Add eIDAS IdP validation rule for WantAuthnRequestsSigned

- Adds error validation rule to require want_authn_requests_signed to be
  set to True as defined in the eIDAS SAML Message Format v.1.2 spec
document
- Adds tests for the above scenario

Author: ioparaskev

src/saml2/config.py

@@ -737,7 +737,10 @@ def warning_validators(self):
 
     @property
     def error_validators(self):
-        idp_error_validators = {}
+        idp_error_validators = {
+            "want_authn_requests_signed MUST be set to True":
+            getattr(self, "_idp_want_authn_requests_signed", None) is True
+        }
         return {**super().error_validators, **idp_error_validators}
 
 

tests/eidas/eidas_idp_conf.py

@@ -37,7 +37,8 @@
             "subject_data": full_path("subject_data.db"),
             "node_country": "GR",
             "application_identifier": "CEF:eIDAS-ref:2.0",
-            "protocol_version": [1.1, 2.2]
+            "protocol_version": [1.1, 2.2],
+            "want_authn_requests_signed": True
         },
     },
     "debug": 1,

tests/eidas/test_idp.py

@@ -240,3 +240,13 @@ def test_entityid_no_https(self, config):
         config["entityid"] = "urn:mace:example.com:saml:roland:idp"
 
         self.assert_validation_error(config)
+
+    def test_want_authn_requests_signed_unset(self, config):
+        del config["service"]["idp"]["want_authn_requests_signed"]
+
+        self.assert_validation_error(config)
+
+    def test_want_authn_requests_signed_false(self, config):
+        config["service"]["idp"]["want_authn_requests_signed"] = False
+
+        self.assert_validation_error(config)