fix CSRF Bug in SAML
parent
436070f5bd
commit
48055d1cfd
|
@ -5,6 +5,8 @@ from django.contrib.auth import logout
|
||||||
from django.contrib.auth.mixins import LoginRequiredMixin
|
from django.contrib.auth.mixins import LoginRequiredMixin
|
||||||
from django.core.exceptions import ValidationError
|
from django.core.exceptions import ValidationError
|
||||||
from django.core.validators import URLValidator
|
from django.core.validators import URLValidator
|
||||||
|
from django.utils.decorators import method_decorator
|
||||||
|
from django.views.decorators.csrf import csrf_exempt
|
||||||
from django.http import HttpResponse, HttpResponseBadRequest
|
from django.http import HttpResponse, HttpResponseBadRequest
|
||||||
from django.shortcuts import get_object_or_404, redirect, render, reverse
|
from django.shortcuts import get_object_or_404, redirect, render, reverse
|
||||||
from django.utils.datastructures import MultiValueDictKeyError
|
from django.utils.datastructures import MultiValueDictKeyError
|
||||||
|
@ -54,10 +56,11 @@ class ProviderMixin:
|
||||||
return self._provider
|
return self._provider
|
||||||
|
|
||||||
|
|
||||||
class LoginBeginView(CSRFExemptMixin, View):
|
class LoginBeginView(View):
|
||||||
"""Receives a SAML 2.0 AuthnRequest from a Service Provider and
|
"""Receives a SAML 2.0 AuthnRequest from a Service Provider and
|
||||||
stores it in the session prior to enforcing login."""
|
stores it in the session prior to enforcing login."""
|
||||||
|
|
||||||
|
@method_decorator(csrf_exempt)
|
||||||
def dispatch(self, request, application):
|
def dispatch(self, request, application):
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
source = request.POST
|
source = request.POST
|
||||||
|
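Review bot: `@method_decorator(csrf_exempt)` on `dispatch` switches off Django's CSRF protection for every request LoginBeginView handles, and nothing in the hunk records why that is acceptable or what replaces the check, so the exemption reads as a blanket waiver rather than a deliberate one for the SAML HTTP-POST binding. The exemption is presumably needed because the Service Provider posts the AuthnRequest cross-origin and cannot carry a Django token, but that only makes it safe if the request is authenticated some other way (issuer and signature validation) before anything taken from it is trusted — I cannot see such a check in this hunk. I would add a comment directly above the decorator: `# CSRF-exempt on purpose: the SP POSTs the AuthnRequest cross-origin, so no Django CSRF token can be present; the request must be validated as a SAML request downstream rather than trusted here.` The body of dispatch continues past the end of the hunk.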
@ -71,9 +74,9 @@ class LoginBeginView(CSRFExemptMixin, View):
|
||||||
return HttpResponseBadRequest('the SAML request payload is missing')
|
return HttpResponseBadRequest('the SAML request payload is missing')
|
||||||
|
|
||||||
request.session['RelayState'] = source.get('RelayState', '')
|
request.session['RelayState'] = source.get('RelayState', '')
|
||||||
return redirect(reverse('passbook_saml_idp:saml_login_process'), kwargs={
|
return redirect(reverse('passbook_saml_idp:saml_login_process', kwargs={
|
||||||
'application': application
|
'application': application
|
||||||
})
|
}))
|
||||||
|
|
||||||
|
|
||||||
class RedirectToSPView(View):
|
class RedirectToSPView(View):
|
||||||
|
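Review bot: `request.session['RelayState'] = source.get('RelayState', '')` stores a caller-supplied value into the session with no validation, on an endpoint that (per the previous hunk) is CSRF-exempt and reached before login, so a cross-site POST can plant an arbitrary RelayState in a victim's session, which is presumably echoed back to the SP later. SAML 2.0 bindings cap RelayState at 80 bytes and require the IdP to pass it through opaquely, so a cheap bound is reasonable here: `relay_state = source.get('RelayState', '')`, `if len(relay_state) > 80: return HttpResponseBadRequest('RelayState too long')`, then `request.session['RelayState'] = relay_state`. Whether the SAMLRequest itself is verified before this point is not visible in the hunk; if it is not, the session write should move after that verification. The enclosing dispatch starts outside the hunk.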
@ -99,7 +102,7 @@ class LoginProcessView(ProviderMixin, View):
|
||||||
# Check if user has access
|
# Check if user has access
|
||||||
access = True
|
access = True
|
||||||
# TODO: Check access here
|
# TODO: Check access here
|
||||||
if self.provider.skip_authorization and access:
|
if self.provider.application.skip_authorization and access:
|
||||||
ctx = self.provider.processor.generate_response()
|
ctx = self.provider.processor.generate_response()
|
||||||
# TODO: AuditLog Skipped Authz
|
# TODO: AuditLog Skipped Authz
|
||||||
return RedirectToSPView.as_view()(
|
return RedirectToSPView.as_view()(
|
||||||
|
|
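Review bot: `access` is still the hard-coded `True` left by the `# TODO: Check access here` placeholder, so after this change `self.provider.application.skip_authorization` is the only condition gating `generate_response()` — any logged-in user reaching this view gets an assertion for an application that skips authorization, and the commit does not narrow that. Until the access check exists the placeholder should fail closed rather than open, e.g. `access = False  # TODO: Check access here; deny until implemented`, provided the non-skip path outside the hunk still gives the user an explicit route through; at minimum the TODO should state that the current value grants access to everyone. The `# TODO: AuditLog Skipped Authz` on the same path marks a missing audit record, and which user was issued an assertion without an authorization step is exactly what an incident responder will ask for. The enclosing method of LoginProcessView starts and ends outside the hunk.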