From 63b49852dce376708097949d0ac2c5da825853fc Mon Sep 17 00:00:00 2001
From: Ross Kinder
Date: Fri, 1 Nov 2019 17:30:17 -0400
Subject: [PATCH] golangci: require comments, add a few missing ones
---
 .golangci.yml | 12 ++++--------
 samlsp/middleware.go | 2 ++
 schema.go | 4 ++++
 service_provider.go | 22 ++++++++++++----------
 4 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index 98797f59..3cbb0ab3 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -71,12 +71,8 @@ linters-settings:
 - unreachable
 - unsafeptr
 - unusedresult
+issues:
+ exclude-use-default: false
+ exclude:
+ - G104 # 'Errors unhandled. (gosec)
-#issues:
-# exclude-use-default: false
-# exclude:
-# - G104 # 'Errors unhandled. (gosec)
-# - G204 # Subprocess launched with variable (gosec)
-# - G301 # Expect directory permissions to be 0750 or less (gosec)
-# - G302 # Expect file permissions to be 0600 or less (gosec)
-# - G304 # Potential file inclusion via variable (gosec)
\ No newline at end of file
diff --git a/samlsp/middleware.go b/samlsp/middleware.go
index 58c10b97..018afebd 100644
--- a/samlsp/middleware.go
+++ b/samlsp/middleware.go
@@ -130,6 +130,8 @@ func (m *Middleware) RequireAccount(handler http.Handler) http.Handler {
 return http.HandlerFunc(fn)
 }
+// RequireAccountHandler handles an HTTP request that does not already have a
+// valid session. It redirects the user to start the SAML auth flow.
 func (m *Middleware) RequireAccountHandler(w http.ResponseWriter, r *http.Request) {
 // If we try to redirect when the original request is the ACS URL we'll
 // end up in a loop. This is a programming error, so we panic here. In
diff --git a/schema.go b/schema.go
index f194c6b7..eacfb45b 100644
--- a/schema.go
+++ b/schema.go
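Review bot: Excluding G104 for the whole repository silences gosec's unchecked-error findings everywhere, including the code paths this package documents as verifying signatures and decrypting messages, which is where an ignored error matters most. A narrower exclusion is safer: a per-site `//nolint:gosec` with a short justification, or an `issues.exclude-rules` entry restricted by `path:` and `linters:` if the pinned golangci-lint version supports it, so that new unchecked errors in that code still surface. The kept exclusion line also carries over a stray opening quote from the old commented block: `- G104 # Errors unhandled (gosec)`. Since `exclude-use-default: false` is presumably what re-enables the missing-doc-comment findings the subject line refers to, a one-line comment on that key saying so would help the next person who is tempted to flip it back.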
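Review bot: The new comment says RequireAccountHandler redirects the user to start the SAML auth flow, but the first thing the visible body does is panic when the original request is the ACS URL, and a caller wiring up routes should learn that from the doc comment rather than from a crash in production. Add a line after the second comment line such as `// It panics if r is a request for the ACS URL, since redirecting there would loop.` The body of RequireAccountHandler continues past the end of the hunk.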
@@ -39,6 +39,10 @@ type AuthnRequest struct {
 ProviderName string `xml:",attr"`
 }
+// LogoutRequest represents the SAML object of the same name, a request from an IDP
+// to destroy a user's session.
+//
+// See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
 type LogoutRequest struct {
 XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
diff --git a/service_provider.go b/service_provider.go
index 0c5646d0..60b528cb 100644
--- a/service_provider.go
+++ b/service_provider.go
@@ -452,16 +452,7 @@ func (sp *ServiceProvider) validateDestination(response []byte, responseDom *Res
 }
 // ParseResponse extracts the SAML IDP response received in req, validates
-// it, and returns the verified attributes of the request.
-//
-// This function handles decrypting the message, verifying the digital
-// signature on the assertion, and verifying that the specified conditions
-// and properties are met.
-//
-// If the function fails it will return an InvalidResponseError whose
-// properties are useful in describing which part of the parsing process
-// failed. However, to discourage inadvertent disclosure the diagnostic
-// information, the Error() method returns a static string.
+// it, and returns the verified assertion.
 func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs []string) (*Assertion, error) {
 now := TimeNow()
 retErr := &InvalidResponseError{
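Review bot: The new comment describes LogoutRequest as a request from an IDP, which is narrower than the element it models: the SAML 2.0 single logout profile lets either the identity provider or a service provider send a LogoutRequest, so if this type is also used to build SP-initiated requests elsewhere in the package the comment will mislead. Suggested wording: `// LogoutRequest represents the SAML LogoutRequest element, a message asking the recipient to terminate a user's session. It may be sent by either an identity provider or a service provider.` The spec link on the last added line could also use https. The struct body continues past the end of the hunk.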
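Review bot: With the detailed paragraph moved to ParseXMLResponse, the shortened ParseResponse comment no longer tells callers that a failure comes back as an *InvalidResponseError whose Error() string is deliberately static, even though the visible body starts by building `retErr := &InvalidResponseError{`, presumably the value returned on failure; callers of this public entry point will mostly read this comment, not ParseXMLResponse's, and may log or display the error expecting detail. Keep a one-line pointer, for example `// On failure it returns an *InvalidResponseError; see ParseXMLResponse for how the response is validated and how diagnostics are exposed.` The body of ParseResponse continues past the end of the hunk.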
@@ -484,6 +475,17 @@ func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs [
 }
+// ParseXMLResponse validates the SAML IDP response and
+// returns the verified assertion.
+//
+// This function handles decrypting the message, verifying the digital
+// signature on the assertion, and verifying that the specified conditions
+// and properties are met.
+//
+// If the function fails it will return an InvalidResponseError whose
+// properties are useful in describing which part of the parsing process
+// failed. However, to discourage inadvertent disclosure the diagnostic
+// information, the Error() method returns a static string.
 func (sp *ServiceProvider) ParseXMLResponse(decodedResponseXML []byte, possibleRequestIDs []string) (*Assertion, error) {
 now := TimeNow()
 var err error
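Review bot: The relocated paragraph keeps a grammatical slip on the second-to-last added line, which should read `// failed. However, to discourage inadvertent disclosure of the diagnostic` followed by the unchanged `// information, the Error() method returns a static string.` The first added line would also be clearer if it named its input, since the parameter is decodedResponseXML rather than an HTTP request: `// ParseXMLResponse validates the already-decoded SAML IDP response XML in decodedResponseXML and`. The body of ParseXMLResponse continues past the end of the hunk.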