add saml slo

Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>

Author: Jabejixo

connector/saml/saml.go

@@ -5,7 +5,9 @@ import (
 	"bytes"
 	"compress/flate"
 	"context"
+	"crypto"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -246,6 +248,7 @@ func (c *Config) openConnector(logger *slog.Logger) (*provider, error) {
 			return nil, errors.New("no certificates found in ca data")
 		}
 		p.validator = dsig.NewDefaultValidationContext(certStore{certs})
+		p.certs = certs
 	}
 	return p, nil
 }
@@ -265,6 +268,9 @@ type provider struct {
 
 	// If nil, don't do signature validation.
 	validator *dsig.ValidationContext
+	// Stored separately for HTTP-Redirect binding signature verification,
+	// which uses raw RSA/ECDSA over query string rather than XML digital signatures.
+	certs []*x509.Certificate
 
 	// Attribute mappings
 	usernameAttr  string
@@ -865,9 +871,17 @@ func (p *provider) HandleLogoutCallback(_ context.Context, r *http.Request) erro
 		return fmt.Errorf("saml slo: %w", xrvErr)
 	}
 
-	if p.validator != nil && !p.insecureSkipSLOSignatureValidation {
-		if _, err := p.validateSignature(rawResp); err != nil {
-			return fmt.Errorf("saml slo: %v", err)
+	if !p.insecureSkipSLOSignatureValidation {
+		if r.Method == http.MethodGet && len(p.certs) > 0 {
+			// HTTP-Redirect binding: signature is in query parameters.
+			if err := p.validateRedirectSignature(r); err != nil {
+				return fmt.Errorf("saml slo: %v", err)
+			}
+		} else if r.Method != http.MethodGet && p.validator != nil {
+			// HTTP-POST binding: signature is embedded in XML.
+			if _, err := p.validateSignature(rawResp); err != nil {
+				return fmt.Errorf("saml slo: %v", err)
+			}
 		}
 	}
 
@@ -885,6 +899,101 @@ func (p *provider) HandleLogoutCallback(_ context.Context, r *http.Request) erro
 	return nil
 }
 
+// redirectSigAlgToHash maps XML Signature algorithm URIs used in SAML HTTP-Redirect
+// binding to Go crypto.Hash values. Only RSA algorithms are supported.
+// See: https://www.w3.org/TR/xmldsig-core1/#sec-AlgID
+var redirectSigAlgToHash = map[string]crypto.Hash{
+	"http://www.w3.org/2000/09/xmldsig#rsa-sha1":        crypto.SHA1,
+	"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": crypto.SHA256,
+	"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": crypto.SHA384,
+	"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": crypto.SHA512,
+}
+
+// rawQueryParam extracts the raw (still URL-encoded) value of a query parameter
+// from a raw query string. This is needed for SAML HTTP-Redirect binding signature
+// validation, which signs over the URL-encoded parameter values.
+func rawQueryParam(rawQuery, key string) (string, bool) {
+	prefix := key + "="
+	for rawQuery != "" {
+		var pair string
+		if i := strings.IndexByte(rawQuery, '&'); i >= 0 {
+			pair, rawQuery = rawQuery[:i], rawQuery[i+1:]
+		} else {
+			pair, rawQuery = rawQuery, ""
+		}
+		if strings.HasPrefix(pair, prefix) {
+			return pair[len(prefix):], true
+		}
+	}
+	return "", false
+}
+
+// validateRedirectSignature verifies the query-string signature used in SAML
+// HTTP-Redirect binding. Unlike HTTP-POST where the signature is embedded in
+// the XML (<ds:Signature>), HTTP-Redirect carries it as Signature and SigAlg
+// query parameters. The signed content is reconstructed per SAML 2.0 Bindings
+// Section 3.4.4.1: SAMLResponse=value&RelayState=value&SigAlg=value (using
+// the original URL-encoded values).
+func (p *provider) validateRedirectSignature(r *http.Request) error {
+	rawQuery := r.URL.RawQuery
+
+	sigEncoded, ok := rawQueryParam(rawQuery, "Signature")
+	if !ok || sigEncoded == "" {
+		return fmt.Errorf("missing Signature query parameter")
+	}
+
+	sigAlgEncoded, ok := rawQueryParam(rawQuery, "SigAlg")
+	if !ok || sigAlgEncoded == "" {
+		return fmt.Errorf("missing SigAlg query parameter")
+	}
+
+	sigAlg, err := url.QueryUnescape(sigAlgEncoded)
+	if err != nil {
+		return fmt.Errorf("failed to decode SigAlg: %v", err)
+	}
+
+	hashAlg, ok := redirectSigAlgToHash[sigAlg]
+	if !ok {
+		return fmt.Errorf("unsupported signature algorithm: %s", sigAlg)
+	}
+
+	// Reconstruct the signed content in the spec-mandated order.
+	var parts []string
+	if v, ok := rawQueryParam(rawQuery, "SAMLResponse"); ok {
+		parts = append(parts, "SAMLResponse="+v)
+	}
+	if v, ok := rawQueryParam(rawQuery, "RelayState"); ok {
+		parts = append(parts, "RelayState="+v)
+	}
+	parts = append(parts, "SigAlg="+sigAlgEncoded)
+	signedContent := strings.Join(parts, "&")
+
+	sigB64, err := url.QueryUnescape(sigEncoded)
+	if err != nil {
+		return fmt.Errorf("failed to URL-decode Signature: %v", err)
+	}
+	sig, err := base64.StdEncoding.DecodeString(sigB64)
+	if err != nil {
+		return fmt.Errorf("failed to base64-decode Signature: %v", err)
+	}
+
+	h := hashAlg.New()
+	h.Write([]byte(signedContent))
+	hashed := h.Sum(nil)
+
+	for _, cert := range p.certs {
+		rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
+		if !ok {
+			continue
+		}
+		if rsa.VerifyPKCS1v15(rsaPub, hashAlg, hashed, sig) == nil {
+			return nil
+		}
+	}
+
+	return fmt.Errorf("redirect binding signature validation failed")
+}
+
 // validateSignature validates the XML digital signature of the given raw XML.
 func (p *provider) validateSignature(rawXML []byte) ([]byte, error) {
 	if p.validator == nil {

connector/saml/saml_test.go

@@ -4,6 +4,9 @@ import (
 	"bytes"
 	"compress/flate"
 	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -1268,7 +1271,14 @@ func signXMLDocument(t *testing.T, doc *etree.Document) []byte {
 	return out
 }
 
-func TestHandleLogoutCallbackSignatureValidation(t *testing.T) {
+func postSAMLResponse(encoded string) *http.Request {
+	form := url.Values{"SAMLResponse": {encoded}}
+	req := httptest.NewRequest(http.MethodPost, "/logout/callback", strings.NewReader(form.Encode()))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	return req
+}
+
+func TestHandleLogoutCallbackPOSTSignatureValidation(t *testing.T) {
 	conn, err := (&Config{
 		CA:                                 "testdata/ca.crt",
 		UsernameAttr:                       "Name",
@@ -1287,19 +1297,16 @@ func TestHandleLogoutCallbackSignatureValidation(t *testing.T) {
 			t.Fatal(err)
 		}
 		signedXML := signXMLDocument(t, doc)
-
 		encoded := base64.StdEncoding.EncodeToString(signedXML)
-		req := httptest.NewRequest(http.MethodGet, "/logout/callback?SAMLResponse="+url.QueryEscape(encoded), nil)
-		if err := conn.HandleLogoutCallback(context.Background(), req); err != nil {
+
+		if err := conn.HandleLogoutCallback(context.Background(), postSAMLResponse(encoded)); err != nil {
 			t.Errorf("expected no error for validly signed response, got: %v", err)
 		}
 	})
 
 	t.Run("InvalidSignature", func(t *testing.T) {
-		// Use unsigned XML — should fail signature validation
 		encoded := base64.StdEncoding.EncodeToString([]byte(successLogoutResponseXML))
-		req := httptest.NewRequest(http.MethodGet, "/logout/callback?SAMLResponse="+url.QueryEscape(encoded), nil)
-		if err := conn.HandleLogoutCallback(context.Background(), req); err == nil {
+		if err := conn.HandleLogoutCallback(context.Background(), postSAMLResponse(encoded)); err == nil {
 			t.Error("expected error for unsigned response when signature validation is enabled")
 		}
 	})
@@ -1322,15 +1329,112 @@ func TestHandleLogoutCallbackSignatureValidation(t *testing.T) {
 			t.Fatal(err)
 		}
 		signedXML := signXMLDocument(t, doc)
-
 		encoded := base64.StdEncoding.EncodeToString(signedXML)
-		req := httptest.NewRequest(http.MethodGet, "/logout/callback?SAMLResponse="+url.QueryEscape(encoded), nil)
-		if err := connBadCA.HandleLogoutCallback(context.Background(), req); err == nil {
+
+		if err := connBadCA.HandleLogoutCallback(context.Background(), postSAMLResponse(encoded)); err == nil {
 			t.Error("expected error when response is signed with different CA")
 		}
 	})
 }
 
+// signRedirectBinding builds a complete URL for a GET LogoutResponse with
+// SAML HTTP-Redirect binding signature. The XML is deflated, base64-encoded,
+// and a query-string RSA-SHA256 signature is appended.
+func signRedirectBinding(t *testing.T, xmlPayload string, keyFile, certFile string) string {
+	t.Helper()
+
+	var buf bytes.Buffer
+	fw, err := flate.NewWriter(&buf, flate.DefaultCompression)
+	if err != nil {
+		t.Fatalf("deflate writer: %v", err)
+	}
+	if _, err := fw.Write([]byte(xmlPayload)); err != nil {
+		t.Fatalf("deflate write: %v", err)
+	}
+	if err := fw.Close(); err != nil {
+		t.Fatalf("deflate close: %v", err)
+	}
+	samlResp := base64.StdEncoding.EncodeToString(buf.Bytes())
+
+	sigAlg := "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+	signedContent := "SAMLResponse=" + url.QueryEscape(samlResp) +
+		"&SigAlg=" + url.QueryEscape(sigAlg)
+
+	tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		t.Fatalf("load key pair: %v", err)
+	}
+	rsaKey, ok := tlsCert.PrivateKey.(*rsa.PrivateKey)
+	if !ok {
+		t.Fatal("test key is not RSA")
+	}
+
+	h := crypto.SHA256.New()
+	h.Write([]byte(signedContent))
+	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, h.Sum(nil))
+	if err != nil {
+		t.Fatalf("sign: %v", err)
+	}
+	sigB64 := base64.StdEncoding.EncodeToString(sig)
+
+	return "/logout/callback?" + signedContent +
+		"&Signature=" + url.QueryEscape(sigB64)
+}
+
+func TestHandleLogoutCallbackRedirectSignatureValidation(t *testing.T) {
+	conn, err := (&Config{
+		CA:                                 "testdata/ca.crt",
+		UsernameAttr:                       "Name",
+		EmailAttr:                          "email",
+		RedirectURI:                        "http://127.0.0.1:5556/dex/callback",
+		SSOURL:                             "http://foo.bar/",
+		InsecureSkipSLOSignatureValidation: false,
+	}).openConnector(slog.New(slog.DiscardHandler))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("ValidSignature", func(t *testing.T) {
+		u := signRedirectBinding(t, successLogoutResponseXML, "testdata/ca.key", "testdata/ca.crt")
+		req := httptest.NewRequest(http.MethodGet, u, nil)
+		if err := conn.HandleLogoutCallback(context.Background(), req); err != nil {
+			t.Errorf("expected no error, got: %v", err)
+		}
+	})
+
+	t.Run("MissingSignature", func(t *testing.T) {
+		var buf bytes.Buffer
+		fw, _ := flate.NewWriter(&buf, flate.DefaultCompression)
+		fw.Write([]byte(successLogoutResponseXML))
+		fw.Close()
+		encoded := base64.StdEncoding.EncodeToString(buf.Bytes())
+
+		req := httptest.NewRequest(http.MethodGet,
+			"/logout/callback?SAMLResponse="+url.QueryEscape(encoded), nil)
+		if err := conn.HandleLogoutCallback(context.Background(), req); err == nil {
+			t.Error("expected error for missing Signature parameter")
+		}
+	})
+
+	t.Run("WrongCA", func(t *testing.T) {
+		u := signRedirectBinding(t, successLogoutResponseXML, "testdata/bad-ca.key", "testdata/bad-ca.crt")
+		req := httptest.NewRequest(http.MethodGet, u, nil)
+		if err := conn.HandleLogoutCallback(context.Background(), req); err == nil {
+			t.Error("expected error when signed with wrong CA")
+		}
+	})
+
+	t.Run("TamperedPayload", func(t *testing.T) {
+		u := signRedirectBinding(t, successLogoutResponseXML, "testdata/ca.key", "testdata/ca.crt")
+		// Replace part of the SAMLResponse value to simulate tampering.
+		u = strings.Replace(u, "SAMLResponse=", "SAMLResponse=AAAA", 1)
+		req := httptest.NewRequest(http.MethodGet, u, nil)
+		if err := conn.HandleLogoutCallback(context.Background(), req); err == nil {
+			t.Error("expected error for tampered payload")
+		}
+	})
+}
+
 func TestSLOEndToEnd(t *testing.T) {
 	c := Config{
 		CA:                                 "testdata/ca.crt",

connector/saml/types.go

@@ -306,6 +306,7 @@ type logoutResponse struct {
 	ID           string      `xml:"ID,attr"`
 	InResponseTo string      `xml:"InResponseTo,attr,omitempty"`
 	Version      samlVersion `xml:"Version,attr"`
+	IssueInstant xmlTime     `xml:"IssueInstant,attr,omitempty"`
 	Destination  string      `xml:"Destination,attr,omitempty"`
 
 	Issuer *issuer `xml:"Issuer,omitempty"`