Conversation

@c00kiemon5ter (Member)

SATOSA does not work with allow_unsolicited set to false for a SAML backend.

This commit introduces an in-memory dictionary that stores outstanding queries, as needed and described by pysaml2:

A dictionary with session IDs as keys and the original web request from the user before redirection as values.

Requests are added as new authn requests are created, and removed as matching authn responses are sent, if the module is configured not to accept unsolicited responses. If an unsolicited response is found, it is logged and a SATOSAAuthenticationError is raised.

This could possibly be expanded to a real API that calls into some module that handles store and remove operations of the requests and gives the choice for the data to be persisted in a file or database, to support cross-process handling of unsolicited responses.
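The mechanism the description outlines, as an added example that is not SATOSA's or pysaml2's own code: a dictionary-backed store of outstanding queries (request id to original web request), an entry added when an authn request is created and consumed when the matching response arrives, and a response with no matching entry rejected when unsolicited responses are disallowed. The store is wrapped in a small class with add/pop methods so that, as the description suggests, a file- or database-backed variant could replace it. The class name, the error class and the sample request/response values are constructed assumptions; `UnsolicitedResponseError` stands in for SATOSAAuthenticationError.

```python
"""Added example: in-memory outstanding-queries store for a SAML SP backend.

Not SATOSA or pysaml2 code. Names (OutstandingQueries, UnsolicitedResponseError)
and the sample request/response values are constructed for illustration.
"""
import secrets
import threading
from typing import Dict, Optional


class UnsolicitedResponseError(Exception):
    """Stand-in for SATOSAAuthenticationError: response matched no outstanding request."""


class OutstandingQueries:
    """Request id -> original web request, guarded by a lock for threaded servers.

    Callers only use add()/pop()/len(), so a persistent (file or database)
    implementation with the same methods could replace this class.
    """

    def __init__(self) -> None:
        self._queries: Dict[str, str] = {}
        self._lock = threading.Lock()

    def add(self, request_id: str, original_request: str) -> None:
        with self._lock:
            self._queries[request_id] = original_request

    def pop(self, request_id: str) -> Optional[str]:
        """Remove and return the stored request, or None if the id is unknown."""
        with self._lock:
            return self._queries.pop(request_id, None)

    def __len__(self) -> int:
        return len(self._queries)


def create_authn_request(store: OutstandingQueries, original_request: str) -> dict:
    """Mint a request id, record the original request, return a minimal 'AuthnRequest'."""
    request_id = "id-" + secrets.token_hex(8)  # constructed id format
    store.add(request_id, original_request)
    return {"ID": request_id}


def handle_authn_response(store: OutstandingQueries, response: dict,
                          allow_unsolicited: bool) -> Optional[str]:
    """Return the original request for a solicited response.

    A response is unsolicited when its InResponseTo is missing or matches no
    outstanding entry. With allow_unsolicited False that raises; with it True
    the function returns None and the caller proceeds without the original
    request. Popping the entry means a reused InResponseTo is also unsolicited.
    """
    in_response_to = response.get("InResponseTo")
    original = store.pop(in_response_to) if in_response_to else None
    if original is None and not allow_unsolicited:
        # In SATOSA this is the point where the event is logged and
        # SATOSAAuthenticationError is raised.
        raise UnsolicitedResponseError(
            f"Unsolicited SAML response (InResponseTo={in_response_to!r})"
        )
    return original


def demo():
    """Solicited response is accepted once; a second use of the same id is rejected."""
    store = OutstandingQueries()
    req = create_authn_request(store, "GET /login?next=/app")  # constructed request
    got = handle_authn_response(store, {"InResponseTo": req["ID"]}, allow_unsolicited=False)
    try:
        handle_authn_response(store, {"InResponseTo": req["ID"]}, allow_unsolicited=False)
        second_rejected = False
    except UnsolicitedResponseError:
        second_rejected = True
    return got, second_rejected, len(store)


if __name__ == "__main__":
    print(demo())
```

The `allow_unsolicited` flag is passed in explicitly here; in SATOSA it comes from the pysaml2 SP configuration, and the discussion below covers how that value should be looked up.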

exc_info=True)
raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from exc

if self.sp.config.allow_unsolicited is False:
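Review bot: the condition on the last line reads `self.sp.config.allow_unsolicited`, which the thread confirms is not the SP-scoped setting; the option lives under the `services.sp` key, so it should be read as `self.sp.config.getattr('allow_unsolicited', 'sp')`. Note also that `is False` skips the block when the value is unset, so a missing option silently accepts unsolicited responses; a truthiness check such as `if not allow_unsolicited:` would make the restrictive path the fallback.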
@c00kiemon5ter (Member Author) commented:

oh noes! sp.config.allow_unsolicited does not set the correct value.
The correct value lies under self.sp.config._sp_allow_unsolicited.

@c00kiemon5ter c00kiemon5ter force-pushed the feature-disallow-unsolicited-support branch from c8ab723 to f698d85 Compare July 11, 2017 10:00
exc_info=True)
raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from exc

if self.sp.config._sp_allow_unsolicited is False:
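Review bot: `self.sp.config._sp_allow_unsolicited` on the last line reaches into a `_`-prefixed pysaml2 attribute that is not part of its public interface and may change without notice; prefer the accessor the later discussion settles on, `self.sp.config.getattr('allow_unsolicited', 'sp')`, so SATOSA depends only on documented behaviour.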
@c00kiemon5ter (Member Author) commented:

The PR passes the tests now, but this right here (peeking at _-prefixed/internal data) is really ugly. It should be fixed in pysaml2 (config.py). I will have a look.

Member commented:

Can you let us know if this can be easily addressed in pysaml2? I agree with you that this is ugly and we shouldn't let it in.

@c00kiemon5ter (Member Author) commented Jul 11, 2017:

Updated with a more standard approach.

@c00kiemon5ter c00kiemon5ter force-pushed the feature-disallow-unsolicited-support branch from f698d85 to e8669fe Compare July 11, 2017 11:34
@c00kiemon5ter (Member Author) commented Jul 11, 2017:

Regarding the problem that came up with the failed tests, the pysaml2 sp.config object exposes the allow_unsolicited attribute, which is misleading. It should be removed from the config object.

As this attribute/configuration-option is available under the services.sp key, it should be accessed using sp.config.getattr(<attribute/configuration-key>, <context>) which in our case is sp.config.getattr('allow_unsolicited', 'sp').

PS: See IdentityPython/pysaml2#430

@johanlundberg johanlundberg merged commit 85a1090 into IdentityPython:master Jul 11, 2017