SAML-Toolkits#56. Be able to relax SSL Certificate verification when retrieving idp metadata

pitbulk · pitbulk · commit f7a9652aced9 · 2017-05-09T17:23:32.000+02:00
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
@@ -14,6 +14,8 @@
 except ImportError:
     import urllib2
 
+import ssl
+
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
@@ -25,7 +27,7 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     """
 
     @staticmethod
-    def get_metadata(url):
+    def get_metadata(url, validate_cert=True):
         """
         Gets the metadata XML from the provided URL
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -34,7 +36,14 @@ def get_metadata(url):
         :rtype: string
         """
         valid = False
-        response = urllib2.urlopen(url)
+
+        if validate_cert:
+            response = urllib2.urlopen(url)
+        else:
+            ctx = ssl.create_default_context()
+            ctx.check_hostname = False
+            ctx.verify_mode = ssl.CERT_NONE
+            response = urllib2.urlopen(url, context=ctx)
         xml = response.read()
 
         if xml:
@@ -52,15 +61,15 @@ def get_metadata(url):
         return xml
 
     @staticmethod
-    def parse_remote(url, **kwargs):
+    def parse_remote(url, validate_cert=True, **kwargs):
         """
         Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data
         :param url: Url where the XML of the Identity Provider Metadata is published.
         :type url: string
         :returns: settings dict with extracted data
         :rtype: dict
         """
-        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url)
+        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url, validate_cert)
         return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, **kwargs)
 
     @staticmethod
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1411,4 +1411,4 @@ def testStatusCheckBeforeAssertionCheck(self):
         xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'):
-            response.is_valid(self.get_request_data(), raise_exceptions=True)
+            response.is_valid(self.get_request_data(), raise_exceptions=True)
