Implement query signature verification #449
Conversation
Jguer
force-pushed
the
jguer/validate-query-signatures
branch
from
b7db51f to
0002d15
Compare
add support for sha1 & sha512 add tests use query sign in redirect implement review feedback - Return error if signature is unsupported - wrap errors Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Orgad Shaneh <orgads@gmail.com>
Jguer
force-pushed
the
jguer/validate-query-signatures
branch
from
0002d15 to
ea6eee2
Compare
|
Hey, @crewjam any blocker into having this merged? I have some time to fix this up if needed We've been running it in production for a few months now |
|
I can confirm this does work properly.
|
| } else { | ||
| query += "SAMLRequest=" + url.QueryEscape(string(w.Bytes())) | ||
| query += string(samlRequest) + "=" + url.QueryEscape(reqString) | ||
| } | ||
|
|
||
| if relayState != "" { | ||
| query += "&RelayState=" + relayState |
There was a problem hiding this comment.
| query += "&RelayState=" + relayState | |
| query += "&RelayState=" + url.QueryEscape(relayState) |
| @@ -1534,6 +1531,13 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str | |||
| return err | |||
| } | |||
|
|
|||
| if query.Get("Signature") != "" && query.Get("SigAlg") != "" { | |||
| if err := sp.validateQuerySig(query); err != nil { | |||
There was a problem hiding this comment.
I see here that the PR validates a signature coming via query elements.
However, in line 1547 the code still calls sp.validateSignature(doc.Root()), which
expects a signature element in the XML document, and wants to verify it.
So, this PR seems to expect a signature in two places, required in the XML document, and optional in the query.
With keycloak I have a signature in the query element, and nothing in the XML document.
I expect this to fail.
I am missing something ?
There was a problem hiding this comment.
Added a querySig flag for myself, recording when a proper query sig is seen.
Check this flag if xml sign errors out with not present to avoid passing on that error
IOW
querySig := false
if query.Get("Signature") != "" && query.Get("SigAlg") != "" {
if err := sp.validateQuerySig(query); err != nil {
retErr.PrivateErr = err
return retErr
}
querySig = true
}
and
if err := sp.validateSignature(doc.Root()); err != nil {
if err != errSignatureElementNotPresent || !querySig {
retErr.PrivateErr = err
return retErr
}
}
There was a problem hiding this comment.
Tested the modification against Keycloak and works. As expected it verifies the detached sig, and then ignores the missing embedded sig.
Also extended further to generate a proper detached sig for logout requests. That solved issues with OKTA.
References:
There was a problem hiding this comment.
@andreas-kupries - have you verified both IDP initiated and SP initiated single logouts? I cannot see any reference to handle LogoutRequest?
There was a problem hiding this comment.
Hi. According to our QA (First two points at rancher/rancher#38494 (comment)) both IDP initiated (logout of Okta) and SP initiated (logout of Rancher) were tested.
There was a problem hiding this comment.
Nice, I was thinking is there a way we can bring the tested fixes to this repo?
cc @crewjam
There was a problem hiding this comment.
I believe the following signature verification checking is not needed for HTTP-Redirect binding SAMLResponse as it is already done in the previous step by this PR, looks like ValidateLogoutResponseRequest handle the HTTP-Redirect binding and ValidateLogoutResponseForm handles HTTP-POST Binding
if err := sp.validateSignature(doc.Root()); err != nil {
Applied long-open PR crewjam#449 plus https://github.com/crewjam/saml/pull/449/files#r1654477177 to make embedded signature optional when a good detached signature is seen.
Thanks @crewjam, really appreciated it. Looks like there are conflicts with this PR. I can help to resolve the conflicts if that speed things up, but looks like I cannot at the moment due to permission. |
I've resolved this PR conflicts in this new PR #621, which also fixes the Single Logout with ADFS. |
|
@crewjam - Do we have any updates here? |
Hey,
This patch implements:
Query signature validation for SLO redirect bindings.
Query signing was also slightly refactored to fix the query getting fully signed instead of only the expected req+relay+alg format (also made it easier to implement tests for it)
Section 3.4.4.1 Oasis
SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URL-
encoded) is constructed in one of the following ways (ordered as below):
content in the original query string is not included and not signed.
It can probably be adapted for validations in other scenarios.
Please advise on style, structure or other modifications that would help the project