SAML certificate fix and enhancement

Problems resolved: - Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect - Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data Enhancements: - Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system. - If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created. - Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned.
2025-06-14 12:06:06 +00:00 · 2019-12-19 00:40:25 +01:00
parent 37f24f9fde
commit 567430790c
3 changed files with 43 additions and 11 deletions
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@ -3,7 +3,7 @@ from threading import Thread
 from flask import current_app
 import os

-from ..lib.certutil import KEY_FILE, CERT_FILE
+from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
 from ..lib.utils import urlparse

 class SAML(object):
@ -101,12 +101,32 @@ class SAML(object):
                'NameIDFormat',
                'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
        settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID']
-        if os.path.isfile(CERT_FILE):
-            cert = open(CERT_FILE, "r").readlines()
-            settings['sp']['x509cert'] = "".join(cert)
-        if os.path.isfile(KEY_FILE):
-            key = open(KEY_FILE, "r").readlines()
-            settings['sp']['privateKey'] = "".join(key)
+
+
+        if ('SAML_CERT_FILE' in current_app.config) and ('SAML_KEY_FILE' in current_app.config):
+
+             saml_cert_file = current_app.config['SAML_CERT_FILE']
+             saml_key_file = current_app.config['SAML_KEY_FILE']
+
+             if os.path.isfile(saml_cert_file):
+                 cert = open(saml_cert_file, "r").readlines()
+                 settings['sp']['x509cert'] = "".join(cert)
+             if os.path.isfile(saml_key_file):
+                 key = open(saml_key_file, "r").readlines()
+                 settings['sp']['privateKey'] = "".join(key)
+
+        else:
+
+             create_self_signed_cert()
+
+             if os.path.isfile(CERT_FILE):
+                 cert = open(CERT_FILE, "r").readlines()
+                 settings['sp']['x509cert'] = "".join(cert)
+             if os.path.isfile(KEY_FILE):
+                 key = open(KEY_FILE, "r").readlines()
+                 settings['sp']['privateKey'] = "".join(key)
+
+
        settings['sp']['assertionConsumerService'] = {}
        settings['sp']['assertionConsumerService'][
            'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'