Fix signing for requests with the soap binding

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
author: Ivan Kanakarakis <ivan.kanak@gmail.com> 2021-11-22 02:23:18 +0200
committer: Ivan Kanakarakis <ivan.kanak@gmail.com> 2021-11-22 02:23:58 +0200
commit: 44d967d264609f12ab648d1c3be6e3a166185dcf (patch)
tree: 5911d2e2663dcf22f5c6fdeb0985163b8d880797
parent: 937c866e901d27d30c40942e370e30e272301c2c (diff)
download: pysaml2-44d967d264609f12ab648d1c3be6e3a166185dcf.tar.gz
2 files changed, 7 insertions, 10 deletions
diff --git a/src/saml2/client.py b/src/saml2/client.py
index 5f82c6bc..e8642dfa 100644
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -152,8 +152,8 @@ class Saml2Client(Base):
             # XXX   ^through self.create_authn_request(...)
             # XXX - sign_redirect will add the signature to the query params
             # XXX   ^through self.apply_binding(...)
-            sign_post = False if binding == BINDING_HTTP_REDIRECT else sign
-            sign_redirect = False if binding == BINDING_HTTP_POST and sign else sign
+            sign_redirect = sign and binding == BINDING_HTTP_REDIRECT
+            sign_post = sign and not sign_redirect
 
             reqid, request = self.create_authn_request(
                 destination=destination,
@@ -318,10 +318,8 @@ class Saml2Client(Base):
                 session_indexes = None
 
             sign = sign if sign is not None else self.logout_requests_signed
-            sign_post = sign and (
-                binding == BINDING_HTTP_POST or binding == BINDING_SOAP
-            )
             sign_redirect = sign and binding == BINDING_HTTP_REDIRECT
+            sign_post = sign and not sign_redirect
 
             log_report = {
                 "message": "Invoking SLO on entity",
diff --git a/src/saml2/request.py b/src/saml2/request.py
index 200a1ff8..787af78f 100644
--- a/src/saml2/request.py
+++ b/src/saml2/request.py
@@ -2,7 +2,6 @@ import logging
 
 from saml2 import time_util
 from saml2 import BINDING_HTTP_REDIRECT
-from saml2 import BINDING_HTTP_POST
 from saml2.attribute_converter import to_local
 from saml2.s_utils import OtherError
 
@@ -55,22 +54,22 @@ class Request(object):
         logger.debug("xmlstr: %s, relay_state: %s, sigalg: %s, signature: %s",
                      self.xmlstr, relay_state, sigalg, signature)
 
-        signed_post = must and binding == BINDING_HTTP_POST
-        signed_redirect = must and binding == BINDING_HTTP_REDIRECT
+        sign_redirect = must and binding == BINDING_HTTP_REDIRECT
+        sign_post = must and not sign_redirect
         incorrectly_signed = IncorrectlySigned("Request was not signed correctly")
 
         try:
             self.message = self.signature_check(
                 xmldata,
                 origdoc=origdoc,
-                must=signed_post,
+                must=sign_post,
                 only_valid_cert=only_valid_cert,
             )
         except Exception as e:
             self.message = None
             raise incorrectly_signed from e
 
-        if signed_redirect:
+        if sign_redirect:
             if sigalg is None or signature is None:
                 raise incorrectly_signed
author	Ivan Kanakarakis <ivan.kanak@gmail.com>	2021-11-22 02:23:18 +0200
committer	Ivan Kanakarakis <ivan.kanak@gmail.com>	2021-11-22 02:23:58 +0200
commit	44d967d264609f12ab648d1c3be6e3a166185dcf (patch)
tree	5911d2e2663dcf22f5c6fdeb0985163b8d880797
parent	937c866e901d27d30c40942e370e30e272301c2c (diff)
download	pysaml2-44d967d264609f12ab648d1c3be6e3a166185dcf.tar.gz