Merge remote-tracking branch 'upstream/master' into liquidpele-patch-2

Conflicts:
	djangosaml2/views.py

Author: Reece

djangosaml2/templates/djangosaml2/permission_denied.html

@@ -12,16 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from defusedxml import ElementTree
 from django.conf import settings
 from saml2.s_utils import UnknownSystemEntity
 
 
 def get_custom_setting(name, default=None):
-    if hasattr(settings, name):
-        return getattr(settings, name)
-    else:
-        return default
+    return getattr(settings, name, default)
 
 
 def available_idps(config, langpref=None):
@@ -66,21 +62,3 @@ def get_location(http_info):
     header_name, header_value = headers[0]
     assert header_name == 'Location'
     return header_value
-
-
-def get_hidden_form_inputs(html):
-    """ Extracts name/value pairs from hidden input tags in an html form."""
-    pairs = dict()
-    tree = ElementTree.fromstring(html.replace('&', '&'), forbid_dtd=True)
-    # python 2.6 doesn't have iter
-    if hasattr(tree, 'iter'):
-        node_iter = tree.iter()
-    else:
-        node_iter = tree.getiterator()
-    for node in node_iter:
-        if node.tag == 'input':
-            element = dict(node.items())
-            if element['type'] == 'hidden':
-                pairs[element['name']] = element['value']
-    return pairs
-

djangosaml2/utils.py

@@ -13,14 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 import logging
 
 try:
     from xml.etree import ElementTree
 except ImportError:
     from elementtree import ElementTree
-from defusedxml.common import (DTDForbidden, EntitiesForbidden,
-                               ExternalReferenceForbidden)
 
 from django.conf import settings
 from django.contrib import auth
@@ -50,13 +49,13 @@ def csrf_exempt(view_func):
 from saml2.sigver import MissingKey
 from saml2.s_utils import UnsupportedBinding
 from saml2.response import StatusError
+from saml2.xmldsig import SIG_RSA_SHA1  # support for this is required by spec
 
 from djangosaml2.cache import IdentityCache, OutstandingQueriesCache
 from djangosaml2.cache import StateCache
 from djangosaml2.conf import get_config
 from djangosaml2.signals import post_authenticated
-from djangosaml2.utils import get_custom_setting, available_idps, get_location, \
-    get_hidden_form_inputs, get_idp_sso_supported_bindings
+from djangosaml2.utils import get_custom_setting, available_idps, get_location, get_idp_sso_supported_bindings
 
 
 logger = logging.getLogger('djangosaml2')
@@ -140,25 +139,10 @@ def login(request,
                 'came_from': came_from,
                 })
 
-    # Choose binding (REDIRECT vs. POST).
-    # When authn_requests_signed is turned on, HTTP Redirect binding cannot be
-    # used the same way as without signatures; proper usage in this case involves
-    # stripping out the signature from SAML XML message and creating a new
-    # signature, following precise steps defined in the SAML2.0 standard.
-    #
-    # It is not feasible to implement this since we wouldn't be able to use an
-    # external (xmlsec1) library to handle the signatures - more (higher level)
-    # context is needed in order to create such signature (like the value of
-    # RelayState parameter).
-    #
-    # Therefore it is much easier to use the HTTP POST binding in this case, as
-    # it can relay the whole signed SAML message as is, without the need to
-    # manipulate the signature or the XML message itself.
-    #
-    # Read more in the official SAML2 specs (3.4.4.1):
-    # http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
+    # choose a binding to try first
     sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
     binding = BINDING_HTTP_POST if sign_requests else BINDING_HTTP_REDIRECT
+    logger.debug('Trying binding %s for IDP %s', binding, selected_idp)
 
     # ensure our selected binding is supported by the IDP
     supported_bindings = get_idp_sso_supported_bindings(selected_idp, config=conf)
@@ -169,51 +153,70 @@ def login(request,
             logger.warning('IDP %s does not support %s,  trying %s',
                            selected_idp, binding, BINDING_HTTP_REDIRECT)
             binding = BINDING_HTTP_REDIRECT
-            if sign_requests:
-                sign_requests = False
-                logger.warning('sp_authn_requests_signed is True, but ignoring because pysaml2 does not support it for %s', BINDING_HTTP_REDIRECT)
         else:
+            logger.warning('IDP %s does not support %s,  trying %s',
+                           selected_idp, binding, BINDING_HTTP_POST)
             binding = BINDING_HTTP_POST
         # if switched binding still not supported, give up
         if binding not in supported_bindings:
-            raise UnsupportedBinding('IDP does not support %s or %s',
-                                     BINDING_HTTP_POST, BINDING_HTTP_REDIRECT)
+            raise UnsupportedBinding('IDP %s does not support %s or %s',
+                                     selected_idp, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT)
 
     client = Saml2Client(conf)
-    try:
-        # we use sign kwarg to override in case of redirect binding
-        # otherwise pysaml2 may sign the xml for redirect which is incorrect
-        (session_id, result) = client.prepare_for_authenticate(
-            entityid=selected_idp, relay_state=came_from,
-            binding=binding, sign=sign_requests,
-            )
-    except TypeError as e:
-        logger.error('Unable to know which IdP to use')
-        return HttpResponse(text_type(e))
-        
-    logger.debug('Saving the session_id in the OutstandingQueries cache')
-    oq_cache = OutstandingQueriesCache(request.session)
-    oq_cache.set(session_id, came_from)
+    http_response = None
 
-    logger.debug('Redirecting user to the IdP via %s binding.', binding.split(':')[-1])
+    logger.debug('Redirecting user to the IdP via %s binding.', binding)
     if binding == BINDING_HTTP_REDIRECT:
-        return HttpResponseRedirect(get_location(result))
+        try:
+            # do not sign the xml itself, instead us the sigalg to
+            # generate the signature as a URL param
+            sigalg = SIG_RSA_SHA1 if getattr(conf, '_sp_authn_requests_signed', False) else None
+            session_id, result = client.prepare_for_authenticate(
+                entityid=selected_idp, relay_state=came_from,
+                binding=binding, sign=False, sigalg=sigalg)
+        except TypeError as e:
+            logger.error('Unable to know which IdP to use')
+            return HttpResponse(text_type(e))
+        else:
+            http_response = HttpResponseRedirect(get_location(result))
     elif binding == BINDING_HTTP_POST:
+        # use the html provided by pysaml2 if no template specified
         if not post_binding_form_template:
-            return HttpResponse(result['data'])
-        try:
-            params = get_hidden_form_inputs(result['data'][3])
-            return render(request, post_binding_form_template, {
-                    'target_url': result['url'],
-                    'params': params,
-                    })
-        except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden):
-            raise PermissionDenied
-        except TemplateDoesNotExist:
-            return HttpResponse(result['data'])
+            try:
+                session_id, result = client.prepare_for_authenticate(
+                    entityid=selected_idp, relay_state=came_from,
+                    binding=binding)
+            except TypeError as e:
+                logger.error('Unable to know which IdP to use')
+                return HttpResponse(text_type(e))
+            else:
+                http_response = HttpResponse(result['data'])
+        # get request XML to build our own html based on the template
+        else:
+            try:
+                location = client.sso_location(selected_idp, binding)
+            except TypeError as e:
+                logger.error('Unable to know which IdP to use')
+                return HttpResponse(text_type(e))
+            session_id, request_xml = client.create_authn_request(
+                location,
+                binding=binding)
+            http_response = render(request, post_binding_form_template, {
+                'target_url': location,
+                'params': {
+                    'SAMLRequest': base64.b64encode(request_xml),
+                    'RelayState': came_from,
+                    },
+                })
     else:
         raise UnsupportedBinding('Unsupported binding: %s', binding)
 
+    # success, so save the session ID and return our response
+    logger.debug('Saving the session_id in the OutstandingQueries cache')
+    oq_cache = OutstandingQueriesCache(request.session)
+    oq_cache.set(session_id, came_from)
+    return http_response
+
 
 @require_POST
 @csrf_exempt
@@ -278,7 +281,7 @@ def assertion_consumer_service(request,
                              create_unknown_user=create_unknown_user)
     if user is None:
         logger.error('The user is None')
-        return render(request, 'djangosaml2/permission_denied.html', status=403)
+        raise PermissionDenied
 
     auth.login(request, user)
     _set_subject_id(request.session, session_info['name_id'])

djangosaml2/views.py

@@ -58,7 +58,7 @@ def read(*rnames):
     include_package_data=True,
     zip_safe=False,
     install_requires=[
-        'pysaml2==4.0.5',
+        'pysaml2==4.4.0',
         'defusedxml==0.4.1'
         ],
     )