
Enforce SSO "Want assertions signed" option (#1270)

* Enforce SSO Want Assertions Signed option

* Simplify changes and code style

* Fix style

* Check Issuer entityID before assertion signature
This commit is contained in:
Thomas Rittson 2021-04-22 01:06:30 +10:00 committed by GitHub
parent 477f679fc6
commit de155c78ad


@ -33,7 +33,7 @@ namespace Bit.Sso.Utilities
} }
// We need to pull out and parse the response or request SAML envelope // We need to pull out and parse the response or request SAML envelope
XmlElement assertion = null; XmlElement envelope = null;
try try
{ {
if (string.Equals(context.Request.Method, "POST", StringComparison.OrdinalIgnoreCase) && if (string.Equals(context.Request.Method, "POST", StringComparison.OrdinalIgnoreCase) &&
@ -52,7 +52,7 @@ namespace Bit.Sso.Utilities
{ {
return false; return false;
} }
assertion = XmlHelpers.XmlDocumentFromString( envelope = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(Convert.FromBase64String(encodedMessage)))?.DocumentElement; Encoding.UTF8.GetString(Convert.FromBase64String(encodedMessage)))?.DocumentElement;
} }
else if (string.Equals(context.Request.Method, "GET", StringComparison.OrdinalIgnoreCase)) else if (string.Equals(context.Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
@ -67,7 +67,7 @@ namespace Bit.Sso.Utilities
using var deCompressed = new MemoryStream(); using var deCompressed = new MemoryStream();
await decompressedStream.CopyToAsync(deCompressed); await decompressedStream.CopyToAsync(deCompressed);
assertion = XmlHelpers.XmlDocumentFromString( envelope = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(deCompressed.GetBuffer(), 0, (int)deCompressed.Length))?.DocumentElement; Encoding.UTF8.GetString(deCompressed.GetBuffer(), 0, (int)deCompressed.Length))?.DocumentElement;
} }
catch (FormatException ex) catch (FormatException ex)
@ -81,14 +81,30 @@ namespace Bit.Sso.Utilities
return false; return false;
} }
if (assertion == null) if (envelope == null)
{ {
return false; return false;
} }
// Double check the entity Ids // Double check the entity Ids
var entityId = assertion["Issuer", Saml2Namespaces.Saml2Name]?.InnerText.Trim(); var entityId = envelope["Issuer", Saml2Namespaces.Saml2Name]?.InnerText.Trim();
return string.Equals(entityId, idp.EntityId.Id, StringComparison.InvariantCultureIgnoreCase); if (!string.Equals(entityId, idp.EntityId.Id, StringComparison.InvariantCultureIgnoreCase))
{
return false;
}
if (options.SPOptions.WantAssertionsSigned)
{
var assertion = envelope["Assertion", Saml2Namespaces.Saml2Name];
var isAssertionSigned = assertion != null && XmlHelpers.IsSignedByAny(assertion, idp.SigningKeys,
options.SPOptions.ValidateCertificates, options.SPOptions.MinIncomingSigningAlgorithm);
if (!isAssertionSigned)
{
throw new Exception("Cannot verify SAML assertion signature.");
}
}
return true;
} }
} }
} }
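Review bot: The new check at lines 56–65 only inspects the first direct `Assertion` child of the envelope, so a response that carries an `EncryptedAssertion` or more than one `Assertion` is not covered by this pre-check — if the IdP encrypts assertions, `assertion` is null here and a valid response is rejected, and if several assertions are present only the first one's signature is verified; confirm that the downstream handler still validates the assertion it actually consumes, since this method cannot be the sole enforcement point. Separately, `throw new Exception(...)` at line 63 throws the base type, which forces callers to catch `Exception`; `throw new InvalidOperationException("Cannot verify SAML assertion signature.");` (or a project-specific exception type) keeps the message but lets callers distinguish it. The rest of the method returns `false` on every other failure, so the switch from return to throw here deserves a one-line comment stating why an unsigned assertion should fail loudly instead of letting the request fall through. The enclosing method starts before this hunk.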