From e311ae82cf4c90b441e13adc55cd3f5074161bf8 Mon Sep 17 00:00:00 2001
From: Johan Lundberg
Date: Tue, 7 Dec 2021 18:20:49 +0100
Subject: implement entity category https://myacademicid.org/entity-categories/esi for swamid
---
 src/saml2/entity_category/swamid.py | 5 ++
 tests/entity_esi_and_coco_sp.xml | 95 +++++++++++++++++++++++++++++++++++++
 tests/test_37_entity_categories.py | 48 +++++++++++++++++++
 3 files changed, 148 insertions(+)
 create mode 100644 tests/entity_esi_and_coco_sp.xml
diff --git a/src/saml2/entity_category/swamid.py b/src/saml2/entity_category/swamid.py
index 00066d21..61525b70 100644
--- a/src/saml2/entity_category/swamid.py
+++ b/src/saml2/entity_category/swamid.py
@@ -58,11 +58,14 @@ GEANT_COCO = [
 'schacHomeOrganizationType',
 ]
+MYACADEMICID_ESI = ['schacPersonalUniqueCode']
+
 # These give you access to information
 RESEARCH_AND_EDUCATION = 'http://www.swamid.se/category/research-and-education' # Deprecated from 2021-03-31
 SFS_1993_1153 = 'http://www.swamid.se/category/sfs-1993-1153' # Deprecated from 2021-03-31
 RESEARCH_AND_SCHOLARSHIP = 'http://refeds.org/category/research-and-scholarship'
 COCO = 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1'
+ESI = 'https://myacademicid.org/entity-categories/esi'
 # presently these don't by themself
 EU = 'http://www.swamid.se/category/eu-adequate-protection' # Deprecated from 2021-03-31
@@ -77,6 +80,8 @@ RELEASE = {
 (RESEARCH_AND_EDUCATION, HEI): NAME + STATIC_ORG_INFO + OTHER,
 RESEARCH_AND_SCHOLARSHIP: R_AND_S,
 COCO: GEANT_COCO,
+ ESI: MYACADEMICID_ESI,
+ (ESI, COCO): MYACADEMICID_ESI + GEANT_COCO,
 }
 ONLY_REQUIRED = {COCO: True}
diff --git a/tests/entity_esi_and_coco_sp.xml b/tests/entity_esi_and_coco_sp.xml
new file mode 100644
index 00000000..db2fe474
--- /dev/null
+++ b/tests/entity_esi_and_coco_sp.xml
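Review bot: The `(ESI, COCO)` entry added to `RELEASE` has no counterpart in `ONLY_REQUIRED`, which in the context line below it still reads `{COCO: True}`. If the policy code looks that flag up by the same key it uses for `RELEASE` (the lookup is outside this diff), an SP that declares both categories receives the whole `GEANT_COCO` list plus `schacPersonalUniqueCode` whether or not it marks them as required, which undoes the minimisation that COCO on its own enforces. Consider `ONLY_REQUIRED = {COCO: True, (ESI, COCO): True}`, or drop the tuple entry if per-category results are already merged. For the bare `ESI` key, a comment such as `# ESI: student identifier is released even when not listed as required` would record that as a deliberate decision.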
@@ -0,0 +1,95 @@ + + + + + + + https://myacademicid.org/entity-categories/esi + http://www.geant.net/uri/dataprotection-code-of-conduct/v1 + + + + + + + MIIDvDCCAqQCCQDXVjecpE8ibTANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC +U0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQ4wDAYD +VQQKDAVFRFVJRDEaMBgGA1UECwwRZWR1aWQuZXhhbXBsZS5jb20xGjAYBgNVBAMM +EWVkdWlkLmV4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFlZHVpZEBleGFtcGxl +LmNvbTAeFw0xMzA2MTIxMTU5NTdaFw0yMzA2MTAxMTU5NTdaMIGfMQswCQYDVQQG +EwJTRTESMBAGA1UECAwJU3RvY2tob2xtMRIwEAYDVQQHDAlTdG9ja2hvbG0xDjAM +BgNVBAoMBUVEVUlEMRowGAYDVQQLDBFlZHVpZC5leGFtcGxlLmNvbTEaMBgGA1UE +AwwRZWR1aWQuZXhhbXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEWVkdWlkQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwHzXvBlv+DN1 +0tV9z6M79RFKJEE1HoBpo/vuQzcIP8SZZNhzwQpYxTVTQ9ocagX1onfJn2ZjoWsi +p45tSMnwLM9a9+UETYAV8O/AUq3gNDp+Mu6sS3smNhdykVR4STscIiP/hWMkZbJ4 +4dmJ2ccT3H6VosXR/OIVTjyalanmvMpDb6ZkKqmuQCDvRMii/R0HhbYUCytToDiy +Bxw1tQG946g8pe5RhZxxzmxVwAGwOyDn1dwi+j4wH2eCDyLu8hLanPHNFNiy5hiN +5B40N24V5YixlksgdT0pF46DfkJRrOCsNWHWnMSN+Xvo1oXLRFXEnfsCB1cw0EAp +SMMGX4dhSwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA8+faeCQVTadTrXpB8jzfE +MJq6+V4oajnWb0LJ5ZZcKSlQZ5sfYJ1385CaXGh60Tg4uhtwTOgpRi1R1cZMLTz9 +ST6WPF+2vDJv7dGPuglzyQLvA2fd6BLnyGV6kLUc2XNOyCmD/tWuMvKvW62j4Y3B +XZvRFZZdHNgay4Wgvs8D6wyozWpkWpawXkQ3LqbXO6GChYC4VLru+uJuMKvvKCd/ +I125dzkP2nf9zkGV0cil3oIVSBPBtSRTF/M+oZhkHTwoM6hhonRvdOLuvobKfZ2Q +wHyaxzYldWmVC5omkgZeAdCGpJ316GQF8Zwg/yDOUzm4cvGeIESf1Q6ZxBwI6zGE + + + + + + + + MIIDvDCCAqQCCQDXVjecpE8ibTANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC +U0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQ4wDAYD +VQQKDAVFRFVJRDEaMBgGA1UECwwRZWR1aWQuZXhhbXBsZS5jb20xGjAYBgNVBAMM +EWVkdWlkLmV4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFlZHVpZEBleGFtcGxl +LmNvbTAeFw0xMzA2MTIxMTU5NTdaFw0yMzA2MTAxMTU5NTdaMIGfMQswCQYDVQQG +EwJTRTESMBAGA1UECAwJU3RvY2tob2xtMRIwEAYDVQQHDAlTdG9ja2hvbG0xDjAM +BgNVBAoMBUVEVUlEMRowGAYDVQQLDBFlZHVpZC5leGFtcGxlLmNvbTEaMBgGA1UE 
+AwwRZWR1aWQuZXhhbXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEWVkdWlkQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwHzXvBlv+DN1 +0tV9z6M79RFKJEE1HoBpo/vuQzcIP8SZZNhzwQpYxTVTQ9ocagX1onfJn2ZjoWsi +p45tSMnwLM9a9+UETYAV8O/AUq3gNDp+Mu6sS3smNhdykVR4STscIiP/hWMkZbJ4 +4dmJ2ccT3H6VosXR/OIVTjyalanmvMpDb6ZkKqmuQCDvRMii/R0HhbYUCytToDiy +Bxw1tQG946g8pe5RhZxxzmxVwAGwOyDn1dwi+j4wH2eCDyLu8hLanPHNFNiy5hiN +5B40N24V5YixlksgdT0pF46DfkJRrOCsNWHWnMSN+Xvo1oXLRFXEnfsCB1cw0EAp +SMMGX4dhSwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA8+faeCQVTadTrXpB8jzfE +MJq6+V4oajnWb0LJ5ZZcKSlQZ5sfYJ1385CaXGh60Tg4uhtwTOgpRi1R1cZMLTz9 +ST6WPF+2vDJv7dGPuglzyQLvA2fd6BLnyGV6kLUc2XNOyCmD/tWuMvKvW62j4Y3B +XZvRFZZdHNgay4Wgvs8D6wyozWpkWpawXkQ3LqbXO6GChYC4VLru+uJuMKvvKCd/ +I125dzkP2nf9zkGV0cil3oIVSBPBtSRTF/M+oZhkHTwoM6hhonRvdOLuvobKfZ2Q +wHyaxzYldWmVC5omkgZeAdCGpJ316GQF8Zwg/yDOUzm4cvGeIESf1Q6ZxBwI6zGE + + + + + + + + + esi-coco-SP + ESI and COCO SP + + + + + Example CO + Example CO + Example + Example + http://www.example.edu + http://www.example.com + + + Example CO + Sysadmin + + sysadmin@example.com + + + Example CO + Admin + CEO + admin@example.com + + diff --git a/tests/test_37_entity_categories.py b/tests/test_37_entity_categories.py index 64b674d1..c988d72c 100644 --- a/tests/test_37_entity_categories.py +++ b/tests/test_37_entity_categories.py 
@@ -278,3 +278,51 @@ def test_filter_ava_required_attributes_with_no_friendly_name():
 ava = policy.filter(ava, entity_id, required=required, optional=optional)
 assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
+
+
+def test_filter_ava_esi_coco():
+ entity_id = "https://esi-coco.example.edu/saml2/metadata/"
+ mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
+ mds.imp(
+ [
+ {
+ "class": "saml2.mdstore.MetaDataFile",
+ "metadata": [(full_path("entity_esi_and_coco_sp.xml"),)]
+ }
+ ]
+ )
+
+ policy_conf = {
+ "default": {
+ "lifetime": {"minutes": 15},
+ "entity_categories": ["swamid"]
+ }
+ }
+ policy = Policy(policy_conf, mds)
+
+ ava = {
+ "givenName": ["Test"],
+ "sn": ["Testsson"],
+ "mail": ["test@example.com"],
+ "c": ["SE"],
+ "schacHomeOrganization": ["example.com"],
+ "eduPersonScopedAffiliation": ["student@example.com"],
+ "schacPersonalUniqueCode": [
+ "urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"
+ ]
+ }
+
+ ava = policy.filter(ava, entity_id)
+
+ assert _eq(list(ava.keys()), [
+ 'mail',
+ 'givenName',
+ 'sn',
+ 'c',
+ 'schacHomeOrganization',
+ 'eduPersonScopedAffiliation',
+ 'schacPersonalUniqueCode'
+ ])
+ assert _eq(ava["mail"], ["test@example.com"])
+ assert _eq(ava["schacPersonalUniqueCode"],
+ ["urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-00000000-1111-2222-3333-444444444444"])
--
cgit v1.2.1
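Review bot: `test_filter_ava_esi_coco` pins only the permissive path: it calls `policy.filter(ava, entity_id)` without a `required` list and expects every COCO attribute plus `schacPersonalUniqueCode` to be released. There is no negative case, so a regression that hands the student identifier to an SP lacking the ESI category would pass unnoticed. Add a companion test against a fixture without the ESI category that ends in `assert "schacPersonalUniqueCode" not in ava`. A second variant that passes `required=` to `policy.filter` would document how the combined `(ESI, COCO)` entry behaves when the SP requests only a subset.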