Merge branch 'knaperek-master' into user-fetching-customization

Author: mhindery

.github/workflows/python-package.yml

@@ -5,7 +5,7 @@ name: Python package
 
 on:
   push:
-    branches: [ master, user-fetching-customization ]
+    branches: [ master ]
   pull_request:
     branches: [ master ]
 

.gitignore

@@ -12,3 +12,5 @@ venv
 tags
 .idea/
 .vscode/
+build/
+dist/

README.rst

@@ -113,6 +113,24 @@ If you want to allow several authentication mechanisms in your project
 you should set the LOGIN_URL option to another view and put a link in such
 view to the ``/saml2/login/`` view.
 
+Handling Post-Login Redirects
+-----------------------------
+It is often desireable for the client to maintain the URL state (or at least manage it) so that
+the URL once authentication has completed is consistent with the desired application state (such
+as retaining query parameters, etc.)  By default, the HttpRequest objects get_host() method is used
+to determine the hostname of the server, and redirect URL's are allowed so long as the destination
+host matches the output of get_host().  However, in some cases it becomes desireable for additional
+hostnames to be used for the post-login redirect.  In such cases, the setting::
+
+  SAML_ALLOWED_HOSTS = []
+  
+May be set to a list of allowed post-login redirect hostnames (note, the URL components beyond the hostname
+may be specified by the client - typically with the ?next= parameter.) 
+
+In the absence of a ?next= parameter, the LOGIN_REDIRECT_URL setting will be used (assuming the destination hostname 
+either matches the output of get_host() or is included in the SAML_ALLOWED_HOSTS setting)
+
+
 Preferred Logout binding
 ------------------------
 Use the following setting to choose your preferred binding for SP initiated logout requests::
@@ -206,6 +224,7 @@ We will see a typical configuration for protecting a Django project::
             'optional_attributes': ['eduPersonAffiliation'],
 
             # in this section the list of IdPs we talk to are defined
+            # This is not mandatory! All the IdP available in the metadata will be considered.
             'idp': {
                 # we do not need a WAYF service since there is
                 # only an IdP defined here. This IdP should be
@@ -320,7 +339,7 @@ Custom error handler
 
 When an error occurs during the authentication flow, djangosaml2 will render
 a simple error page with an error message and status code. You can customize
-this behaviour by specifying the path to your own error handler in the settings:
+this behaviour by specifying the path to your own error handler in the settings::
 
   SAML_ACS_FAILURE_RESPONSE_FUNCTION = 'python.path.to.your.view'
 
@@ -377,10 +396,12 @@ can set in the settings.py file::
 
 This setting is True by default.
 
+The following setting lets you specify a URL for redirection after a successful
+authentication::
+
   ACS_DEFAULT_REDIRECT_URL = reverse_lazy('some_url_name')
 
-This setting lets you specify a URL for redirection after a successful
-authentication. Particularly useful when you only plan to use
+Particularly useful when you only plan to use
 IdP initiated login and the IdP does not have a configured RelayState
 parameter. The default is ``/``.
 

djangosaml2/tests/__init__.py

@@ -16,9 +16,11 @@
 
 import base64
 import datetime
+import mock
 import re
 import sys
-from unittest import mock, skip
+
+from unittest import skip
 
 from django.conf import settings
 from django.contrib.auth import SESSION_KEY, get_user_model
@@ -35,6 +37,7 @@
 from djangosaml2.conf import get_config
 from djangosaml2.signals import post_authenticated
 from djangosaml2.tests import conf
+from djangosaml2.tests.utils import SAMLPostFormParser
 from djangosaml2.tests.auth_response import auth_response
 from djangosaml2.views import finish_logout
 
@@ -106,6 +109,35 @@ def render_template(self, text):
     def b64_for_post(self, xml_text, encoding='utf-8'):
         return base64.b64encode(xml_text.encode(encoding)).decode('ascii')
 
+    def test_unsigned_post_authn_request(self):
+        """
+        Test that unsigned authentication requests via POST binding
+        does not error.
+
+        https://github.com/knaperek/djangosaml2/issues/168
+        """
+        settings.SAML_CONFIG = conf.create_conf(
+            sp_host='sp.example.com',
+            idp_hosts=['idp.example.com'],
+            metadata_file='remote_metadata_post_binding.xml',
+            authn_requests_signed=False
+        )
+        response = self.client.get(reverse('saml2_login'))
+
+        self.assertEqual(response.status_code, 200)
+
+        # Using POST-binding returns a page with form containing the SAMLRequest
+        response_parser = SAMLPostFormParser()
+        response_parser.feed(response.content.decode('utf-8'))
+        saml_request = response_parser.saml_request_value
+        expected_request = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
+
+        self.assertIsNotNone(saml_request)
+        self.assertSAMLRequestsEquals(
+            base64.b64decode(saml_request).decode('utf-8'),
+            expected_request
+        )
+
     def test_login_evil_redirect(self):
         """
         Make sure that if we give an URL other than our own host as the next

djangosaml2/tests/conf.py

@@ -19,7 +19,7 @@
 
 
 def create_conf(sp_host='sp.example.com', idp_hosts=['idp.example.com'],
-                metadata_file='remote_metadata.xml'):
+                metadata_file='remote_metadata.xml', authn_requests_signed=None):
 
     try:
         from saml2.sigver import get_xmlsec_binary
@@ -90,6 +90,9 @@ def create_conf(sp_host='sp.example.com', idp_hosts=['idp.example.com'],
         'valid_for': 24,
         }
 
+    if authn_requests_signed is not None:
+        config['service']['sp']['authn_requests_signed'] = authn_requests_signed
+
     for idp in idp_hosts:
         entity_id = 'https://%s/simplesaml/saml2/idp/metadata.php' % idp
         config['service']['sp']['idp'][entity_id] = {

djangosaml2/tests/remote_metadata_post_binding.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <md:EntityDescriptor entityID="https://idp.example.com/simplesaml/saml2/idp/metadata.php">
+    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <md:KeyDescriptor use="signing">
+        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+          <ds:X509Data>
+            <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:KeyDescriptor use="encryption">
+        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+          <ds:X509Data>
+            <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
+      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/simplesaml/saml2/idp/SSOService.php"/>
+    </md:IDPSSODescriptor>
+    <md:Organization>
+      <md:OrganizationName xml:lang="en">Lorenzo's test IdP</md:OrganizationName>
+      <md:OrganizationDisplayName xml:lang="en">idp.example.com IdP</md:OrganizationDisplayName>
+      <md:OrganizationURL xml:lang="en">http://idp.example.com/</md:OrganizationURL>
+    </md:Organization>
+    <md:ContactPerson contactType="technical">
+      <md:SurName>Administrator</md:SurName>
+      <md:EmailAddress>lgs@yaco.es</md:EmailAddress>
+    </md:ContactPerson>
+  </md:EntityDescriptor>
+</md:EntitiesDescriptor>

djangosaml2/tests/utils.py

@@ -0,0 +1,16 @@
+from html.parser import HTMLParser
+
+
+class SAMLPostFormParser(HTMLParser):
+    """
+    Parses the SAML Post binding form page for the SAMLRequest value.
+    """
+
+    saml_request_value = None
+
+    def handle_starttag(self, tag, attrs):
+        attrs_dict = dict(attrs)
+
+        if tag != "input" or attrs_dict.get("name") != "SAMLRequest":
+            return
+        self.saml_request_value = attrs_dict.get("value")

djangosaml2/views.py

@@ -44,6 +44,7 @@
 )
 from saml2.mdstore import SourceNotFound
 from saml2.sigver import MissingKey
+from saml2.samlp import AuthnRequest
 from saml2.validate import ResponseLifetimeExceed, ToEarly
 from saml2.xmldsig import (  # support for SHA1 is required by spec
     SIG_RSA_SHA1, SIG_RSA_SHA256)
@@ -105,9 +106,16 @@ def login(request,
         came_from = settings.LOGIN_REDIRECT_URL
 
     # Ensure the user-originating redirection url is safe.
-    if not is_safe_url(url=came_from, allowed_hosts={request.get_host()}):
+    # By setting SAML_ALLOWED_HOSTS in settings.py the user may provide a list of "allowed"
+    # hostnames for post-login redirects, much like one would specify ALLOWED_HOSTS .
+    # If this setting is absent, the default is to use the hostname that was used for the current
+    # request.
+    saml_allowed_hosts = set(getattr(settings, 'SAML_ALLOWED_HOSTS', [request.get_host()]))
+
+    if not is_safe_url(url=came_from, allowed_hosts=saml_allowed_hosts):
         came_from = settings.LOGIN_REDIRECT_URL
 
+
     # if the user is already authenticated that maybe because of two reasons:
     # A) He has this URL in two browser windows and in the other one he
     #    has already initiated the authenticated session.
@@ -221,6 +229,9 @@ def login(request,
                 binding=binding,
                 **kwargs)
             try:
+                if isinstance(request_xml, AuthnRequest):
+                    # request_xml will be an instance of AuthnRequest if the message is not signed
+                    request_xml = str(request_xml)
                 saml_request = base64.b64encode(bytes(request_xml, 'UTF-8')).decode('utf-8')
 
                 http_response = render(request, post_binding_form_template, {
@@ -348,7 +359,15 @@ def assertion_consumer_service(request,
     if not relay_state:
         logger.warning('The RelayState parameter exists but is empty')
         relay_state = default_relay_state
-    if not is_safe_url(url=relay_state, allowed_hosts={request.get_host()}):
+    
+    # Ensure the user-originating redirection url is safe.
+    # By setting SAML_ALLOWED_HOSTS in settings.py the user may provide a list of "allowed"
+    # hostnames for post-login redirects, much like one would specify ALLOWED_HOSTS .
+    # If this setting is absent, the default is to use the hostname that was used for the current
+    # request.
+    saml_allowed_hosts = set(getattr(settings, 'SAML_ALLOWED_HOSTS', [request.get_host()]))
+    
+    if not is_safe_url(url=relay_state, allowed_hosts=saml_allowed_hosts):
         relay_state = settings.LOGIN_REDIRECT_URL
     logger.debug('Redirecting to the RelayState: %s', relay_state)
     return HttpResponseRedirect(relay_state)

setup.py

@@ -60,7 +60,7 @@ def read(*rnames):
     install_requires=[
         'defusedxml>=0.4.1',
         'Django>=2.2',
-        'pysaml2>=4.6.0',
+        'pysaml2>=5.0.0',
         ],
     tests_require=[
         # Provides assert_called_once.