sources/saml: improve error handing of invalid signatures

Jens Langhammer 2020-06-23 21:49:27 +02:00
parent 491e507d49
commit 52f138d402
3 changed files with 7 additions and 2 deletions


@ -16,6 +16,7 @@ class SAMLSourceForm(forms.ModelForm):
model = SAMLSource model = SAMLSource
fields = SOURCE_FORM_FIELDS + [ fields = SOURCE_FORM_FIELDS + [
"issuer", "issuer",
"binding_type",
"idp_url", "idp_url",
"idp_logout_url", "idp_logout_url",
"auto_logout", "auto_logout",


@ -68,8 +68,9 @@ class Processor:
<saml:Subject> <saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SPNameQualifier="" SPNameQualifier="">
>email@example.com</saml:NameID> email@example.com
</saml:NameID>
""" """
assertion = self._root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion") assertion = self._root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject") subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject")


@ -6,6 +6,7 @@ from django.utils.decorators import method_decorator
from django.utils.http import urlencode from django.utils.http import urlencode
from django.views import View from django.views import View
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt
from signxml import InvalidSignature
from signxml.util import strip_pem_header from signxml.util import strip_pem_header
from passbook.lib.views import bad_request_message from passbook.lib.views import bad_request_message
@ -71,6 +72,8 @@ class ACSView(View):
processor.parse(request) processor.parse(request)
except MissingSAMLResponse as exc: except MissingSAMLResponse as exc:
return bad_request_message(request, str(exc)) return bad_request_message(request, str(exc))
except InvalidSignature as exc:
return bad_request_message(request, str(exc))
try: try:
return processor.prepare_flow(request) return processor.prepare_flow(request)
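Review bot: The new `except InvalidSignature` branch in ACSView returns `str(exc)` to the requester and, as far as the hunk shows, records nothing on the server side. A rejected signature on a SAML response is worth a warning-level log entry naming the source, and the reply is better as a fixed string such as `bad_request_message(request, "Invalid SAML response signature")`, so the verifier's internal text is not exposed on an endpoint that is marked `csrf_exempt` and takes POSTs from outside. If the two handlers are meant to stay identical, they can be merged into `except (MissingSAMLResponse, InvalidSignature) as exc:`. signxml also defines `InvalidInput`, which derives from `ValueError` rather than `InvalidSignature`; whether `processor.parse` can raise it for malformed input is not visible here, but if it can, it would still escape this handler. The method body starts and ends outside the hunk.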