From 608260d0f197c271220740ec079cdd5eb1402437 Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Wed, 28 Feb 2018 08:42:17 +0100
Subject: [PATCH] saml: add tests case covering tampered NameID field (comment)

As sketched here: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

Thought it was interesting to see how our SAML connector behaved. And it seems to be behaving well. :)

Signed-off-by: Stephan Renatus
---
 connector/saml/saml_test.go | 14 ++++
 connector/saml/testdata/tampered-resp.xml | 79 +++++++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 connector/saml/testdata/tampered-resp.xml

diff --git a/connector/saml/saml_test.go b/connector/saml/saml_test.go
index 37cda8c3..a162eedf 100644
--- a/connector/saml/saml_test.go
+++ b/connector/saml/saml_test.go
@@ -262,6 +262,20 @@ func TestTwoAssertionFirstSigned(t *testing.T) {
 	test.run(t)
 }
 
+func TestTamperedResponseNameID(t *testing.T) {
+	test := responseTest{
+		caFile:       "testdata/ca.crt",
+		respFile:     "testdata/tampered-resp.xml",
+		now:          "2017-04-04T04:34:59.330Z",
+		usernameAttr: "Name",
+		emailAttr:    "email",
+		inResponseTo: "6zmm5mguyebwvajyf2sdwwcw6m",
+		redirectURI:  "http://127.0.0.1:5556/dex/callback",
+		wantErr:      true,
+	}
+	test.run(t)
+}
+
 func loadCert(ca string) (*x509.Certificate, error) {
 	data, err := ioutil.ReadFile(ca)
 	if err != nil {
diff --git a/connector/saml/testdata/tampered-resp.xml b/connector/saml/testdata/tampered-resp.xml
new file mode 100644
index 00000000..7543b096
--- /dev/null
+++ b/connector/saml/testdata/tampered-resp.xml
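Review bot: `wantErr: true` in TestTamperedResponseNameID only asserts that run returns some error, so the test would also pass if the tampered fixture were rejected for an unrelated reason (the validity window around `now`, an `inResponseTo` or `redirectURI` mismatch, or malformed XML) rather than because the signed NameID was altered; if responseTest can express it, assert on the specific validation error, otherwise record the expected failure so a later refactor cannot silently change what is being tested. The test also lacks a doc comment; I'd add `// TestTamperedResponseNameID checks that a response whose NameID was modified after signing (per the commit message, via an XML comment inside the NameID) is rejected rather than accepted with a truncated name.` above the function. responseTest and its run method are defined outside this hunk, so whether an expected-error field already exists cannot be seen here.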
@@ -0,0 +1,79 @@ + + + + + + + + + + + + + ew38E1LGMwYT+0gUZNq0RacD3GM= + + + TQ84pCaZAyEDBGkNafTMfwPUWujFvmdoXzyYMXZURIlKhA8Pv1bIZfzQ5MgbQr1W +z2Ye99/hss24Y4ueNT9nS+53LvDekhNctFGYfgdMjrbxs8Awo3KnbvveDib5zGvk +fWd/0/QLvlbFd/3670QGb5JQE1nD9mlAqPonyQgoufk63gEM84+tU71cAM7XKiy6 +09MC0y4s967qRAiLAtfgKbvi+46HkF/g+WsS74Wa8cu/A863URt56W0cogRjHWpQ +B+q8/FyVeJRE0NlrOjhnsgTU2QJtvkxYYvqIpRDbMv53NLKeAFvRhOcyJxhFXtSj +LF/oPMjbmHji4ylFiAlQWw== + + +MIIDGTCCAgGgAwIBAgIJAKLbLcQajEf8MA0GCSqGSIb3DQEBCwUAMCMxDDAKBgNV +BAoMA0RFWDETMBEGA1UEAwwKY29yZW9zLmNvbTAeFw0xNzA0MDQwNzAwNTNaFw0z +NzAzMzAwNzAwNTNaMCMxDDAKBgNVBAoMA0RFWDETMBEGA1UEAwwKY29yZW9zLmNv +bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKH3dKWbRqCIZD2m3aHI +4lfBT+u/4DECde74Ggq9WugdTucVQzDZUTaI7wzn17JM9hdPmXvaSRG9BaB1H3uO +ZCs/fmdhBERRhPvuEVfAZaFfQfR7vn7WvUzT7zwMLLB8+EHzL3fOSGM2QnCOMeUD +AB27Pb0fuBW43NXaTD9rwfFCHvo1UP+TBJIPnV65HMeMGIrtGLt7MZTPuPm3LnYA +faXLf2vWSzL5nAgnJvUgceZXmyuciBfXpt8c1jIsj4y3tBoRTRqaxuaW1Eo7WMKF +a7s6KvTBKErPKuzAoIcVB4ir6jm1ticAgB72SScKtPJJdEPemTXRNNzkiw7VbpY9 +QacCAwEAAaNQME4wHQYDVR0OBBYEFNHyGYyY2+eZ1l7ZLPZsnc3GOtj/MB8GA1Ud +IwQYMBaAFNHyGYyY2+eZ1l7ZLPZsnc3GOtj/MAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAHVXB5QmZfki9QpKzoiBNfpQ/mo6XWhExLGBTJXEWJT3P7JP +oR4Z0+85bp0fUK338s+WjyqTn0U55Jtp0B65Qxy6ythkZat/6NPp/S7gto2De6pS +hSGygokQioVQnoYQeK0MXl2QbtrWwNiM4HC+9yohbUfjwv8yI7opwn/rjB6X/4De +oX2YzwTBJgoIXF7zMKYFF0DrKQjbTQr/a7kfNjq4930o7VhFph9Qpdv0EWM3svTd +esSffLKbWcabtyMtCr5QyEwZiozd567oWFWZYeHQyEtd+w6tAFmz9ZslipdQEa/j +1xUtrScuXt19sUfOgjUvA+VUNeMLDdpHUKHNW/Q= + + + + http://www.okta.com/exk91cb99lKkKSYoy0h7 + + + + + http://www.okta.com/exk91cb99lKkKSYoy0h7 + + noteric.chiang+okta@coreos.com + + + + + + + http://127.0.0.1:5556/dex/callback + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + + + eric.chiang+okta@coreos.com + + + Eric + + + Everyone + Admins + + + +