Be able to invalidate a SAMLResponse if it contains InResponseTo value but no RequestId parameter provided at the is_valid method. See rejectUnsolicitedResponsesWithInResponseTo security parameter (By default deactivated)

pitbulk · pitbulk · commit 4081893698ab · 2017-12-18T19:08:31.000+01:00
diff --git a/README.md b/README.md
@@ -414,6 +414,11 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         // Indicates a requirement for the AttributeStatement element
         "wantAttributeStatement": true,
 
+        // Rejects SAML responses with a InResponseTo attribute when request_id
+        // not provided in the process_response method that later call the 
+        // response is_valid method with that parameter.
+        "rejectUnsolicitedResponsesWithInResponseTo": false,
+
         // Authentication context.
         // Set to false and no AuthContext will be sent in the AuthNRequest,
         // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -133,14 +133,19 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 security = self.__settings.get_security_data()
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
-                # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
                 in_response_to = self.document.get('InResponseTo', None)
-                if in_response_to is not None and request_id is not None:
-                    if in_response_to != request_id:
-                        raise OneLogin_Saml2_ValidationError(
-                            'The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id),
-                            OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
-                        )
+                if request_id is None and in_response_to is not None and security.get('rejectUnsolicitedResponsesWithInResponseTo', False):
+                    raise OneLogin_Saml2_ValidationError(
+                        'The Response has an InResponseTo attribute: %s while no InResponseTo was expected' % in_response_to,
+                        OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
+                    )
+
+                # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
+                if request_id is not None and in_response_to != request_id:
+                    raise OneLogin_Saml2_ValidationError(
+                        'The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id),
+                        OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
+                    )
 
                 if not self.encrypted and security.get('wantAssertionsEncrypted', False):
                     raise OneLogin_Saml2_ValidationError(
@@ -244,7 +249,9 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                         continue
                     else:
                         irt = sc_data.get('InResponseTo', None)
-                        if in_response_to and irt and irt != in_response_to:
+                        if (in_response_to is None and irt is not None and
+                           security.get('rejectUnsolicitedResponsesWithInResponseTo', False)) or \
+                           in_response_to and irt and irt != in_response_to:
                             continue
                         recipient = sc_data.get('Recipient', None)
                         if recipient and current_url not in recipient:
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
@@ -280,6 +280,9 @@ def __add_default_values(self):
         # NameID element expected
         self.__security.setdefault('wantNameId', True)
 
+        # SAML responses with a InResponseTo attribute not rejected when requestId not passed
+        self.__security.setdefault('rejectUnsolicitedResponsesWithInResponseTo', False)
+
         # Encrypt expected
         self.__security.setdefault('wantAssertionsEncrypted', False)
         self.__security.setdefault('wantNameIdEncrypted', False)
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1173,6 +1173,54 @@ def testIsInValidRequestId(self):
         response.is_valid(request_data, valid_request_id)
         self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
+    def testRejectUnsolicitedResponsesWithInResponseTo(self):
+        settings_info = self.loadSettingsJSON()
+        settings_info['strict'] = True
+        settings_info['security']['rejectUnsolicitedResponsesWithInResponseTo'] = False
+        settings = OneLogin_Saml2_Settings(settings_info)
+        request_data = {
+            'http_host': 'stuff.com',
+            'script_name': 'endpoints/endpoints/acs.php'
+        }
+
+        xml = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        response.is_valid(request_data)
+        self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
+
+        settings_info['security']['rejectUnsolicitedResponsesWithInResponseTo'] = True
+        settings = OneLogin_Saml2_Settings(settings_info)
+        response = OneLogin_Saml2_Response(settings, xml)
+        response.is_valid(request_data)
+        self.assertEqual('The Response has an InResponseTo attribute: _57bcbf70-7b1f-012e-c821-782bcb13bb38 while no InResponseTo was expected', response.get_error())
+
+        settings_info['idp']['entityId'] = 'https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php'
+        settings_info['sp']['entityId'] = 'https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php'
+        request_data = {
+            'https': 'on',
+            'http_host': 'pitbulk.no-ip.org',
+            'script_name': 'newonelogin/demo1/index.php?acs'
+        }
+        not_on_or_after = datetime.strptime('2014-02-19T09:37:01Z', '%Y-%m-%dT%H:%M:%SZ')
+        not_on_or_after -= timedelta(seconds=150)
+
+        # InResponseTo on the SubjectConfirmation only
+        xml = self.file_contents(join(self.data_path, 'responses', 'valid_response_without_inresponseto.xml.base64'))
+        settings_info['security']['rejectUnsolicitedResponsesWithInResponseTo'] = False
+        settings = OneLogin_Saml2_Settings(settings_info)
+        response = OneLogin_Saml2_Response(settings, xml)
+
+        with freeze_time(not_on_or_after):
+            self.assertTrue(response.is_valid(request_data))
+
+        settings_info['security']['rejectUnsolicitedResponsesWithInResponseTo'] = True
+        settings = OneLogin_Saml2_Settings(settings_info)
+        response = OneLogin_Saml2_Response(settings, xml)
+
+        with freeze_time(not_on_or_after):
+            self.assertFalse(response.is_valid(request_data))
+            self.assertEquals("A valid SubjectConfirmation was not found on this Response", response.get_error())
+
     def testIsInValidSignIssues(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
