connector/saml: clean up SAML verification logic and comments #898
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rithujohn191
reviewed
Apr 7, 2017
connector/saml/saml.go
Outdated
| // | ||
| // * Verify signature on XML document (or verify sig on assertion elements). | ||
| // * Verify various parts of the Assertion element. Conditions, audience, etc. | ||
| // * Map the Assertion's attribute elements to |
connector/saml/saml.go
Outdated
| @@ -315,16 +329,25 @@ func (p *provider) HandlePOST(s connector.Scopes, samlResponse, inResponseTo str | |||
| if assertion == nil { | |||
| return ident, fmt.Errorf("response did not contain an assertion") | |||
| } | |||
|
|
|||
| // Even though subject is optional, without it we can pull the user ID, | |||
There was a problem hiding this comment.
"Even though subject is optional, without it we can --> cannot pull the user ID,"
connector/saml/saml.go
Outdated
| @@ -336,53 +359,57 @@ func (p *provider) HandlePOST(s connector.Scopes, samlResponse, inResponseTo str | |||
| return ident, fmt.Errorf("subject does not contain an NameID element") | |||
| } | |||
|
|
|||
| // After verifying the assertion, map data in the attribute statements to | |||
| // varous user info. | |||
connector/saml/saml.go
Outdated
| @@ -396,96 +423,105 @@ func (p *provider) validateStatus(resp *response) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // Multiple subject SubjectConfirmation can be in the assertion | |||
| // and at least one SubjectConfirmation must be valid. | |||
| // validateSubject ensure the response is to the request we expect. | |||
connector/saml/saml.go
Outdated
| } | ||
| if !validSubjectConfirmation { | ||
| return fmt.Errorf("no valid SubjectConfirmation was found on this Response") | ||
| if len(errs) == 1 { |
There was a problem hiding this comment.
Can this value never be greater than 1?
There was a problem hiding this comment.
it's either going to be 1 or greater than 1.
There was a problem hiding this comment.
Should we change the condition to if len(errs) >= 1
There was a problem hiding this comment.
that's handled by the next return. This is just saying "if there's only one element in the slice, return that element, rather than the entire slice."
| @@ -355,152 +354,3 @@ func TestVerifySignedMessageAndSignedAssertion(t *testing.T) { | |||
| func TestVerifyUnsignedMessageAndUnsignedAssertion(t *testing.T) { | |||
| runVerify(t, "testdata/idp-cert.pem", "testdata/idp-resp.xml", false) | |||
| } | |||
There was a problem hiding this comment.
Are we planning to add other tests in its place?
connector/saml/types.go
Outdated
| @@ -115,7 +116,7 @@ type conditions struct { | |||
| NotBefore xmlTime `xml:"NotBefore,attr,omitempty"` | |||
| NotOnOrAfter xmlTime `xml:"NotOnOrAfter,attr,omitempty"` | |||
|
|
|||
| AudienceRestriction *audienceRestriction `xml:"AudienceRestriction,omitempty"` | |||
| AudienceRestriction []*audienceRestriction `xml:"AudienceRestriction,omitempty"` | |||
There was a problem hiding this comment.
Is this one not meant to be an "attr"?
There was a problem hiding this comment.
It's an element, not an attribute. So the XML will look like
<SubjectConfirmationData InResponseTo="foo">
<AudienceRestriction>
</AudienceRestriction>
<AudienceRestriction>
</AudienceRestriction>
</SubjectConfirmationData>(with a lot more namespace annotations)
ericchiang
force-pushed
the
saml-cleanup
branch
2 times, most recently
from
9896542
to
4d8441c
Compare
|
@rithujohn191 tests added. |
mmrath
pushed a commit
to mmrath/dex
that referenced
this pull request
Sep 2, 2019
connector/saml: clean up SAML verification logic and comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Intention is to make this code a little more understandable. Clean up some loops, add comments, etc.
Will add a bunch of tests tomorrow.
cc @rithujohn191 @squat