commit
b489b0e691
|
@ -64,6 +64,12 @@
|
||||||
{% trans 'Policies' %}
|
{% trans 'Policies' %}
|
||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li class="pf-c-nav__item">
|
||||||
|
<a href="{% url 'passbook_admin:certificate_key_pair' %}"
|
||||||
|
class="pf-c-nav__link {% is_active 'passbook_admin:certificate_key_pair' 'passbook_admin:certificatekeypair-create' 'passbook_admin:certificatekeypair-update' 'passbook_admin:certificatekeypair-delete' %}">
|
||||||
|
{% trans 'Certificates' %}
|
||||||
|
</a>
|
||||||
|
</li>
|
||||||
<li class="pf-c-nav__item">
|
<li class="pf-c-nav__item">
|
||||||
<a href="{% url 'passbook_admin:invitations' %}"
|
<a href="{% url 'passbook_admin:invitations' %}"
|
||||||
class="pf-c-nav__link {% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
class="pf-c-nav__link {% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
{% extends "administration/base.html" %}
|
||||||
|
|
||||||
|
{% load i18n %}
|
||||||
|
{% load utils %}
|
||||||
|
|
||||||
|
{% block content %}
|
||||||
|
<section class="pf-c-page__main-section pf-m-light">
|
||||||
|
<div class="pf-c-content">
|
||||||
|
<h1>
|
||||||
|
<i class="pf-icon pf-icon-key"></i>
|
||||||
|
{% trans 'Certificate-Key Pairs' %}
|
||||||
|
</h1>
|
||||||
|
<p>{% trans "Import certificates of external providers or create certificates to sign requests with." %}</p>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
<section class="pf-c-page__main-section pf-m-no-padding-mobile">
|
||||||
|
<div class="pf-c-card">
|
||||||
|
<div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-top">
|
||||||
|
<div class="pf-c-toolbar__action-group">
|
||||||
|
<a href="{% url 'passbook_admin:certificatekeypair-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
|
||||||
|
</div>
|
||||||
|
{% include 'partials/pagination.html' %}
|
||||||
|
</div>
|
||||||
|
<table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
|
||||||
|
<thead>
|
||||||
|
<tr role="row">
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Name' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Private Key available' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Fingerprint' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Provider Type' %}</th>
|
||||||
|
<th role="cell"></th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody role="rowgroup">
|
||||||
|
{% for kp in object_list %}
|
||||||
|
<tr role="row">
|
||||||
|
<th role="columnheader">
|
||||||
|
<div>
|
||||||
|
<div>{{ kp.name }}</div>
|
||||||
|
</div>
|
||||||
|
</th>
|
||||||
|
<td role="cell">
|
||||||
|
<span>
|
||||||
|
{% if kp.key_data is not None %}
|
||||||
|
{% trans 'Yes' %}
|
||||||
|
{% else %}
|
||||||
|
{% trans 'No' %}
|
||||||
|
{% endif %}
|
||||||
|
</span>
|
||||||
|
</td>
|
||||||
|
<td role="cell">
|
||||||
|
<span>
|
||||||
|
{{ kp.fingerprint }}
|
||||||
|
</span>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:certificatekeypair-update' pk=kp.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
|
||||||
|
<a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:certificatekeypair-delete' pk=kp.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
{% endfor %}
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
|
||||||
|
{% include 'partials/pagination.html' %}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
{% endblock %}
|
|
@ -4,6 +4,7 @@ from django.urls import path
|
||||||
from passbook.admin.views import (
|
from passbook.admin.views import (
|
||||||
applications,
|
applications,
|
||||||
audit,
|
audit,
|
||||||
|
certificate_key_pair,
|
||||||
debug,
|
debug,
|
||||||
factors,
|
factors,
|
||||||
groups,
|
groups,
|
||||||
|
@ -148,6 +149,27 @@ urlpatterns = [
|
||||||
path(
|
path(
|
||||||
"group/<uuid:pk>/delete/", groups.GroupDeleteView.as_view(), name="group-delete"
|
"group/<uuid:pk>/delete/", groups.GroupDeleteView.as_view(), name="group-delete"
|
||||||
),
|
),
|
||||||
|
# Certificate-Key Pairs
|
||||||
|
path(
|
||||||
|
"crypto/certificates/",
|
||||||
|
certificate_key_pair.CertificateKeyPairListView.as_view(),
|
||||||
|
name="certificate_key_pair",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/create/",
|
||||||
|
certificate_key_pair.CertificateKeyPairCreateView.as_view(),
|
||||||
|
name="certificatekeypair-create",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/<uuid:pk>/update/",
|
||||||
|
certificate_key_pair.CertificateKeyPairUpdateView.as_view(),
|
||||||
|
name="certificatekeypair-update",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/<uuid:pk>/delete/",
|
||||||
|
certificate_key_pair.CertificateKeyPairDeleteView.as_view(),
|
||||||
|
name="certificatekeypair-delete",
|
||||||
|
),
|
||||||
# Audit Log
|
# Audit Log
|
||||||
path("audit/", audit.EventListView.as_view(), name="audit-log"),
|
path("audit/", audit.EventListView.as_view(), name="audit-log"),
|
||||||
# Groups
|
# Groups
|
||||||
|
|
77
passbook/admin/views/certificate_key_pair.py
Normal file
77
passbook/admin/views/certificate_key_pair.py
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
"""passbook CertificateKeyPair administration"""
|
||||||
|
from django.contrib import messages
|
||||||
|
from django.contrib.auth.mixins import LoginRequiredMixin
|
||||||
|
from django.contrib.auth.mixins import (
|
||||||
|
PermissionRequiredMixin as DjangoPermissionRequiredMixin,
|
||||||
|
)
|
||||||
|
from django.contrib.messages.views import SuccessMessageMixin
|
||||||
|
from django.urls import reverse_lazy
|
||||||
|
from django.utils.translation import ugettext as _
|
||||||
|
from django.views.generic import DeleteView, ListView, UpdateView
|
||||||
|
from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
|
||||||
|
|
||||||
|
from passbook.crypto.forms import CertificateKeyPairForm
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
from passbook.lib.views import CreateAssignPermView
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairListView(LoginRequiredMixin, PermissionListMixin, ListView):
|
||||||
|
"""Show list of all keypairs"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
permission_required = "passbook_crypto.view_certificatekeypair"
|
||||||
|
ordering = "name"
|
||||||
|
paginate_by = 40
|
||||||
|
template_name = "administration/certificatekeypair/list.html"
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairCreateView(
|
||||||
|
SuccessMessageMixin,
|
||||||
|
LoginRequiredMixin,
|
||||||
|
DjangoPermissionRequiredMixin,
|
||||||
|
CreateAssignPermView,
|
||||||
|
):
|
||||||
|
"""Create new CertificateKeyPair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
form_class = CertificateKeyPairForm
|
||||||
|
permission_required = "passbook_crypto.add_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/create.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully created CertificateKeyPair")
|
||||||
|
|
||||||
|
def get_context_data(self, **kwargs):
|
||||||
|
kwargs["type"] = "Certificate-Key Pair"
|
||||||
|
return super().get_context_data(**kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairUpdateView(
|
||||||
|
SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
|
||||||
|
):
|
||||||
|
"""Update certificatekeypair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
form_class = CertificateKeyPairForm
|
||||||
|
permission_required = "passbook_crypto.change_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/update.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully updated Certificate-Key Pair")
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairDeleteView(
|
||||||
|
SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, DeleteView
|
||||||
|
):
|
||||||
|
"""Delete certificatekeypair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
permission_required = "passbook_crypto.delete_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/delete.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully deleted Certificate-Key Pair")
|
||||||
|
|
||||||
|
def delete(self, request, *args, **kwargs):
|
||||||
|
messages.success(self.request, self.success_message)
|
||||||
|
return super().delete(request, *args, **kwargs)
|
0
passbook/crypto/__init__.py
Normal file
0
passbook/crypto/__init__.py
Normal file
5
passbook/crypto/admin.py
Normal file
5
passbook/crypto/admin.py
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
"""passbook crypto model admin"""
|
||||||
|
|
||||||
|
from passbook.lib.admin import admin_autoregister
|
||||||
|
|
||||||
|
admin_autoregister("passbook_crypto")
|
10
passbook/crypto/apps.py
Normal file
10
passbook/crypto/apps.py
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
"""passbook crypto app config"""
|
||||||
|
from django.apps import AppConfig
|
||||||
|
|
||||||
|
|
||||||
|
class PassbookCryptoConfig(AppConfig):
|
||||||
|
"""passbook crypto app config"""
|
||||||
|
|
||||||
|
name = "passbook.crypto"
|
||||||
|
label = "passbook_crypto"
|
||||||
|
verbose_name = "passbook Crypto"
|
|
@ -36,8 +36,7 @@ class CertificateBuilder:
|
||||||
x509.Name(
|
x509.Name(
|
||||||
[
|
[
|
||||||
x509.NameAttribute(
|
x509.NameAttribute(
|
||||||
NameOID.COMMON_NAME,
|
NameOID.COMMON_NAME, u"passbook Self-signed Certificate",
|
||||||
u"passbook Self-signed SAML Certificate",
|
|
||||||
),
|
),
|
||||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"passbook"),
|
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"passbook"),
|
||||||
x509.NameAttribute(
|
x509.NameAttribute(
|
||||||
|
@ -50,8 +49,7 @@ class CertificateBuilder:
|
||||||
x509.Name(
|
x509.Name(
|
||||||
[
|
[
|
||||||
x509.NameAttribute(
|
x509.NameAttribute(
|
||||||
NameOID.COMMON_NAME,
|
NameOID.COMMON_NAME, u"passbook Self-signed Certificate",
|
||||||
u"passbook Self-signed SAML Certificate",
|
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
)
|
)
|
27
passbook/crypto/forms.py
Normal file
27
passbook/crypto/forms.py
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
"""passbook Crypto forms"""
|
||||||
|
from django import forms
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairForm(forms.ModelForm):
|
||||||
|
"""CertificateKeyPair Form"""
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
fields = [
|
||||||
|
"name",
|
||||||
|
"certificate_data",
|
||||||
|
"key_data",
|
||||||
|
]
|
||||||
|
widgets = {
|
||||||
|
"name": forms.TextInput(),
|
||||||
|
"certificate_data": forms.Textarea(attrs={"class": "monospaced"}),
|
||||||
|
"key_data": forms.Textarea(attrs={"class": "monospaced"}),
|
||||||
|
}
|
||||||
|
labels = {
|
||||||
|
"certificate_data": _("Certificate"),
|
||||||
|
"key_data": _("Private Key"),
|
||||||
|
}
|
67
passbook/crypto/migrations/0001_initial.py
Normal file
67
passbook/crypto/migrations/0001_initial.py
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
# Generated by Django 3.0.3 on 2020-03-03 21:45
|
||||||
|
|
||||||
|
import uuid
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
def create_self_signed(apps, schema_editor):
|
||||||
|
CertificateKeyPair = apps.get_model("passbook_crypto", "CertificateKeyPair")
|
||||||
|
db_alias = schema_editor.connection.alias
|
||||||
|
from passbook.crypto.builder import CertificateBuilder
|
||||||
|
|
||||||
|
builder = CertificateBuilder()
|
||||||
|
builder.build()
|
||||||
|
CertificateKeyPair.objects.using(db_alias).create(
|
||||||
|
name="passbook Self-signed Certificate",
|
||||||
|
certificate_data=builder.certificate,
|
||||||
|
key_data=builder.private_key,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
initial = True
|
||||||
|
|
||||||
|
dependencies = []
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name="CertificateKeyPair",
|
||||||
|
fields=[
|
||||||
|
("created", models.DateTimeField(auto_now_add=True)),
|
||||||
|
("last_updated", models.DateTimeField(auto_now=True)),
|
||||||
|
(
|
||||||
|
"uuid",
|
||||||
|
models.UUIDField(
|
||||||
|
default=uuid.uuid4,
|
||||||
|
editable=False,
|
||||||
|
primary_key=True,
|
||||||
|
serialize=False,
|
||||||
|
),
|
||||||
|
),
|
||||||
|
("name", models.TextField()),
|
||||||
|
("certificate_data", models.TextField()),
|
||||||
|
("key_data", models.TextField(blank=True, default="")),
|
||||||
|
],
|
||||||
|
options={
|
||||||
|
"verbose_name": "Certificate-Key Pair",
|
||||||
|
"verbose_name_plural": "Certificate-Key Pairs",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
migrations.RunPython(create_self_signed),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="certificatekeypair",
|
||||||
|
name="certificate_data",
|
||||||
|
field=models.TextField(help_text="PEM-encoded Certificate data"),
|
||||||
|
),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="certificatekeypair",
|
||||||
|
name="key_data",
|
||||||
|
field=models.TextField(
|
||||||
|
blank=True,
|
||||||
|
default="",
|
||||||
|
help_text="Optional Private Key. If this is set, you can use this keypair for encryption.",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
0
passbook/crypto/migrations/__init__.py
Normal file
0
passbook/crypto/migrations/__init__.py
Normal file
64
passbook/crypto/models.py
Normal file
64
passbook/crypto/models.py
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
"""passbook crypto models"""
|
||||||
|
from binascii import hexlify
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.hazmat.primitives import hashes
|
||||||
|
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
|
||||||
|
from cryptography.hazmat.primitives.serialization import load_pem_private_key
|
||||||
|
from cryptography.x509 import Certificate, load_pem_x509_certificate
|
||||||
|
from django.db import models
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
|
from passbook.lib.models import CreatedUpdatedModel, UUIDModel
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPair(UUIDModel, CreatedUpdatedModel):
|
||||||
|
"""CertificateKeyPair that can be used for signing or encrypting if `key_data`
|
||||||
|
is set, otherwise it can be used to verify remote data."""
|
||||||
|
|
||||||
|
name = models.TextField()
|
||||||
|
certificate_data = models.TextField(help_text=_("PEM-encoded Certificate data"))
|
||||||
|
key_data = models.TextField(
|
||||||
|
help_text=_(
|
||||||
|
"Optional Private Key. If this is set, you can use this keypair for encryption."
|
||||||
|
),
|
||||||
|
blank=True,
|
||||||
|
default="",
|
||||||
|
)
|
||||||
|
|
||||||
|
_cert: Optional[Certificate] = None
|
||||||
|
_key: Optional[RSAPrivateKey] = None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def certificate(self) -> Certificate:
|
||||||
|
"""Get python cryptography Certificate instance"""
|
||||||
|
if not self._cert:
|
||||||
|
self._cert = load_pem_x509_certificate(
|
||||||
|
self.certificate_data.encode("utf-8"), default_backend()
|
||||||
|
)
|
||||||
|
return self._cert
|
||||||
|
|
||||||
|
@property
|
||||||
|
def private_key(self) -> Optional[RSAPrivateKey]:
|
||||||
|
"""Get python cryptography PrivateKey instance"""
|
||||||
|
if not self._key:
|
||||||
|
self._key = load_pem_private_key(
|
||||||
|
str.encode("\n".join([x.strip() for x in self.key_data.split("\n")])),
|
||||||
|
password=None,
|
||||||
|
backend=default_backend(),
|
||||||
|
)
|
||||||
|
return self._key
|
||||||
|
|
||||||
|
@property
|
||||||
|
def fingerprint(self) -> str:
|
||||||
|
"""Get SHA256 Fingerprint of certificate_data"""
|
||||||
|
return hexlify(self.certificate.fingerprint(hashes.SHA256())).decode("utf-8")
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Certificate-Key Pair {self.name} {self.fingerprint}"
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
verbose_name = _("Certificate-Key Pair")
|
||||||
|
verbose_name_plural = _("Certificate-Key Pairs")
|
|
@ -24,9 +24,7 @@ class SAMLProviderSerializer(ModelSerializer):
|
||||||
"property_mappings",
|
"property_mappings",
|
||||||
"digest_algorithm",
|
"digest_algorithm",
|
||||||
"signature_algorithm",
|
"signature_algorithm",
|
||||||
"signing",
|
"singing_kp",
|
||||||
"signing_cert",
|
|
||||||
"signing_key",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,6 @@ from passbook.providers.saml.models import (
|
||||||
SAMLProvider,
|
SAMLProvider,
|
||||||
get_provider_choices,
|
get_provider_choices,
|
||||||
)
|
)
|
||||||
from passbook.providers.saml.utils.cert import CertificateBuilder
|
|
||||||
|
|
||||||
|
|
||||||
class SAMLProviderForm(forms.ModelForm):
|
class SAMLProviderForm(forms.ModelForm):
|
||||||
|
@ -19,13 +18,6 @@ class SAMLProviderForm(forms.ModelForm):
|
||||||
choices=get_provider_choices(), label="Processor"
|
choices=get_provider_choices(), label="Processor"
|
||||||
)
|
)
|
||||||
|
|
||||||
def __init__(self, *args, **kwargs):
|
|
||||||
super().__init__(*args, **kwargs)
|
|
||||||
builder = CertificateBuilder()
|
|
||||||
builder.build()
|
|
||||||
self.fields["signing_cert"].initial = builder.certificate
|
|
||||||
self.fields["signing_key"].initial = builder.private_key
|
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
|
|
||||||
model = SAMLProvider
|
model = SAMLProvider
|
||||||
|
@ -41,9 +33,7 @@ class SAMLProviderForm(forms.ModelForm):
|
||||||
"property_mappings",
|
"property_mappings",
|
||||||
"digest_algorithm",
|
"digest_algorithm",
|
||||||
"signature_algorithm",
|
"signature_algorithm",
|
||||||
"signing",
|
"singing_kp",
|
||||||
"signing_cert",
|
|
||||||
"signing_key",
|
|
||||||
]
|
]
|
||||||
widgets = {
|
widgets = {
|
||||||
"name": forms.TextInput(),
|
"name": forms.TextInput(),
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# Generated by Django 3.0.3 on 2020-03-03 21:57
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("passbook_crypto", "0001_initial"),
|
||||||
|
("passbook_providers_saml", "0006_auto_20200217_2031"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RemoveField(model_name="samlprovider", name="signing",),
|
||||||
|
migrations.RemoveField(model_name="samlprovider", name="signing_cert",),
|
||||||
|
migrations.RemoveField(model_name="samlprovider", name="signing_key",),
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="samlprovider",
|
||||||
|
name="singing_kp",
|
||||||
|
field=models.ForeignKey(
|
||||||
|
default=None,
|
||||||
|
help_text="Singing is enabled upon selection of a Key Pair.",
|
||||||
|
null=True,
|
||||||
|
on_delete=django.db.models.deletion.SET_NULL,
|
||||||
|
to="passbook_crypto.CertificateKeyPair",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
|
@ -8,6 +8,7 @@ from django.utils.translation import ugettext_lazy as _
|
||||||
from structlog import get_logger
|
from structlog import get_logger
|
||||||
|
|
||||||
from passbook.core.models import PropertyMapping, Provider
|
from passbook.core.models import PropertyMapping, Provider
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
from passbook.lib.utils.reflection import class_to_path, path_to_class
|
from passbook.lib.utils.reflection import class_to_path, path_to_class
|
||||||
from passbook.lib.utils.template import render_to_string
|
from passbook.lib.utils.template import render_to_string
|
||||||
from passbook.providers.saml.processors.base import Processor
|
from passbook.providers.saml.processors.base import Processor
|
||||||
|
@ -74,9 +75,13 @@ class SAMLProvider(Provider):
|
||||||
default="rsa-sha256",
|
default="rsa-sha256",
|
||||||
)
|
)
|
||||||
|
|
||||||
signing = models.BooleanField(default=True)
|
singing_kp = models.ForeignKey(
|
||||||
signing_cert = models.TextField(verbose_name=_("Singing Certificate"))
|
CertificateKeyPair,
|
||||||
signing_key = models.TextField()
|
default=None,
|
||||||
|
null=True,
|
||||||
|
help_text=_("Singing is enabled upon selection of a Key Pair."),
|
||||||
|
on_delete=models.SET_NULL,
|
||||||
|
)
|
||||||
|
|
||||||
form = "passbook.providers.saml.forms.SAMLProviderForm"
|
form = "passbook.providers.saml.forms.SAMLProviderForm"
|
||||||
_processor = None
|
_processor = None
|
||||||
|
|
|
@ -31,9 +31,12 @@ def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -
|
||||||
digest_algorithm=provider.digest_algorithm,
|
digest_algorithm=provider.digest_algorithm,
|
||||||
)
|
)
|
||||||
signed = signer.sign(
|
signed = signer.sign(
|
||||||
root, key=key, cert=[provider.signing_cert], reference_uri=reference_uri
|
root,
|
||||||
|
key=key,
|
||||||
|
cert=[provider.singing_kp.certificate_data],
|
||||||
|
reference_uri=reference_uri,
|
||||||
)
|
)
|
||||||
XMLVerifier().verify(signed, x509_cert=provider.signing_cert)
|
XMLVerifier().verify(signed, x509_cert=provider.singing_kp.certificate_data)
|
||||||
return etree.tostring(signed).decode("utf-8") # nosec
|
return etree.tostring(signed).decode("utf-8") # nosec
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -274,9 +274,9 @@ class DescriptorDownloadView(AccessRequiredView):
|
||||||
kwargs={"application": provider.application.slug},
|
kwargs={"application": provider.application.slug},
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
pubkey = strip_pem_header(provider.signing_cert.replace("\r", "")).replace(
|
pubkey = strip_pem_header(
|
||||||
"\n", ""
|
provider.singing_kp.certificate_data.replace("\r", "")
|
||||||
)
|
).replace("\n", "")
|
||||||
subject_format = provider.processor.subject_format
|
subject_format = provider.processor.subject_format
|
||||||
ctx = {
|
ctx = {
|
||||||
"entity_id": entity_id,
|
"entity_id": entity_id,
|
||||||
|
|
|
@ -85,6 +85,7 @@ INSTALLED_APPS = [
|
||||||
"passbook.api.apps.PassbookAPIConfig",
|
"passbook.api.apps.PassbookAPIConfig",
|
||||||
"passbook.lib.apps.PassbookLibConfig",
|
"passbook.lib.apps.PassbookLibConfig",
|
||||||
"passbook.audit.apps.PassbookAuditConfig",
|
"passbook.audit.apps.PassbookAuditConfig",
|
||||||
|
"passbook.crypto.apps.PassbookCryptoConfig",
|
||||||
"passbook.recovery.apps.PassbookRecoveryConfig",
|
"passbook.recovery.apps.PassbookRecoveryConfig",
|
||||||
"passbook.sources.saml.apps.PassbookSourceSAMLConfig",
|
"passbook.sources.saml.apps.PassbookSourceSAMLConfig",
|
||||||
"passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
|
"passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
|
||||||
|
|
|
@ -17,7 +17,7 @@ class SAMLSourceSerializer(ModelSerializer):
|
||||||
"idp_url",
|
"idp_url",
|
||||||
"idp_logout_url",
|
"idp_logout_url",
|
||||||
"auto_logout",
|
"auto_logout",
|
||||||
"signing_cert",
|
"signing_kp",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -5,19 +5,12 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
|
||||||
from django.utils.translation import gettext as _
|
from django.utils.translation import gettext as _
|
||||||
|
|
||||||
from passbook.admin.forms.source import SOURCE_FORM_FIELDS
|
from passbook.admin.forms.source import SOURCE_FORM_FIELDS
|
||||||
from passbook.providers.saml.utils.cert import CertificateBuilder
|
|
||||||
from passbook.sources.saml.models import SAMLSource
|
from passbook.sources.saml.models import SAMLSource
|
||||||
|
|
||||||
|
|
||||||
class SAMLSourceForm(forms.ModelForm):
|
class SAMLSourceForm(forms.ModelForm):
|
||||||
"""SAML Provider form"""
|
"""SAML Provider form"""
|
||||||
|
|
||||||
def __init__(self, *args, **kwargs):
|
|
||||||
super().__init__(*args, **kwargs)
|
|
||||||
builder = CertificateBuilder()
|
|
||||||
builder.build()
|
|
||||||
self.fields["signing_cert"].initial = builder.certificate
|
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
|
|
||||||
model = SAMLSource
|
model = SAMLSource
|
||||||
|
@ -26,7 +19,7 @@ class SAMLSourceForm(forms.ModelForm):
|
||||||
"idp_url",
|
"idp_url",
|
||||||
"idp_logout_url",
|
"idp_logout_url",
|
||||||
"auto_logout",
|
"auto_logout",
|
||||||
"signing_cert",
|
"signing_kp",
|
||||||
]
|
]
|
||||||
widgets = {
|
widgets = {
|
||||||
"name": forms.TextInput(),
|
"name": forms.TextInput(),
|
||||||
|
|
27
passbook/sources/saml/migrations/0006_auto_20200303_2201.py
Normal file
27
passbook/sources/saml/migrations/0006_auto_20200303_2201.py
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# Generated by Django 3.0.3 on 2020-03-03 22:01
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("passbook_crypto", "0001_initial"),
|
||||||
|
("passbook_sources_saml", "0005_auto_20200220_1621"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RemoveField(model_name="samlsource", name="signing_cert",),
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="samlsource",
|
||||||
|
name="signing_kp",
|
||||||
|
field=models.ForeignKey(
|
||||||
|
default=None,
|
||||||
|
help_text="Certificate Key Pair of the IdP which Assertions are validated against.",
|
||||||
|
null=True,
|
||||||
|
on_delete=django.db.models.deletion.SET_NULL,
|
||||||
|
to="passbook_crypto.CertificateKeyPair",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
|
@ -5,6 +5,7 @@ from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
from passbook.core.models import Source
|
from passbook.core.models import Source
|
||||||
from passbook.core.types import UILoginButton
|
from passbook.core.types import UILoginButton
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
|
||||||
|
|
||||||
class SAMLSource(Source):
|
class SAMLSource(Source):
|
||||||
|
@ -22,7 +23,16 @@ class SAMLSource(Source):
|
||||||
default=None, blank=True, null=True, verbose_name=_("IDP Logout URL")
|
default=None, blank=True, null=True, verbose_name=_("IDP Logout URL")
|
||||||
)
|
)
|
||||||
auto_logout = models.BooleanField(default=False)
|
auto_logout = models.BooleanField(default=False)
|
||||||
signing_cert = models.TextField()
|
|
||||||
|
signing_kp = models.ForeignKey(
|
||||||
|
CertificateKeyPair,
|
||||||
|
default=None,
|
||||||
|
null=True,
|
||||||
|
help_text=_(
|
||||||
|
"Certificate Key Pair of the IdP which Assertions are validated against."
|
||||||
|
),
|
||||||
|
on_delete=models.SET_NULL,
|
||||||
|
)
|
||||||
|
|
||||||
form = "passbook.sources.saml.forms.SAMLSourceForm"
|
form = "passbook.sources.saml.forms.SAMLSourceForm"
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ class Processor:
|
||||||
def _verify_signed(self):
|
def _verify_signed(self):
|
||||||
"""Verify SAML Response's Signature"""
|
"""Verify SAML Response's Signature"""
|
||||||
verifier = XMLVerifier()
|
verifier = XMLVerifier()
|
||||||
verifier.verify(self._root_xml, x509_cert=self._source.signing_cert)
|
verifier.verify(self._root_xml, x509_cert=self._source.signing_kp.certificate)
|
||||||
|
|
||||||
def _get_email(self) -> Optional[str]:
|
def _get_email(self) -> Optional[str]:
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -101,9 +101,9 @@ class MetadataView(View):
|
||||||
"""Replies with the XML Metadata SPSSODescriptor."""
|
"""Replies with the XML Metadata SPSSODescriptor."""
|
||||||
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
|
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
|
||||||
issuer = get_issuer(request, source)
|
issuer = get_issuer(request, source)
|
||||||
cert_stripped = strip_pem_header(source.signing_cert.replace("\r", "")).replace(
|
cert_stripped = strip_pem_header(
|
||||||
"\n", ""
|
source.signing_kp.certificate_data.replace("\r", "")
|
||||||
)
|
).replace("\n", "")
|
||||||
return render_xml(
|
return render_xml(
|
||||||
request,
|
request,
|
||||||
"saml/sp/xml/sp_sso_descriptor.xml",
|
"saml/sp/xml/sp_sso_descriptor.xml",
|
||||||
|
|
Reference in a new issue