Handle empty role value in SAML

Wrong OneLogin config can lead to a role attribute with an empty value in the SAML assertion. Example: <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="https://aws.amazon.com/SAML/Attributes/Role"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/> </saml:Attribute> We check for empty value before parsing ARNs to avoid index error.
allcloud-io · Sep 10, 2018 · 0f1b7a0 · 0f1b7a0
1 parent 2d116e3
commit 0f1b7a0
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/saml/saml.go b/saml/saml.go
@@ -67,6 +67,10 @@ func extractArns(attrs []saml.Attribute) (arns []ARN) {
 	for _, attr := range attrs {
 		if attr.Name == "https://aws.amazon.com/SAML/Attributes/Role" {
 			for _, av := range attr.Values {
+				// Value is empty
+				if len(av.Value) == 0 {
+					return
+				}
 				components := strings.Split(av.Value, ",")
 
 				arns = append(arns, ARN{components[0], components[1]})

diff --git a/saml/saml_test.go b/saml/saml_test.go
@@ -38,6 +38,7 @@ func TestGet(t *testing.T) {
 		{"Single ARN", "testdata/single-arn-response", "arn:aws:iam::123456789012:role/OneLogin-MyRole", false},
 		//{"Many ARNs", "testdata/valid-response", "", false},         // will ask questions
 		{"No ARNs", "testdata/no-arns-resonse", "", true},
+		{"No ARN value", "testdata/no-arn-value-response", "", true},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			b, _ := ioutil.ReadFile(test.path)

diff --git a/saml/testdata/no-arn-value-response b/saml/testdata/no-arn-value-response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzYW1scDpSZXNwb25zZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj4KICAgIDxzYW1sOkFzc2VydGlvbj4KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+CiAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwczovL2F3cy5hbWF6b24uY29tL1NBTUwvQXR0cmlidXRlcy9Sb2xlIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4KICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciLz4KICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4KICAgICAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50PgogICAgPC9zYW1sOkFzc2VydGlvbj4KPC9zYW1scDpSZXNwb25zZT4K