Fix encode ADFS issue.

pitbulk · pitbulk · commit d960ec57659c · 2016-06-03T23:53:04.000+02:00
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
@@ -23,6 +23,8 @@ def prepare_django_request(request):
         'script_name': request.META['PATH_INFO'],
         'server_port': request.META['SERVER_PORT'],
         'get_data': request.GET.copy(),
+        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
+        # 'lowercase_urlencoding': True,
         'post_data': request.POST.copy()
     }
     return result
diff --git a/demo-flask/index.py b/demo-flask/index.py
@@ -28,6 +28,8 @@ def prepare_flask_request(request):
         'server_port': url_data.port,
         'script_name': request.path,
         'get_data': request.args.copy(),
+        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
+        # 'lowercase_urlencoding': True,
         'post_data': request.form.copy()
     }
 
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
@@ -386,7 +386,7 @@ def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Co
         return self.__build_signature(response_data, 'SAMLResponse', sign_algorithm)
 
     @staticmethod
-    def __build_sign_query(saml_data, relay_state, algorithm, saml_type):
+    def __build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_urlencoding=False):
         """
         Build sign query
 
@@ -401,12 +401,14 @@ def __build_sign_query(saml_data, relay_state, algorithm, saml_type):
 
         :param saml_type: The target URL the user should be redirected to
         :type saml_type: string  SAMLRequest | SAMLResponse
-        """
 
-        sign_data = ['%s=%s' % (saml_type, OneLogin_Saml2_Utils.escape_url(saml_data))]
+        :param lowercase_urlencoding: lowercase or no
+        :type lowercase_urlencoding: boolean
+        """
+        sign_data = ['%s=%s' % (saml_type, OneLogin_Saml2_Utils.escape_url(saml_data, lowercase_urlencoding))]
         if relay_state is not None:
-            sign_data.append('RelayState=%s' % OneLogin_Saml2_Utils.escape_url(relay_state))
-        sign_data.append('SigAlg=%s' % OneLogin_Saml2_Utils.escape_url(algorithm))
+            sign_data.append('RelayState=%s' % OneLogin_Saml2_Utils.escape_url(relay_state, lowercase_urlencoding))
+        sign_data.append('SigAlg=%s' % OneLogin_Saml2_Utils.escape_url(algorithm, lowercase_urlencoding))
         return '&'.join(sign_data)
 
     def __build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
@@ -502,10 +504,15 @@ def __validate_signature(self, data, saml_type):
             if isinstance(sign_alg, bytes):
                 sign_alg = sign_alg.decode('utf8')
 
+            lowercase_urlencoding = False
+            if 'lowercase_urlencoding' in self.__request_data.keys():
+                lowercase_urlencoding = self.__request_data['lowercase_urlencoding']
+
             signed_query = self.__build_sign_query(data[saml_type],
                                                    data.get('RelayState', None),
                                                    sign_alg,
-                                                   saml_type)
+                                                   saml_type,
+                                                   )
 
             if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
                                                              OneLogin_Saml2_Utils.b64decode(signature),
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -41,15 +41,23 @@ class OneLogin_Saml2_Utils(object):
 
     """
     @staticmethod
-    def escape_url(url):
+    def escape_url(url, lowercase_urlencoding=False):
         """
         escape the non-safe symbols in url
+        The encoding used by ADFS 3.0 is not compatible with
+        python's quote_plus (ADFS produces lower case hex numbers and quote_plus produces
+        upper case hex numbers)
         :param url: the url to escape
         :type url: str
+
+        :param lowercase_urlencoding: lowercase or no
+        :type lowercase_urlencoding: boolean
+
         :return: the escaped url
         :rtype str
         """
-        return quote_plus(url)
+        encoded = quote_plus(url)
+        return re.sub(r"%[A-F0-9]{2}", lambda m: m.group(0).lower(), encoded) if lowercase_urlencoding else encoded
 
     @staticmethod
     def b64encode(data):

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ def prepare_django_request(request):`
`23`	`23`	`'script_name': request.META['PATH_INFO'],`
`24`	`24`	`'server_port': request.META['SERVER_PORT'],`
`25`	`25`	`'get_data': request.GET.copy(),`
	`26`	`+ # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144`
	`27`	`+ # 'lowercase_urlencoding': True,`
`26`	`28`	`'post_data': request.POST.copy()`
`27`	`29`	`}`
`28`	`30`	`return result`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ def prepare_flask_request(request):`
`28`	`28`	`'server_port': url_data.port,`
`29`	`29`	`'script_name': request.path,`
`30`	`30`	`'get_data': request.args.copy(),`
	`31`	`+ # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144`
	`32`	`+ # 'lowercase_urlencoding': True,`
`31`	`33`	`'post_data': request.form.copy()`
`32`	`34`	`}`
`33`	`35`