1. 10 Apr, 2017 3 commits
  2. 07 Apr, 2017 2 commits
  3. 06 Apr, 2017 7 commits
  4. 04 Apr, 2017 5 commits
    • Eric Chiang's avatar
      Merge pull request #893 from ericchiang/fix-saml-validation · 207d2077
      Eric Chiang authored
      connector/saml: fix validation bug with multiple Assertion elements
      207d2077
    • Eric Chiang's avatar
      connector/saml: refactor tests and add self-signed responses · a97cffcd
      Eric Chiang authored
      Introduces SAML tests which execute full response processing and
      compare user attributes. tesdata now includes a full, self-signed
      CA and documents signed using xmlsec1.
      
      Adds deprication notices to existing tests, but don't remove them
      since they still provide coverage.
      a97cffcd
    • Eric Chiang's avatar
      connector/saml: fix validation bug with multiple Assertion elements · e0709dc2
      Eric Chiang authored
      When a SAML response provided multiple Assertion elements, only the
      first one is checked for a valid signature. If the Assertion is
      verified, the original Assertion is removed and the canonicalized
      version is prepended to the Response. However, if there were
      multiple assertions, the second assertion could end up first in the
      list of Assertions, even if it was unsigned.
      
      For example this:
      
          <Response>
            <!--
               Response unsigned. According to SAML spec must check
               assertion signature.
            -->
            <Assertion>
              <Signature>
                <!-- Correrctly signed assertion -->
              </Signature>
            </Assertion>
      
            <Assertion>
              <!-- Unsigned assertion inserted by attacker-->
            </Assertion>
          </Response>
      
      could be verified then re-ordered to the following:
      
          <Response>
            <!--
               Response unsigned. According to SAML spec must check
               assertion signature.
            -->
            <Assertion>
              <!-- Unsigned assertion inserted by attacker-->
            </Assertion>
      
            <Assertion>
              <!-- Canonicalized, correrctly signed assertion -->
            </Assertion>
          </Response>
      
      Fix this by removing all unverified child elements of the Response,
      not just the original assertion.
      e0709dc2
    • Lucas Servén's avatar
      Merge pull request #891 from squat/garbage_log_info · a7d443ea
      Lucas Servén authored
      server/server.go: make successful garbage collection log at info level
      a7d443ea
    • Lucas Serven's avatar
  5. 29 Mar, 2017 4 commits
  6. 28 Mar, 2017 4 commits
  7. 24 Mar, 2017 7 commits
  8. 23 Mar, 2017 3 commits
  9. 22 Mar, 2017 2 commits
  10. 21 Mar, 2017 3 commits