From 8e151de7218c5fa1ce9c03cf30a275300ac8d326 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 3 Aug 2021 16:38:02 +0200
Subject: [PATCH 1/2] views: handle a nonce parameter on login view (#55953)

---
 mellon/views.py | 10 ++++++++++
 tests/test_sso_slo.py | 7 +++++++
 2 files changed, 17 insertions(+)

diff --git a/mellon/views.py b/mellon/views.py
index a22be3d..f836c74 100644
--- a/mellon/views.py
+++ b/mellon/views.py
@@ -109,6 +109,9 @@ class ProfileMixin(object):
         return self.set_state('next_url', next_url)
+    def set_nonce(self, nonce):
+        self.set_state('nonce', nonce)
+
     def set_state(self, name, value):
         assert self.profile
         relay_state = self.get_relay_state(create=True)
@@ -135,6 +138,9 @@ class ProfileMixin(object):
     def get_next_url(self, default=None):
         return self.get_state('next_url', default=default)
+    def get_nonce(self):
+        return self.get_state('nonce')
+
     def show_message_status_is_not_success(self, profile, prefix):
         status_codes, idp_message = utils.get_status_codes_and_message(profile)
         args = ['%s: status is not success codes: %r', prefix, status_codes]
@@ -251,6 +257,7 @@ class LoginView(ProfileMixin, LogMixin, View):
             if content is not None:
                 values.append(content)
         attributes['issuer'] = login.remoteProviderId
+        attributes['nonce'] = self.get_nonce()
         if login.nameIdentifier:
             name_id = login.nameIdentifier
             name_id_format = force_text(name_id.format or lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED)
@@ -491,6 +498,9 @@ class LoginView(ProfileMixin, LogMixin, View):
         policy.allowCreate = utils.get_setting(idp, 'NAME_ID_POLICY_ALLOW_CREATE')
         policy.format = utils.get_setting(idp, 'NAME_ID_POLICY_FORMAT')
         force_authn = utils.get_setting(idp, 'FORCE_AUTHN')
+        # link the nonce to the request-id
+        if 'nonce' in request.GET:
+            self.set_nonce(request.GET['nonce'][:128])
         if force_authn:
             authn_request.forceAuthn = True
         if request.GET.get('passive') == '1':
diff --git a/tests/test_sso_slo.py b/tests/test_sso_slo.py
index f9ec6b1..ee51076 100644
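Review bot: The nonce read from `request.GET['nonce'][:128]` in the `@@ -491` hunk is caller-controlled input that is only length-capped, with no character-set check, and it is later read back into `attributes['nonce']` via `get_nonce()` in the `@@ -251` hunk, so whatever consumes those attributes must treat it as opaque, untrusted data; the comment should say that instead of "link the nonce to the request-id", e.g. `# caller-supplied and untrusted: length-capped to 128 chars, stored opaquely in the relay state and handed back later as attributes['nonce']`. As written, `128` is an unexplained constant. `'nonce' in request.GET` also accepts `?nonce=` and stores an empty string, which then surfaces as `attributes['nonce'] == ''` rather than `None`; `if request.GET.get('nonce'):` would avoid storing an empty value. The new `set_nonce`/`get_nonce` helpers in the `@@ -109` and `@@ -135` hunks have no docstrings; a one-liner such as `"""Keep the login nonce in the relay state so get_nonce() can read it back, presumably once the IdP response is processed."""` would do. All four hunks sit inside methods whose start and end lie outside the hunk.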
--- a/tests/test_sso_slo.py
+++ b/tests/test_sso_slo.py
@@ -732,3 +732,10 @@ def test_debug_sso(db, app, idp, caplog, sp_settings, settings):
     assert '