connector/saml: make unparsable (trailing, non-space/newline) data an error

Fixes #1304, if we want to be harsh.

However, I think if it was the user's intention to pass two certs, and
the second one couldn't be read, that shouldn't just disappear. After
all, when attempting to login later, that might fail because the
expected IdP cert data isn't there.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
Stephan Renatus
2018-09-26 11:50:34 +02:00
parent ff70c0453f
commit 26c0206627
2 changed files with 92 additions and 0 deletions


@@ -2,6 +2,7 @@
package saml
import (
"bytes"
"crypto/x509"
"encoding/base64"
"encoding/pem"
@@ -200,6 +201,10 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*provider, error) {
for {
block, caData = pem.Decode(caData)
if block == nil {
caData = bytes.TrimSpace(caData)
if len(caData) > 0 { // if there's some left, we've been given bad caData
return nil, fmt.Errorf("parse cert: trailing data: %q", string(caData))
}
break
}
cert, err := x509.ParseCertificate(block.Bytes)
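Review bot: the new check in the `block == nil` branch only rejects bytes left after the last PEM block; since `pem.Decode` skips anything that precedes the next `-----BEGIN` line, unparsable data before the first block or between two blocks (the "second cert couldn't be read" case the commit message describes) still passes silently. To cover that case, compare the length of `caData` before and after each `pem.Decode` call and treat a non-whitespace prefix that was skipped as the same `trailing data` error, or state in a comment that only trailing bytes are validated. Separately, `fmt.Errorf("parse cert: trailing data: %q", string(caData))` echoes the entire remainder of the configured cert blob into the error; since this surfaces in logs, consider truncating it (or reporting only its length) so a mis-pasted private key or large file is not logged verbatim.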