From 6c835aa7117592505820c1cb9a825d3ff8189e7f Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 10 Jun 2015 11:47:00 +0200
Subject: [PATCH] views: add a VERIFY_SSL_CERTIFICATE setting
It controls the validation of certificates by requests on artifact resolve requests. It's a global and by idp setting. fixes #7521
---
 README | 5 +++++
 mellon/app_settings.py | 1 +
 mellon/views.py | 25 ++++++++++++++++++-------
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/README b/README
index f59cc16..9471f8f 100644
--- a/README
+++ b/README
@@ -241,6 +241,11 @@ MELLON_ERROR_REDIRECT_AFTER_TIMEOUT
 Timeout in seconds before automatically redirecting the user to the continue URL when authentication has failed. Default is 120 seconds.
+MELLON_VERIFY_SSL_CERTIFICATE
+-----------------------------
+
+Verify SSL certificate when doing HTTP requests, used when resolving artifacts.
+Default is True.
 Tests
 =====
diff --git a/mellon/app_settings.py b/mellon/app_settings.py
index 3dd5b57..717107f 100644
--- a/mellon/app_settings.py
+++ b/mellon/app_settings.py
@@ -26,6 +26,7 @@ class AppSettings(object):
 'ERROR_URL': None,
 'ERROR_REDIRECT_AFTER_TIMEOUT': 120,
 'DEFAULT_ASSERTION_CONSUMER_BINDING': 'post', # or artifact
+ 'VERIFY_SSL_CERTIFICATE': True,
 }
 @property
diff --git a/mellon/views.py b/mellon/views.py
index 86c0d7f..071f4b5 100644
--- a/mellon/views.py
+++ b/mellon/views.py
@@ -20,8 +20,9 @@ class LogMixin(object):
 super(LogMixin, self).__init__(*args, **kwargs)
 class LoginView(LogMixin, View):
- def get_idp(self, request):
- entity_id = request.REQUEST.get('entity_id')
+ def get_idp(self, request, entity_id=None):
+ if entity_id is None:
+ entity_id = request.REQUEST.get('entity_id')
 if not entity_id:
 return next(utils.get_idps())
 else:
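Review bot: The widened `get_idp(self, request, entity_id=None)` has no docstring describing the lookup order the hunk now contains; `"""Return the IdP for *entity_id*, falling back to the request's entity_id parameter and then to the first IdP yielded by utils.get_idps()."""` would do, with the `else:` branch left to be described where it continues outside the hunk. No caller in this patch passes the new `entity_id` argument — continue_sso_artifact_get resolves the provider through `utils.get_idp` instead — so if the parameter was intended for that path it appears unused here. get_idp's body runs past the end of the hunk.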
@@ -139,15 +140,25 @@ class LoginView(LogMixin, View):
 return HttpResponseRedirect(next_url)
 def continue_sso_artifact_get(self, request):
- login = utils.create_login(request)
- login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
- login.buildRequestMsg()
-
 idp_message = None
 status_codes = []
+ login = utils.create_login(request)
+ try:
+ login.initRequest(request.META['QUERY_STRING'], lasso.HTTP_METHOD_ARTIFACT_GET)
+ except lasso.ServerProviderNotFoundError:
+ return HttpResponseBadRequest(
+ 'no entity id found for this artifact %r' %
+ request.GET['SAMLart'])
+ idp = utils.get_idp(login.remoteProviderId)
+ if not idp:
+ return HttpResponseBadRequest(
+ 'entity id %r is unknown' % login.remoteProviderId)
+ verify_ssl_certificate = utils.get_setting(
+ idp, 'VERIFY_SSL_CERTIFICATE')
+ login.buildRequestMsg()
 result = requests.post(login.msgUrl, data=login.msgBody,
- headers={'content-type': 'text/xml'})
+ headers={'content-type': 'text/xml'}, verify=verify_ssl_certificate)
 if result.status_code != 200:
 self.log.warning('SAML authentication failed: '\
 'IdP returned %s when given artifact' % result.status_code)
-- 
2.1.4
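Review bot: The `except lasso.ServerProviderNotFoundError` branch reads `request.GET['SAMLart']` by subscript, so a request that reaches this handler without a SAMLart parameter turns the intended 400 into a 500 from the missing key; `request.GET.get('SAMLart')` keeps that error path a 400. The same message reflects the caller-supplied query value into an `HttpResponseBadRequest` body, which Django serves as text/html by default, so the value should be escaped (`django.utils.html.escape`) or replaced by a fixed message with the raw value sent to `self.log` instead. Both new early returns also bypass the `self.log.warning` used for IdP failures further down, so artifact resolutions that fail on an unknown or unresolvable provider leave no log trail; a warning before each return would help detection. When `verify_ssl_certificate` resolves to False the resolve request runs without certificate validation silently, so a `self.log.warning` at that point would make the weakened configuration visible; note too that requests' `verify=` also accepts a CA-bundle path, which the README text for MELLON_VERIFY_SSL_CERTIFICATE could mention. continue_sso_artifact_get continues past the end of the hunk.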