[WIP] Add eIDAS support #658
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## master #658 +/- ##
==========================================
+ Coverage 65.05% 65.39% +0.33%
==========================================
Files 102 104 +2
Lines 25670 25812 +142
==========================================
+ Hits 16700 16879 +179
+ Misses 8970 8933 -37
Continue to review full report at Codecov.
|
ioparaskev
force-pushed
the
eidas
branch
3 times, most recently
from
2b7867d
to
73c41af
Compare
ioparaskev
commented
Jan 13, 2020
|
test failures are due to a metadata file being valid until some hours ago. will open a different PR for that since it is unrelated to this one |
- Adds schemas and auto-generated .py files for eIDAS NodeCountry and NodeCountryType support - Adds node_country as a recognized attribute in the configuration of an SP/IdP - Adds node_country parsing for the construction of the entity descriptor as an extension element
- Adds configs and test classes for eIDAS support
- Adds validate method in Config class to be used for configuration validation checks - Adds eIDASConfig as base eIDAS config class to host commonly (between IdP and SP) used validations and functions - Adds eIDASSPConfig class and override validate method with endpoint and keydescriptor validations based on eidas v1.2 specs - Adds utility->config module to host config helper classes and functions - Adds new ConfigValidationError for config error signaling - Adds RuleValidator class to be used for config elements validation rule crafting - Adds should_warning and must_error functions for signaling warnings and errors related to element rules using RFC2119 wording
- Adds requirement iso3166 to lookup if a country code is valid (country exists and code is in ISO 3166-1 alpha-2 format) - Adds validator method in eIDASConfig class (since both IdP and SP MUST have the NodeCountry element) - Adds tests related to NodeCountry validation
- Adds support for setting the application identifier based on eIDAS Message Format v1.1-2 document - Adds validator for the existence of the identifier and the correct formatting - Adds tests for configuration validation related to the identifier and test for the existence as an entity attribute element
- Adds support for setting the protocol versions supported based on eIDAS Message Format v1.1-2 document - Adds validator for the existence of the protocol version and issues a warning if it doesn't exist - Adds tests for configuration validation and for the existence of protocol version as an entity attribute element - Adds helper functions `make_type` and `make_list` to make parsing the protocol version easier regardless of it being a single element or a list of elements
- Removes RuleValidator class and uses a dict data structure with key as error message and value as the check - Extracts [endpoint element/protocol version/application identifier/node country] fetching to methods since they are part of the eIDASConfig and will be overriden by the eIDASIdPConfig
- Adds validation for organization info (name or display name or url)
and triggers a warning if none is present
- Adds support and technical contact person validation (both should
exist and have an email address) and triggers a warning if not both
are present
- Adds `not_empty` function to do a shallow truthiness check (aka nested
values like [{}] will be considered not empty)
- Adds test for the above scenarios
- Adds check that entityid is an https url based on eIDAS SAML Message Format v.1.2. There's no way of really validating that the url is correct (there are many scenarios for false positives and negatives) so we only check that the url scheme is https as the specs define - Adds test for the above rule
- Adds validation check to verify that the eIDAS SP has set the authn_requests_signed to True - Adds tests for the above scenario - Extract `assert_validation_errror` test function for config validation tests
- Adds validation check for eIDAS SP to verify that sp_type has been set (MUST be set) and that it is set to a valid value (private/public) as stated in eIDAS SAML Message Format v.1.2 spec - Adds tests for the aforementioned checks
- Extracts common (for SP/IdP) warning and error validators - Moves eIDASSPConfig validate method to eIDASConfig class
- Prints the errors that happened during validation (was only printing a message not the actual errors) - Sets all validators to return True/False instead of values. This ensures consistency for the validators structure and also solves issues were when there were errors/warnings printed out validators that weren't returning True/False as values were also printed as errors in the report (specifically the KeyDescriptor check and the application identifier format check)
- Adds inherited validators for eIDAS IdP config. Specifically the
following rules related to the metadata:
1. entityid MUST be HTTPs URL
2. SingleLogoutElementService SHOULD NOT be declared
3. ArtifactResolutionService SHOULD NOT be declared
4. ManageNameIDService SHOULD NOT be declared
5. KeyDescriptor MUST be declared
6. Organization with minimal info (name/display name/url) SHOULD be
provided
7. Contact Person of contactType technical with an email address SHOULD
be provided
8. Contact Person of contactType support with an email address SHOULD
be provided
9. eIDAS protocol version implemented SHOULD be provided
10. eIDAS application identifier SHOULD be provided and MUST have a
specific format
11. Node country information MUST be declared and MUST follow the ISO
3166-1 alpha-2 format
All the above are specified in eIDAS SAML Message Format v.1.2 spec
document.
- Renames eidas tests config files because there was a clash in paths loaded and it resulted to other irrelevant tests crashing (because they loaded the eidas conf files that had different entity ids)
- Adds error validation rule to require want_authn_requests_signed to be set to True as defined in the eIDAS SAML Message Format v.1.2 spec document - Adds tests for the above scenario
- Adds support for exposing IdP supported attributes in IDPSSODescriptor as Attribute elements. Support is added in the config file under service->idp->provided_attributes. provided_attributes alread existed as a valid option for idp config but was not used. Supported attributes MUST be published as Attribute elements in the metadata of the eIDAS IdP as stated in eIDAS SAML Message Format v.1.2 spec document - Adds error validation rule in eIDASIdPConfig to ensure provided_attributes MUST be set - Adds test to verify the provided_attributes are exposed as Attribute elements under IDPSSODescriptor and for the error validation rule
- Adds support for defining supported LoA for notified and non-notified eIDAS nodes - Exposes LoA as Attribute element and supported LoA as AttributeValue elements to eIDAS IdP metadata
Well there's no defined name for this. The spec calls it supported attributes (as an expression) but I think that the term "provided attributes" is more precise since these are the attributes that the IdP provides. This and the fact that this config option already existed without any use made me use it. I can change it to |
- Adds validation checks for LoA configuration of an eIDAS IdP to verify that notified LoA URIs are not published as non-notified and that notified LoA URIs are only the ones that are officially described in the eIDAS SAML Message Format v.1.2 spec document - Adds tests for the above scenarios
- Adds a config check that warns the user that they SHOULD set the `hide_assertion_consumer_service` to True since the eIDAS SAML Message Format v.1.2 spec document states that during an AssertionConsumerServiceURL attribute SHOULD NOT exist in an AuthnRequest element
- Adds error validation rule to for `sign_response` configuration option to True as the authn responses MUST be signed according to eIDAS SAML Message Format v.1.2 spec document - Adds tests to test the aforementioned validation rule
- Adds error validation rule to for `encrypt_assertion` configuration option to True as the assertions MUST be encrypted according to eIDAS SAML Message Format v.1.2 spec document - Adds tests to test the aforementioned validation rule
- Adds error validation rule to enforce `allow_unsolicited=False` for an eIDAS SP config since the eIDAS SAML Message Format v.1.2 spec document states that unsolicited responses MUST NOT be accepted - Adds tests for the above validation rule
- Extracts the eIDAS LoA prefix for notified eIDs as a variable and constructs a new variable to contain a list of all accepted LoA for notified eIDs - Fixes fallback LoA lookup when `non_notified` or `notified` are unset. Returned None, now returns an empty list - Adds tests to test the aforementioned fixes
- Replaces supported_loa and uses the already existing assurance_certification for setting the supported LoA of an eIDAS IdP - Refactor tests and validation checks to use this config key
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All Submissions: