diff --git a/saml/response.go b/saml/response.go
index 984e593..76353f2 100644
--- a/saml/response.go
+++ b/saml/response.go
@@ -79,7 +79,7 @@ func InsecureSkipSignatureValidation() Option {
 }
 }
 
-// ValidateResponseAndAssertionSignatures enables validation of both the SAML response and its assertions.
+// ValidateResponseAndAssertionSignatures enables signature validation for both the SAML response and its assertions.
 func ValidateResponseAndAssertionSignatures() Option {
 return func(o interface{}) {
 if o, ok := o.(*parseResponseOptions); ok {
@@ -88,7 +88,7 @@ func ValidateResponseAndAssertionSignatures() Option {
 }
 }
 
-// ValidateAssertionSignature enables validation of just the SAML response.
+// ValidateResponseSignature enables signature validation for just the SAML response.
 func ValidateResponseSignature() Option {
 return func(o interface{}) {
 if o, ok := o.(*parseResponseOptions); ok {
@@ -97,7 +97,7 @@ func ValidateResponseSignature() Option {
 }
 }
 
-// ValidateAssertionSignature enables validation of just the SAML assertion.
+// ValidateAssertionSignature enables signature validation for just the SAML assertion.
 func ValidateAssertionSignature() Option {
 return func(o interface{}) {
 if o, ok := o.(*parseResponseOptions); ok {
@@ -191,8 +191,8 @@ func (sp *ServiceProvider) ParseResponse(
 samlResponse := core.Response{Response: *response}
 if callValidateSignature {
 // func ip.ValidateEncodedResponse(...) above only requires either `response or all its `assertions` are signed,
- // but does not require both. The validateSignature function will validate either response or assertion is signeed
- // or both depending on the the parse response options given.
+ // but does not require both. The validateSignature function will validate either response or assertion is signed
+ // or both depending on the parse response options given.
 if err := validateSignature(&samlResponse, op, opts); err != nil {
 return nil, err
 }
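Review bot: The new doc comments on ValidateResponseSignature (hunk at 88) and ValidateAssertionSignature (hunk at 97) say which element is checked but not which element is deliberately left unchecked, and that is the part a caller choosing between the three options needs. Going by the ParseResponse comment in the hunk at 191 (ip.ValidateEncodedResponse requires either the response or all assertions to be signed, not both) and the unsigned-assertion branch in validateSignature, it looks like ValidateResponseSignature accepts assertions that carry no signature of their own and ValidateAssertionSignature accepts an unsigned response envelope; please confirm against the option bodies, which continue outside the hunk. I would add to ValidateResponseSignature `// Assertions are not required to carry their own signature when this option is used.`, the mirror sentence `// The enclosing response element is not required to be signed when this option is used.` to ValidateAssertionSignature, and a pointer on both that ValidateResponseAndAssertionSignatures is the strict choice.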
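Review bot: The context line directly above the corrected lines in the hunk at 191 still has an unbalanced backtick: the one before `response` is never closed, so the comment reads as if the quoted term ran on into "or all its". Since this commit is already fixing typos in the same comment, closing it here would be consistent, i.e. the line should read "... requires either `response` or all its `assertions` are signed,". ParseResponse starts and ends outside the hunk.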
@@ -299,7 +299,7 @@ func validateSignature(response *core.Response, op string, opts parseResponseOpt
 if !assert.SignatureValidated {
 // note: at one time func ip.ValidateEncodedResponse(...) above allows all signed or all unsigned
 // assertions, and will give error if there is a mix of both. We are still looping on all assertions
- // instead of retrieving value for one assertion, so we do not depend on dependency implementation.
+ // instead of retrieving signature for one assertion, so we do not depend on dependency implementation.
 if opts.validateAssertionSignature || opts.validateResponseAndAssertionSignatures {
 return fmt.Errorf("%s: %w", op, ErrInvalidSignature)
 }
diff --git a/saml/response_test.go b/saml/response_test.go
index d1c43c2..c45b693 100644
--- a/saml/response_test.go
+++ b/saml/response_test.go
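Review bot: The `if !assert.SignatureValidated` check only runs for assertions that are present, so if the assertion list can be empty the loop the comment describes never executes and ValidateAssertionSignature or ValidateResponseAndAssertionSignatures would pass without any assertion signature having been verified. validateSignature starts outside the hunk, so such a guard may already exist further up; if it does not, an explicit check before the loop that returns `fmt.Errorf("%s: %w", op, ErrInvalidSignature)` when an assertion-signature option is set and no assertions are present would close that gap. Separately, the reworded comment keeps "at one time", which leaves unclear whether the all-signed/all-unsigned rule of ip.ValidateEncodedResponse is still relied on; stating the behaviour this loop currently depends on, e.g. `// we check every assertion ourselves rather than relying on the dependency's all-or-nothing rule`, would make the intent self-contained.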
@@ -80,21 +80,21 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 requestID: testRequestId,
 },
 {
- name: "success for option validate both signatures - with both response and assertion signed",
+ name: "success - with option validate both signatures and with both response and assertion signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithResponseAndAssertionSigned()))),
 opts: []saml.Option{saml.ValidateResponseAndAssertionSignatures()},
 requestID: testRequestId,
 },
 {
- name: "success for option validate response signature - with only response signed",
+ name: "success - with option validate response signature and with only response signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustResponseElemSigned()))),
 opts: []saml.Option{saml.ValidateResponseSignature()},
 requestID: testRequestId,
 },
 {
- name: "success for option validate assertion signature - with only assertion signed",
+ name: "success - with option validate assertion signature and with only assertion signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustAssertionElemSigned()))),
 opts: []saml.Option{saml.ValidateAssertionSignature()},
@@ -109,7 +109,7 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 wantErrContains: "response and/or assertions must be signed",
 },
 {
- name: "error-invalid-signature for option validate both signatures - with just response signed",
+ name: "error-invalid-signature - with option validate both signatures and with just response signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustResponseElemSigned()))),
 opts: []saml.Option{saml.ValidateResponseAndAssertionSignatures()},
@@ -117,7 +117,7 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 wantErrContains: "invalid signature",
 },
 {
- name: "error-invalid-signature for option validate both signatures - with just assertion signed",
+ name: "error-invalid-signature - with option validate both signatures and with just assertion signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustAssertionElemSigned()))),
 opts: []saml.Option{saml.ValidateResponseAndAssertionSignatures()},
@@ -125,7 +125,7 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 wantErrContains: "invalid signature",
 },
 {
- name: "error-invalid-signature for option validate response signature - with just assertion signed",
+ name: "error-invalid-signature - with option validate response signature and with just assertion signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustAssertionElemSigned()))),
 opts: []saml.Option{saml.ValidateResponseSignature()},
@@ -133,7 +133,7 @@ func TestServiceProvider_ParseResponse(t *testing.T) {
 wantErrContains: "invalid signature",
 },
 {
- name: "error-invalid-signature for option validate assertion signature - with just response signed",
+ name: "error-invalid-signature -with option validate assertion signature and with just response signed",
 sp: testSp,
 samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t, testprovider.WithJustResponseElemSigned()))),
 opts: []saml.Option{saml.ValidateAssertionSignature()},
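Review bot: The renamed case in the hunk at 133 drops the space after the dash, `"error-invalid-signature -with option validate assertion signature and with just response signed"`, while every other renamed case in this file uses `" - with option ..."`. Restoring it as `"error-invalid-signature - with option validate assertion signature and with just response signed"` keeps the subtest names uniform and the `go test -run` patterns that select them predictable. The table this case belongs to starts and ends outside the hunk.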