From 0dde360db03f13954a6e31b3ac3f5f435ed65f55 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Mon, 9 Jun 2014 18:05:29 +0200
Subject: [PATCH] Fixed problem with signing metadata.

---
 src/saml2/config.py | 9 +++++--
 src/saml2/metadata.py | 53 +++++++++++++++++++++++++++++++-----------
 tools/make_metadata.py | 14 +++++++----
 3 files changed, 56 insertions(+), 20 deletions(-)

diff --git a/src/saml2/config.py b/src/saml2/config.py
index 4dc6f21..11ef785 100644
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@@ -116,14 +116,17 @@ PDP_ARGS = ["endpoints", "name_form", "name_id_format"]
 AQ_ARGS = ["endpoints"]
 
+AA_ARGS = ["attribute", "attribute_profile"]
+
 COMPLEX_ARGS = ["attribute_converters", "metadata", "policy"]
 
-ALL = set(COMMON_ARGS + SP_ARGS + AA_IDP_ARGS + PDP_ARGS + COMPLEX_ARGS)
+ALL = set(COMMON_ARGS + SP_ARGS + AA_IDP_ARGS + PDP_ARGS + COMPLEX_ARGS +
+ AA_ARGS)
 
 SPEC = {
 "": COMMON_ARGS + COMPLEX_ARGS,
 "sp": COMMON_ARGS + COMPLEX_ARGS + SP_ARGS,
 "idp": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS,
-"aa": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS,
+"aa": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS + AA_ARGS,
 "pdp": COMMON_ARGS + COMPLEX_ARGS + PDP_ARGS,
 "aq": COMMON_ARGS + COMPLEX_ARGS + AQ_ARGS,
 }
@@ -222,6 +225,8 @@ class Config(object):
 self.tmp_key_file = None
 self.validate_certificate = None
 self.extensions = {}
+ self.attribute = []
+ self.attribute_profile = []
 
 def setattr(self, context, attr, val):
 if context == "":
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
index d75bd00..3491bef 100644
--- a/src/saml2/metadata.py
+++ b/src/saml2/metadata.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+from saml2.md import AttributeProfile, entity_descriptor_from_string
 from saml2.sigver import security_context
 from saml2.config import Config
 from saml2.validate import valid_instance
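Review bot: `entity_descriptor_from_string` is imported by name from saml2.md here, but the code this patch adds to metadata.py keeps calling `md.entity_descriptor_from_string(xmldoc)` in sign_entity_descriptor, so the new name looks unused; either drop it from the import or use it consistently. `Attribute`, which the new do_aa_descriptor code instantiates, is not among the names imported in this hunk — presumably it is already in scope through an existing import, but that is worth confirming before merging.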
@@ -52,11 +53,13 @@ ORG_ATTR_TRANSL = {
 "organization_url": ("url", md.OrganizationURL)
 }
 
+MDNS = '"urn:oasis:names:tc:SAML:2.0:metadata"'
+XMLNSXS = " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
 
-def metadata_tostring_fix(desc, nspair):
- MDNS = '"urn:oasis:names:tc:SAML:2.0:metadata"'
- XMLNSXS = " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
- xmlstring = desc.to_string(nspair)
+
+def metadata_tostring_fix(desc, nspair, xmlstring=""):
+ if not xmlstring:
+ xmlstring = desc.to_string(nspair)
 if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
 xmlstring = xmlstring.replace(MDNS, MDNS+XMLNSXS)
 return xmlstring
@@ -94,13 +97,15 @@ def create_metadata_string(configfile, config, valid, cert, keyfile, mid, name,
 return metadata_tostring_fix(desc, nspair)
 else:
-for eid in eds:
- if sign:
- desc = sign_entity_descriptor(eid, mid, secc)
- else:
- desc = eid
- valid_instance(desc)
- return metadata_tostring_fix(desc, nspair)
+ eid = eds[0]
+ if sign:
+ eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
+ else:
+ xmldoc = None
+
+ valid_instance(eid)
+ xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
+ return xmldoc
 
 
 def _localized_name(val, klass):
@@ -598,6 +603,16 @@ def do_aa_descriptor(conf, cert):
 if cert:
 aad.key_descriptor = do_key_descriptor(cert)
 
+ attributes = conf.getattr("attribute", "aa")
+ if attributes:
+ for attribute in attributes:
+ aad.attribute.append(Attribute(text=attribute))
+
+ attribute_profiles = conf.getattr("attribute_profile", "aa")
+ if attribute_profiles:
+ for attribute_profile in attribute_profiles:
+ aad.attribute.append(AttributeProfile(text=attribute_profile))
+
 return aad
 
 
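Review bot: With the new `xmlstring` parameter the xmlns:xs declaration is spliced by string replacement into a document that has already been signed — create_metadata_string and make_metadata.py both pass the signed `xmldoc` in — so the function now rewrites signed XML. Whether the enveloped signature still verifies depends on the canonicalization secc.sign_statement used: under exclusive C14N a namespace declaration that is only referenced from an attribute value such as `xsi:type="xs:string"` is not part of the digested form, under inclusive C14N it is and the signature would no longer validate; I cannot tell from this hunk which applies. The safer fix is to make sure the declaration is present on the descriptor before it is signed; failing that, state the assumption on the function, e.g. `# NOTE: may be handed already-signed XML; relies on the signature's canonicalization ignoring an xmlns:xs declaration that is only used inside attribute values`. Also `desc` is ignored whenever `xmlstring` is given, and the function still has no docstring explaining the three-argument contract.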
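Review bot: `eid = eds[0]` raises a bare IndexError when `eds` is empty and silently ignores every descriptor after the first; the loop it replaces also returned on its first iteration, so this is not a regression, but the single-descriptor assumption should now be stated rather than implied. A guard such as `if not eds: raise ValueError("no entity descriptor to serialise")` together with the comment `# only the first descriptor is emitted; use entities_descriptor() for several` would make it explicit. create_metadata_string's signature and its `if` branch start outside the hunk.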
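Review bot: `Attribute(text=attribute)` puts each configured value into the element's text content, whereas a saml:Attribute identifies itself through its Name XML attribute, so if the config entries are attribute names the intended construction is presumably `Attribute(name=attribute)`; as written the generated element carries no Name and valid_instance is likely to reject the result — confirm against the config format you expect. The AttributeProfile elements are appended to the same `aad.attribute` list, while the AttributeAuthorityDescriptor type has, as far as I recall, its own `attribute_profile` child list; mixing the two also changes the element order in the output, so `aad.attribute_profile.append(AttributeProfile(text=attribute_profile))` looks like what was meant. The `if attributes:` and `if attribute_profiles:` guards are redundant around a for loop over the same list. do_aa_descriptor's header is outside the hunk.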
@@ -712,14 +727,26 @@ def entities_descriptor(eds, valid_for, name, ident, sign, secc):
 entities.id = ident
 xmldoc = secc.sign_statement("%s" % entities, class_name(entities))
 entities = md.entities_descriptor_from_string(xmldoc)
- return entities
+ else:
+ xmldoc = None
+
+ return entities, xmldoc
 
 
 def sign_entity_descriptor(edesc, ident, secc):
+ """
+
+ :param edesc: EntityDescriptor instance
+ :param ident: EntityDescriptor identifier
+ :param secc: Security context
+ :return: Tuple with EntityDescriptor instance and Signed XML document
+ """
+
 if not ident:
 ident = sid()
 edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
 edesc.id = ident
 xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
- return md.entity_descriptor_from_string(xmldoc)
+ edesc = md.entity_descriptor_from_string(xmldoc)
+ return edesc, xmldoc
\ No newline at end of file
diff --git a/tools/make_metadata.py b/tools/make_metadata.py
index 37f24ee..aa83cc2 100755
--- a/tools/make_metadata.py
+++ b/tools/make_metadata.py
@@ -2,7 +2,8 @@ import argparse
 import os
 import sys
-from saml2.metadata import entity_descriptor
+from saml2.s_utils import rndstr
+from saml2.metadata import entity_descriptor, metadata_tostring_fix
 from saml2.metadata import entities_descriptor
 from saml2.metadata import sign_entity_descriptor
@@ -71,9 +72,12 @@ if args.id:
 else:
 for eid in eds:
 if args.sign:
- desc = sign_entity_descriptor(eid, id, secc)
+ assert conf.key_file
+ assert conf.cert_file
+ eid, xmldoc = sign_entity_descriptor(eid, args.id, secc)
 else:
- desc = eid
- valid_instance(desc)
- print desc.to_string(nspair)
+ xmldoc = None
+ valid_instance(eid)
+ xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
+ print xmldoc
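Review bot: entities_descriptor and sign_entity_descriptor now return a `(descriptor, xmldoc)` tuple instead of the descriptor alone, which breaks every caller that is not updated; this diff adapts only create_metadata_string and the `else:` branch of make_metadata.py, while the `if args.id:` branch of make_metadata.py just above that hunk — which presumably calls entities_descriptor — is untouched, so confirm that it and any other caller in the tree unpack the pair. The new docstring on sign_entity_descriptor opens with an empty line; a summary such as `Sign an EntityDescriptor in place and return the re-parsed descriptor together with the signed XML text.` belongs there, and it should say that `edesc` is mutated (its signature and id are set before signing). entities_descriptor's body starts outside the hunk.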
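Review bot: `rndstr` is newly imported from saml2.s_utils, but no line in this patch uses it and the file could not have referenced it before, so the import appears dead; drop it or use it where intended.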
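Review bot: `assert conf.key_file` / `assert conf.cert_file` are the only check that signing material is configured before sign_entity_descriptor is called, and assert statements are discarded when Python runs with `-O`, so the check is not reliable; replace the pair with an explicit failure, e.g. `if not (conf.key_file and conf.cert_file): sys.exit("--sign requires key_file and cert_file in the config")`. The check is also re-evaluated for every descriptor in the loop; hoisting it above `for eid in eds:` is cleaner. The enclosing `if args.id:` / `else:` statement starts outside the hunk.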