0001-saml-do-not-do-anything-on-HEAD-calls-to-assertion-c.patch

Frédéric Péters, 01 novembre 2021 09:26



Subject: [PATCH] saml: do not do anything on HEAD calls to assertion consumer
 (#18197)

 tests/test_saml_auth.py | 30 ++++++++++++++++++++++++++++++
 wcs/qommon/saml2.py     |  6 ++++++
 2 files changed, 36 insertions(+)
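--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -380,6 +380,36 @@
     assert req.response.headers['location'] == 'http://example.net/saml/error?RelayState=/foobar/%3Ftest%3Dok'
 
 
+def test_assertion_consumer_artifact_head(pub):
+    def get_assertion_consumer_request(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT):
+        msg_url = get_authn_response_msg(pub, protocol_binding=lasso.SAML2_METADATA_BINDING_ARTIFACT)
+        artifact = urllib.parse.parse_qs(urllib.parse.urlparse(msg_url).query)['SAMLart'][0]
+        req = HTTPRequest(
+            None,
+            {
+                'REQUEST_METHOD': 'HEAD',
+                'SERVER_NAME': 'example.net',
+                'SCRIPT_NAME': '',
+                'PATH_INFO': '/saml/assertionConsumerArtifact',
+                'QUERY_STRING': urllib.parse.urlencode(
+                    {'SAMLart': artifact, 'RelayState': '/foobar/?test=ok'}
+                ),
+            },
+        )
+        req.process_inputs()
+        pub._set_request(req)
+        pub.session_class.wipe()
+        req.session = pub.session_class(id=1)
+        assert req.session.user is None
+        return req
+
+    req = get_assertion_consumer_request(pub)
+    saml2 = Saml2Directory()
+    saml2.assertionConsumerArtifact()
+    # no request to IdP, no redirection
+    assert req.response.status_code == 200
+
+
 def test_saml_error_page(pub):
     resp = get_app(pub).get('/saml/error?RelayState=/foobar/%3Ftest%3Dok')
     resp = resp.form.submit()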
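Review bot: The comment `# no request to IdP, no redirection` above the final assertion is only half covered: `status_code == 200` rules out the redirect, but nothing in the test shows the artifact was left unconsumed, which is the whole reason for the HEAD branch. A stronger check would reuse the same `artifact` in a follow-up GET request and assert that it still authenticates (or assert that no artifact-resolve call reached the test IdP, if the fixtures expose that); without it the test keeps passing even if HEAD handling regresses to resolving the artifact. Separately, the nested `get_assertion_consumer_request` takes a `ni_format` argument it never uses and looks like a copy of a module-level helper with only `'REQUEST_METHOD': 'HEAD'` changed (that helper is outside this hunk, so this is inferred); adding a `method='GET'` parameter to the existing helper would avoid the duplicate.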
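--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@@ -229,6 +229,12 @@
                 message, method = request.get_query(), lasso.HTTP_METHOD_ARTIFACT_GET
             elif request.get_method() == 'POST':
                 message, method = request.form.get('SAMLart', None), lasso.HTTP_METHOD_ARTIFACT_POST
+            elif request.get_method() == 'HEAD':
+                # A proper HEAD response would be a redirection but that would mean
+                # contacting the identify provider and probably it will mark the
+                # artifact as consumed and that would break the GET request that is
+                # to come. Hence not doing anything.
+                return ''
             else:
                 get_logger().info('Bad HTTP method on assertionConsumerArtifact endpoint')
                 return error_page(_('Invalid authentication response'))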
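Review bot: The new HEAD branch returns silently, whereas the neighbouring `else` branch logs every other unexpected method; a HEAD that carries a `SAMLart` is worth a trace line for anyone diagnosing a failed login, e.g. `get_logger().debug('HEAD request on assertionConsumerArtifact endpoint, ignored')` before `return ''`. The added comment also has a typo, `identify provider` should read `identity provider`, and the sentence could state the mechanism more directly: `# Resolving the artifact with the identity provider would mark it as consumed and break the GET request that follows; answer HEAD with an empty body instead.` The enclosing method starts and ends outside this hunk, so whether `''` yields the intended 200 status depends on code not shown here.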
235
-