From 8dcc324fa8618a47ae79f45fc9cf44a90d0e0049 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Mon, 18 Apr 2011 22:07:26 +0200
Subject: [PATCH] When producing metadata you might want to produce just an entitydescriptor and not an entitiesdescriptor
---
 src/saml2/metadata.py | 12 ++++++++++++
 src/saml2/sigver.py | 11 ++++++-----
 tests/test_30_metadata.py | 14 ++++++++++----
 tools/make_metadata.py | 32 ++++++++++++++++++++++++++------
 4 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
index 23585a8..869146d 100644
--- a/src/saml2/metadata.py
+++ b/src/saml2/metadata.py
@@ -986,3 +986,15 @@ def entities_descriptor(eds, valid_for, name, ident, sign, secc):
 class_name(entities))
 entities = md.entities_descriptor_from_string(xmldoc)
 return entities
+
+def sign_entity_descriptor(edesc, valid_for, ident, secc):
+ if valid_for:
+ edesc.valid_until = in_a_while(hours=valid_for)
+
+ if not ident:
+ ident = sid()
+
+ edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
+ edesc.id = ident
+ xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
+ return md.entity_descriptor_from_string(xmldoc)
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 7e81fac..15f7664 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -484,11 +484,12 @@ class SecurityContext(object):
 except AttributeError:
 issuer = None
- certs = []
- # if self.metadata:
- # certs = self.metadata.certs(issuer, "signing")
- # else:
-
+ # More trust in certs from metadata then certs in the XML document
+ if self.metadata:
+ certs = self.metadata.certs(issuer, "signing")
+ else:
+ certs = []
+
 if not certs:
 #print "==== Certs from instance ===="
 certs = [make_temp(pem_format(cert), ".pem", False) \
diff --git a/tests/test_30_metadata.py b/tests/test_30_metadata.py
index bd6753f..42a3f56 100644
--- a/tests/test_30_metadata.py
+++ b/tests/test_30_metadata.py
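Review bot: sign_entity_descriptor has no docstring, and it needs one because it mutates the edesc it is handed (valid_until, signature and id are assigned on it) and then returns a different object parsed back from the xmlsec output, so a caller that keeps using its original reference holds a descriptor whose signature element is the unsigned placeholder, not the signed result. Suggested docstring under the def: `"""Sign an EntityDescriptor and return the signed descriptor re-parsed from the xmlsec output. edesc is modified in place; callers must use the return value."""` It is also worth saying there that validUntil is only set when valid_for is truthy, so 0 means "no validUntil", if that is the intent.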
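Review bot: When metadata is configured but holds no signing certificate for this issuer, the new code still falls through to the existing `if not certs:` branch and verifies the signature against the certificate carried inside the document itself, which is the self-asserted key the metadata lookup is meant to take precedence over, so an issuer unknown to metadata is treated no differently from one whose key came from metadata. Unless that fallback is deliberate for unregistered issuers, gate it on metadata being absent, e.g. `if self.metadata and not certs:` followed by `    raise <the verification error class this module uses>("no signing certificate in metadata for %s" % issuer)`, or at least log that a document-supplied certificate is being used so the fallback is visible afterwards. Note that `issuer` can be None here (the AttributeError path just above), so the metadata lookup is then made with None; confirm `certs()` tolerates that. The comment should also read "than", not "then": `# More trust in certs from metadata than certs in the XML document`. The enclosing method starts before and continues after this hunk.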
@@ -425,7 +425,13 @@ def test_attributes():
 assert ra[0].name == 'urn:oid:2.5.4.4'
-# TODO
-#def test_extend():
-# md = metadata.MetaData(attrconv=ATTRCONV)
-# md.import_metadata(_fix_valid_until(_read_file("extended.xml")), "-")
+def test_extend():
+ md = metadata.MetaData(attrconv=ATTRCONV)
+ md.import_metadata(_fix_valid_until(_read_file("extended.xml")), "-")
+
+ signcerts = md.certs("https://coip-test.sunet.se/shibboleth", "signing")
+ assert len(signcerts) == 1
+ enccerts = md.certs("https://coip-test.sunet.se/shibboleth", "encryption")
+ assert len(enccerts) == 1
+ assert signcerts[0] == enccerts[0]
+
\ No newline at end of file
diff --git a/tools/make_metadata.py b/tools/make_metadata.py
index b6a06b2..87c889e 100755
--- a/tools/make_metadata.py
+++ b/tools/make_metadata.py
@@ -4,7 +4,9 @@
 import getopt
 import sys
 from saml2.metadata import entity_descriptor, entities_descriptor
+from saml2.metadata import sign_entity_descriptor
 from saml2.sigver import SecurityContext
+from saml2.sigver import get_xmlsec_binary
 from saml2.validate import valid_instance
 from saml2.config import Config
@@ -29,9 +31,9 @@ class Usage(Exception):
 def main(args):
 try:
- opts, args = getopt.getopt(args, "c:hi:k:sv:x:",
+ opts, args = getopt.getopt(args, "c:ehi:k:p:sv:x:",
 ["help", "name", "id", "keyfile", "sign",
- "valid", "xmlsec"])
+ "valid", "xmlsec", "entityid", "path"])
 except getopt.GetoptError, err:
 # print help information and exit:
 raise Usage(err) # will print something like "option -a not recognized"
@@ -45,6 +47,8 @@ def main(args):
 xmlsec = ""
 keyfile = ""
 pubkeyfile = ""
+ entitiesid = True
+ path = []
 try:
 for o, a in opts:
@@ -64,6 +68,10 @@ def main(args):
 keyfile = a
 elif o in ("-c", "--certfile"):
 pubkeyfile = a
+ elif o in ("-e", "--entityid"):
+ entitiesid = False
+ elif o in ("-p", "--path"):
+ path = [x.strip() for x in a.split(":")]
 else:
 assert False, "unhandled option %s" % o
 except Usage, err:
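Review bot: test_extend ends with an added empty line that has no terminating newline (the `\ No newline at end of file` marker), which the usual linters flag; end the file on the last assert followed by a newline instead. The entity id is also spelled out twice, once per certs() call; binding it once, `eid = "https://coip-test.sunet.se/shibboleth"`, makes it visible that both lookups concern the same entity and keeps the two from drifting apart.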
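Review bot: `"path"` is added to the long-option list without a trailing `=`, although its short form `p:` takes an argument, so getopt treats `--path <dir>` as a bare flag and leaves `<dir>` in `args`, where the loop later in main() reads it as a config file; the entry should be `"path="`. The pre-existing `"name"`, `"id"`, `"keyfile"`, `"valid"` and `"xmlsec"` entries have the same defect, and `--certfile`, which the option loop handles, is not in the list at all, so this is the moment to fix them together. main() continues outside this hunk.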
@@ -71,6 +79,9 @@ def main(args):
 print >> sys.stderr, "\t for help use --help"
 return 2
+ if not xmlsec:
+ xmlsec = get_xmlsec_binary(path)
+
 eds = []
 for filespec in args:
 bas, fil = os.path.split(filespec)
@@ -82,10 +93,19 @@ def main(args):
 eds.append(entity_descriptor(cnf, valid_for))
 secc = SecurityContext(xmlsec, keyfile, cert_file=pubkeyfile)
- desc = entities_descriptor(eds, valid_for, name, id, sign, secc)
- valid_instance(desc)
- print desc
-
+ if entitiesid:
+ desc = entities_descriptor(eds, valid_for, name, id, sign, secc)
+ valid_instance(desc)
+ print desc
+ else:
+ for eid in eds:
+ if sign:
+ desc = sign_entity_descriptor(eid, valid_for, id, secc)
+ else:
+ desc = eid
+ valid_instance(desc)
+ print desc
+
 if __name__ == "__main__":
 import sys
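Review bot: In the new per-entity branch every descriptor is printed to stdout inside the loop, so with `-e` and more than one config file the output is several XML documents concatenated into one stream, which no XML consumer will accept as a single file; either reject that combination up front, `if not entitiesid and len(eds) > 1: raise Usage("-e takes exactly one config file")`, or write each descriptor to its own output file. The loop also passes the same `id` to sign_entity_descriptor for every entity, so when `-i` is given all signed descriptors carry one identical ID, whereas the entities_descriptor path applies it to a single element; either derive a per-entity id or document that `-i` only makes sense with one config. In the unsigned case `desc = eid` is validated and printed without `valid_for` being applied, which differs from the signed case where sign_entity_descriptor sets validUntil; confirm that asymmetry is intended.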