0001-views-keep-a-nonce-during-a-forceAuthn-request-55953.patch
| mellon/views.py | ||
|---|---|---|
| 251 | 251 |
if content is not None: |
| 252 | 252 |
values.append(content) |
| 253 | 253 |
attributes['issuer'] = login.remoteProviderId |
| 254 |
in_response_to = login.response.inResponseTo |
|
| 255 |
if in_response_to: |
|
| 256 |
attributes['nonce'] = request.session.get('mellon-nonce-%s' % in_response_to)
|
|
| 257 |
attributes['force_authn'] = request.session.get('mellon-force-authn-%s' % in_response_to, False)
|
|
| 258 | ||
| 254 | 259 |
if login.nameIdentifier: |
| 255 | 260 |
name_id = login.nameIdentifier |
| 256 | 261 |
name_id_format = force_text(name_id.format or lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED) |
| ... | ... | |
| 490 | 495 |
policy = authn_request.nameIdPolicy |
| 491 | 496 |
policy.allowCreate = utils.get_setting(idp, 'NAME_ID_POLICY_ALLOW_CREATE') |
| 492 | 497 |
policy.format = utils.get_setting(idp, 'NAME_ID_POLICY_FORMAT') |
| 493 |
force_authn = utils.get_setting(idp, 'FORCE_AUTHN') |
|
| 498 |
force_authn = utils.get_setting(idp, 'FORCE_AUTHN') or 'force-authn' in request.GET |
|
| 499 |
# link the nonce and forceAuthn state to the request-id |
|
| 500 |
if 'nonce' in request.GET: |
|
| 501 |
request.session['mellon-nonce-%s' % authn_request.id] = request.GET['nonce'] |
|
| 494 | 502 |
if force_authn: |
| 503 |
request.session['mellon-force-authn-%s' % authn_request.id] = True |
|
| 495 | 504 |
authn_request.forceAuthn = True |
| 496 | 505 |
if request.GET.get('passive') == '1':
|
| 497 | 506 |
authn_request.isPassive = True |
| tests/test_sso_slo.py | ||
|---|---|---|
| 94 | 94 |
self.session_dump = None |
| 95 | 95 | |
| 96 | 96 |
def process_authn_request_redirect(self, url, auth_result=True, consent=True, msg=None): |
| 97 |
login = lasso.Login(self.server) |
|
| 97 |
login = self.login = lasso.Login(self.server)
|
|
| 98 | 98 |
if self.identity_dump: |
| 99 | 99 |
login.setIdentityFromDump(self.identity_dump) |
| 100 | 100 |
if self.session_dump: |
| ... | ... | |
| 421 | 421 |
assert app.session['mellon_session']['first_name'] == ['<i>Fr\xe9d\xe9ric</i>'] |
| 422 | 422 |
assert app.session['mellon_session']['email'] == ['john.doe@gmail.com'] |
| 423 | 423 |
assert app.session['mellon_session']['wtf'] == [] |
| 424 |
assert not app.session['mellon_session']['force_authn'] |
|
| 425 |
assert not app.session['mellon_session']['nonce'] |
|
| 424 | 426 | |
| 425 | 427 | |
| 426 | 428 |
def test_sso_request_denied(db, app, idp, caplog, sp_settings): |
| ... | ... | |
| 732 | 734 |
assert '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"' in response_text |
| 733 | 735 |
assert '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"' in response_text |
| 734 | 736 |
assert 'mellon: created new user _' in response_text |
| 737 | ||
| 738 | ||
| 739 |
def test_nonce(db, app, idp, caplog, sp_settings): |
|
| 740 |
response = app.get(reverse('mellon_login') + '?nonce=1234')
|
|
| 741 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
| 742 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state})
|
|
| 743 |
assert app.session['mellon_session']['nonce'] == '1234' |
|
| 744 | ||
| 745 | ||
| 746 |
def test_force_authn(db, app, idp, caplog, sp_settings): |
|
| 747 |
response = app.get(reverse('mellon_login') + '?force-authn=1')
|
|
| 748 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
| 749 |
assert idp.login.request.forceAuthn |
|
| 750 | ||
| 751 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state})
|
|
| 752 |
assert app.session['mellon_session']['force_authn'] |
|
| 735 |
- |
|