From 625835a266e9e4ed6c016d77b6b62f33541b7b05 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 14 Dec 2018 15:30:11 +0100
Subject: [PATCH] saml_idp: start rewriting to use DB Certs
---
 passbook/saml_idp/base.py        |  4 ++--
 passbook/saml_idp/views.py       |  4 ++--
 passbook/saml_idp/xml_render.py  | 31 +++++++++++++------------------
 passbook/saml_idp/xml_signing.py | 15 ---------------
 4 files changed, 17 insertions(+), 37 deletions(-)
diff --git a/passbook/saml_idp/base.py b/passbook/saml_idp/base.py
index 661b9f72e..34d1f93c8 100644
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@@ -176,10 +176,10 @@ class Processor:
     def _format_response(self):
         """Formats _response_params as _response_xml."""
-        sign_it = CONFIG.y('saml_idp.signing', True)
         assertion_id = self._assertion_params['ASSERTION_ID']
+        # TODO: Get application/provider instance
         self._response_xml = xml_render.get_response_xml(self._response_params,
-                                                         signed=sign_it,
+                                                         saml_provider=None,
                                                          assertion_id=assertion_id)
     def _get_django_response_params(self):
diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index 43fc826ff..2193bdce2 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -19,7 +19,7 @@ from passbook.lib.config import CONFIG
 from passbook.lib.utils.template import render_to_string
 # from passbook.core.views.common import ErrorResponseView
 # from passbook.core.views.settings import GenericSettingView
-from passbook.saml_idp import exceptions, registry, xml_signing
+from passbook.saml_idp import exceptions, registry
 # from OpenSSL.crypto import FILETYPE_PEM
 # from OpenSSL.crypto import Error as CryptoError
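Review bot: Passing `saml_provider=None` on the new `get_response_xml` call makes `_format_response` fail for every response, because the rewritten `get_response_xml` in this same patch reads `saml_provider.signing` unconditionally and raises AttributeError on None. If the interim state is meant to run at all, the placeholder should fail loudly rather than be tolerated: do not add a `None` guard that falls through to the unsigned branch, since that would turn a missing provider lookup into unsigned SAML responses being issued silently; `raise NotImplementedError('SAML provider lookup for response signing is not implemented yet')` in place of the TODO is the safer stop-gap until the lookup exists. The `Processor` class continues outside the hunk.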
@@ -174,7 +174,7 @@ def descriptor(request):
     entity_id = CONFIG.y('saml_idp.issuer')
     slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
     sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
-    pubkey = xml_signing.load_certificate(strip=True)
+    pubkey = '' # TODO: Extract application/provider for pubkey
     ctx = {
         'entity_id': entity_id,
         'cert_public_key': pubkey,
diff --git a/passbook/saml_idp/xml_render.py b/passbook/saml_idp/xml_render.py
index d24db7c8b..f9bc5b551 100644
--- a/passbook/saml_idp/xml_render.py
+++ b/passbook/saml_idp/xml_render.py
@@ -3,8 +3,8 @@ from logging import getLogger
 from passbook.lib.utils.template import render_to_string
-from passbook.saml_idp.xml_signing import (get_signature_xml, load_certificate,
-                                           load_private_key, sign_with_signxml)
+from passbook.saml_idp.models import SAMLProvider
+from passbook.saml_idp.xml_signing import get_signature_xml, sign_with_signxml
 LOGGER = getLogger(__name__)
@@ -64,7 +64,7 @@ def get_assertion_xml(template, parameters, signed=False):
     return render_to_string(template, params)
-def get_response_xml(parameters, signed=False, assertion_id=''):
+def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=''):
     """Returns XML for response, with signatures, if signed is True."""
     # Reset signatures.
     params = {}
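Review bot: `pubkey = ''` feeds an empty `cert_public_key` into the metadata context, so the published IdP descriptor advertises no signing certificate while responses can still be signed per provider elsewhere in this patch; service providers that consume this metadata then have nothing to validate those signatures against, and presumably the template still emits the certificate element with empty content (the template is not visible here). Until the provider lookup exists, either have the template omit the KeyDescriptor when `cert_public_key` is empty or fail the metadata request explicitly, and extend the TODO to say the value must be the header-stripped PEM body that the removed `load_certificate(strip=True)` returned, e.g. `pubkey = ''  # TODO: provider's signing cert, PEM header stripped (see removed xml_signing.load_certificate)`. `descriptor` continues outside the hunk.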
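Review bot: The rewritten import drops `load_certificate` and `load_private_key` from xml_render.py, but only `get_response_xml` is rewritten in this patch; `get_assertion_xml(template, parameters, signed=False)` (named in the next hunk's header, body outside this diff) still takes a `signed` flag, and if its body calls either removed helper it will raise NameError the first time an assertion is signed. Worth checking that function in the same change, or threading the provider through it as well so assertion and response signing use the same key and certificate.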
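Review bot: The docstring kept on the new `get_response_xml` still says "if signed is True" although the `signed` parameter no longer exists; suggest `"""Returns XML for response, signed when saml_provider.signing is enabled."""`. Note also that `saml_provider` is now a required positional argument, so any caller still passing `signed=` (only base.py is updated in this patch) fails with TypeError rather than silently falling back to unsigned output, which is the right direction. The function body continues in the next hunk.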
@@ -72,22 +72,17 @@ def get_response_xml(parameters, signed=False, assertion_id=''):
     params['RESPONSE_SIGNATURE'] = ''
     _get_in_response_to(params)
-    unsigned = render_to_string('saml/xml/response.xml', params)
+    raw_response = render_to_string('saml/xml/response.xml', params)
     # LOGGER.debug('Unsigned: %s', unsigned)
-    if not signed:
-        return unsigned
+    if not saml_provider.signing:
+        return raw_response
-    raw_response = render_to_string('saml/xml/response.xml', params)
-    # Sign it.
-    if signed:
-        signature_xml = get_signature_xml()
-        params['RESPONSE_SIGNATURE'] = signature_xml
-        # LOGGER.debug("Raw response: %s", raw_response)
+    signature_xml = get_signature_xml()
+    params['RESPONSE_SIGNATURE'] = signature_xml
+    # LOGGER.debug("Raw response: %s", raw_response)
-        signed = sign_with_signxml(
-            load_private_key(), raw_response, [load_certificate(True)],
-            reference_uri=assertion_id) \
-            .decode("utf-8")
-        return signed
-    return raw_response
+    signed = sign_with_signxml(
+        saml_provider.signing_key, raw_response, [saml_provider.signing_cert],
+        reference_uri=assertion_id).decode("utf-8")
+    return signed
diff --git a/passbook/saml_idp/xml_signing.py b/passbook/saml_idp/xml_signing.py
index 127ffbeea..a42a03749 100644
--- a/passbook/saml_idp/xml_signing.py
+++ b/passbook/saml_idp/xml_signing.py
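Review bot: The new signing call hands `saml_provider.signing_cert` to `sign_with_signxml` unchanged, whereas the removed path passed `load_certificate(True)`, i.e. the certificate with its PEM header stripped and line breaks removed (see the deleted helper in xml_signing.py). If the DB field stores the full PEM block, confirm that `sign_with_signxml` (body outside this hunk) accepts it and that the certificate embedded in the resulting signature is what relying parties expect; a mismatch here would make every signed response unverifiable rather than fail at signing time. Separately, the retained comment `# LOGGER.debug('Unsigned: %s', unsigned)` now names a variable that no longer exists and should read `# LOGGER.debug('Unsigned: %s', raw_response)` or be dropped. `get_response_xml` starts in the previous hunk.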
@@ -5,27 +5,12 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from defusedxml import ElementTree
 from signxml import XMLSigner
-from signxml.util import strip_pem_header
-from passbook.lib.config import CONFIG
 from passbook.lib.utils.template import render_to_string
 LOGGER = getLogger(__name__)
-def load_certificate(strip=False):
-    """Get Public key from config"""
-    cert = CONFIG.y('saml_idp.certificate', '')
-    if strip:
-        return strip_pem_header(cert.replace('\r', '')).replace('\n', '')
-    return cert
-def load_private_key():
-    """Get Private Key from config"""
-    return CONFIG.y('saml_idp.key', '')
 def sign_with_signxml(private_key, data, cert, reference_uri=None):
     """Sign Data with signxml"""
     key = serialization.load_pem_private_key(