[Idpy-discuss] head of pyFF master broken MDQ via sha1 hash?

Scott Koranda skoranda at gmail.com
Mon Sep 23 21:19:03 UTC 2019


For completeness, here is how I am running pyFF:

gunicorn \
    --log-config logger.ini \
    --bind 0.0.0.0:8080 \
    --timeout 600 \
    --env PYFF_PIPELINE=test_mdx.yaml \
    --env PYFF_UPDATE_FREQUENCY=3600 \
    --env PYFF_PUBLIC_URL=http://127.0.0.1:8080 \
    --env PYFF_STORE_CLASS=pyff.store:RedisWhooshStore \
    --env PYFF_SCHEDULER_JOB_STORE=redis \
    --workers 1 \
    --worker-class gthread \
    --threads 4 \
    --worker-tmp-dir /dev/shm \
    pyff.wsgi:app \
    2>&1 | tee /tmp/pyff.out

And here is test_mdx.yaml:

- when edugain_transform:
    - xslt:
        stylesheet: edugain_transform.xsl
    - break
- when ligo_transform:
    - xslt:
        stylesheet: ligo_transform.xsl
    - break
- when ligo_approved_transform:
    - xslt:
        stylesheet: ligo_approved_transform.xsl
    - break
- when update:
    - load:
        - incommon.xrd as incommon via edugain_transform
        - ligo.xrd as ligo via ligo_transform
        - ligo_approved.xrd as ligo_approved via ligo_approved_transform
    - select:
        - "!//md:EntityDescriptor[md:IDPSSODescriptor]"
        - "ligo!//md:EntityDescriptor[md:SPSSODescriptor]"
    - select as ligo_only:
        - "https://login.ligo.org/idp/shibboleth"
        - "https://login2.ligo.org/idp/shibboleth"
        - "https://login3.ligo.org/idp/shibboleth"
        - "https://login4.ligo.org/idp/shibboleth"
    - select as ligo_approved:
        - "https://login.ligo.org/idp/shibboleth"
        - "https://login2.ligo.org/idp/shibboleth"
        - "https://login3.ligo.org/idp/shibboleth"
        - "https://login4.ligo.org/idp/shibboleth"
        - "https://shibbi.pki.itc.u-tokyo.ac.jp/idp/shibboleth"
        - "https://orcid-saml-gateway.gw-astronomy.org/idp"
    - break
- when request:
    - select:
    - pipe:
        - when accept application/xml:
            - first
            - finalize:
                cacheDuration: PT12H
                validUntil: P10D
            - sign:
                key: metadata-signer.key
                cert: metadata-signer.crt
            - emit application/xml
            - break
        - when accept application/json:
            - discojson
            - emit application/json
            - break

> Hi,
> 
> I am using today's pyFF master head, commit
> 
> bbdf245ccdb0be8ce45dda8c0cef06a6d33e2755
> 
> My pipeline contains
> 
> - when request:
>     - select:
>     - pipe:
>         - when accept application/xml:
>             - first
>             - finalize:
>                 cacheDuration: PT12H
>                 validUntil: P10D
>             - sign:
>                 key: metadata-signer.key
>                 cert: metadata-signer.crt
>             - emit application/xml
>             - break
>         - when accept application/json:
>             - discojson
>             - emit application/json
>             - break
> 
> This query returns the XML I expect
> 
> curl 'http://127.0.0.1:8080/entities/https%3A%2F%2Fwiki.ligo.org%2Fshibboleth-sp'
> 
> proving that pyFF has the metadata for the entityID.
> 
> But this query returns an empty <EntitiesDescriptor>:
> 
> curl 'http://127.0.0.1:8080/entities/%7Bsha1%7Dff767393c6b06e8282603e9e4541ac1e878d63aa'
> 
> Note that
> 
> $ python3
> Python 3.7.3 (default, Apr  3 2019, 05:39:12)
> [GCC 8.3.0] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from hashlib import sha1
> >>> m = sha1()
> >>> m.update(b'https://wiki.ligo.org/shibboleth-sp')
> >>> m.hexdigest()
> 'ff767393c6b06e8282603e9e4541ac1e878d63aa'
> 
> This is problematic since thiss-js wants to use sha1 hashes to query
> MDQ.
> 
> Is there something special I have to configure to get pyFF to accept the
> sha1 hash?
> 
> Thanks,
> 
> Scott K
> 
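
Added example, not part of the original message and not pyFF code: a small regression check that builds both MDQ request paths for an entityID (plain and {sha1}) and classifies each response as a match or an empty result. The fetch callable and the sample responses are constructed for illustration; only the entityID and the /entities/ paths come from the message.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_ID = "https://wiki.ligo.org/shibboleth-sp"  # entityID from the message


def mdq_paths(entity_id):
    """Return the plain and {sha1} MDQ request paths for one entityID."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return {
        "plain": "/entities/" + quote(entity_id, safe=""),
        "sha1": "/entities/" + quote("{sha1}" + digest, safe=""),
    }


def classify(body, entity_id):
    """Classify an MDQ response body as 'match', 'empty' or 'mismatch'."""
    # Bodies come from your own MDQ server; do not feed untrusted XML here.
    root = ET.fromstring(body)
    tag = "{%s}EntityDescriptor" % MD_NS
    found = [root] if root.tag == tag else root.findall(".//" + tag)
    if not found:
        return "empty"
    ids = {e.get("entityID") for e in found}
    return "match" if ids == {entity_id} else "mismatch"


def compare(fetch, entity_id):
    """fetch(path) -> XML text (hypothetical callable). Result per form."""
    return {form: classify(fetch(path), entity_id)
            for form, path in mdq_paths(entity_id).items()}


# Constructed responses reproducing the behaviour reported in the message.
_paths = mdq_paths(ENTITY_ID)
SAMPLE = {
    _paths["plain"]: '<md:EntityDescriptor xmlns:md="%s" entityID="%s"/>'
                     % (MD_NS, ENTITY_ID),
    _paths["sha1"]: '<md:EntitiesDescriptor xmlns:md="%s"/>' % MD_NS,
}

if __name__ == "__main__":
    for form, result in compare(SAMPLE.__getitem__, ENTITY_ID).items():
        print(form, _paths[form], result)
```

Against a live server, pass a fetch function that requests PYFF_PUBLIC_URL plus the path with an Accept: application/xml header; a result of plain=match with sha1=empty is the condition reported here.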

