chore: pyff example

italia · Jul 23, 2021 · b104ae0 · b104ae0
1 parent 9320f6a
commit b104ae0
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 9 deletions.
diff --git a/pyFF_example/README.pyFF.md → pyFF_example/README.md b/pyFF_example/README.pyFF.md → pyFF_example/README.md
@@ -16,7 +16,12 @@ pip install git+https://github.com/IdentityPython/pyFF.git
 ## First run
 
 The following command will print in stdout all the pyFF's execution log, if you want to put it in a file just add `--log=pyff.log` after `--loglevel`.
-It seems that pyff is sensible to arguments order, unfortunately it doesn't use arparse...
+
+Run as batch (recommended!)
+
+````
+pyff  pipelines/spid_idp.fd
+````
 
 This command will run a MDX server instance, see `main()` in `pyff.mdx`
 ````
@@ -28,7 +33,8 @@ When it complete the downloads of all the metadata then exposes all the SAML ent
 Useful things that we need to know
 1. pyFF uses by default a local sqllite db, it's automatically created in the working directory on run.
 
-## how does it works
+
+## how does it work
 You need also to read:
 - https://pythonhosted.org/pyFF/
 - https://github.com/IdentityPython/pyFF
@@ -125,15 +131,14 @@ These for example will let us understand how the things works, easily.
 /role/idp.xml
 ````
 
-## Advanced Topics
-I think that pyFF would a be a real _stop-application_ for the followings:
+## Production
 
-1. Downloader, validatore avanzato per federare entità saml2
-2. Store su RDBMS interrogabile da remoto
-3. Metadata Query Resolver per entità interne alla home organization, in questo caso i nostri IDP non dovrebbero scaricare i metadatati degli SP ma interrogarli da remoto
-4. DiscoveryService Integrato
+The best implementation would be a pure httpd static serve, see `production_setup/` examples.
+Otherwise you can use a real MDQ/X server like the followings
 
-Italian isn't so difficult to be read, isn't it?
+- pyffd (discouraged)
+- [Django-MDQ](https://developers.italia.it/it/software/unical-universitadellacalabria-django-mdq.html)
+- [mdq-server](https://github.com/iay/mdq-server)
 
 
 ## Playing MDX service
@@ -196,6 +201,7 @@ When it start the only content available on its embedded webserver is a loading
 
 Additional resources
 --------------------
+
 - [pyFF Roadmap](https://github.com/IdentityPython/pyFF/wiki/Roadmap)
 - Using MDX with pySAML2, [read source](https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/mdstore.py#L781)
 - [Metadata Query Protocol](https://github.com/iay/md-query)

diff --git a/pyFF_example/pipelines/spid_idp.fd b/pyFF_example/pipelines/spid_idp.fd
@@ -0,0 +1,41 @@
+# load) download SAML Metadatas configured in these files
+- load xrd ./spid_idp.xrd:
+  - pipelines/spid_idp.xrd
+
+# select) this could, or not, specify a selection filter for EntityDescriptors in the metadata repository.
+# it could be a XPATH selection to get for example only the IDP as: "http://mds.edugain.org!//md:EntityDescriptor[md:IDPSSODescriptor]"
+# in this case it will take all of them
+- select
+
+# the folder where single entities will be stored
+- store:
+     directory: ./md-idp
+
+# publish) causes the active document to be stored in an XML file.
+- publish:
+     output: ./md-idp/md-loaded.xml
+
+# stats) prints out some information about the metadata repository.
+- stats
+
+# MDX server, see: https://pythonhosted.org/pyFF/examples.html#example-5-mdx
+- when request:
+    - select
+    - pipe:
+        - when accept application/xml:
+             - xslt:
+                 stylesheet: tidy.xsl
+             - first
+             - finalize:
+                cacheDuration: PT5H
+                validUntil: P10D
+             - sign:
+                 key: ./certificates/key.pem
+                 cert: ./certificates/cert.pem
+             - emit application/xml
+             - break
+        - when accept application/json:
+             - xslt:
+                 stylesheet: discojson.xsl
+             - emit application/json:
+             - break
diff --git a/pyFF_example/pipelines/spid_idp.xrd b/pyFF_example/pipelines/spid_idp.xrd
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<XRDS xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
+<!-- SPID -->
+<!-- includere i certificati di validazione per ogni entità, vedi esempio EDUGAIN -->
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://loginspid.aruba.it/metadata"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://identity.infocert.it/metadata/metadata.xml"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://spid.intesa.it/metadata/metadata.xml"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://id.lepida.it/idp/shibboleth"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://idp.namirialtsp.com/idp/metadata"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="http://posteid.poste.it/jod-fs/metadata/metadata.xml"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://identity.sieltecloud.it/simplesaml/metadata.xml"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://spid.register.it/login/metadata"/>
+  </XRD>
+  <XRD>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="https://login.id.tim.it/spid-services/MetadataBrowser/idp"/>
+  </XRD>
+<!-- END SPID -->
+<!-- ESEMPIO CON CERTIFICATO DI CONVALIDA - eg: EDUGAIN  -->
+<!--
+  <XRD>
+    <Subject>http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml</Subject>
+    <Link rel="urn:oasis:names:tc:SAML:2.0:metadata" href="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">
+        <Title>IDEM+eduGAIN</Title>
+        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+                <ds:X509Certificate>
+                MIIDWzCCAkOgAwIBAgIJALo/EGIq8rgNMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
+                BAYTAklUMRYwFAYDVQQKDA1JREVNIEdBUlIgQUFJMR0wGwYDVQQDDBRJREVNIE1l
+                dGFkYXRhIFNpZ25lcjAeFw0xOTAxMjIxNjA5MjBaFw0yMjAxMjExNjA5MjBaMEQx
+                CzAJBgNVBAYTAklUMRYwFAYDVQQKDA1JREVNIEdBUlIgQUFJMR0wGwYDVQQDDBRJ
+                REVNIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+                ggEBAMay3N21fswu3AE6hqCPUVjvCyol5OKTHs9CXDIFyAoigP+YSdloLSGwx6n6
+                ks9aBbJqlzRBIEd3CpByvX7GmBuITl3ElhxMY40Cv/ULok1GbDmQMhPScU6J1f9b
+                526R9Ks+BbYZYmBRX9gqmpX1R867IES4z+JhXnXr5K8HTPjfaDGh2xORL6msXjww
+                DJgaJCOpBCctLvCWcmUp0ucpl8VHGjFAAI5Eb6pwQEEPj1yqW52ggM+AHNFY6bAC
+                9RX7Qv8MonQZwXpNNBNL+UcnGLVBXtBftd4zq7XxPNN9F/Ele3YJGaOVk8cCEJt5
+                SfTeguzUaAyh8f/BfEs6CwucCSsCAwEAAaNQME4wHQYDVR0OBBYEFCZQVW7g6mc9
+                3zaJP/p0lGbVQ4O6MB8GA1UdIwQYMBaAFCZQVW7g6mc93zaJP/p0lGbVQ4O6MAwG
+                A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAF6OKKdWyeI385ZS5i29mSMA
+                4BoPCVAhyXDMLMdqTQqvZp3PAL/zjLYRYKgGH53d4uN/EztWM8YBdyzBzdbpFWpd
+                wRGzwyfXzt6l2luElWb59PacNqHbBkyFO2YZmgqLzgrVX1gA3/3ij9zrLqd1lHVH
+                MHPUpqv98KYXnttyzhacdYaRGDO/2A28U9QeRq2/HgVScklhJvoySeNyXNspYfte
+                ePRxeHBj21DgiQb+X1+ovKASM+RULa6cA1TJBCop+VqZMZiRJ3Rj6RML63ckEO8H
+                Md/XFvxlr+P2JcVKzHaZEEUGGINUCCuDABqKBZOqykGWXDastVw6/I0OIdLmWNI=
+                </ds:X509Certificate>
+            </ds:X509Data>
+      </ds:KeyInfo>
+    </Link>
+  </XRD>
+-->
+</XRDS>