providers/saml: disallow idp-initiated SSO by default and validate Request ID

2020-09-12 00:53:38 +02:00
parent c2ebaa7f64
commit ca0ba85023
10 changed files with 138 additions and 47 deletions
--- a/passbook/providers/saml/tests/test_auth_n_request.py
+++ b/passbook/providers/saml/tests/test_auth_n_request.py
@ -1,13 +1,22 @@
 """Test AuthN Request generator and parser"""
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.http.request import QueryDict
 from django.test import RequestFactory, TestCase
+from guardian.utils import get_anonymous_user

 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
 from passbook.providers.saml.models import SAMLProvider
+from passbook.providers.saml.processors.assertion import AssertionProcessor
 from passbook.providers.saml.processors.request_parser import AuthNRequestParser
 from passbook.providers.saml.utils.encoding import deflate_and_base64_encode
+from passbook.sources.saml.exceptions import MismatchedRequestID
 from passbook.sources.saml.models import SAMLSource
-from passbook.sources.saml.processors.request import RequestProcessor
+from passbook.sources.saml.processors.request import (
+    SESSION_REQUEST_ID,
+    RequestProcessor,
+)
+from passbook.sources.saml.processors.response import ResponseProcessor


 class TestAuthNRequest(TestCase):
@ -31,6 +40,11 @@ class TestAuthNRequest(TestCase):
    def test_signed_valid(self):
        """Test generated AuthNRequest with valid signature"""
        http_request = self.factory.get("/")
+
+        middleware = SessionMiddleware()
+        middleware.process_request(http_request)
+        http_request.session.save()
+
        # First create an AuthNRequest
        request_proc = RequestProcessor(self.source, http_request, "test_state")
        request = request_proc.build_auth_n()
@ -44,6 +58,11 @@ class TestAuthNRequest(TestCase):
    def test_signed_valid_detached(self):
        """Test generated AuthNRequest with valid signature (detached)"""
        http_request = self.factory.get("/")
+
+        middleware = SessionMiddleware()
+        middleware.process_request(http_request)
+        http_request.session.save()
+
        # First create an AuthNRequest
        request_proc = RequestProcessor(self.source, http_request, "test_state")
        params = request_proc.build_auth_n_detached()
@ -53,3 +72,37 @@ class TestAuthNRequest(TestCase):
        )
        self.assertEqual(parsed_request.id, request_proc.request_id)
        self.assertEqual(parsed_request.relay_state, "test_state")
+
+    def test_request_id_invalid(self):
+        """Test generated AuthNRequest with invalid request ID"""
+        http_request = self.factory.get("/")
+        http_request.user = get_anonymous_user()
+
+        middleware = SessionMiddleware()
+        middleware.process_request(http_request)
+        http_request.session.save()
+
+        # First create an AuthNRequest
+        request_proc = RequestProcessor(self.source, http_request, "test_state")
+        request = request_proc.build_auth_n()
+
+        # change the request ID
+        http_request.session[SESSION_REQUEST_ID] = "test"
+        http_request.session.save()
+
+        # To get an assertion we need a parsed request (parsed by provider)
+        parsed_request = AuthNRequestParser(self.provider).parse(
+            deflate_and_base64_encode(request), "test_state"
+        )
+        # Now create a response and convert it to string (provider)
+        response_proc = AssertionProcessor(self.provider, http_request, parsed_request)
+        response = response_proc.build_response()
+
+        # Now parse the response (source)
+        http_request.POST = QueryDict(mutable=True)
+        http_request.POST["SAMLResponse"] = deflate_and_base64_encode(response)
+
+        response_parser = ResponseProcessor(self.source)
+
+        with self.assertRaises(MismatchedRequestID):
+            response_parser.parse(http_request)