saml_idp: start rewriting to use DB Certs

2018-12-14 15:30:11 +01:00 · 2018-12-14 15:30:11 +01:00 · 625835a266
parent e81f525cea
commit 625835a266
4 changed files with 17 additions and 37 deletions
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@ -176,10 +176,10 @@ class Processor:

    def _format_response(self):
        """Formats _response_params as _response_xml."""
-        sign_it = CONFIG.y('saml_idp.signing', True)
        assertion_id = self._assertion_params['ASSERTION_ID']
+        # TODO: Get application/provider instance
        self._response_xml = xml_render.get_response_xml(self._response_params,
-                                                         signed=sign_it,
+                                                         saml_provider=None,
                                                         assertion_id=assertion_id)

    def _get_django_response_params(self):
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@ -19,7 +19,7 @@ from passbook.lib.config import CONFIG
 from passbook.lib.utils.template import render_to_string
 # from passbook.core.views.common import ErrorResponseView
 # from passbook.core.views.settings import GenericSettingView
-from passbook.saml_idp import exceptions, registry, xml_signing
+from passbook.saml_idp import exceptions, registry

 # from OpenSSL.crypto import FILETYPE_PEM
 # from OpenSSL.crypto import Error as CryptoError
@ -174,7 +174,7 @@ def descriptor(request):
    entity_id = CONFIG.y('saml_idp.issuer')
    slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
    sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
-    pubkey = xml_signing.load_certificate(strip=True)
+    pubkey = '' # TODO: Extract application/provider for pubkey
    ctx = {
        'entity_id': entity_id,
        'cert_public_key': pubkey,
--- a/passbook/saml_idp/xml_render.py
+++ b/passbook/saml_idp/xml_render.py
@ -3,8 +3,8 @@
 from logging import getLogger

 from passbook.lib.utils.template import render_to_string
-from passbook.saml_idp.xml_signing import (get_signature_xml, load_certificate,
-                                           load_private_key, sign_with_signxml)
+from passbook.saml_idp.models import SAMLProvider
+from passbook.saml_idp.xml_signing import get_signature_xml, sign_with_signxml

 LOGGER = getLogger(__name__)

@ -64,7 +64,7 @@ def get_assertion_xml(template, parameters, signed=False):
    return render_to_string(template, params)


-def get_response_xml(parameters, signed=False, assertion_id=''):
+def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=''):
    """Returns XML for response, with signatures, if signed is True."""
    # Reset signatures.
    params = {}
@ -72,22 +72,17 @@ def get_response_xml(parameters, signed=False, assertion_id=''):
    params['RESPONSE_SIGNATURE'] = ''
    _get_in_response_to(params)

-    unsigned = render_to_string('saml/xml/response.xml', params)
+    raw_response = render_to_string('saml/xml/response.xml', params)

    # LOGGER.debug('Unsigned: %s', unsigned)
-    if not signed:
-        return unsigned
+    if not saml_provider.signing:
+        return raw_response

-    raw_response = render_to_string('saml/xml/response.xml', params)
-    # Sign it.
-    if signed:
-        signature_xml = get_signature_xml()
-        params['RESPONSE_SIGNATURE'] = signature_xml
-        # LOGGER.debug("Raw response: %s", raw_response)
+    signature_xml = get_signature_xml()
+    params['RESPONSE_SIGNATURE'] = signature_xml
+    # LOGGER.debug("Raw response: %s", raw_response)

-        signed = sign_with_signxml(
-            load_private_key(), raw_response, [load_certificate(True)],
-            reference_uri=assertion_id) \
-            .decode("utf-8")
-        return signed
-    return raw_response
+    signed = sign_with_signxml(
+        saml_provider.signing_key, raw_response, [saml_provider.signing_cert],
+        reference_uri=assertion_id).decode("utf-8")
+    return signed
--- a/passbook/saml_idp/xml_signing.py
+++ b/passbook/saml_idp/xml_signing.py
@ -5,27 +5,12 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from defusedxml import ElementTree
 from signxml import XMLSigner
-from signxml.util import strip_pem_header

-from passbook.lib.config import CONFIG
 from passbook.lib.utils.template import render_to_string

 LOGGER = getLogger(__name__)


-def load_certificate(strip=False):
-    """Get Public key from config"""
-    cert = CONFIG.y('saml_idp.certificate', '')
-    if strip:
-        return strip_pem_header(cert.replace('\r', '')).replace('\n', '')
-    return cert
-
-
-def load_private_key():
-    """Get Private Key from config"""
-    return CONFIG.y('saml_idp.key', '')
-
-
 def sign_with_signxml(private_key, data, cert, reference_uri=None):
    """Sign Data with signxml"""
    key = serialization.load_pem_private_key(