From 7a467573a9ee47c84aa7d4e3e2e5b409cfe55c9f Mon Sep 17 00:00:00 2001 From: David Baker Date: Tue, 11 Jun 2019 19:18:29 +0100 Subject: Some (partially) auth0 specific saml hacks * Keep track of in-flight auth requests (in an awful way) * auth0 specific attribute --- synapse/app/homeserver.py | 1 + synapse/rest/client/v1/login.py | 3 +++ synapse/rest/saml2/response_resource.py | 10 ++++++---- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index df524a23dd..d6ffe8e9b7 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py @@ -378,6 +378,7 @@ def setup(config_options): logger.info("Database prepared in %s.", config.database_config['name']) + hs.samlreqs = {} hs.setup() hs.setup_master() diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index 1a886cbbbf..3fab4beaad 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -504,11 +504,14 @@ class SAMLRedirectServlet(BaseSsoRedirectServlet): def __init__(self, hs): self._saml_client = hs.get_saml_client() + self.samlreqs = hs.samlreqs def get_sso_url(self, client_redirect_url): reqid, info = self._saml_client.prepare_for_authenticate( relay_state=client_redirect_url, ) + logger.info("prepared to auth - reqid: %r, info: %r, client redirect uri: %r", reqid, info, client_redirect_url) + self.samlreqs[reqid] = client_redirect_url for key, value in info['headers']: if key == 'Location': diff --git a/synapse/rest/saml2/response_resource.py b/synapse/rest/saml2/response_resource.py index 36ca1333a8..9aa04e6770 100644 --- a/synapse/rest/saml2/response_resource.py +++ b/synapse/rest/saml2/response_resource.py @@ -37,6 +37,7 @@ class SAML2ResponseResource(Resource): Resource.__init__(self) self._saml_client = hs.get_saml_client() self._sso_auth_handler = SSOAuthHandler(hs) + self.samlreqs = hs.samlreqs def render_POST(self, request): self._async_render_POST(request) 
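Review bot: `hs.samlreqs = {}` is an ad-hoc attribute bolted onto the HomeServer from inside `setup()` rather than declared on the class, and both constructors in this commit read `hs.samlreqs` unconditionally, so any code path that builds a HomeServer without passing through this line (other entry points, tests — I cannot see them from here) would fail with AttributeError in `SAMLRedirectServlet.__init__` or `SAML2ResponseResource.__init__`. Prefer initialising it on the HomeServer class or behind a `get_saml_outstanding_requests()` accessor so the dependency is explicit and discoverable. The enclosing `setup()` starts and ends outside the hunk.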
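Review bot: `self.samlreqs[reqid] = client_redirect_url` in `get_sso_url` grows a process-wide dict on every hit of an unauthenticated endpoint and nothing in this commit ever expires an entry, so abandoned or scripted redirect requests accumulate until the process restarts (a memory-exhaustion vector); whether pysaml2 deletes the entry when the matching response is consumed depends on the library version — confirm — and it cannot help for responses that never arrive. Store at least `(client_redirect_url, time)` per request id and prune entries older than a few minutes (or cap the dict) at insertion time. The new `logger.info(...)` also dumps the full `info` structure and the caller-supplied `client_redirect_url` at INFO on every request; `logger.debug` is sufficient and keeps attacker-controlled URLs out of default logs. `get_sso_url` continues past the hunk.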
@@ -50,6 +51,7 @@ class SAML2ResponseResource(Resource): try: saml2_auth = self._saml_client.parse_authn_request_response( resp_bytes, saml2.BINDING_HTTP_POST, + outstanding=self.samlreqs, ) except Exception as e: logger.warning("Exception parsing SAML2 response", exc_info=1) @@ -60,12 +62,12 @@ class SAML2ResponseResource(Resource): if saml2_auth.not_signed: raise CodeMessageException(400, "SAML2 response was not signed") - if "uid" not in saml2_auth.ava: - raise CodeMessageException(400, "uid not in SAML2 response") + if "http://schemas.auth0.com/name" not in saml2_auth.ava: + raise CodeMessageException(400, "name not in SAML2 response") - username = saml2_auth.ava["uid"][0] + username = saml2_auth.ava["http://schemas.auth0.com/name"][0] - displayName = saml2_auth.ava.get("displayName", [None])[0] + displayName = saml2_auth.ava.get("http://schemas.auth0.com/nickname", [None])[0] return self._sso_auth_handler.on_successful_auth( username, request, relay_state, user_display_name=displayName, -- cgit 1.4.1
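Review bot: Passing `outstanding=self.samlreqs` ties the InResponseTo check to one process's memory: a response that lands on a different worker, or after a restart, will not find its request id and is rejected, while the check is skipped entirely if the SP config sets `allow_unsolicited` — confirm what the deployed pysaml2 version does in each case. A comment on this line should record both caveats, e.g. `# outstanding is per-process and unpersisted; responses without a matching request id are rejected unless sp_config allows unsolicited ones`. Rejections currently surface through the existing broad `except Exception` as a generic parse warning, so consider catching pysaml2's unsolicited-response error separately and logging the offending InResponseTo, which makes replayed or forged responses distinguishable from malformed ones. `_async_render_POST` starts before the hunk.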
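Review bot: The username is now derived from the `http://schemas.auth0.com/name` claim, which — if it carries the user's display name rather than a stable, IdP-enforced unique identifier — lets a name change or a second account with the same name map onto an existing Matrix user; confirm which claim auth0 guarantees unique here (the subject or user-id claim is the usual choice) and make the hard-coded attribute URIs a config value rather than literals. The presence check does not guard against an empty value list, so `saml2_auth.ava[...][0]` can raise IndexError and turn a bad assertion into a 500 instead of a 400; `values = saml2_auth.ava.get("http://schemas.auth0.com/name")` / `if not values: raise CodeMessageException(400, "name not in SAML2 response")` / `username = values[0]` covers both cases. Note also that the post-login redirect target is still `relay_state` (parsed outside this hunk) rather than the `client_redirect_url` recorded for this request id, so the new bookkeeping does not yet validate where the user is sent; if the pysaml2 in use sets `came_from` on a matched id, that is the value to prefer here.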