Merge pull request #634 from peppelinux/xmlsec_tmpfiles

Delete temporary files by xmlsec

Author: c00kiemon5ter

docs/howto/config.rst

@@ -34,6 +34,7 @@ The basic structure of the configuration file is therefore like this::
         "key_file" : "my.key",
         "cert_file" : "ca.pem",
         "xmlsec_binary" : "/usr/local/bin/xmlsec1",
+        "delete_tmpfiles": True,
         "metadata": {
             "local": ["edugain.xml"],
         },
@@ -318,6 +319,17 @@ Example::
 
     "xmlsec_binary": "/usr/local/bin/xmlsec1",
 
+delete_tmpfiles
+^^^^^^^^^^^^^^^
+
+In many cases temporary files will have to be created during the
+encryption/decryption/signing/validation process.
+This option defines whether these temporary files will be automatically deleted when
+they are no longer needed. Setting this to False, will keep these files until they are
+manually deleted or automatically deleted by the OS (i.e Linux rules for /tmp).
+Absence of this option, defaults to True.
+
+
 valid_for
 ^^^^^^^^^
 
@@ -832,6 +844,7 @@ We start with a simple but fairly complete Service provider configuration::
         "key_file" : "./mykey.pem",
         "cert_file" : "./mycert.pem",
         "xmlsec_binary" : "/usr/local/bin/xmlsec1",
+        "delete_tmpfiles": True,
         "attribute_map_dir": "./attributemaps",
         "metadata": {
             "local": ["idp.xml"]
@@ -880,6 +893,7 @@ A slightly more complex configuration::
         "key_file" : "./mykey.pem",
         "cert_file" : "./mycert.pem",
         "xmlsec_binary" : "/usr/local/bin/xmlsec1",
+        "delete_tmpfiles": True,
         "metadata" : {
             "local": ["example.xml"],
             "remote": [{

src/saml2/config.py

@@ -69,6 +69,7 @@
     "allow_unknown_attributes",
     "crypto_backend",
     "id_attr_name",
+    "delete_tmpfiles",
 ]
 
 SP_ARGS = [
@@ -243,6 +244,7 @@ def __init__(self, homedir="."):
         self.attribute = []
         self.attribute_profile = []
         self.requested_attribute_name_format = NAME_FORMAT_URI
+        self.delete_tmpfiles = True
 
     def setattr(self, context, attr, val):
         if context == "":
@@ -358,6 +360,12 @@ def load(self, cnf, metadata_construction=False):
             except TypeError:  # Something that can't be a string
                 setattr(self, arg, cnf[arg])
 
+        if not self.delete_tmpfiles:
+            logger.warning(
+                "delete_tmpfiles is set to False; "
+                "temporary files will not be deleted."
+            )
+
         if "service" in cnf:
             for typ in ["aa", "idp", "sp", "pdp", "aq"]:
                 try:

src/saml2/entity.py

@@ -144,8 +144,8 @@ def __init__(self, entity_type, config=None, config_file="",
             if _val.startswith("http"):
                 r = requests.request("GET", _val)
                 if r.status_code == 200:
-                    _, filename = make_temp(r.text, ".pem", False)
-                    setattr(self.config, item, filename)
+                    tmp = make_temp(r.text, ".pem", False, self.config.delete_tmpfiles)
+                    setattr(self.config, item, tmp.name)
                 else:
                     raise Exception(
                         "Could not fetch certificate from %s" % _val)
@@ -560,8 +560,10 @@ def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response,
                     _cert = "%s%s" % (begin_cert, _cert)
                 if end_cert not in _cert:
                     _cert = "%s%s" % (_cert, end_cert)
-                _, cert_file = make_temp(_cert.encode('ascii'), decode=False)
-                response = self.sec.encrypt_assertion(response, cert_file,
+                tmp = make_temp(_cert.encode('ascii'),
+                                decode=False,
+                                delete_tmpfiles=self.config.delete_tmpfiles)
+                response = self.sec.encrypt_assertion(response, tmp.name,
                                                       pre_encryption_part(),
                                                       node_xpath=node_xpath)
                 return response