new: SAML2 frontend+backend: support reloading metadata

Using the reload_metadata method added into pysaml2 in IdentityPython/pysaml2#809,
support reloading metadata when triggered via an externally exposed URL
(as `/<module_name>/reload-metadata`)

This is off by default (URL not exposed) and needs to be explicitly enabled
by setting the newly introduced config option `enable_metadata_reload`
for the SAML modules to `true` (or `yes`).

The loaded config is already preserved in the modules, so can be easily used
to provide a reference copy of the metadata configuration to the `reload_metadata` method.

This is implemented separately for the SAML2 Backend and SAML2 Frontend
(applying to all three SAML2 Frontend classes).

This will complete the missing functionality identified in IdentityPython/pysaml2#808

Author: vladimir-mencl-eresearch

Diff for: example/plugins/backends/saml2_backend.yaml.example

@@ -15,6 +15,7 @@ config:
   memorize_idp: no
   use_memorized_idp_when_force_authn: no
   send_requester_id: no
+  enable_metadata_reload: no
 
   sp_config:
     key_file: backend.key

Diff for: example/plugins/frontends/saml2_frontend.yaml.example

@@ -19,6 +19,7 @@ config:
   #  domain: .example.com
 
   entityid_endpoint: true
+  enable_metadata_reload: no
 
   idp_config:
     organization: {display_name: Example Identities, name: Example Identities Org., url: 'http://www.example.com'}

Diff for: example/plugins/frontends/saml2_virtualcofrontend.yaml.example

@@ -94,6 +94,8 @@ config:
       'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
       'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
 
+  enable_metadata_reload: no
+
   # If configured and not false or empty the common domain cookie _saml_idp will be set
   # with or have appended the IdP used for authentication. The default is not to set the
   # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie

Diff for: src/satosa/backends/saml2.py

@@ -82,6 +82,7 @@ class SAMLBackend(BackendModule, SAMLBaseModule):
     KEY_SAML_DISCOVERY_SERVICE_URL = 'saml_discovery_service_url'
     KEY_SAML_DISCOVERY_SERVICE_POLICY = 'saml_discovery_service_policy'
     KEY_SP_CONFIG = 'sp_config'
+    KEY_METADATA = 'metadata'
     KEY_SEND_REQUESTER_ID = 'send_requester_id'
     KEY_MIRROR_FORCE_AUTHN = 'mirror_force_authn'
     KEY_MEMORIZE_IDP = 'memorize_idp'
@@ -479,8 +480,22 @@ def register_endpoints(self):
             url_map.append(("^{0}".format(parsed_entity_id.path[1:]),
                             self._metadata_endpoint))
 
+        if self.enable_metadata_reload():
+            url_map.append(
+                ("^%s/%s$" % (self.name, "reload-metadata"), self._reload_metadata))
+
         return url_map
 
+    def _reload_metadata(self, context):
+        """
+        Reload SAML metadata
+        """
+        logger.debug("Reloading metadata")
+        res = self.sp.reload_metadata(copy.deepcopy(self.config[SAMLBackend.KEY_SP_CONFIG][SAMLBackend.KEY_METADATA]))
+        message = "Metadata reload %s" % ("OK" if res else "failed")
+        status = "200 OK" if res else "500 FAILED"
+        return Response(message=message, status=status)
+
     def get_metadata_desc(self):
         """
         See super class satosa.backends.backend_base.BackendModule#get_metadata_desc

Diff for: src/satosa/base.py

@@ -261,6 +261,7 @@ def run(self, context):
 
 class SAMLBaseModule(object):
     KEY_ENTITYID_ENDPOINT = 'entityid_endpoint'
+    KEY_ENABLE_METADATA_RELOAD = 'enable_metadata_reload'
     KEY_ATTRIBUTE_PROFILE = 'attribute_profile'
     KEY_ACR_MAPPING = 'acr_mapping'
     VALUE_ATTRIBUTE_PROFILE_DEFAULT = 'saml'
@@ -276,6 +277,15 @@ def expose_entityid_endpoint(self):
         value = self.config.get(self.KEY_ENTITYID_ENDPOINT, False)
         return bool(value)
 
+    def enable_metadata_reload(self):
+        """
+        Check whether metadata reload has been enabled in config
+
+        return: bool
+        """
+        value = self.config.get(self.KEY_ENABLE_METADATA_RELOAD, False)
+        return bool(value)
+
 
 class SAMLEIDASBaseModule(SAMLBaseModule):
     VALUE_ATTRIBUTE_PROFILE_DEFAULT = 'eidas'

Diff for: src/satosa/frontends/saml2.py

@@ -64,6 +64,7 @@ class SAMLFrontend(FrontendModule, SAMLBaseModule):
     KEY_CUSTOM_ATTR_RELEASE = 'custom_attribute_release'
     KEY_ENDPOINTS = 'endpoints'
     KEY_IDP_CONFIG = 'idp_config'
+    KEY_METADATA = 'metadata'
 
     def __init__(self, auth_req_callback_func, internal_attributes, config, base_url, name):
         self._validate_config(config)
@@ -113,12 +114,18 @@ def register_endpoints(self, backend_names):
         :type backend_names: list[str]
         :rtype: list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]
         """
+        url_map = []
+
+        if self.enable_metadata_reload():
+            url_map.append(
+                ("^%s/%s$" % (self.name, "reload-metadata"), self._reload_metadata))
+
         self.idp_config = self._build_idp_config_endpoints(
             self.config[self.KEY_IDP_CONFIG], backend_names)
         # Create the idp
         idp_config = IdPConfig().load(copy.deepcopy(self.idp_config))
         self.idp = Server(config=idp_config)
-        return self._register_endpoints(backend_names)
+        return self._register_endpoints(backend_names) + url_map
 
     def _create_state_data(self, context, resp_args, relay_state):
         """
@@ -484,6 +491,16 @@ def _metadata_endpoint(self, context):
                                                  None).decode("utf-8")
         return Response(metadata_string, content="text/xml")
 
+    def _reload_metadata(self, context):
+        """
+        Reload SAML metadata
+        """
+        logger.debug("Reloading metadata")
+        res = self.idp.reload_metadata(copy.deepcopy(self.config[SAMLFrontend.KEY_IDP_CONFIG][SAMLFrontend.KEY_METADATA]))
+        message = "Metadata reload %s" % ("OK" if res else "failed")
+        status = "200 OK" if res else "500 FAILED"
+        return Response(message=message, status=status)
+
     def _register_endpoints(self, providers):
         """
         Register methods to endpoints