Method to Match certs including SHA256 errors #126
Merged
Conversation
zachmargolis
approved these changes
Nov 22, 2024
lib/saml_idp/xml_security.rb
Outdated
Comment on lines +86 to +93
| @request_cert ||= if cert_element.text.blank? | ||
| raise ValidationError.new( | ||
| 'Certificate element present in response (ds:X509Certificate) but evaluating to nil', | ||
| :no_certificate_in_request | ||
| ) | ||
| end | ||
|
|
||
| cert_element.text |
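Review bot: the message string passed to `ValidationError.new` says the element is "present in response" and "evaluating to nil", but the error code on the next line is `:no_certificate_in_request` and the guard is `cert_element.text.blank?`, which also covers empty and whitespace-only text. Suggest wording the message to match the guard and the code, for example "Certificate element present in request (ds:X509Certificate) but blank".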
As-is, the memoization seems to be memoizing the raise, which is not actually a value? So I think this is memoizing nil.
Unless cert_element.text is very expensive, probably easier not to memoize at all.
Suggested change
| @request_cert ||= if cert_element.text.blank? | |
| raise ValidationError.new( | |
| 'Certificate element present in response (ds:X509Certificate) but evaluating to nil', | |
| :no_certificate_in_request | |
| ) | |
| end | |
| cert_element.text | |
| if cert_element.text.blank? | |
| raise ValidationError.new( | |
| 'Certificate element present in response (ds:X509Certificate) but evaluating to nil', | |
| :no_certificate_in_request | |
| ) | |
| end | |
| cert_element.text |
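Review bot: in the added lines, `cert_element.text` is read once for the `blank?` guard and a second time as the return value. Binding it to a local first (`text = cert_element.text`, guard on `text.blank?`, return `text`) guarantees the value that was checked is the value that is returned and drops the second call.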
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
jmhooper
approved these changes
Nov 23, 2024
Recently, I merged code to add an explicit error for when requests are using anything but SHA256, our desired encryption algorithm, for the signature method algorithm.
However, when I went to add this to the Idp, I tried to write some tests to replicate the original behavior and was unable to. This is when I determined (with the help of @jmhooper) that we actually do not seem to have validations for the signature method algorithm, but we ARE doing some determinations around whether the digest method algorithm is SHA256. We use that algorithm to ensure that the cert that is passed in the request matches a Service Provider's registered certs, but that code is complex and could be streamlined by just directly comparing the certificates (if the certificate is embedded in the request.)
Updating this means there is a possibility of a currently valid request being marked as invalid, or vice versa, which means there are opportunities for us to find a different matching certificate.
This change:
validate_with_sha256) to the XmlSecurity class that we can call so that we can set up event tracking in the IdP in order to determine if any integrations will break.
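The direct comparison proposed in the description above, as an added example that is not code from this pull request or from saml_idp: the base64 certificate embedded in a request is matched against a Service Provider's registered certificates by DER bytes, without going through the digest method algorithm. `matching_cert`, `CertMatchError`, `build_sample_cert` and the sample certificates are hypothetical names and constructed data.

```ruby
require 'openssl'

# Hypothetical error class; stands in for the ValidationError seen in the diff.
class CertMatchError < StandardError; end

# Constructed sample data: a throwaway self-signed certificate.
def build_sample_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns the registered certificate whose DER bytes equal the certificate
# embedded in the request, or nil when none matches.
def matching_cert(embedded_text, registered_certs)
  text = embedded_text.to_s.gsub(/\s+/, '') # base64 is often line-wrapped
  raise CertMatchError, 'ds:X509Certificate is present but blank' if text.empty?

  begin
    der = OpenSSL::X509::Certificate.new(text.unpack1('m0')).to_der
  rescue ArgumentError, OpenSSL::X509::CertificateError
    raise CertMatchError, 'ds:X509Certificate is not a parseable certificate'
  end
  registered_certs.find { |cert| cert.to_der == der }
end

def demo
  sp_cert = build_sample_cert('sp.example.test')
  other_cert = build_sample_cert('other.example.test')
  embedded = [sp_cert.to_der].pack('m') # line-wrapped base64, as in XML
  {
    match: matching_cert(embedded, [other_cert, sp_cert])&.subject&.to_s,
    miss: matching_cert(embedded, [other_cert])
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Comparing DER bytes makes the match independent of how the base64 text is wrapped in the XML and of any digest algorithm named in the request.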