Fix issues with LogoutResponse

timlegge · timlegge · commit 10490845d176 · 2021-10-29T21:08:47.000-03:00
diff --git a/lib/Net/SAML2/Binding/Redirect.pm b/lib/Net/SAML2/Binding/Redirect.pm
@@ -40,6 +40,7 @@ use URI::QueryParam;
 use Crypt::OpenSSL::RSA;
 use Crypt::OpenSSL::X509;
 use File::Slurp qw/ read_file /;
+use URI::Encode qw/uri_decode/;
 
 =head2 new( ... )
 
@@ -79,6 +80,18 @@ sha1, sha224, sha256, sha384, sha512
 
 sha1 is current default but will change by version 44
 
+=item B<sls_force_lcase_url_encoding>
+
+Specifies that the IdP requires the encoding of a URL to be in lowercase.
+Necessary for a HTTP-Redirect of a LogoutResponse from Azure in particular.
+True (1) or False (0). Some web frameworks and underlying http requests assume
+that the encoding should be in the standard uppercase (%2F not %2f)
+
+=item B<sls_double_encoded_response>
+
+Specifies that the IdP response sent to the HTTP-Redirect is double encoded.
+The double encoding requires it to be decoded prior to processing.
+
 =back
 
 =cut
@@ -88,6 +101,8 @@ has 'cert'  => (isa => 'Str', is => 'ro', required => 1);
 has 'url'   => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'param' => (isa => 'Str', is => 'ro', required => 1);
 has 'sig_hash' => (isa => 'Str', is => 'ro', required => 0);
+has 'sls_force_lcase_url_encoding'    => (isa => 'Bool', is => 'ro', required => 0);
+has 'sls_double_encoded_response' => (isa => 'Bool', is => 'ro', required => 0);
 
 =head2 sign( $request, $relaystate )
 
@@ -162,6 +177,32 @@ sub verify {
     my $cert = Crypt::OpenSSL::X509->new_from_string($self->cert);
     my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($cert->pubkey);
 
+    my $signed;
+    my $saml_request;
+    my $sig = $u->query_param_delete('Signature');
+
+    # Some IdPs (PingIdentity) seem to double encode the LogoutResponse URL
+    if (defined $self->sls_double_encoded_response and $self->sls_double_encoded_response == 1) {
+        #if ($sigalg =~ m/%/) {
+        $signed = uri_decode($u->query);
+        $sig = uri_decode($sig);
+        $sigalg = uri_decode($sigalg);
+        $saml_request = uri_decode($u->query_param($self->param));
+    } else {
+        $signed = $u->query;
+        $saml_request = $u->query_param($self->param);
+    }
+
+    # What can we say about this one Microsoft Azure uses lower case in the
+    # URL encoding %2f not %2F.  As it is signed as %2f the resulting signed
+    # needs to change it to lowercase if the application layer reencoded the URL.
+    if (defined $self->sls_force_lcase_url_encoding and $self->sls_force_lcase_url_encoding == 1) {
+        # TODO: This is a hack.
+        $signed =~ s/(%..)/lc($1)/ge;
+    }
+
+    $sig = decode_base64($sig);
+
     if ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
         $rsa_pub->use_sha256_hash;
     } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224') {
@@ -176,12 +217,10 @@ sub verify {
         die "Unsupported Signature Algorithim: $sigalg";
     }
 
-    my $sig = decode_base64($u->query_param_delete('Signature'));
-    my $signed = $u->query;
     die "bad sig" unless $rsa_pub->verify($signed, $sig);
 
     # unpack the SAML request
-    my $deflated = decode_base64($u->query_param($self->param));
+    my $deflated = decode_base64($saml_request);
     my $request = '';
     rawinflate \$deflated => \$request;
 
diff --git a/lib/Net/SAML2/IdP.pm b/lib/Net/SAML2/IdP.pm
@@ -43,6 +43,18 @@ Constructor
 
 =item B<entityid>
 
+=item B<sls_force_lcase_url_encoding>
+
+Specifies that the IdP requires the encoding of a URL to be in lowercase.
+Necessary for a HTTP-Redirect of a LogoutResponse from Azure in particular.
+True (1) or False (0). Some web frameworks and underlying http requests assume
+that the encoding should be in the standard uppercase (%2F not %2f)
+
+=item B<sls_double_encoded_response>
+
+Specifies that the IdP response sent to the HTTP-Redirect is double encoded.
+The double encoding requires it to be decoded prior to processing.
+
 =back
 
 =cut
@@ -54,7 +66,9 @@ has 'slo_urls' => (isa => 'Maybe[HashRef[Str]]', is => 'ro');
 has 'art_urls' => (isa => 'Maybe[HashRef[Str]]', is => 'ro');
 has 'certs'    => (isa => 'HashRef[Str]',        is => 'ro', required => 1);
 has 'formats'  => (isa => 'HashRef[Str]',        is => 'ro', required => 1);
-has 'default_format' => (isa => 'Str', is => 'ro', required => 1);
+has 'sls_force_lcase_url_encoding'    => (isa => 'Bool', is => 'ro', required => 0);
+has 'sls_double_encoded_response' => (isa => 'Bool', is => 'ro', required => 0);
+has 'default_format'          => (isa => 'Str',  is => 'ro', required => 1);
 
 =head2 new_from_url( url => $url, cacert => $cacert, ssl_opts => {} )
 
@@ -83,7 +97,12 @@ sub new_from_url {
 
     my $xml = $res->content;
 
-    return $class->new_from_xml(xml => $xml, cacert => $args{cacert});
+    return $class->new_from_xml(
+                    xml => $xml,
+                    cacert => $args{cacert},
+                    sls_force_lcase_url_encoding => $args{sls_force_lcase_url_encoding},
+                    sls_double_encoded_response => $args{sls_double_encoded_response},
+                    );
 }
 
 =head2 new_from_xml( xml => $xml, cacert => $cacert )
@@ -189,6 +208,8 @@ sub new_from_xml {
         formats        => $data->{NameIDFormat},
         default_format => $data->{DefaultFormat},
         cacert         => $args{cacert},
+        sls_force_lcase_url_encoding => $args{sls_force_lcase_url_encoding},
+        sls_double_encoded_response => $args{sls_double_encoded_response},
     );
 
     return $self;
diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
@@ -257,8 +257,9 @@ sub slo_redirect_binding {
         cert  => $idp->cert('signing'),
         key   => $self->key,
         param => $param,
+        sls_force_lcase_url_encoding => $idp->{sls_force_lcase_url_encoding},
+        sls_double_encoded_response => $idp->{sls_double_encoded_response},
     );
-
     return $redirect;
 }
 
diff --git a/xt/testapp/config.yml b/xt/testapp/config.yml
@@ -17,3 +17,5 @@ org_name: "Net::SAML2 Saml2Test"
 org_display_name: "Saml2Test app for Net::SAML2"
 org_contact: "saml2test@example.com"
 error_url: "/error"
+sls_force_lcase_url_encoding: "0"
+sls_double_encoded_response: "0"
diff --git a/xt/testapp/lib/Saml2Test.pm b/xt/testapp/lib/Saml2Test.pm
@@ -16,7 +16,6 @@ Demo app to show use of Net::SAML2 as an SP.
 use Dancer ':syntax';
 use Net::SAML2;
 use MIME::Base64 qw/ decode_base64 /;
-use URI::Encode qw(uri_encode uri_decode);
 
 our $VERSION = '0.1';
 
@@ -31,7 +30,7 @@ get '/login' => sub {
         $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
         $idp->format, # default format.
     )->as_xml;
-	
+
     my $redirect = $sp->sso_redirect_binding($idp, 'SAMLRequest');
     my $url = $redirect->sign($authnreq);
     redirect $url, 302;
@@ -153,10 +152,19 @@ get '/sls-redirect-response' => sub {
     my $sp = _sp();
     my $redirect = $sp->slo_redirect_binding($idp, 'SAMLResponse');
 
-    my $decoded = uri_decode(request->uri);
-
-    my ($response, $relaystate) = $redirect->verify($decoded);
+    my ($response, $relaystate) = $redirect->verify(request->uri);
 
+    if ($response) {
+        my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+            xml => $response
+        );
+        if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+            print STDERR "\nLogout Success Status - $logout->{issuer}\n";
+        }
+    }
+    else {
+        return "<html><pre>Bad Logout Response</pre></html>";
+    }
     redirect $relaystate || '/', 302;
     return "Redirected\n";
 };
@@ -177,7 +185,7 @@ post '/sls-post-response' => sub {
             xml => decode_base64(params->{SAMLResponse})
         );
         if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
-            print STDERR "Logout Success Status\n";
+            print STDERR "\nLogout Success Status - $logout->{issuer}\n";
         }
     }
     else {
@@ -213,12 +221,14 @@ sub _sp {
         org_contact	 => config->{org_contact},
     );
     return $sp;
-}	
+}
 
 sub _idp {
     my $idp = Net::SAML2::IdP->new_from_url(
         url    => config->{idp},
-        cacert => 'saml_cacert.pem'
+        cacert => 'saml_cacert.pem',
+        sls_force_lcase_url_encoding => config->{sls_force_lcase_url_encoding},
+        sls_double_encoded_response => config->{sls_double_encoded_response}
     );
     return $idp;
 }
