openstack/deb-python-pysaml2
Code Issues Proposed changes

Verify HTTP-redirect signed message.

Browse Source
This commit is contained in:
Roland Hedberg
2013-02-27 13:16:30 +01:00
parent c9f2487af0
commit 924d200c73
1 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
example/idp2/idp.py
View File

@@ -28,6 +28,7 @@ from saml2.ident import Unknown
from saml2.s_utils import rndstr, UnknownPrincipal, UnsupportedBinding from saml2.s_utils import rndstr, UnknownPrincipal, UnsupportedBinding
from saml2.s_utils import PolicyError from saml2.s_utils import PolicyError
from saml2.saml import AUTHN_PASSWORD from saml2.saml import AUTHN_PASSWORD
from saml2.sigver import verify_redirect_signature
logger = logging.getLogger("saml2.idp") logger = logging.getLogger("saml2.idp")
@@ -194,6 +195,7 @@ class SSO(Service):
self.resp_args = {} self.resp_args = {}
self.binding_out = None self.binding_out = None
self.destination = None self.destination = None
self.req_info = None
def verify(self, query, binding): def verify(self, query, binding):
""" """
@@ -205,9 +207,11 @@ class SSO(Service):
resp = Unauthorized('Unknown user') resp = Unauthorized('Unknown user')
return resp(self.environ, self.start_response) return resp(self.environ, self.start_response)
req_info = IDP.parse_authn_request(query, binding) if not self.req_info:
self.req_info = IDP.parse_authn_request(query, binding)
logger.info("parsed OK") logger.info("parsed OK")
_authn_req = req_info.message _authn_req = self.req_info.message
logger.debug("%s" % _authn_req) logger.debug("%s" % _authn_req)
self.binding_out, self.destination = IDP.pick_binding( self.binding_out, self.destination = IDP.pick_binding(
@@ -284,11 +288,25 @@ class SSO(Service):
def redirect(self): def redirect(self):
""" This is the HTTP-redirect endpoint """ """ This is the HTTP-redirect endpoint """
logger.info("--- In SSO Redirect ---") logger.info("--- In SSO Redirect ---")
_resp = self._authn(self.unpack_redirect()) _info = self._authn(self.unpack_redirect())
if isinstance(_resp, basestring): if isinstance(_info, basestring):
return self.not_authn(_resp) return self.not_authn(_info)
return self.operation(_resp, BINDING_HTTP_REDIRECT) if "SigAlg" in _info and "Signature" in _info: # Signed request
self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
BINDING_HTTP_REDIRECT)
issuer = self.req_info.message.issuer.text
_certs = IDP.metadata.certs(issuer, "any", "signing")
verified_ok = False
for cert in _certs:
if verify_redirect_signature(_info, cert):
verified_ok = True
break
if not verified_ok:
resp = BadRequest("Message signature verification failure")
return resp(self.environ, self.start_response)
return self.operation(_info, BINDING_HTTP_REDIRECT)
def post(self): def post(self):
""" """