1
diff --git a/debian/changelog b/debian/changelog
2
index c3dff7b..1511d90 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,10 @@
6
1
lasso (2.5.1-0ubuntu3) UNRELEASED; urgency=medium
7
2
8
3
  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
9
4
    "Destination" attribute (LP: #1833299)
10
5
11
6
 -- Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>  Thu, 04 Jul 2019 18:42:56 -0500
12
7
13
1
lasso (2.5.1-0ubuntu2) cosmic; urgency=medium
8
lasso (2.5.1-0ubuntu2) cosmic; urgency=medium
14
2
9
15
3
  * No-change rebuild to build for python3.7.
10
  * No-change rebuild to build for python3.7.
16
diff --git a/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
17
4
new file mode 100644
11
new file mode 100644
18
index 0000000..459603d
19
--- /dev/null
20
+++ b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
21
@@ -0,0 +1,89 @@
22
1
Description: PAOS: Do not populate "Destination" attribute
23
2
 When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
24
3
 populates an AuthnRequest with the "Destination" attribute set to
25
4
 AssertionConsumerURL of an SP - this leads to IdP-side errors because
26
5
 the destination attribute in the request does not match the IdP URL.
27
6
28
7
 The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
29
8
 Post bindings when AuthRequests are signed per saml-bindings-2.0-os
30
9
 (sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
31
10
 avoid setting that optional attribute because an ECP decides which IdP
32
11
 to use, not the SP.
33
12
Author: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
34
13
Origin: upstream, https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
35
14
Bug: https://dev.entrouvert.org/issues/34409
36
15
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1833299
37
16
Applied-Upstream: https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
38
17
Reviewed-by: Benjamin Dauvergne <bdauvergne@entrouvert.com>
39
18
Reviewed-by: John Dennis <jdennis@redhat.com>
40
19
Last-Update: 2019-07-06
41
20
---
42
21
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
43
22
--- a/lasso/saml-2.0/login.c
44
23
+++ b/lasso/saml-2.0/login.c
45
24
@@ -222,7 +222,7 @@
46
25
 gint
47
26
 lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
48
27
 {
49
28
-	char *url = NULL;
50
29
+	char *assertionConsumerServiceURL = NULL;
51
30
 	gboolean must_sign = TRUE;
52
31
 	LassoProfile *profile;
53
32
 	LassoSamlp2AuthnRequest *authn_request;
54
33
@@ -247,29 +247,29 @@
55
34
 	}
56
35
 
57
36
 	if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
58
37
-
59
38
 		/*
60
39
 		 * PAOS is special, the url passed to build_request is the
61
40
 		 * AssertionConsumerServiceURL of this SP, not the
62
41
-		 * destination.
63
42
+		 * destination IdP URL. This is done to fill paos:responseConsumerURL
64
43
+		 * appropriately down the line in build_request_msg.
65
44
+		 * See https://dev.entrouvert.org/issues/34409 for more information.
66
45
 		 */
67
46
 		if (authn_request->AssertionConsumerServiceURL) {
68
47
-			url = authn_request->AssertionConsumerServiceURL;
69
48
+			assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
70
49
 			if (!lasso_saml20_provider_check_assertion_consumer_service_url(
71
50
-					LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
72
51
+					LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
73
52
 				rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
74
53
 				goto cleanup;
75
54
 			}
76
55
 		} else {
77
56
-			url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
78
57
+			assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
79
58
 					LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
80
59
-			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
81
60
+			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
82
61
 		}
83
62
 	}
84
63
 
85
64
-
86
65
 	lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
87
66
-				login->http_method, url));
88
67
+				login->http_method, assertionConsumerServiceURL));
89
68
 
90
69
 cleanup:
91
70
 	return rc;
92
71
--- a/lasso/saml-2.0/profile.c
93
72
+++ b/lasso/saml-2.0/profile.c
94
73
@@ -968,7 +968,15 @@
95
74
 		made_url = url = get_url(provider, service, http_method_to_binding(method));
96
75
 	}
97
76
 
98
77
-	if (url) {
99
78
+
100
79
+	// Usage of the Destination attribute on a request is mandated only
101
80
+	// in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
102
81
+	// and is marked as optional in the XSD schema otherwise.
103
82
+	// PAOS is a special case because an SP does not select an IdP - ECP does
104
83
+	// it instead. Therefore, this attribute needs to be left unpopulated.
105
84
+	if (method == LASSO_HTTP_METHOD_PAOS) {
106
85
+		lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
107
86
+	} else if (url) {
108
87
 		lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
109
88
 				url);
110
89
 	} else {
111
diff --git a/debian/patches/series b/debian/patches/series
112
index 90e7b19..da56810 100644
113
--- a/debian/patches/series
114
+++ b/debian/patches/series
115
@@ -1 +1,2 @@
116
1
PAOS-Do-not-populate-Destination-attribute.patch
117
1
Use-INSTALLDIRS-vendor-for-the-Perl-bindings-as-per-.patch
2
Use-INSTALLDIRS-vendor-for-the-Perl-bindings-as-per-.patch
Reviewer	Date Requested	Status
Christian Ehrhardt  (community)	2019-07-05	Approve on 2019-07-11
Canonical Server	2019-07-05	Pending
Review via email: mp+369737@code.launchpad.net