habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/saml: fix incorrect ds:Reference URI (cherry-pick #11699) (#11701)

Browse Source 
providers/saml: fix incorrect ds:Reference URI (#11699)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
This commit is contained in:
gcp-cherry-pick-bot[bot]
2024-10-16 17:18:35 +02:00
committed by GitHub
parent 1e279950f1
commit 25b4306693
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
authentik/providers/saml/processors/assertion.py
View File

@ -50,6 +50,7 @@ class AssertionProcessor:
_issue_instant: str _issue_instant: str
_assertion_id: str _assertion_id: str
_response_id: str
_valid_not_before: str _valid_not_before: str
_session_not_on_or_after: str _session_not_on_or_after: str
@ -62,6 +63,7 @@ class AssertionProcessor:
self._issue_instant = get_time_string() self._issue_instant = get_time_string()
self._assertion_id = get_random_id() self._assertion_id = get_random_id()
self._response_id = get_random_id()
self._valid_not_before = get_time_string( self._valid_not_before = get_time_string(
timedelta_from_string(self.provider.assertion_valid_not_before) timedelta_from_string(self.provider.assertion_valid_not_before)
@ -130,7 +132,9 @@ class AssertionProcessor:
"""Generate AuthnStatement with AuthnContext and ContextClassRef Elements.""" """Generate AuthnStatement with AuthnContext and ContextClassRef Elements."""
auth_n_statement = Element(f"{{{NS_SAML_ASSERTION}}}AuthnStatement") auth_n_statement = Element(f"{{{NS_SAML_ASSERTION}}}AuthnStatement")
auth_n_statement.attrib["AuthnInstant"] = self._valid_not_before auth_n_statement.attrib["AuthnInstant"] = self._valid_not_before
auth_n_statement.attrib["SessionIndex"] = self._assertion_id auth_n_statement.attrib["SessionIndex"] = sha256(
self.http_request.session.session_key.encode("ascii")
).hexdigest()
auth_n_statement.attrib["SessionNotOnOrAfter"] = self._session_not_on_or_after auth_n_statement.attrib["SessionNotOnOrAfter"] = self._session_not_on_or_after
auth_n_context = SubElement(auth_n_statement, f"{{{NS_SAML_ASSERTION}}}AuthnContext") auth_n_context = SubElement(auth_n_statement, f"{{{NS_SAML_ASSERTION}}}AuthnContext")
@ -285,7 +289,7 @@ class AssertionProcessor:
response.attrib["Version"] = "2.0" response.attrib["Version"] = "2.0"
response.attrib["IssueInstant"] = self._issue_instant response.attrib["IssueInstant"] = self._issue_instant
response.attrib["Destination"] = self.provider.acs_url response.attrib["Destination"] = self.provider.acs_url
response.attrib["ID"] = get_random_id() response.attrib["ID"] = self._response_id
if self.auth_n_request.id: if self.auth_n_request.id:
response.attrib["InResponseTo"] = self.auth_n_request.id response.attrib["InResponseTo"] = self.auth_n_request.id
@ -308,7 +312,7 @@ class AssertionProcessor:
ref = xmlsec.template.add_reference( ref = xmlsec.template.add_reference(
signature_node, signature_node,
digest_algorithm_transform, digest_algorithm_transform,
uri="#" + self._assertion_id, uri="#" + element.attrib["ID"],
) )
xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped) xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped)
xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N) xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N)

4
authentik/providers/saml/tests/test_auth_n_request.py
View File

@ -180,6 +180,10 @@ class TestAuthNRequest(TestCase):
# Now create a response and convert it to string (provider) # Now create a response and convert it to string (provider)
response_proc = AssertionProcessor(self.provider, http_request, parsed_request) response_proc = AssertionProcessor(self.provider, http_request, parsed_request)
response = response_proc.build_response() response = response_proc.build_response()
# Ensure both response and assertion ID are in the response twice (once as ID attribute,
# once as ds:Reference URI)
self.assertEqual(response.count(response_proc._assertion_id), 2)
self.assertEqual(response.count(response_proc._response_id), 2)
# Now parse the response (source) # Now parse the response (source)
http_request.POST = QueryDict(mutable=True) http_request.POST = QueryDict(mutable=True)