Merge pull request #95 from JaZo/feature/certificate-and-key-from-env

Allow setting the certificate and key using environment variables

README.md

@@ -56,6 +56,8 @@ Options:
   --certname=<name>  Name of the certificate file [default: cert.pem]
 ```
 
+Optionally, you can set the certificate and key using two environment variables: `SAMLIDP_CERT` and `SAMLIDP_KEY`.
+
 ## Usage
 
 Within your login view, probably `resources/views/auth/login.blade.php` add the SAMLRequest directive beneath the CSRF directive:

config/samlidp.php

@@ -21,9 +21,13 @@
     'logout_after_slo' => env('LOGOUT_AFTER_SLO', false),
     // The URI to the saml metadata file, this describes your idP
     'issuer_uri' => 'saml/metadata',
-    // Name of the certificate PEM file
+    // The certificate
+    'cert' => env('SAMLIDP_CERT'),
+    // Name of the certificate PEM file, ignored if cert is used
     'certname' => 'cert.pem',
-    // Name of the certificate key PEM file
+    // The certificate key
+    'key' => env('SAMLIDP_KEY'),
+    // Name of the certificate key PEM file, ignored if key is used
     'keyname' => 'key.pem',
     // Encrypt requests and responses
     'encrypt_assertion' => true,

src/Http/Controllers/MetadataController.php

@@ -19,7 +19,15 @@ public function index()
             \Barryvdh\Debugbar\Facade::disable();
         }
 
-        $cert = Storage::disk('samlidp')->get(config('samlidp.certname', 'cert.pem'));
+        $cert = config('samlidp.cert') ?: Storage::disk('samlidp')->get(config('samlidp.certname', 'cert.pem'));
+
+        if (strpos($cert, 'file://') === 0) {
+            if (!is_file($cert)) {
+                throw new \InvalidArgumentException(sprintf("File not found '%s'", $cert));
+            }
+            $cert = file_get_contents($cert);
+        }
+
         $cert = preg_replace('/^\W+\w+\s+\w+\W+\s(.*)\s+\W+.*$/s', '$1', trim($cert));
         $cert = str_replace(PHP_EOL, "", $cert);
 

src/LaravelSamlIdpServiceProvider.php

@@ -72,11 +72,6 @@ public function offerPublishing()
             $this->publishes([
                 __DIR__ . '/../config/samlidp.php' => config_path('samlidp.php'),
             ], 'samlidp_config');
-
-            // Create storage/samlidp directory
-            if (!file_exists(storage_path() . "/samlidp")) {
-                mkdir(storage_path() . "/samlidp", 0755, true);
-            }
         }
     }
 

src/Traits/PerformsSingleSignOn.php

@@ -25,9 +25,8 @@ trait PerformsSingleSignOn
     protected function init()
     {
         $this->issuer = url(config('samlidp.issuer_uri'));
-        $this->certificate = (new X509Certificate)->loadPem(Storage::disk('samlidp')->get(config('samlidp.certname', 'cert.pem')));
-        $this->private_key = Storage::disk('samlidp')->get(config('samlidp.keyname', 'key.pem'));
-        $this->private_key = KeyHelper::createPrivateKey($this->private_key, '', false, XMLSecurityKey::RSA_SHA256);
+        $this->certificate = $this->getCertificate();
+        $this->private_key = $this->getKey();
         $this->digest_algorithm = config('samlidp.digest_algorithm', XMLSecurityDSig::SHA1);
     }
 
@@ -63,4 +62,26 @@ public function getServiceProvider($request)
     {
         return base64_encode($request->getAssertionConsumerServiceURL());
     }
+
+    /**
+     * @return \LightSaml\Credential\X509Certificate
+     */
+    protected function getCertificate(): X509Certificate
+    {
+        $certificate = config('samlidp.cert') ?: Storage::disk('samlidp')->get(config('samlidp.certname', 'cert.pem'));
+
+        return (strpos($certificate, 'file://') === 0)
+            ? X509Certificate::fromFile($certificate)
+            : (new X509Certificate)->loadPem($certificate);
+    }
+
+    /**
+     * @return \RobRichards\XMLSecLibs\XMLSecurityKey
+     */
+    protected function getKey(): XMLSecurityKey
+    {
+        $key = config('samlidp.key') ?: Storage::disk('samlidp')->get(config('samlidp.keyname', 'key.pem'));
+
+        return KeyHelper::createPrivateKey($key, '', strpos($key, 'file://') === 0, XMLSecurityKey::RSA_SHA256);
+    }
 }