From 984a1feec0dd9a93c9ba6f59df437ef3a4ae382f Mon Sep 17 00:00:00 2001
From: Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
Date: Tue, 9 Jan 2024 12:27:34 +0100
Subject: [PATCH] [IMP] auth_saml: download the provider metadata

On Office365, what you get when configuring an application for SAML
authentication is the URL of the federation metadata document. This URL
is stable, but the content of the document is not. I suspect some of the
encryption keys can be updated / renewed over time. The result is that
the configured provider in Odoo suddenly stops working, because the
messages sent by the Office365 provider can no longer be validated by
Odoo (because the federation document is out of date). Downloading the
new version and updating the auth.saml.provider record fixes the issue.

This PR adds a new field to store the URL of the metadata document. When
this field is set on a provider, you get a button next to it in the form
view to download the document from the URL. The button will not update
the document if it has not changed.

Additionally, when a SignatureError happens, we check if downloading the
document again fixes the issue.
---
 auth_saml/README.rst                   |  6 ++-
 auth_saml/models/auth_saml_provider.py | 60 +++++++++++++++++++++++---
 auth_saml/readme/CONFIGURE.rst         |  4 ++
 auth_saml/views/auth_saml.xml          | 15 +++++++
 4 files changed, 79 insertions(+), 6 deletions(-)

diff --git a/auth_saml/README.rst b/auth_saml/README.rst
index 0522b0da33..fdc0367123 100644
--- a/auth_saml/README.rst
+++ b/auth_saml/README.rst
@@ -7,7 +7,7 @@ SAML2 Authentication
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:749f38cb523fb18981d9e229196105be0adc619147af5f55e3c887b25ca86dc0
+   !! source digest: sha256:56a6042e204ca8c553db8eb36de4b1ad7ae8e1e9d5abe598a8398f5e17da7e7f
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -81,6 +81,10 @@ by using the query parameter ``disable_autoredirect``, as in
 ``https://example.com/web/login?disable_autoredirect=`` The login is also displayed if
 there is an error with SAML login, in order to display any error message.
 
+If you are using Office365 as identity provider, set up the federation metadata document
+rather than the document itself. This will allow the module to refresh the document when
+needed. 
+
 Usage
 =====
 
diff --git a/auth_saml/models/auth_saml_provider.py b/auth_saml/models/auth_saml_provider.py
index ccd36b1e92..e44ebfc753 100644
--- a/auth_saml/models/auth_saml_provider.py
+++ b/auth_saml/models/auth_saml_provider.py
@@ -9,13 +9,17 @@
 import tempfile
 import urllib.parse
 
+import requests
+
 # dependency name is pysaml2 # pylint: disable=W7936
 import saml2
 import saml2.xmldsig as ds
 from saml2.client import Saml2Client
 from saml2.config import Config as Saml2Config
+from saml2.sigver import SignatureError
 
 from odoo import api, fields, models
+from odoo.exceptions import UserError
 
 _logger = logging.getLogger(__name__)
 
@@ -42,6 +46,14 @@ class AuthSamlProvider(models.Model):
         ),
         required=True,
     )
+    idp_metadata_url = fields.Char(
+        string="Identity Provider Metadata URL",
+        help="Some SAML providers, notably Office365 can have a metadata "
+        "document which changes over time, and they provide a URL to the "
+        "document instead. When this field is set, the metadata can be "
+        "fetched from the provided URL.",
+    )
+
     sp_baseurl = fields.Text(
         string="Override Base URL",
         help="""Base URL sent to Odoo with this, rather than automatically
@@ -282,11 +294,24 @@ def _validate_auth_response(self, token: str, base_url: str = None):
         self.ensure_one()
 
         client = self._get_client_for_provider(base_url)
-        response = client.parse_authn_request_response(
-            token,
-            saml2.entity.BINDING_HTTP_POST,
-            self._get_outstanding_requests_dict(),
-        )
+        try:
+            response = client.parse_authn_request_response(
+                token,
+                saml2.entity.BINDING_HTTP_POST,
+                self._get_outstanding_requests_dict(),
+            )
+        except SignatureError:
+            # we have a metadata url: try to refresh the metadata document
+            if self.idp_metadata_url:
+                self.action_refresh_metadata_from_url()
+                # retry: if it fails again, we let the exception flow
+                response = client.parse_authn_request_response(
+                    token,
+                    saml2.entity.BINDING_HTTP_POST,
+                    self._get_outstanding_requests_dict(),
+                )
+            else:
+                raise
         matching_value = None
 
         if self.matching_attribute == "subject.nameId":
@@ -370,3 +395,28 @@ def _hook_validate_auth_response(self, response, matching_value):
             vals[attribute.field_name] = attribute_value
 
         return {"mapped_attrs": vals}
+
+    def action_refresh_metadata_from_url(self):
+        providers = self.search(
+            [("idp_metadata_url", "ilike", "http%"), ("id", "in", self.ids)]
+        )
+        if not providers:
+            return False
+        # lock the records we might update, so that multiple simultaneous login
+        # attempts will not cause concurrent updates
+        self.env.cr.execute(
+            "SELECT id FROM auth_saml_provider WHERE id in %s FOR UPDATE",
+            (tuple(providers.ids),),
+        )
+        updated = False
+        for provider in providers:
+            document = requests.get(provider.idp_metadata_url)
+            if document.status_code != 200:
+                raise UserError(
+                    f"Unable to download the metadata for {provider.name}: {document.reason}"
+                )
+            if document.text != provider.idp_metadata:
+                provider.idp_metadata = document.text
+                _logger.info("Updated provider metadata for %s", provider.name)
+                updated = True
+        return updated
diff --git a/auth_saml/readme/CONFIGURE.rst b/auth_saml/readme/CONFIGURE.rst
index 270886b630..b08476110c 100644
--- a/auth_saml/readme/CONFIGURE.rst
+++ b/auth_saml/readme/CONFIGURE.rst
@@ -15,3 +15,7 @@ with the highest priority. It is still possible to access the login without redi
 by using the query parameter ``disable_autoredirect``, as in
 ``https://example.com/web/login?disable_autoredirect=`` The login is also displayed if
 there is an error with SAML login, in order to display any error message.
+
+If you are using Office365 as identity provider, set up the federation metadata document
+rather than the document itself. This will allow the module to refresh the document when
+needed. 
diff --git a/auth_saml/views/auth_saml.xml b/auth_saml/views/auth_saml.xml
index 960905213b..1c6b75b38b 100644
--- a/auth_saml/views/auth_saml.xml
+++ b/auth_saml/views/auth_saml.xml
@@ -76,6 +76,21 @@
                     </div>
                     <group name="idp_settings">
                         <group string="Identity Provider Settings">
+                            <span>
+                                <label for="idp_metadata_url" />
+                                <div>
+                                    <field name="idp_metadata_url" />
+                                    <p
+                                        class="help small"
+                                    >If you provider gives you a URL, use this field preferably</p>
+                                </div>
+                                <button
+                                    type="object"
+                                    string="Refresh"
+                                    name="action_refresh_metadata_from_url"
+                                    attrs="{'invisible': [('idp_metadata_url', '=', False)]}"
+                                />
+                            </span>
                             <label for="idp_metadata" />
                             <div>
                                 <field