saml: use RSA-SHA256 signature method (#32011)

2019-04-04 19:00:26 +02:00 · 2019-04-04 19:00:26 +02:00 · 8d91ba556c
parent 2864f57af9
commit 8d91ba556c
3 changed files with 15 additions and 2 deletions
--- a/src/authentic2/idp/saml/app_settings.py
+++ b/src/authentic2/idp/saml/app_settings.py
@ -51,6 +51,7 @@ wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
 TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 -----END RSA PRIVATE KEY-----''',
            ADD_CERTIFICATE_TO_KEY_INFO=True,
+            SIGNATURE_METHOD='RSA-SHA256',
    )

    def __init__(self, prefix):
--- a/src/authentic2/saml/common.py
+++ b/src/authentic2/saml/common.py
@ -113,6 +113,13 @@ def create_saml2_server(request, metadata, idp_map=None, sp_map=None,
        get_saml2_metadata(request, metadata, idp_map=idp_map, sp_map=sp_map,
                           options=options),
        options.get('private_key'), certificate_content=certificate_content)
+    if app_settings.SIGNATURE_METHOD:
+            signature_method = app_settings.SIGNATURE_METHOD
+            symbol_name = 'SIGNATURE_METHOD_' + signature_method.replace('-', '_').upper()
+            if hasattr(lasso, symbol_name):
+                server.signatureMethod = getattr(lasso, symbol_name)
+            else:
+                logger.warning('idp_saml: unable to set signature method %s', signature_method)
    if not server:
        raise Exception('Cannot create LassoServer object')
    return server
--- a/tests/test_idp_saml2.py
+++ b/tests/test_idp_saml2.py
@ -72,6 +72,7 @@ class SamlBaseTestCase(Authentic2TestCase):
        sp_meta = self.get_sp_metadata(base_url=base_url)
        idp_meta = self.get_idp_metadata()
        server = lasso.Server.newFromBuffers(sp_meta)
+        server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
        server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp_meta)
        return server

@ -213,6 +214,8 @@ class SamlBaseTestCase(Authentic2TestCase):
        url_parsed = urlparse.urlparse(login.msgUrl)
        self.assertEqual(url_parsed.path, reverse('a2-idp-saml-sso'),
                         'msgUrl should target the sso endpoint')
+        if sign:
+            assert 'rsa-sha256' in login.msgUrl
        return login.msgUrl, login.msgBody, request.id

    def parse_authn_response(self, saml_response):
@ -291,10 +294,11 @@ class SamlSSOTestCase(SamlBaseTestCase):
            self.assertIn('SAMLResponse', doc.forms[0].fields)
            saml_response = doc.forms[0].fields['SAMLResponse']
            try:
-                base64.b64decode(saml_response)
+                decoded_saml_response = base64.b64decode(saml_response)
            except TypeError:
                self.fail('SAMLResponse is not base64 encoded: %s'
                          % saml_response)
+            assert b'rsa-sha256' in decoded_saml_response
            with self.assertRaises(lasso.ProfileRequestDeniedError):
                assertion = self.parse_authn_response(saml_response)
        elif not authorized_service:
@ -335,9 +339,10 @@ class SamlSSOTestCase(SamlBaseTestCase):
            self.assertIn('SAMLResponse', doc.forms[0].fields)
            saml_response = doc.forms[0].fields['SAMLResponse']
            try:
-                base64.b64decode(saml_response)
+                decoded_saml_response = base64.b64decode(saml_response)
            except TypeError:
                self.fail('SAMLResponse is not base64 encoded: %s' % saml_response)
+            assert b'rsa-sha256' in decoded_saml_response
            login = self.parse_authn_response(saml_response)
            assertion = login.assertion
            session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter