✨ [#403] Support cafile and capath parameters (#415)

sergei-maertens · web-flow · commit 7eb6b6323a9a · 2024-10-04T09:38:43.000+02:00
When retrieving the IDP metadata, you can now optionally specify the the
capath or cafile to use for certificate verification, rather than just
enabling/disabling it.

This allows TLS verification of server certificates that are not in the
system root store (such as when using private CAs).
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
@@ -6,11 +6,7 @@
 
 
 from copy import deepcopy
-
-try:
-    import urllib.request as urllib2
-except ImportError:
-    import urllib2
+from urllib.request import Request, urlopen
 
 import ssl
 
@@ -27,7 +23,15 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     """
 
     @classmethod
-    def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
+    def get_metadata(
+        cls,
+        url,
+        validate_cert=True,
+        cafile=None,
+        capath=None,
+        timeout=None,
+        headers=None,
+    ):
         """
         Gets the metadata XML from the provided URL
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -46,15 +50,20 @@ def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
         """
         valid = False
 
-        request = urllib2.Request(url, headers=headers or {})
-
-        if validate_cert:
-            response = urllib2.urlopen(request, timeout=timeout)
-        else:
+        # Respect the no-TLS-certificate validation option
+        ctx = None
+        if not validate_cert:
+            if cafile or capath:
+                raise ValueError(
+                    "Specifying 'cafile' or 'capath' while disabling certificate "
+                    "validation is contradictory."
+                )
             ctx = ssl.create_default_context()
             ctx.check_hostname = False
             ctx.verify_mode = ssl.CERT_NONE
-            response = urllib2.urlopen(request, context=ctx, timeout=timeout)
+
+        request = Request(url, headers=headers or {})
+        response = urlopen(request, timeout=timeout, cafile=cafile, capath=capath, context=ctx)
         xml = response.read()
 
         if xml:
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -1,10 +1,7 @@
 # -*- coding: utf-8 -*-
 
 
-try:
-    from urllib.error import URLError
-except ImportError:
-    from urllib2 import URLError
+from urllib.error import URLError
 
 from copy import deepcopy
 import json
