Useful constants for pyFF. Mostly XML namespace declarations.
Various decorators used in pyFF.
This is a decorator which can be used to mark functions as deprecated. It will result in a warning being emitted when the function is used.
Retry calling the decorated function using exponential backoff based on
Parameters: |
|
---|
Bases: object
Interface for metadata index providers
Index the entity
Parameters: | entity – |
---|---|
Returns: |
Obtains a list of entities that have a=b.
Parameters: |
|
---|---|
Returns: |
Removes the entity from the index.
Parameters: | entity – |
---|
Bases: pyff.index.MDIndex
locks.py - Read-Write lock thread lock implementation
See the class documentation for more info.
Copyright (C) 2007, Heiko Wundram. Released under the BSD-license.
Bases: object
Read-Write lock class. A read-write lock differs from a standard threading.RLock() by allowing multiple threads to simultaneously hold a read lock, while allowing only a single thread to hold a write lock at the same point of time.
When a read lock is requested while a write lock is held, the reader is blocked; when a write lock is requested while another write lock is held or there are read locks, the writer is blocked.
Writers are always preferred by this implementation: if there are blocked threads waiting for a write lock, current readers may request more read locks (which they eventually should free, as they starve the waiting writers otherwise), but a new thread requesting a read lock will not be granted one, and block. This might mean starvation for readers if two writer threads interweave their calls to acquireWrite() without leaving a window only for readers.
In case a current reader requests a write lock, this can and will be satisfied without giving up the read locks first, but, only one thread may perform this kind of lock upgrade, as a deadlock would otherwise occur. After the write lock has been granted, the thread will hold a full write lock, and not be downgraded after the upgrading call to acquireWrite() has been match by a corresponding release().
Yields a read lock
Release the currently held lock.
Yields a write lock
This is the implementation of the active repository of SAML metadata. The ‘local’ and ‘remote’ pipes operate on this.
Bases: UserDict.UserDict
Bases: pyff.mdrepo.Observable
A class representing a set of SAML Metadata. Instances present as dict-like objects where the keys are URIs and values are EntitiesDescriptor elements containing sets of metadata.
Parameters: |
|
---|
Utility-method for computing a displayable string for a given entity.
Parameters: | entity – An EntityDescriptor element |
---|
Parameters: |
|
---|
Produce an EntityDescriptors set from a list of entities. Optional Name, cacheDuration and validUntil are affixed.
Utility-method for computing a displayable string for a given entity.
Parameters: | entity – An EntityDescriptor element |
---|
Return a list of the Extensions elements in the EntityDescriptor
Parameters: | e – an EntityDescriptor |
---|---|
Returns: | a list |
Fetch a series of metadata URLs and optionally verify signatures.
Parameters: |
|
---|
The list of triples is processed by first downloading the URL. If a cert-or-fingerprint is supplied it is used to validate the signature on the received XML. Two forms of XML is supported: SAML Metadata and XRD.
SAML metadata is (if valid and contains a valid signature) stored under the ‘id’ identifier (which defaults to the URL unless provided in the triple.
XRD elements are processed thus: for all <Link> elements that contain a ds;KeyInfo elements with a X509Certificate and where the <Rel> element contains the string ‘urn:oasis:names:tc:SAML:2.0:metadata‘, the corresponding <URL> element is download and verified.
Parameters: |
|
---|
Traverse a directory tree looking for metadata. Files ending in the specified extension are included. Directories starting with ‘.’ are excluded.
Lookup elements in the working metadata repository
Parameters: |
|
---|---|
Returns: | An interable of EntityDescriptor elements |
Return type: | etree.Element |
Selector Syntax
- selector “+” selector
- [sourceID] ”!” xpath
- attribute=value or {attribute}value
- entityID
- sourceID (@Name)
- <URL containing one selector per line>
The first form results in the intersection of the results of doing a lookup on the selectors. The second form results in the EntityDescriptor elements from the source (defaults to all EntityDescriptors) that match the xpath expression. The attribute-value forms resuls in the EntityDescriptors that contain the specified entity attribute pair. If non of these forms apply, the lookup is done using either source ID (normally @Name from the EntitiesDescriptor) or the entityID of single EntityDescriptors. If member is a URI but isn’t part of the metadata repository then it is fetched an treated as a list of (one per line) of selectors. If all else fails an empty list is returned.
Parameters: |
|
---|---|
Returns: |
Two EntitiesDescriptor elements are merged - the second into the first. For each element in the second collection that is present (using the @entityID attribute as key) in the first the strategy callable is called with the old and new EntityDescriptor elements as parameters. The strategy callable thus must implement the following pattern:
Parameters: |
|
---|---|
Returns: | A merged EntityDescriptor element |
Before each call to strategy old_e is removed from the MDRepository index and after merge the resultant EntityDescriptor is added to the index before it is used to replace old_e in t.
Parameters: |
|
---|
(but after xinclude processing)
A very basic test for sanity. An empty metadata set is probably not a sane output of any process.
Returns: | True iff there is at least one EntityDescriptor in the active set. |
---|
Parameters: |
|
---|
Returns a list of dict’s for each EntityDescriptor present in the metadata store such that any of the DisplayName, ServiceName, OrganizationName or OrganizationDisplayName elements match the query (as in contains the query as a substring).
The dict in the list contains three items:
Parameters: |
|
---|
Set an entity attribute on an EntityDescriptor
Parameters: |
|
---|---|
Raise: | MetadataException unless e is an EntityDescriptor element |
Parameters: | uri – An EntitiesDescriptor URI present in the MDRepository |
---|---|
Returns: | an information dict |
Returns a dict object with basic information about the EntitiesDescriptor
An implementation of draft-lajoie-md-query
Usage: pyffd <options> {pipeline-files}+
-C|--no-cache
Turn off caching
-p <pidfile>
Write a pidfile at the specified location
-f
Run in foreground
-a
Restart pyffd if any of the pipeline files change
--log=<log> | -l<log>
Set to either a file or syslog:<facility> (eg syslog:auth)
--error-log=<log> | --access-log=<log>
As --log but only affects the error or access log streams.
--loglevel=<level>
Set logging level
-P<port>|--port=<port>
Listen on the specified port
-H<host>|--host=<host>
Listen on the specified interface
-R
Use redis-based store
--frequency=<seconds>
Wake up every <seconds> and run the update pipeline. By
default the frequency is set to 600.
-A<name:uri>|--alias=<name:uri>
Add the mapping 'name: uri' to the toplevel URL alias
table. This causes URLs on the form http://server/<name>/x
to be processed as http://server/metadata/{uri}x. The
default alias table is presented at http://server
--dir=<dir>
Chdir into <dir> after the server starts up.
--proxy
The service is running behind a proxy - respect the X-Forwarded-Host header.
-m <module>|--modules=<module>
Load a module
{pipeline-files}+
One or more pipeline files
Bases: object
Cherrypy ass-u-me-s a lot about how requests are processed. In particular it is diffucult to send something that contains ‘/’ and ‘:’ (like a URL) throught the standard dispatchers. This class provides a workaround by base64-encoding the troubling stuff and sending the result through the normal displatch pipeline. At the other end base64-encoded data is unpacked.
Bases: object
The root application of pyFF. The root application assembles the MDStats and WellKnown classes with an MDServer instance.
The ‘about’ page. Contains links to statistics etc.
The default request processor unpacks base64-encoded reuqests and passes them onto the MDServer.request handler.
Process an MDX request with Content-Type hard-coded to application/xml. Regardless of the suffix you will get XML back from /entities/...
Returns the pyff icon (the alchemic symbol for sublimation).
Alias for /metadata
The main request entry point. Any requests are subject to content negotiation based on Accept headers and based on file name extension. Requesting /metadata/foo.xml gets you (signed) XML (assuming your pipeline contains that mode), requesting /metadata/foo.json gets you json, and /metadata/foo.ds gets you a discovery interface based on the IdPs found in ‘foo’. Here ‘foo’ is any supported lookup expression.
The /reset page clears all local browser settings for the device. After visiting this page users of the discovery service will see a “new device” page.
Returns a robots.txt that disables all robots.
param paged: | page the result when True |
---|---|
param query: | the string query |
param page: | the page to return of the paged result |
param page_limit: | |
the number of result per page | |
param entity_filter: | |
an optional filter to apply to the active set before searching | |
param related: | an optional ‘+’-separated list of related domain names for prioritizing search results |
return: | a JSON-formatted search result |
The /settings page documents the (non) use of cookies.
Bases: object
The MDServer class is the business logic of pyFF. This class is isolated from the request-decoding logic of MDRoot and from the ancilliary classes like MDStats and WellKnown.
The main request processor. This code implements all rendering of metadata.
Bases: cherrypy.lib.cpstats.StatsPage
Renders the standard stats page with pyFF style decoration. We use the lxml html parser to locate the body and replace it with a ‘<div>’. The result is passed as the content using the ‘basic’ template.
Bases: cherrypy.process.plugins.Monitor
Bases: object
Implementation of the .well-known URL namespace for pyFF. In particular this contains the webfinger implementation which returns information about up- and downstream metadata.
Example:
# curl http://localhost:8080/.well-known/webfinger?resource=http://localhost:8080
This should result in a JSON structure that looks something like this:
{"expires": "2013-04-13T17:40:42.188549",
"links": [
{"href": "http://reep.refeds.org:8080/role/sp.xml", "rel": "urn:oasis:names:tc:SAML:2.0:metadata"},
{"href": "http://reep.refeds.org:8080/role/sp.json", "rel": "disco-json"}],
"subject": "http://reep.refeds.org:8080"}
Depending on which version of pyFF your’re running and the configuration you may also see downstream metadata listed using the ‘role’ attribute to the link elements.
The main entrypoint for the pyffd command.
Merge strategies
pyFF statistics module
This module contains various utilities.
Bases: exceptions.Exception
Bases: pyff.utils.MetadataException
Bases: exceptions.Exception
Bases: lxml.etree.Resolver
Resolves URIs using the resource API
Return a string representation of the tree, optionally pretty_print(ed) (default False)
Parameters: | t – An ElemenTree to serialize |
---|
Parameters: | t – An EntitiesDescriptor or EntityDescriptor element |
---|
Returns the list of contained EntityDescriptor elements
Timestamp in ISO format
Current time in ISO format
Attempt to find and return the filename of the resource named by the first argument in the first location of:
# as name in the current directory # as name in the pfx subdirectory of the current directory if provided # as name relative to the package # as pfx/name relative to the package
The last two alternatives is used to locate resources distributed in the package. This includes certain XSLT and XSD files.
Parameters: |
|
---|
Attempt to load and return the contents (as a string) of the resource named by the first argument in the first location of:
# as name in the current directory # as name in the pfx subdirectory of the current directory if provided # as name relative to the package # as pfx/name relative to the package
The last two alternatives is used to locate resources distributed in the package. This includes certain XSLT and XSD files.
Parameters: |
|
---|
Safely write data to a file with name fn :param fn: a filename :param data: some data to write :return: True or False depending on the outcome of the write