providers/saml: don't attempt verification of SAML request when no verification certificate is configured

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-18 22:26:01 +02:00 · 2022-10-18 22:26:01 +02:00 · 3e1490dcac
parent ea12715e01
commit 3e1490dcac
1 changed files with 4 additions and 11 deletions
--- a/authentik/providers/saml/processors/request_parser.py
+++ b/authentik/providers/saml/processors/request_parser.py
@ -29,9 +29,6 @@ ERROR_CANNOT_DECODE_REQUEST = "Cannot decode SAML request."
 ERROR_SIGNATURE_REQUIRED_BUT_ABSENT = (
    "Verification Certificate configured, but request is not signed."
 )
-ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER = (
-    "Provider does not have a Validation Certificate configured."
-)
 ERROR_FAILED_TO_VERIFY = "Failed to verify signature"


@ -94,22 +91,19 @@ class AuthNRequestParser:
            raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST)

        verifier = self.provider.verification_kp
+        if not verifier:
+            return self._parse_xml(decoded_xml, relay_state)

        root = lxml_from_string(decoded_xml)
        xmlsec.tree.add_ids(root, ["ID"])
        signature_nodes = root.xpath("/samlp:AuthnRequest/ds:Signature", namespaces=NS_MAP)
        # No signatures, no verifier configured -> decode xml directly
        if len(signature_nodes) < 1:
-            if not verifier:
-                return self._parse_xml(decoded_xml, relay_state)
            raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)

        signature_node = signature_nodes[0]

        if signature_node is not None:
-            if not verifier:
-                raise CannotHandleAssertion(ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER)
-
            try:
                ctx = xmlsec.SignatureContext()
                key = xmlsec.Key.from_memory(
@ -138,14 +132,13 @@ class AuthNRequestParser:
            raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST)

        verifier = self.provider.verification_kp
+        if not verifier:
+            return self._parse_xml(decoded_xml, relay_state)

        if verifier and not (signature and sig_alg):
            raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)

        if signature and sig_alg:
-            if not verifier:
-                raise CannotHandleAssertion(ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER)
-
            querystring = f"SAMLRequest={quote_plus(saml_request)}&"
            if relay_state is not None:
                querystring += f"RelayState={quote_plus(relay_state)}&"