From 5f6cacc8592750e6fcfdaef6b3dd23c5cd4f5ce4 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Wed, 4 Aug 2021 12:54:38 -0400
Subject: [PATCH] fix(saml): add XSRF-TOKEN cookie in valid SAML login

---
 Documentation/SOGoInstallationGuide.asciidoc | 19 +++++++---------
 UI/MainUI/SOGoSAML2Actions.m | 24 ++++++++++++++++----
 2 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/Documentation/SOGoInstallationGuide.asciidoc b/Documentation/SOGoInstallationGuide.asciidoc
index 047271e4d..aa4149f82 100644
--- a/Documentation/SOGoInstallationGuide.asciidoc
+++ b/Documentation/SOGoInstallationGuide.asciidoc
@@ -1374,14 +1374,12 @@ connection properly.
 Authenticating using SAML2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-SOGo natively supports SAML2 authentication. Please refer to the
-documentation of your identity provider and the SAML2 configuration keys
-that are listed above for proper setup. Make sure
-_SOGoXSRFValidationEnabled_ is set to `NO`. Once a SOGo instance is
-configured properly, the metadata for that instance can be retrieved
-from `http:///SOGo/saml2-metadata` for registration with the
-identity provider. SOGo will dynamically generate the metadata based on
-the SOGoSAML2CertificateLocation's content and the SOGo server name.
+SOGo natively supports SAML2 authentication. Please refer to the documentation of your identity
+provider and the SAML2 configuration keys that are listed above for proper setup. Once a SOGo
+instance is configured properly, the metadata for that instance can be retrieved from
+`http:///SOGo/saml2-metadata` for registration with the identity provider. SOGo will
+dynamically generate the metadata based on the SOGoSAML2CertificateLocation's content and the SOGo
+server name.
 
 When using https://simplesamlphp.org/[SimpleSAMLphp], make sure the convert OID to names by modifying your
@@ -3138,9 +3136,8 @@ current version of SOGo from the previous release.
 [cols="100a"]
 |=======================================================================
 h|5.1.0
-|The XSRF protection is now enabled by default in SOGo. If you use a single
-sign-on mechanisim such as C.A.S. or SAML2, you need to disable XSRF by adding
-`SOGoXSRFValidationEnabled = NO` to your configuration file.
+|The XSRF protection is now enabled by default in SOGo. If you use the C.A.S. mechanisim, you need
+to disable XSRF by adding `SOGoXSRFValidationEnabled = NO` to your configuration file.
 
 h|5.0.0
 |Peer is now verified for TLS connections (SMTP/IMAP/Sieve). If you enabled
diff --git a/UI/MainUI/SOGoSAML2Actions.m b/UI/MainUI/SOGoSAML2Actions.m
index 1d4eb1e33..1f3a48485 100644
--- a/UI/MainUI/SOGoSAML2Actions.m
+++ b/UI/MainUI/SOGoSAML2Actions.m
@@ -1,6 +1,6 @@
 /* SOGoSAML2Actions.m - this file is part of SOGo
 *
- * Copyright (C) 2012-2014 Inverse inc
+ * Copyright (C) 2012-2021 Inverse inc
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -28,6 +28,7 @@
 #import
 #import
+#import
 #import
 #import
 #import
@@ -159,10 +160,14 @@
 WOResponse *response;
 SoApplication *application;
 SOGoSAML2Session *newSession;
- WOCookie *authCookie;
+ WOCookie *authCookie, *xsrfCookie;
+ NSArray *creds;
 NSString *login, *oldLocation, *newLocation;
 SOGoWebAuthenticator *auth;
 
+ response = [context response];
+ [response setHeader: @"text/plain; charset=utf-8"
+ forKey: @"content-type"];
 rq = [context request];
 if ([[rq method] isEqualToString: @"POST"])
 {
@@ -176,17 +181,26 @@
 andPassword: [newSession identifier]
 inContext: context];
 
+ // We prepare the XSRF protection cookie
+ creds = [auth parseCredentials: [authCookie value]];
+ xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
+ value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+ [xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
+ [response addCookie: xsrfCookie];
+
 oldLocation = [[context clientObject] baseURLInContext: context];
 newLocation = [NSString stringWithFormat: @"%@/%@",
 oldLocation, [login stringByEscapingURL]];
 
- response = [context response];
 [response setStatus: 302];
- [response setHeader: @"text/plain; charset=utf-8"
- forKey: @"content-type"];
 [response setHeader: newLocation forKey: @"location"];
 [response addCookie: authCookie];
 }
+ else
+ {
+ [response setStatus: 500];
+ [response appendContentString: @"Missing POST"];
+ }
 
 return response;
 }
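Review bot: The new `else` branch answers a non-POST request with status 500, which reports a server fault for what is a client-side method error; `[response setStatus: 405];` (Method Not Allowed) describes the condition and keeps 500s meaningful when monitoring the SAML endpoint. In the XSRF block, `[creds lastObject]` is used without a nil check, so if `parseCredentials:` returns nil or an empty array (its contract is not visible here) the `XSRF-TOKEN` cookie is built with a nil value; guarding with `if ([creds count] > 0)` before creating `xsrfCookie` would make that failure explicit instead of emitting an empty token. `[[context request] applicationName]` could reuse the `rq` variable already assigned from `[context request]` earlier in this method. The token cookie is added with only a path; if the auth cookie produced by `cookieWithUsername:andPassword:inContext:` carries the secure flag on HTTPS deployments (set outside this hunk), the `XSRF-TOKEN` cookie should presumably mirror it. The enclosing method begins outside this hunk.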