Commit b894e415 authored by mh's avatar mh

Merge branch 'unsigned_requests' into 'master'

Unsigned requests

See merge request !57
parents 24c0692f 0d657ef2
......@@ -38,26 +38,31 @@ class SamlManager
return
end
attributes[:certs].each do |fp, cert|
if document.valid_signature?(fp)
saml_request.service_provider.cert = cert
saml_request.service_provider.fingerprint = fp
end
end
# For unsigned requests the default cert1 will always be used to encrypt
# the response, since we cannot tell from the request, which one is
# the currently active one
unless attributes[:allow_unsigned_requests]
unless saml_request.service_provider.attributes[:validate_signature]
IApiLog.warn("SP #{saml_request.issuer} is misconfigured. we are "+
"not sure it has to sign")
unless saml_request.service_provider.cert
if attributes[:allow_unsigned_requests]
(fp, cert) = attributes[:certs].first
saml_request.service_provider.cert = cert
saml_request.service_provider.fingerprint = fp
else
IApiLog.warn("SP #{saml_request.issuer} did not sign the request.")
return
end
attributes[:certs].each do |fp, cert|
if document.valid_signature?(fp)
saml_request.service_provider.cert = cert
saml_request.service_provider.fingerprint = fp
end
end
end
unless saml_request.valid?
IApiLog.warn("Got a SAML request from #{saml_request.issuer} with an "+
"invalid (or missing) signature")
"invalid signature")
return
end
......
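Review bot: `(fp, cert) = attributes[:certs].first` has no guard for an SP with no certificates configured: `first` on an empty hash returns nil, so `cert` and `fingerprint` are both set to nil and the request goes on to `saml_request.valid?` with no key material, where the same warn-and-return pattern as the `else` branch should reject it first, e.g. `if attributes[:certs].empty?` followed by `IApiLog.warn("SP #{saml_request.issuer} has no certificate configured")` and `return`. The parentheses around the multiple assignment are unidiomatic; `fp, cert = attributes[:certs].first` reads the same. The fallback also relies on `attributes[:certs]` being insertion-ordered so that the "default cert1" named in the comment really is the first entry; the comment should say so, since nothing in the hunk enforces it. The old/new markers are lost in this rendering, so which `attributes[:certs].each` loop survives is inferred, and the enclosing method starts and ends outside the hunk.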
......@@ -24,7 +24,7 @@ class IApi < Sinatra::Base
user = AuthManager.auth(email, parsed_body,
false,
unlock: parsed_body['unlock'],
master_pw: info[:needs_master_pw],
master_pw: info && info[:needs_master_pw],
trusted: true,
totp: parsed_body['totp'],
webauthn: parsed_body['webauthn'],
......
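Review bot: `master_pw: info && info[:needs_master_pw]` turns a missing `info` into `master_pw: nil` without recording why `info` can be nil at this point; since `info` is assigned outside the hunk, a one-line comment would help, e.g. `# info may be nil here — confirm AuthManager.auth treats a nil master_pw as "not required"`. If `info` is a Hash, `info&.dig(:needs_master_pw)` expresses the same guard in the file's safe-navigation form. The `AuthManager.auth(` call begins before the hunk.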
......@@ -35,6 +35,7 @@ class IApiSamlConfig
api_access: params['api_access'],
max_reissue_time: params['max_reissue_time'],
max_reissue_time_2fa: params['max_reissue_time_2fa'],
allow_unsigned_requests: params['allow_unsigned_requests'],
}
aliases.each do |a|
......
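Review bot: `allow_unsigned_requests: params['allow_unsigned_requests']` stores the raw parameter, while the SamlManager hunk in this commit branches on `attributes[:allow_unsigned_requests]` with a plain truthiness test; if `params` values arrive as strings (usual for form or JSON input), the strings `"false"` and `"0"` are truthy in Ruby and would enable unsigned requests for that SP. Normalise the flag here, e.g. `allow_unsigned_requests: [true, 'true', '1', 1].include?(params['allow_unsigned_requests']),`, unless the hash is coerced later — the neighbouring keys such as `api_access` are also taken raw, so that may already happen elsewhere and is worth confirming. The hash literal starts outside the hunk.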