From e550b0a10926d505f3e38bd673bb2b2603d5cba9 Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Wed, 25 Mar 2020 21:05:30 +0000
Subject: [PATCH 1/4] SAML debug attributes

---
 powerdnsadmin/routes/index.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 61e4bac..e9ffb85 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -722,6 +722,7 @@ def saml_authorized():
     req = saml.prepare_flask_request(request)
     auth = saml.init_saml_auth(req)
     auth.process_response()
+    current_app.logger.debug( auth.get_attributes() )
     errors = auth.get_errors()
     if len(errors) == 0:
         session['samlUserdata'] = auth.get_attributes()

From a581aa3cf230d03908480a70519b63ccebbe5363 Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Wed, 25 Mar 2020 21:35:20 +0000
Subject: [PATCH 2/4] add SAML_ASSERTION_ENCRYPTED envrionment

---
 configs/development.py          | 2 ++
 configs/docker_config.py        | 2 ++
 powerdnsadmin/default_config.py | 1 +
 powerdnsadmin/services/saml.py  | 3 ++-
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/configs/development.py b/configs/development.py
index b793995..b2351e4 100644
--- a/configs/development.py
+++ b/configs/development.py
@@ -138,3 +138,5 @@ SAML_ENABLED = False
 # #Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
 # #for example redirect to google.com after successful saml logout
 # #SAML_LOGOUT_URL = 'https://google.com'
+
+# #SAML_ASSERTION_ENCRYPTED = True
diff --git a/configs/docker_config.py b/configs/docker_config.py
index b4869b4..0f5f8c8 100644
--- a/configs/docker_config.py
+++ b/configs/docker_config.py
@@ -43,6 +43,7 @@ legal_envvars = (
     'SAML_WANT_MESSAGE_SIGNED',
     'SAML_LOGOUT',
     'SAML_LOGOUT_URL',
+    'SAML_ASSERTION_ENCRYPTED',
 )
 
 legal_envvars_int = ('PORT', 'MAIL_PORT', 'SAML_METADATA_CACHE_LIFETIME')
@@ -58,6 +59,7 @@ legal_envvars_bool = (
     'SAML_SIGN_REQUEST',
     'SAML_WANT_MESSAGE_SIGNED',
     'SAML_LOGOUT',
+    'SAML_ASSERTION_ENCRYPTED',
 )
 
 # import everything from environment variables
diff --git a/powerdnsadmin/default_config.py b/powerdnsadmin/default_config.py
index b6f45ad..474d3b4 100644
--- a/powerdnsadmin/default_config.py
+++ b/powerdnsadmin/default_config.py
@@ -23,3 +23,4 @@ SQLALCHEMY_DATABASE_URI = 'mysql://'+SQLA_DB_USER+':'+SQLA_DB_PASSWORD+'@'+SQLA_
 
 # SAML Authnetication
 SAML_ENABLED = False
+SAML_ASSERTION_ENCRYPTED = True
\ No newline at end of file
diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 1114817..b108a71 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -161,7 +161,8 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = True
+        settings['security']['wantAssertionsEncrypted'] = current_app.config[
+            'SAML_ASSERTION_ENCRYPTED']
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[

From cc26174a482980bd4dc04e2f2ed2cc66d91f0a3e Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <19527748+Atisom@users.noreply.github.com>
Date: Fri, 27 Mar 2020 02:19:06 +0100
Subject: [PATCH 3/4] wantAssertionsEncrypted to false

---
 powerdnsadmin/services/saml.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index b108a71..2b7ae4f 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -161,8 +161,7 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = current_app.config[
-            'SAML_ASSERTION_ENCRYPTED']
+        settings['security']['wantAssertionsEncrypted'] = False
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[

From def06bee417c1c635c22e9ce7ff0077dfac0e71f Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Fri, 3 Apr 2020 13:44:03 +0000
Subject: [PATCH 4/4] set SAML wantAssertionsEncrypted from config

---
 powerdnsadmin/services/saml.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 2b7ae4f..8fbeb1e 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -161,7 +161,8 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = False
+        settings['security']['wantAssertionsEncrypted'] = current_app.config.get(
+            'SAML_ASSERTION_ENCRYPTED', True)
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[