From ee4d965a5d2329e9691059ddf08ab3a0a8f77330 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Oct 27 2015 16:14:12 +0000
Subject: Catch unsigned logout requests and raise a 400 for now
A 400 is still going to blow up the logout sequence but it is better than a 500 and at least tells the user what is wrong. This is most likely to be run into during initial SP testing and not in production.
https://fedorahosted.org/ipsilon/ticket/166
Signed-off-by: Rob Crittenden
Reviewed-by: Patrick Uiterwijk
---
diff --git a/ipsilon/providers/saml2/logout.py b/ipsilon/providers/saml2/logout.py
index b9b205c..f706c72 100644
--- a/ipsilon/providers/saml2/logout.py
+++ b/ipsilon/providers/saml2/logout.py
@@ -42,13 +42,18 @@ class LogoutRequest(ProviderPageBase):
 e, message)
 self.error(msg)
 raise UnknownProvider(msg)
+ except lasso.DsInvalidSigalgError as e:
+ msg = 'Invalid SAML Request: missing or invalid signature ' \
+ 'algorithm'
+ self.error(msg)
+ raise InvalidRequest(msg)
 except (lasso.ProfileInvalidProtocolprofileError,
- lasso.DsError), e:
+ lasso.DsError) as e:
 msg = 'Invalid SAML Request: %r (%r [%r])' % (logout.request,
 e, message)
 self.error(msg)
 raise InvalidRequest(msg)
- except lasso.Error, e:
+ except lasso.Error as e:
 self.error('SLO unknown error: %s' % message)
 raise cherrypy.HTTPError(400, 'Invalid logout request')
 
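Review bot: The new `except lasso.DsInvalidSigalgError as e:` branch binds `e` but never uses it, so unlike the neighbouring DsError branch the logged line carries neither the exception nor any hint of which request triggered it; either drop the `as e` or fold it in, e.g. `msg = 'Invalid SAML Request: missing or invalid signature algorithm (%r)' % e`. Ordering also matters here: if DsInvalidSigalgError is a subclass of lasso.DsError in the lasso bindings (I believe it is, worth confirming), the new branch must stay ahead of the `(ProfileInvalidProtocolprofileError, DsError)` branch as it does now, otherwise it would never fire. The method containing this try block begins outside the hunk.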
@@ -235,14 +240,18 @@ class LogoutRequest(ProviderPageBase): saml_sessions = self.cfg.idp.sessionfactory - if lasso.SAML2_FIELD_REQUEST in message: - self._handle_logout_request(us, logout, saml_sessions, message) - elif samlresponse: - self._handle_logout_response(us, logout, saml_sessions, message, - samlresponse) - else: - raise cherrypy.HTTPRedirect(400, 'Bad Request. Not a logout ' + - 'request or response.') + try: + if lasso.SAML2_FIELD_REQUEST in message: + self._handle_logout_request(us, logout, saml_sessions, + message) + elif samlresponse: + self._handle_logout_response(us, logout, saml_sessions, + message, samlresponse) + else: + raise cherrypy.HTTPError(400, 'Bad Request. Not a ' + + 'logout request or response.') + except InvalidRequest as e: + raise cherrypy.HTTPError(400, 'Bad Request. %s' % e) # Fall through to handle any remaining sessions.
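Review bot: The new `except InvalidRequest as e:` handler interpolates `e` into the 400 body, and the InvalidRequest messages raised from the DsError branch earlier in this file embed `%r` of `logout.request` and of the raw `message`, so the client-visible error page echoes back the decoded SAML request content and internal object reprs. That detail is already written to the log by `self.error(msg)` at the raise site, so the HTTP response can stay generic: `raise cherrypy.HTTPError(400, 'Bad Request. Invalid logout request')`. Note also that `UnknownProvider`, raised from the same parsing block, is not caught here and will presumably still surface as a 500 unless it is handled further up — worth confirming. The enclosing handler begins and ends outside the hunk.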