import os
import random
import string
from datetime import date
import xml.etree.ElementTree as ET

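def get_real_sps(entity_ids=None, md_path=None):
    """Return the real test SPs with the Location of their HTTP-POST ACS.

    Each entityID is looked up in the SAML metadata aggregate at ``md_path``
    and the ``Location`` of its ``AssertionConsumerService`` with the
    HTTP-POST binding is extracted.

    Args:
        entity_ids: entityIDs to look up, in order. Defaults to the two SPs
            this file has always used (IDEM demo SP, SWITCH attribute viewer).
            An entityID must not contain a single quote: ElementTree predicate
            syntax offers no escaping for it.
        md_path: path of the metadata XML file. Defaults to the module-level
            ``SPS_MD_PATH`` (resolved at call time, so the constant may be
            defined later in the file).

    Returns:
        A list with one ``{"entityID": ..., "http_post_acs_location": ...}``
        dict per entityID, in input order.

    Raises:
        LookupError: when an entityID, its SPSSODescriptor, its HTTP-POST ACS
            or that ACS's ``Location`` attribute is missing from the metadata.
            (Previously this surfaced as an AttributeError on ``None`` or as
            the literal string "None" for a missing Location.)
    """
    if entity_ids is None:
        entity_ids = (
            "https://sp-demo.idem.garr.it/shibboleth",
            "https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth",
        )
    if md_path is None:
        md_path = SPS_MD_PATH

    namespaces = {
        'md': 'urn:oasis:names:tc:SAML:2.0:metadata',
    }
    http_post_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

    # NOTE(review): stdlib ElementTree does not defend against entity-expansion
    # payloads (billion laughs / quadratic blowup); keep the metadata file
    # coming from a trusted source over a verified channel.
    root = ET.parse(md_path).getroot()

    sps_list = []
    for entity_id in entity_ids:
        acs = root.find(
            f"./md:EntityDescriptor[@entityID='{entity_id}']"
            "/md:SPSSODescriptor"
            f"/md:AssertionConsumerService[@Binding='{http_post_binding}']",
            namespaces,
        )
        # find() returns None on a miss; fail with the entityID rather than
        # letting the caller trip over "'NoneType' has no attribute 'get'".
        location = acs.get("Location") if acs is not None else None
        if location is None:
            raise LookupError(
                f"no HTTP-POST AssertionConsumerService with a Location for "
                f"{entity_id} in {md_path}"
            )
        sps_list.append({
            "entityID": entity_id,
            "http_post_acs_location": location,
        })

    return sps_list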

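def get_fake_sp_name(length=10, tld='org'):
    """Return a random hostname such as ``kqzpwvxabc.org``.

    Used for the third test SP, whose name is not expected to appear in any
    federation's metadata. ``random`` (not ``secrets``) is deliberate: the
    name is not a secret, it only has to be unlikely to collide with a
    registered host.

    Args:
        length: number of lowercase ASCII letters in the label (default 10,
            the historical value).
        tld: top-level domain appended after the dot (default ``org``).

    Returns:
        ``"<label>.<tld>"``.

    Raises:
        ValueError: if ``length`` is smaller than 1.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    alphabet = string.ascii_lowercase
    # One random.choice() per character, as before, so seeded runs keep
    # producing the same names as the previous implementation.
    label = ''.join(random.choice(alphabet) for _ in range(length))
    return f"{label}.{tld}"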

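# Miscellaneous
# ISO date of this run; used below to name the per-day log files.
DAY = date.today().isoformat()
# System CA bundle (Debian/Ubuntu layout) — presumably handed to the HTTP
# client for TLS verification; adjust on other distributions.
CA_BUNDLE_PATH = "/etc/ssl/certs/ca-certificates.crt"
# Installation root. expanduser() reads $HOME first and falls back to the
# password database, so importing this module no longer raises KeyError
# when HOME is unset (e.g. under some cron/systemd environments).
ECCS_DIR = f"{os.path.expanduser('~')}/eccs"
PATHCHROMEDRIVER = f"{ECCS_DIR}/chromedriver"
ECCS_PYTHON = f"{ECCS_DIR}/python/bin/python3"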

# Input
# Local cache directory for the files fetched from technical.edugain.org.
ECCS_INPUTDIR = os.path.join(ECCS_DIR, "input")
# eduGAIN API endpoint listing the IdPs to check, and its local copy.
ECCS_LISTIDPSURL = 'https://technical.edugain.org/api.php?action=list_eccs_idps&format=json'
ECCS_LISTIDPSFILE = os.path.join(ECCS_INPUTDIR, "list_eccs_idps.json")
# eduGAIN API endpoint listing the federations, and its local copy.
ECCS_LISTFEDSURL = 'https://technical.edugain.org/api.php?action=list_feds&opt=1&format=json'
ECCS_LISTFEDSFILE = os.path.join(ECCS_INPUTDIR, "list_fed.json")

# Output
ECCS_OUTPUTDIR = os.path.join(ECCS_DIR, "output")
# NOTE: a bare file name, unlike the other paths here — presumably joined
# with a directory by whatever writes the results; verify in the caller.
ECCS_RESULTSLOG = "eccs_" + DAY + ".log"
ECCS_HTMLDIR = os.path.join(ECCS_DIR, "html")

# SPS Metadata
# SAML metadata aggregate that get_real_sps() parses to find the ACS
# locations of the real test SPs.
SPS_MD_PATH = os.path.join(ECCS_INPUTDIR, "sps-metadata.xml")

# Selenium
# Debug switch for the browser driver — what it enables is decided by the
# checker, not here.
ECCS_SELENIUMDEBUG = False
ECCS_SELENIUMLOGDIR = os.path.join(ECCS_DIR, "selenium-logs")
# Timeouts, all in seconds. The page-load value is duplicated in
# web/eccs.js: change both together.
ECCS_SELENIUMPAGELOADTIMEOUT = 60
ECCS_SELENIUMSCRIPTTIMEOUT = 60
# Timeout for plain HTTP(S) requests made outside the browser.
ECCS_REQUESTSTIMEOUT = 15

# Logs
ECCS_LOGSDIR = os.path.join(ECCS_DIR, "logs")
# Per-day stdout/stderr captures plus a shell file of failed commands, one
# set for the overall run and one for the per-IdP checks (the "idp" names).
ECCS_STDOUT = os.path.join(ECCS_LOGSDIR, "stdout_" + DAY + ".log")
ECCS_STDERR = os.path.join(ECCS_LOGSDIR, "stderr_" + DAY + ".log")
ECCS_FAILEDCMD = os.path.join(ECCS_LOGSDIR, "failed-cmd.sh")
ECCS_STDOUTIDP = os.path.join(ECCS_LOGSDIR, "stdout_idp_" + DAY + ".log")
ECCS_STDERRIDP = os.path.join(ECCS_LOGSDIR, "stderr_idp_" + DAY + ".log")
ECCS_FAILEDCMDIDP = os.path.join(ECCS_LOGSDIR, "failed-cmd-idp.sh")

# Number of processes to run in parallel
# Size of the worker pool that checks IdPs concurrently; each worker opens
# its own browser, so this also bounds memory use on the host.
ECCS_NUMPROCESSES = 30

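# The 3 SPs that will be used to test each IdP
# Evaluated at import time: the metadata file at SPS_MD_PATH is parsed once
# here (the previous code parsed it four times, once per f-string), so
# importing this module fails fast when the file is missing or lacks one of
# the real SPs.
_real_sps = get_real_sps()
# One random hostname shared by the entityID and the ACS of the third SP, so
# the fake SP is internally consistent (two separate calls previously gave
# the entityID and the ACS unrelated hosts). It is not expected to be
# registered in any federation.
_fake_sp_host = get_fake_sp_name()
ECCS_SPS = [
   {
     "entityID": _real_sps[0]['entityID'],
     "http_post_acs_location": _real_sps[0]['http_post_acs_location'],
   },
   {
     "entityID": _real_sps[1]['entityID'],
     "http_post_acs_location": _real_sps[1]['http_post_acs_location'],
   },
   {
     "entityID": f"https://{_fake_sp_host}/shibboleth",
     "http_post_acs_location": f"https://{_fake_sp_host}/Shibboleth.sso/SAML2/POST",
   }
]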

# ROBOTS.TXT
# User-Agent token the checker identifies itself with — presumably the one
# matched against each IdP's robots.txt rules; the URL lets operators find
# out what is crawling them.
ROBOTS_USER_AGENT = "ECCS/2.0 (+https://technical.edugain.org/eccs)"

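# PATTERNS
# Regular expressions (Python `re` syntax) and one XPath union, presumably run
# against the page an IdP returns to classify the check result — confirm
# against the checker. The regexes are raw strings: `\s` is not a Python
# string escape, so in a plain literal it only worked by accident and warns
# (SyntaxWarning from 3.12).
# Marker presumably identifying an Okta, JavaScript-driven login page.
JAVASCRIPT = '"x-my-okta-version"'
# Generic server/IdP error banners, in several languages.
IDPERROR = r"error\s(has\s)?occur(r)?(ed)$|Error\swhen\sprocessing\s(the\s)?authentication\srequest|The\s(server|system)\sencountered\san\s(internal\s)?error|Internal\sServer\sError|403\sForbidden|Service\sUnavailable|InvalidProfileConfiguration|Unexpected\sSystem\sError|404\s(.\s)?not\sfound|OpenAthens:\s404|On\stapahtunut\svirhe|Unhandled\sexception|Bad\sGateway|Page\sNot\sFound|Δεν\sεπιτρέπεται\sη\sπρόσβαση|tempora(ry|rily)\s(unavailable|error)+|License\serror|n'est\spas\sgérée|Invalid\sRequest|Erreur\s!|Please\sreport\sthis\serror\sto|该网站无法访问|proxy\serror|There\sis\sa\sproblem\swith\syour\saccount"
# Messages meaning the IdP does not know or does not trust the requesting SP.
METADATAPATTERN = r"Unable\sto\slocate(\sissuer\sin|)\smetadata(\sfor|)|no\smetadata\sfound|profile\sis\snot\sconfigured\sfor\srelying\sparty|Cannot\slocate\sentity|fail\sto\sload\sunknown\sprovider|does\snot\srecognise\sthe\sservice|unable\sto\sload\sprovider|Nous\sn'avons\spas\spu\s(charg|charger)\sle\sfournisseur\sde\sservice|Metadata\snot\sfound|application\s(you\shave\saccessed\s)?is\snot\sregistered\s(for\suse\sthis\sservice)?|Message\sdid\snot\smeet\ssecurity\srequirements|unsupported\s[Rr]equest|METADATANOTFOUND|Unknown\slogin\srequester|is\sunspecified\sor\sunsupported|Unknown\sservice\sprovider|Richiesta\snon\ssupportata|Metadati\snon\strovati|untrusted\sprovider|Unregistered\sService|UNHANDLEDEXCEPTION|Metadata.*.expired|Could\snot\sfind\sany.*.metadata.*.for|不支持的请求|l'application\sn'est\spas\senregistrée|Requisição\snão\ssuportada|トされていないリクエスト|is\snot\sallowed|Authorization\sFailure|Pedido\snão\ssuportado|Nicht\sunterstützte\sAnfrage|Service\sNot\sAuthorized\sfor\sSingle\sSign-On|Your\sbrowser\ssent\sa\srequest\sthat\sthis\sserver\scould\snot\sunderstand|Application\sNot\sAuthorized\sTo\sUse\sCAS"
# XPath union of form controls that identify a standard login page.
XPATH_CHECK_PATTERN = '//input[@type="password"]|//input[@type="Password"]|//input[@type="email"]|//input[@type="user"]|//input[@name="name"]|//form[@action="/idp/module.php/multiauth/selectsource.php"]|//input[@type="text"]'
# Triple-quoted raw string so the quote class ['"] keeps exactly the two
# quote characters: in the old plain literal \' collapsed to ', and a raw
# r'...' would have kept the backslash and matched a backslash too.
PASSWORDPATTERN = r'''<input[\s]+[^>]*(type=\s*['"]password['"]|password)[^>]*>'''
# Commented out: unused, kept for reference.
#USERNAMEPATTERN = '<input[\s]+[^>]*((type=\s*[\'"](text|email)[\'"]|user)|(name=\s*[\'"](name)[\'"]))[^>]*>'
#REFUSEDPATTERN = '(^http)(.*\.png$)|(.*\.css$)|(.*\.js$)|(.*\.gif$)|(.*\.svg$)|(.*\.jpg$)'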

# { 'reg_auth':'reason' }
# Federations whose IdPs are skipped altogether, keyed by registration
# authority; every entry carries the same reason text.
FEDS_DISABLED_DICT = dict.fromkeys(
   (
      'http://www.surfconext.nl/',
      'https://www.wayf.dk',
      'http://feide.no/',
   ),
   'Federation excluded from check',
)

# { 'entityid_idp':'reason' }
# IdPs skipped by the check, keyed by entityID; the value is the human-readable
# reason (date plus cause). Entries commented out below are presumably IdPs
# that were excluded in the past and are checked again today.
IDPS_DISABLED_DICT = {
   "https://idp.eie.gr/idp/shibboleth": "Disabled on 2019-04-24 because ECCS cannot check non-standard login page",
   "https://edugain-proxy.igtf.net/simplesaml/saml2/idp/metadata.php": "Disabled on 2017-03-17 on request of federation operator",
#  "https://gn-vho.grnet.gr/idp/shibboleth": "Disabled on 2019-04-24 because basic authentication is not supported by ECCS check",
   "https://wtc.tu-chemnitz.de/shibboleth": "Disabled on 2019-02-26 because ECCS cannot check non-standard login page",
   "https://idp.fraunhofer.de/idp/shibboleth": "Disabled on 2017-11-24 on request of federation operator",
   "https://idp.dfn-cert.de/idp/shibboleth": "Disabled on 2018-04-05 on request of federation operator",
   "https://idp.cambria.ac.uk/openathens": "Disabled on 2017-10-27 on request of federation operator",
   "https://login.lstonline.ac.uk/idp/pingfederate": "Disabled on 2017-02-08 on request of federation operator",
   "https://indiid.net/idp/shibboleth": "Disabled on 2017-10-27 on request of federation operator",
   "https://idp.nulc.ac.uk/openathens": "Disabled on 2017-10-27 on request of federation operator",
#  "https://lc-idp.lincolncollege.ac.uk/shibboleth": "Disabled on 2015-08-17 because uses HTTP Basic authentication, which cannot be checked reliably",
   "https://idp.wnsc.ac.uk/idp/shibboleth": "Disabled on 2017-10-27 on request of federation operator",
#  "https://idp.strodes.ac.uk/shibboleth": "Disabled on 2015-08-17 because uses HTTP Basic authentication, which cannot be checked reliably",
   "https://idp.uel.ac.uk/shibboleth": "Disabled on 2017-10-27 on request of federation operator",
   "https://idp.ucreative.ac.uk/shibboleth": "Disabled on 2017-10-27 on request of federation operator",
   "https://idp.llandrillo.ac.uk/shibboleth": "Disabled on 2017-10-27 on request of federation operator",
   "https://sso.vu.lt/SSO/saml2/idp/metadata.php": "Disabled on 2018-11-02 because ECCS cannot check non-standard login page",
   "https://ssl.education.lu/saml/saml2/idp/metadata.php": "Disabled on 2018-11-06 ECCS cannot check non-standard login page",
   "https://sso.oktaedu.com/idp/shibboleth": "Disabled on 2021-08-12 because ECCS cannot check non-standard login page",
}