Merge pull request #612 from Neven1986/saml_certificate_fix

SAML certificate fix and enhancement

configs/development.py

@@ -82,8 +82,20 @@ SAML_ENABLED = False
 # SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 # SAML_SP_CONTACT_NAME = '<contact name>'
 # SAML_SP_CONTACT_MAIL = '<contact mail>'
-# #Cofigures if SAML tokens should be encrypted.
-# #If enabled a new app certificate will be generated on restart
+
+# Configures the path to certificate file and it's respective private key file
+# This pair is used for signing metadata, encrypting tokens and all other signing/encryption 
+# tasks during communication between iDP and SP
+# NOTE: if this two parameters aren't explicitly provided, self-signed certificate-key pair 
+# will be generated in "PowerDNS-Admin" root directory
+# ###########################################################################################
+# CAUTION: For production use, usage of self-signed certificates it's highly discouraged.
+# Use certificates from trusted CA instead  
+# ###########################################################################################
+# SAML_CERT_FILE = '/etc/pki/powerdns-admin/cert.crt'
+# SAML_CERT_KEY = '/etc/pki/powerdns-admin/key.pem'
+
+# Cofigures if SAML tokens should be encrypted.
 # SAML_SIGN_REQUEST = False
 # #Use SAML standard logout mechanism retreived from idp metadata
 # #If configured false don't care about SAML session on logout.

powerdnsadmin/lib/certutil.py

@@ -42,7 +42,7 @@ def create_self_signed_cert():
     cert.set_pubkey(k)
     cert.sign(k, 'sha256')
 
-    open(CERT_FILE, "wt").write(
+    open(CERT_FILE, "bw").write(
         crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
-    open(KEY_FILE, "wt").write(
+    open(KEY_FILE, "bw").write(
         crypto.dump_privatekey(crypto.FILETYPE_PEM, k))

powerdnsadmin/services/saml.py

@@ -3,7 +3,7 @@ from threading import Thread
 from flask import current_app
 import os
 
-from ..lib.certutil import KEY_FILE, CERT_FILE
+from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
 from ..lib.utils import urlparse
 
 
@@ -101,12 +101,32 @@ class SAML(object):
                 'NameIDFormat',
                 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
         settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID']
-        if os.path.isfile(CERT_FILE):
-            cert = open(CERT_FILE, "r").readlines()
-            settings['sp']['x509cert'] = "".join(cert)
-        if os.path.isfile(KEY_FILE):
-            key = open(KEY_FILE, "r").readlines()
-            settings['sp']['privateKey'] = "".join(key)
+
+
+        if ('SAML_CERT_FILE' in current_app.config) and ('SAML_KEY_FILE' in current_app.config):
+
+             saml_cert_file = current_app.config['SAML_CERT_FILE']
+             saml_key_file = current_app.config['SAML_KEY_FILE']
+
+             if os.path.isfile(saml_cert_file):
+                 cert = open(saml_cert_file, "r").readlines()
+                 settings['sp']['x509cert'] = "".join(cert)
+             if os.path.isfile(saml_key_file):
+                 key = open(saml_key_file, "r").readlines()
+                 settings['sp']['privateKey'] = "".join(key)
+
+        else:
+
+             create_self_signed_cert()
+
+             if os.path.isfile(CERT_FILE):
+                 cert = open(CERT_FILE, "r").readlines()
+                 settings['sp']['x509cert'] = "".join(cert)
+             if os.path.isfile(KEY_FILE):
+                 key = open(KEY_FILE, "r").readlines()
+                 settings['sp']['privateKey'] = "".join(key)
+
+
         settings['sp']['assertionConsumerService'] = {}
         settings['sp']['assertionConsumerService'][
             'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'