Changes based on integrating with ADFS, Azure, and PingOne

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: gitsubmodule
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

.github/workflows/build-publish.yml

@@ -0,0 +1,60 @@
+# Run on master branch builds.  Tags a release with v{semver}
+name: CI-Go-Publish
+permissions:
+  contents: write
+  id-token: write
+
+on:
+  push:
+    branches:
+      - master
+      - main
+
+jobs:
+  go-build-publish:
+    name: go build publish
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.head_ref }}
+        fetch-depth: 0
+    - name: Install xmlsec1
+      run: sudo apt-get install -y libxmlsec1 && sudo apt-get install xmlsec1
+    - name: Go Build
+      run: |
+        echo "machine github.com login machine-parsable password ${{ secrets.GH_PAT_MACHINE_PARSABLE }}" > ~/.netrc
+        git fetch --tags
+        go build -v -o bin/events
+    - name: Go Test
+      run: go test -v -race ./...
+    - name: Git Version
+      id: version
+      uses: codacy/[email protected]
+      with:
+        release-branch: master
+        prefix: v
+    - name: Tag
+      id: tag
+      run: |
+        truncated_version=$(echo ${{ steps.version.outputs.version }} | awk -F- '{print $1}')
+        echo previous tag ${{ steps.version.outputs.previous-version }}
+        git config --global user.email "[email protected]"
+        git config --global user.name "machine-parsable"
+        git tag -a -m "${truncated_version}" ${truncated_version}
+        git push --tags
+        echo "new_tag=${truncated_version}" >> $GITHUB_OUTPUT
+    - name: Checkout common-actions repo
+      uses: actions/checkout@v4
+      with:
+        repository: parsable/common-actions
+        path: ./common-actions
+        token: ${{ secrets.GH_PAT_MACHINE_PARSABLE }}
+        ref: v1.0.1
+    - name: Release
+      uses: ./common-actions/release-with-changelog
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        tag: ${{ steps.tag.outputs.new_tag }}

.github/workflows/ci-test.yml

@@ -0,0 +1,28 @@
+# Run on branch builds
+name: CI-Go-Tests
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  push:
+    branches-ignore:
+      - master
+      - main
+
+jobs:
+  go-build-test:
+    name: go build test
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Install xmlsec1
+      run: sudo apt-get install -y libxmlsec1 && sudo apt-get install xmlsec1
+    - name: Go Build
+      run: |
+        echo "machine github.com login machine-parsable password ${{ secrets.GH_PAT_MACHINE_PARSABLE }}" > ~/.netrc
+        go build -v -o bin/events
+    - name: Go Test
+      run: go test -v -race ./...

.github/workflows/stale-actions.yaml

@@ -0,0 +1,26 @@
+name: "Mark or close stale issues and PRs"
+on:
+  schedule:
+    - cron: "0 10 * * 1-5"
+
+jobs:
+  stale:
+    name: "Check for stale PRs"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v8
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # Staling issues and PR's
+          days-before-stale: 15
+          stale-pr-label: stale
+          stale-pr-message: |
+            This PR has been automatically marked as stale because it has been open 15 days
+            with no activity. Remove stale label and comment on this PR or it will be closed
+            in 3 days. Setting this PR to draft will also prevent it from being closed.
+          exempt-all-milestones: true
+          exempt-draft-pr: true
+          # Time is up after 18 days
+          days-before-pr-close: 18
+          delete-branch: true
+          close-pr-message: "This PR was closed because it has been stalled for 18 days with no activity."

.gitleaks.toml

@@ -0,0 +1,52 @@
+[allowlist]
+  regexes = ['''-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEA6KPw06lqMicl0dCvoReKcOKgZGiy9IG2yqIih/u8L3cxzjTq
+BQXxeTUI9NjOCScnjkOvoR2FeEI7VBuNczH9V6B/1OhMv6FEZLgiSQhoVvQMg/gO
+Fj+GEuAIP7je6ND957o+4SYqXn2NQc5oNp/PYhw3KR78Ck7VVmWHY+g4G8IfWR/U
+IkUUafhmR17u51vlQmTNJhPvao8SuDMPihAw+iyIEjgM0S1i8lJm9isL3Pvg4cA7
+SKE4VR2KDXeEpPY+v+Adw5j2vN4v9XWSshWjAg1J+/ouiocCFmxn4OrkDDPBul8x
+eFeceWoJoPAytuFV7N8m9ZTiFHMzVauGR5AKXOI8B1ol53Gm/PFJwzxu6VZvO8IW
+jIIVjcK2ALf/0BCJxMZMYzYVsMTRZXpYP/G/X1LHR+fBXmYmfpjZ8AAl54IJmRBP
+pVF+RYfJe/W5HvnZ0GyQIUH4vjoZjZapnPqLigz2KpNPyAvav904OuRI/TIqvdfC
+AL0AFbZcMMKeiOf9NgGuYqmaMwU1F2KlhP6l4sZaVodrT+ZY3nIBms7sOfLRo9vp
+10vQwPcFYBlAJeMSRTv7PHpp2udpUj88L3K+o/gTIn1x69FgSBHE27c14cVKXwui
+AteMnzzn/IOFiioINVqtx+HRohNdcuunHmHodUWZVl6vyRLSdRVS6BquKi8CAwEA
+AQKCAgBFa0YdotwRgyUB6ue9hizFapq525Qq6doFtUPgl/mboFG4WonKXe+kX3MA
+vQEeMhTXmtL5nLmLHRhfDKm0yiHy1+3NNlRQimrCMz/n0x5vc/uYFZj+go4ba8aK
+XTwG9PYPA8Bnpt/VullAXbszMZTMjebX2msTGFsIoNs5sL2tasu36IuAfmSNCpZa
+jbV0TDOpEDM3PZOflHndhT8Jz7MNs+QWq6sHcCeqb3RR2J59npuIQbhu/8yzeVEM
+m7F1GBW5Y8L97tMRoKtm72KKyXIO1rBRBGKG66pvzoFg2DacfYU9e9JjOqFyiXW+
+FG7Nq4fcWuphNcAQoh+bXMeA6zZr11ZXuvEbrQcqrCyAkKOuIHJ3rmT34bVNzdw4
+rxWp/IX7WvjOXpzo18vQiTZOqtVgHjWNq7q0S5MeYJLJtSKr5CqpGMnRyjnTMYZ4
+xB5fHbeoklb+s33kaeuVfI8q1F8DDwoYGuYyoUe61K55R9UU0MRvCLtaIsOzk03E
+EM7tWgguX2tFpXU2YvmvCv8mMROguDKQwivdUGdBTip7O0EiDKEBP+nlOOVGCeKV
+oDU9OqeOLZu+7QJx3b/ygnoIfcL6yJ0OrcMK8GLMyZ0WkULhs9OotekPCthKPx8D
+pNRVcCGX4HPTaXsCB/HbkyFEdbfgsBJoqpG5aNinrbJepsx24QKCAQEA+hSc6aWH
+v/buELwdPi6OT1SW/9a5AZC9/gVzmO5fhO7hrFxIKopa+BH0Qo46v3BJKg+8QE8a
+CKAzxvRq2yPPKu4thyFIoGqAwOonCitRhfnABA0rdZfgm5IWyTlQAhWHIPMkT4Nw
+RhvYx2W35PWIAzfMMCZfIzgZDb0+4C+f/QeilAcMzBmqQMC5x9akThny3b3gyMLU
+2y4ta3COyC+aaQ32WR5rO+dJSYZSXHXdlsq1B1X3Ft3k3AzdmAlw6Mj6iiE7BDLC
+x/PjLhXU8tXMO3iKfSDGnlMew7vqjpwYuEQ3O+6cExu1ISjDkmLFL7JvzNalNFad
+tqFpAkOntEu66wKCAQEA7iWlzTlw10ySyWt/mLenRAvSxisCLJ5e8C0j/JU4zZUG
+K/LPmTGyoRGlnooWW0F8bagMPU2CH4j9U9hLfphqCneqiPxf4p38p/TtawPxNwvP
+I3N/5d8CEOOGZ5XM2H7rpWmCTGhqUMobVmula/J5WSMD6fjnUd0O8jmUVNu+Otgk
+lQ+goRc8Q268h2fCrtji7M89LwUQbh/Ugj/d7LU5GBkOa/nM5WnSYWfPpsKrybrN
+WYkyohoWZt3x0es7DzqdtKLmBd6lqrq2hFwHkvqDudF07BsQSu6OkQhtb5jusHTE
+ptc1Dvrkr8JiT4Q8aPpL88WP9G+iFaHhoU0xGEV0zQKCAQAI4Sh9J1J9n2/uii9j
+oNWOvYsrBF3HT3NfjKQBHx2nI7BBpXkugYEfY8vPfSta1srSQoLFqclb2wxbmRwe
+MdROSuy06pqgj4eI0geW1djsL+UAf9M2NrFT9Mj4Vh+gI1GL+vYkGJ+o7Z4x3ku8
+RneQ3a9TWllwb7J8CWctIKPGoTnFlcZ/jL291NoD3XwyBbvY4cAUgM58BdS5BuMa
++o26AzPnECxwkRLKGIneHJVEoGfzHbtLRY+1vIM1vcgTi+dRdkKZMJA391Hutfm8
+sZix1+La9In43yyteIOokqRSDqIDb8J87zPsPH1NOlKUEfrkRA7Tn+uzq2GGIg7X
+WQUHAoIBACv528In50R6qWh0Z12GHGceX8+kRYSDwjhLvad4zsJ30GnxLpC1cqz3
+m0PJcBNt5lJBg/EWDP9RxqXi/R3lez9vlZgyMmqgjfVd7zGhyrtFfPyo6WdDZRhF
+S555NRiNZ2pmL194sJk2mRG+Uw+5+NqS8rgT9HNThN0J8PAym9A19ZtpBVp59fDl
+0/6VFIhBGLZuFnhGUSBk1FMxBAQf+ukOR3F88W8zuVuvVdMPg7V+v0jXYvg4JQbd
+2TfQXlmTk2e15RAUazc5v1Z1wBhOFmEL4rFu1fVgVAdILR08emcvSNkeSHf5sJ0c
+IhdY7ebcwYXEZ67VpnKkMAwfOv+mY8kCggEBAMBe/O4JlLGYgqz/I/z7pfHYSr1S
+emIKJWyUbRUaFnrZ2JNJrsgGpXiMtPJygAIBpzGl54jxXn559HCuq4fx9sZmYPl7
+yUXFHPxRMmMOCtDELUHqkNwtLOk0MNhl76vJWszhH5NHom7zmi+QycRx9dH7jfxB
+ZFm6o6VHSEGOmuedgyDxeUVucLn628NzLxSrU6ZTgHJGLFkZrkKxLqDk8n4bI54F
+1Myc8ayl84XWneJSUcN2CO/Og2Oxqqs9roxw2x/HOGvhhunut8p+VzU56Y9rSd7c
+7jcjgDa7JwUJ+Je0tdOnV+K+jx8ogPtBKquc04kS/H9XpjiTldxZeFLQEC0=
+-----END RSA PRIVATE KEY-----''']

authnrequest.go

@@ -21,7 +21,7 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/RobotsAndPencils/go-saml/util"
+	"github.com/parsable/go-saml/util"
 )
 
 func ParseCompressedEncodedRequest(b64RequestXML string) (*AuthnRequest, error) {
@@ -82,10 +82,13 @@ func (r *AuthnRequest) Validate(publicCertPath string) error {
 
 // GetSignedAuthnRequest returns a singed XML document that represents a AuthnRequest SAML document
 func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest {
-	r := NewAuthnRequest()
+	r := NewAuthnRequestCustom(s.SPSignRequest)
 	r.AssertionConsumerServiceURL = s.AssertionConsumerServiceURL
 	r.Issuer.Url = s.IDPSSODescriptorURL
-	r.Signature.KeyInfo.X509Data.X509Certificate.Cert = s.PublicCert()
+	if s.SPSignRequest {
+		r.Signature[0].KeyInfo.X509Data.X509Certificate.Cert = s.PublicCert()
+		r.Destination = s.IDPSSOURL
+	}
 
 	return r
 }
@@ -105,14 +108,17 @@ func GetAuthnRequestURL(baseURL string, b64XML string, state string) (string, er
 }
 
 func NewAuthnRequest() *AuthnRequest {
+	return NewAuthnRequestCustom(true)
+}
+
+func NewAuthnRequestCustom(sign bool) *AuthnRequest {
 	id := util.ID()
-	return &AuthnRequest{
+	authReq := &AuthnRequest{
 		XMLName: xml.Name{
 			Local: "samlp:AuthnRequest",
 		},
 		SAMLP:                       "urn:oasis:names:tc:SAML:2.0:protocol",
 		SAML:                        "urn:oasis:names:tc:SAML:2.0:assertion",
-		SAMLSIG:                     "http://www.w3.org/2000/09/xmldsig#",
 		ID:                          id,
 		ProtocolBinding:             "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 		Version:                     "2.0",
@@ -122,31 +128,33 @@ func NewAuthnRequest() *AuthnRequest {
 				Local: "saml:Issuer",
 			},
 			Url:  "", // caller must populate ar.AppSettings.Issuer
-			SAML: "urn:oasis:names:tc:SAML:2.0:assertion",
 		},
-		IssueInstant: time.Now().UTC().Format(time.RFC3339Nano),
-		NameIDPolicy: NameIDPolicy{
+		IssueInstant: time.Now().UTC().Format(time.RFC3339),
+		NameIDPolicy: &NameIDPolicy{
 			XMLName: xml.Name{
 				Local: "samlp:NameIDPolicy",
 			},
 			AllowCreate: true,
-			Format:      "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+			Format:      "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
 		},
-		RequestedAuthnContext: RequestedAuthnContext{
+		RequestedAuthnContext: &RequestedAuthnContext{
 			XMLName: xml.Name{
 				Local: "samlp:RequestedAuthnContext",
 			},
-			SAMLP:      "urn:oasis:names:tc:SAML:2.0:protocol",
 			Comparison: "exact",
 			AuthnContextClassRef: AuthnContextClassRef{
 				XMLName: xml.Name{
 					Local: "saml:AuthnContextClassRef",
 				},
-				SAML:      "urn:oasis:names:tc:SAML:2.0:assertion",
 				Transport: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
 			},
 		},
-		Signature: Signature{
+	}
+
+	if sign {
+		authReq.SAMLSIG = "http://www.w3.org/2000/09/xmldsig#"
+		authReq.Signature = make([]Signature, 1, 1)
+		authReq.Signature[0] = Signature{
 			XMLName: xml.Name{
 				Local: "samlsig:Signature",
 			},
@@ -165,7 +173,7 @@ func NewAuthnRequest() *AuthnRequest {
 					XMLName: xml.Name{
 						Local: "samlsig:SignatureMethod",
 					},
-					Algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+					Algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 				},
 				SamlsigReference: SamlsigReference{
 					XMLName: xml.Name{
@@ -176,18 +184,26 @@ func NewAuthnRequest() *AuthnRequest {
 						XMLName: xml.Name{
 							Local: "samlsig:Transforms",
 						},
-						Transform: Transform{
-							XMLName: xml.Name{
-								Local: "samlsig:Transform",
+						Transforms: []Transform{
+							{
+								XMLName: xml.Name{
+									Local: "samlsig:Transform",
+								},
+								Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+							},
+							{
+								XMLName: xml.Name{
+									Local: "samlsig:Transform",
+								},
+								Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#",
 							},
-							Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
 						},
 					},
 					DigestMethod: DigestMethod{
 						XMLName: xml.Name{
 							Local: "samlsig:DigestMethod",
 						},
-						Algorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
+						Algorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
 					},
 					DigestValue: DigestValue{
 						XMLName: xml.Name{
@@ -217,12 +233,13 @@ func NewAuthnRequest() *AuthnRequest {
 					},
 				},
 			},
-		},
+		}
 	}
+	return authReq
 }
 
 func (r *AuthnRequest) String() (string, error) {
-	b, err := xml.MarshalIndent(r, "", "    ")
+	b, err := xml.Marshal(r)
 	if err != nil {
 		return "", err
 	}