-
Notifications
You must be signed in to change notification settings - Fork 0
/
redirect.go
130 lines (114 loc) · 3.02 KB
/
redirect.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
package provider
import (
"context"
"encoding/base64"
"fmt"
"net/url"
"github.com/tzrd/saml/pkg/provider/serviceprovider"
"github.com/tzrd/saml/pkg/provider/signature"
"github.com/tzrd/saml/pkg/provider/xml"
"github.com/tzrd/saml/pkg/provider/xml/md"
"github.com/tzrd/saml/pkg/provider/xml/saml2p"
)
func signatureRedirectVerificationNecessary(
idpMetadataF func() *md.IDPSSODescriptorType,
spMetadataF func() *md.EntityDescriptorType,
signatureF func() string,
protocolBinding func() string,
) func() bool {
return func() bool {
spMeta := spMetadataF()
idpMeta := idpMetadataF()
return ((spMeta == nil || spMeta.SPSSODescriptor == nil || spMeta.SPSSODescriptor.AuthnRequestsSigned == "true") ||
(idpMeta == nil || idpMeta.WantAuthnRequestsSigned == "true") ||
signatureF() != "") &&
protocolBinding() == RedirectBinding
}
}
func verifyRedirectSignature(
authRequest func() string,
relayState func() string,
sig func() string,
sigAlg func() string,
sp func() *serviceprovider.ServiceProvider,
errF func(error),
) func() error {
return func() error {
if authRequest() == "" {
return fmt.Errorf("no authrequest provided but required")
}
if relayState() == "" {
return fmt.Errorf("no relaystate provided but required")
}
if sig() == "" {
return fmt.Errorf("no signature provided but required")
}
if sigAlg() == "" {
return fmt.Errorf("no signature algorithm provided but required")
}
spInstance := sp()
if sp == nil {
return fmt.Errorf("no service provider instance provided but required")
}
err := spInstance.ValidateRedirectSignature(
authRequest(),
relayState(),
sigAlg(),
sig(),
)
errF(err)
return err
}
}
func createRedirectSignature(
ctx context.Context,
samlResponse *saml2p.ResponseType,
idp *IdentityProvider,
response *Response,
) error {
respStr, err := xml.Marshal(samlResponse)
if err != nil {
return err
}
respData, err := xml.DeflateAndBase64([]byte(respStr))
if err != nil {
return err
}
cert, key, err := getResponseCert(ctx, idp.storage)
if err != nil {
return err
}
tlsCert, err := signature.ParseTlsKeyPair(cert, key)
if err != nil {
return err
}
signingContext, err := signature.GetSigningContext(tlsCert, idp.conf.SignatureAlgorithm)
if err != nil {
return err
}
sig, err := signature.CreateRedirect(signingContext, buildRedirectQuery(string(respData), response.RelayState, idp.conf.SignatureAlgorithm, ""))
if err != nil {
return err
}
response.Signature = url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
response.SigAlg = url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(idp.conf.SignatureAlgorithm)))
return nil
}
func buildRedirectQuery(
response string,
relayState string,
sigAlg string,
sig string,
) string {
query := "SAMLResponse=" + url.QueryEscape(response)
if relayState != "" {
query += "&RelayState=" + url.QueryEscape(relayState)
}
if sig != "" {
query += "&Signature=" + url.QueryEscape(sig)
}
if sigAlg != "" {
query += "&SigAlg=" + url.QueryEscape(sigAlg)
}
return query
}