diff --git a/digid_eherkenning/admin.py b/digid_eherkenning/admin.py
index f8a949c..5ad24bd 100644
--- a/digid_eherkenning/admin.py
+++ b/digid_eherkenning/admin.py
@@ -9,6 +9,7 @@
@admin.register(DigidConfiguration)
class DigidConfigurationAdmin(PrivateMediaMixin, SingletonModelAdmin):
+ readonly_fields = ("idp_metadata_file", "idp_service_entity_id")
fieldsets = (
(
_("X.509 Certificate"),
@@ -23,8 +24,9 @@ class DigidConfigurationAdmin(PrivateMediaMixin, SingletonModelAdmin):
_("Identity provider"),
{
"fields": (
- "idp_metadata_file",
+ "metadata_file_source",
"idp_service_entity_id",
+ "idp_metadata_file",
),
},
),
@@ -72,6 +74,7 @@ class DigidConfigurationAdmin(PrivateMediaMixin, SingletonModelAdmin):
@admin.register(EherkenningConfiguration)
class EherkenningConfigurationAdmin(PrivateMediaMixin, SingletonModelAdmin):
+ readonly_fields = ("idp_metadata_file", "idp_service_entity_id")
fieldsets = (
(
_("X.509 Certificate"),
@@ -86,8 +89,9 @@ class EherkenningConfigurationAdmin(PrivateMediaMixin, SingletonModelAdmin):
_("Identity provider"),
{
"fields": (
- "idp_metadata_file",
+ "metadata_file_source",
"idp_service_entity_id",
+ "idp_metadata_file",
),
},
),
diff --git a/digid_eherkenning/management/commands/update_stored_metadata.py b/digid_eherkenning/management/commands/update_stored_metadata.py
new file mode 100644
index 0000000..2ed816b
--- /dev/null
+++ b/digid_eherkenning/management/commands/update_stored_metadata.py
@@ -0,0 +1,42 @@
+from django.core.cache import cache
+from django.core.management import BaseCommand, CommandError
+
+from digid_eherkenning.models.digid import DigidConfiguration
+from digid_eherkenning.models.eherkenning import EherkenningConfiguration
+
+
+class Command(BaseCommand):
+ help = "Updates the stored metadata file and repopulates the db fields."
+
+ def add_arguments(self, parser):
+ parser.add_argument(
+ "--digid",
+ action="store_true",
+ help="Update the DigiD configuration metadata.",
+ )
+ parser.add_argument(
+ "--eherkenning",
+ action="store_true",
+ help="Update the Eherkenning configuration metadata.",
+ )
+
+ def handle(self, **options):
+ if options["digid"]:
+ config = DigidConfiguration.get_solo()
+ elif options["eherkenning"]:
+ config = EherkenningConfiguration.get_solo()
+ else:
+ raise CommandError(
+ "A required argument is missing. Please provide either digid or eherkenning."
+ )
+
+ # delete the cache for the urls in order to trigger fetching and parsing xml again
+ if config.metadata_file_source and cache.get(config._meta.object_name):
+ cache.delete(config._meta.object_name)
+ config.save()
+
+ self.stdout.write(self.style.SUCCESS("Update was successful"))
+ else:
+ self.stdout.write(
+ self.style.WARNING("Update failed, no metadata file source found")
+ )
diff --git a/digid_eherkenning/migrations/0006_digidconfiguration_metadata_file_source_and_more.py b/digid_eherkenning/migrations/0006_digidconfiguration_metadata_file_source_and_more.py
new file mode 100644
index 0000000..c0c06f2
--- /dev/null
+++ b/digid_eherkenning/migrations/0006_digidconfiguration_metadata_file_source_and_more.py
@@ -0,0 +1,83 @@
+# Generated by Django 4.2.6 on 2023-10-12 14:36
+
+from django.db import migrations, models
+import privates.fields
+import privates.storages
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ (
+ "digid_eherkenning",
+ "0005_alter_eherkenningconfiguration_eh_service_instance_uuid_and_more",
+ ),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="digidconfiguration",
+ name="metadata_file_source",
+ field=models.URLField(
+ default="",
+ help_text="The URL-source where the XML metadata file can be retrieved from.",
+ max_length=255,
+ verbose_name="metadata file(XML) URL",
+ ),
+ ),
+ migrations.AddField(
+ model_name="eherkenningconfiguration",
+ name="metadata_file_source",
+ field=models.URLField(
+ default="",
+ help_text="The URL-source where the XML metadata file can be retrieved from.",
+ max_length=255,
+ verbose_name="metadata file(XML) URL",
+ ),
+ ),
+ migrations.AlterField(
+ model_name="digidconfiguration",
+ name="idp_metadata_file",
+ field=privates.fields.PrivateMediaFileField(
+ blank=True,
+ help_text="The metadata file of the identity provider. This is auto populated by the retrieved metadata XML file.",
+ null=True,
+ storage=privates.storages.PrivateMediaFileSystemStorage(),
+ upload_to="",
+ verbose_name="identity provider metadata",
+ ),
+ ),
+ migrations.AlterField(
+ model_name="digidconfiguration",
+ name="idp_service_entity_id",
+ field=models.CharField(
+ blank=True,
+ help_text="Example value: 'https://was-preprod1.digid.nl/saml/idp/metadata'. Note that this must match the 'entityID' attribute on the 'md:EntityDescriptor' node found in the Identity Provider's metadata. This is auto populated by the retrieved metadata XML file.",
+ max_length=255,
+ null=True,
+ verbose_name="identity provider service entity ID",
+ ),
+ ),
+ migrations.AlterField(
+ model_name="eherkenningconfiguration",
+ name="idp_metadata_file",
+ field=privates.fields.PrivateMediaFileField(
+ blank=True,
+ help_text="The metadata file of the identity provider. This is auto populated by the retrieved metadata XML file.",
+ null=True,
+ storage=privates.storages.PrivateMediaFileSystemStorage(),
+ upload_to="",
+ verbose_name="identity provider metadata",
+ ),
+ ),
+ migrations.AlterField(
+ model_name="eherkenningconfiguration",
+ name="idp_service_entity_id",
+ field=models.CharField(
+ blank=True,
+ help_text="Example value: 'https://was-preprod1.digid.nl/saml/idp/metadata'. Note that this must match the 'entityID' attribute on the 'md:EntityDescriptor' node found in the Identity Provider's metadata. This is auto populated by the retrieved metadata XML file.",
+ max_length=255,
+ null=True,
+ verbose_name="identity provider service entity ID",
+ ),
+ ),
+ ]
diff --git a/digid_eherkenning/models/base.py b/digid_eherkenning/models/base.py
index b24cdaa..9f75dd7 100644
--- a/digid_eherkenning/models/base.py
+++ b/digid_eherkenning/models/base.py
@@ -1,13 +1,18 @@
+from django.core.cache import cache
from django.core.exceptions import ValidationError
+from django.core.files.base import ContentFile
from django.db import models
from django.utils.encoding import force_str
from django.utils.translation import gettext_lazy as _
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser
from privates.fields import PrivateMediaFileField
from simple_certmanager.models import Certificate
from solo.models import SingletonModel
from ..choices import DigestAlgorithms, SignatureAlgorithms, XMLContentTypes
+from ..settings import get_setting
class ConfigurationManager(models.Manager):
@@ -29,17 +34,31 @@ class BaseConfiguration(SingletonModel):
)
idp_metadata_file = PrivateMediaFileField(
_("identity provider metadata"),
- blank=False,
- help_text=_("The metadata file of the identity provider."),
+ blank=True,
+ null=True,
+ help_text=_(
+ "The metadata file of the identity provider. This is auto populated "
+ "by the retrieved metadata XML file."
+ ),
)
idp_service_entity_id = models.CharField(
_("identity provider service entity ID"),
max_length=255,
- blank=False,
+ blank=True,
+ null=True,
help_text=_(
"Example value: 'https://was-preprod1.digid.nl/saml/idp/metadata'. Note "
"that this must match the 'entityID' attribute on the "
- "'md:EntityDescriptor' node found in the Identity Provider's metadata."
+ "'md:EntityDescriptor' node found in the Identity Provider's metadata. "
+ "This is auto populated by the retrieved metadata XML file."
+ ),
+ )
+ metadata_file_source = models.URLField(
+ _("metadata file(XML) URL"),
+ max_length=255,
+ default="",
+ help_text=_(
+ "The URL-source where the XML metadata file can be retrieved from."
),
)
want_assertions_signed = models.BooleanField(
@@ -166,7 +185,78 @@ class Meta:
def __str__(self):
return force_str(self._meta.verbose_name)
+ def populate_xml_fields(self, urls, xml):
+ """
+ Populates the idp_metadata_file and idp_service_entity_id fields based on the
+ fetched xml metadata
+ """
+ self.idp_service_entity_id = urls["entityId"]
+ content = ContentFile(xml.encode("utf-8"))
+ self.idp_metadata_file.save("metadata.xml", content, save=False)
+
+ def fetch_xml_metadata(self):
+ """
+ Retrieves the xml metadata from the provided url (metadata_file_source)
+
+ :return a string of the xml metadata.
+ """
+ return OneLogin_Saml2_IdPMetadataParser.get_metadata(self.metadata_file_source)
+
+ def parse_data_from_xml_source(self):
+ """
+ Parses the xml metadata
+
+ :return a tuple of a dictionary with the useful urls and the xml string itself.
+ """
+ urls = {}
+ xml = ""
+
+ try:
+ xml = self.fetch_xml_metadata()
+ parsed_idp_metadata = OneLogin_Saml2_IdPMetadataParser.parse(
+ xml,
+ required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_POST,
+ required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_POST,
+ )
+ except Exception:
+ raise ValidationError(
+ _(
+ "An error has occured while processing the xml file. Make sure the file is valid"
+ )
+ )
+
+ if idp := parsed_idp_metadata.get("idp"):
+ urls = {
+ "entityId": (
+ idp.get("entityId")
+ if not idp.get("entityId").startswith("urn")
+ else self.metadata_file_source
+ ),
+ "sso_url": idp.get("singleSignOnService", {}).get("url"),
+ "slo_url": idp.get("singleLogoutService", {}).get("url"),
+ }
+
+ if cache.get(self._meta.object_name):
+ cache.delete(self._meta.object_name)
+
+ return (urls, xml)
+
def save(self, *args, **kwargs):
+ if self.pk and self.metadata_file_source:
+ if (
+ cache.get(self._meta.object_name, {}).get("entityId")
+ != self.metadata_file_source
+ ):
+ urls, xml = self.parse_data_from_xml_source()
+
+ if urls and xml:
+ self.populate_xml_fields(urls, xml)
+ cache.set(
+ self._meta.object_name,
+ urls,
+ get_setting("METADATA_URLS_CACHE_TIMEOUT"),
+ )
+
if self.base_url.endswith("/"):
self.base_url = self.base_url[:-1]
super().save(*args, **kwargs)
diff --git a/digid_eherkenning/settings.py b/digid_eherkenning/settings.py
index 9ec613a..fe944fb 100644
--- a/digid_eherkenning/settings.py
+++ b/digid_eherkenning/settings.py
@@ -12,6 +12,7 @@
# Public settings
class Defaults:
DIGID_SESSION_AGE: int = 60 * 15 # 15 minutes, in seconds
+ METADATA_URLS_CACHE_TIMEOUT = 86400
def get_setting(name: str):
diff --git a/docs/cli.rst b/docs/cli.rst
index 56f2511..6f77f1e 100644
--- a/docs/cli.rst
+++ b/docs/cli.rst
@@ -9,6 +9,7 @@ django-digid-eherkenning ships with a couple of Django management commands:
* ``generate_digid_metadata``
* ``generate_eherkenning_metadata``
* ``generate_eherkenning_dienstcatalogus``
+* ``update_stored_metadata``
For details, call:
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 4a17790..fd2f82e 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -24,7 +24,7 @@ If this header is not set or empty, we instead get the value from ``REMOTE_ADDR`
**Protecting metadata endpoints**
-The metdata URLs are open by design to facilitate sharing these URLs with identity
+The metadata URLs are open by design to facilitate sharing these URLs with identity
providers or other interested parties. Because the metadata is generated on the fly,
there is a Denial-of-Service risk. We recommend to protect these URLs at the web-server
level by:
@@ -57,3 +57,7 @@ Django settings
.. note:: This setting is a last resort and it will expire after 15 minutes even if
there is user activity. Typically you want to define a middleware in your project
to extend the session duration while there is still activity.
+
+``METADATA_URLS_CACHE_TIMEOUT``
+ The library uses django cache in order to store some useful urls. This prevents reading an XML file
+ if this has not been updated. Defaults to 86400 (1 day).
diff --git a/tests/conftest.py b/tests/conftest.py
index b348246..66ad752 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -12,6 +12,13 @@
DIGID_TEST_METADATA_FILE = BASE_DIR / "files" / "digid" / "metadata"
+DIGID_TEST_METADATA_FILE_SLO_POST = (
+ BASE_DIR / "files" / "digid" / "metadata_with_slo_POST"
+)
+DIGID_TEST_METADATA_FILE_SLO_POST_2 = (
+ BASE_DIR / "files" / "digid" / "metadata_with_slo_POST_2"
+)
+
DIGID_TEST_KEY_FILE = BASE_DIR / "files" / "snakeoil-cert" / "ssl-cert-snakeoil.key"
DIGID_TEST_CERTIFICATE_FILE = (
BASE_DIR / "files" / "snakeoil-cert" / "ssl-cert-snakeoil.pem"
@@ -20,6 +27,7 @@
"base_url": "https://sp.example.nl",
"entity_id": "sp.example.nl/digid",
"idp_service_entity_id": "https://was-preprod1.digid.nl/saml/idp/metadata",
+ "metadata_file_source": "https://was-preprod1.digid.nl/saml/idp/metadata",
"attribute_consuming_service_index": "1",
"service_name": "Example",
"requested_attributes": [],
diff --git a/tests/files/digid/metadata_with_slo_POST b/tests/files/digid/metadata_with_slo_POST
new file mode 100644
index 0000000..853ef16
--- /dev/null
+++ b/tests/files/digid/metadata_with_slo_POST
@@ -0,0 +1,85 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DNT82s99BhXBIvewrpNSnBnuACmZFAKg7Ze+rZmflcQ=
+
+
+
+ gDvJjFd221rI7Y6JT6IFNRr9L1JVQgXiOSx62zfy0Qx7wZTjx1ngs+eOcRloHEdIKBd/BCDQGl10VakEmmzB1OYcuR2V5mq7IdR+lIJb+eoKO1dhc6IK+F2vfWCUxphYUDbfWBE0U06YvSI4di2j0CISMXUbbNiO8DeFWI6/NYuiRimONpRomjwz1X+nR1Aaw58A8hrqiYKMZzMDHL2wJ7haK5ZKv3lWtACpSMYcdNXAzo2le9T0IyZjNUlkGtgHH2UyjDUL1OcZnvMSpd3lHFc6HkUfkbrGmJecNJWZyXT+7BH2HxaYFW0jQEYaTw7vyYatYf0HTNqfcN4VePU7Ww==
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+
+
+
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+ MIICsjCCAZqgAwIBAgIJAJhvbn1Aal/aMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+ BAMMBnVidW50dTAeFw0xNzEyMjkxNjI3NDhaFw0yNzEyMjcxNjI3NDhaMBExDzAN
+ BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAObY
+ RaZaguRBRowjJraDM8A7VpcWi+aIzYc0003gmz1j+/31pQ7QX12cCFAnyo+6bFlQ
+ Or8/Qda24yIAsaaj96Z3iA4bWDUARLUD8N6gftI8sZwf1JRW6kgwYn3DiLdhDeKd
+ 8LsrraUzHK/CXccCt5xM6t7gsgBoJvMNmy2ddpuh6T5xLQpREcI9JVqAihRa33ty
+ PMDk4QzPYjKsshYfFqlpRz6Zb3SMUnqjhRlWKyF/QgviNdrK8w1xlx6ix/oVruOP
+ P4qSl5vOmGk49CRqWY7IWciD2VHcH04fVfjhwPsh4Dv7uTaMLHwyGvJ8XFjK6yef
+ aiSODBsnb+bqKe8jWssCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
+ AAOCAQEAWOjsjh9NxJ5Lu5bGsNQecxheCtkv6WdTB4O5+z60qVNxQZrwQkPbnTQm
+ yAfTxR/VubLGqJ3mYU5YsqKJ2Z9Cqvc3wIPXLkruv5A1RwDv0eb0R/UE5nF/nKQR
+ B3yn9AYVrzu5kNlpFr/hK6brqfznMKPT6K4n9jMdUg9Bek9b2j8vG7L/Jgona43K
+ e7Ip6lACOP0q5PQvrKIkkdfh5QbZjrCQnUVRsScDh/qjWS01rYUp9z7rfuEuQNt5
+ TPNMhvmH+podlP9zgONDdwYsjdP59+pFIRebf3Qlkd2nNk6AfL4oFpacr8x7EuHx
+ QJZ5MqEauEhsXVSP+gFGywjSsYHMHg==
+
+
+
+
+
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+ MIICsjCCAZqgAwIBAgIJAJhvbn1Aal/aMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+ BAMMBnVidW50dTAeFw0xNzEyMjkxNjI3NDhaFw0yNzEyMjcxNjI3NDhaMBExDzAN
+ BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAObY
+ RaZaguRBRowjJraDM8A7VpcWi+aIzYc0003gmz1j+/31pQ7QX12cCFAnyo+6bFlQ
+ Or8/Qda24yIAsaaj96Z3iA4bWDUARLUD8N6gftI8sZwf1JRW6kgwYn3DiLdhDeKd
+ 8LsrraUzHK/CXccCt5xM6t7gsgBoJvMNmy2ddpuh6T5xLQpREcI9JVqAihRa33ty
+ PMDk4QzPYjKsshYfFqlpRz6Zb3SMUnqjhRlWKyF/QgviNdrK8w1xlx6ix/oVruOP
+ P4qSl5vOmGk49CRqWY7IWciD2VHcH04fVfjhwPsh4Dv7uTaMLHwyGvJ8XFjK6yef
+ aiSODBsnb+bqKe8jWssCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
+ AAOCAQEAWOjsjh9NxJ5Lu5bGsNQecxheCtkv6WdTB4O5+z60qVNxQZrwQkPbnTQm
+ yAfTxR/VubLGqJ3mYU5YsqKJ2Z9Cqvc3wIPXLkruv5A1RwDv0eb0R/UE5nF/nKQR
+ B3yn9AYVrzu5kNlpFr/hK6brqfznMKPT6K4n9jMdUg9Bek9b2j8vG7L/Jgona43K
+ e7Ip6lACOP0q5PQvrKIkkdfh5QbZjrCQnUVRsScDh/qjWS01rYUp9z7rfuEuQNt5
+ TPNMhvmH+podlP9zgONDdwYsjdP59+pFIRebf3Qlkd2nNk6AfL4oFpacr8x7EuHx
+ QJZ5MqEauEhsXVSP+gFGywjSsYHMHg==
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tests/files/digid/metadata_with_slo_POST_2 b/tests/files/digid/metadata_with_slo_POST_2
new file mode 100644
index 0000000..b567449
--- /dev/null
+++ b/tests/files/digid/metadata_with_slo_POST_2
@@ -0,0 +1,85 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DNT82s99BhXBIvewrpNSnBnuACmZFAKg7Ze+rZmflcQ=
+
+
+
+ gDvJjFd221rI7Y6JT6IFNRr9L1JVQgXiOSx62zfy0Qx7wZTjx1ngs+eOcRloHEdIKBd/BCDQGl10VakEmmzB1OYcuR2V5mq7IdR+lIJb+eoKO1dhc6IK+F2vfWCUxphYUDbfWBE0U06YvSI4di2j0CISMXUbbNiO8DeFWI6/NYuiRimONpRomjwz1X+nR1Aaw58A8hrqiYKMZzMDHL2wJ7haK5ZKv3lWtACpSMYcdNXAzo2le9T0IyZjNUlkGtgHH2UyjDUL1OcZnvMSpd3lHFc6HkUfkbrGmJecNJWZyXT+7BH2HxaYFW0jQEYaTw7vyYatYf0HTNqfcN4VePU7Ww==
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+
+
+
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+ MIICsjCCAZqgAwIBAgIJAJhvbn1Aal/aMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+ BAMMBnVidW50dTAeFw0xNzEyMjkxNjI3NDhaFw0yNzEyMjcxNjI3NDhaMBExDzAN
+ BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAObY
+ RaZaguRBRowjJraDM8A7VpcWi+aIzYc0003gmz1j+/31pQ7QX12cCFAnyo+6bFlQ
+ Or8/Qda24yIAsaaj96Z3iA4bWDUARLUD8N6gftI8sZwf1JRW6kgwYn3DiLdhDeKd
+ 8LsrraUzHK/CXccCt5xM6t7gsgBoJvMNmy2ddpuh6T5xLQpREcI9JVqAihRa33ty
+ PMDk4QzPYjKsshYfFqlpRz6Zb3SMUnqjhRlWKyF/QgviNdrK8w1xlx6ix/oVruOP
+ P4qSl5vOmGk49CRqWY7IWciD2VHcH04fVfjhwPsh4Dv7uTaMLHwyGvJ8XFjK6yef
+ aiSODBsnb+bqKe8jWssCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
+ AAOCAQEAWOjsjh9NxJ5Lu5bGsNQecxheCtkv6WdTB4O5+z60qVNxQZrwQkPbnTQm
+ yAfTxR/VubLGqJ3mYU5YsqKJ2Z9Cqvc3wIPXLkruv5A1RwDv0eb0R/UE5nF/nKQR
+ B3yn9AYVrzu5kNlpFr/hK6brqfznMKPT6K4n9jMdUg9Bek9b2j8vG7L/Jgona43K
+ e7Ip6lACOP0q5PQvrKIkkdfh5QbZjrCQnUVRsScDh/qjWS01rYUp9z7rfuEuQNt5
+ TPNMhvmH+podlP9zgONDdwYsjdP59+pFIRebf3Qlkd2nNk6AfL4oFpacr8x7EuHx
+ QJZ5MqEauEhsXVSP+gFGywjSsYHMHg==
+
+
+
+
+
+
+ 2e9046aba2e95ed07efb655f6f50880ef686e531
+
+ MIICsjCCAZqgAwIBAgIJAJhvbn1Aal/aMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+ BAMMBnVidW50dTAeFw0xNzEyMjkxNjI3NDhaFw0yNzEyMjcxNjI3NDhaMBExDzAN
+ BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAObY
+ RaZaguRBRowjJraDM8A7VpcWi+aIzYc0003gmz1j+/31pQ7QX12cCFAnyo+6bFlQ
+ Or8/Qda24yIAsaaj96Z3iA4bWDUARLUD8N6gftI8sZwf1JRW6kgwYn3DiLdhDeKd
+ 8LsrraUzHK/CXccCt5xM6t7gsgBoJvMNmy2ddpuh6T5xLQpREcI9JVqAihRa33ty
+ PMDk4QzPYjKsshYfFqlpRz6Zb3SMUnqjhRlWKyF/QgviNdrK8w1xlx6ix/oVruOP
+ P4qSl5vOmGk49CRqWY7IWciD2VHcH04fVfjhwPsh4Dv7uTaMLHwyGvJ8XFjK6yef
+ aiSODBsnb+bqKe8jWssCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
+ AAOCAQEAWOjsjh9NxJ5Lu5bGsNQecxheCtkv6WdTB4O5+z60qVNxQZrwQkPbnTQm
+ yAfTxR/VubLGqJ3mYU5YsqKJ2Z9Cqvc3wIPXLkruv5A1RwDv0eb0R/UE5nF/nKQR
+ B3yn9AYVrzu5kNlpFr/hK6brqfznMKPT6K4n9jMdUg9Bek9b2j8vG7L/Jgona43K
+ e7Ip6lACOP0q5PQvrKIkkdfh5QbZjrCQnUVRsScDh/qjWS01rYUp9z7rfuEuQNt5
+ TPNMhvmH+podlP9zgONDdwYsjdP59+pFIRebf3Qlkd2nNk6AfL4oFpacr8x7EuHx
+ QJZ5MqEauEhsXVSP+gFGywjSsYHMHg==
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tests/test_commands.py b/tests/test_commands.py
new file mode 100644
index 0000000..6f4b235
--- /dev/null
+++ b/tests/test_commands.py
@@ -0,0 +1,72 @@
+from io import StringIO
+from unittest.mock import patch
+
+from django.core.management import CommandError, call_command
+from django.test import TestCase
+
+import pytest
+
+from digid_eherkenning.models import DigidConfiguration, EherkenningConfiguration
+
+from .conftest import DIGID_TEST_METADATA_FILE_SLO_POST, EHERKENNING_TEST_METADATA_FILE
+
+
+@pytest.mark.usefixtures("digid_config_defaults", "temp_private_root")
+class UpdateStoredMetadataTests(TestCase):
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_command_triggers_xml_fetching_when_digid(self, get_matadata):
+ config = DigidConfiguration.get_solo()
+
+ with DIGID_TEST_METADATA_FILE_SLO_POST.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://was-preprod1.digid.nl/saml/idp/metadata"
+ )
+ config.save()
+
+ call_command("update_stored_metadata", "--digid")
+
+ self.assertTrue(get_matadata.called_once())
+
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_command_triggers_xml_fetching_when_eherkenning(self, get_matadata):
+ output = StringIO()
+ config = EherkenningConfiguration.get_solo()
+
+ with EHERKENNING_TEST_METADATA_FILE.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://eh01.staging.iwelcome.nl/broker/sso/1.13"
+ )
+ config.save()
+
+ call_command("update_stored_metadata", "--eherkenning", stdout=output)
+
+ self.assertTrue(get_matadata.called_once())
+ self.assertEqual(output.getvalue(), "Update was successful\n")
+
+ def test_command_fails_when_no_argument_provided(self):
+ try:
+ call_command("update_stored_metadata")
+ except CommandError as e:
+ error_message = str(e)
+
+ self.assertEqual(
+ error_message,
+ "A required argument is missing. Please provide either digid or eherkenning.",
+ )
+
+ def test_command_fails_when_no_metadata_file_source(self):
+ output = StringIO()
+ call_command("update_stored_metadata", "--digid", stdout=output)
+
+ self.assertEqual(
+ output.getvalue(),
+ "Update failed, no metadata file source found\n",
+ )
diff --git a/tests/test_models.py b/tests/test_models.py
new file mode 100644
index 0000000..477acbd
--- /dev/null
+++ b/tests/test_models.py
@@ -0,0 +1,142 @@
+import datetime
+from unittest.mock import patch
+
+from django.core.cache import cache
+from django.core.exceptions import ValidationError
+from django.test import TestCase, override_settings
+from django.utils.translation import gettext as _
+
+import pytest
+from freezegun import freeze_time
+
+from digid_eherkenning.models import DigidConfiguration, EherkenningConfiguration
+
+from .conftest import (
+ DIGID_TEST_METADATA_FILE_SLO_POST,
+ DIGID_TEST_METADATA_FILE_SLO_POST_2,
+ EHERKENNING_TEST_METADATA_FILE,
+)
+
+
+@pytest.mark.usefixtures("digid_config_defaults", "temp_private_root")
+class BaseModelTests(TestCase):
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_fields_are_populated_on_digid_save(self, get_matadata):
+ config = DigidConfiguration.get_solo()
+
+ with DIGID_TEST_METADATA_FILE_SLO_POST.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://was-preprod1.digid.nl/saml/idp/metadata"
+ )
+ config.save()
+
+ self.assertTrue(get_matadata.called_once())
+ self.assertEqual(
+ config.idp_metadata_file.read().decode("utf-8"), metadata_content
+ )
+ self.assertEqual(
+ config.idp_service_entity_id,
+ "https://was-preprod1.digid.nl/saml/idp/metadata",
+ )
+
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_fields_are_populated_on_eherkennig_save(self, get_matadata):
+ config = EherkenningConfiguration.get_solo()
+
+ with EHERKENNING_TEST_METADATA_FILE.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://eh01.staging.iwelcome.nl/broker/sso/1.13"
+ )
+ config.save()
+
+ self.assertTrue(get_matadata.called_once())
+ self.assertEqual(
+ config.idp_metadata_file.read().decode("utf-8"), metadata_content
+ )
+ self.assertEqual(
+ config.idp_service_entity_id,
+ "https://eh01.staging.iwelcome.nl/broker/sso/1.13",
+ )
+
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_no_fetching_xml_when_no_file_source_change(self, get_matadata):
+ config = DigidConfiguration.get_solo()
+
+ with DIGID_TEST_METADATA_FILE_SLO_POST.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://was-preprod1.digid.nl/saml/idp/metadata"
+ )
+ config.save()
+
+ config.organization_name = "test"
+ config.save()
+
+ # Make sure we don't try to fetch and parse the xml file, since there is no update
+ self.assertTrue(get_matadata.called_once())
+
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_wrong_xml_format_raises_validation_error(self, get_matadata):
+ config = DigidConfiguration.get_solo()
+
+ with DIGID_TEST_METADATA_FILE_SLO_POST.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://was-preprod1.digid.nl/saml/idp/metadata"
+ )
+ config.save()
+
+ get_matadata.return_value = "wrong xml format"
+ config.metadata_file_source = "https://example.com"
+
+ with self.assertRaisesMessage(
+ ValidationError,
+ _(
+ "An error has occured while processing the xml file. Make sure the file is valid"
+ ),
+ ):
+ config.save()
+
+ @override_settings(METADATA_URLS_CACHE_TIMEOUT=2)
+ @patch(
+ "onelogin.saml2.idp_metadata_parser.OneLogin_Saml2_IdPMetadataParser.get_metadata"
+ )
+ def test_urls_caching(self, get_matadata):
+ config = DigidConfiguration.get_solo()
+
+ with freeze_time("2023-05-22 12:00:00Z") as frozen_datetime:
+ with DIGID_TEST_METADATA_FILE_SLO_POST.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = (
+ "https://was-preprod1.digid.nl/saml/idp/metadata"
+ )
+ config.save()
+
+ with DIGID_TEST_METADATA_FILE_SLO_POST_2.open("rb") as metadata_file:
+ metadata_content = metadata_file.read().decode("utf-8")
+ get_matadata.return_value = metadata_content
+ config.metadata_file_source = "https://example.com"
+ config.save()
+
+ self.assertEqual(
+ cache.get("DigidConfiguration")["entityId"], "https://example.com"
+ )
+
+ frozen_datetime.tick(delta=datetime.timedelta(seconds=3))
+
+ self.assertIsNone(cache.get("DigidConfiguration"))