Commits · e0709dc2ac4c78794ef89635de0590e90a9b7db1 · go / dex

04 Apr, 2017 1 commit

connector/saml: fix validation bug with multiple Assertion elements · e0709dc2

Eric Chiang authored Apr 04, 2017

When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.

e0709dc2

29 Mar, 2017 4 commits
- Merge pull request #886 from rithujohn191/error-msg-update · f4865a35
  rithu leena john authored Mar 29, 2017
```
storage/static.go: correct the error message that gets displayed.
```
  f4865a35
- storage/static.go: correct the error message that gets displayed. · 5abb4b3d
  rithu john authored Mar 29, 2017
  
  5abb4b3d
- Merge pull request #883 from ericchiang/scopes-docs · 5eb8210e
  Eric Chiang authored Mar 29, 2017
```
Documentation: document dex scopes, claims, and client features
```
  5eb8210e
- Merge pull request #881 from ericchiang/api-test-use-client · 8902ddc0
  Eric Chiang authored Mar 29, 2017
```
server: use client connected to remove server for gRPC tests
```
  8902ddc0
28 Mar, 2017 4 commits
- Documentation: document dex scopes, claims, and client features · 5e34f0d1
  Eric Chiang authored Mar 20, 2017
  
  5e34f0d1
- server: use client connected to remove server for gRPC tests · f734b140
  Eric Chiang authored Mar 28, 2017
  
  f734b140
- Merge pull request #880 from rithujohn191/connector-object · 42c1eed2
  rithu leena john authored Mar 28, 2017
```
storage: add connector object to backend storage.
```
  42c1eed2
- storage: add connector object to backend storage. · bc55b86d
  rithu john authored Mar 23, 2017
  
  bc55b86d
24 Mar, 2017 7 commits
- Merge pull request #875 from ericchiang/fix-example-app-custom-ca · 6e50c184
  Eric Chiang authored Mar 24, 2017
```
cmd/example-app: fix custom CA behavior
```
  6e50c184
- cmd/example-app: fix custom CA behavior · 9b0e9ab2
  Eric Chiang authored Mar 24, 2017
  
  9b0e9ab2
- Merge pull request #870 from Calpicow/fix_assertion_fallback · 2a6ae0a6
  Eric Chiang authored Mar 24, 2017
```
Fix assertion fallback
```
  2a6ae0a6
- Use etreeutils.NSSelectOne to select Assertion element · 6f9ef961
  Phu Kieu authored Mar 22, 2017
  
  6f9ef961
- vendor: revendor · 4b457d8c
  Phu Kieu authored Mar 24, 2017
  
  4b457d8c
- glide.yaml: update goxmldsig · b5f70dac
  Phu Kieu authored Mar 22, 2017
  
  b5f70dac
- Merge pull request #873 from rithujohn191/client-example · 5d49e184
  rithu leena john authored Mar 24, 2017
```
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
```
  5d49e184
23 Mar, 2017 3 commits
- examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap. · 562eae3f
  rithu john authored Mar 23, 2017
  
  562eae3f
- Merge pull request #872 from rithujohn191/offline-access-error · 6146e233
  rithu leena john authored Mar 23, 2017
```
connector: Connectors without a RefreshConnector should not error out
```
  6146e233
- connector: Connectors without a RefreshConnector should not return a refresh… · 59502850
  rithu john authored Mar 23, 2017
```
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
```
  59502850
22 Mar, 2017 2 commits
- Merge pull request #869 from ericchiang/saml-response-to · b112aa2e
  Eric Chiang authored Mar 22, 2017
```
*: validate InResponseTo SAML response field and make issuer optional
```
  b112aa2e
- *: validate InResponseTo SAML response field and make issuer optional · 50b223a9
  Eric Chiang authored Mar 21, 2017
  
  50b223a9
21 Mar, 2017 3 commits
- Merge pull request #867 from ericchiang/xml-validation · 8b2956dd
  Eric Chiang authored Mar 21, 2017
```
glide.yaml: update goxmldsig
```
  8b2956dd
- vendor: revendor · 910d5986
  Eric Chiang authored Mar 21, 2017
  
  910d5986
- glide.yaml: update goxmldsig · 58882209
  Eric Chiang authored Mar 21, 2017
  
  58882209
20 Mar, 2017 7 commits
- Merge pull request #855 from ericchiang/static-storage-fallthrough · 95d23700
  Eric Chiang authored Mar 20, 2017
```
storage: make static storages query real storages for some actions
```
  95d23700
- Merge pull request #864 from ericchiang/spelling · af54f592
  Eric Chiang authored Mar 20, 2017
```
*: fix spelling using github.com/client9/misspell
```
  af54f592
- Merge pull request #860 from ericchiang/oidc-broken-auth-header · 25fdaa67
  Eric Chiang authored Mar 20, 2017
```
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
```
  25fdaa67
- storage: make static storages query real storages for some actions · 4c39bc20
  Eric Chiang authored Mar 15, 2017
```
If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage.
```
  4c39bc20
- *: fix spelling using github.com/client9/misspell · 33f01990
  Eric Chiang authored Mar 20, 2017
  
  33f01990
- *: add documentation for the OpenID Connect provider · f503ff79
  Eric Chiang authored Mar 20, 2017
  
  f503ff79
- connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider · ac032e99
  Eric Chiang authored Mar 20, 2017
  
  ac032e99
17 Mar, 2017 3 commits
- Merge pull request #862 from rithujohn191/update-api · 4bf74d8a
  rithu leena john authored Mar 17, 2017
```
api: Update timestamp type for RefreshTokenRef to int64.
```
  4bf74d8a
- api: Update timestamp type for RefreshTokenRef to int64. · 921090f0
  rithu john authored Mar 17, 2017
  
  921090f0
- Merge pull request #854 from rithujohn191/conformance-tests · 84af5273
  rithu leena john authored Mar 17, 2017
```
storage/conformance: update conformance tests with multiple entries per resource
```
  84af5273
16 Mar, 2017 1 commit
- storage/conformance: update conformance tests with multiple entries per resource · 9e889245
  rithu john authored Mar 15, 2017
  
  9e889245
15 Mar, 2017 2 commits
- Merge pull request #852 from ericchiang/fix-log-level · 7a798844
  rithu leena john authored Mar 15, 2017
```
storage/kubernetes: log INFO level if TPR already exists, not ERROR
```
  7a798844
- storage/kubernetes: log INFO level if TPR already exists, not ERROR · 6cb38604
  Eric Chiang authored Mar 15, 2017
  
  6cb38604
13 Mar, 2017 2 commits
- Merge pull request #848 from ericchiang/fix-sql-where-statement · d31bb1c8
  Eric Chiang authored Mar 13, 2017
```
storage/sql: add missing WHERE statement to refresh token update
```
  d31bb1c8
- storage/sql: add missing WHERE statement to refresh token update · 0481fccd
  Eric Chiang authored Mar 13, 2017
  
  0481fccd
10 Mar, 2017 1 commit
- Merge pull request #844 from dmmcquay/master · d6f4fa5d
  Eric Chiang authored Mar 10, 2017
```
update kubernetes example-app explanation
```
  d6f4fa5d