add validation to only allow one validateSignature option at one time

hashicorp · Dec 16, 2024 · cd6c290 · cd6c290
1 parent d857fba
commit cd6c290
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/saml/response.go b/saml/response.go
@@ -133,6 +133,8 @@ func (sp *ServiceProvider) ParseResponse(
 		return nil, fmt.Errorf("%s: missing request ID: %w", op, ErrInvalidParameter)
 	case opts.skipSignatureValidation && callValidateSignature:
 		return nil, fmt.Errorf("%s: option `skip signature validation` cannot be true with any validate signature option : %w", op, ErrInvalidParameter)
+	case multipleSignatureOptionEnabled(opts.validateResponseAndAssertionSignatures, opts.validateResponseSignature, opts.validateAssertionSignature):
+		return nil, fmt.Errorf("%s: only one validate signature option can be set: %w", op, ErrInvalidParameter)
 	}
 
 	// We use github.com/russellhaering/gosaml2 for SAMLResponse signature and condition validation.
@@ -316,3 +318,10 @@ func validateSignature(response *core.Response, op string, opts parseResponseOpt
 
 	return nil
 }
+
+func multipleSignatureOptionEnabled(a bool, b bool, c bool) bool {
+	if (a && b) || (b && c) || (a && c) {
+		return true
+	}
+	return false
+}
diff --git a/saml/response_test.go b/saml/response_test.go
@@ -108,6 +108,14 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 			requestID:       testRequestId,
 			wantErrContains: "response and/or assertions must be signed",
 		},
+		{
+			name:            "err-multiple-validate-signature-options",
+			sp:              testSp,
+			samlResp:        base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t))),
+			opts:            []saml.Option{saml.ValidateResponseAndAssertionSignatures(), saml.ValidateResponseSignature()},
+			requestID:       testRequestId,
+			wantErrContains: "only one validate signature option can be set",
+		},
 		{
 			name:            "error-invalid-signature - with option of validate both signatures & with only response signed",
 			sp:              testSp,