0001-views-add-a-VERIFY_SSL_CERTIFICATE-setting.patch

Benjamin Dauvergne, 10 juin 2015 15:09

Voir les différences: en ligne côte à côte

Subject: [PATCH] views: add a VERIFY_SSL_CERTIFICATE setting

It controls the validation of certificates by requests on artifact
resolve requests. It's a global and by idp setting.

Also improve logs in errors paths around when calling the artifact
resolver.

fixes #7521

 Changelog              |  6 ++++++
 README                 |  5 +++++
 mellon/app_settings.py |  1 +
 mellon/views.py        | 34 +++++++++++++++++++++++++++-------
 4 files changed, 39 insertions(+), 7 deletions(-)

 .2.x
     -----
     - add setting MELLON_VERIFY_SSL_CERTIFICATE
     - improve logs in SAML artifact error paths
 .2.16
     ------

     Timeout in seconds before automatically redirecting the user to the
     continue URL when authentication has failed. Default is 120 seconds.
     MELLON_VERIFY_SSL_CERTIFICATE
     -----------------------------
     Verify SSL certificate when doing HTTP requests, used when resolving artifacts.
     Default is True.
     Tests
     =====

mellon/app_settings.py
26	26	'ERROR_URL': None,
27	27	'ERROR_REDIRECT_AFTER_TIMEOUT': 120,
28	28	'DEFAULT_ASSERTION_CONSUMER_BINDING': 'post', # or artifact
	29	'VERIFY_SSL_CERTIFICATE': True,
29	30	}
30	31
31	32	@property

     import logging
     import requests
     from requests.exceptions import RequestException
     from django.views.generic import View
     from django.http import HttpResponseBadRequest, HttpResponseRedirect, HttpResponse
-...
             return HttpResponseRedirect(next_url)
         def continue_sso_artifact_get(self, request):
             login = utils.create_login(request)
             login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
             login.buildRequestMsg()
             idp_message = None
             status_codes = []
             result = requests.post(login.msgUrl, data=login.msgBody,
                     headers={'content-type': 'text/xml'})
             login = utils.create_login(request)
             try:
                 login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
             except lasso.ServerProviderNotFoundError:
                 self.log.warning('no entity id found for artifact %s',
                                  request.GET['SAMLart'])
                 return HttpResponseBadRequest(
                     'no entity id found for this artifact %r' %
                     request.GET['SAMLart'])
             idp = utils.get_idp(login.remoteProviderId)
             if not idp:
                 self.log.warning('entity id %r is unknown', login.remoteProviderId)
                 return HttpResponseBadRequest(
                     'entity id %r is unknown' % login.remoteProviderId)
             verify_ssl_certificate = utils.get_setting(
                 idp, 'VERIFY_SSL_CERTIFICATE')
             login.buildRequestMsg()
             try:
                 result = requests.post(login.msgUrl, data=login.msgBody,
                     headers={'content-type': 'text/xml'},
                     verify=verify_ssl_certificate)
             except RequestException, e:
                 self.log.warning('unable to reach %r: %s', login.msgUrl, e)
                 return HttpResponseBadRequest('unable to reach %r: %s' % (login.msgUrl, e))
             if result.status_code != 200:
                 self.log.warning('SAML authentication failed: '\
                                  'IdP returned %s when given artifact' % result.status_code)
                                  'IdP returned %s when given artifact', result.status_code)
                 return self.sso_failure(request, login, idp_message, status_codes)
             try:
-...
                     args.append(status.statusMessage)
                 self.log.warning(*args)
             except lasso.Error, e:
                 self.log.exception('unexpected lasso error')
                 return HttpResponseBadRequest('error processing the authentication '
                         'response: %r' % e)
             else:
+    -

Projet

Général

Profil

Produits Entr'ouvert » django-mellon

0001-views-add-a-VERIFY_SSL_CERTIFICATE-setting.patch