0001-views-keep-a-nonce-during-a-forceAuthn-request-55953.patch
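--- a/mellon/views.py
+++ b/mellon/views.py
@@ -251,6 +251,11 @@
 if content is not None:
 values.append(content)
 attributes['issuer'] = login.remoteProviderId
+in_response_to = login.response.inResponseTo
+if in_response_to:
+attributes['nonce'] = request.session.get('mellon-nonce-%s' % in_response_to)
+attributes['force_authn'] = request.session.get('mellon-force-authn-%s' % in_response_to, False)
+
 if login.nameIdentifier:
 name_id = login.nameIdentifier
 name_id_format = force_text(name_id.format or lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED)
@@ -490,8 +495,11 @@
 policy = authn_request.nameIdPolicy
 policy.allowCreate = utils.get_setting(idp, 'NAME_ID_POLICY_ALLOW_CREATE')
 policy.format = utils.get_setting(idp, 'NAME_ID_POLICY_FORMAT')
-force_authn = utils.get_setting(idp, 'FORCE_AUTHN')
+force_authn = utils.get_setting(idp, 'FORCE_AUTHN') or 'force-authn' in request.GET
+# link the nonce and forceAuthn state to the request-id
+if 'nonce' in request.GET:
+request.session['mellon-nonce-%s' % authn_request.id] = request.GET['nonce']
 if force_authn:
+request.session['mellon-force-authn-%s' % authn_request.id] = True
 authn_request.forceAuthn = True
 if request.GET.get('passive') == '1':
 authn_request.isPassive = True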
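Review bot: In the response-side hunk (new lines 254-257) `request.session.get(...)` reads the per-request nonce and forceAuthn keys but never removes them, so every AuthnRequest leaves two keys in the session for its whole lifetime and the nonce bound to a request id stays available for any later response carrying the same InResponseTo. Consuming the keys instead keeps the session bounded and makes the nonce single-use: `attributes['nonce'] = request.session.pop('mellon-nonce-%s' % in_response_to, None)` and `attributes['force_authn'] = request.session.pop('mellon-force-authn-%s' % in_response_to, False)`. An unsolicited (IdP-initiated) response has no InResponseTo, so on that path neither attribute is written at all; assigning `None`/`False` to both before the `if` would give consumers of `mellon_session` a stable shape. Also worth recording in a comment is that `force_authn` only means the SP asked for forced re-authentication (it is set from the request side at new line 503), not that the IdP performed it, e.g. `# force_authn records what was requested, not what the IdP did; check the assertion's AuthnInstant if freshness matters`. The enclosing functions of both hunks start and end outside the hunks.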
tests/test_sso_slo.py | ||
94 | 94 |
self.session_dump = None |
95 | 95 | |
96 | 96 |
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None): |
97 |
login = lasso.Login(self.server) |
|
97 |
login = self.login = lasso.Login(self.server)
|
|
98 | 98 |
if self.identity_dump: |
99 | 99 |
login.setIdentityFromDump(self.identity_dump) |
100 | 100 |
if self.session_dump: |
... | ... | |
421 | 421 |
assert app.session['mellon_session']['first_name'] == ['<i>Fr\xe9d\xe9ric</i>'] |
422 | 422 |
assert app.session['mellon_session']['email'] == ['john.doe@gmail.com'] |
423 | 423 |
assert app.session['mellon_session']['wtf'] == [] |
424 |
assert not app.session['mellon_session']['force_authn'] |
|
425 |
assert not app.session['mellon_session']['nonce'] |
|
424 | 426 | |
425 | 427 | |
426 | 428 |
def test_sso_request_denied(db, app, idp, caplog, sp_settings): |
... | ... | |
732 | 734 |
assert '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"' in response_text |
733 | 735 |
assert '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"' in response_text |
734 | 736 |
assert 'mellon: created new user _' in response_text |
737 | ||
738 | ||
739 |
def test_nonce(db, app, idp, caplog, sp_settings): |
|
740 |
response = app.get(reverse('mellon_login') + '?nonce=1234') |
|
741 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
742 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}) |
|
743 |
assert app.session['mellon_session']['nonce'] == '1234' |
|
744 | ||
745 | ||
746 |
def test_force_authn(db, app, idp, caplog, sp_settings): |
|
747 |
response = app.get(reverse('mellon_login') + '?force-authn=1') |
|
748 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
749 |
assert idp.login.request.forceAuthn |
|
750 | ||
751 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}) |
|
752 |
assert app.session['mellon_session']['force_authn'] |
|
735 |
- |
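Review bot: `test_nonce` and `test_force_authn` (new lines 739-752) only exercise the solicited path; there is no case for a response without InResponseTo, which is the branch where the view writes neither `nonce` nor `force_authn`, and no case checking that a nonce is not handed out again once consumed. `url` is unpacked but unused in both new tests; `_, body, relay_state = idp.process_authn_request_redirect(response['Location'])` avoids the dead name. Both test functions are complete within the hunk.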