import lasso-2.6.0-8.el8
This commit is contained in:
parent
8637b99481
commit
c64a9babf0
@ -0,0 +1,99 @@
|
||||
From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||
Date: Fri, 28 Jun 2019 02:36:19 +0300
|
||||
Subject: [PATCH] PAOS: Do not populate "Destination" attribute
|
||||
|
||||
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
|
||||
populates an AuthnRequest with the "Destination" attribute set to
|
||||
AssertionConsumerURL of an SP - this leads to IdP-side errors because
|
||||
the destination attribute in the request does not match the IdP URL.
|
||||
|
||||
The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
|
||||
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
|
||||
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
|
||||
avoid setting that optional attribute because an ECP decides which IdP
|
||||
to use, not the SP.
|
||||
|
||||
Fixes Bug: 34409
|
||||
License: MIT
|
||||
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||
---
|
||||
lasso/saml-2.0/login.c | 18 +++++++++---------
|
||||
lasso/saml-2.0/profile.c | 10 +++++++++-
|
||||
2 files changed, 18 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
||||
index 6e8f7553..0d4bb1da 100644
|
||||
--- a/lasso/saml-2.0/login.c
|
||||
+++ b/lasso/saml-2.0/login.c
|
||||
@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) {
|
||||
gint
|
||||
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
||||
{
|
||||
- char *url = NULL;
|
||||
+ char *assertionConsumerServiceURL = NULL;
|
||||
gboolean must_sign = TRUE;
|
||||
LassoProfile *profile;
|
||||
LassoSamlp2AuthnRequest *authn_request;
|
||||
@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
||||
}
|
||||
|
||||
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
|
||||
-
|
||||
/*
|
||||
* PAOS is special, the url passed to build_request is the
|
||||
* AssertionConsumerServiceURL of this SP, not the
|
||||
- * destination.
|
||||
+ * destination IdP URL. This is done to fill paos:responseConsumerURL
|
||||
+ * appropriately down the line in build_request_msg.
|
||||
+ * See https://dev.entrouvert.org/issues/34409 for more information.
|
||||
*/
|
||||
if (authn_request->AssertionConsumerServiceURL) {
|
||||
- url = authn_request->AssertionConsumerServiceURL;
|
||||
+ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
|
||||
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
|
||||
- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
||||
+ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
||||
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
|
||||
goto cleanup;
|
||||
}
|
||||
} else {
|
||||
- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
||||
+ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
||||
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
|
||||
- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
|
||||
+ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
|
||||
- login->http_method, url));
|
||||
+ login->http_method, assertionConsumerServiceURL));
|
||||
|
||||
cleanup:
|
||||
return rc;
|
||||
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
|
||||
index 22a4e08c..85f535ae 100644
|
||||
--- a/lasso/saml-2.0/profile.c
|
||||
+++ b/lasso/saml-2.0/profile.c
|
||||
@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic
|
||||
made_url = url = get_url(provider, service, http_method_to_binding(method));
|
||||
}
|
||||
|
||||
- if (url) {
|
||||
+
|
||||
+ // Usage of the Destination attribute on a request is mandated only
|
||||
+ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
|
||||
+ // and is marked as optional in the XSD schema otherwise.
|
||||
+ // PAOS is a special case because an SP does not select an IdP - ECP does
|
||||
+ // it instead. Therefore, this attribute needs to be left unpopulated.
|
||||
+ if (method == LASSO_HTTP_METHOD_PAOS) {
|
||||
+ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
|
||||
+ } else if (url) {
|
||||
lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
|
||||
url);
|
||||
} else {
|
||||
--
|
||||
2.20.1
|
||||
|
@ -58,7 +58,7 @@
|
||||
Summary: Liberty Alliance Single Sign On
|
||||
Name: lasso
|
||||
Version: 2.6.0
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Libraries
|
||||
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
||||
@ -69,6 +69,7 @@ Patch3: duplicate-python-LogoutTestCase.patch
|
||||
Patch4: versioned-python-configure.patch
|
||||
Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch
|
||||
Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
|
||||
Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch
|
||||
|
||||
BuildRequires: libtool autoconf automake
|
||||
|
||||
@ -203,6 +204,7 @@ library.
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
# Remove any python script shebang lines (unless they refer to python3)
|
||||
sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
|
||||
@ -320,6 +322,12 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-8
|
||||
- Resolves: rhbz#1730018 - lasso includes "Destination" attribute in SAML
|
||||
AuthnRequest populated with SP
|
||||
AssertionConsumerServiceURL when ECP workflow
|
||||
is used which leads to IdP-side errors
|
||||
|
||||
* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-7
|
||||
- Resolves: rhbz#1634268 - ECP signature check fails with
|
||||
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when
|
||||
|
Loading…
Reference in New Issue
Block a user