From 8e6bb482279b0996f5d621d153cd6cb5ac9ab50b Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Sun, 13 Sep 2020 15:39:25 +0200 Subject: [PATCH] sources/saml: add mitigation for idp-initiated requests --- e2e/test_source_oauth.py | 4 +++- passbook/sources/saml/processors/response.py | 11 +++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/e2e/test_source_oauth.py b/e2e/test_source_oauth.py index 696833e64..7af40227b 100644 --- a/e2e/test_source_oauth.py +++ b/e2e/test_source_oauth.py @@ -1,6 +1,7 @@ """test OAuth Source""" from os.path import abspath from sys import platform +from time import sleep from typing import Any, Dict, Optional from unittest.case import skipUnless @@ -200,10 +201,11 @@ class TestSourceOAuth(SeleniumTestCase): (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link") ) ) + sleep(1) self.driver.find_element( By.CLASS_NAME, "pf-c-login__main-footer-links-item-link" ).click() - + sleep(1) # Now we should be at the IDP, wait for the login field self.wait.until(ec.presence_of_element_located((By.ID, "login"))) self.driver.find_element(By.ID, "login").send_keys("admin@example.com") diff --git a/passbook/sources/saml/processors/response.py b/passbook/sources/saml/processors/response.py index 51f0f443e..d1b2d98c8 100644 --- a/passbook/sources/saml/processors/response.py +++ b/passbook/sources/saml/processors/response.py @@ -2,6 +2,8 @@ from typing import TYPE_CHECKING, Dict from defusedxml import ElementTree +from django.core.cache import cache +from django.core.exceptions import SuspiciousOperation from django.http import HttpRequest, HttpResponse from signxml import XMLVerifier from structlog import get_logger @@ -37,6 +39,8 @@ from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT LOGGER = get_logger() if TYPE_CHECKING: from xml.etree.ElementTree import Element # nosec + +CACHE_SEEN_REQUEST_ID = "passbook_saml_seen_ids_%s" DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend" @@ -75,6 +79,13 @@ class ResponseProcessor: def _verify_request_id(self, request: HttpRequest): if self._source.allow_idp_initiated: + # If IdP-initiated SSO flows are enabled, we want to cache the Response ID + # somewhat mitigate replay attacks + seen_ids = cache.get(CACHE_SEEN_REQUEST_ID % self._source.pk, []) + if self._root.attrib["ID"] in seen_ids: + raise SuspiciousOperation("Replay attack detected") + seen_ids.append(self._root.attrib["ID"]) + cache.set(CACHE_SEEN_REQUEST_ID % self._source.pk, seen_ids) return if ( SESSION_REQUEST_ID not in request.session