saml_idp: fix bandit issues

2018-12-26 17:26:17 +01:00 · 2018-12-26 17:26:17 +01:00 · 4d5f688a44
parent 60d4a30992
commit 4d5f688a44
4 changed files with 13 additions and 6 deletions
--- a/passbook/saml_idp/models.py
+++ b/passbook/saml_idp/models.py
@ -30,6 +30,7 @@ class SAMLProvider(Provider):

    @property
    def processor(self):
+        """Return selected processor as instance"""
        if not self._processor:
            self._processor = path_to_class(self.processor_path)(self)
        return self._processor
--- a/passbook/saml_idp/urls.py
+++ b/passbook/saml_idp/urls.py
@ -4,9 +4,13 @@ from django.urls import path
 from passbook.saml_idp import views

 urlpatterns = [
-    path('login/', views.LoginBeginView.as_view(), name="saml_login_begin"),
-    path('login/process/', views.LoginProcessView.as_view(), name='saml_login_process'),
+    path('login/<slug:application>/',
+         views.LoginBeginView.as_view(), name="saml_login_begin"),
+    path('login/<slug:application>/idp_init/',
+         views.LoginInitView.as_view(), name="saml_login_init"),
+    path('login/<slug:application>/process/',
+         views.LoginProcessView.as_view(), name='saml_login_process'),
    path('logout/', views.LogoutView.as_view(), name="saml_logout"),
-    path('metadata/<int:application_id>/',
+    path('metadata/<slug:application>/',
         views.DescriptorDownloadView.as_view(), name='metadata_xml'),
 ]
--- a/passbook/saml_idp/utils.py
+++ b/passbook/saml_idp/utils.py
@ -44,6 +44,7 @@ class CertificateBuilder:
        self.__certificate = None

    def build(self):
+        """Build self-signed certificate"""
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = rsa.generate_private_key(
            public_exponent=65537,
--- a/passbook/saml_idp/xml_signing.py
+++ b/passbook/saml_idp/xml_signing.py
@ -4,7 +4,7 @@ from logging import getLogger
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from defusedxml import ElementTree
-from lxml import etree
+from lxml import etree  # nosec
 from signxml import XMLSigner

 from passbook.lib.utils.template import render_to_string
@ -17,8 +17,9 @@ def sign_with_signxml(private_key, data, cert, reference_uri=None):
    key = serialization.load_pem_private_key(
        str.encode('\n'.join([x.strip() for x in private_key.split('\n')])),
        password=None, backend=default_backend())
-    root = etree.fromstring(data)
-    # root = ElementTree.fromstring(data, forbid_entities=False)
+    # LXML is used here because defusedxml causes issues with serialization
+    # data is trusted so no issues
+    root = etree.fromstring(data) # nosec
    signer = XMLSigner(c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#')
    signed = signer.sign(root, key=key, cert=cert, reference_uri=reference_uri)
    return ElementTree.tostring(signed)