authentik/passbook/sources/saml/processors/base.py

"""passbook saml source processor"""
from typing import TYPE_CHECKING, Optional

from defusedxml import ElementTree
from django.http import HttpRequest, HttpResponse
from signxml import XMLVerifier
from structlog import get_logger

from passbook.core.models import User
from passbook.flows.planner import (
    PLAN_CONTEXT_PENDING_USER,
    PLAN_CONTEXT_SSO,
    FlowPlanner,
)
from passbook.flows.views import SESSION_KEY_PLAN
from passbook.lib.utils.urls import redirect_with_qs
from passbook.providers.saml.utils.encoding import decode_base64_and_inflate
from passbook.sources.saml.exceptions import (
    MissingSAMLResponse,
    UnsupportedNameIDFormat,
)
from passbook.sources.saml.models import SAMLSource
from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT

LOGGER = get_logger()
if TYPE_CHECKING:
    from xml.etree.ElementTree import Element  # nosec
DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"


class Processor:
    """SAML Response Processor"""

    _source: SAMLSource

    _root: "Element"
    _root_xml: str

    def __init__(self, source: SAMLSource):
        self._source = source

    def parse(self, request: HttpRequest):
        """Check if `request` contains SAML Response data, parse and validate it."""
        # First off, check if we have any SAML Data at all.
        raw_response = request.POST.get("SAMLResponse", None)
        if not raw_response:
            raise MissingSAMLResponse("Request does not contain 'SAMLResponse'")
        # relay_state = request.POST.get('RelayState', None)
        # Check if response is compressed, b64 decode it
        self._root_xml = decode_base64_and_inflate(raw_response)
        self._root = ElementTree.fromstring(self._root_xml)
        # Verify signed XML
        self._verify_signed()

    def _verify_signed(self):
        """Verify SAML Response's Signature"""
        verifier = XMLVerifier()
        verifier.verify(
            self._root_xml, x509_cert=self._source.signing_kp.certificate_data
        )

    def _get_email(self) -> Optional[str]:
        """
        Returns the email out of the response.

        At present, response must pass the email address as the Subject, eg.:

        <saml:Subject>
                <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                            SPNameQualifier="">
                    email@example.com
                </saml:NameID>
        """
        assertion = self._root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
        subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject")
        name_id = subject.find("{urn:oasis:names:tc:SAML:2.0:assertion}NameID")
        name_id_format = name_id.attrib["Format"]
        if name_id_format != "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress":
            raise UnsupportedNameIDFormat(
                f"Assertion contains NameID with unsupported format {name_id_format}."
            )
        return name_id.text

    def prepare_flow(self, request: HttpRequest) -> HttpResponse:
        """Prepare flow plan depending on whether or not the user exists"""
        email = self._get_email()
        matching_users = User.objects.filter(email=email)
        if matching_users.exists():
            # User exists already, switch to authentication flow
            flow = self._source.authentication_flow
            request.session[SESSION_KEY_PLAN] = FlowPlanner(flow).plan(
                request,
                {
                    # Data for authentication
                    PLAN_CONTEXT_PENDING_USER: matching_users.first(),
                    PLAN_CONTEXT_AUTHENTICATION_BACKEND: DEFAULT_BACKEND,
                    PLAN_CONTEXT_SSO: True,
                },
            )
        else:
            flow = self._source.enrollment_flow
            request.session[SESSION_KEY_PLAN] = FlowPlanner(flow).plan(
                request,
                {
                    # Data for enrollment
                    PLAN_CONTEXT_PROMPT: {"username": email, "email": email},
                    PLAN_CONTEXT_SSO: True,
                },
            )
        return redirect_with_qs(
            "passbook_flows:flow-executor-shell", request.GET, flow_slug=flow.slug,
        )
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`"""passbook saml source processor"""`
root: run bandit as part of pre-commit 2020-02-21 08:03:59 +00:00			`from typing import TYPE_CHECKING, Optional`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00
			`from defusedxml import ElementTree`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`from django.http import HttpRequest, HttpResponse`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`from signxml import XMLVerifier`
			`from structlog import get_logger`

			`from passbook.core.models import User`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`from passbook.flows.planner import (`
			`PLAN_CONTEXT_PENDING_USER,`
			`PLAN_CONTEXT_SSO,`
			`FlowPlanner,`
			`)`
			`from passbook.flows.views import SESSION_KEY_PLAN`
			`from passbook.lib.utils.urls import redirect_with_qs`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`from passbook.providers.saml.utils.encoding import decode_base64_and_inflate`
			`from passbook.sources.saml.exceptions import (`
			`MissingSAMLResponse,`
			`UnsupportedNameIDFormat,`
			`)`
			`from passbook.sources.saml.models import SAMLSource`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND`
			`from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00
			`LOGGER = get_logger()`
root: run bandit as part of pre-commit 2020-02-21 08:03:59 +00:00			`if TYPE_CHECKING:`
			`from xml.etree.ElementTree import Element # nosec`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00

			`class Processor:`
			`"""SAML Response Processor"""`

			`_source: SAMLSource`

root: run bandit as part of pre-commit 2020-02-21 08:03:59 +00:00			`_root: "Element"`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`_root_xml: str`

			`def __init__(self, source: SAMLSource):`
			`self._source = source`

			`def parse(self, request: HttpRequest):`
			"""Check if `request` contains SAML Response data, parse and validate it."""
			`# First off, check if we have any SAML Data at all.`
			`raw_response = request.POST.get("SAMLResponse", None)`
			`if not raw_response:`
			`raise MissingSAMLResponse("Request does not contain 'SAMLResponse'")`
			`# relay_state = request.POST.get('RelayState', None)`
			`# Check if response is compressed, b64 decode it`
lib: add SentryIgnoredException, to easily ignore exceptions from sentry 2020-02-20 20:37:14 +00:00			`self._root_xml = decode_base64_and_inflate(raw_response)`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`self._root = ElementTree.fromstring(self._root_xml)`
			`# Verify signed XML`
			`self._verify_signed()`

			`def _verify_signed(self):`
			`"""Verify SAML Response's Signature"""`
			`verifier = XMLVerifier()`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`verifier.verify(`
			`self._root_xml, x509_cert=self._source.signing_kp.certificate_data`
			`)`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00
			`def _get_email(self) -> Optional[str]:`
			`"""`
			`Returns the email out of the response.`

			`At present, response must pass the email address as the Subject, eg.:`

			`<saml:Subject>`
			`<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"`
sources/saml: improve error handing of invalid signatures 2020-06-23 19:49:27 +00:00			`SPNameQualifier="">`
			`email@example.com`
			`</saml:NameID>`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`"""`
			`assertion = self._root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")`
			`subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject")`
			`name_id = subject.find("{urn:oasis:names:tc:SAML:2.0:assertion}NameID")`
			`name_id_format = name_id.attrib["Format"]`
			`if name_id_format != "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress":`
			`raise UnsupportedNameIDFormat(`
			`f"Assertion contains NameID with unsupported format {name_id_format}."`
			`)`
			`return name_id.text`

WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`def prepare_flow(self, request: HttpRequest) -> HttpResponse:`
			`"""Prepare flow plan depending on whether or not the user exists"""`
sources/saml: validate SAMLResponse signature 2020-02-20 20:33:45 +00:00			`email = self._get_email()`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`matching_users = User.objects.filter(email=email)`
			`if matching_users.exists():`
			`# User exists already, switch to authentication flow`
			`flow = self._source.authentication_flow`
			`request.session[SESSION_KEY_PLAN] = FlowPlanner(flow).plan(`
			`request,`
			`{`
			`# Data for authentication`
			`PLAN_CONTEXT_PENDING_USER: matching_users.first(),`
			`PLAN_CONTEXT_AUTHENTICATION_BACKEND: DEFAULT_BACKEND,`
			`PLAN_CONTEXT_SSO: True,`
			`},`
			`)`
			`else:`
			`flow = self._source.enrollment_flow`
			`request.session[SESSION_KEY_PLAN] = FlowPlanner(flow).plan(`
			`request,`
			`{`
			`# Data for enrollment`
			`PLAN_CONTEXT_PROMPT: {"username": email, "email": email},`
			`PLAN_CONTEXT_SSO: True,`
			`},`
			`)`
			`return redirect_with_qs(`
			`"passbook_flows:flow-executor-shell", request.GET, flow_slug=flow.slug,`
			`)`