Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement query signature verification #449

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Implement query signature verification #449

wants to merge 1 commit into from

Conversation

Jguer
Copy link
Contributor

@Jguer Jguer commented Jul 21, 2022
edited

Hey,

This patch implements:

  • Query signature validation for SLO redirect bindings.

  • Query signing was also slightly refactored to fix the query getting fully signed instead of only the expected req+relay+alg format (also made it easier to implement tests for it)

Section 3.4.4.1 Oasis

  1. To construct the signature, a string consisting of the concatenation of the RelayState (if present),
    SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URL-
    encoded) is constructed in one of the following ways (ordered as below):
SAMLRequest=value&RelayState=value&SigAlg=value
SAMLResponse=value&RelayState=value&SigAlg=value
  1. The resulting string of bytes is the octet string to be fed into the signature algorithm. Any other
    content in the original query string is not included and not signed.

It can probably be adapted for validations in other scenarios.

Please advise on style, structure or other modifications that would help the project

@orgads orgads mentioned this pull request Dec 25, 2022
Closed
@Jguer Jguer force-pushed the jguer/validate-query-signatures branch from b7db51f to 0002d15 Compare January 2, 2023 12:30
@Jguer @IevaVasiljeva @orgads
implement query signature verification
ea6eee2 
add support for sha1 & sha512

add tests

use query sign in redirect

implement review feedback

- Return error if signature is unsupported
- wrap errors

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Orgad Shaneh <orgads@gmail.com>
@Jguer Jguer force-pushed the jguer/validate-query-signatures branch from 0002d15 to ea6eee2 Compare January 2, 2023 12:34
@Jguer
Copy link
Contributor Author

Jguer commented Mar 6, 2023

Hey, @crewjam any blocker into having this merged? I have some time to fix this up if needed

We've been running it in production for a few months now

@omerkarj
Copy link

I can confirm this does work properly.
Also passes verification with this tool (which master does not):

omerkarj
omerkarj reviewed Oct 1, 2023
View reviewed changes
service_provider.go
} else {
query += "SAMLRequest=" + url.QueryEscape(string(w.Bytes()))
query += string(samlRequest) + "=" + url.QueryEscape(reqString)
}

if relayState != "" {
query += "&RelayState=" + relayState
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
query += "&RelayState=" + relayState
query += "&RelayState=" + url.QueryEscape(relayState)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@omerkarj omerkarj omerkarj left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Jguer @omerkarj