views: add a VERIFY_SSL_CERTIFICATE setting

It controls the validation of certificates by requests on artifact resolve requests. It's a global and by idp setting. Also improve logs in errors paths around when calling the artifact resolver. fixes #7521
2015-06-10 11:47:00 +02:00 · 2015-06-10 11:47:00 +02:00 · 9d8528968c
parent e1284efa6c
commit 9d8528968c
4 changed files with 39 additions and 7 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+1.2.x
+-----
+
+- add setting MELLON_VERIFY_SSL_CERTIFICATE
+- improve logs in SAML artifact error paths
+
 1.2.16
 ------

--- a/5
+++ b/5
@ -241,6 +241,11 @@ MELLON_ERROR_REDIRECT_AFTER_TIMEOUT
 Timeout in seconds before automatically redirecting the user to the
 continue URL when authentication has failed. Default is 120 seconds.

+MELLON_VERIFY_SSL_CERTIFICATE
+-----------------------------
+
+Verify SSL certificate when doing HTTP requests, used when resolving artifacts.
+Default is True.

 Tests
 =====
--- a/mellon/app_settings.py
+++ b/mellon/app_settings.py
@ -26,6 +26,7 @@ class AppSettings(object):
            'ERROR_URL': None,
            'ERROR_REDIRECT_AFTER_TIMEOUT': 120,
            'DEFAULT_ASSERTION_CONSUMER_BINDING': 'post', # or artifact
+            'VERIFY_SSL_CERTIFICATE': True,
    }

    @property
--- a/mellon/views.py
+++ b/mellon/views.py
@ -1,5 +1,6 @@
 import logging
 import requests
+from requests.exceptions import RequestException

 from django.views.generic import View
 from django.http import HttpResponseBadRequest, HttpResponseRedirect, HttpResponse
@ -139,18 +140,36 @@ class LoginView(LogMixin, View):
        return HttpResponseRedirect(next_url)

    def continue_sso_artifact_get(self, request):
-        login = utils.create_login(request)
-        login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
-        login.buildRequestMsg()
-
        idp_message = None
        status_codes = []

-        result = requests.post(login.msgUrl, data=login.msgBody,
-                headers={'content-type': 'text/xml'})
+        login = utils.create_login(request)
+        try:
+            login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
+        except lasso.ServerProviderNotFoundError:
+            self.log.warning('no entity id found for artifact %s',
+                             request.GET['SAMLart'])
+            return HttpResponseBadRequest(
+                'no entity id found for this artifact %r' %
+                request.GET['SAMLart'])
+        idp = utils.get_idp(login.remoteProviderId)
+        if not idp:
+            self.log.warning('entity id %r is unknown', login.remoteProviderId)
+            return HttpResponseBadRequest(
+                'entity id %r is unknown' % login.remoteProviderId)
+        verify_ssl_certificate = utils.get_setting(
+            idp, 'VERIFY_SSL_CERTIFICATE')
+        login.buildRequestMsg()
+        try:
+            result = requests.post(login.msgUrl, data=login.msgBody,
+                headers={'content-type': 'text/xml'},
+                verify=verify_ssl_certificate)
+        except RequestException, e:
+            self.log.warning('unable to reach %r: %s', login.msgUrl, e)
+            return HttpResponseBadRequest('unable to reach %r: %s' % (login.msgUrl, e))
        if result.status_code != 200:
            self.log.warning('SAML authentication failed: '\
-                             'IdP returned %s when given artifact' % result.status_code)
+                             'IdP returned %s when given artifact', result.status_code)
            return self.sso_failure(request, login, idp_message, status_codes)

        try:
@ -174,6 +193,7 @@ class LoginView(LogMixin, View):
                args.append(status.statusMessage)
            self.log.warning(*args)
        except lasso.Error, e:
+            self.log.exception('unexpected lasso error')
            return HttpResponseBadRequest('error processing the authentication '
                    'response: %r' % e)
        else: