0001-saml-do-not-do-anything-on-HEAD-calls-to-assertion-c.patch
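--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -380,6 +380,36 @@
 assert req.response.headers['location'] == 'http://example.net/saml/error?RelayState=/foobar/%3Ftest%3Dok'
 
 
+def test_assertion_consumer_artifact_head(pub):
+def get_assertion_consumer_request(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT):
+msg_url = get_authn_response_msg(pub, protocol_binding=lasso.SAML2_METADATA_BINDING_ARTIFACT)
+artifact = urllib.parse.parse_qs(urllib.parse.urlparse(msg_url).query)['SAMLart'][0]
+req = HTTPRequest(
+None,
+{
+'REQUEST_METHOD': 'HEAD',
+'SERVER_NAME': 'example.net',
+'SCRIPT_NAME': '',
+'PATH_INFO': '/saml/assertionConsumerArtifact',
+'QUERY_STRING': urllib.parse.urlencode(
+{'SAMLart': artifact, 'RelayState': '/foobar/?test=ok'}
+),
+},
+)
+req.process_inputs()
+pub._set_request(req)
+pub.session_class.wipe()
+req.session = pub.session_class(id=1)
+assert req.session.user is None
+return req
+
+req = get_assertion_consumer_request(pub)
+saml2 = Saml2Directory()
+saml2.assertionConsumerArtifact()
+# no request to IdP, no redirection
+assert req.response.status_code == 200
+
+
 def test_saml_error_page(pub):
 resp = get_app(pub).get('/saml/error?RelayState=/foobar/%3Ftest%3Dok')
 resp = resp.form.submit()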
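Review bot: The new test only checks `req.response.status_code == 200` after `saml2.assertionConsumerArtifact()`, which does not establish what the comment above it claims ("no request to IdP, no redirection") nor that a HEAD probe cannot log the session in; add `assert 'location' not in req.response.headers` and `assert req.session.user is None` after the call so a regression that reintroduces the redirect or consumes the artifact is caught. The nested `get_assertion_consumer_request` helper takes an `ni_format` parameter that its visible body never uses, which reads as copied from a sibling test; dropping the parameter (or passing it to `get_authn_response_msg`) would make the helper honest. Indentation is lost in this rendering, so the nesting of the helper inside `test_assertion_consumer_artifact_head` is inferred from line order.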
wcs/qommon/saml2.py | ||
229 | 229 |
message, method = request.get_query(), lasso.HTTP_METHOD_ARTIFACT_GET |
230 | 230 |
elif request.get_method() == 'POST': |
231 | 231 |
message, method = request.form.get('SAMLart', None), lasso.HTTP_METHOD_ARTIFACT_POST |
232 |
elif request.get_method() == 'HEAD': |
|
233 |
# A proper HEAD response would be a redirection but that would mean |
|
234 |
# contacting the identify provider and probably it will mark the |
|
235 |
# artifact as consumed and that would break the GET request that is |
|
236 |
# to come. Hence not doing anything. |
|
237 |
return '' |
|
232 | 238 |
else: |
233 | 239 |
get_logger().info('Bad HTTP method on assertionConsumerArtifact endpoint') |
234 | 240 |
return error_page(_('Invalid authentication response')) |
235 |
- |
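Review bot: The new `HEAD` branch returns `''` with no trace, so someone reading the logs cannot distinguish a probe of the artifact endpoint from the real GET that follows, while the sibling `else` branch does log; a `get_logger().debug('HEAD on assertionConsumerArtifact endpoint, ignoring')` before the `return ''` keeps the no-contact-with-IdP behaviour and leaves a record. The explanatory comment has a typo, `identify provider` should read `identity provider`, and it would help a future maintainer not to "fix" this back into a redirect if it also said in one clause why a HEAD is expected before the GET (presumably link prefetchers or proxies probing the URL). The enclosing function starts before this hunk, and the trailing removed line at the end of the section is not recoverable from this rendering.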