Support encryption
This commit is contained in:
parent
5dcde8614e
commit
bb08da0f9e
15
README
15
README
|
@ -100,14 +100,25 @@ doing key roll-over
|
||||||
MELLON_PRIVATE_KEY
|
MELLON_PRIVATE_KEY
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
The PKCS#8 PEM encoded private key, if not provided request will not
|
The PKCS#8 PEM encoded private key. If neither MELLON_PRIVATE_KEYS and
|
||||||
be signed.
|
MELLON_PRIVATE_KEY are set, request will not be signed.
|
||||||
|
|
||||||
MELLON_PRIVATE_KEY_PASSWORD
|
MELLON_PRIVATE_KEY_PASSWORD
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
||||||
Password for the private key if needed, default is None
|
Password for the private key if needed, default is None
|
||||||
|
|
||||||
|
MELLON_PRIVATE_KEYS
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
A list of private keys contained in strings (same format ass
|
||||||
|
MELLON_PRIVATE_KEY) or of tuple paris (private_key, private_key_password). If
|
||||||
|
MELLON_PRIVATE_KEY is None, the first key in MELLON_PRIVATE_KEYS will be used
|
||||||
|
to sign messages. Other keys are only for decrypting encrypted assertions. If
|
||||||
|
the same key appear in MELLON_PRIVATE_KEY and MELLON_PRIVATE_KEYS it will be
|
||||||
|
ignored the second time. If neither MELLON_PRIVATE_KEYS and MELLON_PRIVATE_KEY
|
||||||
|
are set, request will not be signed.
|
||||||
|
|
||||||
MELLON_NAME_ID_FORMATS
|
MELLON_NAME_ID_FORMATS
|
||||||
----------------------
|
----------------------
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,7 @@ class AppSettings(object):
|
||||||
__DEFAULTS = {
|
__DEFAULTS = {
|
||||||
'PUBLIC_KEYS': (),
|
'PUBLIC_KEYS': (),
|
||||||
'PRIVATE_KEY': None,
|
'PRIVATE_KEY': None,
|
||||||
|
'PRIVATE_KEYS': (),
|
||||||
'PRIVATE_KEY_PASSWORD': None,
|
'PRIVATE_KEY_PASSWORD': None,
|
||||||
'NAME_ID_FORMATS': (),
|
'NAME_ID_FORMATS': (),
|
||||||
'NAME_ID_POLICY_FORMAT': None,
|
'NAME_ID_POLICY_FORMAT': None,
|
||||||
|
|
|
@ -42,9 +42,28 @@ def create_server(request):
|
||||||
if root not in SERVERS:
|
if root not in SERVERS:
|
||||||
idps = get_idps()
|
idps = get_idps()
|
||||||
metadata = create_metadata(request)
|
metadata = create_metadata(request)
|
||||||
|
if app_settings.PRIVATE_KEY:
|
||||||
|
private_key = app_settings.PRIVATE_KEY
|
||||||
|
private_key_password = app_settings.PRIVATE_KEY_PASSWORD
|
||||||
|
elif app_settings.PRIVATE_KEYS:
|
||||||
|
private_key = app_settings.PRIVATE_KEYS
|
||||||
|
private_key_password = None
|
||||||
|
if isinstance(private_key, (tuple, list)):
|
||||||
|
private_key_password = private_key[1]
|
||||||
|
private_key = private_key[0]
|
||||||
|
else: # no signature
|
||||||
|
private_key = None
|
||||||
|
private_key_password = None
|
||||||
server = lasso.Server.newFromBuffers(metadata,
|
server = lasso.Server.newFromBuffers(metadata,
|
||||||
private_key_content=app_settings.PRIVATE_KEY,
|
private_key_content=private_key,
|
||||||
private_key_password=app_settings.PRIVATE_KEY_PASSWORD)
|
private_key_password=private_key_password)
|
||||||
|
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
|
||||||
|
for key in app_settings.PRIVATE_KEYS:
|
||||||
|
password = None
|
||||||
|
if isinstance(key, (tuple, list)):
|
||||||
|
password = key[1]
|
||||||
|
key = key[0]
|
||||||
|
server.setEncryptionPrivateKeyWithPassword(key, password)
|
||||||
for idp in idps:
|
for idp in idps:
|
||||||
if 'METADATA_URL' in idp and 'METADATA' not in idp:
|
if 'METADATA_URL' in idp and 'METADATA' not in idp:
|
||||||
idp['METADATA'] = urllib.urlopen(idp['METADATA_URL']).read()
|
idp['METADATA'] = urllib.urlopen(idp['METADATA_URL']).read()
|
||||||
|
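Review bot: In the `elif app_settings.PRIVATE_KEYS:` branch, `private_key` is bound to the whole PRIVATE_KEYS sequence rather than its first entry, so the following `isinstance` check always fires and `private_key[1]` becomes the password: with a single-entry list this raises IndexError, and with two or more entries the second key (or its `(key, password)` tuple) is handed to lasso as the password, contradicting the README's "the first key in MELLON_PRIVATE_KEYS will be used to sign". The branch should read `private_key = app_settings.PRIVATE_KEYS[0]`, after which the existing tuple unpacking applies to that one entry as intended. Two smaller points in the same hunk: `server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)` is also reached from the `else: # no signature` branch with both arguments `None`, which is only harmless if lasso tolerates that, so either guard it with `if private_key:` or add a comment stating that it does; and the `for key in app_settings.PRIVATE_KEYS:` loop re-registers the signing key when the same key appears in both settings, so the README's "ignored the second time" presumably relies on lasso deduplicating rather than on this code. create_server starts before the hunk, and the `if root not in SERVERS:` block it is in continues past it.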
@ -59,7 +78,7 @@ def create_server(request):
|
||||||
def create_login(request):
|
def create_login(request):
|
||||||
server = create_server(request)
|
server = create_server(request)
|
||||||
login = lasso.Login(server)
|
login = lasso.Login(server)
|
||||||
if not app_settings.PRIVATE_KEY:
|
if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
|
||||||
login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
|
login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
|
||||||
return login
|
return login
|
||||||
|
|
||||||
|
|