authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-02-04 23:44:22 (GMT)
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-02-04 23:44:22 (GMT)
commita4f367004343560c225011955560290b9e8ec197 (patch)
tree22b7b0e70f7e98e8480428302dd816f8961c563d /authentic/admin/settings.ptl
parent526483fadbee2a06c2cce03ce3e959f7220045eb (diff)
Fix import of certificates
* authentic/admin/settings.ptl: str.strip() is not made to crop strings ! bad dlaniel ! do not permit importing things that do not look like proper PEM files. we still need to add automatic generation of key pairs and a proper check that the public and private keys match, to remove the biggest problem people encounter when configuring authentic.
Diffstat (limited to 'authentic/admin/settings.ptl')
-rw-r--r--authentic/admin/settings.ptl77
1 files changed, 62 insertions, 15 deletions
diff --git a/authentic/admin/settings.ptl b/authentic/admin/settings.ptl
index 9c8d56e..193eb3e 100644
--- a/authentic/admin/settings.ptl
+++ b/authentic/admin/settings.ptl
@@ -1,5 +1,6 @@
import base64
import cPickle
+import copy
import re
import os
import glob
@@ -1223,9 +1224,15 @@ class SettingsDirectory(Directory):
return redirect('.')
if form.is_submitted() and not form.has_errors():
- if get_cfg('idp',{}).get('locked') is None:
- self.idp_save(form)
- return redirect('.')
+ try:
+ old_cfg = copy.deepcopy(get_publisher().cfg)
+ if get_cfg('idp',{}).get('locked') is None:
+ self.idp_save(form)
+ return redirect('.')
+ except Exception, e:
+ if str(e) != 'Bad form':
+ raise
+ get_publisher().cfg = old_cfg
get_response().breadcrumb.append(('idp', _('Identity Provider')))
html_top('settings', title = _('Identity Provider Configuration'))
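Review bot: The `except Exception, e:` in this hunk recognises the validation failure by comparing message text, `if str(e) != 'Bad form'`, which is fragile: any other exception whose text happens to match is swallowed, and any unrelated exception escapes without the `get_publisher().cfg = old_cfg` rollback running, leaving the in-memory config half-updated by idp_save. A dedicated exception type makes this robust: define `class BadForm(Exception): pass` beside the class, have idp_save `raise BadForm()`, and write `except BadForm:` here, restoring `old_cfg` before any re-raise as well. Note that the rollback only restores the in-memory cfg; whether reload_cfg or the publisher persists cfg elsewhere is not visible from this hunk. The enclosing method starts before this hunk.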
@@ -1237,6 +1244,7 @@ class SettingsDirectory(Directory):
form.render()
def idp_save(self, form):
+ error = False
get_publisher().reload_cfg()
if not get_publisher().cfg.has_key('idp'):
get_publisher().cfg['idp'] = {}
@@ -1249,35 +1257,54 @@ class SettingsDirectory(Directory):
if w:
get_publisher().cfg['idp'][k] = w.parse()
+ privatekey_content = None
+ publickey_content = None
+ encryption_privatekey_content = None
+ encryption_publickey_content = None
+
dir = get_publisher().app_dir
privatekey_fn = os.path.join(dir, 'private-key.pem')
value = form.get_widget('privatekey').parse()
if value:
- file(privatekey_fn, 'w').write(value.fp.read())
+ privatekey_content = value.fp.read()
+ if not 'BEGIN RSA PRIVATE' in privatekey_content and not 'BEGIN DSA PRIVATE' in privatekey_content:
+ error = True
+ form.set_error('privatekey', _('Private key must a PEM private key file'))
if os.path.exists(privatekey_fn):
get_publisher().cfg['idp']['privatekey'] = 'private-key.pem'
publickey_fn = os.path.join(dir, 'public-key.pem')
value = form.get_widget('publickey').parse()
if value:
- file(publickey_fn, 'w').write(value.fp.read())
+ publickey_content = value.fp.read()
+ if not 'BEGIN PUBLIC KEY' in publickey_content and not 'BEGIN CERTIFICATE' in publickey_content:
+ error = True
+ print publickey_content
+ form.set_error('publickey', _('Publickey must a PEM public key or a PEM certificate'))
if os.path.exists(publickey_fn):
get_publisher().cfg['idp']['publickey'] = 'public-key.pem'
encryption_privatekey_fn = os.path.join(dir, 'encryption-private-key.pem')
value = form.get_widget('encryption_privatekey').parse()
if value:
- file(encryption_privatekey_fn, 'w').write(value.fp.read())
+ encryption_privatekey_content = value.fp.read()
+ if not 'BEGIN RSA PRIVATE' in encryption_privatekey_content and not 'BEGIN DSA PRIVATE KEY' in encryption_privatekey_content:
+ error = True
+ form.set_error('encryption_privatekey', _('Encryption private key must a PEM private key file'))
if os.path.exists(encryption_privatekey_fn):
get_publisher().cfg['idp']['encryption_privatekey'] = 'encryption-private-key.pem'
encryption_publickey_fn = os.path.join(dir, 'encryption-public-key.pem')
value = form.get_widget('encryption_publickey').parse()
if value:
- file(encryption_publickey_fn, 'w').write(value.fp.read())
+ encryption_publickey_content = value.fp.read()
+ if not 'BEGIN PUBLIC KEY' in encryption_publickey_content and not 'BEGIN CERTIFICATE' in encryption_publickey_content:
+ error = True
+ form.set_error('encryption_publickey', _('Encryption public key must be a PEM public key or a PEM certificate'))
if os.path.exists(encryption_publickey_fn):
get_publisher().cfg['idp']['encryption_publickey'] = 'encryption-public-key.pem'
+
metadata_fn = os.path.join(dir, 'metadata.xml')
file(metadata_fn, 'w').write(self.get_metadata())
get_publisher().cfg['idp']['metadata'] = 'metadata.xml'
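Review bot: The `print publickey_content` in the publickey branch is leftover debugging that dumps the whole uploaded file to the server's stdout on every rejected upload and should be removed before this lands. The PEM checks are unanchored substring tests (`'BEGIN RSA PRIVATE' in privatekey_content`), so any blob that merely mentions the marker passes, the two private-key branches disagree on the DSA marker (`'BEGIN DSA PRIVATE'` vs `'BEGIN DSA PRIVATE KEY'`), and a PKCS#8 file starting with `-----BEGIN PRIVATE KEY-----` is rejected; a shared helper that checks `content.lstrip().startswith('-----BEGIN ')` together with the matching `-----END` line, or an actual parse by the crypto library the project already uses, would be tighter. The three user-facing messages also drop a word: `_('Private key must be a PEM private key file')`, and likewise for the `'Publickey must ...'` and `'Encryption private key must ...'` strings.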
@@ -1287,6 +1314,18 @@ class SettingsDirectory(Directory):
file(saml2_metadata_fn, 'w').write(self.get_saml2_metadata())
get_publisher().cfg['idp']['saml2_metadata'] = 'saml2-metadata.xml'
+ if error:
+ raise Exception('Bad form')
+
+ if publickey_content:
+ file(publickey_fn, 'w').write(publickey_content)
+ if privatekey_content:
+ file(privatekey_fn, 'w').write(privatekey_content)
+ if encryption_publickey_content:
+ file(encryption_publickey_fn, 'w').write(encryption_publickey_content)
+ if encryption_privatekey_content:
+ file(encryption_privatekey_fn, 'w').write(encryption_privatekey_content)
+
new_common_domain_setter_url = get_publisher().cfg['idp'].get('common_domain_setter_url')
if new_common_domain_setter_url != old_common_domain_setter_url:
old_domain = None
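Review bot: The `if error: raise Exception('Bad form')` check and the four key writes now sit after metadata.xml and saml2-metadata.xml have been regenerated by the two `file(..., 'w').write(self.get_*metadata())` calls just above, so on a rejected upload the metadata files are already rewritten on disk while the caller rolls cfg back, and on an accepted upload the metadata is generated before the new public keys exist on disk — if get_saml2_metadata reads the key files, as the KeyDescriptor code further down suggests, the published metadata carries the previous key. Moving the validation check and the key writes ahead of the metadata generation fixes both orderings. Separately, `file(privatekey_fn, 'w')` creates the private-key files with whatever the process umask allows; key material should be written with mode 0600, which also needs an explicit `os.chmod` when the file already exists. idp_save continues past this hunk.
```python
    if error:
        raise Exception('Bad form')

    # Write the key material first (private keys owner-only) so the
    # metadata generated below embeds the keys just uploaded.
    if publickey_content:
        file(publickey_fn, 'w').write(publickey_content)
    if privatekey_content:
        fd = os.open(privatekey_fn, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
        os.fdopen(fd, 'w').write(privatekey_content)
        os.chmod(privatekey_fn, 0600)  # O_CREAT mode does not apply to an existing file
    if encryption_publickey_content:
        file(encryption_publickey_fn, 'w').write(encryption_publickey_content)
    if encryption_privatekey_content:
        fd = os.open(encryption_privatekey_fn, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
        os.fdopen(fd, 'w').write(encryption_privatekey_content)
        os.chmod(encryption_privatekey_fn, 0600)

    metadata_fn = os.path.join(dir, 'metadata.xml')
    file(metadata_fn, 'w').write(self.get_metadata())
    get_publisher().cfg['idp']['metadata'] = 'metadata.xml'
    # … unchanged: saml2 metadata generation …
    # … unchanged: common_domain_setter_url handling …
```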
@@ -1337,10 +1376,13 @@ class SettingsDirectory(Directory):
else:
pem_key = encryption_pem_key
if 'CERTIF' in pem_key:
- pem_key = pem_key.strip()
- pem_key = pem_key.strip('-----BEGIN CERTIFICATE-----')
- pem_key = pem_key.strip('-----END CERTIFICATE-----')
- pem_key = pem_key.strip()
+ start = '-----BEGIN CERTIFICATE-----'
+ i = pem_key.find(start)
+ j = pem_key.find('-----END CERTIFICATE-----')
+ if i and j:
+ pem_key = pem_key[i+len(start):j].strip()
+ else:
+ pem_key = 'bad certficate file'
idp_keys[key_type] = """
<KeyDescriptor use="%s">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
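Review bot: `if i and j:` tests the `find()` results for truthiness, which is the wrong test: a file that begins with `-----BEGIN CERTIFICATE-----` at offset 0 gives `i == 0` and is reported as `'bad certficate file'`, while a missing marker gives `-1`, which is truthy, so the slice `pem_key[i+len(start):j]` runs on garbage. It should read `if i != -1 and j != -1:` (or `if i >= 0 and j > i:`). The fallback also writes the literal `'bad certficate file'` (sic) into the published metadata instead of failing the save; raising here, or surfacing a form error, would be safer than emitting invalid metadata. The enclosing method starts before this hunk.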
@@ -1348,10 +1390,15 @@ class SettingsDirectory(Directory):
</ds:KeyInfo>
</KeyDescriptor>""" % (key_type, pem_key)
elif 'KEY' in pem_key:
- pem_key = pem_key.strip()
- pem_key = pem_key.strip('-----BEGIN PUBLIC KEY-----')
- pem_key = pem_key.strip('-----END PUBLIC KEY-----')
- pem_key = pem_key.strip()
+ # FIXME: format for RSA key is <RSAKeyValue><Modulus/><Exponent/></RSAKeyValue>
+ # need to fix lasso also
+ start = '-----BEGIN PUBLIC KEY-----'
+ i = pem_key.find(start)
+ j = pem_key.find('-----END PUBLIC KEY-----')
+ if i and j:
+ pem_key = pem_key[i+len(start):j].strip()
+ else:
+ pem_key = 'bad public key file'
idp_keys[key_type] = """
<KeyDescriptor use="%s">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
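Review bot: The same `find()` check as in the certificate branch, `if i and j:`, misfires here too: `i == 0` for a file starting with `-----BEGIN PUBLIC KEY-----` is treated as a failure and `-1` for a missing `-----END PUBLIC KEY-----` is treated as success; use `if i != -1 and j != -1:`. The FIXME is right that the base64 body of a PEM public key is not an RSAKeyValue, so until lasso is fixed a short comment such as `# NOTE: raw PEM body embedded; peers expecting RSAKeyValue will not accept this — use a certificate` would warn the next maintainer that the certificate branch is the one that works. The enclosing method continues past this hunk.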