Adding helper methods to load idp_cert

Author: Rahul Raina

src/onelogin/saml2/auth.py

@@ -605,8 +605,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                 return True
 
             idp_data = self.get_settings().get_idp_data()
-
-            exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']
+            exists_x509cert = self.get_settings().get_idp_cert() is not None
             exists_multix509sign = 'x509certMulti' in idp_data and \
                 'signing' in idp_data['x509certMulti'] and \
                 idp_data['x509certMulti']['signing']
@@ -646,7 +645,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
                 )
             else:
-                cert = idp_data['x509cert']
+                cert = self.get_settings().get_idp_cert()
 
                 if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
                                                                  OneLogin_Saml2_Utils.b64decode(signature),

src/onelogin/saml2/logout_request.py

@@ -72,7 +72,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if exists_multix509enc:
                     cert = idp_data['x509certMulti']['encryption'][0]
                 else:
-                    cert = idp_data['x509cert']
+                    cert = self.__settings.get_idp_cert()
 
             if name_id is not None:
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:

src/onelogin/saml2/response.py

@@ -293,7 +293,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
                 )
             else:
-                cert = idp_data.get('x509cert', None)
+                cert  = self.__settings.get_idp_cert()
                 fingerprint = idp_data.get('certFingerprint', None)
                 if fingerprint:
                     fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)

tests/settings/settings10.json

@@ -0,0 +1,46 @@
+{
+    "strict": false,
+    "debug": false,
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        },
+        "x509cert": "MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m"
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1473,7 +1473,7 @@ def testIsValid2(self):
         response_2 = OneLogin_Saml2_Response(settings_2, xml_2)
         self.assertTrue(response_2.is_valid(self.get_request_data()))
 
-        settings_info_3 = self.loadSettingsJSON('settings2.json')
+        settings_info_3 = self.loadSettingsJSON('settings10.json')
         idp_cert = OneLogin_Saml2_Utils.format_cert(settings_info_3['idp']['x509cert'])
         settings_info_3['idp']['certFingerprint'] = OneLogin_Saml2_Utils.calculate_x509_fingerprint(idp_cert)
         settings_info_3['idp']['x509cert'] = ''
@@ -1662,7 +1662,7 @@ def testIsValidSignFingerprint(self):
         self.assertFalse(response_9.is_valid(self.get_request_data()))
 
     def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON("settings10.json")
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)
@@ -1671,7 +1671,7 @@ def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
         self.assertTrue(response.is_valid(self.get_request_data()))
 
     def testAssertionSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON('settings10.json')
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)