From a7d81a7eee1a37b808ad94c8e3eb49b08e1ac1e8 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 4 Apr 2019 19:00:26 +0200
Subject: [PATCH] saml: use RSA-SHA256 signature method (#32011)

---
 src/authentic2/idp/saml/app_settings.py | 1 +
 src/authentic2/saml/common.py | 7 +++++++
 tests/test_idp_saml2.py | 9 +++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/idp/saml/app_settings.py b/src/authentic2/idp/saml/app_settings.py
index 63a1c865..f32c3947 100644
--- a/src/authentic2/idp/saml/app_settings.py
+++ b/src/authentic2/idp/saml/app_settings.py
@@ -51,6 +51,7 @@ wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
 TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 -----END RSA PRIVATE KEY-----''',
 ADD_CERTIFICATE_TO_KEY_INFO=True,
+ SIGNATURE_METHOD='RSA-SHA256',
 )
 def __init__(self, prefix):
diff --git a/src/authentic2/saml/common.py b/src/authentic2/saml/common.py
index 47f5a3a9..8846b0ca 100644
--- a/src/authentic2/saml/common.py
+++ b/src/authentic2/saml/common.py
@@ -113,6 +113,13 @@ def create_saml2_server(request, metadata, idp_map=None, sp_map=None,
 get_saml2_metadata(request, metadata, idp_map=idp_map, sp_map=sp_map, options=options),
 options.get('private_key'),
 certificate_content=certificate_content)
+ if app_settings.SIGNATURE_METHOD:
+ signature_method = app_settings.SIGNATURE_METHOD
+ symbol_name = 'SIGNATURE_METHOD_' + signature_method.replace('-', '_').upper()
+ if hasattr(lasso, symbol_name):
+ server.signatureMethod = getattr(lasso, symbol_name)
+ else:
+ logger.warning('idp_saml: unable to set signature method %s', signature_method)
 if not server:
 raise Exception('Cannot create LassoServer object')
 return server
diff --git a/tests/test_idp_saml2.py b/tests/test_idp_saml2.py
index 59c89af1..8e84d9af 100644
--- a/tests/test_idp_saml2.py
+++ b/tests/test_idp_saml2.py
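Review bot: The new `SIGNATURE_METHOD` default is a free-form string with nothing on the setting line saying what values are accepted; elsewhere in this patch it is resolved by name against the lasso module, so a value that maps to no lasso constant is only reported at runtime. A short comment next to the setting would save the next reader that lookup, e.g. `# resolved at server creation to lasso.SIGNATURE_METHOD_<NAME> ('-' becomes '_'), e.g. 'RSA-SHA256'; unknown names are only logged and the lasso default is kept`. The enclosing settings block starts before this hunk.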
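Review bot: The added block dereferences `server` before the existing `if not server:` guard, so when the constructor call above returns a falsy value (the case that guard was written for) the function fails with an AttributeError on `server.signatureMethod` instead of the intended 'Cannot create LassoServer object' exception; move the seven added lines below that guard. Separately, an unrecognised `SIGNATURE_METHOD` only logs a warning and leaves whatever signature method lasso defaults to, so a typo in configuration silently downgrades the signing algorithm; since the default set in this same patch is `'RSA-SHA256'`, consider raising (e.g. `django.core.exceptions.ImproperlyConfigured`) rather than warning. The body of `create_saml2_server` starts before this hunk, and `app_settings` and `logger` are assumed to already be in scope in this module.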
@@ -72,6 +72,7 @@ class SamlBaseTestCase(Authentic2TestCase):
 sp_meta = self.get_sp_metadata(base_url=base_url)
 idp_meta = self.get_idp_metadata()
 server = lasso.Server.newFromBuffers(sp_meta)
+ server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
 server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp_meta)
 return server
@@ -213,6 +214,8 @@ class SamlBaseTestCase(Authentic2TestCase):
 url_parsed = urlparse.urlparse(login.msgUrl)
 self.assertEqual(url_parsed.path, reverse('a2-idp-saml-sso'), 'msgUrl should target the sso endpoint')
+ if sign:
+ assert 'rsa-sha256' in login.msgUrl
 return login.msgUrl, login.msgBody, request.id
 def parse_authn_response(self, saml_response):
@@ -291,10 +294,11 @@ class SamlSSOTestCase(SamlBaseTestCase):
 self.assertIn('SAMLResponse', doc.forms[0].fields)
 saml_response = doc.forms[0].fields['SAMLResponse']
 try:
- base64.b64decode(saml_response)
+ decoded_saml_response = base64.b64decode(saml_response)
 except TypeError:
 self.fail('SAMLResponse is not base64 encoded: %s' % saml_response)
+ assert b'rsa-sha256' in decoded_saml_response
 with self.assertRaises(lasso.ProfileRequestDeniedError):
 assertion = self.parse_authn_response(saml_response)
 elif not authorized_service:
@@ -335,9 +339,10 @@ class SamlSSOTestCase(SamlBaseTestCase):
 self.assertIn('SAMLResponse', doc.forms[0].fields)
 saml_response = doc.forms[0].fields['SAMLResponse']
 try:
- base64.b64decode(saml_response)
+ decoded_saml_response = base64.b64decode(saml_response)
 except TypeError:
 self.fail('SAMLResponse is not base64 encoded: %s' % saml_response)
+ assert b'rsa-sha256' in decoded_saml_response
 login = self.parse_authn_response(saml_response)
 assertion = login.assertion
 session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter
-- 
2.20.1
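Review bot: The new checks in the `@@ -213` hunk and in the `@@ -291` and `@@ -335` hunks use bare `assert` while the surrounding lines use the unittest style (`self.assertIn`, `self.assertEqual`); for consistency and a readable failure message prefer `self.assertIn('rsa-sha256', login.msgUrl)` and `self.assertIn(b'rsa-sha256', decoded_saml_response)`. The substring check only shows that the algorithm URI appears somewhere in the response, not that the signature verifies with it; in the `@@ -335` hunk that is presumably covered by the `parse_authn_response` call on the next line, whereas in the `@@ -291` hunk the response is expected to be denied, so the substring test is the only signature-related check there. The enclosing test methods start before each of these hunks.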