Merge pull request #297 from wreiner/master

Fix sharepoint saml auth issue #272

Author: vgrem

office365/runtime/auth/providers/saml_token_provider.py

@@ -1,6 +1,11 @@
 import os
 import uuid
 from xml.etree import ElementTree
+import xml.dom.minidom as minidom
+from urllib.parse import urlparse
+
+from datetime import datetime, timezone, timedelta
+
 
 import requests
 import requests.utils
@@ -106,40 +111,35 @@ def get_last_error(self):
 
     def acquire_service_token_from_adfs(self, adfs_url, username, password):
         logger = self.logger(self.acquire_service_token_from_adfs.__name__)
+
+        now = datetime.now(tz=timezone.utc)
+        created = now.astimezone(timezone.utc).isoformat('T')[:-9]+'Z'
+        expires = (now + timedelta(minutes=10)).astimezone(timezone.utc).isoformat('T')[:-9]+'Z'
+
         payload = self._prepare_request_from_template('FederatedSAML.xml', {
             'auth_url': adfs_url,
+            'message_id': str(uuid.uuid4()),
             'username': username,
             'password': password,
-            'message_id': str(uuid.uuid4()),
-            'created': self.__sts_profile.created,
-            'expires': self.__sts_profile.expires,
+            'created': created,
+            'expires': expires,
             'issuer': self.__sts_profile.federationTokenIssuer
         })
+
         response = requests.post(adfs_url, data=payload,
                                  headers={'Content-Type': 'application/soap+xml; charset=utf-8'})
+        dom = minidom.parseString(response.content.decode())
+        assertion_node = dom.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", 'Assertion')[0].toxml()
+
         try:
-            xml = ElementTree.fromstring(response.content)
-            # 1.find assertion
-            assertion_node = xml.find(
-                '{0}Body/{1}RequestSecurityTokenResponse/{1}RequestedSecurityToken/{2}Assertion'.format(
-                    self.__ns_prefixes['s'], self.__ns_prefixes['wst'], self.__ns_prefixes['saml']))
-            if assertion_node is None:
-                self.error = 'Cannot get security assertion for user {0} from {1}'.format(username, adfs_url)
-                logger.error(self.error)
-                return None
-            # 2. prepare & submit token request
-            self.__sts_profile.signInPage = '_vti_bin/idcrl.svc/'
-            self.__sts_profile.securityTokenServicePath = 'rst2.srf'
-            template = self._prepare_request_from_template('RST2.xml', {
-                'auth_url': self.__sts_profile.authorityUrl,
-                'serviceTokenUrl': self.__sts_profile.security_token_service_url
+            self.tenant = urlparse(self.__sts_profile.authorityUrl).netloc
+
+            payload = self._prepare_request_from_template('RST2.xml', {
+                'auth_url': self.tenant,
+                'serviceTokenUrl': self.__sts_profile.security_token_service_url,
+                'assertion_node': assertion_node
             })
-            template_xml = ElementTree.fromstring(template)
-            security_node = template_xml.find(
-                '{0}Header/{1}Security'.format(self.__ns_prefixes['s'], self.__ns_prefixes['wsse']))
 
-            security_node.insert(1, assertion_node)
-            payload = ElementTree.tostring(template_xml).decode()
             # 3. get token
             response = requests.post(self.__sts_profile.security_token_service_url, data=payload,
                                      headers={'Content-Type': 'application/soap+xml'})
@@ -212,6 +212,7 @@ def _acquire_authentication_cookie(self, security_token, federated=False):
         :type security_token: str
         """
         logger = self.logger(self._acquire_authentication_cookie.__name__)
+
         session = requests.session()
         logger.debug_secrets("session: %s\nsession.post(%s, data=%s)", session, self.__sts_profile.signin_page_url,
                              security_token)
@@ -222,7 +223,8 @@ def _acquire_authentication_cookie(self, security_token, federated=False):
                          headers={'Content-Type': 'application/x-www-form-urlencoded'})
         else:
             self._auth_cookies['SPOIDCRL'] = None
-            session.get(self.__sts_profile.signin_page_url,
+            idcrlEndpoint = "https://{}/_vti_bin/idcrl.svc/".format(self.tenant)
+            session.get(idcrlEndpoint,
                         headers={
                             'User-Agent': 'Office365 Python Client',
                             'X-IDCRL_ACCEPTED': 't',

office365/runtime/auth/providers/templates/FederatedSAML.xml

@@ -4,22 +4,32 @@
         <wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
         <wsa:To s:mustUnderstand="1">{auth_url}</wsa:To>
         <wsa:MessageID>{message_id}</wsa:MessageID>
+        <ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
+            <ps:HostingApp>Managed IDCRL</ps:HostingApp>
+            <ps:BinaryVersion>6</ps:BinaryVersion>
+            <ps:UIVersion>1</ps:UIVersion>
+            <ps:Cookies></ps:Cookies>
+            <ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
+        </ps:AuthInfo>
         <wsse:Security>
             <wsse:UsernameToken wsu:Id="user">
                 <wsse:Username>{username}</wsse:Username>
                 <wsse:Password>{password}</wsse:Password>
             </wsse:UsernameToken>
+            <wsu:Timestamp Id="Timestamp">
+                <wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>
+            </wsu:Timestamp>
         </wsse:Security>
     </s:Header>
     <s:Body>
         <wst:RequestSecurityToken Id="RST0">
             <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
             <wsp:AppliesTo>
                 <wsa:EndpointReference>
-                    <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
+                    <wsa:Address>{issuer}</wsa:Address>
                 </wsa:EndpointReference>
             </wsp:AppliesTo>
             <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
         </wst:RequestSecurityToken>
     </s:Body>
-</s:Envelope>
+</s:Envelope>

office365/runtime/auth/providers/templates/RST2.xml

@@ -1,28 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" 
+    <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
-    xmlns:wsa="http://www.w3.org/2005/08/addressing" 
+    xmlns:wsa="http://www.w3.org/2005/08/addressing"
     xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
     <S:Header>
         <wsa:Action S:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
-        <wsa:To S:mustUnderstand="1">https://login.microsoftonline.com/rst2.srf</wsa:To>
+        <wsa:To S:mustUnderstand="1">{serviceTokenUrl}</wsa:To>
         <ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/LiveID/SoapServices/v1" Id="PPAuthInfo">
             <ps:BinaryVersion>5</ps:BinaryVersion>
             <ps:HostingApp>Managed IDCRL</ps:HostingApp>
         </ps:AuthInfo>
-        <wsse:Security></wsse:Security>
+        <wsse:Security>{assertion_node}</wsse:Security>
     </S:Header>
     <S:Body>
         <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" Id="RST0">
             <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
             <wsp:AppliesTo>
                 <wsa:EndpointReference>
-                    <wsa:Address>sharepoint.com</wsa:Address>
+                    <wsa:Address>{auth_url}</wsa:Address>
                 </wsa:EndpointReference>
             </wsp:AppliesTo>
             <wsp:PolicyReference URI="MBI"></wsp:PolicyReference>
         </wst:RequestSecurityToken>
     </S:Body>
-</S:Envelope>
+    </S:Envelope>