Merge pull request #612 from Neven1986/saml_certificate_fix

SAML certificate fix and enhancement
This commit is contained in:
Khanh Ngo 2019-12-19 09:11:15 +07:00 committed by GitHub
commit 59110432a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 11 deletions

View File

@ -82,8 +82,20 @@ SAML_ENABLED = False
# SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>' # SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
# SAML_SP_CONTACT_NAME = '<contact name>' # SAML_SP_CONTACT_NAME = '<contact name>'
# SAML_SP_CONTACT_MAIL = '<contact mail>' # SAML_SP_CONTACT_MAIL = '<contact mail>'
# #Cofigures if SAML tokens should be encrypted.
# #If enabled a new app certificate will be generated on restart # Configures the path to certificate file and it's respective private key file
# This pair is used for signing metadata, encrypting tokens and all other signing/encryption
# tasks during communication between iDP and SP
# NOTE: if this two parameters aren't explicitly provided, self-signed certificate-key pair
# will be generated in "PowerDNS-Admin" root directory
# ###########################################################################################
# CAUTION: For production use, usage of self-signed certificates it's highly discouraged.
# Use certificates from trusted CA instead
# ###########################################################################################
# SAML_CERT_FILE = '/etc/pki/powerdns-admin/cert.crt'
# SAML_CERT_KEY = '/etc/pki/powerdns-admin/key.pem'
# Cofigures if SAML tokens should be encrypted.
# SAML_SIGN_REQUEST = False # SAML_SIGN_REQUEST = False
# #Use SAML standard logout mechanism retreived from idp metadata # #Use SAML standard logout mechanism retreived from idp metadata
# #If configured false don't care about SAML session on logout. # #If configured false don't care about SAML session on logout.

View File

@ -42,7 +42,7 @@ def create_self_signed_cert():
cert.set_pubkey(k) cert.set_pubkey(k)
cert.sign(k, 'sha256') cert.sign(k, 'sha256')
open(CERT_FILE, "wt").write( open(CERT_FILE, "bw").write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(KEY_FILE, "wt").write( open(KEY_FILE, "bw").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) crypto.dump_privatekey(crypto.FILETYPE_PEM, k))

View File

@ -3,7 +3,7 @@ from threading import Thread
from flask import current_app from flask import current_app
import os import os
from ..lib.certutil import KEY_FILE, CERT_FILE from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
from ..lib.utils import urlparse from ..lib.utils import urlparse
@ -101,12 +101,32 @@ class SAML(object):
'NameIDFormat', 'NameIDFormat',
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified') 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID'] settings['sp']['entityId'] = current_app.config['SAML_SP_ENTITY_ID']
if os.path.isfile(CERT_FILE):
cert = open(CERT_FILE, "r").readlines()
settings['sp']['x509cert'] = "".join(cert) if ('SAML_CERT_FILE' in current_app.config) and ('SAML_KEY_FILE' in current_app.config):
if os.path.isfile(KEY_FILE):
key = open(KEY_FILE, "r").readlines() saml_cert_file = current_app.config['SAML_CERT_FILE']
settings['sp']['privateKey'] = "".join(key) saml_key_file = current_app.config['SAML_KEY_FILE']
if os.path.isfile(saml_cert_file):
cert = open(saml_cert_file, "r").readlines()
settings['sp']['x509cert'] = "".join(cert)
if os.path.isfile(saml_key_file):
key = open(saml_key_file, "r").readlines()
settings['sp']['privateKey'] = "".join(key)
else:
create_self_signed_cert()
if os.path.isfile(CERT_FILE):
cert = open(CERT_FILE, "r").readlines()
settings['sp']['x509cert'] = "".join(cert)
if os.path.isfile(KEY_FILE):
key = open(KEY_FILE, "r").readlines()
settings['sp']['privateKey'] = "".join(key)
settings['sp']['assertionConsumerService'] = {} settings['sp']['assertionConsumerService'] = {}
settings['sp']['assertionConsumerService'][ settings['sp']['assertionConsumerService'][
'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' 'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'