trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

providers/saml: don't attempt verification of SAML request when no verification certificate is configured

Browse source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-10-18 22:26:01 +02:00
parent ea12715e01
commit 3e1490dcac
1 changed files with 4 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
authentik/providers/saml/processors/request_parser.py
View file

@ -29,9 +29,6 @@ ERROR_CANNOT_DECODE_REQUEST = "Cannot decode SAML request."
ERROR_SIGNATURE_REQUIRED_BUT_ABSENT = ( ERROR_SIGNATURE_REQUIRED_BUT_ABSENT = (
"Verification Certificate configured, but request is not signed." "Verification Certificate configured, but request is not signed."
) )
ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER = (
"Provider does not have a Validation Certificate configured."
)
ERROR_FAILED_TO_VERIFY = "Failed to verify signature" ERROR_FAILED_TO_VERIFY = "Failed to verify signature"
@ -94,22 +91,19 @@ class AuthNRequestParser:
raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST) raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST)
verifier = self.provider.verification_kp verifier = self.provider.verification_kp
if not verifier:
return self._parse_xml(decoded_xml, relay_state)
root = lxml_from_string(decoded_xml) root = lxml_from_string(decoded_xml)
xmlsec.tree.add_ids(root, ["ID"]) xmlsec.tree.add_ids(root, ["ID"])
signature_nodes = root.xpath("/samlp:AuthnRequest/ds:Signature", namespaces=NS_MAP) signature_nodes = root.xpath("/samlp:AuthnRequest/ds:Signature", namespaces=NS_MAP)
# No signatures, no verifier configured -> decode xml directly # No signatures, no verifier configured -> decode xml directly
if len(signature_nodes) < 1: if len(signature_nodes) < 1:
if not verifier:
return self._parse_xml(decoded_xml, relay_state)
raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT) raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)
signature_node = signature_nodes[0] signature_node = signature_nodes[0]
if signature_node is not None: if signature_node is not None:
if not verifier:
raise CannotHandleAssertion(ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER)
try: try:
ctx = xmlsec.SignatureContext() ctx = xmlsec.SignatureContext()
key = xmlsec.Key.from_memory( key = xmlsec.Key.from_memory(
@ -138,14 +132,13 @@ class AuthNRequestParser:
raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST) raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST)
verifier = self.provider.verification_kp verifier = self.provider.verification_kp
if not verifier:
return self._parse_xml(decoded_xml, relay_state)
if verifier and not (signature and sig_alg): if verifier and not (signature and sig_alg):
raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT) raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)
if signature and sig_alg: if signature and sig_alg:
if not verifier:
raise CannotHandleAssertion(ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER)
querystring = f"SAMLRequest={quote_plus(saml_request)}&" querystring = f"SAMLRequest={quote_plus(saml_request)}&"
if relay_state is not None: if relay_state is not None:
querystring += f"RelayState={quote_plus(relay_state)}&" querystring += f"RelayState={quote_plus(relay_state)}&"