Added ability to handle nested signed assertions in SAML response

Closes #1532

Fixes an error caused by a bug in processing nested assertions in a successful SAML response. This was not caught in the initial push of this code because the IdPs we tested against all sign the entire response document rather than parts of it. Thus the existing test cases didn't cover the code that dealt with nested assertions.
This commit is contained in:
John Murphy 2017-07-18 15:28:35 -05:00 committed by GitHub
parent f05204b4dc
commit e67157345a
3 changed files with 85 additions and 2 deletions



@ -113,7 +113,7 @@ func (v *validator) ValidateSignature(auth kolide.Auth) (kolide.Auth, error) {
// We've verified that the response hasn't been tampered with at this point
signedDoc := etree.NewDocument()
signedDoc.SetRoot(signed)
buffer, err := doc.WriteToBytes()
buffer, err := signedDoc.WriteToBytes()
if err != nil {
return nil, errors.Wrap(err, "creating signed doc buffer")
}
@ -132,7 +132,6 @@ func (v *validator) validateSignature(elt *etree.Element) (*etree.Element, error
// If entire doc is signed, success, we're done.
return validated, nil
}
if err == dsig.ErrMissingSignature {
// If entire document is not signed find signed assertions, remove assertions
// that are not signed.
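Review bot: Serializing `signedDoc` instead of `doc` is what confines the later re-parse to the element dsig actually validated, but the comment just above it (`// We've verified that the response hasn't been tampered with at this point`) still reads as if the whole response were trusted, which is no longer the case on the ErrMissingSignature path shown in the second hunk. I would reword it to `// Only the validated element (the whole response, or the signed assertion subtree) is trusted from here; unsigned siblings were dropped`. ValidateSignature's body and whatever consumes `buffer` continue outside these hunks, so I cannot confirm from here that nothing downstream still reads the original `doc`; a test with a signed assertion next to an unsigned sibling assertion would pin that. It is also worth confirming that `signedDoc.SetRoot(signed)` detaches `signed` from the original tree in the etree version in use, since the pruning of unsigned assertions presumably relies on that tree shape.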
