import os
import subprocess
from xml.sax.saxutils import escape
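def set_provider_keys(private_key_path, public_key_path):
    """Generate a 2048-bit RSA key pair with the ``openssl`` command line tool.

    Args:
        private_key_path: where the PEM private key is written.
        public_key_path: where the matching PEM public key is written.

    Returns:
        True when both files were produced, False when ``openssl`` is not
        available or one of its invocations failed (callers that ignored
        the previous ``None`` result are unaffected).
    """
    # use system calls for openssl since PyOpenSSL doesn't expose the
    # necessary functions.
    #
    # The paths are passed as separate argv entries (no shell), so a path
    # containing spaces or shell metacharacters is handed to openssl as-is
    # instead of being re-parsed by /bin/sh.
    genrsa = ['openssl', 'genrsa', '-out', private_key_path, '2048']
    pubout = ['openssl', 'rsa', '-in', private_key_path, '-pubout',
              '-out', public_key_path]
    with open(os.devnull, 'wb') as devnull:
        try:
            # Availability probe, output discarded as before.
            if subprocess.call(['openssl', 'version'],
                               stdout=devnull, stderr=devnull) != 0:
                return False
            if subprocess.call(genrsa) != 0:
                return False
            # Private key material: owner-only regardless of the umask
            # openssl ran under.
            os.chmod(private_key_path, 0o600)
            return subprocess.call(pubout) == 0
        except OSError:
            # openssl binary not on PATH (or not executable).
            return False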
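def get_metadata(cfg):
    """Build Liberty ID-FF service-provider metadata from ``cfg``.

    Args:
        cfg: mapping with ``provider_id`` and ``base_url`` (required) and the
            optional keys ``signing_public_key`` (PEM text of an X.509
            certificate or of a bare public key) and ``organization_name``
            (text, or ISO-8859-1 encoded bytes from legacy configurations).

    Returns:
        The metadata document as one string, sections joined by newlines.

    Raises:
        KeyError: if ``provider_id`` or ``base_url`` is missing from ``cfg``.
    """
    def _escaped(value):
        # Config values land inside XML text nodes and attributes; escape
        # '&', '<' and '>' so a value such as a base_url with a query string
        # cannot break the document or smuggle markup into it. Non-text
        # values are passed through untouched.
        return escape(value) if isinstance(value, str) else value

    def _utf8_text(value):
        # Legacy configs hold ISO-8859-1 byte strings; decode them. Under
        # Python 2 (where str is bytes) re-encode to UTF-8 so the document
        # stays a byte string, as it always has been.
        if isinstance(value, bytes):
            value = value.decode('iso-8859-1')
            if str is bytes:
                value = value.encode('utf-8')
        return value

    safe_cfg = dict((key, _escaped(value)) for key, value in cfg.items())

    prologue = """\
<?xml version="1.0"?>
<EntityDescriptor
providerID="%(provider_id)s"
xmlns="urn:liberty:metadata:2003-08">""" % safe_cfg

    sp_head = """
<SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">"""

    signing_public_key = ''
    key_material = cfg.get('signing_public_key')
    if key_material:
        # The PEM armor text decides how the material is described: a
        # certificate goes into X509Data, anything else keyed as a public
        # key into KeyValue. Material matching neither is silently omitted.
        if 'CERTIF' in key_material:
            signing_public_key = """
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>""" % _escaped(key_material)
        elif 'KEY' in key_material:
            signing_public_key = """
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>%s</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>""" % _escaped(key_material)

    sp_body = """
<AssertionConsumerServiceURL id="AssertionConsumerServiceURL1" isDefault="true">%(base_url)s/assertionConsumer</AssertionConsumerServiceURL>

<SoapEndpoint>%(base_url)s/soapEndpoint</SoapEndpoint>

<SingleLogoutServiceURL>%(base_url)s/singleLogout</SingleLogoutServiceURL>
<SingleLogoutServiceReturnURL>%(base_url)s/singleLogoutReturn</SingleLogoutServiceReturnURL>
<SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile>
<SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile>
<SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>

<FederationTerminationServiceURL>%(base_url)s/federationTermination</FederationTerminationServiceURL>
<FederationTerminationServiceReturnURL>%(base_url)s/federationTerminationReturn</FederationTerminationServiceReturnURL>
<FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile>
<FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile>
<FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-soap</FederationTerminationNotificationProtocolProfile>
<FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>

<AuthnRequestsSigned>true</AuthnRequestsSigned>

</SPDescriptor>""" % safe_cfg

    orga = ''
    if cfg.get('organization_name'):
        orga = """
<Organization>
<OrganizationName>%s</OrganizationName>
</Organization>""" % _escaped(_utf8_text(cfg['organization_name']))

    epilogue = """
</EntityDescriptor>"""

    return '\n'.join([prologue, sp_head, signing_public_key, sp_body, orga, epilogue])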
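def get_saml2_metadata(cfg):
    """Build SAML 2.0 service-provider metadata from ``cfg``.

    Args:
        cfg: mapping with ``saml2_provider_id`` and ``saml2_base_url``
            (required) and the optional keys ``signing_public_key`` (PEM
            text of an X.509 certificate or of a bare public key) and
            ``organization_name`` (text, or ISO-8859-1 encoded bytes from
            legacy configurations).

    Returns:
        The metadata document as one string, sections joined by newlines.

    Raises:
        KeyError: if ``saml2_provider_id`` or ``saml2_base_url`` is missing
            from ``cfg``.
    """
    def _escaped(value):
        # Config values land inside XML text nodes and attributes; escape
        # '&', '<' and '>' so a value such as a base URL with a query string
        # cannot break the document or smuggle markup into it. Non-text
        # values are passed through untouched.
        return escape(value) if isinstance(value, str) else value

    def _utf8_text(value):
        # Legacy configs hold ISO-8859-1 byte strings; decode them. Under
        # Python 2 (where str is bytes) re-encode to UTF-8 so the document
        # stays a byte string, as it always has been.
        if isinstance(value, bytes):
            value = value.decode('iso-8859-1')
            if str is bytes:
                value = value.encode('utf-8')
        return value

    safe_cfg = dict((key, _escaped(value)) for key, value in cfg.items())

    prologue = """\
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="%(saml2_provider_id)s">""" % safe_cfg

    sp_head = """
<SPSSODescriptor
AuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">"""

    signing_public_key = ''
    key_material = cfg.get('signing_public_key')
    if key_material:
        # The PEM armor text decides how the material is described: a
        # certificate goes into X509Data, anything else keyed as a public
        # key into KeyValue. Material matching neither is silently omitted.
        if 'CERTIF' in key_material:
            signing_public_key = """
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>""" % _escaped(key_material)
        elif 'KEY' in key_material:
            signing_public_key = """
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>%s</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>""" % _escaped(key_material)

    sp_body = """
<AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="%(saml2_base_url)s/singleSignOnArtifact" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="%(saml2_base_url)s/singleLogoutSOAP" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="%(saml2_base_url)s/singleLogout"
ResponseLocation="%(saml2_base_url)s/singleLogoutReturn" />

</SPSSODescriptor>""" % safe_cfg

    orga = ''
    if cfg.get('organization_name'):
        orga = """
<Organization>
<OrganizationName>%s</OrganizationName>
</Organization>""" % _escaped(_utf8_text(cfg['organization_name']))

    epilogue = """
</EntityDescriptor>"""

    return '\n'.join([prologue, sp_head, signing_public_key, sp_body, orga, epilogue])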