sources/saml: fix SAMLRequest not being encoded properly for Redirect bindings

2020-06-24 13:12:34 +02:00 · 2020-06-24 13:12:34 +02:00 · c0d8aa2303
parent db6cb5ad51
commit c0d8aa2303
3 changed files with 10 additions and 8 deletions
--- a/passbook/providers/saml/utils/encoding.py
+++ b/passbook/providers/saml/utils/encoding.py
@ -20,5 +20,5 @@ def deflate_and_base64_encode(inflated: bytes, encoding="utf-8"):


 def nice64(src):
-    """ Returns src base64-encoded and formatted nicely for our XML. """
+    """Returns src base64-encoded and formatted nicely for our XML. """
    return base64.b64encode(src).decode("utf-8").replace("\n", "")
--- a/passbook/sources/saml/templates/saml/sp/login.html
+++ b/passbook/sources/saml/templates/saml/sp/login.html
@ -14,7 +14,7 @@
 <form method="POST" action="{{ request_url }}">
    {% csrf_token %}
    <input type="hidden" name="SAMLRequest" value="{{ request }}" />
-    <input type="hidden" name="RelayState" value="{{ token }}" />
+    <input type="hidden" name="RelayState" value="{{ relay_state }}" />
    <div class="login-group">
        <h3>
            {% blocktrans with remote=source.name %}
--- a/passbook/sources/saml/views.py
+++ b/passbook/sources/saml/views.py
@ -11,7 +11,7 @@ from signxml.util import strip_pem_header

 from passbook.lib.views import bad_request_message
 from passbook.providers.saml.utils import get_random_id, render_xml
-from passbook.providers.saml.utils.encoding import nice64
+from passbook.providers.saml.utils.encoding import deflate_and_base64_encode, nice64
 from passbook.providers.saml.utils.time import get_time_string
 from passbook.sources.saml.exceptions import (
    MissingSAMLResponse,
@ -31,8 +31,8 @@ class InitiateView(View):
        source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
        if not source.enabled:
            raise Http404
-        sso_destination = request.GET.get("next", None)
-        request.session["sso_destination"] = sso_destination
+        relay_state = request.GET.get("next", None)
+        request.session["sso_destination"] = relay_state
        parameters = {
            "ACS_URL": build_full_url("acs", request, source),
            "DESTINATION": source.idp_url,
@ -41,17 +41,19 @@ class InitiateView(View):
            "ISSUER": get_issuer(request, source),
        }
        authn_req = get_authnrequest_xml(parameters, signed=False)
-        _request = nice64(str.encode(authn_req))
        if source.binding_type == SAMLBindingTypes.Redirect:
-            return redirect(source.idp_url + "?" + urlencode({"SAMLRequest": _request}))
+            _request = deflate_and_base64_encode(authn_req.encode())
+            url_args = urlencode({"SAMLRequest": _request, "RelayState": relay_state})
+            return redirect(f"{source.idp_url}?{url_args}")
        if source.binding_type == SAMLBindingTypes.POST:
+            _request = nice64(authn_req.encode())
            return render(
                request,
                "saml/sp/login.html",
                {
                    "request_url": source.idp_url,
                    "request": _request,
-                    "token": sso_destination,
+                    "relay_state": relay_state,
                    "source": source,
                },
            )