mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-11-14 01:20:27 +00:00
Merge pull request #612 from Neven1986/saml_certificate_fix
SAML certificate fix and enhancement
This commit is contained in:
commit
59110432a0
@ -82,8 +82,20 @@ SAML_ENABLED = False
|
|||||||
# SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
|
# SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
|
||||||
# SAML_SP_CONTACT_NAME = '<contact name>'
|
# SAML_SP_CONTACT_NAME = '<contact name>'
|
||||||
# SAML_SP_CONTACT_MAIL = '<contact mail>'
|
# SAML_SP_CONTACT_MAIL = '<contact mail>'
|
||||||
# #Cofigures if SAML tokens should be encrypted.
|
|
||||||
# #If enabled a new app certificate will be generated on restart
|
# Configures the path to certificate file and it's respective private key file
|
||||||
|
# This pair is used for signing metadata, encrypting tokens and all other signing/encryption
|
||||||
|
# tasks during communication between iDP and SP
|
||||||
|
# NOTE: if this two parameters aren't explicitly provided, self-signed certificate-key pair
|
||||||
|
# will be generated in "PowerDNS-Admin" root directory
|
||||||
|
# ###########################################################################################
|
||||||
|
# CAUTION: For production use, usage of self-signed certificates it's highly discouraged.
|
||||||
|
# Use certificates from trusted CA instead
|
||||||
|
# ###########################################################################################
|
||||||
|
# SAML_CERT_FILE = '/etc/pki/powerdns-admin/cert.crt'
|
||||||
|
# SAML_CERT_KEY = '/etc/pki/powerdns-admin/key.pem'
|
||||||
|
|
||||||
|
# Cofigures if SAML tokens should be encrypted.
|
||||||
# SAML_SIGN_REQUEST = False
|
# SAML_SIGN_REQUEST = False
|
||||||
# #Use SAML standard logout mechanism retreived from idp metadata
|
# #Use SAML standard logout mechanism retreived from idp metadata
|
||||||
# #If configured false don't care about SAML session on logout.
|
# #If configured false don't care about SAML session on logout.
|
||||||
|
@ -42,7 +42,7 @@ def create_self_signed_cert():
|
|||||||
cert.set_pubkey(k)
|
cert.set_pubkey(k)
|
||||||
cert.sign(k, 'sha256')
|
cert.sign(k, 'sha256')
|
||||||
|
|
||||||
open(CERT_FILE, "wt").write(
|
open(CERT_FILE, "bw").write(
|
||||||
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
|
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
|
||||||
open(KEY_FILE, "wt").write(
|
open(KEY_FILE, "bw").write(
|
||||||
crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
|
crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
|
@ -3,7 +3,7 @@ from threading import Thread
|
|||||||
from flask import current_app
|
from flask import current_app
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from ..lib.certutil import KEY_FILE, CERT_FILE
|
from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
|
||||||
from ..lib.utils import urlparse
|
from ..lib.utils import urlparse
|
||||||
|
|
||||||
|
|
||||||
@ -101,12 +101,32 @@ class SAML(object):
|
|||||||
'NameIDFormat',
|
'NameIDFormat',
|
||||||
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
|
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
|
||||||
settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID']
|
settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID']
|
||||||
|
|
||||||
|
|
||||||
|
if ('SAML_CERT_FILE' in current_app.config) and ('SAML_KEY_FILE' in current_app.config):
|
||||||
|
|
||||||
|
saml_cert_file = current_app.config['SAML_CERT_FILE']
|
||||||
|
saml_key_file = current_app.config['SAML_KEY_FILE']
|
||||||
|
|
||||||
|
if os.path.isfile(saml_cert_file):
|
||||||
|
cert = open(saml_cert_file, "r").readlines()
|
||||||
|
settings['sp']['x509cert'] = "".join(cert)
|
||||||
|
if os.path.isfile(saml_key_file):
|
||||||
|
key = open(saml_key_file, "r").readlines()
|
||||||
|
settings['sp']['privateKey'] = "".join(key)
|
||||||
|
|
||||||
|
else:
|
||||||
|
|
||||||
|
create_self_signed_cert()
|
||||||
|
|
||||||
if os.path.isfile(CERT_FILE):
|
if os.path.isfile(CERT_FILE):
|
||||||
cert = open(CERT_FILE, "r").readlines()
|
cert = open(CERT_FILE, "r").readlines()
|
||||||
settings['sp']['x509cert'] = "".join(cert)
|
settings['sp']['x509cert'] = "".join(cert)
|
||||||
if os.path.isfile(KEY_FILE):
|
if os.path.isfile(KEY_FILE):
|
||||||
key = open(KEY_FILE, "r").readlines()
|
key = open(KEY_FILE, "r").readlines()
|
||||||
settings['sp']['privateKey'] = "".join(key)
|
settings['sp']['privateKey'] = "".join(key)
|
||||||
|
|
||||||
|
|
||||||
settings['sp']['assertionConsumerService'] = {}
|
settings['sp']['assertionConsumerService'] = {}
|
||||||
settings['sp']['assertionConsumerService'][
|
settings['sp']['assertionConsumerService'][
|
||||||
'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
||||||
|
Loading…
Reference in New Issue
Block a user