zulip/zproject
Mateusz Mandera 158287f998 saml: Set wantMessagesSigned to True only for processing LogoutRequests.
Having wantMessagesSigned=True globally means that it's also applied by
python3-saml to regular authentication SAMLResponses - making it require
the response to be signed, which is an issue because a feasible
alternative way that some IdPs (e.g. AzureAD) take by default is to sign
specifically the assertions in the SAMLResponse. This is also secure,
and thus we generally want to accept it.

Without this, the setting of wantMessagesSigned=True globally
in 4105ccdb17 causes a
regression for deployments that have already set up SAML with providers
such as AzureAD, making Zulip stop accepting the SAMLResponses.

Testing that this new logic works is handled by
test_saml_idp_initiated_logout_invalid_signature, which verifies that a
LogoutRequest without signature will be rejected.
2021-12-06 11:01:00 -08:00
jinja2 refactor: Rename and move app_filters.py. 2021-06-11 07:43:22 -07:00
__init__.py Rename Django project to zproject. 2013-08-07 11:04:03 -04:00
backends.py saml: Set wantMessagesSigned to True only for processing LogoutRequests. 2021-12-06 11:01:00 -08:00
computed_settings.py saml: Set wantMessagesSigned to True only for processing LogoutRequests. 2021-12-06 11:01:00 -08:00
config.py sentry: Set environment from machine.deploy_type config. 2021-07-15 15:01:43 -07:00
configured_settings.py python: Sort imports with isort. 2020-06-11 16:45:32 -07:00
default_settings.py deletion: Preserve deleted objects for 30 days rather than 7. 2021-11-17 18:03:31 -08:00
dev_settings.py auth: Add support for using SCIM for account management. 2021-10-14 12:29:10 -07:00
dev_urls.py typing: Fix function signatures with django-stubs. 2021-08-20 06:02:55 -07:00
email_backends.py zproject: Fix typing errors under the zproject directory. 2021-08-20 05:54:19 -07:00
legacy_urls.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
prod_settings_template.py rate_limit: Add a flag to lump all TOR exit node IPs together. 2021-11-16 11:42:00 -08:00
prod_settings.pyi zproject: Add prod_settings mypy stub, aliasing prod_settings_template. 2021-07-05 09:53:41 -07:00
sentry.py sentry: Increase shutdown_timeout from 2s to 10s. 2021-11-08 18:11:47 -08:00
settings.py python: Add noqa comments for the specific star imports we allow. 2020-06-11 15:36:43 -07:00
terms.md.template docs: Capitalize Markdown consistently. 2020-08-11 10:23:06 -07:00
test_extra_settings.py settings: Add rate limiting for email address changes. 2021-11-04 20:34:39 -07:00
test_settings.py test_settings: Use TEST_EXTERNAL_HOST to override ‘testserver’ default. 2020-12-17 13:07:59 -08:00
urls.py CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath. 2021-12-01 23:14:04 +00:00
wsgi.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00