providers/saml: optionally verify SAML Signature

2020-05-06 18:03:12 +02:00
parent 75bb59a22a
commit fff05e35ac
5 changed files with 63 additions and 1 deletions
--- a/passbook/providers/saml/processors/base.py
+++ b/passbook/providers/saml/processors/base.py
@ -1,8 +1,10 @@
 """Basic SAML Processor"""
 from typing import TYPE_CHECKING, Dict, List, Union

+from cryptography.exceptions import InvalidSignature
 from defusedxml import ElementTree
 from django.http import HttpRequest
+from signxml import XMLVerifier
 from structlog import get_logger

 from passbook.core.exceptions import PropertyMappingExpressionException
@ -146,6 +148,15 @@ class Processor:
        """Parses various parameters from _request_xml into _request_params."""
        decoded_xml = decode_base64_and_inflate(self._saml_request)

+        if self._remote.require_signing and self._remote.signing_kp:
+            self._logger.debug("Verifying Request signature")
+            try:
+                XMLVerifier().verify(
+                    decoded_xml, x509_cert=self._remote.signing_kp.certificate_data
+                )
+            except InvalidSignature as exc:
+                raise CannotHandleAssertion("Failed to verify signature") from exc
+
        root = ElementTree.fromstring(decoded_xml)

        params = {}