0001-auth_saml-validate-xml-metadata-70492.patch
src/authentic2_auth_saml/migrations/0001_initial.py | ||
---|---|---|
4 | 4 |
import django.db.models.deletion |
5 | 5 |
from django.db import migrations, models |
6 | 6 | |
7 |
import authentic2_auth_saml.models |
|
8 | ||
7 | 9 | |
8 | 10 |
class Migration(migrations.Migration): |
9 | 11 | |
... | ... | |
46 | 48 |
verbose_name='Metadata file path', |
47 | 49 |
), |
48 | 50 |
), |
49 |
('metadata', models.TextField(blank=True, verbose_name='Metadata (XML)')), |
|
51 |
( |
|
52 |
'metadata', |
|
53 |
models.TextField( |
|
54 |
blank=True, |
|
55 |
validators=[authentic2_auth_saml.models.validate_metadata], |
|
56 |
verbose_name='Metadata (XML)', |
|
57 |
), |
|
58 |
), |
|
50 | 59 |
( |
51 | 60 |
'provision', |
52 | 61 |
models.BooleanField( |
src/authentic2_auth_saml/models.py | ||
---|---|---|
14 | 14 |
# You should have received a copy of the GNU Affero General Public License |
15 | 15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
16 | 16 | |
17 |
import xml.etree.ElementTree as ET |
|
18 | ||
19 |
import lasso |
|
17 | 20 |
from django.conf import settings |
18 | 21 |
from django.contrib.postgres.fields import JSONField |
19 | 22 |
from django.core.exceptions import ValidationError |
... | ... | |
28 | 31 |
from authentic2.utils.misc import redirect_to_login |
29 | 32 | |
30 | 33 | |
34 |
def validate_metadata(metadata): |
|
35 |
try: |
|
36 |
doc = ET.fromstring(metadata) |
|
37 |
except (TypeError, ET.ParseError) as e: |
|
38 |
raise ValidationError(_('Cannot parse metadata, %s') % e) |
|
39 | ||
40 |
tag_name = '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF |
|
41 |
if doc.tag != tag_name: |
|
42 |
raise ValidationError(_('Invalid metadata, missing tag %s') % tag_name) |
|
43 | ||
44 |
if 'entityID' not in doc.attrib: |
|
45 |
raise ValidationError(_('Invalid metadata, missing entityID')) |
|
46 | ||
47 | ||
31 | 48 |
class SAMLAuthenticator(BaseAuthenticator): |
32 | 49 |
metadata_url = models.URLField(_('Metadata URL'), max_length=300, blank=True) |
33 | 50 |
metadata_cache_time = models.PositiveSmallIntegerField(_('Metadata cache time'), default=3600) |
... | ... | |
39 | 56 |
help_text=_('Absolute path to the IdP metadata file.'), |
40 | 57 |
blank=True, |
41 | 58 |
) |
42 |
metadata = models.TextField(_('Metadata (XML)'), blank=True) |
|
59 |
metadata = models.TextField(_('Metadata (XML)'), blank=True, validators=[validate_metadata])
|
|
43 | 60 | |
44 | 61 |
provision = models.BooleanField(_('Create user if their username does not already exists'), default=True) |
45 | 62 |
verify_ssl_certificate = models.BooleanField( |
tests/test_manager_authenticators.py | ||
---|---|---|
481 | 481 |
assert 'Metadata HTTP timeout' in resp.text |
482 | 482 | |
483 | 483 | |
484 |
def test_authenticators_saml_validate_metadata(app, superuser): |
|
485 |
authenticator = SAMLAuthenticator.objects.create(slug='idp1') |
|
486 | ||
487 |
resp = login(app, superuser) |
|
488 |
resp = app.get('/manage/authenticators/%s/edit/' % authenticator.pk) |
|
489 |
resp.form['metadata'] = 'invalid' |
|
490 | ||
491 |
resp.form['metadata'] = '<a/>' |
|
492 |
resp = resp.form.submit() |
|
493 |
assert 'Invalid metadata, missing tag {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor' in resp.text |
|
494 | ||
495 |
resp.form[ |
|
496 |
'metadata' |
|
497 |
] = '<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"></ns0:EntityDescriptor>' |
|
498 |
resp = resp.form.submit() |
|
499 |
assert 'Invalid metadata, missing entityID' in resp.text |
|
500 | ||
501 |
resp.form['metadata'] = ( |
|
502 |
'<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"' |
|
503 |
' entityID="https://example.com"></ns0:EntityDescriptor>' |
|
504 |
) |
|
505 |
resp.form.submit(status=302) |
|
506 | ||
507 | ||
484 | 508 |
def test_authenticators_saml_missing_signing_key(app, superuser, settings): |
485 | 509 |
authenticator = SAMLAuthenticator.objects.create(slug='idp1') |
486 | 510 | |
487 |
- |