Dmm/add invalid sig errors #86

Sgtpluck · 2023-11-24T19:27:02Z

This change:

Passes a require_auth_errors option through the validation methods to trigger validation failures as a way of passing more meaningful errors through
Adds an error dictionary to catch validation errors and return translatable keywords
Adds tests to make sure right certificates are being used, and that a partner can't pass a certificate through the SAML request that is not registered in the IdP
Updates the tests to use request macros instead of hard-coding XML
Updates the request macros to be more configurable (this could use some more cleanup)

zachmargolis · 2023-11-24T19:47:30Z

lib/saml_idp/request.rb

+            errors.push(:invalid_signature)
+          end
+        rescue SamlIdp::XMLSecurity::SignedDocument::ValidationError => e
+          errors.push(validation_error_dictionary[e.message])


do we need to have a default mesage here if the dictionary doesn't have a matching error?

the dictionary keys appear to be symbols but e.message looks like it will be strings

i included all possible ValidationErrors that could pop up (and some that actually i think are impossible for us to reach, but wanted to keep them there for the moment until we refactored the code) so it didn't feel strictly necessary. happy to add a default if you disagree![

i threw a with_indifferent_access in there but i can change it to the hash rockets if you'd prefer, i just think they're kind ugly!

I didn't realize our own code threw those errors, if it's more limited that seems fine then. Maybe we just update each time we throw to have its own error_code property or something do we can do e.error_code instead of a reverse lookup
So like...
raise SamlIdp::XMLSecurity::SignedDocument::ValidationError.new('error message', error_code: :some_symbole_thing_here)

I missed the with_indifferent_access that seems fine

zachmargolis · 2023-11-24T19:49:20Z

lib/saml_idp/service_provider.rb

        if doc.valid_signature?(fingerprint_cert(cert), options.merge(cert: cert))
-          @matching_cert = cert
+          cert
        end


if we're switching to a find, the block just needs to return true so we can get rid of the if and just have that condition be the body

@matching_cert = Array(certs).find do |cert| doc.valid_signature?(fingerprint_cert(cert), options.merge(cert: cert)) end

updated in 0d555da

zachmargolis

LGTM! Thanks for adding the error code to the error class itself!

Also don't forget to bump the gem version before merging!

lib/saml_idp/request.rb

lib/saml_idp/xml_security.rb

Sgtpluck · 2023-11-27T16:37:30Z

spec/xml_security_spec.rb

+          expect { document.validate_doc(base64cert, false) }.to(
+            raise_error(SamlIdp::XMLSecurity::SignedDocument::ValidationError, 'All signatures must use RSA SHA-256')
+          )
+        end


i really want to fix the tests in this file (and spec/support/security_helpers.rb but this scope has already gotten expanded so left a TODO in security_helpers.rb

lib/saml_idp/request.rb

Sgtpluck · 2024-06-07T14:44:39Z

this PR is stale -- reference only

Sgtpluck added 4 commits November 24, 2023 09:02

Add service provider tests

dd1a559

Update valid_signature? to use find method

75eb33f

Update request.rb to allow hard validation errors

873c646

Standardize quote marks

3bf439c

zachmargolis reviewed Nov 24, 2023

View reviewed changes

Sgtpluck added 2 commits November 24, 2023 15:31

Updates based on PR feedback

0d555da

Update ValidationError class to have an error_code

b1bd75b

zachmargolis approved these changes Nov 27, 2023

View reviewed changes

lib/saml_idp/request.rb Outdated Show resolved Hide resolved

lib/saml_idp/xml_security.rb Show resolved Hide resolved

Sgtpluck force-pushed the dmm/add-invalid-sig-errors branch from f1754cc to 0bc0aa9 Compare November 27, 2023 16:32

Add ValidationError if the SignatureAlgorithm does not have SHA256

c27da1c

Sgtpluck force-pushed the dmm/add-invalid-sig-errors branch from 0bc0aa9 to c27da1c Compare November 27, 2023 16:33

Sgtpluck commented Nov 27, 2023

View reviewed changes

lib/saml_idp/request.rb Outdated Show resolved Hide resolved

Fix typo

061b51b

Sgtpluck force-pushed the dmm/add-invalid-sig-errors branch from 27f8f16 to 061b51b Compare November 27, 2023 21:20

Sgtpluck mentioned this pull request Nov 29, 2023

Add tests to service_provider validate method #85

Merged

Only raise request errors

59d17eb

Sgtpluck force-pushed the dmm/add-invalid-sig-errors branch from c813112 to 59d17eb Compare December 1, 2023 15:10

Sgtpluck mentioned this pull request Jan 23, 2024

LG-12085 Returns 400 when blank certificate element is passed through assertion 18F/identity-idp#9960

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dmm/add invalid sig errors #86

Dmm/add invalid sig errors #86

Sgtpluck commented Nov 24, 2023 •

edited

Loading

zachmargolis Nov 24, 2023

Sgtpluck Nov 24, 2023

zachmargolis Nov 24, 2023 •

edited

Loading

zachmargolis Nov 24, 2023

Sgtpluck Nov 24, 2023

zachmargolis left a comment

Sgtpluck Nov 27, 2023 •

edited

Loading

Sgtpluck commented Jun 7, 2024

Dmm/add invalid sig errors #86

Are you sure you want to change the base?

Dmm/add invalid sig errors #86

Conversation

Sgtpluck commented Nov 24, 2023 • edited Loading

zachmargolis Nov 24, 2023

Choose a reason for hiding this comment

Sgtpluck Nov 24, 2023

Choose a reason for hiding this comment

zachmargolis Nov 24, 2023 • edited Loading

Choose a reason for hiding this comment

zachmargolis Nov 24, 2023

Choose a reason for hiding this comment

Sgtpluck Nov 24, 2023

Choose a reason for hiding this comment

zachmargolis left a comment

Choose a reason for hiding this comment

Sgtpluck Nov 27, 2023 • edited Loading

Choose a reason for hiding this comment

Sgtpluck commented Jun 7, 2024

Sgtpluck commented Nov 24, 2023 •

edited

Loading

zachmargolis Nov 24, 2023 •

edited

Loading

Sgtpluck Nov 27, 2023 •

edited

Loading