fixes #1

handnot2 · Sep 30, 2017 · 639d15c · 639d15c
1 parent bc60115
commit 639d15c
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 37 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+### v0.7.0
+
++   Added config options to control if requests and/or responses are signed or not
+
 ### v0.6.3
 
 +   Added Inch CI

diff --git a/lib/samly/provider.ex b/lib/samly/provider.ex
@@ -26,6 +26,10 @@ defmodule Samly.Provider do
   config :samly, Samly.Provider,
     base_url: "http://samly.howto:4003/sso",
     #pre_session_create_pipeline: MySamlyPipeline,
+    #sign_requests: true,
+    #sign_metadata: true,
+    #signed_envelopes_in_idp_resp: true,
+    #signed_assertion_in_idp_resp: true,
     certfile: "path/to/service/provider/certificate/file",
     keyfile: "path/to/corresponding/private/key/file",
     idp_metadata_file: "path/to/idp/metadata/xml/file"
@@ -39,6 +43,10 @@ defmodule Samly.Provider do
   | SAMLY_KEYFILE  | Path to the private key for the certificate. Defaults to `samly.pem` |
   | SAMLY_IDP_METADATA_FILE | Path to the SAML IDP metadata XML file. Defaults to `idp_metadata.xml` |
   | SAMLY_BASE_URL | Set this to the base URL for your application (include `/sso`) |
+  | SAMLY_SIGN_REQUESTS | Set this to `false` if IdP is setup to receive unsigned requests |
+  | SAMLY_SIGN_METADATA | Set this to `false` if the metadata response should be unsigned |
+  | SAMLY_SIGNED_ENVELOPES_IN_IDP_RESP | Set this to `false` if IdP is sending unsigned response |
+  | SAMLY_SIGNED_ASSERTION_IN_IDP_RESP | Set this to `false` if IdP is sending unsigned response |
 
   """
 
@@ -48,11 +56,22 @@ defmodule Samly.Provider do
   require Samly.Esaml
   alias Samly.{Esaml, Helper, State}
 
-  @crt_opt :certfile
-  @key_opt :keyfile
-  @mtd_opt :idp_metadata_file
-  @url_opt :base_url
-  @pipeline_opt :pre_session_create_pipeline
+  @certfile_opt :certfile
+  @keyfile_opt :keyfile
+  @idp_metadata_file_opt :idp_metadata_file
+  @base_url_opt :base_url
+  @pre_session_create_pipeline_opt :pre_session_create_pipeline
+  @sign_requests_opt :sign_requests
+  @sign_metadata_opt :sign_metadata
+  @signed_envelopes_in_idp_resp_opt :signed_envelopes_in_idp_resp
+  @signed_assertion_in_idp_resp_opt :signed_assertion_in_idp_resp
+
+  @opt_keys [
+    @certfile_opt, @keyfile_opt, @idp_metadata_file_opt, @base_url_opt,
+    @sign_requests_opt, @sign_metadata_opt,
+    @signed_envelopes_in_idp_resp_opt, @signed_assertion_in_idp_resp_opt,
+    @pre_session_create_pipeline_opt
+  ]
 
   @doc false
   def start_link(gs_opts \\ []) do
@@ -67,8 +86,10 @@ defmodule Samly.Provider do
       {:ok, sp_rec, idp_rec} ->
         Application.put_env(:samly, :sp, sp_rec)
         Application.put_env(:samly, :idp_metadata, idp_rec)
-        if opts[@pipeline_opt] do
-          Application.put_env(:samly, :pre_session_create_pipeline, opts[@pipeline_opt])
+        if opts[@pre_session_create_pipeline_opt] do
+          Application.put_env(:samly,
+            :pre_session_create_pipeline,
+            opts[@pre_session_create_pipeline_opt])
         end
       error -> error
     end
@@ -88,39 +109,62 @@ defmodule Samly.Provider do
     end
   end
 
-  @opt_keys [:pre_session_create_pipeline, :certfile, :keyfile, :idp_metadata_file, :base_url]
   defp handle_defaults(opts) do
     get_opt_value = fn k ->
       case opts[k] do
-        nil -> {k, use_env(k) || use_default(k)}
+        nil ->
+          v = use_env(k) # value can be false, use explicity nil check
+          v = if v != nil, do: v, else: use_default(k)
+          {k, v}
         v   -> {k, v}
       end
     end
 
     Enum.map(@opt_keys, get_opt_value)
   end
 
-  defp use_env(@pipeline_opt), do: nil
-  defp use_env(@crt_opt), do: System.get_env("SAMLY_CERTFILE")
-  defp use_env(@key_opt), do: System.get_env("SAMLY_KEYFILE")
-  defp use_env(@mtd_opt), do: System.get_env("SAMLY_IDP_METADATA_FILE")
-  defp use_env(@url_opt), do: System.get_env("SAMLY_BASE_URL")
+  defp use_env(@pre_session_create_pipeline_opt), do: nil
+  defp use_env(@certfile_opt), do: System.get_env("SAMLY_CERTFILE")
+  defp use_env(@keyfile_opt), do: System.get_env("SAMLY_KEYFILE")
+  defp use_env(@idp_metadata_file_opt), do: System.get_env("SAMLY_IDP_METADATA_FILE")
+  defp use_env(@base_url_opt), do: System.get_env("SAMLY_BASE_URL")
+  defp use_env(@sign_requests_opt), do: truthy_env("SAMLY_SIGN_REQUESTS")
+  defp use_env(@sign_metadata_opt), do: truthy_env("SAMLY_SIGN_METADATA")
+  defp use_env(@signed_envelopes_in_idp_resp_opt), do: truthy_env("SAMLY_SIGNED_ENVELOPES_IN_IDP_RESP")
+  defp use_env(@signed_assertion_in_idp_resp_opt), do: truthy_env("SAMLY_SIGNED_ASSERTION_IN_IDP_RESP")
+
+  defp truthy_env(name) do
+    value = System.get_env(name)
+    value = value && String.downcase(value)
+    case value do
+      nil -> nil
+      "true" -> true
+      "false" -> false
+      _ ->
+        Logger.warn("Samly.Provider: Ignoring #{name}=#{value}")
+        nil
+    end
+  end
 
-  defp use_default(@pipeline_opt), do: nil
+  defp use_default(@pre_session_create_pipeline_opt), do: nil
+  defp use_default(k) when k in [
+      @sign_requests_opt, @sign_metadata_opt,
+      @signed_envelopes_in_idp_resp_opt, @signed_assertion_in_idp_resp_opt] do
+    true
+  end
   defp use_default(opt) do
     Logger.warn("Samly.Provider: option :#{opt} not set")
 
     case opt do
-      @pipeline_opt -> nil
-      @crt_opt -> "samly.crt"
-      @key_opt -> "samly.pem"
-      @mtd_opt -> "idp_metadata.xml"
-      @url_opt -> ""
+      @certfile_opt -> "samly.crt"
+      @keyfile_opt -> "samly.pem"
+      @idp_metadata_file_opt -> "idp_metadata.xml"
+      @base_url_opt -> ""
     end
   end
 
   defp init_idp_rec(opts) do
-    mdtfile = opts[@mtd_opt]
+    mdtfile = opts[@idp_metadata_file_opt]
     with  {:reading, {:ok, xml}} <- {:reading, File.read(mdtfile)},
           {:parsing, {:ok, mdt}} <- {:parsing, idp_metadata_from_xml(xml)}
     do
@@ -162,18 +206,20 @@ defmodule Samly.Provider do
   end
 
   defp init_sp_rec(opts, trusted_fingerprints) do
-    base_url = opts[@url_opt] |> String.to_charlist()
-    keyfile  = opts[@key_opt] |> String.to_charlist()
-    crtfile  = opts[@crt_opt] |> String.to_charlist()
+    base_url = opts[@base_url_opt] |> String.to_charlist()
+    keyfile  = opts[@keyfile_opt] |> String.to_charlist()
+    crtfile  = opts[@certfile_opt] |> String.to_charlist()
     try do
       cert = load_sp_cert(crtfile)
       key  = load_sp_priv_key(keyfile)
 
       sp_rec = Esaml.esaml_sp(
         key: key,
         certificate: cert,
-        sp_sign_requests: true,
-        sp_sign_metadata: true,
+        sp_sign_requests: opts[@sign_requests_opt],
+        sp_sign_metadata: opts[@sign_metadata_opt],
+        idp_signs_envelopes: opts[@signed_envelopes_in_idp_resp_opt],
+        idp_signs_assertions: opts[@signed_assertion_in_idp_resp_opt],
         trusted_fingerprints: trusted_fingerprints,
         metadata_uri: Helper.get_metadata_uri(base_url),
         consume_uri: Helper.get_consume_uri(base_url),

diff --git a/mix.exs b/mix.exs
@@ -1,7 +1,7 @@
 defmodule Samly.Mixfile do
   use Mix.Project
 
-  @version "0.6.3"
+  @version "0.7.0"
   @description "SAML SP SSO made easy"
   @source_url "https://github.com/handnot2/samly"
 

diff --git a/mix.lock b/mix.lock
@@ -1,10 +1,10 @@
-%{"cowboy": {:hex, :cowboy, "1.1.2", "61ac29ea970389a88eca5a65601460162d370a70018afe6f949a29dca91f3bb0", [], [{:cowlib, "~> 1.0.2", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3.2", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm"},
-  "cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [], [], "hexpm"},
-  "earmark": {:hex, :earmark, "1.2.3", "206eb2e2ac1a794aa5256f3982de7a76bf4579ff91cb28d0e17ea2c9491e46a4", [], [], "hexpm"},
-  "esaml": {:hex, :esaml, "3.0.1", "fea1bf280438f1c247a4fa45d87bf7df3ce1cbee504ae423c4d0f3f292e786aa", [], [{:cowboy, "1.1.2", [hex: :cowboy, repo: "hexpm", optional: false]}], "hexpm"},
-  "ex_doc": {:hex, :ex_doc, "0.16.4", "4bf6b82d4f0a643b500366ed7134896e8cccdbab4d1a7a35524951b25b1ec9f0", [], [{:earmark, "~> 1.1", [hex: :earmark, repo: "hexpm", optional: false]}], "hexpm"},
-  "inch_ex": {:hex, :inch_ex, "0.5.6", "418357418a553baa6d04eccd1b44171936817db61f4c0840112b420b8e378e67", [], [{:poison, "~> 1.5 or ~> 2.0 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"},
-  "mime": {:hex, :mime, "1.1.0", "01c1d6f4083d8aa5c7b8c246ade95139620ef8effb009edde934e0ec3b28090a", [], [], "hexpm"},
-  "plug": {:hex, :plug, "1.4.3", "236d77ce7bf3e3a2668dc0d32a9b6f1f9b1f05361019946aae49874904be4aed", [], [{:cowboy, "~> 1.0.1 or ~> 1.1", [hex: :cowboy, repo: "hexpm", optional: true]}, {:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}], "hexpm"},
-  "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [], [], "hexpm"},
-  "ranch": {:hex, :ranch, "1.3.2", "e4965a144dc9fbe70e5c077c65e73c57165416a901bd02ea899cfd95aa890986", [], [], "hexpm"}}
+%{"cowboy": {:hex, :cowboy, "1.1.2", "61ac29ea970389a88eca5a65601460162d370a70018afe6f949a29dca91f3bb0", [:rebar3], [{:cowlib, "~> 1.0.2", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3.2", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm"},
+  "cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [:make], [], "hexpm"},
+  "earmark": {:hex, :earmark, "1.2.3", "206eb2e2ac1a794aa5256f3982de7a76bf4579ff91cb28d0e17ea2c9491e46a4", [:mix], [], "hexpm"},
+  "esaml": {:hex, :esaml, "3.0.1", "fea1bf280438f1c247a4fa45d87bf7df3ce1cbee504ae423c4d0f3f292e786aa", [:rebar3], [{:cowboy, "1.1.2", [hex: :cowboy, repo: "hexpm", optional: false]}], "hexpm"},
+  "ex_doc": {:hex, :ex_doc, "0.16.4", "4bf6b82d4f0a643b500366ed7134896e8cccdbab4d1a7a35524951b25b1ec9f0", [:mix], [{:earmark, "~> 1.1", [hex: :earmark, repo: "hexpm", optional: false]}], "hexpm"},
+  "inch_ex": {:hex, :inch_ex, "0.5.6", "418357418a553baa6d04eccd1b44171936817db61f4c0840112b420b8e378e67", [:mix], [{:poison, "~> 1.5 or ~> 2.0 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"},
+  "mime": {:hex, :mime, "1.1.0", "01c1d6f4083d8aa5c7b8c246ade95139620ef8effb009edde934e0ec3b28090a", [:mix], [], "hexpm"},
+  "plug": {:hex, :plug, "1.4.3", "236d77ce7bf3e3a2668dc0d32a9b6f1f9b1f05361019946aae49874904be4aed", [:mix], [{:cowboy, "~> 1.0.1 or ~> 1.1", [hex: :cowboy, repo: "hexpm", optional: true]}, {:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}], "hexpm"},
+  "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [:mix], [], "hexpm"},
+  "ranch": {:hex, :ranch, "1.3.2", "e4965a144dc9fbe70e5c077c65e73c57165416a901bd02ea899cfd95aa890986", [:rebar3], [], "hexpm"}}