forked from CiscoM31/gosaml2
/
decode_logout_request.go
73 lines (60 loc) · 1.68 KB
/
decode_logout_request.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
package saml2
import (
"encoding/base64"
"fmt"
dsig "github.com/russellhaering/goxmldsig"
)
func (sp *SAMLServiceProvider) validateLogoutRequestAttributes(request *LogoutRequest) error {
if request.Destination != "" && request.Destination != sp.ServiceProviderSLOURL {
return ErrInvalidValue{
Key: DestinationAttr,
Expected: sp.ServiceProviderSLOURL,
Actual: request.Destination,
}
}
if request.Version != "2.0" {
return ErrInvalidValue{
Reason: ReasonUnsupported,
Key: "SAML version",
Expected: "2.0",
Actual: request.Version,
}
}
return nil
}
func (sp *SAMLServiceProvider) ValidateEncodedLogoutRequestPOST(encodedRequest string) (*LogoutRequest, error) {
raw, err := base64.StdEncoding.DecodeString(encodedRequest)
if err != nil {
return nil, err
}
// Parse the raw request - parseResponse is generic
doc, el, err := parseResponse(raw)
if err != nil {
return nil, err
}
var requestSignatureValidated bool
if !sp.SkipSignatureValidation {
el, err = sp.validateElementSignature(el)
if err == dsig.ErrMissingSignature {
// Unfortunately we just blew away our Response
el = doc.Root()
} else if err != nil {
return nil, err
} else if el == nil {
return nil, fmt.Errorf("missing transformed logout request")
} else {
requestSignatureValidated = true
}
}
decodedRequest := &LogoutRequest{}
err = xmlUnmarshalElement(el, decodedRequest)
if err != nil {
return nil, fmt.Errorf("unable to unmarshal logout request: %v", err)
}
decodedRequest.SignatureValidated = requestSignatureValidated
err = sp.ValidateDecodedLogoutRequest(decodedRequest)
if err != nil {
return nil, err
}
return decodedRequest, nil
}