russellhaering · erka · Sep 16, 2021
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -15,3 +15,10 @@ jobs:
           go-version: ${{ matrix.go }}
       - name: Test
         run: go test ./...
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
diff --git a/build_logout_response.go b/build_logout_response.go
@@ -77,7 +77,10 @@ func (sp *SAMLServiceProvider) BuildLogoutResponseDocumentNoSig(status string, r
 }
 
 func (sp *SAMLServiceProvider) SignLogoutResponse(el *etree.Element) (*etree.Element, error) {
-	ctx := sp.SigningContext()
+	ctx, err := sp.SigningContext()
+	if err != nil {
+		return nil, err
+	}
 
 	sig, err := ctx.ConstructSignature(el, true)
 	if err != nil {

diff --git a/build_request.go b/build_request.go
@@ -108,7 +108,10 @@ func (sp *SAMLServiceProvider) BuildAuthRequestDocumentNoSig() (*etree.Document,
 //
 // [1] https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd
 func (sp *SAMLServiceProvider) SignAuthnRequest(el *etree.Element) (*etree.Element, error) {
-	ctx := sp.SigningContext()
+	ctx, err := sp.SigningContext()
+	if err != nil {
+		return nil, err
+	}
 
 	sig, err := ctx.ConstructSignature(el, true)
 	if err != nil {
@@ -173,7 +176,10 @@ func (sp *SAMLServiceProvider) buildAuthURLFromDocument(relayState, binding stri
 
 	if sp.SignAuthnRequests && binding == BindingHttpRedirect {
 		// Sign URL encoded query (see Section 3.4.4.1 DEFLATE Encoding of saml-bindings-2.0-os.pdf)
-		ctx := sp.SigningContext()
+		ctx, err := sp.SigningContext()
+		if err != nil {
+			return "", err
+		}
 		qs.Add("SigAlg", ctx.GetSignatureMethodIdentifier())
 		var rawSignature []byte
 		if rawSignature, err = ctx.SignString(signatureInputString(qs.Get("SAMLRequest"), qs.Get("RelayState"), qs.Get("SigAlg"))); err != nil {
@@ -356,7 +362,10 @@ func (sp *SAMLServiceProvider) buildLogoutRequest(includeSig bool, nameID string
 }
 
 func (sp *SAMLServiceProvider) SignLogoutRequest(el *etree.Element) (*etree.Element, error) {
-	ctx := sp.SigningContext()
+	ctx, err := sp.SigningContext()
+	if err != nil {
+		return nil, err
+	}
 
 	sig, err := ctx.ConstructSignature(el, true)
 	if err != nil {
@@ -486,7 +495,11 @@ func (sp *SAMLServiceProvider) buildLogoutURLFromDocument(relayState, binding st
 
 	if binding == BindingHttpRedirect {
 		// Sign URL encoded query (see Section 3.4.4.1 DEFLATE Encoding of saml-bindings-2.0-os.pdf)
-		ctx := sp.SigningContext()
+		ctx, err := sp.SigningContext()
+		if err != nil {
+			return "", err
+		}
+
 		qs.Add("SigAlg", ctx.GetSignatureMethodIdentifier())
 		var rawSignature []byte
 		//qs.Encode() sorts the keys (See https://golang.org/pkg/net/url/#Values.Encode).

diff --git a/build_request_test.go b/build_request_test.go
@@ -45,10 +45,10 @@ func TestRedirect(t *testing.T) {
 	}
 
 	require.NoError(t, sp.AuthRedirect(w, r, "foobar"))
-	require.Len(t, w.HeaderMap, 1, "wrong number of headers was set")
+	require.Len(t, w.Header(), 1, "wrong number of headers was set")
 	require.Equal(t, http.StatusFound, w.Code, "wrong http status was set")
 
-	u, err := url.Parse(w.HeaderMap.Get("Location"))
+	u, err := url.Parse(w.Header().Get("Location"))
 	require.NoError(t, err, "invalid url used for redirect")
 
 	require.Equal(t, "idp.test", u.Host)

diff --git a/providertests/oktadev_test.go b/providertests/oktadev_test.go
@@ -1,11 +1,11 @@
 // Copyright 2016 Russell Haering et al.
-// 
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     https://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,8 +20,8 @@ import (
 	"time"
 
 	"github.com/jonboulle/clockwork"
-	"github.com/russellhaering/gosaml2"
-	"github.com/russellhaering/goxmldsig"
+	saml2 "github.com/russellhaering/gosaml2"
+	dsig "github.com/russellhaering/goxmldsig"
 )
 
 var oktaScenarioErrors = map[int]string{

diff --git a/providertests/onelogin_test.go b/providertests/onelogin_test.go
@@ -1,11 +1,11 @@
 // Copyright 2016 Russell Haering et al.
-// 
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     https://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/russellhaering/gosaml2"
+	saml2 "github.com/russellhaering/gosaml2"
 )
 
 var oneLoginScenarioErrors = map[int]string{

diff --git a/providertests/pingfed_test.go b/providertests/pingfed_test.go
@@ -1,11 +1,11 @@
 // Copyright 2016 Russell Haering et al.
-// 
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     https://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/russellhaering/gosaml2"
+	saml2 "github.com/russellhaering/gosaml2"
 )
 
 var pingFedScenarioErrors = map[int]string{

diff --git a/providertests/providers_test.go b/providertests/providers_test.go
@@ -1,11 +1,11 @@
 // Copyright 2016 Russell Haering et al.
-// 
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     https://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,8 +19,8 @@ import (
 	"time"
 
 	"github.com/jonboulle/clockwork"
-	"github.com/russellhaering/gosaml2"
-	"github.com/russellhaering/goxmldsig"
+	saml2 "github.com/russellhaering/gosaml2"
+	dsig "github.com/russellhaering/goxmldsig"
 )
 
 func TestValidateResponses(t *testing.T) {
@@ -108,7 +108,7 @@ func TestValidateResponses(t *testing.T) {
 				AudienceURI:                 "{audience}",
 				SkipSignatureValidation:     false,
 				AllowMissingAttributes:      true,
-				Clock: dsig.NewFakeClock(clockwork.NewFakeClockAt(time.Date(2017, 3, 8, 7, 51, 0, 0, time.UTC))),
+				Clock:                       dsig.NewFakeClock(clockwork.NewFakeClockAt(time.Date(2017, 3, 8, 7, 51, 0, 0, time.UTC))),
 			},
 		},
 		{
@@ -122,7 +122,7 @@ func TestValidateResponses(t *testing.T) {
 				AudienceURI:                 "JSAuth",
 				SkipSignatureValidation:     false,
 				AllowMissingAttributes:      true,
-				Clock: dsig.NewFakeClock(clockwork.NewFakeClockAt(time.Date(2016, 12, 12, 16, 55, 0, 0, time.UTC))),
+				Clock:                       dsig.NewFakeClock(clockwork.NewFakeClockAt(time.Date(2016, 12, 12, 16, 55, 0, 0, time.UTC))),
 			},
 		},
 	}

diff --git a/providertests/utils.go b/providertests/utils.go
@@ -1,11 +1,11 @@
 // Copyright 2016 Russell Haering et al.
-// 
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     https://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -27,17 +27,17 @@ import (
 	"time"
 
 	"github.com/jonboulle/clockwork"
-	"github.com/russellhaering/gosaml2"
+	saml2 "github.com/russellhaering/gosaml2"
 	"github.com/russellhaering/gosaml2/types"
-	"github.com/russellhaering/goxmldsig"
+	dsig "github.com/russellhaering/goxmldsig"
 	"github.com/stretchr/testify/require"
 )
 
 func scenarioIndexes(errs map[int]string, warns map[int]scenarioWarnings) (idxs []int) {
-	for idx, _ := range errs {
+	for idx := range errs {
 		idxs = append(idxs, idx)
 	}
-	for idx, _ := range warns {
+	for idx := range warns {
 		idxs = append(idxs, idx)
 	}
 	sort.Ints(idxs)
@@ -150,8 +150,16 @@ func spAtTime(template *saml2.SAMLServiceProvider, atTime time.Time, rawResp str
 		panic(fmt.Errorf("cannot parse Response XML: %v", err))
 	}
 
-	var sp saml2.SAMLServiceProvider
-	sp = *template // copy most fields template, we only set the clock below
+	sp := saml2.SAMLServiceProvider{
+		IdentityProviderSSOURL:      template.IdentityProviderSSOURL,
+		IdentityProviderIssuer:      template.IdentityProviderIssuer,
+		AssertionConsumerServiceURL: template.AssertionConsumerServiceURL,
+		AudienceURI:                 template.AudienceURI,
+		IDPCertificateStore:         template.IDPCertificateStore,
+		SPKeyStore:                  template.SPKeyStore,
+		SPSigningKeyStore:           template.SPSigningKeyStore,
+		ValidateEncryptionCert:      template.ValidateEncryptionCert,
+	} // copy most fields template, we only set the clock below
 	if atTime.IsZero() {
 		// Prefer more official Assertion IssueInstant over Response IssueIntant
 		// (Assertion will be signed, either individually or as part of Response)

diff --git a/saml.go b/saml.go
@@ -253,25 +253,28 @@ func (sp *SAMLServiceProvider) GetSigningCertBytes() ([]byte, error) {
 	}
 }
 
-func (sp *SAMLServiceProvider) SigningContext() *dsig.SigningContext {
+func (sp *SAMLServiceProvider) SigningContext() (*dsig.SigningContext, error) {
 	sp.signingContextMu.RLock()
 	signingContext := sp.signingContext
 	sp.signingContextMu.RUnlock()
 
 	if signingContext != nil {
-		return signingContext
+		return signingContext, nil
 	}
 
 	sp.signingContextMu.Lock()
 	defer sp.signingContextMu.Unlock()
 
 	sp.signingContext = dsig.NewDefaultSigningContext(sp.GetSigningKey())
-	sp.signingContext.SetSignatureMethod(sp.SignAuthnRequestsAlgorithm)
+	err := sp.signingContext.SetSignatureMethod(sp.SignAuthnRequestsAlgorithm)
+	if err != nil {
+		return nil, err
+	}
 	if sp.SignAuthnRequestsCanonicalizer != nil {
 		sp.signingContext.Canonicalizer = sp.SignAuthnRequestsCanonicalizer
 	}
 
-	return sp.signingContext
+	return sp.signingContext, nil
 }
 
 type ProxyRestriction struct {

diff --git a/saml_test.go b/saml_test.go
@@ -55,7 +55,9 @@ func TestDecode(t *testing.T) {
 	}
 	decoded := make([]byte, len(f))
 
-	base64.StdEncoding.Decode(decoded, f)
+	_, err = base64.StdEncoding.Decode(decoded, f)
+	require.NoError(t, err)
+
 	response := &types.Response{}
 
 	err = xml.Unmarshal(decoded, response)
@@ -86,7 +88,7 @@ func TestDecode(t *testing.T) {
 
 	expected := &types.Assertion{}
 	err = xml.Unmarshal(f2, expected)
-
+	require.NoError(t, err)
 	require.EqualValues(t, expected, assertion, "decrypted assertion did not match expectation")
 }
 
@@ -103,8 +105,9 @@ func signResponse(t *testing.T, resp string, sp *SAMLServiceProvider) string {
 		parent := sig.Parent()
 		parent.RemoveChild(sig)
 	}
-
-	el, err = sp.SigningContext().SignEnveloped(el)
+	signingCtx, err := sp.SigningContext()
+	require.NoError(t, err)
+	el, err = signingCtx.SignEnveloped(el)
 	require.NoError(t, err)
 
 	doc0 := etree.NewDocument()
@@ -129,7 +132,7 @@ func TestSAML(t *testing.T) {
 
 	randomKeyStore := dsig.RandomKeyStoreForTest()
 	_, _cert, err := randomKeyStore.GetKeyPair()
-
+	require.NoError(t, err)
 	cert0, err := x509.ParseCertificate(_cert)
 	require.NoError(t, err)
 	require.NotEmpty(t, cert0)
@@ -147,6 +150,7 @@ func TestSAML(t *testing.T) {
 		IDPCertificateStore:         &certStore,
 		SPKeyStore:                  randomKeyStore,
 		NameIdFormat:                NameIdFormatPersistent,
+		SignAuthnRequestsAlgorithm:  dsig.RSASHA1SignatureMethod,
 	}
 
 	authRequestURL, err := sp.BuildAuthURL("/some/link/here")
@@ -309,9 +313,10 @@ func TestInvalidResponseBadXML(t *testing.T) {
 	compressor, err := flate.NewWriter(compressed, flate.BestCompression)
 	require.NoError(t, err)
 
-	compressor.Write([]byte(">Definitely&Invalid XML"))
-	compressor.Close()
-
+	_, err = compressor.Write([]byte(">Definitely&Invalid XML"))
+	require.NoError(t, err)
+	err = compressor.Close()
+	require.NoError(t, err)
 	b64Response := base64.StdEncoding.EncodeToString(compressed.Bytes())
 
 	response, err := sp.ValidateEncodedResponse(b64Response)