feat(vulnerablesp): redirect to home page if not authorized

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+.aider*

docker-compose.yml

@@ -4,7 +4,33 @@ services:
     build: vulnerableidp
     ports:
       - "80:80"
+    environment:
+      - SP_HOST=localhost:8000
+      - IDP_HOST=localhost
+
   sp:
     build: vulnerablesp
     ports:
       - "8000:8000"
+    environment:
+      - SP_HOST=localhost:8000
+      - IDP_HOST=localhost
+
+# services:
+#   idp:
+#     build: vulnerableidp
+#     ports:
+#       - "80:80"
+#     environment:
+#       - SP_HOST=sp.domain.com
+#       - IDP_HOST=idp.domain.com
+#       - USE_HTTPS=1
+
+#   sp:
+#     build: vulnerablesp
+#     ports:
+#       - "8000:8000"
+#     environment:
+#       - SP_HOST=sp.domain.com
+#       - IDP_HOST=idp.domain.com
+#       - USE_HTTPS=1

vulnerableidp/Dockerfile

@@ -24,5 +24,8 @@ ADD loginuserpass.php /usr/share/simplesamlphp/modules/core/templates/
 ADD welcome.png /usr/share/simplesamlphp/www/resources/
 EXPOSE 80
 
+COPY ./start.sh /start.sh
+RUN chmod +x /start.sh
+
 # Start the web service
-CMD ["apache2ctl", "-D", "FOREGROUND"]
+CMD ["/bin/bash", "/start.sh"]

vulnerableidp/saml20-idp-hosted.php

@@ -5,7 +5,7 @@
  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
  */
 
-$metadata['__DYNAMIC:1__'] = array(
+$metadata['http://127.0.0.1/simplesamlphp/saml2/idp/metadata.php'] = array(
         /*
          * The hostname of the server (VHOST) that will use this SAML entity.
          *

vulnerableidp/saml20-sp-remote.php

@@ -1,37 +1,12 @@
 <?php
-/**
- * SAML 2.0 remote SP metadata for SimpleSAMLphp.
- *
- * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
- */
 
-/*
- * Example SimpleSAMLphp SAML 2.0 SP
- */
-$metadata['https://saml2sp.example.org'] = array(
-        'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
-        'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
-);
-
-/*
- * This example shows an example config that works with G Suite (Google Apps) for education.
- * What is important is that you have an attribute in your IdP that maps to the local part of the email address
- * at G Suite. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com, then you
- * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
- */
-$metadata['google.com'] = array(
-        'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
-        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-        'simplesaml.nameidattribute' => 'uid',
-        'simplesaml.attributes' => FALSE,
-);
 
-$metadata['http://127.0.0.1:8000/metadata/'] = array (
+$metadata['http://127.0.0.1:8000/metadata'] = array (
         'AssertionConsumerService' => 'http://127.0.0.1:8000/?acs',
         'SingleLogoutService' => 'http://127.0.0.1:8000/?sls',
 );
 
-$metadata['http://127.0.0.1:8000/metadata'] = array (
+$metadata['http://127.0.0.1:8000/metadata/'] = array (
         'AssertionConsumerService' => 'http://127.0.0.1:8000/?acs',
         'SingleLogoutService' => 'http://127.0.0.1:8000/?sls',
 );

vulnerableidp/start.sh

@@ -1,4 +1,24 @@
 #!/bin/bash
 
+# Replace 127.0.0.1:8000 with SP_HOST in source files
+if [ -n "$SP_HOST" ]; then
+  echo "Replacing 127.0.0.1:8000 with $SP_HOST"
+  find /usr/share/simplesamlphp /etc/simplesamlphp/ -type f -exec sed -i "s|127.0.0.1:8000|$SP_HOST|g" {} +
+fi
+
+# Replace 127.0.0.1 with IDP_HOST in source files
+if [ -n "$IDP_HOST" ]; then
+  echo "Replacing 127.0.0.1 with $IDP_HOST"
+  find /usr/share/simplesamlphp /etc/simplesamlphp/ -type f -exec sed -i "s|127.0.0.1|$IDP_HOST|g" {} +
+fi
+
+if [ -n "$USE_HTTPS" ]; then
+  echo "Replacing http://$SP_HOST with https://$SP_HOST"
+  find /usr/share/simplesamlphp /etc/simplesamlphp/ -type f -exec sed -i "s|http://$SP_HOST|https://$SP_HOST|g" {} +
+
+  echo "Replacing http://$IDP_HOST with https://$IDP_HOST"
+  find /usr/share/simplesamlphp /etc/simplesamlphp/ -type f -exec sed -i "s|http://$IDP_HOST|https://$IDP_HOST|g" {} +
+fi
+
 a2enconf simplesamlphp
-apache2ctl -D FOREGROUND
+apache2ctl -D FOREGROUND

vulnerablesp/Dockerfile

@@ -1,20 +1,20 @@
-FROM ubuntu:bionic
-
-RUN apt-get update -y
-RUN apt-get install -y python2.7 python2.7-dev libxmlsec1 libxmlsec1-dev git python-pip python-dev build-essential nginx
-RUN pip install --upgrade pip
-RUN pip install -U setuptools
-
-COPY . /vulnerableSP
-WORKDIR /vulnerableSP
-
-RUN pip install uwsgi
-RUN pip install -r requirements.txt
-
-RUN python /vulnerableSP/setup.py install
-
-EXPOSE 8000
-
-WORKDIR /vulnerableSP/yogiSP
-#CMD ["python", "index.py"]
-CMD ["uwsgi", "--ini", "vulnsp.ini"]
+FROM ubuntu:bionic
+
+RUN apt-get update -y
+RUN apt-get install -y python2.7 python2.7-dev libxmlsec1 libxmlsec1-dev git python-pip python-dev build-essential nginx
+RUN pip install --upgrade pip
+RUN pip install -U setuptools
+RUN pip install uwsgi
+
+RUN mkdir /vulnerableSP
+WORKDIR /vulnerableSP
+COPY ./requirements.txt /vulnerableSP/requirements.txt
+RUN pip install -r requirements.txt
+
+COPY . /vulnerableSP
+RUN chmod +x /vulnerableSP/start.sh
+
+
+EXPOSE 8000
+
+CMD ["/bin/bash", "/vulnerableSP/start.sh"]

vulnerablesp/src/onelogin/saml2/response.py

@@ -221,7 +221,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 for issuer in issuers:
                     if issuer is None or issuer != idp_entity_id:
                         raise OneLogin_Saml2_ValidationError(
-                            'Invalid issuer in the Assertion/Response',
+                            'Invalid issuer in the Assertion/Response. Issuer: %s, IdP Entity ID: %s' % (issuer, idp_entity_id),
                             OneLogin_Saml2_ValidationError.WRONG_ISSUER
                         )
 

vulnerablesp/start.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+
+# Replace 127.0.0.1:8000 with SP_HOST in source files
+if [ -n "$SP_HOST" ]; then
+  find /vulnerableSP -type f -exec sed -i "s/127.0.0.1:8000/$SP_HOST/g" {} +
+fi
+
+# Replace 127.0.0.1 with IDP_HOST in source files
+if [ -n "$IDP_HOST" ]; then
+  find /vulnerableSP -type f -exec sed -i "s/127.0.0.1/$IDP_HOST/g" {} +
+fi
+
+if [ -n "$USE_HTTPS" ]; then
+  echo "Replacing http://$SP_HOST with https://$SP_HOST"
+  find /vulnerableSP -type f -exec sed -i "s|http://$SP_HOST|https://$SP_HOST|g" {} +
+
+  echo "Replacing http://$IDP_HOST with https://$IDP_HOST"
+  find /vulnerableSP -type f -exec sed -i "s|http://$IDP_HOST|https://$IDP_HOST|g" {} +
+fi
+
+
+cd /vulnerableSP/
+python /vulnerableSP/setup.py install
+cd /vulnerableSP/yogiSP
+uwsgi --ini vulnsp.ini

vulnerablesp/yogiSP/templates/401.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="ru">
+
+<head>
+    <meta charset="UTF-8">
+    <title>401 Unauthorized</title>
+</head>
+
+<body>
+    <h1>401 Unauthorized</h1>
+    <a href="/">Back to home page</a>
+</body>
+
+</html>