saml: use RSA-SHA256 signature method (#32011)
This commit is contained in:
parent
2864f57af9
commit
8d91ba556c
|
@ -51,6 +51,7 @@ wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
|
|||
TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
|
||||
-----END RSA PRIVATE KEY-----''',
|
||||
ADD_CERTIFICATE_TO_KEY_INFO=True,
|
||||
SIGNATURE_METHOD='RSA-SHA256',
|
||||
)
|
||||
|
||||
def __init__(self, prefix):
|
||||
|
|
|
@ -113,6 +113,13 @@ def create_saml2_server(request, metadata, idp_map=None, sp_map=None,
|
|||
get_saml2_metadata(request, metadata, idp_map=idp_map, sp_map=sp_map,
|
||||
options=options),
|
||||
options.get('private_key'), certificate_content=certificate_content)
|
||||
if app_settings.SIGNATURE_METHOD:
|
||||
signature_method = app_settings.SIGNATURE_METHOD
|
||||
symbol_name = 'SIGNATURE_METHOD_' + signature_method.replace('-', '_').upper()
|
||||
if hasattr(lasso, symbol_name):
|
||||
server.signatureMethod = getattr(lasso, symbol_name)
|
||||
else:
|
||||
logger.warning('idp_saml: unable to set signature method %s', signature_method)
|
||||
if not server:
|
||||
raise Exception('Cannot create LassoServer object')
|
||||
return server
|
||||
|
|
|
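Review bot: The new `if app_settings.SIGNATURE_METHOD:` block runs before the existing `if not server:` guard, so when LassoServer creation fails the assignment `server.signatureMethod = getattr(lasso, symbol_name)` raises an AttributeError on the falsy `server` before the intended `Exception('Cannot create LassoServer object')` is reached; move the two guard lines above the new block. Separately, an unsupported or misspelt SIGNATURE_METHOD only logs `idp_saml: unable to set signature method %s` and leaves lasso's default algorithm in place, which silently weakens a security setting; consider failing instead (for example by raising a configuration error such as Django's ImproperlyConfigured, if it is in scope here) so the misconfiguration is caught at startup. The enclosing create_saml2_server function starts outside the hunk.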
@ -72,6 +72,7 @@ class SamlBaseTestCase(Authentic2TestCase):
|
|||
sp_meta = self.get_sp_metadata(base_url=base_url)
|
||||
idp_meta = self.get_idp_metadata()
|
||||
server = lasso.Server.newFromBuffers(sp_meta)
|
||||
server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
|
||||
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp_meta)
|
||||
return server
|
||||
|
||||
|
@ -213,6 +214,8 @@ class SamlBaseTestCase(Authentic2TestCase):
|
|||
url_parsed = urlparse.urlparse(login.msgUrl)
|
||||
self.assertEqual(url_parsed.path, reverse('a2-idp-saml-sso'),
|
||||
'msgUrl should target the sso endpoint')
|
||||
if sign:
|
||||
assert 'rsa-sha256' in login.msgUrl
|
||||
return login.msgUrl, login.msgBody, request.id
|
||||
|
||||
def parse_authn_response(self, saml_response):
|
||||
|
@ -291,10 +294,11 @@ class SamlSSOTestCase(SamlBaseTestCase):
|
|||
self.assertIn('SAMLResponse', doc.forms[0].fields)
|
||||
saml_response = doc.forms[0].fields['SAMLResponse']
|
||||
try:
|
||||
base64.b64decode(saml_response)
|
||||
decoded_saml_response = base64.b64decode(saml_response)
|
||||
except TypeError:
|
||||
self.fail('SAMLResponse is not base64 encoded: %s'
|
||||
% saml_response)
|
||||
assert b'rsa-sha256' in decoded_saml_response
|
||||
with self.assertRaises(lasso.ProfileRequestDeniedError):
|
||||
assertion = self.parse_authn_response(saml_response)
|
||||
elif not authorized_service:
|
||||
|
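Review bot: `assert b'rsa-sha256' in decoded_saml_response` only checks that the substring occurs somewhere in the decoded XML, not that it is the algorithm on the ds:SignatureMethod element; the hunk at -335 in the same test class adds the identical assertion. A tighter check would match the full algorithm identifier, e.g. `assert b'Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"' in decoded_saml_response`, or parse the response and read the SignatureMethod Algorithm attribute directly. The enclosing test method starts outside the hunk.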
@ -335,9 +339,10 @@ class SamlSSOTestCase(SamlBaseTestCase):
|
|||
self.assertIn('SAMLResponse', doc.forms[0].fields)
|
||||
saml_response = doc.forms[0].fields['SAMLResponse']
|
||||
try:
|
||||
base64.b64decode(saml_response)
|
||||
decoded_saml_response = base64.b64decode(saml_response)
|
||||
except TypeError:
|
||||
self.fail('SAMLResponse is not base64 encoded: %s' % saml_response)
|
||||
assert b'rsa-sha256' in decoded_saml_response
|
||||
login = self.parse_authn_response(saml_response)
|
||||
assertion = login.assertion
|
||||
session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter
|
||||
|
|