Merge branch 'unsigned_requests' into 'master'

Unsigned requests See merge request !57

Merge branch 'unsigned_requests' into 'master'
Unsigned requests See merge request !57
b894e415 · mh · 24c0692f · 0d657ef2 · b894e415 · b894e415
Commit b894e415 authored Oct 03, 2021 by mh
--- a/lib/iapi/managers/saml_manager.rb
+++ b/lib/iapi/managers/saml_manager.rb
@@ -38,26 +38,31 @@ class SamlManager
        return
      end

+
+      attributes[:certs].each do |fp, cert|
+        if document.valid_signature?(fp)
+          saml_request.service_provider.cert = cert
+          saml_request.service_provider.fingerprint = fp
+        end
+      end
+
      # For unsigned requests the default cert1 will always be used to encrypt
      # the response, since we cannot tell from the request, which one is
      # the currently active one
-      unless attributes[:allow_unsigned_requests]
-        unless saml_request.service_provider.attributes[:validate_signature]
-          IApiLog.warn("SP #{saml_request.issuer} is misconfigured. we are "+
-                       "not sure it has to sign")
+      unless saml_request.service_provider.cert
+        if attributes[:allow_unsigned_requests]
+          (fp, cert) = attributes[:certs].first
+          saml_request.service_provider.cert = cert
+          saml_request.service_provider.fingerprint = fp
+        else
+          IApiLog.warn("SP #{saml_request.issuer} did not sign the request.")
          return
        end
-        attributes[:certs].each do |fp, cert|
-          if document.valid_signature?(fp)
-            saml_request.service_provider.cert = cert
-            saml_request.service_provider.fingerprint = fp
-          end
-        end
      end

      unless saml_request.valid?
        IApiLog.warn("Got a SAML request from #{saml_request.issuer} with an "+
-                     "invalid (or missing) signature")
+                     "invalid signature")
        return
      end


--- a/lib/iapi/routes/auth.rb
+++ b/lib/iapi/routes/auth.rb
@@ -24,7 +24,7 @@ class IApi < Sinatra::Base
      user = AuthManager.auth(email, parsed_body,
                              false,
                              unlock: parsed_body['unlock'],
-                              master_pw: info[:needs_master_pw],
+                              master_pw: info && info[:needs_master_pw],
                              trusted: true,
                              totp: parsed_body['totp'],
                              webauthn: parsed_body['webauthn'],

--- a/lib/iapi/saml.rb
+++ b/lib/iapi/saml.rb
@@ -35,6 +35,7 @@ class IApiSamlConfig
            api_access: params['api_access'],
            max_reissue_time: params['max_reissue_time'],
            max_reissue_time_2fa: params['max_reissue_time_2fa'],
+            allow_unsigned_requests: params['allow_unsigned_requests'],
          }

          aliases.each do |a|