Blame SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch

346024
From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001
346024
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
346024
Date: Fri, 28 Jun 2019 02:36:19 +0300
346024
Subject: [PATCH] PAOS: Do not populate "Destination" attribute
346024
346024
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
346024
populates an AuthnRequest with the "Destination" attribute set to
346024
AssertionConsumerURL of an SP - this leads to IdP-side errors because
346024
the destination attribute in the request does not match the IdP URL.
346024
346024
The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
346024
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
346024
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
346024
avoid setting that optional attribute because an ECP decides which IdP
346024
to use, not the SP.
346024
346024
Fixes Bug: 34409
346024
License: MIT
346024
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
346024
---
346024
 lasso/saml-2.0/login.c   | 18 +++++++++---------
346024
 lasso/saml-2.0/profile.c | 10 +++++++++-
346024
 2 files changed, 18 insertions(+), 10 deletions(-)
346024
346024
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
346024
index 6e8f7553..0d4bb1da 100644
346024
--- a/lasso/saml-2.0/login.c
346024
+++ b/lasso/saml-2.0/login.c
346024
@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) {
346024
 gint
346024
 lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
346024
 {
346024
-	char *url = NULL;
346024
+	char *assertionConsumerServiceURL = NULL;
346024
 	gboolean must_sign = TRUE;
346024
 	LassoProfile *profile;
346024
 	LassoSamlp2AuthnRequest *authn_request;
346024
@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
346024
 	}
346024
 
346024
 	if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
346024
-
346024
 		/*
346024
 		 * PAOS is special, the url passed to build_request is the
346024
 		 * AssertionConsumerServiceURL of this SP, not the
346024
-		 * destination.
346024
+		 * destination IdP URL. This is done to fill paos:responseConsumerURL
346024
+		 * appropriately down the line in build_request_msg.
346024
+		 * See https://dev.entrouvert.org/issues/34409 for more information.
346024
 		 */
346024
 		if (authn_request->AssertionConsumerServiceURL) {
346024
-			url = authn_request->AssertionConsumerServiceURL;
346024
+			assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
346024
 			if (!lasso_saml20_provider_check_assertion_consumer_service_url(
346024
-					LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
346024
+					LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
346024
 				rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
346024
 				goto cleanup;
346024
 			}
346024
 		} else {
346024
-			url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
346024
+			assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
346024
 					LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
346024
-			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
346024
+			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
346024
 		}
346024
 	}
346024
 
346024
-
346024
 	lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
346024
-				login->http_method, url));
346024
+				login->http_method, assertionConsumerServiceURL));
346024
 
346024
 cleanup:
346024
 	return rc;
346024
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
346024
index 22a4e08c..85f535ae 100644
346024
--- a/lasso/saml-2.0/profile.c
346024
+++ b/lasso/saml-2.0/profile.c
346024
@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic
346024
 		made_url = url = get_url(provider, service, http_method_to_binding(method));
346024
 	}
346024
 
346024
-	if (url) {
346024
+
346024
+	// Usage of the Destination attribute on a request is mandated only
346024
+	// in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
346024
+	// and is marked as optional in the XSD schema otherwise.
346024
+	// PAOS is a special case because an SP does not select an IdP - ECP does
346024
+	// it instead. Therefore, this attribute needs to be left unpopulated.
346024
+	if (method == LASSO_HTTP_METHOD_PAOS) {
346024
+		lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
346024
+	} else if (url) {
346024
 		lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
346024
 				url);
346024
 	} else {
346024
-- 
346024
2.20.1
346024