/SingleLogoutService.php'}, u'entityId': u'http://idp.example.com/', u'x509cert': u'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo', u'singleSignOnService': {u'url': u'http://idp.example.com/SSOService.php'}}, u'strict': False, u'contactPerson': {u'technical': {u'givenName': u'technical_name', u'emailAddress': u'technical@example.com'}, u'support': {u'givenName': u'support_name', u'emailAddress': u'support@example.com'}}, u'debug': False, u'organization': {u'en-US': {u'url': u'http://sp.example.com', u'displayname': u'SP test', u'name': u'sp_test'}}, u'security': {u'signMetadata': False, u'wantAssertionsSigned': False, u'authnRequestsSigned': False}, u'custom_base_path': u'../../../tests/data/customPath/'}
+        settings_result2 = OneLogin_Saml2_IdPMetadataParser.merge_settings(data, settings)
+        self.assertEqual(expected_data2, settings_result2)