Add SP config validation for https entityid

- Adds check that entityid is an https url based on eIDAS SAML Message
  Format v.1.2. There's no way of really validating that the url is
correct (there are many scenarios for false positives and negatives) so
we only check that the url scheme is https as the specs define
- Adds test for the above rule

Author: ioparaskev

src/saml2/config.py

@@ -9,6 +9,7 @@
 import sys
 from functools import partial
 import re
+from urllib import parse
 from iso3166 import countries
 
 import six
@@ -676,7 +677,10 @@ def validate(self):
             "application_identifier MUST be in the form <vendor name>:<software "
             "identifier>:<major-version>.<minor-version>[.<patch-version>]":
                 self.validate_application_identifier_format(
-                    self.get_application_identifier())
+                    self.get_application_identifier()),
+            "entityid MUST be an HTTPS URL pointing to the location of its published "
+            "metadata":
+                parse.urlparse(self.entityid).scheme == "https"
         }
 
         if not all(error_validators.values()):

tests/eidas/sp_conf.py

@@ -2,7 +2,7 @@
 from pathutils import xmlsec_path
 
 CONFIG = {
-    "entityid": "urn:mace:example.com:saml:roland:sp",
+    "entityid": "https://example.org",
     "name": "urn:mace:example.com:saml:roland:sp",
     "description": "My own SP",
     "service": {

tests/eidas/test_sp.py

@@ -336,3 +336,12 @@ def test_support_contact_person_empty_email(self,
 
         with pytest.raises(ConfigValidationError):
             conf.validate()
+
+    def test_entityid_no_https(self, config):
+        config["entityid"] = "urn:mace:example.com:saml:roland:idp"
+
+        conf = eIDASSPConfig()
+        conf.load(config)
+
+        with pytest.raises(ConfigValidationError):
+            conf.validate()