Receive the GSSP SAMLResponse

1. To check the preconditions 2. To verify that the Subject NameID matches the SecondFactor Identifier used to start the authentication.
OpenConext · Oct 24, 2023 · 3775ae1 · 3775ae1
1 parent 011aec5
commit 3775ae1
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 12 deletions.
diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Controller/SecondFactorOnlyController.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Controller/SecondFactorOnlyController.php
@@ -124,7 +124,7 @@ public function respondAction(Request $request)
         }
 
         try {
-            $response = $this->getSecondFactorRespondService()->respond($responseContext);
+            $response = $this->getSecondFactorRespondService()->respond($responseContext, $request);
         } catch (InvalidSecondFactorMethodException $e) {
             throw new BadRequestHttpException($e->getMessage());
         }

diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Exception/RuntimeException.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Exception/RuntimeException.php
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * Copyright 2018 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupGateway\SecondFactorOnlyBundle\Exception;
+
+use RuntimeException as BaseRuntimeException;
+
+class RuntimeException extends BaseRuntimeException
+{
+
+}
diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Resources/config/services.yml b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Resources/config/services.yml
@@ -158,6 +158,8 @@ services:
             - "@second_factor_only.saml_response_factory"
             - "@gateway.service.second_factor_service"
             - "@surfnet_stepup.service.second_factor_type"
+            - "@gssp.provider_repository"
+            - "@second_factor_only.http.post_binding"
 
     second_factor_only.adfs_service:
         class: Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\AdfsService

diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/RespondService.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/RespondService.php
@@ -19,14 +19,19 @@
 namespace Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway;
 
 use SAML2\Response;
+use Surfnet\SamlBundle\Http\PostBinding;
 use Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger;
 use Surfnet\StepupBundle\Service\SecondFactorTypeService;
+use Surfnet\StepupBundle\Value\SecondFactorType;
 use Surfnet\StepupGateway\GatewayBundle\Saml\ResponseContext;
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService;
+use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Exception\InvalidSecondFactorMethodException;
+use Surfnet\StepupGateway\SecondFactorOnlyBundle\Exception\RuntimeException;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Saml\ResponseFactory;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\LoaAliasLookupService;
 use Surfnet\StepupBundle\Service\LoaResolutionService;
+use Symfony\Component\HttpFoundation\Request;
 
 class RespondService
 {
@@ -48,29 +53,30 @@ class RespondService
     /** @var SecondFactorTypeService */
     private $secondFactorTypeService;
 
-    /**
-     * SecondFactorRespondService constructor.
-     * @param SamlAuthenticationLogger $samlLogger
-     * @param LoaResolutionService $loaResolutionService
-     * @param LoaAliasLookupService $loaAliasLookupService
-     * @param ResponseFactory $responseFactory
-     * @param SecondFactorService $secondFactorService
-     * @param SecondFactorTypeService $secondFactorTypeService
-     */
+    /** @var ProviderRepository */
+    private $providerRepository;
+
+    /** @var PostBinding  */
+    private $postBinding;
+
     public function __construct(
         SamlAuthenticationLogger $samlLogger,
         LoaResolutionService $loaResolutionService,
         LoaAliasLookupService $loaAliasLookupService,
         ResponseFactory $responseFactory,
         SecondFactorService $secondFactorService,
-        SecondFactorTypeService $secondFactorTypeService
+        SecondFactorTypeService $secondFactorTypeService,
+        ProviderRepository $providerRepository,
+        PostBinding $postBinding
     ) {
         $this->samlLogger = $samlLogger;
         $this->loaResolutionService = $loaResolutionService;
         $this->loaAliasLookupService = $loaAliasLookupService;
         $this->responseFactory = $responseFactory;
         $this->secondFactorService = $secondFactorService;
         $this->secondFactorTypeService = $secondFactorTypeService;
+        $this->providerRepository = $providerRepository;
+        $this->postBinding = $postBinding;
     }
 
 
@@ -84,7 +90,7 @@ public function __construct(
      * @param ResponseContext $responseContext
      * @return Response
      */
-    public function respond(ResponseContext $responseContext)
+    public function respond(ResponseContext $responseContext, Request $request)
     {
         $originalRequestId = $responseContext->getInResponseTo();
         $logger = $this->samlLogger->forAuthentication($originalRequestId);
@@ -105,6 +111,31 @@ public function respond(ResponseContext $responseContext)
         }
 
         $secondFactor = $this->secondFactorService->findByUuid($selectedSecondFactorUuid);
+
+        $secondFactorType = new SecondFactorType($secondFactor->secondFactorType);
+        // When dealing with a GSSP response. It is advised to receive the SAML response through POST Binding,
+        // testing the preconditions.
+        if ($this->secondFactorTypeService->isGssf($secondFactorType)) {
+            $provider = $this->providerRepository->get($secondFactorType->getSecondFactorType());
+            // Receive the response via POST Binding, this will test all the regular pre-conditions
+            $samlResponse = $this->postBinding->processResponse(
+                $request,
+                $provider->getRemoteIdentityProvider(),
+                $provider->getServiceProvider()
+            );
+            $nameIdFromResponse = $samlResponse->getNameId()->getValue();
+            // Additionally test if the name id from the gssp matches the SF identifier that we have in state
+            if ($nameIdFromResponse !== $secondFactor->secondFactorIdentifier) {
+                throw new RuntimeException(
+                    sprintf(
+                        'The NameId from the GSSP (%s) did not match that of the Identity that vetted the selected ' .
+                        'Second Factor (%s). This might be an indication someone is tampering with a GSSP',
+                        $nameIdFromResponse,
+                        $secondFactor->secondFactorIdentifier
+                    )
+                );
+            }
+        }
         $grantedLoa = $this->loaResolutionService
             ->getLoaByLevel($secondFactor->getLoaLevel($this->secondFactorTypeService));