Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support signed assertions #45

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

fumieval
Copy link
Contributor

Summary

At the moment, wai-saml2 validates signed responses, but not signed assertions. This might cause an error when the identity provider signs assertions only (by default AzureAD does not sign responses).
This change adds support for signed assertions; when a signature for the response is present, it validates the response. If this is missing, it validates the signature for the assertion instead.

Checklist

  • All definitions are documented with Haddock-style comments.
  • All exported definitions have @since annotations.
  • Code is formatted in line with the existing code.
  • The changelog has been updated.

@mbg
Copy link
Owner

mbg commented May 15, 2023

I haven't had the time to review this yet, but I hope to be able to do so by the end of the coming weekend at the latest. Thank you as always for your contributions and patience! 🙇🏽

let docMinusSignature = removeSignature responseXmlDoc
docMinusSignature <- removeSignature <$> case responseSignature samlResponse of
Just _ -> pure responseXmlDoc
-- if a response signature is not present, assume that the assertion contains the signature
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When both response signature and an assertion signature are present, we could technically validate both, but I'm not sure if anyone really wants to do that

@fumieval
Copy link
Contributor Author

@mbg I split the tests to #52; I hope this makes reviewing easier a bit

@mbg
Copy link
Owner

mbg commented Jul 31, 2024

@fumieval Do you want to update this now that #52 is merged?

@fumieval fumieval force-pushed the pr-signed-assertion branch 3 times, most recently from ba8e651 to e43f0e4 Compare August 3, 2024 14:08
@fumieval
Copy link
Contributor Author

fumieval commented Aug 3, 2024

@mbg Sure. I refactored the implementation for more clarity

Copy link
Owner

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As always, thank you for the good work on this library! I have a few comments/questions, but generally this looks sensible.

CHANGELOG.md Outdated Show resolved Hide resolved
package.yaml Outdated Show resolved Hide resolved
package.yaml Outdated Show resolved Hide resolved
src/Network/Wai/SAML2/Validation.hs Outdated Show resolved Hide resolved
@@ -3,6 +3,7 @@
## 0.7

- Replaced `x509Certificate` with `x509Certificates` in `IDPSSODescriptor` so that it may have more than one certificate ([#65](https://github.com/mbg/wai-saml2/pull/65) by [@fumieval](https://github.com/fumieval))
- Support signed assertions, not just signed responses by ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/mbg/wai-saml2))
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Support signed assertions, not just signed responses by ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/mbg/wai-saml2))
- Support signed assertions, not just signed responses ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/fumieval))

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I am happy for you to keep this as is.

Just _ -> validateSAMLResponseSignature cfg responseXmlDoc samlResponse now
Nothing -> validateSAMLAssertionSignature cfg responseXmlDoc samlResponse now

validateSAMLResponseSignature :: SAML2Config
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to add a docs comment for this function summarising what it does.


validateSAMLPreliminary cfg samlResponse

case responseSignature samlResponse of
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering to what extent the path that's taken here should be up to the contents of the response? Rather than picking this based on whether there's a responseSignature present, would it make sense to instead have a setting in SAML2Config that determines which path we take here?

Comment on lines +271 to +277
assertion <- case responseAssertion samlResponse of
Just a -> pure a
_ -> throwError $ InvalidResponse $ userError "Assertion is required"

signature <- case assertionSignature assertion of
Just a -> pure a
_ -> throwError $ InvalidResponse $ userError "Assertion signature is required"
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be more consistent to have more constructors in the SAML2Error type for these errors than to use InvalidResponse with userError.

src/Network/Wai/SAML2/Validation.hs Show resolved Hide resolved
, documentRoot = node
, documentEpilogue = []
}
_ -> throwError $ InvalidResponse $ userError "Assertion is required"
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This error message should probably say something else?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants