authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2019-04-04 16:30:02 (GMT)
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2019-04-19 09:09:11 (GMT)
commite1fa70d28db7bbb8cc04dd03f748382ab2657392 (patch)
treebfde4efc435e0ec2094c1ea623fff099cee8d099
parentb2a1da8d1b49d045ba4f4ddc8bab028aeb3f17d5 (diff)
add setting MELLON_SIGNATURE_METHOD (#32008)v1.2.42
It defaults to RSA-SHA256, because RSA-SHA1, which is the default in Lasso, is deprecated.
-rw-r--r--mellon/app_settings.py1
-rw-r--r--mellon/utils.py7
-rw-r--r--tests/test_sso_slo.py7
3 files changed, 15 insertions, 0 deletions
diff --git a/mellon/app_settings.py b/mellon/app_settings.py
index fe1a566..ae095bd 100644
--- a/mellon/app_settings.py
+++ b/mellon/app_settings.py
@@ -39,6 +39,7 @@ class AppSettings(object):
'LOGOUT_URL': 'mellon_logout',
'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
'LOGIN_HINTS': [],
+ 'SIGNATURE_METHOD': 'RSA-SHA256',
}
@property
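Review bot: The added `'SIGNATURE_METHOD': 'RSA-SHA256'` entry says nothing about what a falsy value does; in utils.py the override is guarded by `if app_settings.SIGNATURE_METHOD:`, so an operator who sets it to `None` or `''` silently keeps Lasso's built-in default, which the commit message identifies as the deprecated RSA-SHA1. A comment on the entry, `# falsy keeps Lasso's default (RSA-SHA1, deprecated); see create_server in utils.py`, would make that consequence visible where the setting is defined. The AppSettings defaults dict starts before this hunk.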
diff --git a/mellon/utils.py b/mellon/utils.py
index 5e70014..6462f81 100644
--- a/mellon/utils.py
+++ b/mellon/utils.py
@@ -61,6 +61,13 @@ def create_server(request):
private_key_password = None
server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key,
private_key_password=private_key_password)
+ if app_settings.SIGNATURE_METHOD:
+ symbol_name = 'SIGNATURE_METHOD_' + app_settings.SIGNATURE_METHOD.replace('-', '_').upper()
+ if hasattr(lasso, symbol_name):
+ server.signatureMethod = getattr(lasso, symbol_name)
+ else:
+ logger.warning('mellon: unable to set signature method %s', app_settings.SIGNATURE_METHOD)
+
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
private_keys = app_settings.PRIVATE_KEYS
# skip first key if it is already loaded
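Review bot: The `else` branch of the added block only logs a warning when `MELLON_SIGNATURE_METHOD` does not resolve to a `lasso.SIGNATURE_METHOD_*` constant, so a typo in the setting silently leaves the server on Lasso's default — RSA-SHA1 per the commit message, the very algorithm this change is meant to move away from. A misconfigured signing algorithm should fail closed at startup rather than degrade: replace the warning with `raise ImproperlyConfigured('unknown MELLON_SIGNATURE_METHOD %r' % app_settings.SIGNATURE_METHOD)` (from `django.core.exceptions`, imported at the top of utils.py), or at minimum log it at error level. The lookup also resolves the value by name against whatever `lasso` exports with the `SIGNATURE_METHOD_` prefix rather than against a list of supported algorithms, so a comment such as `# accepts 'RSA-SHA256' or 'RSA_SHA256'; resolved by name against lasso, not an allowlist` would make the contract explicit. create_server starts before this hunk.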
diff --git a/tests/test_sso_slo.py b/tests/test_sso_slo.py
index 20efc69..276c373 100644
--- a/tests/test_sso_slo.py
+++ b/tests/test_sso_slo.py
@@ -47,6 +47,7 @@ def sp_settings(private_settings, idp_metadata, sp_private_key, sp_public_key):
private_settings.MELLON_PRIVATE_KEYS = [sp_private_key]
private_settings.MELLON_NAME_ID_POLICY_FORMAT = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
private_settings.LOGIN_REDIRECT_URL = '/'
+ private_settings.MELLON_SIGNATURE_METHOD = 'RSA_SHA256'
return private_settings
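Review bot: The fixture sets `MELLON_SIGNATURE_METHOD = 'RSA_SHA256'` with an underscore, while the new default in app_settings.py and the commit message spell it `'RSA-SHA256'`; it passes only because utils.py normalises `-` to `_`, so the test exercises an undocumented spelling and would stop matching the production form if that normalisation changed. Prefer `private_settings.MELLON_SIGNATURE_METHOD = 'RSA-SHA256'` here. The `assert 'rsa-sha256' in ...` checks added to MockIdp in the hunks below only cover the configured-and-recognised path; no test sets an unknown value and checks the warning/fallback branch in create_server, which is exactly where a silent downgrade to SHA1 would go unnoticed. Assertions inside MockIdp methods also fail without indicating which test case drove them, so a message argument on each assert would help attribution.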
@@ -59,6 +60,7 @@ def sp_metadata(sp_settings, rf):
class MockIdp(object):
def __init__(self, idp_metadata, private_key, sp_metadata):
self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key)
+ self.server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, sp_metadata)
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None):
@@ -76,6 +78,7 @@ class MockIdp(object):
base64.b64decode(
urlparse.parse_qs(
urlparse.urlparse(url).query)['SAMLRequest'][0]), -15)
+ assert 'rsa-sha256' in url
try:
login.validateRequestMsg(auth_result, consent)
except lasso.LoginRequestDeniedError:
@@ -96,11 +99,14 @@ class MockIdp(object):
login.buildAuthnResponseMsg()
else:
raise NotImplementedError
+ if login.msgBody:
+ assert b'rsa-sha256' in base64.b64decode(login.msgBody)
return login.msgUrl, login.msgBody, login.msgRelayState
def resolve_artifact(self, soap_message):
login = lasso.Login(self.server)
login.processRequestMsg(soap_message)
+ assert 'rsa-sha256' in soap_message
if hasattr(self, 'artifact') and self.artifact == login.artifact:
# artifact is known, go on !
login.artifactMessage = self.artifact_message
@@ -108,6 +114,7 @@ class MockIdp(object):
del self.artifact
del self.artifact_message
login.buildResponseMsg()
+ assert 'rsa-sha256' in login.msgBody
return login.msgBody
def mock_artifact_resolver(self):