add setting MELLON_SIGNATURE_METHOD (#32008)
It defaults to RSA-SHA256, because RSA-SHA1 — Lasso's own default — is deprecated.
This commit is contained in:
parent
b2a1da8d1b
commit
e1fa70d28d
|
@ -39,6 +39,7 @@ class AppSettings(object):
|
|||
'LOGOUT_URL': 'mellon_logout',
|
||||
'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
|
||||
'LOGIN_HINTS': [],
|
||||
'SIGNATURE_METHOD': 'RSA-SHA256',
|
||||
}
|
||||
|
||||
@property
|
||||
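Review bot: The new default `'SIGNATURE_METHOD': 'RSA-SHA256'` gives a reader no hint of which values are accepted or how the string is consumed, and the other defaults in this dict are equally undocumented. I would add a comment above it: `# XML-DSig algorithm name, e.g. 'RSA-SHA256'; presumably mapped onto a lasso.SIGNATURE_METHOD_* constant when the server is built (RSA-SHA1 is deprecated).` The enclosing AppSettings class starts outside this hunk.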
|
|
|
@ -61,6 +61,13 @@ def create_server(request):
|
|||
private_key_password = None
|
||||
server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key,
|
||||
private_key_password=private_key_password)
|
||||
if app_settings.SIGNATURE_METHOD:
|
||||
symbol_name = 'SIGNATURE_METHOD_' + app_settings.SIGNATURE_METHOD.replace('-', '_').upper()
|
||||
if hasattr(lasso, symbol_name):
|
||||
server.signatureMethod = getattr(lasso, symbol_name)
|
||||
else:
|
||||
logger.warning('mellon: unable to set signature method %s', app_settings.SIGNATURE_METHOD)
|
||||
|
||||
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
|
||||
private_keys = app_settings.PRIVATE_KEYS
|
||||
# skip first key if it is already loaded
|
||||
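Review bot: An unknown MELLON_SIGNATURE_METHOD value (a typo such as 'RSA-SHA265') is only logged at `logger.warning(...)` and the server then keeps the library default, which per the commit description is the deprecated RSA-SHA1 — a misconfiguration silently downgrades the signature algorithm instead of failing. I would make the `else:` branch fatal at startup, e.g. `raise ImproperlyConfigured('MELLON_SIGNATURE_METHOD: unknown signature method %r' % app_settings.SIGNATURE_METHOD)` (django.core.exceptions.ImproperlyConfigured if this module already imports it, otherwise ValueError). The `getattr(lasso, symbol_name)` lookup also accepts any `lasso.SIGNATURE_METHOD_*` symbol the binding happens to expose, so if weaker methods exist there they are reachable by name; an explicit allowlist of supported names would be stricter, if that matters here. create_server begins before and continues after this hunk.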
|
|
|
@ -47,6 +47,7 @@ def sp_settings(private_settings, idp_metadata, sp_private_key, sp_public_key):
|
|||
private_settings.MELLON_PRIVATE_KEYS = [sp_private_key]
|
||||
private_settings.MELLON_NAME_ID_POLICY_FORMAT = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
|
||||
private_settings.LOGIN_REDIRECT_URL = '/'
|
||||
private_settings.MELLON_SIGNATURE_METHOD = 'RSA_SHA256'
|
||||
return private_settings
|
||||
|
||||
|
||||
|
@ -59,6 +60,7 @@ def sp_metadata(sp_settings, rf):
|
|||
class MockIdp(object):
|
||||
def __init__(self, idp_metadata, private_key, sp_metadata):
|
||||
self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key)
|
||||
self.server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
|
||||
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, sp_metadata)
|
||||
|
||||
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None):
|
||||
|
@ -76,6 +78,7 @@ class MockIdp(object):
|
|||
base64.b64decode(
|
||||
urlparse.parse_qs(
|
||||
urlparse.urlparse(url).query)['SAMLRequest'][0]), -15)
|
||||
assert 'rsa-sha256' in url
|
||||
try:
|
||||
login.validateRequestMsg(auth_result, consent)
|
||||
except lasso.LoginRequestDeniedError:
|
||||
|
@ -96,11 +99,14 @@ class MockIdp(object):
|
|||
login.buildAuthnResponseMsg()
|
||||
else:
|
||||
raise NotImplementedError
|
||||
if login.msgBody:
|
||||
assert b'rsa-sha256' in base64.b64decode(login.msgBody)
|
||||
return login.msgUrl, login.msgBody, login.msgRelayState
|
||||
|
||||
def resolve_artifact(self, soap_message):
|
||||
login = lasso.Login(self.server)
|
||||
login.processRequestMsg(soap_message)
|
||||
assert 'rsa-sha256' in soap_message
|
||||
if hasattr(self, 'artifact') and self.artifact == login.artifact:
|
||||
# artifact is known, go on !
|
||||
login.artifactMessage = self.artifact_message
|
||||
|
@ -108,6 +114,7 @@ class MockIdp(object):
|
|||
del self.artifact
|
||||
del self.artifact_message
|
||||
login.buildResponseMsg()
|
||||
assert 'rsa-sha256' in login.msgBody
|
||||
return login.msgBody
|
||||
|
||||
def mock_artifact_resolver(self):
|
||||
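Review bot: The new assertions (`assert 'rsa-sha256' in url`, `assert b'rsa-sha256' in base64.b64decode(login.msgBody)`, `assert 'rsa-sha256' in soap_message`, `assert 'rsa-sha256' in login.msgBody`) are bare substring checks and would still pass if a message carried both algorithms, so they do not prove RSA-SHA1 is gone. I would pair each with a negative check, e.g. `assert 'rsa-sha1' not in url` next to the positive one, and in the XML cases look for the full `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` URI rather than the fragment. The fixture change `private_settings.MELLON_SIGNATURE_METHOD = 'RSA_SHA256'` only exercises the underscore spelling; nothing here covers the documented `'RSA-SHA256'` form or the unknown-name fallback, which looks worth a test of its own. process_authn_request_redirect and resolve_artifact both start outside the hunks that touch them.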
|
|