Service provider fixes to work as expected.

- Fixed script hash to remove JS console errors when redirecting
- Fixed samlsp.New method to not overwrite m.ServiceProvider.IDPMetadata

Author: RichardKnop

samlsp/middleware.go

@@ -160,11 +160,9 @@ func (m *Middleware) RequireAccount(handler http.Handler) http.Handler {
 			return
 		}
 		if binding == saml.HTTPPostBinding {
-			w.Header().Set("Content-Security-Policy", ""+
+			w.Header().Add("Content-Security-Policy", ""+
 				"default-src; "+
-				"script-src 'sha256-D8xB+y+rJ90RmLdP72xBqEEc0NUatn7yuCND0orkrgk='; "+
-				"reflected-xss block; "+
-				"referrer no-referrer;")
+				"script-src 'sha256-AjPdJSbZmeWHnEc5ykvJFay8FTWeTeRbs9dutfZ0HqE='; ")
 			w.Header().Add("Content-type", "text/html")
 			w.Write([]byte(`<!DOCTYPE html><html><body>`))
 			w.Write(req.Post(relayState))
@@ -243,7 +241,7 @@ func (m *Middleware) Authorize(w http.ResponseWriter, r *http.Request, assertion
 
 		// delete the cookie
 		stateCookie.Value = ""
-		stateCookie.Expires = time.Unix(1,0) // past time as close to epoch as possible, but not zero time.Time{}
+		stateCookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{}
 		http.SetCookie(w, stateCookie)
 	}
 

samlsp/samlsp.go

@@ -90,29 +90,32 @@ func New(opts Options) (*Middleware, error) {
 			continue
 		}
 
-		entity := &saml.EntityDescriptor{}
+		entity := new(saml.EntityDescriptor)
 		err = xml.Unmarshal(data, entity)
 
 		// this comparison is ugly, but it is how the error is generated in encoding/xml
 		if err != nil && err.Error() == "expected element type <EntityDescriptor> but have <EntitiesDescriptor>" {
-			entities := &saml.EntitiesDescriptor{}
-			if err := xml.Unmarshal(data, entities); err != nil {
+			entities := new(saml.EntitiesDescriptor)
+			if err = xml.Unmarshal(data, entities); err != nil {
 				return nil, err
 			}
 
 			err = fmt.Errorf("no entity found with IDPSSODescriptor")
-			for _, e := range entities.EntityDescriptors {
+			for j := range entities.EntityDescriptors {
+				e := entities.EntityDescriptors[j]
 				if len(e.IDPSSODescriptors) > 0 {
 					entity = &e
 					err = nil
 				}
 			}
 		}
+
+		m.ServiceProvider.IDPMetadata = entity
+
 		if err != nil {
 			return nil, err
 		}
 
-		m.ServiceProvider.IDPMetadata = entity
 		return m, nil
 	}
 

service_provider.go

@@ -304,8 +304,8 @@ func (req *AuthnRequest) Post(relayState string) []byte {
 		`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
 		`<input id="SAMLSubmitButton" type="submit" value="Submit" />` +
 		`</form>` +
-		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";</script>` +
-		`<script>document.getElementById('SAMLRequestForm').submit();</script>`))
+		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";` +
+		`document.getElementById('SAMLRequestForm').submit();</script>`))
 	data := struct {
 		URL         string
 		SAMLRequest string