

✨ [#403] Support cafile and capath parameters
When retrieving the IDP metadata, you can now optionally specify the
capath or cafile to use for certificate verification, rather than just
enabling/disabling it.

This allows TLS verification of server certificates that are not in the
system root store (such as when using private CAs).
sergei-maertens committed Oct 3, 2024
1 parent 27372ce commit ed63c57
Showing 2 changed files with 22 additions and 16 deletions.
33 changes: 21 additions & 12 deletions src/onelogin/saml2/idp_metadata_parser.py
Expand Up @@ -6,11 +6,7 @@


from copy import deepcopy

try:
import urllib.request as urllib2
except ImportError:
import urllib2
from urllib.request import Request, urlopen

import ssl

Expand All @@ -27,7 +23,15 @@ class OneLogin_Saml2_IdPMetadataParser(object):
"""

@classmethod
def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
def get_metadata(
cls,
url,
validate_cert=True,
cafile=None,
capath=None,
timeout=None,
headers=None,
):
"""
Gets the metadata XML from the provided URL
:param url: Url where the XML of the Identity Provider Metadata is published.
Expand All @@ -46,15 +50,20 @@ def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
"""
valid = False

request = urllib2.Request(url, headers=headers or {})

if validate_cert:
response = urllib2.urlopen(request, timeout=timeout)
else:
# Respect the no-TLS-certificate validation option
ctx = None
if not validate_cert:
if cafile or capath:
raise ValueError(
"Specifying 'cafile' or 'capath' while disabling certificate "
"validation is contradictory."
)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
response = urllib2.urlopen(request, context=ctx, timeout=timeout)

request = Request(url, headers=headers or {})
response = urlopen(request, timeout=timeout, cafile=cafile, capath=capath, context=ctx)
xml = response.read()

if xml:
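Review bot: The `urlopen(request, timeout=timeout, cafile=cafile, capath=capath, context=ctx)` call at the end of the third hunk depends on urlopen's `cafile`/`capath` keywords, which have been deprecated since Python 3.6 and are removed in 3.13, so the new option fails with a TypeError on current interpreters. Building the context yourself gives the same verification behaviour on every version: replace `ctx = None` with `ctx = ssl.create_default_context(cafile=cafile, capath=capath)`, drop the second `ctx = ssl.create_default_context()` inside the `if not validate_cert:` branch, and call `response = urlopen(request, timeout=timeout, context=ctx)`. The existing ValueError for `cafile`/`capath` combined with `validate_cert=False` stays as it is and still guards the `CERT_NONE` path. The docstring opened in the second hunk is collapsed on this page; if it does not yet describe the new parameters, add `:param cafile:` and `:param capath:` entries next to `validate_cert`. get_metadata's body continues past the end of the hunk.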
5 changes: 1 addition & 4 deletions tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -1,10 +1,7 @@
# -*- coding: utf-8 -*-


try:
from urllib.error import URLError
except ImportError:
from urllib2 import URLError
from urllib.error import URLError

from copy import deepcopy
import json
