Comments (12)
In the newer version, URL requests are handled by requests, which verifies the SSL certificate; it is more secure.
@duoi no action was taken. I do not have commit access, so I cannot say if a PR will be accepted or not. I am on the fence as to the wisdom of this change though. On the one hand it makes testing a local setup easier, although getting a working setup without this change is not impossible. On the other hand, you should really never run a CAS system in production with this flag set, and I think that is where I am skeptical that this would be a good addition; it is too easy to do something that is not safe.
So if you are thinking about creating a PR, here is what I would like to see. Some good test coverage to make sure that the setting is working properly. The default values should verify the certificates. There should be a warning presented to the user that this operation is not safe for a production environment, something along the lines of the naive datetime warning from django[0]. At the end of the day it is up to @mingchen to accept the pull request though.
[0] - https://github.com/django/django/blob/master/django/db/models/fields/__init__.py#L1358
@duoi no problem. Glad you got your PR merged!
Yes, I know it's more secure, but what do I do if I have a self-signed certificate for our development environment?
Can you add the signing certificate (CA bundle) to the client? This would be the best way to handle your issue. More details on how to do this in Ubuntu are in [0].
On the other hand, requests has a mechanism for not verifying the certificate [1], but that would need to be exposed, most likely through a setting. I could see this being somewhat useful in certain circumstances (closed networks with their own CA). There are two ways that requests addresses this issue.
- You can turn off certificate verification altogether by passing verify=False to the request.
- You can also use the verify parameter to pass a full path to a CA bundle that signed your server's certificate; this would allow you to use your own CA bundle without having to add your bundle to the system.
I could see a setting along the lines of CAS_VERIFY_CERTIFICATE that is None by default, but takes either False or a full path to a CA bundle. Internally we would use that setting for all requests if the setting is something other than None; otherwise verify the certificate with just the system certs.
[0] http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
[1] http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
@bgroff this was closed, but did anything ever come from this? A setting to control certificate validation would be extremely welcome. I can develop a PR if it hasn't already been done.
See python-cas 1.4.0, which includes python-cas/python-cas#16:
- Add kwarg to bypass SSL certificate validation #16
@bgroff thanks for getting back to me. I agree with your points and will produce something that hits them.
Good call on the warning message, I didn’t consider that, and will definitely stick it in. Given that my other PR on the ‘python-cas’ dependency package has been merged in I’ll begin working on this one probably later this evening or so. Cheers.
@bgroff would you be able to give me any advice on how I should write the tests? I've been looking for a way to do it with RequestFactory, but I can't see anything that would let me enter into a state where I can mock rejection of unsigned certificates.
Here is what I have:
- The new setting: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/__init__.py#L31
- The warning: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/utils.py#L72
- Being passed to cas.py: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/utils.py#L88
I added the warning on the get_cas_client() function as it is called several times across the system and it's the only way to ensure that the user is made very well aware of what's happening. Would that be too much in your opinion?
Hey, sorry it took a bit to get back to you. Is it possible to check that the cas_client.verify_ssl_certificate is True/False for the combinations of settings?
I just can't see a way to pass in an invalid certificate with RequestFactory. I can write tests, but the tests wouldn't provide much value. We're unable to test for the negative (or more important) case when the certificate is invalid but verify_ssl_certificate is set to True :/
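Added illustration, not code from django-cas-ng or python-cas, covering both the setting sketched by @bgroff earlier in the thread and the testing question in the last comments: the hypothetical CAS_VERIFY_CERTIFICATE value (None, False, or a CA bundle path) is mapped to the requests `verify` argument, a warning is emitted when verification is switched off, and the HTTP call is injectable so a test can assert which `verify` value actually reached the HTTP layer without needing a real invalid certificate. The function names validate_ticket and observed_verify, the warning class, and the example URLs are assumptions.

```python
import warnings
from typing import Callable, Optional, Union

# Assumed setting semantics (as proposed in the thread): None -> system CA store,
# False -> skip verification, str -> path to the CA bundle that signed the CAS server cert.
VerifySetting = Optional[Union[bool, str]]


class UnsafeCertificateVerification(Warning):
    """Emitted whenever TLS certificate verification is switched off."""


def resolve_verify(setting: VerifySetting) -> Union[bool, str]:
    """Map the hypothetical CAS_VERIFY_CERTIFICATE setting to requests' `verify` argument."""
    if setting is None or setting is True:
        return True  # requests' default: verify against the system CA bundle
    if setting is False:
        warnings.warn("CAS_VERIFY_CERTIFICATE is False: TLS certificate verification is "
                      "disabled. Do not run with this setting in production.",
                      UnsafeCertificateVerification)
        return False
    if isinstance(setting, str) and setting:
        return setting  # custom CA bundle path; nothing has to be added to the system store
    raise ValueError("CAS_VERIFY_CERTIFICATE must be None, False or a CA bundle path, "
                     f"got {setting!r}")


def validate_ticket(cas_url: str, ticket: str, service: str,
                    setting: VerifySetting, getter: Optional[Callable] = None):
    """Call the CAS serviceValidate endpoint; `getter` is injectable so tests can observe `verify`."""
    if getter is None:
        import requests  # deferred import: the module loads even where requests is absent
        getter = requests.get
    return getter(cas_url.rstrip("/") + "/serviceValidate",
                  params={"ticket": ticket, "service": service},
                  verify=resolve_verify(setting))


def observed_verify(setting: VerifySetting) -> tuple:
    """Return (verify value the HTTP layer received, number of warnings emitted) for a setting."""
    seen = {}

    def fake_get(url, params=None, verify=True):  # stand-in for requests.get; no network
        seen["verify"] = verify
        return "fake-response"

    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        validate_ticket("https://cas.example.test/cas", "ST-123",  # constructed sample values
                        "https://app.example.test/", setting, getter=fake_get)
    return seen["verify"], len(caught)
```

The negative case @duoi could not reach with RequestFactory (verification on, bad certificate) is decided inside requests/urllib3, so the unit-testable contract is that the configured `verify` value is the one handed to requests.get.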
CAS_VERIFY_CERTIFICATE: This does not work :(