SAML2: render a comprehensible error page if something goes wrong

If an error happened while processing a SAML AuthN response, or a client
ends up doing a `GET` request to `/authn_response`, then render a
customisable error page rather than a confusing error.
This commit is contained in:
Brendan Abolivier 2020-03-10 13:49:11 +00:00
parent 14b2ebe767
commit 6b0efe73e2
No known key found for this signature in database
GPG Key ID: 1E015C145F1916CD
3 changed files with 62 additions and 2 deletions

View File

@ -27,6 +27,18 @@ DEFAULT_USER_MAPPING_PROVIDER = (
"synapse.handlers.saml_handler.DefaultSamlMappingProvider" "synapse.handlers.saml_handler.DefaultSamlMappingProvider"
) )
SAML2_ERROR_DEFAULT_HTML = """
<html>
<body>
<p>Oops! Something went wrong</p>
<p>
Try logging in again from the application and if the problem persists
please contact the administrator.
</p>
</body>
</html>
"""
def _dict_merge(merge_dict, into_dict): def _dict_merge(merge_dict, into_dict):
"""Do a deep merge of two dicts """Do a deep merge of two dicts
@ -160,6 +172,13 @@ class SAML2Config(Config):
saml2_config.get("saml_session_lifetime", "5m") saml2_config.get("saml_session_lifetime", "5m")
) )
if "error_html_path" in config:
self.saml2_error_html_content = self.read_file(
config["error_html_path"], "saml2_config.error_html_path",
)
else:
self.saml2_error_html_content = SAML2_ERROR_DEFAULT_HTML
def _default_saml_config_dict( def _default_saml_config_dict(
self, required_attributes: set, optional_attributes: set self, required_attributes: set, optional_attributes: set
): ):
@ -325,6 +344,13 @@ class SAML2Config(Config):
# The default is 'uid'. # The default is 'uid'.
# #
#grandfathered_mxid_source_attribute: upn #grandfathered_mxid_source_attribute: upn
# Path to a file containing HTML content to serve in case an error happens
# when the user gets redirected from the SAML IdP back to Synapse.
# If no file is provided, this defaults to some minimalistic HTML telling the
# user that something went wrong and they should try authenticating again.
#
#error_html_path: /path/to/static/content/saml_error.html
""" % { """ % {
"config_dir_path": config_dir_path "config_dir_path": config_dir_path
} }

View File

@ -23,6 +23,7 @@ from saml2.client import Saml2Client
from synapse.api.errors import SynapseError from synapse.api.errors import SynapseError
from synapse.config import ConfigError from synapse.config import ConfigError
from synapse.http.server import finish_request
from synapse.http.servlet import parse_string from synapse.http.servlet import parse_string
from synapse.module_api import ModuleApi from synapse.module_api import ModuleApi
from synapse.types import ( from synapse.types import (
@ -73,6 +74,8 @@ class SamlHandler:
# a lock on the mappings # a lock on the mappings
self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock) self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock)
self._error_html_content = hs.config.saml2_error_html_content
def handle_redirect_request(self, client_redirect_url): def handle_redirect_request(self, client_redirect_url):
"""Handle an incoming request to /login/sso/redirect """Handle an incoming request to /login/sso/redirect
@ -114,7 +117,22 @@ class SamlHandler:
# the dict. # the dict.
self.expire_sessions() self.expire_sessions()
try:
user_id = await self._map_saml_response_to_user(resp_bytes, relay_state) user_id = await self._map_saml_response_to_user(resp_bytes, relay_state)
except Exception as e:
# If decoding the response or mapping it to a user failed, then log the
# error and tell the user that something went wrong.
logger.error(e)
request.setResponseCode(400)
request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
request.setHeader(
b"Content-Length", b"%d" % (len(self._error_html_content),)
)
request.write(self._error_html_content.encode("utf8"))
finish_request(request)
return
self._auth_handler.complete_sso_login(user_id, request, relay_state) self._auth_handler.complete_sso_login(user_id, request, relay_state)
async def _map_saml_response_to_user(self, resp_bytes, client_redirect_url): async def _map_saml_response_to_user(self, resp_bytes, client_redirect_url):

View File

@ -14,7 +14,11 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from synapse.http.server import DirectServeResource, wrap_html_request_handler from synapse.http.server import (
DirectServeResource,
finish_request,
wrap_html_request_handler,
)
class SAML2ResponseResource(DirectServeResource): class SAML2ResponseResource(DirectServeResource):
@ -24,8 +28,20 @@ class SAML2ResponseResource(DirectServeResource):
def __init__(self, hs): def __init__(self, hs):
super().__init__() super().__init__()
self._error_html_content = hs.config.saml2_error_html_content
self._saml_handler = hs.get_saml_handler() self._saml_handler = hs.get_saml_handler()
async def _async_render_GET(self, request):
# We're not expecting any GET request on that resource if everything goes right,
# but some IdPs sometimes end up responding with a 302 redirect on this endpoint.
# In this case, just tell the user that something went wrong and they should
# try to authenticate again.
request.setResponseCode(400)
request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
request.setHeader(b"Content-Length", b"%d" % (len(self._error_html_content),))
request.write(self._error_html_content.encode("utf8"))
finish_request(request)
@wrap_html_request_handler @wrap_html_request_handler
async def _async_render_POST(self, request): async def _async_render_POST(self, request):
return await self._saml_handler.handle_saml_response(request) return await self._saml_handler.handle_saml_response(request)