Skip to content

Ensure signature checking for SAML Responses is enabled by default #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Oct 11, 2017
Merged

Ensure signature checking for SAML Responses is enabled by default #439

merged 10 commits into from
Oct 11, 2017

Conversation

jkakavas
Copy link
Member

@jkakavas jkakavas commented Aug 1, 2017

Make sure that all Service Provider deployments based on pysaml2 are protected from SAML signature exclusion attacks by default.
Fixes #424

@jkakavas
Copy link
Member Author

jkakavas commented Aug 1, 2017 via email

johanlundberg
johanlundberg requested changes Aug 1, 2017
View reviewed changes
Copy link
Contributor

@johanlundberg johanlundberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are several tests failing on SignatureError: Signature missing for response. I guess that is expected but the tests needs to be updated.

Ioannis Kakavas added 2 commits August 1, 2017 15:24
Revert this change as it is not required
f58330e
Updated tests to work with new default signing requirements
303efd9 
Explicitly allow unsigned responses in tests where we do not
sign them.
@jkakavas jkakavas mentioned this pull request Aug 1, 2017
Merged
c00kiemon5ter
c00kiemon5ter requested changes Aug 2, 2017
View reviewed changes
src/saml2/client_base.py Outdated
@@ -108,17 +108,28 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
else:
self.state = state_cache

# Handle values which are False by default
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this shouts for a refactor. What we want to achieve is use the configuration-provided values and if they are not set, use the default values. However, this piece of code does the exact opposite - it sets the defaults, then looks up the configuration-provided values. It also never mentions default or configuration which makes it harder to reason about. Lets fix this.

diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index 531ddea..e3b7134 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -113,17 +113,25 @@ class Base(Entity):
         else:
             self.state = state_cache
 
-        self.logout_requests_signed = False
-        self.allow_unsolicited = False
-        self.authn_requests_signed = False
-        self.want_assertions_signed = False
-        self.want_response_signed = False
-        for foo in ["allow_unsolicited", "authn_requests_signed",
-                    "logout_requests_signed", "want_assertions_signed",
-                    "want_response_signed"]:
-            v = self.config.getattr(foo, "sp")
-            if v is True or v == 'true':
-                setattr(self, foo, True)
+        attribute_defaults = {
+            "logout_requests_signed": False,
+            "allow_unsolicited": False,
+            "authn_requests_signed": False,
+            "want_assertions_signed": False,
+            "want_response_signed": True,
+        }
+
+        for attr, val_default in attribute_defaults:
+            val_config = self.config.getattr(attr, "sp")
+            if val_config is None:
+                val = val_default
+            else:
+                val = val_config
+
+            if val == 'true':
+                val = True
+
+            setattr(self, attr, val)
 
         self.artifact2response = {}

tests/test_63_ecp.py Outdated
@@ -92,7 +92,7 @@ def test_complete_flow():
entity_id=sp_entity_id)

resp = idp.create_ecp_authn_request_response(
destination, {"eduPersonEntitlement": "Short stop",
destination,{"eduPersonEntitlement": "Short stop",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we restore this whitespace? Formatting is already ugly in the source files, lets try to fix it by each new commit.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aye

@rohe
Copy link
Contributor

rohe commented Sep 28, 2017

I fixed a conflict and then one test fails. Could you fix @jkakavas ?

@jkakavas
Copy link
Member Author

@rohe at your service!

@rohe rohe merged commit 46d24f6 into IdentityPython:master Oct 11, 2017
@c00kiemon5ter c00kiemon5ter mentioned this pull request Oct 28, 2017
Closed
This was referenced Feb 12, 2018
Merged
Closed
c00kiemon5ter added a commit that referenced this pull request Feb 12, 2018
@c00kiemon5ter
Merge pull request #491 from c00kiemon5ter/fix-example-sp
34e4b41 
Fix example sp

This fixes #490 by fixing wsgiserver import and the Signature missing for response error by not requesting a signature. Not requesting a signature was the default behaviour prior to v4.5.0 – more details on #424, #439 and #470.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c00kiemon5ter c00kiemon5ter c00kiemon5ter approved these changes

@johanlundberg johanlundberg johanlundberg approved these changes

@rohe rohe Awaiting requested review from rohe

@skoranda skoranda Awaiting requested review from skoranda

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jkakavas @rohe @c00kiemon5ter @johanlundberg