impossible to use embedded certs when signing is required

[anthonyrisinger]

when using embedded certs (certs contained within the settings dictionary... ie. NO external files whatsoever) it's not possible to enable signatures of any kind.

__load_settings_from_dict (also called by __load_settings_from_file) tries to check settings:
https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L194

which tries to ensure certs are available:
https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L373

which interacts with self.__sp:
https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L441
https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L461

but that hasn't been set yet! (note the lineno of the first step):
https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L197

check_sp_certs(...), get_sp_key(...), and get_sp_cert(...) should either accept an sp argument and fallback to self.__sp or self.__sp must be set earlier.

this can be worked around in a disgusting way (sadly made more disgusting due to excessive use of __ prefix, we don't do this in python!):

def get_saml_auth(request_data, settings_dict):
    """
    Wrapper to handle buggy saml object init
    """
    # drop security info so objects can initialize
    security = settings_dict.pop('security')
    auth = OneLogin_Saml2_Auth(request_data, settings_dict)
    settings = OneLogin_Saml2_Settings(settings_dict)

    # reinstate security info, prime object, reload from dict
    settings_dict['security'] = security
    settings._OneLogin_Saml2_Settings__sp = settings_dict['sp']
    settings._OneLogin_Saml2_Settings__load_settings_from_dict(settings_dict)

    # assign new internal settings object
    auth._OneLogin_Saml2_Auth__settings = settings
    return auth

[pitbulk]

Certs must be provided in the "certs" folder or in the json settings file (For example https://github.com/onelogin/python-saml/blob/master/demo-django/saml/settings.json "x509cert" and "privateKey").

All settings data must be provided when you initialize the OneLogin_Saml2_Auth object.

I suggest you to take a look on the django demo and to read the Settings section of the documentation:
https://github.com/onelogin/python-saml#settings

[anthonyrisinger]

I've read all of the documentation and have a working implementation.

did you look at the lines I gave above? it clearly shows the problem. I don't want to use an external json file or certs because the application is self-contained in a zip file.

I am passing all the settings to the Auth initialization and this is in line with the docs. I can cook a patch for this very easily.

[anthonyrisinger]

the crux of the issue is you cannot initialize an Auth object 100% from code if it contains a security key enabling signatures because of this logic error.

[anthonyrisinger]

just to be clear, I have x509cert and privateKey defined for the SP and x509cert defined for the IdP in the settings dict passed to Auth initialization.

[pitbulk]

Sorry I replied you on my mobile and had no time to analyze the real problem, I thought that your issue was other.

I think the commit solves the problem, it was a bug introduced when added the ability of define a cert on the settings (before SP cert only were allowed to be defined as a file).

Thank you for catching that bug, good luck with the Signature issue.

P.S The __ on private attributes was introduced to make the code of the python-saml toolkit similar to the php-saml.
I know that is not very common, but I think is allowed:
http://stackoverflow.com/questions/1301346/the-meaning-of-a-single-and-a-double-underscore-before-an-object-name-in-python

[anthonyrisinger]

yes this commit will solve the issue.

the double underscore thing isn't a problem per se, it just introduces name mangling and makes it harder for others to access those identifiers as needed (in a perfect world they'd be "private", but... we don't live there ;)

any chance you'd be able to cut a point release to PyPI? ie. 2.0.2?

closing the bug because the solution does work.

[pitbulk]

I will as soon as possible.

[pitbulk]

New version available at https://pypi.python.org/pypi/python-saml/2.0.2

[anthonyrisinger]

great, thank you!