Separated functional tests from unit tests and added extra validation

auth0 · Jun 14, 2017 · 556c8c9 · 556c8c9
1 parent 2b9ab19
commit 556c8c9
Show file tree

Hide file tree

Showing 3 changed files with 232 additions and 451 deletions.
diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js
@@ -93,12 +93,20 @@ SAML.prototype.validateSignature = function (xml, options, callback) {
     return callback(new Error('Signature check errors: ' + sig.validationErrors));
   }
 
+  var uri = sig.references && sig.references[0].uri; // might not be 0 - depending on the document you verify
+  var id = (uri[0] === '#') ? uri.substring(1) : uri;
+
+  // xml.documentElement is for SAMLResponses (the root ekement). We use the xml part when we are not passing the root element (SAML Assertion)
+  var element = xml.documentElement || xml;
+  if (element.getAttribute('ID') != id && element.getAttribute('Id') != id && element.getAttribute('id') != id && element.getAttribute('AssertionID') != id){
+    return callback(new Error('The ' + element.nodeName + ' element was not the one verified by the signature'));
+  }
+
   if (options.cert) {
     return callback();
   }
 
   if (options.thumbprints) {
-
     var valid_thumbprint = options.thumbprints.some(function (thumbprint) {
       return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase();
     });