saml_idp: start rewriting to use DB Certs
This commit is contained in:
parent
e81f525cea
commit
625835a266
|
@ -176,10 +176,10 @@ class Processor:
|
||||||
|
|
||||||
def _format_response(self):
|
def _format_response(self):
|
||||||
"""Formats _response_params as _response_xml."""
|
"""Formats _response_params as _response_xml."""
|
||||||
sign_it = CONFIG.y('saml_idp.signing', True)
|
|
||||||
assertion_id = self._assertion_params['ASSERTION_ID']
|
assertion_id = self._assertion_params['ASSERTION_ID']
|
||||||
|
# TODO: Get application/provider instance
|
||||||
self._response_xml = xml_render.get_response_xml(self._response_params,
|
self._response_xml = xml_render.get_response_xml(self._response_params,
|
||||||
signed=sign_it,
|
saml_provider=None,
|
||||||
assertion_id=assertion_id)
|
assertion_id=assertion_id)
|
||||||
|
|
||||||
def _get_django_response_params(self):
|
def _get_django_response_params(self):
|
||||||
|
|
|
@ -19,7 +19,7 @@ from passbook.lib.config import CONFIG
|
||||||
from passbook.lib.utils.template import render_to_string
|
from passbook.lib.utils.template import render_to_string
|
||||||
# from passbook.core.views.common import ErrorResponseView
|
# from passbook.core.views.common import ErrorResponseView
|
||||||
# from passbook.core.views.settings import GenericSettingView
|
# from passbook.core.views.settings import GenericSettingView
|
||||||
from passbook.saml_idp import exceptions, registry, xml_signing
|
from passbook.saml_idp import exceptions, registry
|
||||||
|
|
||||||
# from OpenSSL.crypto import FILETYPE_PEM
|
# from OpenSSL.crypto import FILETYPE_PEM
|
||||||
# from OpenSSL.crypto import Error as CryptoError
|
# from OpenSSL.crypto import Error as CryptoError
|
||||||
|
@ -174,7 +174,7 @@ def descriptor(request):
|
||||||
entity_id = CONFIG.y('saml_idp.issuer')
|
entity_id = CONFIG.y('saml_idp.issuer')
|
||||||
slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
|
slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
|
||||||
sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
|
sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
|
||||||
pubkey = xml_signing.load_certificate(strip=True)
|
pubkey = '' # TODO: Extract application/provider for pubkey
|
||||||
ctx = {
|
ctx = {
|
||||||
'entity_id': entity_id,
|
'entity_id': entity_id,
|
||||||
'cert_public_key': pubkey,
|
'cert_public_key': pubkey,
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
from logging import getLogger
|
from logging import getLogger
|
||||||
|
|
||||||
from passbook.lib.utils.template import render_to_string
|
from passbook.lib.utils.template import render_to_string
|
||||||
from passbook.saml_idp.xml_signing import (get_signature_xml, load_certificate,
|
from passbook.saml_idp.models import SAMLProvider
|
||||||
load_private_key, sign_with_signxml)
|
from passbook.saml_idp.xml_signing import get_signature_xml, sign_with_signxml
|
||||||
|
|
||||||
LOGGER = getLogger(__name__)
|
LOGGER = getLogger(__name__)
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ def get_assertion_xml(template, parameters, signed=False):
|
||||||
return render_to_string(template, params)
|
return render_to_string(template, params)
|
||||||
|
|
||||||
|
|
||||||
def get_response_xml(parameters, signed=False, assertion_id=''):
|
def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=''):
|
||||||
"""Returns XML for response, with signatures, if signed is True."""
|
"""Returns XML for response, with signatures, if signed is True."""
|
||||||
# Reset signatures.
|
# Reset signatures.
|
||||||
params = {}
|
params = {}
|
||||||
|
@ -72,22 +72,17 @@ def get_response_xml(parameters, signed=False, assertion_id=''):
|
||||||
params['RESPONSE_SIGNATURE'] = ''
|
params['RESPONSE_SIGNATURE'] = ''
|
||||||
_get_in_response_to(params)
|
_get_in_response_to(params)
|
||||||
|
|
||||||
unsigned = render_to_string('saml/xml/response.xml', params)
|
raw_response = render_to_string('saml/xml/response.xml', params)
|
||||||
|
|
||||||
# LOGGER.debug('Unsigned: %s', unsigned)
|
# LOGGER.debug('Unsigned: %s', unsigned)
|
||||||
if not signed:
|
if not saml_provider.signing:
|
||||||
return unsigned
|
return raw_response
|
||||||
|
|
||||||
raw_response = render_to_string('saml/xml/response.xml', params)
|
signature_xml = get_signature_xml()
|
||||||
# Sign it.
|
params['RESPONSE_SIGNATURE'] = signature_xml
|
||||||
if signed:
|
# LOGGER.debug("Raw response: %s", raw_response)
|
||||||
signature_xml = get_signature_xml()
|
|
||||||
params['RESPONSE_SIGNATURE'] = signature_xml
|
|
||||||
# LOGGER.debug("Raw response: %s", raw_response)
|
|
||||||
|
|
||||||
signed = sign_with_signxml(
|
signed = sign_with_signxml(
|
||||||
load_private_key(), raw_response, [load_certificate(True)],
|
saml_provider.signing_key, raw_response, [saml_provider.signing_cert],
|
||||||
reference_uri=assertion_id) \
|
reference_uri=assertion_id).decode("utf-8")
|
||||||
.decode("utf-8")
|
return signed
|
||||||
return signed
|
|
||||||
return raw_response
|
|
||||||
|
|
|
@ -5,27 +5,12 @@ from cryptography.hazmat.backends import default_backend
|
||||||
from cryptography.hazmat.primitives import serialization
|
from cryptography.hazmat.primitives import serialization
|
||||||
from defusedxml import ElementTree
|
from defusedxml import ElementTree
|
||||||
from signxml import XMLSigner
|
from signxml import XMLSigner
|
||||||
from signxml.util import strip_pem_header
|
|
||||||
|
|
||||||
from passbook.lib.config import CONFIG
|
|
||||||
from passbook.lib.utils.template import render_to_string
|
from passbook.lib.utils.template import render_to_string
|
||||||
|
|
||||||
LOGGER = getLogger(__name__)
|
LOGGER = getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
def load_certificate(strip=False):
|
|
||||||
"""Get Public key from config"""
|
|
||||||
cert = CONFIG.y('saml_idp.certificate', '')
|
|
||||||
if strip:
|
|
||||||
return strip_pem_header(cert.replace('\r', '')).replace('\n', '')
|
|
||||||
return cert
|
|
||||||
|
|
||||||
|
|
||||||
def load_private_key():
|
|
||||||
"""Get Private Key from config"""
|
|
||||||
return CONFIG.y('saml_idp.key', '')
|
|
||||||
|
|
||||||
|
|
||||||
def sign_with_signxml(private_key, data, cert, reference_uri=None):
|
def sign_with_signxml(private_key, data, cert, reference_uri=None):
|
||||||
"""Sign Data with signxml"""
|
"""Sign Data with signxml"""
|
||||||
key = serialization.load_pem_private_key(
|
key = serialization.load_pem_private_key(
|
||||||
|
|
Reference in New Issue