Commit 10356d24 authored by ale's avatar ale

Validate should ignore the ticket nonce when called with empty nonce

parent 3a27b01f
Pipeline #890 passed with stages
in 1 minute and 3 seconds
......@@ -11,18 +11,43 @@ import (
)
var (
// Errors.
ErrMissingRequiredField = errors.New("missing required field")
ErrBadNonceLength = errors.New("bad nonce length")
ErrDeserialization = errors.New("deserialization error")
// ErrMissingRequiredField is returned when a ticket does not
// contain a required field.
ErrMissingRequiredField = errors.New("missing required field")
// ErrDeserialization means that the input is not valid base64.
ErrDeserialization = errors.New("deserialization error")
// ErrUnsupportedTicketVersion is returned for unsupported
// ticket versions (either too old or too recent).
ErrUnsupportedTicketVersion = errors.New("unsupported ticket version")
ErrMessageTooShort = errors.New("encoded message too short")
ErrBadSignature = errors.New("bad signature")
ErrBadService = errors.New("service mismatch")
ErrBadDomain = errors.New("auth domain mismatch")
ErrBadNonce = errors.New("nonce mismatch")
ErrExpired = errors.New("ticket expired")
ErrUnauthorized = errors.New("unauthorized")
// ErrMessageTooShort means that the input is shorter than the
// fixed signature length + minimum ticket size.
ErrMessageTooShort = errors.New("encoded message too short")
// ErrBadSignature is returned when the signature does not
// match the given public key.
ErrBadSignature = errors.New("bad signature")
// ErrBadService is returned when validation fails due to a
// SSO service mismatch.
ErrBadService = errors.New("service mismatch")
// ErrBadDomain is returned when validation fails due to a SSO
// domain mismatch.
ErrBadDomain = errors.New("auth domain mismatch")
// ErrBadNonce is returned when validation fails due to a
// nonce mismatch.
ErrBadNonce = errors.New("nonce mismatch")
// ErrExpired means the ticket has expired.
ErrExpired = errors.New("ticket expired")
// ErrUnauthorized is returned when the user lacks the
// necessary group membership.
ErrUnauthorized = errors.New("unauthorized")
)
const (
......@@ -234,7 +259,7 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
if t.Expires.Before(time.Now()) {
return nil, ErrExpired
}
if t.Nonce != nonce {
if nonce != "" && t.Nonce != nonce {
return nil, ErrBadNonce
}
......
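Review bot: With the new condition `nonce != "" && t.Nonce != nonce` in Validate, an empty `nonce` argument switches the nonce check off entirely, so the check fails open whenever a caller's stored nonce is missing. A relying party that issued a nonce but then lost it (for example an absent session value; this is an assumption, since no callers appear in this diff) would accept any otherwise valid, unexpired ticket for the service. The opt-out is carried implicitly by a string value and is not visible at the call site, so at minimum document it on the check, e.g. `// An empty nonce skips the nonce check: callers that issued a nonce must reject a missing one before calling Validate.`, and say the same in Validate's doc comment. Validate's signature and the rest of its body lie outside this hunk, so whether callers already guard against an empty nonce cannot be confirmed from here.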