providers/saml: big cleanup, simplify base processor

add New fields for - assertion_valid_not_before - assertion_valid_not_on_or_after - session_valid_not_on_or_after allow flexible time durations for these fields fall back to Provider's ACS if none is specified in AuthNRequest
2020-02-14 15:19:48 +01:00
parent 2be026dd44
commit e36d7928e4
19 changed files with 495 additions and 392 deletions
--- a/passbook/providers/saml/utils/xml_signing.py
+++ b/passbook/providers/saml/utils/xml_signing.py
@ -0,0 +1,31 @@
+"""Signing code goes here."""
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from lxml import etree  # nosec
+from signxml import XMLSigner, XMLVerifier
+from structlog import get_logger
+
+from passbook.lib.utils.template import render_to_string
+
+LOGGER = get_logger()
+
+
+def sign_with_signxml(private_key, data, cert, reference_uri=None):
+    """Sign Data with signxml"""
+    key = serialization.load_pem_private_key(
+        str.encode("\n".join([x.strip() for x in private_key.split("\n")])),
+        password=None,
+        backend=default_backend(),
+    )
+    # defused XML is not used here because it messes up XML namespaces
+    # Data is trusted, so lxml is ok
+    root = etree.fromstring(data)  # nosec
+    signer = XMLSigner(c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
+    signed = signer.sign(root, key=key, cert=[cert], reference_uri=reference_uri)
+    XMLVerifier().verify(signed, x509_cert=cert)
+    return etree.tostring(signed).decode("utf-8")  # nosec
+
+
+def get_signature_xml():
+    """Returns XML Signature for subject."""
+    return render_to_string("saml/xml/signature.xml", {})