author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2020-09-29 12:27:22 +0300 |
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2020-10-28 00:01:45 +0200 |
commit | 59913a155ce06c6fe4e43ea1b15586e3d59bafb3 (patch) | |
tree | 8accb74f2350925b0593a806c481b767bd432203 /src/saml2/mdstore.py | |
parent | 524b70d3ef4523b40b999ee2cd0008f41a31c437 (diff) | |
download | pysaml2-59913a155ce06c6fe4e43ea1b15586e3d59bafb3.tar.gz |
Return the ResponseLocation before falling back to Location
feature-logout-response-location
ResponseLocation [Optional]
Optionally specifies a different location to which response messages sent as part of
the protocol or profile should be sent. The allowable syntax of this URI depends on
the protocol binding.
The ResponseLocation attribute is used to enable different endpoints to be specified for
receiving request and response messages associated with a protocol or profile, not as a
means of load-balancing or redundancy (multiple elements of this type can be included
for this purpose). When a role contains an element of this type pertaining to a protocol
or profile for which only a single type of message (request or response) is applicable,
then the ResponseLocation attribute is unused. [E41]If the ResponseLocation attribute is
omitted, any response messages associated with a protocol or profile may be assumed to
be handled at the URI indicated by the Location attribute.
ArtifactResolutionService, SingleSignOnService and NameIDMappingService MUST omit the
ResponseLocation attribute. This is enforced here, but metadata with such service
declarations and such attributes should not have been part of the metadata store in the
first place.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Diffstat (limited to 'src/saml2/mdstore.py')
-rw-r--r-- | src/saml2/mdstore.py | 66 |
1 files changed, 55 insertions, 11 deletions
diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
index 41e521ec..3dfd0e5a 100644
--- a/src/saml2/mdstore.py
+++ b/src/saml2/mdstore.py
@@ -5,6 +5,8 @@
 import json
 import logging
 import os
 import sys
+from itertools import chain
+from warnings import warn as _warn
 from hashlib import sha1
 from os.path import isfile
@@ -26,7 +28,11 @@ from saml2 import BINDING_SOAP
 from saml2.httpbase import HTTPBase
 from saml2.extension.idpdisc import BINDING_DISCO
 from saml2.extension.idpdisc import DiscoveryResponse
+from saml2.md import NAMESPACE as NS_MD
 from saml2.md import EntitiesDescriptor
+from saml2.md import ArtifactResolutionService
+from saml2.md import NameIDMappingService
+from saml2.md import SingleSignOnService
 from saml2.mdie import to_dict
 from saml2.s_utils import UnsupportedBinding
 from saml2.s_utils import UnknownSystemEntity
@@ -70,6 +76,9 @@ classnames = {
         ns=NS_MDUI, tag=PrivacyStatementURL.c_tag
     ),
     "mdui_uiinfo_logo": "{ns}&{tag}".format(ns=NS_MDUI, tag=Logo.c_tag),
+    "service_artifact_resolution": "{ns}&{tag}".format(ns=NS_MD, tag=ArtifactResolutionService.c_tag),
+    "service_single_sign_on": "{ns}&{tag}".format(ns=NS_MD, tag=SingleSignOnService.c_tag),
+    "service_nameid_mapping": "{ns}&{tag}".format(ns=NS_MD, tag=NameIDMappingService.c_tag),
 }
 
 ENTITY_CATEGORY = "http://macedir.org/entity-category"
@@ -79,8 +88,6 @@ ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certifica
 SAML_METADATA_CONTENT_TYPE = "application/samlmetadata+xml"
 DEFAULT_FRESHNESS_PERIOD = "P0Y0M0DT12H0M0S"
 
-
-
 REQ2SRV = {
     # IDP
     "authn_request": "single_sign_on_service",
@@ -149,17 +156,54 @@ def metadata_modules():
     return _res
 
 
-def response_destinations(srvs):
-    _res = []
-    for s in srvs:
-        if "response_location" in s:
-            _res.append(s["response_location"])
-        else:
-            _res.append(s["location"])
-    return _res
+def response_locations(srvs):
+    """
+    Return the ResponseLocation attributes mapped to the services.
+
+    ArtifactResolutionService, SingleSignOnService and NameIDMappingService MUST omit
+    the ResponseLocation attribute. This is enforced here, but metadata with such
+    service declarations and such attributes should not have been part of the metadata
+    store in the first place.
+    """
+    values = (
+        s["response_location"]
+        for s in srvs
+        if "response_location" in s
+        if s["__class__"] not in [
+            classnames["service_artifact_resolution"],
+            classnames["service_single_sign_on"],
+            classnames["service_nameid_mapping"],
+        ]
+    )
+    return values
+
+
+def locations(srvs):
+    values = (
+        s["location"]
+        for s in srvs
+        if "location" in s
+    )
+    return values
+
 
 def destinations(srvs):
-    return [s["location"] for s in srvs]
+    warn_msg = (
+        "`saml2.mdstore.destinations` function is deprecated; "
+        "instead, use `saml2.mdstore.locations` or `saml2.mdstore.all_locations`."
+    )
+    logger.warning(warn_msg)
+    _warn(warn_msg)
+    values = list(locations(srvs))
+    return values
+
+
+def all_locations(srvs):
+    values = chain(
+        response_locations(srvs),
+        locations(srvs),
+    )
+    return values
 
 
 def attribute_requirement(entity, index=None):
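Review bot: `destinations` is declared deprecated, but `_warn(warn_msg)` emits a plain `UserWarning` attributed to mdstore.py itself, so neither the warning category nor the reported call site is right for a deprecation; `_warn(warn_msg, DeprecationWarning, stacklevel=2)` would name the caller and let the warning be filtered by the usual deprecation policy, and the duplicate `logger.warning` of the same text could then go. The deprecated shim also changes behaviour: the removed `[s["location"] for s in srvs]` raised `KeyError` for a service without a Location, whereas `list(locations(srvs))` now silently skips it, which is worth stating in the note or in a docstring. In `response_locations`, `s["__class__"]` is indexed unconditionally where the removed code only touched `response_location`/`location`; presumably every service dict produced by `to_dict` carries that key (worth confirming), otherwise `s.get("__class__")` keeps the exclusion without a new `KeyError` path. `locations` and `all_locations` have no docstrings, and `response_locations` does not say that all three now return lazy generators rather than the list `response_destinations` returned, which callers using `len()` or indexing would notice; a one-line `"""Return a generator over the Location attribute of each service in *srvs* that has one."""` on `locations` and `"""Return an iterator yielding the ResponseLocation values of *srvs* followed by their Location values."""` on `all_locations` would make the contract explicit.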