idp/saml2: do not accept logout request missing a NameID (fixes #24214)

Lasso should fail in the process_logout_request(), it does not, we handle it here.
2018-06-01 11:53:24 +02:00 · 2018-06-01 11:53:24 +02:00 · 038697aae9
parent 700786714f
commit 038697aae9
2 changed files with 7 additions and 0 deletions
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@ -1410,6 +1410,10 @@ def slo(request):
            title=_('You are being redirected to "%s"') % provider.name)
    logger.info('asynchronous slo from %s' % logout.remoteProviderId)
    # Filter sessions
+    if not logout.request.nameId:
+        logger.warning('slo refused, no NameID in the SLO request')
+        return return_logout_error(request, logout,
+                AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
    all_sessions = LibertySession.get_for_nameid_and_session_indexes(
            logout.server.providerId, logout.remoteProviderId,
            logout.request.nameId, logout.request.sessionIndexes)
--- a/src/authentic2/saml/models.py
+++ b/src/authentic2/saml/models.py
@ -555,6 +555,9 @@ class LibertySession(models.Model):

    @classmethod
    def get_for_nameid_and_session_indexes(cls, issuer_id, provider_id, name_id, session_indexes):
+        if not name_id:
+            # logout request did not contain any NameID, bad !
+            return LibertySession.objects.none()
        kwargs = nameid2kwargs(name_id)
        name_id_qualifier = kwargs['name_id_qualifier']
        qs = LibertySession.objects.filter(provider_id=provider_id,