add setting MELLON_SIGNATURE_METHOD (#32008)

It defaults to RSA-SHA256, because RSA-SHA1, which is Lasso's default, is
deprecated.
Benjamin Dauvergne 2019-04-04 18:30:02 +02:00
parent b2a1da8d1b
commit e1fa70d28d
3 changed files with 15 additions and 0 deletions


@ -39,6 +39,7 @@ class AppSettings(object):
'LOGOUT_URL': 'mellon_logout',
'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
'LOGIN_HINTS': [],
'SIGNATURE_METHOD': 'RSA-SHA256',
}
@property
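Review bot: The new `'SIGNATURE_METHOD'` entry carries no comment on which values are accepted, and this defaults dict is where a reader looks first. Judging from `create_server`, the value is upper-cased, `-` is replaced by `_`, and the result is prefixed with `SIGNATURE_METHOD_` to look up a lasso constant, so `'RSA-SHA256'` and `'RSA_SHA256'` both resolve; a one-line comment such as `# name of a lasso SIGNATURE_METHOD_* constant without the prefix, e.g. 'RSA-SHA256'` would record that. The `AppSettings` class continues outside the hunk.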


@ -61,6 +61,13 @@ def create_server(request):
private_key_password = None
server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key,
private_key_password=private_key_password)
if app_settings.SIGNATURE_METHOD:
symbol_name = 'SIGNATURE_METHOD_' + app_settings.SIGNATURE_METHOD.replace('-', '_').upper()
if hasattr(lasso, symbol_name):
server.signatureMethod = getattr(lasso, symbol_name)
else:
logger.warning('mellon: unable to set signature method %s', app_settings.SIGNATURE_METHOD)
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
private_keys = app_settings.PRIVATE_KEYS
# skip first key if it is already loaded
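Review bot: When the configured method does not map to a `lasso` constant, the `else` branch of the new block only logs a warning and the server keeps Lasso's built-in default, which the commit description identifies as the deprecated RSA-SHA1 — a typo in `MELLON_SIGNATURE_METHOD` therefore silently downgrades every signature the SP emits. Failing closed is the safer contract: replace the warning with `raise ImproperlyConfigured('mellon: unknown signature method %s' % app_settings.SIGNATURE_METHOD)` (from `django.core.exceptions`; the import is presumably not yet present), or at minimum log at error level. The same quiet fallback occurs when the setting is set to an empty value, because the `if app_settings.SIGNATURE_METHOD:` guard skips the assignment altogether; if that is meant as "use Lasso's default" it deserves a comment saying so. The `hasattr` lookup also accepts any `SIGNATURE_METHOD_*` attribute lasso happens to export, including the SHA1 one the commit is moving away from; an explicit allowlist of the methods mellon supports would make the accepted values reviewable. `create_server` starts and ends outside the hunk.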


@ -47,6 +47,7 @@ def sp_settings(private_settings, idp_metadata, sp_private_key, sp_public_key):
private_settings.MELLON_PRIVATE_KEYS = [sp_private_key]
private_settings.MELLON_NAME_ID_POLICY_FORMAT = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
private_settings.LOGIN_REDIRECT_URL = '/'
private_settings.MELLON_SIGNATURE_METHOD = 'RSA_SHA256'
return private_settings
@ -59,6 +60,7 @@ def sp_metadata(sp_settings, rf):
class MockIdp(object):
def __init__(self, idp_metadata, private_key, sp_metadata):
self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key)
self.server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, sp_metadata)
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None):
@ -76,6 +78,7 @@ class MockIdp(object):
base64.b64decode(
urlparse.parse_qs(
urlparse.urlparse(url).query)['SAMLRequest'][0]), -15)
assert 'rsa-sha256' in url
try:
login.validateRequestMsg(auth_result, consent)
except lasso.LoginRequestDeniedError:
@ -96,11 +99,14 @@ class MockIdp(object):
login.buildAuthnResponseMsg()
else:
raise NotImplementedError
if login.msgBody:
assert b'rsa-sha256' in base64.b64decode(login.msgBody)
return login.msgUrl, login.msgBody, login.msgRelayState
def resolve_artifact(self, soap_message):
login = lasso.Login(self.server)
login.processRequestMsg(soap_message)
assert 'rsa-sha256' in soap_message
if hasattr(self, 'artifact') and self.artifact == login.artifact:
# artifact is known, go on !
login.artifactMessage = self.artifact_message
@ -108,6 +114,7 @@ class MockIdp(object):
del self.artifact
del self.artifact_message
login.buildResponseMsg()
assert 'rsa-sha256' in login.msgBody
return login.msgBody
def mock_artifact_resolver(self):
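Review bot: The assertions added after `if login.msgBody:` (hunk `@ -96`) and after `login.buildResponseMsg()` (hunk `@ -108`) inspect messages the mock IdP itself produced, and `MockIdp.__init__` now pins its own `signatureMethod` to `lasso.SIGNATURE_METHOD_RSA_SHA256`, so those two asserts exercise the fixture rather than the new setting; only the `url` and `soap_message` checks look at what the SP signed. The fixture also sets `MELLON_SIGNATURE_METHOD = 'RSA_SHA256'` (underscore spelling) while the shipped default is `'RSA-SHA256'`, so neither the default value nor the hyphen-to-underscore normalisation is covered, and nothing drives an unknown method name into the warning branch of `create_server`. Consider one parametrised case over both spellings and one with a bogus value that asserts the warning through pytest's `caplog`. The `sp_settings` fixture and the `MockIdp` methods continue outside their hunks.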