Skip to content

Conversation

@crewjam
Copy link
Owner

@crewjam crewjam commented Nov 1, 2019

Split the Middleware component into three interfaces (in addition to the saml.ServiceProvider:

  • RequestTracker (better name needed?) which will handle tracking pending authn requests
  • Session which will handle issuing session cookies
  • OnError which handles reporting errors to both the user and any logging.

The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations.

Copy link
Contributor

@mmailhos mmailhos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like the interface split, it would make the library easier to use as it would behave more like a toolbox than a "all-in-one" package.
The ability to provide our own http client is also a big plus.

For my use case, this is exactly the behaviour I am expecting from the SAML library where I need to have the ability to retrieve metadata, parse it or generate tokens without using the middleware.

I have made a few minor comments and I am still going through the existing code but I would definitely love to see this merged in a new major version. I am going to work a bit on a fork here which might not go too far but I hope that can help a bit.

panic(err) // TODO handle error
}

idpMetadata, err := samlsp.FetchMetadata(context.Background(), http.DefaultClient,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's missing an error handling here (if err != nil { panic(err) //TODO handle error})

if err != nil {
panic(err) // TODO handle error
}
idpMetadata, err := samlsp.FetchMetadata(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, either add an error handling or skip error checking like above - preferably option 1.

URL: *rootURL,
Key: keyPair.PrivateKey.(*rsa.PrivateKey),
Certificate: keyPair.Leaf,
samlSP, err := samlsp.New(samlsp.Options{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto on err

return nil, err
}

err = fmt.Errorf("no entity found with IDPSSODescriptor")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fmt.Errorf is good when there is a need to format. Here we can simply use errors.New

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

err = fmt.Errorf("no entity found with IDPSSODescriptor")
for i, e := range entities.EntityDescriptors {
if len(e.IDPSSODescriptors) > 0 {
entity = &entities.EntityDescriptors[i]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why looping over the entire array and not returning on the first valid element? Isn't it the same as return &entities.EntityDescriptors[i], nil here?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, left over from splitting parse and fetch. Thanks. :)

if resp.StatusCode >= 400 {
return nil, httperr.Response(*resp)
}
defer resp.Body.Close()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The body needs to be closed in any case, even with a statuscode > 400 as error is nil (from doc). This line should be moved up on line 58.

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated.


// The following fields exist <= 0.3.0, but are superceded by the new
// SessionProvider and RequestTracker interfaces.
Logger logger.Interface // DEPRECATED: this field will be removed, instead provide a custom OnError function to handle errors
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think those fields can be removed and the package be bumped to an higher major version?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was planning on that, for sure, and semver et al allow breaking changes pre 1.0, but I think it is a little developer unfriendly to make such sweeping changes without a transition / warning. This is based on poking around how people are using the library publicly, although there are breaking changes, keeping these fields around, at least for a while, seems like it would make the breaking changes easier to deal with.

I'm convincible here, but on balance, my gut for now is to hang on to them for a while.

I'd appreciate any feedback here and/or how strongly people feel about this.

if a == nil {
return ""
}
v := a[key]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm proposing this more idiomatic syntax:

if v, ok := a[key]; ok {
    return v[0]
}
return ""

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this suggestion. Reasonable minds can differ, but I think I prefer the success path flow straight through the function when possible. :)

@crewjam crewjam merged commit 695c7b1 into master Nov 22, 2019
@crewjam crewjam deleted the refactor_samlsp branch November 22, 2019 15:34
mattcobb added a commit to lightstep/saml that referenced this pull request Nov 30, 2021
* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag

* Add syntax highlight

* expose CookieMaxAge in samlsp Options

* Enable persistent name id format (crewjam#107)

* Enable persistent name id format

* add ability to set the domain for the cookies (crewjam#95)

* Fixed script hash to remove JS console errors when redirecting (crewjam#117)

@RichardKnop PR#94

* saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (crewjam#116)

* Use dep package manager (crewjam#114)

* use dep package manager
* updated travis

* Fix example code so that it compiles (crewjam#118)

* expose ForceAuthn (crewjam#119)

* fix validUntil in SPSSODescriptor

fixes crewjam#123

* samlsp.Middleware.SecureCookie option (crewjam#128)

* remove cruft

* update README

* fix some minor lint / style errors

* samlsp: use current time for the JWT rather than the IssueInstant from the assertion (crewjam#130)

fixes crewjam#122

jwt-go not support leeway parameter

* travis cleanup: remove older go versions (crewjam#132)

* samlsp: remove X-Saml headers in favor of attaching Claims to request context (crewjam#131)

* samlsp: move the setting and reading of cookies into an interface (crewjam#133)

We’ve had a bunch of changes requesting the ability to customize
how cookies are set and it is getting a little messy. This change
moves the code to setting and reading cookies into two interfaces
which you can extend/customize.

* add field to IdpAuthnRequest so you can externally control the “current” time (crewjam#136)

The default is obviously the current time, but for various reasons you may wish to evaluate the
response at a different reference time, for example processing a response that has been deferred.

We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently.

* idp: handle assertions where no ACS url is specified (crewjam#139)

* add test cases for SAML comment injection (crewjam#140)

ref: CVE-2017-11427
ref: CVE-2017-11428
ref: CVE-2017-11429
ref: CVE-2017-11430
ref: CVE-2018-0489
ref: CVE-2018-7340
ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

* Update PGP key in README.md

* make MaxIssueDelay configurable at runtime (mini-hack)

* Remove the default xmlns from the expected output because the encoder does not reset the default.  Should resolve the test for issue 152. (crewjam#158)

* Added Travis badge (crewjam#159)

* Fixed some typos in the README.md file. (crewjam#160)

* dep ensure [ch16254] (crewjam#156)

* add the ability to use custom cookie names and domain

* fix missing time on IDP-initiated IdpAuthnRequest (crewjam#147)

* added godoc badge to README.md (crewjam#143)

* made selected binding configureable (crewjam#144)

* Fix AES decryption (crewjam#142)

Fix AES decryption by decrypting the EncryptedKey from the response, and passing
the decrypted key to the data encryption.

* idp: Allow intermediates to be encoded in signature (crewjam#127)

* idp: Make signature method configurable (crewjam#126)

* Removed %s format for claims audience not matching Provider EntityID for crewjam#154 (crewjam#161)

* add support for a logout URL binding

* add stale integration

ref: https://probot.github.io/apps/stale/

* add support for other external middleware (crewjam#184)

Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods.

* crewjam#192: Support multiple IdP signing certificates

* crewjam#192: Account for Go/check changes.

* Handle root URL's with trailing slash

* crewjam#194: Properly default EncryptionMethod/DigestMethod when not present.

* Allow AudienceRestriction to be missing

re crewjam#198

* Don't include the port with the domain when setting the cookie (crewjam#202)

* update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (crewjam#217)

* Don't require Destination attribute in response when response is not signed (crewjam#213)

* Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required.
* Check Destination when present, even if response unsigned

* Replaces testshib.org with samltest.id in the README (crewjam#211)

Fixes crewjam#201

* Set the default domain for cookies properly (crewjam#187)

Fixes crewjam#186.

* Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds.

* Adding support for eduPersonScopedAffiliation

* Add in actual attribute evaluation for eduPersonScopedAffiliation.

* Fix typo for idp example path in readme (crewjam#170)

* omit validUntil if empty (crewjam#190)

* Prevent panic caused by IDP-initiated login (crewjam#183)

* - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link.
- Guard against an IDP-initiated request that may not have the request ID in the claims.
- Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed.

* Only address the panic in IDP-initiated login (#1)

This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins.

I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP.

* SP: Add capability to provide intermediate certs (crewjam#178)

* remove bad import

* remove log junk

* fix compile error

* Gopkg -> go.mod

* tests: convert from go-check to testify

* lint with golangci-lint

* lint with golangci-lint

* fix go.mod

* fix travis configuration

* fix travis configuration

* Use RS256 rather than HS256

Using HS256 with the RSA private key (serialised as ASN.1 according
to PKCS1) as the secret is unconventional and perhaps dangerous. The
string of bytes isn't entirely random given that it starts with the
version number. The encoded RSA key will be larger than the block size
of the underlying hash and so to create a secret, the RSA key will be
hashed.

A more important problem is that we should be able to validate a jwt
issued by the middleware with just the RSA public key. By moving to
RS256, we can validate jwts without sharing the private key.

Fix randomBytes: should ensure that the entire buffer is full.

* Add Single Logout data structure

* Set session NameID based on email

* update test expectations

* removed mandatory check for validating embedded certificate for rsa

* Rename validateRSAKey to validateRSAKeyIfPresent

Now that the validation is optional, the previous name did not
accurately reflected the intention.

* Removes unused dependencies

Ran go mod tidy to remove golangci-lint as that isn't actally needed for
this project. Its inclusion result in a huge number of dependencies to
be imported.

* travis: pin golangci-lint version

* Bump github.com/beevik/etree from 1.0.1 to 1.1.0

Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0.
- [Release notes](https://github.com/beevik/etree/releases)
- [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md)
- [Commits](beevik/etree@v1.0.1...v1.1.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>

* update test expectations

* Return status code if not success

* Make cert optional for ServiceProvider.Metadata()

* Add test case from OneLogin

This adds a test case provided by @fredipevcin in [https://github.com/crewjam/saml/pull/25](PR25) that
makes sure we can parse cases where the assertion is signed rather than the whole message. This
has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work.

* Remove 'Failing' from certificate missing check

* (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required.

* update readme to reflect our inability to produce encrypted assertions

re crewjam#179

* fix bad merge

* golangci: require comments, add a few missing ones

* golangci: require comments, add a few missing ones

* update test expectations

* schema: don't include empty Format attributes in samlp:NameIDPolicyElement

fixes crewjam#177

* make ValidDuration configurable for IDP. (crewjam#235)

* refactor samlsp package to be more modular (crewjam#230)

This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider):

* RequestTracker which handles tracking pending authn requests.
* Session which handles issuing session cookies.
* OnError which handles reporting errors to both the user and any logging.

The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations.

This should make the *samlsp* package easier to extend to fit more use cases.

Fixes crewjam#231

* Add optional callback for signature verification (crewjam#237)

Fixes crewjam#234

* AllowIDPInitiated=true allows both IDP-initiated and normal (crewjam#240)

* Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (crewjam#243)

Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/kr/pretty/releases)
- [Commits](kr/pretty@v0.1.0...v0.2.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>

* add HTTPOnly bool to CookieSessionProvider (crewjam#248)

* feat(slo): add logout response request validation (crewjam#247)

* fix(slo): fix SessionIndex attribute in LogoutRequest (crewjam#245)

* clean up README about breaking changes

* feat(slo): add Bytes() and Deflate() functions for LogoutRequest (crewjam#251)

Bytes() is needed in for returning a byte array for POST Binding.
Deflate() is needed for compressing using gzip algorithm a LogoutRequest
byte array.

* fix(sp): no check for InResponseTo for if IDPInitiated is true (crewjam#259)

* Add EntityID (crewjam#258)

* feat: add Post / Redirect methods for LogoutRequest (crewjam#260)

* Update README.md (crewjam#261)

* Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (crewjam#263)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.4.0...v1.5.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>

* Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (crewjam#264)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.5.0...v1.5.1)

Signed-off-by: dependabot-preview[bot] <[email protected]>

* Include a path when clearing the cookie (crewjam#278)

Some browsers will refuse to remove a cookie that doesn't include the path

* SessionNotOnOrAfter is serialized to XML if set (crewjam#292)

It is currently possible to set SessionNotOnOrAfter directly on the Go
structure, but it is not serialized to or deserialized from XML.

* Fixes handling signed response with encrypted assertions (crewjam#273)

When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest.
The response signature is sufficient unless the assertion is also signed in which case both must be valid.

* Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (crewjam#294)

Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/kr/pretty/releases)
- [Commits](kr/pretty@v0.2.0...v0.2.1)

Signed-off-by: dependabot-preview[bot] <[email protected]>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (crewjam#288)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.5.1...v1.6.1)

Signed-off-by: dependabot-preview[bot] <[email protected]>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Add support for signed authnRequest (crewjam#296)

* Fixes handling signed response with encrypted assertions

When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest.
The response signature is sufficient unless the assertion is also signed in which case both must be valid.

* Add support for signed authnRequests

* Update metadata.go (crewjam#297)

Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"`

fixes crewjam#295

* Allows configuring SameSite for session cookie (crewjam#276)

Fixes crewjam#275

* fix lint errors & update test expectations

* update README re: security issues

* fix test expectation for go 1.15

* remove output cruft from xmlenc test

* [SECURITY] bump version of goxmldsig [CVE-2020-15216]

There was a signature validation bypass in goxmldsig, which saml uses to
authenticate assertions. This change increments the dependent version of
goxmldsig to a version that is no longer affected.

For more information:

GHSA-q547-gmf8-8jr7

* Merge pull request from GHSA-4hq8-gmxx-h6w9

This change validates that the XML input we receive is safe to parse before
passing it to the standard library's XML parsing functions or the etree DOM
parsing functions.

This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511.

TODO: is there going to be a go.mod version assigned to this on release?

* fix version of xml-roundtrip-validator in go.mod

* add SignLogoutResponse SignLogoutRequest MakeLogoutResponse

* add SessionIndex to claims Attributes

* Include a domain when clearing the cookie

* identity_provider: extend session with CustomAttributes (crewjam#310)

* add xUserId and xAccountId for session

* add CustomAttributes for idp session content

* fix: logout response element Response -> LogoutResponse (crewjam#305)

* Spread the use of option SameSite to tracking cookies (crewjam#302)

* fix formatting

* travis -> github actions

* fix typo in README

* update test expectations

* Stop validating InResponseTo when AllowIDPInitiated is set

With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why:

The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says:

   InResponseTo [Optional]
       The ID of a SAML protocol message in response to which an attesting entity can present the
       assertion. For example, this attribute might be used to correlate the assertion to a SAML
       request that resulted in its presentation.

The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated  requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling)  set a specific non-empty value for InResponseTo in IDP-initiated requests.

Finally, it is unclear that there is significant security value in checking InResponseTo when we allow  IDP initiated assertions.

This issue has been reported quite a few times, including:

Fixes crewjam#291 crewjam#286 crewjam#300 crewjam#301 crewjam#286

* set cookie domain when clearing request tracker cookie (crewjam#321)

* samlsp: make middleware endpoints public (crewjam#323)

* samlsp: remove deprecated fields (crewjam#324)

* remove deprecated fields
* update readme

* add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set

re crewjam#312

* samlsp: fix validating response with no issuer element (crewjam#328)

* in tests, replace long strings with files we read from testdata/

* replace testify (which is more or less unmaintained) with gotest.tools

* remove redundant []byte conversions

* explicitly copy loop iterator variables

This silences a warning from golangci-lint

* fix spelling of test data file

* add maintainer action to update dependencies

* adjust maintainer action to update dependencies

* Update go.mod

* upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0
* upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5
* upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1
* upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1
* upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad

* Fix AuthN Request signing for HTTP-Redirect binding (crewjam#339)

* Fix signing for HTTP-Redirect binding

The currently implemented behavior for signing AuthN Requests where
an enveloped signature is added in the XML Document, is appropriate
only when the HTTP-POST binding is used.
Signing for authentication requests when the HTTP-Redirect binding
is in use, is described in
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
section 3.4.4.1 and involves generating a signature of the deflated
form of the AuthN request along with some other URL parameters, mainly
because of URL length considerations.

This commit implements proper AuthNRequest signing support according
to the specification.

* Add comment for function

* linter is picky :)

* SplitHostPort on DeleteSession (crewjam#335)

* Add explicit tests for XSW (crewjam#338)

XML Signature Wrapping attacks are unfortunately still very common
in SAML implementations. crewjam/saml is not vulnerable to any XSW
attacks as goxmldsig and this library's use of goxmldsig are safe.

This commit adds a number of tests against common XSW attacks, so
that these can serve as verification of the current safe state,
prevent future regressions in crewjam/saml and detect possible
future regressions in goxmldsig

The numbering of the permutations of the XSW attack follows that
of https://github.com/CompassSecurity/SAMLRaider and a visual
depiction is available in
https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png

* Custom relayState generator (crewjam#337)

* Update go.mod (crewjam#331)

* upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0
* upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670

Co-authored-by: Github Actions <[email protected]>

* Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (crewjam#336)

* Bump github.com/google/go-cmp from 0.5.4 to 0.5.5

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.4...v0.5.5)

Signed-off-by: dependabot-preview[bot] <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Ross Kinder <[email protected]>

* update README (crewjam#340)

fixes crewjam#333

* Update go.mod (crewjam#342)

* upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2

Co-authored-by: Github Actions <[email protected]>

* Update go.mod (crewjam#343)

Co-authored-by: crewjam <[email protected]>

* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (crewjam#344)

* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go.

dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422).

form3tech-oss/jwt-go is a fork that has fixed the vulnerability.

* Upgrade to GitHub-native Dependabot (crewjam#346)

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Make SP check more certs in IDP metadata (crewjam#353)

From
https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf
```
[E62]A use value of "signing" means that the contained key information is applicable to both signing
and TLS/SSL operations performed by the entity when acting in the enclosing role.

A use value of "encryption" means that the contained key information is suitable for use in wrapping
encryption keys for use by the entity when acting in the enclosing role.

If the use attribute is omitted, then the contained key information is applicable to both of the above uses.
```

We need to include certificates both when they have a "use" attribute of
"signing" as well as when the "use" attribute is missing.

Fixes crewjam#352

SAML input from @simmel.

* bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157

* Fix merge problems

* Fix valid until tests

* req.now may not be initialized in MakeResponse() so use Now()

* use TimeNow()

* req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion()

* Remove old code from comments, remove commented out Skip(broken)

* use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter

Co-authored-by: Donald Hoelle <[email protected]>
Co-authored-by: Umayr Shahid <[email protected]>
Co-authored-by: Dustin Decker <[email protected]>
Co-authored-by: Ross Kinder <[email protected]>
Co-authored-by: Bryce Fisher <[email protected]>
Co-authored-by: Sevki <[email protected]>
Co-authored-by: Paul Tötterman <[email protected]>
Co-authored-by: Lucas <[email protected]>
Co-authored-by: Beyang Liu <[email protected]>
Co-authored-by: Nao YONASHIRO <[email protected]>
Co-authored-by: Darrel Herbst <[email protected]>
Co-authored-by: Neha Malviya <[email protected]>
Co-authored-by: Josh Silvas <[email protected]>
Co-authored-by: ☃ Elliot Shepherd <[email protected]>
Co-authored-by: Christoph Hack <[email protected]>
Co-authored-by: Volkan Gürel <[email protected]>
Co-authored-by: Andrew Pilloud <[email protected]>
Co-authored-by: jb <[email protected]>
Co-authored-by: Stephen Kress <[email protected]>
Co-authored-by: Geoff Bourne <[email protected]>
Co-authored-by: Robin Wood <[email protected]>
Co-authored-by: Noval Agung Prayogo <[email protected]>
Co-authored-by: Chris Vermilion <[email protected]>
Co-authored-by: Joe Siltberg <[email protected]>
Co-authored-by: Daniel Cormier <[email protected]>
Co-authored-by: Tom Bruno <[email protected]>
Co-authored-by: Shane Jeffery <[email protected]>
Co-authored-by: ferhat elmas <[email protected]>
Co-authored-by: Christopher Goulet <[email protected]>
Co-authored-by: Praneet Loke <[email protected]>
Co-authored-by: Benjamin Schubert <[email protected]>
Co-authored-by: Stevie Johnstone <[email protected]>
Co-authored-by: Ryan Zhang <[email protected]>
Co-authored-by: Grace Noah <[email protected]>
Co-authored-by: Jon Gyllensward <[email protected]>
Co-authored-by: gotjosh <[email protected]>
Co-authored-by: Leonard Gram <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Michael Rauh <[email protected]>
Co-authored-by: Matthew Steffen <[email protected]>
Co-authored-by: Bryce Fisher <[email protected]>
Co-authored-by: Jan Szumiec <[email protected]>
Co-authored-by: aspeteRakete <[email protected]>
Co-authored-by: Joe Siltberg <[email protected]>
Co-authored-by: David Goeke <[email protected]>
Co-authored-by: Daniel Hochman <[email protected]>
Co-authored-by: Mathieu Mailhos <[email protected]>
Co-authored-by: miketonks <[email protected]>
Co-authored-by: (0x794E6).toString(36) <[email protected]>
Co-authored-by: Andreas Fritzler <[email protected]>
Co-authored-by: Ron Kuris <[email protected]>
Co-authored-by: Andy Lindeman <[email protected]>
Co-authored-by: Ricardo Andrade <[email protected]>
Co-authored-by: bstrueb <[email protected]>
Co-authored-by: Ross Kinder <[email protected]>
Co-authored-by: neilli-sable <[email protected]>
Co-authored-by: Alex Yan <[email protected]>
Co-authored-by: Alan Shreve <[email protected]>
Co-authored-by: AlekseyZolotuhin <[email protected]>
Co-authored-by: Alexander Zobnin <[email protected]>
Co-authored-by: Github Actions <[email protected]>
Co-authored-by: Ioannis Kakavas <[email protected]>
Co-authored-by: yuki2006 <[email protected]>
Co-authored-by: Harold Alcala <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: crewjam <[email protected]>
Co-authored-by: Bay Grabowski <[email protected]>
Co-authored-by: Patrik Lundin <[email protected]>
atezet pushed a commit to atezet/saml that referenced this pull request Jul 9, 2022
This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider):

* RequestTracker which handles tracking pending authn requests.
* Session which handles issuing session cookies.
* OnError which handles reporting errors to both the user and any logging.

The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations.

This should make the *samlsp* package easier to extend to fit more use cases.

Fixes crewjam#231
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants