authentik/passbook/providers/saml/utils/xml_signing.py

"""Signing code goes here."""
from typing import TYPE_CHECKING

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from lxml import etree  # nosec
from signxml import XMLSigner, XMLVerifier
from structlog import get_logger

from passbook.lib.utils.template import render_to_string

if TYPE_CHECKING:
    from passbook.providers.saml.models import SAMLProvider

LOGGER = get_logger()


def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -> str:
    """Sign Data with signxml"""
    key = serialization.load_pem_private_key(
        str.encode("\n".join([x.strip() for x in provider.signing_key.split("\n")])),
        password=None,
        backend=default_backend(),
    )
    # defused XML is not used here because it messes up XML namespaces
    # Data is trusted, so lxml is ok
    root = etree.fromstring(data)  # nosec
    signer = XMLSigner(
        c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
        signature_algorithm=provider.signature_algorithm,
        digest_algorithm=provider.digest_algorithm,
    )
    signed = signer.sign(
        root,
        key=key,
        cert=[provider.signing_kp.certificate_data],
        reference_uri=reference_uri,
    )
    XMLVerifier().verify(signed, x509_cert=provider.signing_kp.certificate_data)
    return etree.tostring(signed).decode("utf-8")  # nosec


def get_signature_xml() -> str:
    """Returns XML Signature for subject."""
    return render_to_string("saml/xml/signature.xml", {})
Many broken things 2018-11-16 08:10:35 +00:00			`"""Signing code goes here."""`
providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`from typing import TYPE_CHECKING`

Many broken things 2018-11-16 08:10:35 +00:00			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives import serialization`
saml_idp: fix bandit issues 2018-12-26 16:26:17 +00:00			`from lxml import etree # nosec`
saml_idp: cleanup, fix XML signing 2018-12-26 20:56:08 +00:00			`from signxml import XMLSigner, XMLVerifier`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
Many broken things 2018-11-16 08:10:35 +00:00
more cleanup, remove supervisr imports 2018-11-16 09:08:15 +00:00			`from passbook.lib.utils.template import render_to_string`
Many broken things 2018-11-16 08:10:35 +00:00
providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`if TYPE_CHECKING:`
			`from passbook.providers.saml.models import SAMLProvider`

*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
Many broken things 2018-11-16 08:10:35 +00:00

providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -> str:`
Many broken things 2018-11-16 08:10:35 +00:00			`"""Sign Data with signxml"""`
			`key = serialization.load_pem_private_key(`
providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`str.encode("\n".join([x.strip() for x in provider.signing_key.split("\n")])),`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`password=None,`
			`backend=default_backend(),`
			`)`
saml_idp: cleanup, fix XML signing 2018-12-26 20:56:08 +00:00			`# defused XML is not used here because it messes up XML namespaces`
			`# Data is trusted, so lxml is ok`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`root = etree.fromstring(data) # nosec`
providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`signer = XMLSigner(`
			`c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",`
			`signature_algorithm=provider.signature_algorithm,`
			`digest_algorithm=provider.digest_algorithm,`
			`)`
			`signed = signer.sign(`
providers/saml: switch to new crypto 2020-03-03 22:35:50 +00:00			`root,`
			`key=key,`
providers/saml: fix signing_kp typo 2020-03-05 16:09:08 +00:00			`cert=[provider.signing_kp.certificate_data],`
providers/saml: switch to new crypto 2020-03-03 22:35:50 +00:00			`reference_uri=reference_uri,`
providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`)`
providers/saml: fix signing_kp typo 2020-03-05 16:09:08 +00:00			`XMLVerifier().verify(signed, x509_cert=provider.signing_kp.certificate_data)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return etree.tostring(signed).decode("utf-8") # nosec`
Many broken things 2018-11-16 08:10:35 +00:00

providers/saml: add changeable signature and digest algorithm 2020-02-17 15:28:18 +00:00			`def get_signature_xml() -> str:`
Many broken things 2018-11-16 08:10:35 +00:00			`"""Returns XML Signature for subject."""`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return render_to_string("saml/xml/signature.xml", {})`