Ubuntu
lasso package

Merge ~dmitriis/ubuntu/+source/lasso:1833299-cosmic-devel-paos-ecp-destination into ubuntu/+source/lasso:ubuntu/cosmic-devel

  1. Git
  2. lp:~dmitriis/ubuntu/+source/lasso
  3. 1833299-cosmic-devel-paos-ecp-destination
  4. Merge into ubuntu/cosmic-devel
Proposed by Dmitrii Shcherbakov
Status: Rejected
Rejected by: Christian Ehrhardt 
Proposed branch: ~dmitriis/ubuntu/+source/lasso:1833299-cosmic-devel-paos-ecp-destination
Merge into: ubuntu/+source/lasso:ubuntu/cosmic-devel
Diff against target: 117 lines (+97/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/PAOS-Do-not-populate-Destination-attribute.patch (+89/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+369737@code.launchpad.net
To post a comment you must log in.
~dmitriis/ubuntu/+source/lasso:1833299-cosmic-devel-paos-ecp-destination updated
d8dca33... by Dmitrii Shcherbakov

PAOS: Do not populate "Destination" attribute

When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.

This patch was merged upstream: https://dev.entrouvert.org/issues/34409

New changelog entries:

* d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
  "Destination" attribute (LP: #1833299)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

ack, see details in Bionic MP https://code.launchpad.net/~dmitriis/ubuntu/+source/lasso/+git/lasso/+merge/369738

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I think we are so close to Cosmic EOL that we don't need to care about it anymore.
Let me know if you think otherwise.

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

I'm good with skipping Cosmic.

Unmerged commits

d8dca33... by Dmitrii Shcherbakov

PAOS: Do not populate "Destination" attribute

When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.

This patch was merged upstream: https://dev.entrouvert.org/issues/34409

New changelog entries:

* d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
  "Destination" attribute (LP: #1833299)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index c3dff7b..1511d90 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+lasso (2.5.1-0ubuntu3) UNRELEASED; urgency=medium
7+
8+ * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
9+ "Destination" attribute (LP: #1833299)
10+
11+ -- Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com> Thu, 04 Jul 2019 18:42:56 -0500
12+
13 lasso (2.5.1-0ubuntu2) cosmic; urgency=medium
14
15 * No-change rebuild to build for python3.7.
16diff --git a/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
17new file mode 100644
18index 0000000..459603d
19--- /dev/null
20+++ b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
21@@ -0,0 +1,89 @@
22+Description: PAOS: Do not populate "Destination" attribute
23+ When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
24+ populates an AuthnRequest with the "Destination" attribute set to
25+ AssertionConsumerURL of an SP - this leads to IdP-side errors because
26+ the destination attribute in the request does not match the IdP URL.
27+
28+ The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
29+ Post bindings when AuthRequests are signed per saml-bindings-2.0-os
30+ (sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
31+ avoid setting that optional attribute because an ECP decides which IdP
32+ to use, not the SP.
33+Author: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
34+Origin: upstream, https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
35+Bug: https://dev.entrouvert.org/issues/34409
36+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1833299
37+Applied-Upstream: https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
38+Reviewed-by: Benjamin Dauvergne <bdauvergne@entrouvert.com>
39+Reviewed-by: John Dennis <jdennis@redhat.com>
40+Last-Update: 2019-07-06
41+---
42+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
43+--- a/lasso/saml-2.0/login.c
44++++ b/lasso/saml-2.0/login.c
45+@@ -222,7 +222,7 @@
46+ gint
47+ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
48+ {
49+- char *url = NULL;
50++ char *assertionConsumerServiceURL = NULL;
51+ gboolean must_sign = TRUE;
52+ LassoProfile *profile;
53+ LassoSamlp2AuthnRequest *authn_request;
54+@@ -247,29 +247,29 @@
55+ }
56+
57+ if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
58+-
59+ /*
60+ * PAOS is special, the url passed to build_request is the
61+ * AssertionConsumerServiceURL of this SP, not the
62+- * destination.
63++ * destination IdP URL. This is done to fill paos:responseConsumerURL
64++ * appropriately down the line in build_request_msg.
65++ * See https://dev.entrouvert.org/issues/34409 for more information.
66+ */
67+ if (authn_request->AssertionConsumerServiceURL) {
68+- url = authn_request->AssertionConsumerServiceURL;
69++ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
70+ if (!lasso_saml20_provider_check_assertion_consumer_service_url(
71+- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
72++ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
73+ rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
74+ goto cleanup;
75+ }
76+ } else {
77+- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
78++ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
79+ LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
80+- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
81++ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
82+ }
83+ }
84+
85+-
86+ lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
87+- login->http_method, url));
88++ login->http_method, assertionConsumerServiceURL));
89+
90+ cleanup:
91+ return rc;
92+--- a/lasso/saml-2.0/profile.c
93++++ b/lasso/saml-2.0/profile.c
94+@@ -968,7 +968,15 @@
95+ made_url = url = get_url(provider, service, http_method_to_binding(method));
96+ }
97+
98+- if (url) {
99++
100++ // Usage of the Destination attribute on a request is mandated only
101++ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
102++ // and is marked as optional in the XSD schema otherwise.
103++ // PAOS is a special case because an SP does not select an IdP - ECP does
104++ // it instead. Therefore, this attribute needs to be left unpopulated.
105++ if (method == LASSO_HTTP_METHOD_PAOS) {
106++ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
107++ } else if (url) {
108+ lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
109+ url);
110+ } else {
111diff --git a/debian/patches/series b/debian/patches/series
112index 90e7b19..da56810 100644
113--- a/debian/patches/series
114+++ b/debian/patches/series
115@@ -1 +1,2 @@
116+PAOS-Do-not-populate-Destination-attribute.patch
117 Use-INSTALLDIRS-vendor-for-the-Perl-bindings-as-per-.patch

Subscribers

People subscribed via source and target branches