saml: add tests case covering tampered NameID field (comment)

As sketched here: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability Thought it was interesting to see how our SAML connector behaved. And it seems to be behaving well. :) Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-02-28 08:42:17 +01:00
parent 39a66d1496
commit 608260d0f1
2 changed files with 93 additions and 0 deletions
--- a/connector/saml/saml_test.go
+++ b/connector/saml/saml_test.go
@@ -262,6 +262,20 @@ func TestTwoAssertionFirstSigned(t *testing.T) {
 	test.run(t)
 }

+func TestTamperedResponseNameID(t *testing.T) {
+	test := responseTest{
+		caFile:       "testdata/ca.crt",
+		respFile:     "testdata/tampered-resp.xml",
+		now:          "2017-04-04T04:34:59.330Z",
+		usernameAttr: "Name",
+		emailAttr:    "email",
+		inResponseTo: "6zmm5mguyebwvajyf2sdwwcw6m",
+		redirectURI:  "http://127.0.0.1:5556/dex/callback",
+		wantErr:      true,
+	}
+	test.run(t)
+}
+
 func loadCert(ca string) (*x509.Certificate, error) {
 	data, err := ioutil.ReadFile(ca)
 	if err != nil {