Support encryption
This commit is contained in:
parent
5dcde8614e
commit
bb08da0f9e
15
README
15
README
|
@ -100,14 +100,25 @@ doing key roll-over
|
|||
MELLON_PRIVATE_KEY
|
||||
------------------
|
||||
|
||||
The PKCS#8 PEM encoded private key, if not provided request will not
|
||||
be signed.
|
||||
The PKCS#8 PEM encoded private key. If neither MELLON_PRIVATE_KEYS and
|
||||
MELLON_PRIVATE_KEY are set, request will not be signed.
|
||||
|
||||
MELLON_PRIVATE_KEY_PASSWORD
|
||||
---------------------------
|
||||
|
||||
Password for the private key if needed, default is None
|
||||
|
||||
MELLON_PRIVATE_KEYS
|
||||
-------------------
|
||||
|
||||
A list of private keys contained in strings (same format ass
|
||||
MELLON_PRIVATE_KEY) or of tuple paris (private_key, private_key_password). If
|
||||
MELLON_PRIVATE_KEY is None, the first key in MELLON_PRIVATE_KEYS will be used
|
||||
to sign messages. Other keys are only for decrypting encrypted assertions. If
|
||||
the same key appear in MELLON_PRIVATE_KEY and MELLON_PRIVATE_KEYS it will be
|
||||
ignored the second time. If neither MELLON_PRIVATE_KEYS and MELLON_PRIVATE_KEY
|
||||
are set, request will not be signed.
|
||||
|
||||
MELLON_NAME_ID_FORMATS
|
||||
----------------------
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@ class AppSettings(object):
|
|||
__DEFAULTS = {
|
||||
'PUBLIC_KEYS': (),
|
||||
'PRIVATE_KEY': None,
|
||||
'PRIVATE_KEYS': (),
|
||||
'PRIVATE_KEY_PASSWORD': None,
|
||||
'NAME_ID_FORMATS': (),
|
||||
'NAME_ID_POLICY_FORMAT': None,
|
||||
|
|
|
@ -42,9 +42,28 @@ def create_server(request):
|
|||
if root not in SERVERS:
|
||||
idps = get_idps()
|
||||
metadata = create_metadata(request)
|
||||
if app_settings.PRIVATE_KEY:
|
||||
private_key = app_settings.PRIVATE_KEY
|
||||
private_key_password = app_settings.PRIVATE_KEY_PASSWORD
|
||||
elif app_settings.PRIVATE_KEYS:
|
||||
private_key = app_settings.PRIVATE_KEYS
|
||||
private_key_password = None
|
||||
if isinstance(private_key, (tuple, list)):
|
||||
private_key_password = private_key[1]
|
||||
private_key = private_key[0]
|
||||
else: # no signature
|
||||
private_key = None
|
||||
private_key_password = None
|
||||
server = lasso.Server.newFromBuffers(metadata,
|
||||
private_key_content=app_settings.PRIVATE_KEY,
|
||||
private_key_password=app_settings.PRIVATE_KEY_PASSWORD)
|
||||
private_key_content=private_key,
|
||||
private_key_password=private_key_password)
|
||||
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
|
||||
for key in app_settings.PRIVATE_KEYS:
|
||||
password = None
|
||||
if isinstance(key, (tuple, list)):
|
||||
password = key[1]
|
||||
key = key[0]
|
||||
server.setEncryptionPrivateKeyWithPassword(key, password)
|
||||
for idp in idps:
|
||||
if 'METADATA_URL' in idp and 'METADATA' not in idp:
|
||||
idp['METADATA'] = urllib.urlopen(idp['METADATA_URL']).read()
|
||||
|
@ -59,7 +78,7 @@ def create_server(request):
|
|||
def create_login(request):
|
||||
server = create_server(request)
|
||||
login = lasso.Login(server)
|
||||
if not app_settings.PRIVATE_KEY:
|
||||
if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
|
||||
login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
|
||||
return login
|
||||
|
||||
|
|
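Review bot: In the `elif app_settings.PRIVATE_KEYS:` branch, `private_key` is bound to the whole PRIVATE_KEYS sequence, so the following `isinstance(private_key, (tuple, list))` test is always true for a list and `private_key[1]` takes the second configured key (or raises IndexError when only one is configured) as the password, while `private_key[0]` may itself be a (key, password) pair; the README in this commit says the first entry is the signing key. The assignment should be `private_key = app_settings.PRIVATE_KEYS[0]` so that the tuple unpacking applies to that entry alone. The unconditional `server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)` also runs in the no-signature branch with `private_key = None`; presumably it should be guarded with `if private_key:`. The loop below re-registers the signing key when it also appears in PRIVATE_KEYS, which the README says is ignored the second time, but I cannot tell from here whether lasso deduplicates. create_server's body starts before and continues after this hunk.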