import lasso-2.6.0-8.el8
This commit is contained in:
parent
8637b99481
commit
c64a9babf0
@ -0,0 +1,99 @@
|
|||||||
|
From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||||
|
Date: Fri, 28 Jun 2019 02:36:19 +0300
|
||||||
|
Subject: [PATCH] PAOS: Do not populate "Destination" attribute
|
||||||
|
|
||||||
|
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
|
||||||
|
populates an AuthnRequest with the "Destination" attribute set to
|
||||||
|
AssertionConsumerURL of an SP - this leads to IdP-side errors because
|
||||||
|
the destination attribute in the request does not match the IdP URL.
|
||||||
|
|
||||||
|
The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
|
||||||
|
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
|
||||||
|
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
|
||||||
|
avoid setting that optional attribute because an ECP decides which IdP
|
||||||
|
to use, not the SP.
|
||||||
|
|
||||||
|
Fixes Bug: 34409
|
||||||
|
License: MIT
|
||||||
|
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||||
|
---
|
||||||
|
lasso/saml-2.0/login.c | 18 +++++++++---------
|
||||||
|
lasso/saml-2.0/profile.c | 10 +++++++++-
|
||||||
|
2 files changed, 18 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
||||||
|
index 6e8f7553..0d4bb1da 100644
|
||||||
|
--- a/lasso/saml-2.0/login.c
|
||||||
|
+++ b/lasso/saml-2.0/login.c
|
||||||
|
@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) {
|
||||||
|
gint
|
||||||
|
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
||||||
|
{
|
||||||
|
- char *url = NULL;
|
||||||
|
+ char *assertionConsumerServiceURL = NULL;
|
||||||
|
gboolean must_sign = TRUE;
|
||||||
|
LassoProfile *profile;
|
||||||
|
LassoSamlp2AuthnRequest *authn_request;
|
||||||
|
@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* PAOS is special, the url passed to build_request is the
|
||||||
|
* AssertionConsumerServiceURL of this SP, not the
|
||||||
|
- * destination.
|
||||||
|
+ * destination IdP URL. This is done to fill paos:responseConsumerURL
|
||||||
|
+ * appropriately down the line in build_request_msg.
|
||||||
|
+ * See https://dev.entrouvert.org/issues/34409 for more information.
|
||||||
|
*/
|
||||||
|
if (authn_request->AssertionConsumerServiceURL) {
|
||||||
|
- url = authn_request->AssertionConsumerServiceURL;
|
||||||
|
+ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
|
||||||
|
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
|
||||||
|
- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
||||||
|
+ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
||||||
|
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
||||||
|
+ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
||||||
|
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
|
||||||
|
- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
|
||||||
|
+ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
|
||||||
|
- login->http_method, url));
|
||||||
|
+ login->http_method, assertionConsumerServiceURL));
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
return rc;
|
||||||
|
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
|
||||||
|
index 22a4e08c..85f535ae 100644
|
||||||
|
--- a/lasso/saml-2.0/profile.c
|
||||||
|
+++ b/lasso/saml-2.0/profile.c
|
||||||
|
@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic
|
||||||
|
made_url = url = get_url(provider, service, http_method_to_binding(method));
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (url) {
|
||||||
|
+
|
||||||
|
+ // Usage of the Destination attribute on a request is mandated only
|
||||||
|
+ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
|
||||||
|
+ // and is marked as optional in the XSD schema otherwise.
|
||||||
|
+ // PAOS is a special case because an SP does not select an IdP - ECP does
|
||||||
|
+ // it instead. Therefore, this attribute needs to be left unpopulated.
|
||||||
|
+ if (method == LASSO_HTTP_METHOD_PAOS) {
|
||||||
|
+ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
|
||||||
|
+ } else if (url) {
|
||||||
|
lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
|
||||||
|
url);
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -58,7 +58,7 @@
|
|||||||
Summary: Liberty Alliance Single Sign On
|
Summary: Liberty Alliance Single Sign On
|
||||||
Name: lasso
|
Name: lasso
|
||||||
Version: 2.6.0
|
Version: 2.6.0
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
||||||
@ -69,6 +69,7 @@ Patch3: duplicate-python-LogoutTestCase.patch
|
|||||||
Patch4: versioned-python-configure.patch
|
Patch4: versioned-python-configure.patch
|
||||||
Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch
|
Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch
|
||||||
Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
|
Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
|
||||||
|
Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch
|
||||||
|
|
||||||
BuildRequires: libtool autoconf automake
|
BuildRequires: libtool autoconf automake
|
||||||
|
|
||||||
@ -203,6 +204,7 @@ library.
|
|||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
|
||||||
# Remove any python script shebang lines (unless they refer to python3)
|
# Remove any python script shebang lines (unless they refer to python3)
|
||||||
sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
|
sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
|
||||||
@ -320,6 +322,12 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-8
|
||||||
|
- Resolves: rhbz#1730018 - lasso includes "Destination" attribute in SAML
|
||||||
|
AuthnRequest populated with SP
|
||||||
|
AssertionConsumerServiceURL when ECP workflow
|
||||||
|
is used which leads to IdP-side errors
|
||||||
|
|
||||||
* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-7
|
* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-7
|
||||||
- Resolves: rhbz#1634268 - ECP signature check fails with
|
- Resolves: rhbz#1634268 - ECP signature check fails with
|
||||||
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when
|
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when
|
||||||
|
Loading…
Reference in New Issue
Block a user