saml_idp: fix bandit issues

This commit is contained in:
Jens Langhammer 2018-12-26 17:26:17 +01:00
parent 60d4a30992
commit 4d5f688a44
No known key found for this signature in database
GPG Key ID: BEBC05297D92821B
4 changed files with 13 additions and 6 deletions

View File

@ -30,6 +30,7 @@ class SAMLProvider(Provider):
@property @property
def processor(self): def processor(self):
"""Return selected processor as instance"""
if not self._processor: if not self._processor:
self._processor = path_to_class(self.processor_path)(self) self._processor = path_to_class(self.processor_path)(self)
return self._processor return self._processor

View File

@ -4,9 +4,13 @@ from django.urls import path
from passbook.saml_idp import views from passbook.saml_idp import views
urlpatterns = [ urlpatterns = [
path('login/', views.LoginBeginView.as_view(), name="saml_login_begin"), path('login/<slug:application>/',
path('login/process/', views.LoginProcessView.as_view(), name='saml_login_process'), views.LoginBeginView.as_view(), name="saml_login_begin"),
path('login/<slug:application>/idp_init/',
views.LoginInitView.as_view(), name="saml_login_init"),
path('login/<slug:application>/process/',
views.LoginProcessView.as_view(), name='saml_login_process'),
path('logout/', views.LogoutView.as_view(), name="saml_logout"), path('logout/', views.LogoutView.as_view(), name="saml_logout"),
path('metadata/<int:application_id>/', path('metadata/<slug:application>/',
views.DescriptorDownloadView.as_view(), name='metadata_xml'), views.DescriptorDownloadView.as_view(), name='metadata_xml'),
] ]

View File

@ -44,6 +44,7 @@ class CertificateBuilder:
self.__certificate = None self.__certificate = None
def build(self): def build(self):
"""Build self-signed certificate"""
one_day = datetime.timedelta(1, 0, 0) one_day = datetime.timedelta(1, 0, 0)
self.__private_key = rsa.generate_private_key( self.__private_key = rsa.generate_private_key(
public_exponent=65537, public_exponent=65537,

View File

@ -4,7 +4,7 @@ from logging import getLogger
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
from defusedxml import ElementTree from defusedxml import ElementTree
from lxml import etree from lxml import etree # nosec
from signxml import XMLSigner from signxml import XMLSigner
from passbook.lib.utils.template import render_to_string from passbook.lib.utils.template import render_to_string
@ -17,8 +17,9 @@ def sign_with_signxml(private_key, data, cert, reference_uri=None):
key = serialization.load_pem_private_key( key = serialization.load_pem_private_key(
str.encode('\n'.join([x.strip() for x in private_key.split('\n')])), str.encode('\n'.join([x.strip() for x in private_key.split('\n')])),
password=None, backend=default_backend()) password=None, backend=default_backend())
root = etree.fromstring(data) # LXML is used here because defusedxml causes issues with serialization
# root = ElementTree.fromstring(data, forbid_entities=False) # data is trusted so no issues
root = etree.fromstring(data) # nosec
signer = XMLSigner(c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#') signer = XMLSigner(c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#')
signed = signer.sign(root, key=key, cert=cert, reference_uri=reference_uri) signed = signer.sign(root, key=key, cert=cert, reference_uri=reference_uri)
return ElementTree.tostring(signed) return ElementTree.tostring(signed)