Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
2a8a4897
Commit
2a8a4897
authored
Oct 24, 2018
by
115100
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
saml/auth_hash: Allow 2FA bypass for SAML 2.0 responses
Closes gitlab-org/gitlab-ce/#53102.
parent
5726e51a
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
68 additions
and
1 deletion
+68
-1
lib/gitlab/auth/saml/auth_hash.rb
lib/gitlab/auth/saml/auth_hash.rb
+1
-1
spec/fixtures/authentication/saml2_response.xml
spec/fixtures/authentication/saml2_response.xml
+56
-0
spec/lib/gitlab/auth/saml/auth_hash_spec.rb
spec/lib/gitlab/auth/saml/auth_hash_spec.rb
+11
-0
No files found.
lib/gitlab/auth/saml/auth_hash.rb
View file @
2a8a4897
...
@@ -28,7 +28,7 @@ module Gitlab
...
@@ -28,7 +28,7 @@ module Gitlab
end
end
def
extract_authn_context
(
document
)
def
extract_authn_context
(
document
)
REXML
::
XPath
.
first
(
document
,
"//
saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef
/text()"
).
to_s
REXML
::
XPath
.
first
(
document
,
"//
*[name()='saml:AuthnStatement' or name()='saml2:AuthnStatement']/*[name()='saml:AuthnContext' or name()='saml2:AuthnContext']/*[name()='saml:AuthnContextClassRef' or name()='saml2:AuthnContextClassRef']
/text()"
).
to_s
end
end
end
end
end
end
...
...
spec/fixtures/authentication/saml2_response.xml
0 → 100644
View file @
2a8a4897
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
xmlns:saml2p=
"urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs=
"http://www.w3.org/2001/XMLSchema"
Destination=
"https://example.hello.com/access/saml"
ID=
"jVFQbyEpSfUwqhZtJtarIaGoshwuAQMDwLoiMhzJXsv"
InResponseTo=
"cfeooghajnhofcmogakmlhpkohnmikicnfhdnjlc"
IssueInstant=
"2011-06-21T13:54:38.661Z"
Version=
"2.0"
>
<saml2:Issuer
xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion"
>
https://idm.orademo.com
</saml2:Issuer>
<ds:Signature
xmlns:ds=
"http://www.w3.org/2000/09/xmldsig#"
>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"
/>
<ds:SignatureMethod
Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<ds:Reference
URI=
"#jVFQbyEpSfUwqhZtJtarIaGoshwuAQMDwLoiMhzJXsv"
>
<ds:Transforms>
<ds:Transform
Algorithm=
"http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
<ds:Transform
Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"
>
<ec:InclusiveNamespaces
xmlns:ec=
"http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=
"xs"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm=
"http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
uHuSry39P16Yh7srS32xESmj4Lw=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
fdghdfggfd=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
dfghjkl
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode
Value=
"urn:oasis:names:tc:SAML:2.0:status:Success"
/>
</saml2p:Status>
<saml2:Assertion
xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion"
ID=
"emmCjammnYdAbMWDuMAJeZvQIMBayeeYqqwvQoDclKE"
IssueInstant=
"2011-06-21T13:54:38.676Z"
Version=
"2.0"
>
<saml2:Issuer>
https://idm.orademo.com
</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format=
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier=
"idp.example.org"
>
someone@example.org
</saml2:NameID>
<saml2:SubjectConfirmation
Method=
"urn:oasis:names:tc:SAML:2.0:cm:bearer"
>
<saml2:SubjectConfirmationData
InResponseTo=
"cfeooghajnhofcmogakmlhpkohnmikicnfhdnjlc"
NotOnOrAfter=
"2011-06-21T14:09:38.676Z"
Recipient=
"https://example.hello.com/access/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions
NotBefore=
"2011-06-21T13:54:38.683Z"
NotOnOrAfter=
"2011-06-21T14:09:38.683Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>
hello.com
</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement
AuthnInstant=
"2011-06-21T13:54:38.685Z"
SessionIndex=
"perdkjfskdjfksdiertusfsdfsddeurtherukjdfgkdffg"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute
Name=
"FirstName"
>
<saml2:AttributeValue
xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:type=
"xs:string"
>
Someone
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name=
"LastName"
>
<saml2:AttributeValue
xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:type=
"xs:string"
>
Special
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
spec/lib/gitlab/auth/saml/auth_hash_spec.rb
View file @
2a8a4897
...
@@ -82,6 +82,17 @@ describe Gitlab::Auth::Saml::AuthHash do
...
@@ -82,6 +82,17 @@ describe Gitlab::Auth::Saml::AuthHash do
end
end
end
end
context
'with SAML 2.0 response_object'
do
before
do
auth_hash_data
[
:extra
][
:response_object
]
=
{
document:
saml_xml
(
File
.
read
(
'spec/fixtures/authentication/saml2_response.xml'
))
}
end
it
'can extract authn_context'
do
expect
(
saml_auth_hash
.
authn_context
).
to
eq
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
end
end
context
'without response_object'
do
context
'without response_object'
do
it
'returns an empty string'
do
it
'returns an empty string'
do
expect
(
saml_auth_hash
.
authn_context
).
to
be_nil
expect
(
saml_auth_hash
.
authn_context
).
to
be_nil
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment