Merge pull request #178 from rahulraina7/master

Load idp certs from file

Author: pitbulk

src/onelogin/saml2/auth.py

@@ -606,7 +606,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
 
             idp_data = self.get_settings().get_idp_data()
 
-            exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']
+            exists_x509cert = self.get_settings().get_idp_cert() is not None
             exists_multix509sign = 'x509certMulti' in idp_data and \
                 'signing' in idp_data['x509certMulti'] and \
                 idp_data['x509certMulti']['signing']
@@ -646,7 +646,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
                 )
             else:
-                cert = idp_data['x509cert']
+                cert = self.get_settings().get_idp_cert()
 
                 if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
                                                                  OneLogin_Saml2_Utils.b64decode(signature),

src/onelogin/saml2/logout_request.py

@@ -72,7 +72,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if exists_multix509enc:
                     cert = idp_data['x509certMulti']['encryption'][0]
                 else:
-                    cert = idp_data['x509cert']
+                    cert = self.__settings.get_idp_cert()
 
             if name_id is not None:
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:

src/onelogin/saml2/response.py

@@ -293,7 +293,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
                 )
             else:
-                cert = idp_data.get('x509cert', None)
+                cert = self.__settings.get_idp_cert()
                 fingerprint = idp_data.get('certFingerprint', None)
                 if fingerprint:
                     fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)

src/onelogin/saml2/settings.py

@@ -558,7 +558,12 @@ def get_idp_cert(self):
         :returns: IdP public cert
         :rtype: string
         """
-        return self.__idp.get('x509cert')
+        cert = self.__idp.get('x509cert')
+        cert_file_name = self.__paths['cert'] + 'idp.crt'
+        if not cert and exists(cert_file_name):
+            with open(cert_file_name) as f:
+                cert = f.read()
+        return cert or None
 
     def get_idp_data(self):
         """

tests/settings/settings10.json

@@ -0,0 +1,46 @@
+{
+    "strict": false,
+    "debug": false,
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        },
+        "x509cert": "MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m"
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

tests/settings/settings9.json

@@ -0,0 +1,46 @@
+{
+    "strict": false,
+    "debug": false,
+    "custom_base_path": "../../../tests/data/customPath/",
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        }
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1473,7 +1473,7 @@ def testIsValid2(self):
         response_2 = OneLogin_Saml2_Response(settings_2, xml_2)
         self.assertTrue(response_2.is_valid(self.get_request_data()))
 
-        settings_info_3 = self.loadSettingsJSON('settings2.json')
+        settings_info_3 = self.loadSettingsJSON('settings10.json')
         idp_cert = OneLogin_Saml2_Utils.format_cert(settings_info_3['idp']['x509cert'])
         settings_info_3['idp']['certFingerprint'] = OneLogin_Saml2_Utils.calculate_x509_fingerprint(idp_cert)
         settings_info_3['idp']['x509cert'] = ''
@@ -1662,7 +1662,7 @@ def testIsValidSignFingerprint(self):
         self.assertFalse(response_9.is_valid(self.get_request_data()))
 
     def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON("settings10.json")
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)
@@ -1671,7 +1671,7 @@ def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
         self.assertTrue(response.is_valid(self.get_request_data()))
 
     def testAssertionSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON('settings10.json')
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)

tests/src/OneLogin/saml2_tests/settings_test.py

@@ -222,6 +222,28 @@ def testGetSPKey(self):
         settings_3 = OneLogin_Saml2_Settings(settings_data, custom_base_path=custom_base_path)
         self.assertIsNone(settings_3.get_sp_key())
 
+    def testGetIDPCert(self):
+        """
+        Tests the get_idp_cert method of the OneLogin_Saml2_Settings
+        """
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings9.json'))
+        cert = "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC\nTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD\nVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG\n9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4\nMTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi\nZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl\naWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO\nNoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS\nKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d\n1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8\nBUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n\nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar\nQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----\n"
+        self.assertEqual(cert, settings.get_idp_cert())
+
+        settings_data = self.loadSettingsJSON()
+
+        settings = OneLogin_Saml2_Settings(settings_data)
+        settings_data['idp']['x509cert'] = cert
+        self.assertEqual(cert, settings.get_sp_cert())
+
+        del settings_data['idp']['x509cert']
+        del settings_data['custom_base_path']
+        custom_base_path = dirname(__file__)
+
+        settings_3 = OneLogin_Saml2_Settings(settings_data, custom_base_path=custom_base_path)
+        self.assertIsNone(settings_3.get_idp_cert())
+
     def testFormatIdPCert(self):
         """
         Tests the format_idp_cert method of the OneLogin_Saml2_Settings