Fix encode ADFS issue. Merge branch 'm6a-UdS-feature/bugfix-adfs'

Author: pitbulk

demo-bottle/index.py

@@ -30,13 +30,15 @@ def init_saml_auth(req):
 def prepare_bottle_request(req):
     url_data = urlparse(req.url)
     return {
+        'https': 'on' if req.urlparts.scheme == 'https' else 'off',
         'http_host': req.get_header('host'),
         'server_port': url_data.port,
         'script_name': req.fullpath,
         'get_data': req.query,
         'post_data': req.forms,
         'query_string': req.query_string,
-        'https': 'on' if req.urlparts.scheme == 'https' else 'off'
+        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
+        # 'lowercase_urlencoding': True
     }
 
 

demo-django/demo/views.py

@@ -24,6 +24,8 @@ def prepare_django_request(request):
         'server_port': request.META['SERVER_PORT'],
         'get_data': request.GET.copy(),
         'post_data': request.POST.copy(),
+        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
+        # 'lowercase_urlencoding': True,
         'query_string': request.META['QUERY_STRING']
     }
     return result

demo-flask/index.py

@@ -29,6 +29,8 @@ def prepare_flask_request(request):
         'script_name': request.path,
         'get_data': request.args.copy(),
         'post_data': request.form.copy(),
+        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
+        # 'lowercase_urlencoding': True,
         'query_string': request.query_string
     }
 

src/onelogin/saml2/logout_request.py

@@ -261,6 +261,7 @@ def is_valid(self, request_data):
         :rtype: boolean
         """
         self.__error = None
+        lowercase_urlencoding = False
         try:
             dom = fromstring(self.__logout_request)
 
@@ -272,6 +273,9 @@ def is_valid(self, request_data):
             else:
                 get_data = {}
 
+            if 'lowercase_urlencoding' in request_data.keys():
+                lowercase_urlencoding = request_data['lowercase_urlencoding']
+
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
@@ -316,10 +320,10 @@ def is_valid(self, request_data):
                 else:
                     sign_alg = get_data['SigAlg']
 
-                signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest')
+                signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest', lowercase_urlencoding=lowercase_urlencoding)
                 if 'RelayState' in get_data:
-                    signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState'))
-                signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1))
+                    signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
+                signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
 
                 if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
                     raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')

src/onelogin/saml2/logout_response.py

@@ -77,11 +77,15 @@ def is_valid(self, request_data, request_id=None):
         :rtype: boolean
         """
         self.__error = None
+        lowercase_urlencoding = False
         try:
             idp_data = self.__settings.get_idp_data()
             idp_entity_id = idp_data['entityId']
             get_data = request_data['get_data']
 
+            if 'lowercase_urlencoding' in request_data.keys():
+                lowercase_urlencoding = request_data['lowercase_urlencoding']
+
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
@@ -119,10 +123,10 @@ def is_valid(self, request_data, request_id=None):
                 else:
                     sign_alg = get_data['SigAlg']
 
-                signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLResponse')
+                signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLResponse', lowercase_urlencoding=lowercase_urlencoding)
                 if 'RelayState' in get_data:
-                    signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState'))
-                signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1))
+                    signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))
+                signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
 
                 if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
                     raise Exception('In order to validate the sign on the Logout Response, the x509cert of the IdP is required')

src/onelogin/saml2/utils.py

@@ -1127,18 +1127,19 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
             return False
 
     @staticmethod
-    def get_encoded_parameter(get_data, name, default=None):
+    def get_encoded_parameter(get_data, name, default=None, lowercase_urlencoding=False):
         """Return an url encoded get parameter value
         Prefer to extract the original encoded value directly from query_string since url
         encoding is not canonical. The encoding used by ADFS 3.0 is not compatible with
         python's quote_plus (ADFS produces lower case hex numbers and quote_plus produces
         upper case hex numbers)
         """
+
         if name not in get_data:
-            return quote_plus(default)
+            return OneLogin_Saml2_Utils.case_sensitive_urlencode(default, lowercase_urlencoding)
         if 'query_string' in get_data:
             return OneLogin_Saml2_Utils.extract_raw_query_parameter(get_data['query_string'], name)
-        return quote_plus(get_data[name])
+        return OneLogin_Saml2_Utils.case_sensitive_urlencode(get_data[name], lowercase_urlencoding)
 
     @staticmethod
     def extract_raw_query_parameter(query_string, parameter, default=''):
@@ -1147,3 +1148,8 @@ def extract_raw_query_parameter(query_string, parameter, default=''):
             return m.group(1)
         else:
             return default
+
+    @staticmethod
+    def case_sensitive_urlencode(to_encode, lowercase=False):
+        encoded = quote_plus(to_encode)
+        return re.sub(r"%[A-F0-9]{2}", lambda m: m.group(0).lower(), encoded) if lowercase else encoded