Merge pull request #485 from skoranda/want_assertions_or_response_signed

Add want_assertions_or_response_signed functionality

Author: c00kiemon5ter

docs/howto/config.rst

@@ -624,6 +624,33 @@ Example::
         }
     }
 
+want_assertions_or_response_signed
+""""""""""""""""""""
+
+Indicates that *either* the Authentication Response *or* the assertions
+contained within the response to this SP must be signed.
+
+Valid values are True or False. Default value is False.
+
+This configuration directive **does not** override ``want_response_signed``
+or ``want_assertions_signed``. For example, if ``want_response_signed`` is True
+and the Authentication Response is not signed an exception will be thrown
+regardless of the value for this configuration directive.
+
+Thus to configure the SP to accept either a signed response or signed assertions
+set ``want_response_signed`` and ``want_assertions_signed`` both to False and
+this directive to True.
+
+Example::
+
+    "service": {
+        "sp": {
+            "want_response_signed": False,
+            "want_assertions_signed": False,
+            "want_assertions_or_response_signed": True
+        }
+    }
+
 
 idp/aa/sp
 ^^^^^^^^^

src/saml2/client_base.py

@@ -120,6 +120,7 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
             "authn_requests_signed": False,
             "want_assertions_signed": False,
             "want_response_signed": True,
+            "want_assertions_or_response_signed" : False
         }
 
         for attr, val_default in attribute_defaults.items():
@@ -135,7 +136,11 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
             setattr(self, attr, val)
 
         if self.entity_type == "sp" and not any(
-            [self.want_assertions_signed, self.want_response_signed]
+            [
+                self.want_assertions_signed,
+                self.want_response_signed,
+                self.want_assertions_or_response_signed,
+            ]
         ):
             logger.warning(
                 "The SAML service provider accepts unsigned SAML Responses "
@@ -691,6 +696,7 @@ def parse_authn_request_response(self, xmlstr, binding, outstanding=None,
             "outstanding_certs": outstanding_certs,
             "allow_unsolicited": self.allow_unsolicited,
             "want_assertions_signed": self.want_assertions_signed,
+            "want_assertions_or_response_signed": self.want_assertions_or_response_signed,
             "want_response_signed": self.want_response_signed,
             "return_addrs": self.service_urls(binding=binding),
             "entity_id": self.config.entityid,

src/saml2/config.py

@@ -77,6 +77,7 @@
     "subject_data",
     "want_response_signed",
     "want_assertions_signed",
+    "want_assertions_or_response_signed",
     "authn_requests_signed",
     "name_form",
     "endpoints",

src/saml2/entity.py

@@ -30,6 +30,7 @@
 from saml2.saml import EncryptedAssertion
 from saml2.saml import Issuer
 from saml2.saml import NAMEID_FORMAT_ENTITY
+from saml2.response import AuthnResponse
 from saml2.response import LogoutResponse
 from saml2.response import UnsolicitedResponse
 from saml2.time_util import instant
@@ -63,6 +64,7 @@
 from saml2.sigver import security_context
 from saml2.sigver import response_factory
 from saml2.sigver import SigverError
+from saml2.sigver import SignatureError
 from saml2.sigver import make_temp
 from saml2.sigver import pre_encryption_part
 from saml2.sigver import pre_signature_part
@@ -1136,17 +1138,36 @@ def _parse_response(self, xmlstr, response_cls, service, binding,
             return None
 
         try:
+            response_is_signed = False
+            # Record the response signature requirement.
+            require_response_signature = response.require_response_signature
+            # Force the requirement that the response be signed in order to
+            # force signature checking to happen so that we can know whether
+            # or not the response is signed. The attribute on the response class
+            # is reset to the recorded value in the finally clause below.
+            response.require_response_signature = True
             response = response.loads(xmlstr, False, origxml=xmlstr)
         except SigverError as err:
-            logger.error("Signature Error: %s", err)
-            raise
+            if require_response_signature:
+                logger.error("Signature Error: %s", err)
+                raise
+            else:
+                # The response is not signed but a signature is not required
+                # so reset the attribute on the response class to the recorded
+                # value and attempt to consume the unpacked XML again.
+                response.require_response_signature = require_response_signature
+                response = response.loads(xmlstr, False, origxml=xmlstr)
         except UnsolicitedResponse:
             logger.error("Unsolicited response")
             raise
         except Exception as err:
             if "not well-formed" in "%s" % err:
                 logger.error("Not well-formed XML")
             raise
+        else:
+            response_is_signed = True
+        finally:
+            response.require_response_signature = require_response_signature
 
         logger.debug("XMLSTR: %s", xmlstr)
 
@@ -1166,7 +1187,40 @@ def _parse_response(self, xmlstr, response_cls, service, binding,
                 for _cert in cert:
                     keys.append(_cert["key"])
 
-        response = response.verify(keys)
+        try:
+            assertions_are_signed = False
+            # Record the assertions signature requirement.
+            require_signature = response.require_signature
+            # Force the requirement that the assertions be signed in order to
+            # force signature checking to happen so that we can know whether
+            # or not the assertions are signed. The attribute on the response class
+            # is reset to the recorded value in the finally clause below.
+            response.require_signature = True
+            # Verify that the assertion is syntactically correct and the
+            # signature on the assertion is correct if present.
+            response = response.verify(keys)
+        except SignatureError as err:
+            if require_signature:
+                logger.error("Signature Error: %s", err)
+                raise
+            else:
+                response.require_signature = require_signature
+                response = response.verify(keys)
+        except Exception as err:
+            logger.error("Exception verifying assertion: %s" % err)
+        else:
+            assertions_are_signed = True
+        finally:
+            response.require_signature = require_signature
+
+        # If so configured enforce that either the response is signed
+        # or the assertions within it are signed.
+        if response.require_signature_or_response_signature:
+            if not response_is_signed and not assertions_are_signed:
+                msg = "Neither the response nor the assertions are signed"
+                logger.error(msg)
+                raise SigverError(msg)
+
         return response
 
     # ------------------------------------------------------------------------

src/saml2/response.py

@@ -271,6 +271,7 @@ def __init__(self, sec_context, return_addrs=None, timeslack=0,
         self.signature_check = self.sec.correctly_signed_response
         self.require_signature = False
         self.require_response_signature = False
+        self.require_signature_or_response_signature = False
         self.not_signed = False
         self.asynchop = asynchop
         self.do_not_verify = False
@@ -474,7 +475,9 @@ def __init__(self, sec_context, attribute_converters, entity_id,
             return_addrs=None, outstanding_queries=None,
             timeslack=0, asynchop=True, allow_unsolicited=False,
             test=False, allow_unknown_attributes=False,
-            want_assertions_signed=False, want_response_signed=False,
+            want_assertions_signed=False,
+            want_assertions_or_response_signed=False,
+            want_response_signed=False,
             conv_info=None, **kwargs):
 
         StatusResponse.__init__(self, sec_context, return_addrs, timeslack,
@@ -493,6 +496,7 @@ def __init__(self, sec_context, attribute_converters, entity_id,
         self.session_not_on_or_after = 0
         self.allow_unsolicited = allow_unsolicited
         self.require_signature = want_assertions_signed
+        self.require_signature_or_response_signature = want_assertions_or_response_signed
         self.require_response_signature = want_response_signed
         self.test = test
         self.allow_unknown_attributes = allow_unknown_attributes
@@ -1277,6 +1281,14 @@ def __init__(self, sec_context, attribute_converters, timeslack=0,
         self.context = "AssertionIdResponse"
         self.signature_check = self.sec.correctly_signed_assertion_id_response
 
+        # Because this class is not a subclass of StatusResponse we need
+        # to add these attributes directly so that the _parse_response()
+        # method of the Entity class can treat instances of this class
+        # like all other responses.
+        self.require_signature = False
+        self.require_response_signature = False
+        self.require_signature_or_response_signature = False
+
     def loads(self, xmldata, decode=True, origxml=None):
         # own copy
         self.xmlstr = xmldata[:]

tests/test_51_client.py

@@ -37,6 +37,7 @@
 from saml2.sigver import pre_encryption_part, pre_encrypt_assertion
 from saml2.sigver import rm_xmltag
 from saml2.sigver import verify_redirect_signature
+from saml2.sigver import SignatureError, SigverError
 from saml2.s_utils import do_attribute_statement
 from saml2.s_utils import factory
 from saml2.time_util import in_a_while, a_while_ago
@@ -1487,6 +1488,160 @@ def test_do_logout_session_expired(self):
                                                BINDING_HTTP_POST)
         assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
 
+    def test_signature_wants(self):
+
+        ava = {
+            "givenName": ["Derek"],
+            "sn": ["Jeter"],
+            "mail": ["[email protected]"],
+            "title": ["The man"]
+            }
+
+        nameid_policy = samlp.NameIDPolicy(
+                            allow_create="false",
+                            format=saml.NAMEID_FORMAT_PERSISTENT)
+
+        kwargs = {
+            "identity": ava,
+            "in_response_to": "id1",
+            "destination": "http://lingon.catalogix.se:8087/",
+            "sp_entity_id": "urn:mace:example.com:saml:roland:sp",
+            "name_id_policy": nameid_policy,
+            "userid": "[email protected]",
+            "authn": AUTHN
+            }
+
+        outstanding = {"id1": "http://foo.example.com/service"}
+
+        def create_authn_response(**kwargs):
+            return encode_fn(
+                    str(self.server.create_authn_response(**kwargs)).encode())
+
+        def parse_authn_response(response):
+            self.client.parse_authn_request_response(response,
+                                                BINDING_HTTP_POST, outstanding)
+
+        def set_client_want(response, assertion, either):
+            self.client.want_response_signed = response
+            self.client.want_assertions_signed = assertion
+            self.client.want_assertions_or_response_signed = either
+
+        # Response is signed but assertion is not.
+        kwargs["sign_response"] = True
+        kwargs["sign_assertion"] = False
+        response = create_authn_response(**kwargs)
+
+        set_client_want(True, True, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, True, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, False, True)
+        parse_authn_response(response)
+
+        set_client_want(True, False, False)
+        parse_authn_response(response)
+
+        set_client_want(False, True, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, True, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, False, True)
+        parse_authn_response(response)
+
+        set_client_want(False, False, False)
+        parse_authn_response(response)
+
+        # Response is not signed but assertion is signed.
+        kwargs["sign_response"] = False
+        kwargs["sign_assertion"] = True
+        response = create_authn_response(**kwargs)
+
+        set_client_want(True, True, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, True, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, False, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, False, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, True, True)
+        parse_authn_response(response)
+
+        set_client_want(False, True, False)
+        parse_authn_response(response)
+
+        set_client_want(False, False, True)
+        parse_authn_response(response)
+
+        set_client_want(False, False, False)
+        parse_authn_response(response)
+
+        # Both response and assertion are signed.
+        kwargs["sign_response"] = True
+        kwargs["sign_assertion"] = True
+        response = create_authn_response(**kwargs)
+
+        set_client_want(True, True, True)
+        parse_authn_response(response)
+
+        set_client_want(True, True, False)
+        parse_authn_response(response)
+
+        set_client_want(True, False, True)
+        parse_authn_response(response)
+
+        set_client_want(True, False, False)
+        parse_authn_response(response)
+
+        set_client_want(False, True, True)
+        parse_authn_response(response)
+
+        set_client_want(False, True, False)
+        parse_authn_response(response)
+
+        set_client_want(False, False, True)
+        parse_authn_response(response)
+
+        set_client_want(False, False, False)
+        parse_authn_response(response)
+
+        # Neither response nor assertion is signed.
+        kwargs["sign_response"] = False
+        kwargs["sign_assertion"] = False
+        response = create_authn_response(**kwargs)
+
+        set_client_want(True, True, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, True, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, False, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(True, False, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, True, True)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, True, False)
+        raises(SignatureError, parse_authn_response, response)
+
+        set_client_want(False, False, True)
+        raises(SigverError, parse_authn_response, response)
+
+        set_client_want(False, False, False)
+        parse_authn_response(response)
+
 
 class TestClientNonAsciiAva:
     def setup_class(self):