pysaml2
Allow to choose algorithms when creating new metadata
The `make_metadata.py` uses default (and poor) algorithms for signature and digest computation when creating new metadata. It would be nice to allow the selection of these algorithms. The PR introduces the `-S` and `-D` command line arguments that can be used as follows:

```shell
$ ../../tools/make_metadata.py \
    -s -x /usr/bin/xmlsec1 \
    -k pki/mykey.pem -c pki/mycert.pem \
    -S http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 \
    -D http://www.w3.org/2001/04/xmlenc#sha512 \
    sp_conf
```
All Submissions:
- [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
- [x] Have you added an explanation of what problem you are trying to solve with this PR?
- [x] Have you added information on what your changes do and why you chose this as your solution?
- [ ] Have you written new tests for your changes?
- [x] Does your submission pass tests?
- [x] This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?
Codecov Report

Merging #645 into master will increase coverage by 0.04%. The diff coverage is n/a.

```
@@            Coverage Diff             @@
##           master     #645      +/-   ##
==========================================
+ Coverage   65.44%   65.48%   +0.04%
==========================================
  Files         103      103
  Lines       25703    25703
==========================================
+ Hits        16821    16832      +11
+ Misses       8882     8871      -11
```

| Impacted Files | Coverage Δ | |
|---|---|---|
| src/saml2/__init__.py | 87.78% <0%> (-0.19%) | :arrow_down: |
| src/saml2/time_util.py | 87.42% <0%> (+0.59%) | :arrow_up: |
| src/saml2/validate.py | 79.21% <0%> (+4.31%) | :arrow_up: |

Continue to review full report at Codecov.
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b224a02...123427f.
@psmiraglia Hey Paolo, nice to see you here! The discussion on this topic is here: https://github.com/IdentityPython/pysaml2/pull/628
I also saw that you have also brought some commits from another branch of mine (those with allow_create documentation... already merged by c00kieMon5ter here: https://github.com/IdentityPython/pysaml2/pull/632/files).
If you can, we could work on this in that PR and close this one. We should move to a configuration asset that permits users to disable weak algorithms not only in the metadata but also during signature/encryption verification.
Nice shoot
> @psmiraglia Hey Paolo, nice to see you here! The discussion on this topic is here: #628

I don't think so. My PR just covers the script to generate the metadata. Algorithms I'm referring to are just used to compute the signature and the digest of the whole metadata (to check its integrity and authenticity). The mechanism to advertise supported algorithms (for SAML signature and assertions encryption) remains untouched.

> I also saw that you have also brought some commits from another branch of mine (those with allow_create documentation... already merged by c00kieMon5ter here: https://github.com/IdentityPython/pysaml2/pull/632/files).

Don't know why it happened... Anyway, I rebased it!

> If you can, we could work on this in that PR and close this one.

As I said, topics are similar but different. So, I would keep the PR opened.

> We should move to a configuration asset that permits users to disable weak algorithms not only in the metadata but also during signature/encryption verification.

This makes sense

> Nice shoot

:smile:
Hi,
Given that metadata generation can also be invoked within an application (e.g., in SATOSA at `/Saml2/proxy_saml2_backend.xml`), it might be better to specify the algorithms in the config, instead of extra flags passed to `make_metadata.py`.
If all input information needed for generating the metadata is captured in the config, then all the different ways of triggering the metadata generation would produce the same output.
How does this sound?
Cheers, Vlad
Good to me!
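As an added example (not pysaml2's own code and not part of this PR), the following Python sketches both approaches the thread discusses: the `-S`/`-D` flags from the PR description and the config-driven selection Vlad proposes. It resolves the signature and digest algorithm URIs with CLI-over-config precedence, refuses the SHA-1 based identifiers, builds the `ds:Signature` template that `xmlsec1 --sign` completes, and audits a signed document for weak algorithms. The config keys `signing_algorithm` and `digest_algorithm`, the SHA-256 defaults, and the sample metadata document are assumptions of the example, not pysaml2 behaviour.

```python
# Added example, not pysaml2 or PR code. Config keys "signing_algorithm" and
# "digest_algorithm", the SHA-256 defaults and the sample document are assumptions.
import argparse
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# XML-DSig algorithm identifiers (RFC 6931); these are the URIs passed to -S and -D.
SIG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SIG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG_RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
SIG_RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGEST_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
DIGEST_SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"

ALLOWED_SIGNATURE = {SIG_RSA_SHA256, SIG_RSA_SHA384, SIG_RSA_SHA512}
ALLOWED_DIGEST = {DIGEST_SHA256, DIGEST_SHA384, DIGEST_SHA512}
WEAK = {SIG_RSA_SHA1, DIGEST_SHA1}  # SHA-1 based; never accept for new metadata


class WeakAlgorithmError(ValueError):
    """A SHA-1 based signature or digest algorithm was requested."""


def resolve_algorithms(config: Dict[str, str], sign_alg: Optional[str] = None,
                       digest_alg: Optional[str] = None) -> Tuple[str, str]:
    """Return (signature_uri, digest_uri) for signing the metadata.

    Precedence: explicit CLI flag, then config key, then SHA-256 default, so the
    script and an in-application caller agree whenever no flag is given.
    """
    sig = sign_alg or config.get("signing_algorithm") or SIG_RSA_SHA256
    dig = digest_alg or config.get("digest_algorithm") or DIGEST_SHA256
    for kind, uri, allowed in (("signature", sig, ALLOWED_SIGNATURE),
                               ("digest", dig, ALLOWED_DIGEST)):
        if uri in WEAK:
            raise WeakAlgorithmError(f"{kind} algorithm {uri} is SHA-1 based")
        if uri not in allowed:
            raise ValueError(f"unsupported {kind} algorithm: {uri}")
    return sig, dig


def build_parser() -> argparse.ArgumentParser:
    """Only the two flags the PR adds; the rest of make_metadata.py is omitted."""
    parser = argparse.ArgumentParser(description="sign SAML metadata")
    parser.add_argument("-S", dest="sign_alg", help="XML-DSig SignatureMethod URI")
    parser.add_argument("-D", dest="digest_alg", help="XML-DSig DigestMethod URI")
    return parser


def signature_template(reference_id: str, sig: str, dig: str) -> str:
    """Build the ds:Signature template that xmlsec1 --sign completes: an
    enveloped signature over the element whose ID attribute is reference_id."""
    ET.register_namespace("ds", DS_NS)

    def ds(name: str) -> str:  # Clark-notation tag in the ds namespace
        return f"{{{DS_NS}}}{name}"

    signature = ET.Element(ds("Signature"))
    signed_info = ET.SubElement(signature, ds("SignedInfo"))
    ET.SubElement(signed_info, ds("CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(signed_info, ds("SignatureMethod"), Algorithm=sig)
    reference = ET.SubElement(signed_info, ds("Reference"), URI=f"#{reference_id}")
    transforms = ET.SubElement(reference, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(transforms, ds("Transform"), Algorithm=EXC_C14N)
    ET.SubElement(reference, ds("DigestMethod"), Algorithm=dig)
    ET.SubElement(reference, ds("DigestValue"))  # filled in by xmlsec1
    ET.SubElement(signature, ds("SignatureValue"))  # filled in by xmlsec1
    x509 = ET.SubElement(ET.SubElement(signature, ds("KeyInfo")), ds("X509Data"))
    ET.SubElement(x509, ds("X509Certificate"))
    return ET.tostring(signature, encoding="unicode")


def audit_signed_metadata(xml_text: str) -> dict:
    """What a relying party should check on received metadata: which algorithms
    the signature actually uses and whether either one is on the weak list."""
    root = ET.fromstring(xml_text)
    sig_el = root.find(f".//{{{DS_NS}}}SignatureMethod")
    dig_el = root.find(f".//{{{DS_NS}}}DigestMethod")
    sig = sig_el.get("Algorithm", "") if sig_el is not None else ""
    dig = dig_el.get("Algorithm", "") if dig_el is not None else ""
    return {"signature": sig, "digest": dig, "weak": sig in WEAK or dig in WEAK}


# Constructed sample: metadata signed with the SHA-1 algorithms the PR wants to replace.
SAMPLE_SIGNED_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://sp.example.org/saml" ID="_abc123">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#_abc123">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></md:EntityDescriptor>'
)
```

With `build_parser().parse_args(["-S", SIG_RSA_SHA384, "-D", DIGEST_SHA512])` the resolved pair matches the command line in the PR description, while a caller inside an application that passes no flags gets whatever the config names, which is the consistency Vlad asks for. The allowlist is deliberately closed rather than a SHA-1 denylist alone, so an unknown or mistyped URI fails loudly instead of being handed to `xmlsec1`.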