From e550b0a10926d505f3e38bd673bb2b2603d5cba9 Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Wed, 25 Mar 2020 21:05:30 +0000
Subject: [PATCH 1/4] SAML debug attributes

---
 powerdnsadmin/routes/index.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 61e4bac..e9ffb85 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -722,6 +722,7 @@ def saml_authorized():
     req = saml.prepare_flask_request(request)
     auth = saml.init_saml_auth(req)
     auth.process_response()
+    current_app.logger.debug( auth.get_attributes() )
     errors = auth.get_errors()
     if len(errors) == 0:
         session['samlUserdata'] = auth.get_attributes()

From a581aa3cf230d03908480a70519b63ccebbe5363 Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Wed, 25 Mar 2020 21:35:20 +0000
Subject: [PATCH 2/4] add SAML_ASSERTION_ENCRYPTED envrionment

---
 configs/development.py | 2 ++
 configs/docker_config.py | 2 ++
 powerdnsadmin/default_config.py | 1 +
 powerdnsadmin/services/saml.py | 3 ++-
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/configs/development.py b/configs/development.py
index b793995..b2351e4 100644
--- a/configs/development.py
+++ b/configs/development.py
@@ -138,3 +138,5 @@ SAML_ENABLED = False
 # #Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
 # #for example redirect to google.com after successful saml logout
 # #SAML_LOGOUT_URL = 'https://google.com'
+
+# #SAML_ASSERTION_ENCRYPTED = True
diff --git a/configs/docker_config.py b/configs/docker_config.py
index b4869b4..0f5f8c8 100644
--- a/configs/docker_config.py
+++ b/configs/docker_config.py
@@ -43,6 +43,7 @@ legal_envvars = (
     'SAML_WANT_MESSAGE_SIGNED',
     'SAML_LOGOUT',
     'SAML_LOGOUT_URL',
+    'SAML_ASSERTION_ENCRYPTED',
 )
 
 legal_envvars_int = ('PORT', 'MAIL_PORT', 'SAML_METADATA_CACHE_LIFETIME')
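Review bot: The added debug line in saml_authorized dumps the full SAML attribute dict into the application log before `get_errors()` has been consulted, so values from a response that fails validation are logged as well, and for a valid response those values are typically personal data (e-mail, display name, group memberships — whatever the IdP releases) that should not end up in log files. Logging only the attribute names gives the same troubleshooting value without the data exposure: `current_app.logger.debug("SAML attributes received: %s", list(auth.get_attributes().keys()))`, which also switches to lazy %-formatting and drops the spaces inside the parentheses. Placing it inside the `len(errors) == 0` branch would keep rejected responses out of the log entirely. The hunk does not show where `current_app` is imported in this module, and `saml_authorized` continues past the hunk.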
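Review bot: The new commented-out example `# #SAML_ASSERTION_ENCRYPTED = True` in development.py does not say what the option controls or which value is the default, while the neighbouring `SAML_LOGOUT_URL` entry comes with two lines of explanation. I would precede it with `# #Require SAML assertions from the IdP to be encrypted (default True). Setting this to False accepts plaintext assertions, which in the HTTP-POST binding transit the user's browser in readable form.` This hunk is comment-only, so there is nothing else to flag in it.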
@@ -58,6 +59,7 @@ legal_envvars_bool = (
     'SAML_SIGN_REQUEST',
     'SAML_WANT_MESSAGE_SIGNED',
     'SAML_LOGOUT',
+    'SAML_ASSERTION_ENCRYPTED',
 )
 
 # import everything from environment variables
diff --git a/powerdnsadmin/default_config.py b/powerdnsadmin/default_config.py
index b6f45ad..474d3b4 100644
--- a/powerdnsadmin/default_config.py
+++ b/powerdnsadmin/default_config.py
@@ -23,3 +23,4 @@ SQLALCHEMY_DATABASE_URI = 'mysql://'+SQLA_DB_USER+':'+SQLA_DB_PASSWORD+'@'+SQLA_
 
 # SAML Authnetication
 SAML_ENABLED = False
+SAML_ASSERTION_ENCRYPTED = True
\ No newline at end of file
diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 1114817..b108a71 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -161,7 +161,8 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = True
+        settings['security']['wantAssertionsEncrypted'] = current_app.config[
+            'SAML_ASSERTION_ENCRYPTED']
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[

From cc26174a482980bd4dc04e2f2ed2cc66d91f0a3e Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <19527748+Atisom@users.noreply.github.com>
Date: Fri, 27 Mar 2020 02:19:06 +0100
Subject: [PATCH 3/4] wantAssertionsEncrypted to false

---
 powerdnsadmin/services/saml.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index b108a71..2b7ae4f 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
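Review bot: The added `SAML_ASSERTION_ENCRYPTED = True` in default_config.py is written without a trailing newline (`\ No newline at end of file`), so the next edit to this file will show a spurious change on this line; terminate it with a newline. Since this file is where the default lives, a one-line comment above it would help operators: `# Reject SAML assertions that are not encrypted; override in the deployment config`. Defaulting to True is the right fail-closed choice and should stay that way.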
@@ -161,8 +161,7 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = current_app.config[
-            'SAML_ASSERTION_ENCRYPTED']
+        settings['security']['wantAssertionsEncrypted'] = False
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[

From def06bee417c1c635c22e9ce7ff0077dfac0e71f Mon Sep 17 00:00:00 2001
From: Attila DEBRECZENI <9527748+Atisom@users.noreply.github.com>
Date: Fri, 3 Apr 2020 13:44:03 +0000
Subject: [PATCH 4/4] set SAML wantAssertionsEncrypted from config

---
 powerdnsadmin/services/saml.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 2b7ae4f..8fbeb1e 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -161,7 +161,8 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-        settings['security']['wantAssertionsEncrypted'] = False
+        settings['security']['wantAssertionsEncrypted'] = current_app.config.get(
+            'SAML_ASSERTION_ENCRYPTED', True)
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
         settings['security']['authnRequestsSigned'] = current_app.config[
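Review bot: The new `current_app.config.get('SAML_ASSERTION_ENCRYPTED', True)` line makes assertion encryption optional without stating what still protects the assertion when it is off: the hunk ends at `authnRequestsSigned` and shows no `wantAssertionsSigned` or `wantMessagesSigned` line, so confirm in the rest of this method (it continues past the hunk) that signature verification of the response or assertion remains required when the option is False, because an assertion that is neither encrypted nor signed is trivially forgeable. I believe python3-saml uses this flag only to reject plaintext assertions and still decrypts encrypted ones when it is False, which is worth recording so operators understand the knob: `# False only relaxes confidentiality (plaintext assertions are accepted); signature checks still apply.` The value is passed through unchanged, so a non-bool from a hand-written config such as the string 'False' is truthy and silently keeps encryption required — harmless security-wise but surprising, so either reject non-bool values with an `isinstance(value, bool)` check or document that the option must be a real boolean.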