From dc8b89a6b92e4997465e0f701e3611bcd2e3e669 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 3 Mar 2020 23:35:38 +0100
Subject: [PATCH] sources/saml: switch to new crypto

---
 passbook/sources/saml/api.py                  |  2 +-
 passbook/sources/saml/forms.py                |  9 +------
 .../migrations/0006_auto_20200303_2201.py     | 27 +++++++++++++++++++
 passbook/sources/saml/models.py               | 12 ++++++++-
 passbook/sources/saml/processors/base.py      |  2 +-
 passbook/sources/saml/views.py                |  6 ++---
 6 files changed, 44 insertions(+), 14 deletions(-)
 create mode 100644 passbook/sources/saml/migrations/0006_auto_20200303_2201.py

diff --git a/passbook/sources/saml/api.py b/passbook/sources/saml/api.py
index d89014d4a..53d741fef 100644
--- a/passbook/sources/saml/api.py
+++ b/passbook/sources/saml/api.py
@@ -17,7 +17,7 @@ class SAMLSourceSerializer(ModelSerializer):
             "idp_url",
             "idp_logout_url",
             "auto_logout",
-            "signing_cert",
+            "signing_kp",
         ]
 
 
diff --git a/passbook/sources/saml/forms.py b/passbook/sources/saml/forms.py
index ff6ed84ee..cfc3bf2c5 100644
--- a/passbook/sources/saml/forms.py
+++ b/passbook/sources/saml/forms.py
@@ -5,19 +5,12 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
 from passbook.admin.forms.source import SOURCE_FORM_FIELDS
-from passbook.providers.saml.utils.cert import CertificateBuilder
 from passbook.sources.saml.models import SAMLSource
 
 
 class SAMLSourceForm(forms.ModelForm):
     """SAML Provider form"""
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        builder = CertificateBuilder()
-        builder.build()
-        self.fields["signing_cert"].initial = builder.certificate
-
     class Meta:
 
         model = SAMLSource
@@ -26,7 +19,7 @@ class SAMLSourceForm(forms.ModelForm):
             "idp_url",
             "idp_logout_url",
             "auto_logout",
-            "signing_cert",
+            "signing_kp",
         ]
         widgets = {
             "name": forms.TextInput(),
diff --git a/passbook/sources/saml/migrations/0006_auto_20200303_2201.py b/passbook/sources/saml/migrations/0006_auto_20200303_2201.py
new file mode 100644
index 000000000..7a152b2c3
--- /dev/null
+++ b/passbook/sources/saml/migrations/0006_auto_20200303_2201.py
@@ -0,0 +1,27 @@
+# Generated by Django 3.0.3 on 2020-03-03 22:01
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_crypto", "0001_initial"),
+        ("passbook_sources_saml", "0005_auto_20200220_1621"),
+    ]
+
+    operations = [
+        migrations.RemoveField(model_name="samlsource", name="signing_cert",),
+        migrations.AddField(
+            model_name="samlsource",
+            name="signing_kp",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Certificate Key Pair of the IdP which Assertions are validated against.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="passbook_crypto.CertificateKeyPair",
+            ),
+        ),
+    ]
diff --git a/passbook/sources/saml/models.py b/passbook/sources/saml/models.py
index 4f8127bec..f98133ffc 100644
--- a/passbook/sources/saml/models.py
+++ b/passbook/sources/saml/models.py
@@ -5,6 +5,7 @@ from django.utils.translation import gettext_lazy as _
 
 from passbook.core.models import Source
 from passbook.core.types import UILoginButton
+from passbook.crypto.models import CertificateKeyPair
 
 
 class SAMLSource(Source):
@@ -22,7 +23,16 @@ class SAMLSource(Source):
         default=None, blank=True, null=True, verbose_name=_("IDP Logout URL")
     )
     auto_logout = models.BooleanField(default=False)
-    signing_cert = models.TextField()
+
+    signing_kp = models.ForeignKey(
+        CertificateKeyPair,
+        default=None,
+        null=True,
+        help_text=_(
+            "Certificate Key Pair of the IdP which Assertions are validated against."
+        ),
+        on_delete=models.SET_NULL,
+    )
 
     form = "passbook.sources.saml.forms.SAMLSourceForm"
 
diff --git a/passbook/sources/saml/processors/base.py b/passbook/sources/saml/processors/base.py
index 775791adf..5568d9286 100644
--- a/passbook/sources/saml/processors/base.py
+++ b/passbook/sources/saml/processors/base.py
@@ -46,7 +46,7 @@ class Processor:
     def _verify_signed(self):
         """Verify SAML Response's Signature"""
         verifier = XMLVerifier()
-        verifier.verify(self._root_xml, x509_cert=self._source.signing_cert)
+        verifier.verify(self._root_xml, x509_cert=self._source.signing_kp.certificate)
 
     def _get_email(self) -> Optional[str]:
         """
diff --git a/passbook/sources/saml/views.py b/passbook/sources/saml/views.py
index 9f6516afa..6dd38db93 100644
--- a/passbook/sources/saml/views.py
+++ b/passbook/sources/saml/views.py
@@ -101,9 +101,9 @@ class MetadataView(View):
         """Replies with the XML Metadata SPSSODescriptor."""
         source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
         issuer = get_issuer(request, source)
-        cert_stripped = strip_pem_header(source.signing_cert.replace("\r", "")).replace(
-            "\n", ""
-        )
+        cert_stripped = strip_pem_header(
+            source.signing_kp.certificate_data.replace("\r", "")
+        ).replace("\n", "")
         return render_xml(
             request,
             "saml/sp/xml/sp_sso_descriptor.xml",