Merge pull request #107 from francoisfreitag/unsolicited_response

Make replay attacks result in 403

Author: knaperek

CHANGES

@@ -1,6 +1,10 @@
 Changes
 =======
 
+UNRELEASED
+----------
+- A 403 (permission denied) is now raised if a SAMLResponse is replayed, instead of 500.
+
 0.16.11 (2017-12-25)
 ----------
 - Dropped compatibility for Python < 2.7 and Django < 1.8.

djangosaml2/tests/__init__.py

@@ -217,8 +217,6 @@ def test_assertion_consumer_service(self):
             metadata_file='remote_metadata_one_idp.xml',
         )
 
-        self.init_cookies()
-
         # session_id should start with a letter since it is a NCName
         session_id = "a0123456789abcdef0123456789abcdef"
         came_from = '/another-view/'
@@ -259,6 +257,37 @@ def test_assertion_consumer_service(self):
         self.assertEqual(url.path, settings.LOGIN_REDIRECT_URL)
         self.assertEqual(force_text(new_user.id), self.client.session[SESSION_KEY])
 
+    def test_assertion_consumer_service_no_session(self):
+        settings.SAML_CONFIG = conf.create_conf(
+            sp_host='sp.example.com',
+            idp_hosts=['idp.example.com'],
+            metadata_file='remote_metadata_one_idp.xml',
+        )
+
+        # session_id should start with a letter since it is a NCName
+        session_id = "a0123456789abcdef0123456789abcdef"
+        came_from = '/another-view/'
+        self.add_outstanding_query(session_id, came_from)
+
+        # Authentication is confirmed.
+        saml_response = auth_response(session_id, 'student')
+        response = self.client.post(reverse('saml2_acs'), {
+            'SAMLResponse': self.b64_for_post(saml_response),
+            'RelayState': came_from,
+        })
+        self.assertEqual(response.status_code, 302)
+        location = response['Location']
+        url = urlparse(location)
+        self.assertEqual(url.path, came_from)
+
+        # Session should no longer be in outstanding queries.
+        saml_response = auth_response(session_id, 'student')
+        response = self.client.post(reverse('saml2_acs'), {
+            'SAMLResponse': self.b64_for_post(saml_response),
+            'RelayState': came_from,
+        })
+        self.assertEqual(response.status_code, 403)
+
     def test_missing_param_to_assertion_consumer_service_request(self):
         # Send request without SAML2Response parameter
         response = self.client.post(reverse('saml2_acs'))

djangosaml2/views.py

@@ -45,7 +45,10 @@
 from saml2.ident import code, decode
 from saml2.sigver import MissingKey
 from saml2.s_utils import UnsupportedBinding
-from saml2.response import StatusError, StatusAuthnFailed, SignatureError, StatusRequestDenied
+from saml2.response import (
+    StatusError, StatusAuthnFailed, SignatureError, StatusRequestDenied,
+    UnsolicitedResponse,
+)
 from saml2.validate import ResponseLifetimeExceed, ToEarly
 from saml2.xmldsig import SIG_RSA_SHA1, SIG_RSA_SHA256  # support for SHA1 is required by spec
 
@@ -287,6 +290,9 @@ def assertion_consumer_service(request,
     except MissingKey:
         logger.exception("SAML Identity Provider is not configured correctly: certificate key is missing!")
         return fail_acs_response(request)
+    except UnsolicitedResponse:
+        logger.exception("Received SAMLResponse when no request has been made.")
+        return fail_acs_response(request)
 
     if response is None:
         logger.warning("Invalid SAML Assertion received (unknown error).")