[3.2-g] Update github.com/russellhaering/goxmldsig to v1.1.0 (#4452)

* Re-sync branch e-ref * Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future. * Updated CHANGELOG.md. * Release 3.2.15. * Revendor golang.org/x/crypto. Update golang.org/x/crypto to mitigate CVE-2020-9283. See the following link for more details: https://groups.google.com/forum/#!msg/golang-announce/3L45YRc91SY/ywEPcKLnGQAJ * Updated CHANGELOG.md. * Release 3.2.16. * Update github.com/russellhaering/goxmldsig to v1.1.0 See GHSA-q547-gmf8-8jr7 * set version to 3.2.17-gravity Co-authored-by: Sasha Klizhentas <[email protected]> Co-authored-by: Russell Jones <[email protected]> Co-authored-by: Andrew Lytvynov <[email protected]>
gravitational · Oct 5, 2020 · eccdab5 · eccdab5
1 parent bebf7a5
commit eccdab5
Show file tree

Hide file tree

Showing 397 changed files with 147,385 additions and 41,844 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Changelog
 
+## 3.2.16
+
+This release of Teleport contains a security fix.
+
+* Mitigated [CVE-2020-9283](https://groups.google.com/forum/#!msg/golang-announce/3L45YRc91SY/ywEPcKLnGQAJ) by updating golang.org/x/crypto.
+
+## 3.2.15
+
+This release of Teleport contains a bug fix.
+
+* Fixed a regression in role mapping between trusted clusters. [#3252](https://github.com/gravitational/teleport/issues/3252)
+
 ## 3.2.14
 
 This release of Teleport contains a bug fix and a feature.

diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@
 # Naming convention:
 #	for stable releases we use "1.0.0" format
 #   for pre-releases, we use   "1.0.0-beta.2" format
-VERSION=3.2.14
+VERSION=3.2.17-gravity
 
 # These are standard autotools variables, don't change them please
 BUILDDIR ?= build

diff --git a/e b/e
diff --git a/lib/services/saml.go b/lib/services/saml.go
@@ -540,15 +540,17 @@ func (o *SAMLConnectorV2) GetServiceProvider(clock clockwork.Clock) (*saml2.SAML
 		}
 
 		for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
-			certData, err := base64.StdEncoding.DecodeString(kd.KeyInfo.X509Data.X509Certificate.Data)
-			if err != nil {
-				return nil, trace.Wrap(err)
-			}
-			cert, err := x509.ParseCertificate(certData)
-			if err != nil {
-				return nil, trace.Wrap(err, "failed to parse certificate in metadata")
+			for _, samlCert := range kd.KeyInfo.X509Data.X509Certificates {
+				certData, err := base64.StdEncoding.DecodeString(strings.TrimSpace(samlCert.Data))
+				if err != nil {
+					return nil, trace.Wrap(err)
+				}
+				cert, err := x509.ParseCertificate(certData)
+				if err != nil {
+					return nil, trace.Wrap(err, "failed to parse certificate in metadata")
+				}
+				certStore.Roots = append(certStore.Roots, cert)
 			}
-			certStore.Roots = append(certStore.Roots, cert)
 		}
 		o.Spec.Issuer = metadata.EntityID
 		o.Spec.SSO = metadata.IDPSSODescriptor.SingleSignOnService.Location