feat: add support to read cert and keys from files

Resolves RobotsAndPencils#6.

Signed-off-by: Ranadeep Polavarapu <[email protected]>

examples/certs/idp.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0EOsaFAUiVn41jrDUtBzDlpPiZCqXsAHjaroLjGS2mOgcKs6
+3eISdcRZMy0k4prk80Qi9LQ73dEZDrBJepeotT9ZifO8goRZ2omqUjoghdkcGXCC
+56jQWk5dBi10AtGtg7LyGncE3KS2OHqWLwz28lnCE2hj1oROuZ1VGgzJSPrGaI9Q
+MlaC6PK/r2xTS3GaGVoAOZ9eMjYM3bgEpmGNWuHHK5Tlsi89vaOynUVe4GcMRa7u
+RhF52E0HskLsNBu1Dsm41GOw8/WG7is/jmjyN8ZZ74l51EqZ7jhPSHxgTjhisvOa
+C49pmlXZ30/+SPJa2gXcf7JlRv93eCoR/mwiTQIDAQABAoIBAQDCoNu4SE5I5fo0
+SopLFF7R5Pg7uSRek9r7O+LreIyi50QCxyKmRSW3RR2PQ/sagmLALMb2JJFmBIkE
+Px8MIDsb1u4Yi915o7JNFyZC3euS6ojmBU1wrUS5gE5S/ZtTHxym3U6ACQZUJOHd
++kHsCpOlfNhwRrg2u0LPGAd15skdFv8cHRRJWTiuQH8rGtqOujKkzVaM1s1OzT+9
+7ef9qbMJ36CVmNhT00AejFHfICA8SKizFoi3ckfDYRAT4XiuTwQSQHN4suBteZMA
+PRBPrnF7KlTu+1UD4YcFPwa4tEAa3dyHINmZRwxphtUYw91DYA16FlwYn95Yr/Kp
+/NyQBh/BAoGBAO3tPg1CyMI0wLKhbM1hVkjZ9qp/IkxJzGHPW7RKq5tNrfs3kqWD
+Bv4xqKRxKZhJAVocTpKpDsGrOGRfsGnu19M8ca8dsutn49HqqViePFEnr/4TbXjj
+IiyzqcXM8Z7rRbGUsBDS6Hs9CzupS3UW4Qat9pje2QT/si6AQde9Q0lJAoGBAOAV
+nLb3jliefR2M0tER+JofoSZAuTNsdfJEiHqLEeQo1BWQVo8UneliR9AJaEL3Or1S
+qxYYCV5k3rhReH/Y38obsKKxHxlCj+MI6FTh2dij1GIoVRE0ef9FHWvy48qgsXA3
+rhPme0lITaiJdeTL2yvAkibVUsN/cdHb9mlmUvTlAoGAN64CjIXph5Fi2yrt1G6I
+C8p+cE4KT8Ihg25Mbrfeyxx1r8nEltlABLLIXZth+ZJ0L4taU/YeTvJr4wmFtnS/
+q16E2E9h9Lc+WHzLHsMBKJjaFeKkBttYvw9YlsKsdN1oVPOP9I/2+ghCHbczwnYV
+OUPy5rmYHhRctYcsYXmYSokCgYBvyZhSlpEGmJomAbix39s7WAgWgzdg9fypDZNg
+PryAK/YRg94KpuhYI1Vb7TV8IsXE6Na8wOT7mCqbnNkWPmT1+HZX0zCGc3RAeJMe
+tUTuFFzBUwmM+bbap+oTjiohTaT3LG/FMbfTSSSkrV6I80G1Q+4lPUp6iLuJS8hT
+sF42GQKBgQDl10lGbzefFSx/97GbLpZk0BEV7CRUDEEy9tWcmVfINkJ+YtZOT1os
+P5aHDmT/n+4yKVNM4ZPJ1sEcByWpIy85UqBHH0wTnkRoM45AV1gXn29gnylCBhMp
+YrFioyChfIcY2+K/h8c+VwCY+uYyJfmrVQFJo6aKbwvKh4x2sBsRPg==
+-----END RSA PRIVATE KEY-----

examples/certs/idp.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUCnWJffzG7ehWg5DLtwYvhTR9oTIwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVaWRlbnRpdHktcHJvdmlkZXIuY29tMB4XDTIwMDkxNzIz
+NDQwNVoXDTIxMDkxNzIzNDQwNVowIDEeMBwGA1UEAwwVaWRlbnRpdHktcHJvdmlk
+ZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0EOsaFAUiVn4
+1jrDUtBzDlpPiZCqXsAHjaroLjGS2mOgcKs63eISdcRZMy0k4prk80Qi9LQ73dEZ
+DrBJepeotT9ZifO8goRZ2omqUjoghdkcGXCC56jQWk5dBi10AtGtg7LyGncE3KS2
+OHqWLwz28lnCE2hj1oROuZ1VGgzJSPrGaI9QMlaC6PK/r2xTS3GaGVoAOZ9eMjYM
+3bgEpmGNWuHHK5Tlsi89vaOynUVe4GcMRa7uRhF52E0HskLsNBu1Dsm41GOw8/WG
+7is/jmjyN8ZZ74l51EqZ7jhPSHxgTjhisvOaC49pmlXZ30/+SPJa2gXcf7JlRv93
+eCoR/mwiTQIDAQABo1MwUTAdBgNVHQ4EFgQU7XI0rfRcWI9//x28oHcfpTHXLzMw
+HwYDVR0jBBgwFoAU7XI0rfRcWI9//x28oHcfpTHXLzMwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEATIfDtbTeRRCJNTvlbH9dQPk9W/UNCHoVWfF/
+lYhvQmUkkvXA/xoALOQqPH6xjrb9/jMnq89FsM7p7wPph+dnCEp1b3+ZQ5BFepYX
+PNDTT2u08EN20b6QDb+EWDiFx3vMDRPvwByGAWHwbORF/AR3JwaUF7ElcWN48+pt
+qEGBV9MmR6mM4icRTwOVWcSlE4D1OHPvjBcfFzrAg1KS/J4r7+vWbCAdtKLe2bKm
+WklVrOJ3OhOeY5SFefaZ969uFPHhK7C0ntUNhJjm5losUrFPczG6twLvZdmrbcya
+v3xrxdzGxa0jAQysOzB+CMsjYWjWAZA8wOtd/pDQ/K2n6+7ABA==
+-----END CERTIFICATE-----

examples/certs/sp.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEdTCCA12gAwIBAgIOAW1mLqPmAAAAAC+KcbswDQYJKoZIhvcNAQELBQAwfzEX
+MBUGA1UEAwwOZGV2Y2VydGlmaWNhdGUxGDAWBgNVBAsMDzAwRDdGMDAwMDA0Qnlz
+YzEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lz
+Y28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTkwOTI1MDIwOTU1WhcN
+MjAwOTI1MDAwMDAwWjB/MRcwFQYDVQQDDA5kZXZjZXJ0aWZpY2F0ZTEYMBYGA1UE
+CwwPMDBEN0YwMDAwMDRCeXNjMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQG
+A1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9HcJmAFUAjQaY4WiIVMcIX
+v5vRJ+jefBUwVtU4qBD5FGqO33F7dLGcdvQcJwnMVFIXG+PJ67XkwApXOs5e6ViG
+xWmKa40kMYnzYKH/q47VIf+3mTxIpAr37AYkBzHhcSTnjOXpmgfLe7eaYVXYQKCL
+rO+ilSF7T3+pC8vUcgSFRokhJ9V5bUOf2EqEl89AGHCddzNa49u2a5xTl2i0+4FS
+V+r4H/naDZpTaTwEPmZ5xHHLn74znyqYb776Tmxo57HVG8jyeKvjHhoaaFBb+RQK
+kOj8JcvnNnT4Hd6iYQxZ3or58iC0nPnSjVrCYiYTOZSElEZ2C5esHKB50uGTZ1kC
+AwEAAaOB7jCB6zAdBgNVHQ4EFgQUtEZepqOQLwHToZGuf/WuRrRBvjowDwYDVR0T
+AQH/BAUwAwEB/zCBuAYDVR0jBIGwMIGtgBS0Rl6mo5AvAdOhka5/9a5GtEG+OqGB
+hKSBgTB/MRcwFQYDVQQDDA5kZXZjZXJ0aWZpY2F0ZTEYMBYGA1UECwwPMDBEN0Yw
+MDAwMDRCeXNjMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQYIOAW1mLqPmAAAA
+AC+KcbswDQYJKoZIhvcNAQELBQADggEBACsiskSO0vNW2peA4h1IXZlbnLCmc8jO
+qbh5bAAG+Vak9lWk24oa2KEco7fX2M/9N259Z3GJVcsULXMpYYgMECXKVzxb8k6v
++wcr9vCqA+FVId6qle6qy2zXHsO40NgG5DJ2catvDH19YWEJcnzNqbXoNOqZgGE/
+EKv76hpQVH+35aRPBFC6AKU/4Ix4YTIqpntyRc15vdtlKSAPLGxXRSL+m3KDMCMR
+qFyauy7mI6RmOyJvY7cgICNmPWLGcjb6YiVS9eEjRZhF17X8PeFb0/5cIC776vwr
+Z9LcnL+ebNUyc8yS7JkYMjSihyB4POHSzCdZviyJqtCoOMD+9GraRDo=
+-----END CERTIFICATE-----

idp.go

@@ -66,9 +66,21 @@ func (idp *IdentityProvider) NewSignedLogoutResponse() (string, error) {
 }
 
 func (idp *IdentityProvider) MetaDataResponse() (string, error) {
+	var idpCert string
+	if idp.IDPCertFilePath != "" {
+		// IDP Cert is provided by file path.
+		buf, err := ioutil.ReadFile(idp.IDPCertFilePath)
+		if err != nil {
+			return "", errors.New("SAML Configuration: IDP Certificate file could not be read")
+		}
+		idpCert = util.GetRawCertificate(string(buf))
+	} else {
+		idpCert = util.GetRawCertificate(idp.IDPCert)
+	}
+
 	metadata := lib.GetIdpEntityDescriptor()
 	metadata.EntityId = idp.Issuer
-	metadata.IDPSSODescriptor.SigningKeyDescriptor.KeyInfo.X509Data.X509Certificate.Cert = util.GetRawCertificate(idp.IDPCert)
+	metadata.IDPSSODescriptor.SigningKeyDescriptor.KeyInfo.X509Data.X509Certificate.Cert = idpCert
 	if len(idp.SingleSignOnService) > 0 {
 		for i := 0; i < len(idp.SingleSignOnService); i++ {
 			metadata.IDPSSODescriptor.SingleSignOnService = append(metadata.IDPSSODescriptor.SingleSignOnService, lib.SingleSignOnService{
@@ -175,24 +187,50 @@ func (idp *IdentityProvider) ResponseHtml(signedXML string, requestType string)
 }
 
 func (idp *IdentityProvider) validateIDPX509Certificate() error {
-	if idp.IDPCert == "" {
+	if idp.IDPCert == "" && idp.IDPCertFilePath == "" {
 		return errors.New("SAML Configuration: IDP Certificate is empty")
 	}
-	err := util.ValidateCertificatePem(idp.IDPCert)
-	if err != nil {
-		return err
+
+	if idp.IDPCertFilePath != "" {
+		// IDP Cert is provided by file path.
+		buf, err := ioutil.ReadFile(idp.IDPCertFilePath)
+		if err != nil {
+			return errors.New("SAML Configuration: IDP Certificate file could not be read")
+		}
+		if err := util.ValidateCertificatePem(string(buf)); err != nil {
+			return err
+		}
+	} else {
+		// IDP Cert is provided by string.
+		if err := util.ValidateCertificatePem(idp.IDPCert); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }
 
 func (idp *IdentityProvider) validateSPX509Certificate() error {
-	if idp.SPCert == "" {
+	if idp.SPCert == "" && idp.SPCertFilePath == "" {
 		return errors.New("SAML Configuration: SP Certificate is empty")
 	}
-	err := util.ValidateCertificatePem(idp.SPCert)
-	if err != nil {
-		return err
+
+	if idp.SPCertFilePath != "" {
+		// SP Cert is provided by file path.
+		buf, err := ioutil.ReadFile(idp.SPCertFilePath)
+		if err != nil {
+			return errors.New("SAML Configuration: SP Certificate file could not be read")
+		}
+		if err := util.ValidateCertificatePem(string(buf)); err != nil {
+			return err
+		}
+	} else {
+		// SP Cert is provided by string.
+		if err := util.ValidateCertificatePem(idp.SPCert); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }
 
@@ -201,7 +239,18 @@ func (idp *IdentityProvider) rawIdpX509Certificate() error {
 	if err != nil {
 		return err
 	}
-	idp.x509IdpCertificate = util.GetRawCertificate(idp.IDPCert)
+
+	if idp.IDPCertFilePath != "" {
+		// IDP Cert is provided by file path.
+		buf, err := ioutil.ReadFile(idp.IDPCertFilePath)
+		if err != nil {
+			return errors.New("SAML Configuration: IDP Certificate file could not be read")
+		}
+		idp.x509IdpCertificate = util.GetRawCertificate(string(buf))
+	} else {
+		idp.x509IdpCertificate = util.GetRawCertificate(idp.IDPCert)
+	}
+
 	return nil
 }
 
@@ -210,7 +259,18 @@ func (idp *IdentityProvider) rawSPX509Certificate() error {
 	if err != nil {
 		return err
 	}
-	idp.x509SpCertificate = util.GetRawCertificate(idp.SPCert)
+
+	if idp.SPCertFilePath != "" {
+		// SP Cert is provided by file path.
+		buf, err := ioutil.ReadFile(idp.SPCertFilePath)
+		if err != nil {
+			return errors.New("SAML Configuration: SP Certificate file could not be read")
+		}
+		idp.x509SpCertificate = util.GetRawCertificate(string(buf))
+	} else {
+		idp.x509SpCertificate = util.GetRawCertificate(idp.SPCert)
+	}
+
 	return nil
 }
 
@@ -233,14 +293,30 @@ func (idp *IdentityProvider) parseSpX509Certificate() error {
 }
 
 func (idp *IdentityProvider) parsePrivateKey() error {
-	if idp.IDPKey == "" {
+	if idp.IDPKey == "" && idp.IDPKeyFilePath == "" {
 		return errors.New("SAML Configuration: IDP Private Key is empty")
 	}
-	privateKey, err := util.ParseRsaPrivateKeyPem(idp.IDPKey)
-	if err != nil {
-		return err
+
+	if idp.IDPKeyFilePath != "" {
+		// IDP Private Key is provided by file path.
+		buf, err := ioutil.ReadFile(idp.IDPKeyFilePath)
+		if err != nil {
+			return errors.New("SAML Configuration: IDP Private Key file could not be read")
+		}
+		privateKey, err := util.ParseRsaPrivateKeyPem(string(buf))
+		if err != nil {
+			return err
+		}
+		idp.idpPrivateKey = privateKey
+	} else {
+		// IDP Private Key is provided by string.
+		privateKey, err := util.ParseRsaPrivateKeyPem(idp.IDPKey)
+		if err != nil {
+			return err
+		}
+		idp.idpPrivateKey = privateKey
 	}
-	idp.idpPrivateKey = privateKey
+
 	return nil
 }
 

saml.go

@@ -22,6 +22,9 @@ type IdentityProvider struct {
 	IDPCert              string
 	IDPKey               string
 	SPCert               string
+	IDPCertFilePath      string
+	IDPKeyFilePath       string
+	SPCertFilePath       string
 	Attributes           []map[string]string
 	SignatureAlgorithm   string
 	SignaturePrefix      string