saml_idp: start rewriting to use DB Certs
This commit is contained in:
parent
e81f525cea
commit
625835a266
|
@ -176,10 +176,10 @@ class Processor:
|
|||
|
||||
def _format_response(self):
|
||||
"""Formats _response_params as _response_xml."""
|
||||
sign_it = CONFIG.y('saml_idp.signing', True)
|
||||
assertion_id = self._assertion_params['ASSERTION_ID']
|
||||
# TODO: Get application/provider instance
|
||||
self._response_xml = xml_render.get_response_xml(self._response_params,
|
||||
signed=sign_it,
|
||||
saml_provider=None,
|
||||
assertion_id=assertion_id)
|
||||
|
||||
def _get_django_response_params(self):
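Review bot: `saml_provider=None` is handed to `xml_render.get_response_xml`, whose rewritten body reads `saml_provider.signing` unconditionally, so every `_format_response` call raises AttributeError until the `# TODO: Get application/provider instance` is resolved. Until the lookup exists, fail explicitly rather than by accident, e.g. `raise NotImplementedError('SAML provider lookup not implemented')` ahead of the call, and once the lookup is added, a missing provider should raise rather than fall through to an unsigned response. Note that `sign_it` and the `saml_idp.signing` config read are dropped here, so that config key no longer affects response signing on this path; the signing decision now lives entirely on the provider model, which is worth stating in the commit message or a comment on the call.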
|
||||
|
|
|
@ -19,7 +19,7 @@ from passbook.lib.config import CONFIG
|
|||
from passbook.lib.utils.template import render_to_string
|
||||
# from passbook.core.views.common import ErrorResponseView
|
||||
# from passbook.core.views.settings import GenericSettingView
|
||||
from passbook.saml_idp import exceptions, registry, xml_signing
|
||||
from passbook.saml_idp import exceptions, registry
|
||||
|
||||
# from OpenSSL.crypto import FILETYPE_PEM
|
||||
# from OpenSSL.crypto import Error as CryptoError
|
||||
|
@ -174,7 +174,7 @@ def descriptor(request):
|
|||
entity_id = CONFIG.y('saml_idp.issuer')
|
||||
slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
|
||||
sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
|
||||
pubkey = xml_signing.load_certificate(strip=True)
|
||||
pubkey = '' # TODO: Extract application/provider for pubkey
|
||||
ctx = {
|
||||
'entity_id': entity_id,
|
||||
'cert_public_key': pubkey,
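Review bot: The IdP metadata served by `descriptor` now publishes an empty `cert_public_key`, so a service provider that fetches it during this transition receives no certificate with which to validate the responses that are still signed whenever the provider's `signing` flag is set; that is a functional break rather than a cosmetic TODO, and SPs tend to cache metadata. If the view cannot resolve a provider yet, returning an explicit error response is safer than well-formed metadata with a blank key, and once the provider lookup exists the value should come from the same certificate the response is signed with, stripped the way the removed `load_certificate(strip=True)` did. In the first hunk of this file `xml_signing` is dropped from the import, so the commented-out import lines kept above it read as leftovers and could go as well.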
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
from logging import getLogger
|
||||
|
||||
from passbook.lib.utils.template import render_to_string
|
||||
from passbook.saml_idp.xml_signing import (get_signature_xml, load_certificate,
|
||||
load_private_key, sign_with_signxml)
|
||||
from passbook.saml_idp.models import SAMLProvider
|
||||
from passbook.saml_idp.xml_signing import get_signature_xml, sign_with_signxml
|
||||
|
||||
LOGGER = getLogger(__name__)
|
||||
|
||||
|
@ -64,7 +64,7 @@ def get_assertion_xml(template, parameters, signed=False):
|
|||
return render_to_string(template, params)
|
||||
|
||||
|
||||
def get_response_xml(parameters, signed=False, assertion_id=''):
|
||||
def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=''):
|
||||
"""Returns XML for response, with signatures, if signed is True."""
|
||||
# Reset signatures.
|
||||
params = {}
|
||||
|
@ -72,22 +72,17 @@ def get_response_xml(parameters, signed=False, assertion_id=''):
|
|||
params['RESPONSE_SIGNATURE'] = ''
|
||||
_get_in_response_to(params)
|
||||
|
||||
unsigned = render_to_string('saml/xml/response.xml', params)
|
||||
raw_response = render_to_string('saml/xml/response.xml', params)
|
||||
|
||||
# LOGGER.debug('Unsigned: %s', unsigned)
|
||||
if not signed:
|
||||
return unsigned
|
||||
if not saml_provider.signing:
|
||||
return raw_response
|
||||
|
||||
raw_response = render_to_string('saml/xml/response.xml', params)
|
||||
# Sign it.
|
||||
if signed:
|
||||
signature_xml = get_signature_xml()
|
||||
params['RESPONSE_SIGNATURE'] = signature_xml
|
||||
# LOGGER.debug("Raw response: %s", raw_response)
|
||||
signature_xml = get_signature_xml()
|
||||
params['RESPONSE_SIGNATURE'] = signature_xml
|
||||
# LOGGER.debug("Raw response: %s", raw_response)
|
||||
|
||||
signed = sign_with_signxml(
|
||||
load_private_key(), raw_response, [load_certificate(True)],
|
||||
reference_uri=assertion_id) \
|
||||
.decode("utf-8")
|
||||
return signed
|
||||
return raw_response
|
||||
signed = sign_with_signxml(
|
||||
saml_provider.signing_key, raw_response, [saml_provider.signing_cert],
|
||||
reference_uri=assertion_id).decode("utf-8")
|
||||
return signed
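Review bot: `params['RESPONSE_SIGNATURE'] = signature_xml` is assigned after `raw_response` has already been rendered from `params`, so the signature placeholder never reaches the returned document; the assignment was already ineffective on the old side, but this rewrite is the place to either drop it or move the `render_to_string` call below it, whichever the template actually needs. The docstring in the preceding hunk of this file still says "with signatures, if signed is True" although the `signed` parameter is gone; suggest `"""Returns XML for response, signed when saml_provider.signing is set."""`. `saml_provider.signing_key` and `saml_provider.signing_cert` are passed straight to `sign_with_signxml`, where the old code passed PEM text from `load_private_key()` and a header-stripped `load_certificate(True)`; whether the model fields hold the same representation is not visible here, so please confirm that `signing_cert` is stripped the way the old helper stripped it, or strip it at this call site. `get_response_xml` starts outside this hunk.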
|
||||
|
|
|
@ -5,27 +5,12 @@ from cryptography.hazmat.backends import default_backend
|
|||
from cryptography.hazmat.primitives import serialization
|
||||
from defusedxml import ElementTree
|
||||
from signxml import XMLSigner
|
||||
from signxml.util import strip_pem_header
|
||||
|
||||
from passbook.lib.config import CONFIG
|
||||
from passbook.lib.utils.template import render_to_string
|
||||
|
||||
LOGGER = getLogger(__name__)
|
||||
|
||||
|
||||
def load_certificate(strip=False):
|
||||
"""Get Public key from config"""
|
||||
cert = CONFIG.y('saml_idp.certificate', '')
|
||||
if strip:
|
||||
return strip_pem_header(cert.replace('\r', '')).replace('\n', '')
|
||||
return cert
|
||||
|
||||
|
||||
def load_private_key():
|
||||
"""Get Private Key from config"""
|
||||
return CONFIG.y('saml_idp.key', '')
|
||||
|
||||
|
||||
def sign_with_signxml(private_key, data, cert, reference_uri=None):
|
||||
"""Sign Data with signxml"""
|
||||
key = serialization.load_pem_private_key(
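Review bot: `strip_pem_header` from `signxml.util` appears to survive this hunk while its only visible caller, the removed `load_certificate`, does not, so unless another use exists further down the file the import is now dead and should be deleted together with the helpers. `sign_with_signxml` still calls `serialization.load_pem_private_key` on `private_key`, so the `signing_key` value that `xml_render` now takes from the provider model must be PEM-encoded bytes or be converted before this call; that is not visible here, please confirm. With the CONFIG-backed loaders gone, a one-line module comment such as `# Key material is supplied by the caller (SAMLProvider); nothing is read from CONFIG here.` would help readers of the remaining function. The body of `sign_with_signxml` continues past the end of the hunk.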
|
||||
|
|