Be able to relax SSL Certificate verification when retrieving idp metadata

pitbulk · pitbulk · commit 5e17c19cbdf0 · 2017-05-09T17:53:19.000+02:00
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
@@ -10,6 +10,7 @@
 """
 
 import urllib2
+import ssl
 
 from copy import deepcopy
 from defusedxml.lxml import fromstring
@@ -24,7 +25,7 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     """
 
     @staticmethod
-    def get_metadata(url):
+    def get_metadata(url, validate_cert=True):
         """
         Gets the metadata XML from the provided URL
 
@@ -35,7 +36,13 @@ def get_metadata(url):
         :rtype: string
         """
         valid = False
-        response = urllib2.urlopen(url)
+        if validate_cert:
+            response = urllib2.urlopen(url)
+        else:
+            ctx = ssl.create_default_context()
+            ctx.check_hostname = False
+            ctx.verify_mode = ssl.CERT_NONE
+            response = urllib2.urlopen(url, context=ctx)
         xml = response.read()
 
         if xml:
@@ -53,7 +60,7 @@ def get_metadata(url):
         return xml
 
     @staticmethod
-    def parse_remote(url, **kwargs):
+    def parse_remote(url, validate_cert=True, **kwargs):
         """
         Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data
 
@@ -63,7 +70,7 @@ def parse_remote(url, **kwargs):
         :returns: settings dict with extracted data
         :rtype: dict
         """
-        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url)
+        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url, validate_cert)
         return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, **kwargs)
 
     @staticmethod
diff --git a/tests/src/OneLogin/saml2_tests/signed_response_test.py b/tests/src/OneLogin/saml2_tests/signed_response_test.py
@@ -44,6 +44,9 @@ def testResponseSignedAssertionNot(self):
         response = OneLogin_Saml2_Response(settings, b64encode(message))
 
         self.assertEquals('someone@example.org', response.get_nameid())
+        from onelogin.saml2.utils import OneLogin_Saml2_Utils
+        assertion_nodes = OneLogin_Saml2_Utils.query(response.document, '//saml:Assertion')
+        self.assertEquals(len(assertion_nodes), 1)
 
     def testResponseAndAssertionSigned(self):
         """
