trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

saml_idp: start rewriting to use DB Certs

This commit is contained in:
Jens Langhammer 2018-12-14 15:30:11 +01:00
parent e81f525cea
commit 625835a266
4 changed files with 17 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
passbook/saml_idp/base.py
View File

@ -176,10 +176,10 @@ class Processor:
def _format_response(self): def _format_response(self):
"""Formats _response_params as _response_xml.""" """Formats _response_params as _response_xml."""
sign_it = CONFIG.y('saml_idp.signing', True)
assertion_id = self._assertion_params['ASSERTION_ID'] assertion_id = self._assertion_params['ASSERTION_ID']
# TODO: Get application/provider instance
self._response_xml = xml_render.get_response_xml(self._response_params, self._response_xml = xml_render.get_response_xml(self._response_params,
signed=sign_it, saml_provider=None,
assertion_id=assertion_id) assertion_id=assertion_id)
def _get_django_response_params(self): def _get_django_response_params(self):

4
passbook/saml_idp/views.py
View File

@ -19,7 +19,7 @@ from passbook.lib.config import CONFIG
from passbook.lib.utils.template import render_to_string from passbook.lib.utils.template import render_to_string
# from passbook.core.views.common import ErrorResponseView # from passbook.core.views.common import ErrorResponseView
# from passbook.core.views.settings import GenericSettingView # from passbook.core.views.settings import GenericSettingView
from passbook.saml_idp import exceptions, registry, xml_signing from passbook.saml_idp import exceptions, registry
# from OpenSSL.crypto import FILETYPE_PEM # from OpenSSL.crypto import FILETYPE_PEM
# from OpenSSL.crypto import Error as CryptoError # from OpenSSL.crypto import Error as CryptoError
@ -174,7 +174,7 @@ def descriptor(request):
entity_id = CONFIG.y('saml_idp.issuer') entity_id = CONFIG.y('saml_idp.issuer')
slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout')) slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin')) sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
pubkey = xml_signing.load_certificate(strip=True) pubkey = '' # TODO: Extract application/provider for pubkey
ctx = { ctx = {
'entity_id': entity_id, 'entity_id': entity_id,
'cert_public_key': pubkey, 'cert_public_key': pubkey,

21
passbook/saml_idp/xml_render.py
View File

@ -3,8 +3,8 @@
from logging import getLogger from logging import getLogger
from passbook.lib.utils.template import render_to_string from passbook.lib.utils.template import render_to_string
from passbook.saml_idp.xml_signing import (get_signature_xml, load_certificate, from passbook.saml_idp.models import SAMLProvider
load_private_key, sign_with_signxml) from passbook.saml_idp.xml_signing import get_signature_xml, sign_with_signxml
LOGGER = getLogger(__name__) LOGGER = getLogger(__name__)
@ -64,7 +64,7 @@ def get_assertion_xml(template, parameters, signed=False):
return render_to_string(template, params) return render_to_string(template, params)
def get_response_xml(parameters, signed=False, assertion_id=''): def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=''):
"""Returns XML for response, with signatures, if signed is True.""" """Returns XML for response, with signatures, if signed is True."""
# Reset signatures. # Reset signatures.
params = {} params = {}
@ -72,22 +72,17 @@ def get_response_xml(parameters, signed=False, assertion_id=''):
params['RESPONSE_SIGNATURE'] = '' params['RESPONSE_SIGNATURE'] = ''
_get_in_response_to(params) _get_in_response_to(params)
unsigned = render_to_string('saml/xml/response.xml', params) raw_response = render_to_string('saml/xml/response.xml', params)
# LOGGER.debug('Unsigned: %s', unsigned) # LOGGER.debug('Unsigned: %s', unsigned)
if not signed: if not saml_provider.signing:
return unsigned return raw_response
raw_response = render_to_string('saml/xml/response.xml', params)
# Sign it.
if signed:
signature_xml = get_signature_xml() signature_xml = get_signature_xml()
params['RESPONSE_SIGNATURE'] = signature_xml params['RESPONSE_SIGNATURE'] = signature_xml
# LOGGER.debug("Raw response: %s", raw_response) # LOGGER.debug("Raw response: %s", raw_response)
signed = sign_with_signxml( signed = sign_with_signxml(
load_private_key(), raw_response, [load_certificate(True)], saml_provider.signing_key, raw_response, [saml_provider.signing_cert],
reference_uri=assertion_id) \ reference_uri=assertion_id).decode("utf-8")
.decode("utf-8")
return signed return signed
return raw_response

15
passbook/saml_idp/xml_signing.py
View File

@ -5,27 +5,12 @@ from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
from defusedxml import ElementTree from defusedxml import ElementTree
from signxml import XMLSigner from signxml import XMLSigner
from signxml.util import strip_pem_header
from passbook.lib.config import CONFIG
from passbook.lib.utils.template import render_to_string from passbook.lib.utils.template import render_to_string
LOGGER = getLogger(__name__) LOGGER = getLogger(__name__)
def load_certificate(strip=False):
"""Get Public key from config"""
cert = CONFIG.y('saml_idp.certificate', '')
if strip:
return strip_pem_header(cert.replace('\r', '')).replace('\n', '')
return cert
def load_private_key():
"""Get Private Key from config"""
return CONFIG.y('saml_idp.key', '')
def sign_with_signxml(private_key, data, cert, reference_uri=None): def sign_with_signxml(private_key, data, cert, reference_uri=None):
"""Sign Data with signxml""" """Sign Data with signxml"""
key = serialization.load_pem_private_key( key = serialization.load_pem_private_key(