diff --git a/continuity/manager_relaystate.go b/continuity/manager_relaystate.go index 5ce1dc7ffee7..264a54e17064 100644 --- a/continuity/manager_relaystate.go +++ b/continuity/manager_relaystate.go @@ -49,18 +49,16 @@ func (m *ManagerRelayState) Pause(ctx context.Context, w http.ResponseWriter, r } c := NewContainer(name, *o) - // We have to put the continuity value in the cookie to ensure that value are passed between API and UI - // It is also useful to pass the value between SP and IDP with POST method because RelayState will take its value from cookie + if err := m.dr.ContinuityPersister().SaveContinuitySession(r.Context(), c); err != nil { + return errors.WithStack(err) + } + if err = x.SessionPersistValues(w, r, m.dc.ContinuityCookieManager(ctx), CookieName, map[string]interface{}{ name: c.ID.String(), }); err != nil { return err } - if err := m.dr.ContinuityPersister().SaveContinuitySession(r.Context(), c); err != nil { - return errors.WithStack(err) - } - return nil } diff --git a/go.mod b/go.mod index c5ad631c680a..7c043743e9f2 100644 --- a/go.mod +++ b/go.mod @@ -59,7 +59,6 @@ require ( github.com/hashicorp/golang-lru v0.5.4 github.com/imdario/mergo v0.3.13 github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf - github.com/instana/testify v1.6.2-0.20200721153833-94b1851f4d65 github.com/jarcoal/httpmock v1.0.5 github.com/jteeuwen/go-bindata v3.0.7+incompatible github.com/julienschmidt/httprouter v1.3.0 @@ -85,6 +84,7 @@ require ( github.com/pquerna/otp v1.4.0 github.com/rs/cors v1.8.2 github.com/russellhaering/goxmldsig v1.1.1 + github.com/samber/lo v1.37.0 github.com/sirupsen/logrus v1.9.0 github.com/slack-go/slack v0.7.4 github.com/spf13/cobra v1.6.1 @@ -103,7 +103,7 @@ require ( golang.org/x/oauth2 v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/tools v0.2.0 - google.golang.org/grpc v1.50.1 + google.golang.org/grpc v1.52.0 gotest.tools v2.2.0+incompatible ) @@ -328,7 +328,7 @@ require ( golang.org/x/time v0.1.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71 // indirect + google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect diff --git a/go.sum b/go.sum index d20267a40297..8baea54abd80 100644 --- a/go.sum +++ b/go.sum @@ -166,6 +166,8 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= +github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -505,8 +507,8 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V github.com/gobuffalo/plush/v4 v4.1.16/go.mod h1:6t7swVsarJ8qSLw1qyAH/KbrcSTwdun2ASEQkOznakg= github.com/gobuffalo/plush/v4 v4.1.18 h1:bnPjdMTEUQHqj9TNX2Ck3mxEXYZa+0nrFMNM07kpX9g= github.com/gobuffalo/plush/v4 v4.1.18/go.mod h1:xi2tJIhFI4UdzIL8sxZtzGYOd2xbBpcFbLZlIPGGZhU= -github.com/gobuffalo/pop/v6 v6.1.2-0.20230124165254-ec9229dbf7d7 h1:lwf/5cRw46IrLrhZnCg8J9NKgskkwMPuVvEOc2Wy72I= -github.com/gobuffalo/pop/v6 v6.1.2-0.20230124165254-ec9229dbf7d7/go.mod h1:1n7jAmI1i7fxuXPZjZb0VBPQDbksRtCoFnrDV5IsvaI= +github.com/gobuffalo/pop/v6 v6.0.8 h1:9+5ShHYh3x9NDFCITfm/gtKDDRSgOwiY7kA0Hf7N9aQ= +github.com/gobuffalo/pop/v6 v6.0.8/go.mod h1:f4JQ4Zvkffcevz+t+XAwBLStD7IQs19DiIGIDFYw1eA= github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobuffalo/tags/v3 v3.1.4 h1:X/ydLLPhgXV4h04Hp2xlbI2oc5MDaa7eub6zw8oHjsM= github.com/gobuffalo/tags/v3 v3.1.4/go.mod h1:ArRNo3ErlHO8BtdA0REaZxijuWnWzF6PUXngmMXd2I0= @@ -521,8 +523,8 @@ github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= -github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI= -github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc= +github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -598,6 +600,7 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github/v27 v27.0.1 h1:sSMFSShNn4VnqCqs+qhab6TS3uQc+uVR6TD1bW6MavM= @@ -785,8 +788,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf h1:FtEj8sfIcaaBfAKrE1Cwb61YDtYq9JxChK1c7AKce7s= github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf/go.mod h1:yrqSXGoD/4EKfF26AOGzscPOgTTJcyAwM2rpixWT+t4= -github.com/instana/testify v1.6.2-0.20200721153833-94b1851f4d65 h1:T25FL3WEzgmKB0m6XCJNZ65nw09/QIp3T1yXr487D+A= -github.com/instana/testify v1.6.2-0.20200721153833-94b1851f4d65/go.mod h1:nYhEREG/B7HUY7P+LKOrqy53TpIqmJ9JyUShcaEKtGw= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8= @@ -1119,8 +1120,8 @@ github.com/ory/nosurf v1.2.7/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OU github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2 h1:zm6sDvHy/U9XrGpixwHiuAwpp0Ock6khSVHkrv6lQQU= github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM= -github.com/ory/x v0.0.519 h1:T8/LbbQQqm+3P7bfI838T7eECv6+laXlvIyCp0QB+R8= -github.com/ory/x v0.0.519/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= +github.com/ory/x v0.0.534 h1:hc49pmcOuHdJ6rbHVGtJJ4/LU88dzDCtEQKfgeo/ecU= +github.com/ory/x v0.0.534/go.mod h1:CQopDsCC9t0tQsddE9UlyRFVEFd2xjKBVcw4nLMMMS0= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= @@ -1320,6 +1321,7 @@ github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tL github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= @@ -1950,8 +1952,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4= -golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= +golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/selfservice/strategy/saml/strategy.go b/selfservice/strategy/saml/strategy.go index fec366df3359..d813bb29bbd0 100644 --- a/selfservice/strategy/saml/strategy.go +++ b/selfservice/strategy/saml/strategy.go @@ -3,7 +3,9 @@ package saml import ( "bytes" "context" + "encoding/base64" "encoding/json" + "fmt" "net/http" "strings" @@ -124,6 +126,11 @@ type authCodeContainer struct { Traits json.RawMessage `json:"traits"` } +func generateState(flowID string) string { + state := x.NewUUID().String() + return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", flowID, state))) +} + func NewStrategy(d registrationStrategyDependencies) *Strategy { return &Strategy{ d: d, @@ -178,7 +185,7 @@ func (s *Strategy) GetAttributesFromAssertion(assertion *saml.Assertion) (map[st } func (s *Strategy) validateFlow(ctx context.Context, r *http.Request, rid uuid.UUID) (flow.Flow, error) { - if x.IsZeroUUID(rid) { + if rid.IsNil() { return nil, errors.WithStack(herodot.ErrBadRequest.WithReason("The session cookie contains invalid values and the flow could not be executed. Please try again.")) } diff --git a/selfservice/strategy/saml/strategy_login.go b/selfservice/strategy/saml/strategy_login.go index b31e6332b0cb..67faa6682b25 100644 --- a/selfservice/strategy/saml/strategy_login.go +++ b/selfservice/strategy/saml/strategy_login.go @@ -6,6 +6,7 @@ import ( "net/http" "time" + "github.com/gofrs/uuid" "github.com/google/go-jsonnet" "github.com/pkg/errors" "github.com/tidwall/gjson" @@ -74,7 +75,7 @@ func (s *Strategy) processLogin(w http.ResponseWriter, r *http.Request, a *login return nil, nil } -func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, ss *session.Session) (i *identity.Identity, err error) { +func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, identityID uuid.UUID) (i *identity.Identity, err error) { if err := login.CheckAAL(f, identity.AuthenticatorAssuranceLevel1); err != nil { return nil, err } @@ -102,7 +103,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, return } - state := x.NewUUID().String() + state := generateState(f.ID.String()) if err := s.d.RelayStateContinuityManager().Pause(r.Context(), w, r, sessionName, continuity.WithPayload(&authCodeContainer{ State: state, diff --git a/selfservice/strategy/saml/vulnerabilities_test.go b/selfservice/strategy/saml/vulnerabilities_test.go index fe8f05c447a4..7c0095aef5a8 100644 --- a/selfservice/strategy/saml/vulnerabilities_test.go +++ b/selfservice/strategy/saml/vulnerabilities_test.go @@ -12,6 +12,7 @@ import ( "github.com/beevik/etree" "github.com/crewjam/saml" + "github.com/ory/kratos/identity" dsig "github.com/russellhaering/goxmldsig" "gotest.tools/assert" @@ -56,9 +57,6 @@ func TestHappyPath(t *testing.T) { // We send the request to Kratos strategy.HandleCallback(resp, req, ps) - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) - _ = ids - // This is the Happy Path, the HTTP response code should be 302 (Found status) assert.Check(t, !strings.Contains(resp.HeaderMap["Location"][0], "error")) } @@ -498,7 +496,7 @@ func TestAddXMLCommentsInSAMLAttributes(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) traitsMap := make(map[string]interface{}) json.Unmarshal(ids[0].Traits, &traitsMap) @@ -682,7 +680,7 @@ func TestXSW3AssertionWrap1(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com")) @@ -744,7 +742,7 @@ func TestXSW4AssertionWrap2(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com")) @@ -806,7 +804,7 @@ func TestXSW5AssertionWrap3(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com")) @@ -868,7 +866,7 @@ func TestXSW6AssertionWrap4(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com")) @@ -930,7 +928,7 @@ func TestXSW7AssertionWrap5(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com")) @@ -990,7 +988,7 @@ func TestXSW8AssertionWrap6(t *testing.T) { strategy.HandleCallback(resp, req, ps) // Get all identities - ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), 0, 1000) + ids, _ := strategy.D().PrivilegedIdentityPool().ListIdentities(context.Background(), identity.ExpandEverything, 0, 1000) // We have to check that there is either an error or an identity created without the modified attribute assert.Check(t, strings.Contains(resp.HeaderMap["Location"][0], "error") || strings.Contains(string(ids[0].Traits), "alice@example.com"))