From cd6c290855842fa9a3fd890c93aa1f95311a7c95 Mon Sep 17 00:00:00 2001
From: Hafsa Imran
Date: Mon, 16 Dec 2024 01:39:03 -0500
Subject: [PATCH] add validation to only allow one validateSignature option at one time
---
 saml/response.go | 9 +++++++++
 saml/response_test.go | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/saml/response.go b/saml/response.go
index b2208ec..ceca34b 100644
--- a/saml/response.go
+++ b/saml/response.go
@@ -133,6 +133,8 @@ func (sp *ServiceProvider) ParseResponse(
 		return nil, fmt.Errorf("%s: missing request ID: %w", op, ErrInvalidParameter)
 	case opts.skipSignatureValidation && callValidateSignature:
 		return nil, fmt.Errorf("%s: option `skip signature validation` cannot be true with any validate signature option : %w", op, ErrInvalidParameter)
+	case multipleSignatureOptionEnabled(opts.validateResponseAndAssertionSignatures, opts.validateResponseSignature, opts.validateAssertionSignature):
+		return nil, fmt.Errorf("%s: only one validate signature option can be set: %w", op, ErrInvalidParameter)
 	}
 
 	// We use github.com/russellhaering/gosaml2 for SAMLResponse signature and condition validation.
@@ -316,3 +318,10 @@ func validateSignature(response *core.Response, op string, opts parseResponseOpt
 
 	return nil
 }
+
+func multipleSignatureOptionEnabled(a bool, b bool, c bool) bool {
+	if (a && b) || (b && c) || (a && c) {
+		return true
+	}
+	return false
+}
diff --git a/saml/response_test.go b/saml/response_test.go
index 1d09a3d..8158b61 100644
--- a/saml/response_test.go
+++ b/saml/response_test.go
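Review bot: The new `multipleSignatureOptionEnabled` case carries no comment explaining why the combination is rejected, and its placement after the `opts.skipSignatureValidation && callValidateSignature` case means a caller that sets skip plus two validate options only ever sees the skip message; a one-line comment would make intent and ordering clear: `// The validate*Signature options are mutually exclusive; reject ambiguous combinations before any signature check runs.` Because the case sits in the argument switch ahead of the gosaml2 validation referenced in the context line below, an ambiguous configuration fails closed instead of silently favouring one option, which is the right outcome. The check presumably mirrors the same fields that feed `callValidateSignature`, but that value is computed outside this hunk. ParseResponse continues outside the hunk.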
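Review bot: `multipleSignatureOptionEnabled` wraps a boolean expression in `if … { return true }` followed by `return false` and has no doc comment even though it is a new top-level function; the body collapses to `return (a && b) || (b && c) || (a && c)`, preceded by `// multipleSignatureOptionEnabled reports whether more than one of the given validate-signature flags is set.` The three unnamed bools are interchangeable because the expression is symmetric, so argument order at the call site cannot matter, but that property is worth stating in the comment since the compiler cannot catch a swapped bool. If a fourth validate option is ever added the pairwise formula must be rewritten by hand; counting the set flags and comparing with 1 would not need changing.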
@@ -108,6 +108,14 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 			requestID: testRequestId,
 			wantErrContains: "response and/or assertions must be signed",
 		},
+		{
+			name: "err-multiple-validate-signature-options",
+			sp: testSp,
+			samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t))),
+			opts: []saml.Option{saml.ValidateResponseAndAssertionSignatures(), saml.ValidateResponseSignature()},
+			requestID: testRequestId,
+			wantErrContains: "only one validate signature option can be set",
+		},
 		{
 			name: "error-invalid-signature - with option of validate both signatures & with only response signed",
 			sp: testSp,
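Review bot: The new table entry exercises only the pair `saml.ValidateResponseAndAssertionSignatures()` + `saml.ValidateResponseSignature()`; the pair that includes the assertion-only option and the case where all three options are set go untested, so a regression in the `(b && c)` or `(a && c)` terms of the helper would still pass. Add sibling entries with the same fixture and `wantErrContains` for those combinations, and since `multipleSignatureOptionEnabled` is a pure function a small table test over all eight input combinations would pin it directly. The test table continues outside the hunk.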