From 1acebec4b68610a79aef51b2c63c3b19e771059d Mon Sep 17 00:00:00 2001
From: Zachary Wasserman
Date: Tue, 9 Apr 2019 09:23:22 -0700
Subject: [PATCH] Close flate writer before base64 encoding SAML authorization request (#2025)
Fixes an issue in which the requests are not able to be read by some SAML request decoders. Fixes #2024
---
 server/sso/authorization_request.go | 12 +++++++++---
 server/sso/authorization_request_test.go | 2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/server/sso/authorization_request.go b/server/sso/authorization_request.go
index 9c0d05054f..8d86857728 100644
--- a/server/sso/authorization_request.go
+++ b/server/sso/authorization_request.go
@@ -114,20 +114,26 @@ func getDestinationURL(settings *Settings) (string, error) {
 // See SAML Bindings http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
 // Section 3.4.4.1
 func deflate(xmlBuffer *bytes.Buffer) (string, error) {
+ // Gzip
 var deflated bytes.Buffer
 writer, err := flate.NewWriter(&deflated, flate.DefaultCompression)
 if err != nil {
- return "", err
+ return "", errors.Wrap(err, "create flate writer")
 }
- defer writer.Close()
 n, err := writer.Write(xmlBuffer.Bytes())
 if n != xmlBuffer.Len() {
+ _ = writer.Close()
 return "", errors.New("incomplete write during compression")
 }
 if err != nil {
+ _ = writer.Close()
 return "", errors.Wrap(err, "compressing auth request")
 }
- writer.Flush()
+ if err := writer.Close(); err != nil {
+ return "", errors.Wrap(err, "close flate writer")
+ }
+
+ // Base64
 encbuff := deflated.Bytes()
 encoded := base64.StdEncoding.EncodeToString(encbuff)
 return encoded, nil
diff --git a/server/sso/authorization_request_test.go b/server/sso/authorization_request_test.go
index ecb4fdf6ff..90e2bfeabd 100644
--- a/server/sso/authorization_request_test.go
+++ b/server/sso/authorization_request_test.go
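Review bot: The added `// Gzip` comment at the top of `deflate` mislabels the encoding: `flate.NewWriter` emits a raw DEFLATE stream with no gzip header or checksum, which is what the cited section 3.4.4.1 of the SAML bindings specification calls for, and a maintainer who trusts the comment and switches to compress/gzip would produce requests an identity provider cannot read. I would write `// Raw DEFLATE (RFC 1951), not gzip; see SAML Bindings 3.4.4.1` instead. Separately, the `n != xmlBuffer.Len()` test runs before `err != nil`, so a failed write is reported as "incomplete write during compression" and the underlying error is dropped; checking `err` first keeps the cause in the wrapped message. The closing brace of `deflate` is outside the hunk.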
@@ -10,7 +10,7 @@ import (
 
 func TestRequestCompression(t *testing.T) {
 input := "https://sp.example.com/saml2"
- expected := "fJJf79IwFIa/Su961f0pG4yGLZkQ4xLUBaYX3piyHaTJ2s6eTvHbmw2McPHjtnne9u1zzgal7gdRjv5iDvBzBPSkRATnlTVba3DU4I7gfqkWvhz2Ob14P6AIQxwCuEo99BC0VoeyRUp2gF4ZOUX/g6p7JhEtJdUup9/jLM7ShKfs3C05S1arlp3WXcKSU9qlC5mtsySlpEIcoTLopfE55VG8YlHC4mUTp2LBRcK/UVI7621r+3fKdMr8yOnojLASFQojNaDwrTiWH/eCB5E43SAUH5qmZvXnY0PJV3A4t+ZBRMlV9wbFZOb1TfKfqMfI8Doz3KvSYlYv5u+54g2tE8I34SN5n9gnqaHa1bZX7R9S9r39vXUgPeTUuxEoeW+dlv51l+lEdew8o8I7aVCB8TQsbk8+70XxFwAA//8="
+ expected := "fJJf79IwFIa/Su961f0pG4yGLZkQ4xLUBaYX3piyHaTJ2s6eTvHbmw2McPHjtnne9u1zzgal7gdRjv5iDvBzBPSkRATnlTVba3DU4I7gfqkWvhz2Ob14P6AIQxwCuEo99BC0VoeyRUp2gF4ZOUX/g6p7JhEtJdUup9/jLM7ShKfs3C05S1arlp3WXcKSU9qlC5mtsySlpEIcoTLopfE55VG8YlHC4mUTp2LBRcK/UVI7621r+3fKdMr8yOnojLASFQojNaDwrTiWH/eCB5E43SAUH5qmZvXnY0PJV3A4t+ZBRMlV9wbFZOb1TfKfqMfI8Doz3KvSYlYv5u+54g2tE8I34SN5n9gnqaHa1bZX7R9S9r39vXUgPeTUuxEoeW+dlv51l+lEdew8o8I7aVCB8TQsbk8+70XxNwAA//8="
 buff := bytes.NewBufferString(input)
 compressed, err := deflate(buff)
 require.Nil(t, err)
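Review bot: The updated `expected` constant pins the exact bytes produced by compress/flate, so the test checks the encoder's output rather than the property this fix is about, namely that a decoder can read the stream to a clean end. As far as I know Go does not promise byte-identical compressed output across releases, so a toolchain upgrade may break this test with no change in behaviour. Consider adding a round-trip assertion after the `deflate` call: base64-decode `compressed`, read it through `flate.NewReader` until EOF, and finish with `require.Equal(t, input, string(out))`; a stream that lacks its final block should then surface as a read error instead of a string mismatch. The test function continues past the end of this hunk, so any existing comparison against `expected` is not visible here.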