def parse_metadata(self, fn, key=None, base_url=None, fail_on_error=False, filter_invalid=True):
"""Parse a piece of XML and split it up into EntityDescriptor elements. Each such element
is stored in the MDRepository instance.
:param fn: a file-like object containing SAML metadata
:param key: a certificate (file) or a SHA1 fingerprint to use for signature verification
:param base_url: use this base url to resolve relative URLs for XInclude processing
"""
try:
t = etree.parse(fn, base_url=base_url,
parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
if filter_invalid:
for e in t.findall('{%s}EntityDescriptor' % NS['md']):
if not schema().validate(e):
error = _e(schema().error_log, m=base_url)
log.debug("removing '%s': schema validation failed (%s)" % (
e.get('entityID'), error))
e.getparent().remove(e)
self.fire(type=EVENT_DROP_ENTITY, url=base_url,
entityID=e.get('entityID'), error=error)
else:
# Having removed the invalid entities this should now never
# happen...
schema().assertValid(t)
except DocumentInvalid, ex:
traceback.print_exc()
log.debug("schema validation failed on '%s': %s" % (
base_url, _e(ex.error_log, m=base_url)))
raise MetadataException("schema validation failed")
def parse_metadata(self, fn, key=None, base_url=None, fail_on_error=False, filter_invalid=True):
"""Parse a piece of XML and split it up into EntityDescriptor elements. Each such element
is stored in the MDRepository instance.
:param fn: a file-like object containing SAML metadata
:param key: a certificate (file) or a SHA1 fingerprint to use for signature verification
:param base_url: use this base url to resolve relative URLs for XInclude processing
"""
try:
t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
if filter_invalid:
for e in t.findall('{%s}EntityDescriptor' % NS['md']):
if not schema().validate(e):
error = _e(schema().error_log, m=base_url)
log.debug("removing '%s': schema validation failed (%s)" % (e.get('entityID'), error))
e.getparent().remove(e)
self.fire(type=EVENT_DROP_ENTITY, url=base_url, entityID=e.get('entityID'), error=error)
else:
# Having removed the invalid entities this should now never happen...
schema().assertValid(t)
except DocumentInvalid, ex:
traceback.print_exc()
log.debug("schema validation failed on '%s': %s" % (base_url, _e(ex.error_log, m=base_url)))
raise MetadataException("schema validation failed")
def publish(req, *opts):
"""
Publish the working document in XML form.
:param req: The request
:param opts: Options (unused)
:return: None
Publish takes one argument: path to a file where the document tree will be written.
**Examples**
.. code-block:: yaml
- publish: /tmp/idp.xml
"""
if req.t is None:
raise PipeException("Empty document submitted for publication")
try:
schema().assertValid(req.t)
except DocumentInvalid, ex:
log.error(ex.error_log)
raise PipeException("XML schema validation failed")
def parse_metadata(self,
fn,
key=None,
base_url=None,
fail_on_error=False,
filter_invalid=True,
validate=True,
post=None):
"""Parse a piece of XML and split it up into EntityDescriptor elements. Each such element
is stored in the MDRepository instance.
:param fn: a file-like object containing SAML metadata
:param key: a certificate (file) or a SHA1 fingerprint to use for signature verification
:param base_url: use this base url to resolve relative URLs for XInclude processing
:param fail_on_error: (default: False)
:param filter_invalid: (default True) remove invalid EntityDescriptor elements rather than raise an errror
:param validate: (default: True) set to False to turn off all XML schema validation
:param post: A callable that will be called to modify the parse-tree before any validation
(but after xinclude processing)
"""
try:
t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
if key is not None:
try:
log.debug("verifying signature using %s" % key)
refs = xmlsec.verified(t, key)
if len(refs) != 1:
raise MetadataException("XML metadata contains %d signatures - exactly 1 is required" % len(refs))
t = refs[0] # prevent wrapping attacks
except Exception, ex:
tb = traceback.format_exc()
print tb
log.error(ex)
return None
if post is not None:
t = post(t)
if validate:
if filter_invalid:
for e in t.findall('{%s}EntityDescriptor' % NS['md']):
if not schema().validate(e):
error = _e(schema().error_log, m=base_url)
log.debug("removing '%s': schema validation failed (%s)" % (e.get('entityID'), error))
e.getparent().remove(e)
self.fire(type=EVENT_DROP_ENTITY, url=base_url, entityID=e.get('entityID'), error=error)
else:
# Having removed the invalid entities this should now never happen...
schema().assertValid(t)
def parse_metadata(self, fn, key=None, base_url=None, fail_on_error=False):
"""Parse a piece of XML and split it up into EntityDescriptor elements. Each such element
is stored in the MDRepository instance.
:param fn: a file-like object containing SAML metadata
:param key: a certificate (file) or a SHA1 fingerprint to use for signature verification
:param base_url: use this base url to resolve relative URLs for XInclude processing
"""
try:
t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
schema().assertValid(t)
except DocumentInvalid, ex:
log.debug(_e(ex.error_log))
raise ValueError("XML schema validation failed")
def validate(req, *opts):
"""
Validate the working document
:param req: The request
:param opts: Not used
:return: The unmodified tree
Generate an exception unless the working tree validates. Validation is done automatically during publication and
loading of metadata so this call is seldom needed.
"""
if req.t is not None:
schema().assertValid(req.t)
return req.t
def entity_set(self,
entities,
name,
cacheDuration=None,
validUntil=None,
validate=True):
"""
:param entities: a set of entities specifiers (lookup is used to find entities from this set)
:param name: the @Name attribute
:param cacheDuration: an XML timedelta expression, eg PT1H for 1hr
:param validUntil: a relative time eg 2w 4d 1h for 2 weeks, 4 days and 1hour from now.
Produce an EntityDescriptors set from a list of entities. Optional Name, cacheDuration and validUntil are affixed.
"""
attrs = dict(Name=name, nsmap=NS)
if cacheDuration is not None:
attrs['cacheDuration'] = cacheDuration
if validUntil is not None:
attrs['validUntil'] = validUntil
t = etree.Element("{%s}EntitiesDescriptor" % NS['md'], **attrs)
nent = 0
seen = {} # TODO make better de-duplication
for member in entities:
for ent in self.lookup(member):
entityID = ent.get('entityID', None)
if (ent is not None) and (entityID is not None) and (
not seen.get(entityID, False)):
t.append(deepcopy(ent))
seen[entityID] = True
nent += 1
log.debug(
"selecting %d entities from %d entity set(s) before validation" %
(nent, len(entities)))
if not nent:
return None
if validate:
try:
schema().assertValid(t)
except DocumentInvalid, ex:
log.debug(_e(ex.error_log))
def filter_invalids_from_document(t: ElementTree, base_url,
validation_errors) -> ElementTree:
xsd = schema()
for e in iter_entities(t):
if not xsd.validate(e):
error = xml_error(xsd.error_log, m=base_url)
entity_id = e.get("entityID", "(Missing entityID)")
log.warning('removing \'%s\': schema validation failed: %s' %
(entity_id, xsd.error_log))
validation_errors[entity_id] = "{}".format(xsd.error_log)
if e.getparent() is None:
return None
e.getparent().remove(e)
return t
def entity_set(self, entities, name, cacheDuration=None, validUntil=None, validate=True):
"""
:param entities: a set of entities specifiers (lookup is used to find entities from this set)
:param name: the @Name attribute
:param cacheDuration: an XML timedelta expression, eg PT1H for 1hr
:param validUntil: a relative time eg 2w 4d 1h for 2 weeks, 4 days and 1hour from now.
Produce an EntityDescriptors set from a list of entities. Optional Name, cacheDuration and validUntil are affixed.
"""
attrs = dict(Name=name, nsmap=NS)
if cacheDuration is not None:
attrs['cacheDuration'] = cacheDuration
if validUntil is not None:
attrs['validUntil'] = validUntil
t = etree.Element("{%s}EntitiesDescriptor" % NS['md'], **attrs)
nent = 0
seen = {} # TODO make better de-duplication
for member in entities:
for ent in self.lookup(member):
entityID = ent.get('entityID', None)
if (ent is not None) and (entityID is not None) and (not seen.get(entityID, False)):
t.append(deepcopy(ent))
seen[entityID] = True
nent += 1
log.debug("selecting %d entities from %d entity set(s) before validation" % (
nent, len(entities)))
if not nent:
return None
if validate:
try:
schema().assertValid(t)
except DocumentInvalid, ex:
log.debug(_e(ex.error_log))
"""Parse a piece of XML and split it up into EntityDescriptor elements. Each such element
is stored in the MDRepository instance.
:param fn: a file-like object containing SAML metadata
:param key: a certificate (file) or a SHA1 fingerprint to use for signature verification
:param base_url: use this base url to resolve relative URLs for XInclude processing
"""
try:
t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
schema().assertValid(t)
except DocumentInvalid, ex:
log.debug(_e(ex.error_log))
raise ValueError("XML schema validation failed")
except Exception, ex:
log.debug(_e(schema().error_log))
log.error(ex)
if fail_on_error:
raise ex
return None
if key is not None:
try:
log.debug("verifying signature using %s" % key)
xmlsec.verify(t, key)
except Exception, ex:
tb = traceback.format_exc()
print tb
log.error(ex)
return None
return t
def _s(e):
try:
schema()
except BaseException as ex:
e[current_thread()] = ex
def test_schema_100_times(self):
for i in range(1, 100):
assert(schema())
def test_schema(self):
assert(schema())
