Skip to content

Commit c269217

Browse files
author
Daniele Giallonardo
committed
Fix validazione response su attributo AuthnContextClassRef e gestione Log
#10
1 parent 5333673 commit c269217

5 files changed

Lines changed: 58 additions & 12 deletions

File tree

CIE.AspNetCore.Authentication/CIE.AspNetCore.Authentication/CIE.AspNetCore.Authentication.csproj

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,11 +12,11 @@
1212
<PackageProjectUrl>https://github.com/italia/cie-aspnetcore</PackageProjectUrl>
1313
<PackageIcon>cie-nuget.png</PackageIcon>
1414
<PackageLicenseExpression>MIT</PackageLicenseExpression>
15-
<PackageVersion>2.0.0</PackageVersion>
16-
<Version>2.0.0</Version>
17-
<AssemblyVersion>2.0.0</AssemblyVersion>
18-
<FileVersion>2.0.0</FileVersion>
19-
<InformationalVersion>2.0.0</InformationalVersion>
15+
<PackageVersion>2.0.1-prerelease</PackageVersion>
16+
<Version>2.0.1</Version>
17+
<AssemblyVersion>2.0.1</AssemblyVersion>
18+
<FileVersion>2.0.1</FileVersion>
19+
<InformationalVersion>2.0.1</InformationalVersion>
2020
<PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
2121
<PackageReadmeFile>README.md</PackageReadmeFile>
2222
<RepositoryUrl>https://github.com/italia/cie-aspnetcore</RepositoryUrl>

CIE.AspNetCore.Authentication/CIE.AspNetCore.Authentication/CieHandler.cs

Lines changed: 48 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66
using CIE.AspNetCore.Authentication.Saml;
77
using Microsoft.AspNetCore.Authentication;
88
using Microsoft.AspNetCore.Http;
9+
using Microsoft.AspNetCore.Http.Extensions;
910
using Microsoft.Extensions.Logging;
1011
using Microsoft.Extensions.Options;
1112
using Microsoft.Extensions.Primitives;
@@ -389,6 +390,18 @@ private string RemoveFiscalNumberPrefix(string fiscalNumber)
389390
var form = await Request.ReadFormAsync();
390391

391392
var serializedResponse = Encoding.UTF8.GetString(Convert.FromBase64String(form["SAMLResponse"][0]));
393+
394+
await _logHandler.LogPostResponse(new PostResponse()
395+
{
396+
SignedMessage = serializedResponse,
397+
SAMLResponse = form["SAMLResponse"].FirstOrDefault(),
398+
RelayState = form["RelayState"].ToString(),
399+
ContentType = Request.ContentType,
400+
Url = Request.GetEncodedUrl(),
401+
Headers = Request.Headers.ToDictionary(t => t.Key, t => t.Value),
402+
Cookies = Request.Cookies.ToDictionary(t => t.Key, t => t.Value)
403+
});
404+
392405
return (
393406
form["RelayState"].ToString(),
394407
SamlHandler.GetAuthnResponse(form["SAMLResponse"][0]),
@@ -400,6 +413,17 @@ private string RemoveFiscalNumberPrefix(string fiscalNumber)
400413
&& Request.Query.ContainsKey("RelayState"))
401414
{
402415
var serializedResponse = DecompressString(Request.Query["SAMLResponse"].FirstOrDefault());
416+
417+
await _logHandler.LogRedirectResponse(new RedirectResponse()
418+
{
419+
SignedMessage = serializedResponse,
420+
SAMLResponse = Request.Query["SAMLResponse"].FirstOrDefault(),
421+
RelayState = Request.Query["RelayState"].FirstOrDefault(),
422+
Url = Request.GetEncodedUrl(),
423+
Headers = Request.Headers.ToDictionary(t => t.Key, t => t.Value),
424+
Cookies = Request.Cookies.ToDictionary(t => t.Key, t => t.Value)
425+
});
426+
403427
return (
404428
Request.Query["RelayState"].FirstOrDefault(),
405429
SamlHandler.GetAuthnResponse(serializedResponse),
@@ -419,9 +443,21 @@ private string RemoveFiscalNumberPrefix(string fiscalNumber)
419443
var form = await Request.ReadFormAsync();
420444

421445
var serializedResponse = Encoding.UTF8.GetString(Convert.FromBase64String(form["SAMLResponse"][0]));
446+
447+
await _logHandler.LogPostResponse(new PostResponse()
448+
{
449+
SignedMessage = serializedResponse,
450+
SAMLResponse = form["SAMLResponse"].FirstOrDefault(),
451+
RelayState = form["RelayState"].ToString(),
452+
ContentType = Request.ContentType,
453+
Url = Request.GetEncodedUrl(),
454+
Headers = Request.Headers.ToDictionary(t => t.Key, t => t.Value),
455+
Cookies = Request.Cookies.ToDictionary(t => t.Key, t => t.Value)
456+
});
457+
422458
return (
423459
form["RelayState"].ToString(),
424-
SamlHandler.GetLogoutResponse(form["SAMLResponse"][0]),
460+
SamlHandler.GetLogoutResponse(serializedResponse),
425461
serializedResponse
426462
);
427463
}
@@ -430,6 +466,17 @@ private string RemoveFiscalNumberPrefix(string fiscalNumber)
430466
&& Request.Query.ContainsKey("RelayState"))
431467
{
432468
var serializedResponse = DecompressString(Request.Query["SAMLResponse"].FirstOrDefault());
469+
470+
await _logHandler.LogRedirectResponse(new RedirectResponse()
471+
{
472+
SignedMessage = serializedResponse,
473+
SAMLResponse = Request.Query["SAMLResponse"].FirstOrDefault(),
474+
RelayState = Request.Query["RelayState"].FirstOrDefault(),
475+
Url = Request.GetEncodedUrl(),
476+
Headers = Request.Headers.ToDictionary(t => t.Key, t => t.Value),
477+
Cookies = Request.Cookies.ToDictionary(t => t.Key, t => t.Value)
478+
});
479+
433480
return (
434481
Request.Query["RelayState"].FirstOrDefault(),
435482
SamlHandler.GetLogoutResponse(serializedResponse),

CIE.AspNetCore.Authentication/CIE.AspNetCore.Authentication/Helpers/OptionsHelper.cs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ internal static CieConfiguration CreateFromConfiguration(IConfiguration configur
4242
options.UseTokenLifetime = section.GetValue<bool?>("UseTokenLifetime") ?? false;
4343
options.SkipUnrecognizedRequests = section.GetValue<bool?>("SkipUnrecognizedRequests") ?? true;
4444
options.CacheIdpMetadata = section.GetValue<bool?>("CacheIdpMetadata") ?? false;
45-
options.SecurityLevel = section.GetValue<int?>("SecurityLevel") ?? 2;
45+
options.SecurityLevel = section.GetValue<int?>("SecurityLevel") ?? 3;
4646
var requestMethodParsed = Enum.TryParse<RequestMethod>(section.GetValue<string?>("RequestMethod"), out var requestMethod);
4747
options.RequestMethod = requestMethodParsed ? requestMethod : RequestMethod.Post;
4848
var certificateSection = section.GetSection("Certificate");

CIE.AspNetCore.Authentication/CIE.AspNetCore.Authentication/Saml/SamlHandler.cs

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -77,8 +77,8 @@ public static AuthnRequestType GetAuthnRequest(string requestId,
7777
Version = SamlConst.Version,
7878
IssueInstant = now.AddMinutes(nowDelta).ToString(dateTimeFormat),
7979
Destination = identityProvider.GetSingleSignOnServiceUrl(requestMethod),
80-
ForceAuthn = securityLevel > 1,
81-
ForceAuthnSpecified = securityLevel > 1,
80+
ForceAuthn = true,
81+
ForceAuthnSpecified = true,
8282
Issuer = new NameIDType
8383
{
8484
Value = entityId.Trim(),
@@ -356,10 +356,9 @@ public static void ValidateAuthnResponse(this ResponseType response, AuthnReques
356356
BusinessValidation.ValidationNotNull(response.GetAssertion().GetAuthnStatement().AuthnContext, ErrorFields.AuthnContext);
357357
BusinessValidation.ValidationNotNull(response.GetAssertion().GetAuthnStatement().AuthnContext.Items, ErrorFields.AuthnContext);
358358
BusinessValidation.ValidationNotNull(response.GetAssertion().GetAuthnStatement().AuthnContext.ItemsElementName, ErrorFields.AuthnContext);
359+
359360
BusinessValidation.ValidationCondition(() => response.GetAssertion().GetAuthnStatement().AuthnContext.GetAuthnContextClassRef() == null, string.Format(ErrorLocalization.NotSpecified, "AuthnStatement.AuthnContext.AuthnContextClassRef"));
360361
BusinessValidation.ValidationCondition(() => string.IsNullOrWhiteSpace(response.GetAssertion().GetAuthnStatement().AuthnContext.GetAuthnContextClassRef()), string.Format(ErrorLocalization.Missing, "AuthnStatement.AuthnContext.AuthnContextClassRef"));
361-
BusinessValidation.ValidationCondition(() => !response.GetAssertion().GetAuthnStatement().AuthnContext.GetAuthnContextClassRef().Equals(request.RequestedAuthnContext.Items[0]), string.Format(ErrorLocalization.ParameterNotValid, ErrorFields.AuthnContextClassRef));
362-
363362
BusinessValidation.ValidationCondition(() => !listAuthRefValid.Contains(response.GetAssertion().GetAuthnStatement().AuthnContext.GetAuthnContextClassRef()), string.Format(ErrorLocalization.ParameterNotValid, ErrorFields.AuthnContextClassRef));
364363

365364
var responseAuthnContextClassRefLevel = int.Parse(response.GetAssertion().GetAuthnStatement().AuthnContext.GetAuthnContextClassRef().Last().ToString());

CIE.AspNetCore.Authentication/CIE.AspNetCore.WebApp/appsettings.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@
4242
"AssertionConsumerServiceIndex": 0,
4343
"AttributeConsumingServiceIndex": 0,
4444
"Method": "Post",
45-
"SecurityLevel": 3
45+
"SecurityLevel": 2
4646
},
4747
"AllowedHosts": "*"
4848
}

0 commit comments

Comments
 (0)