clerk · dominic-clerk · Feb 22, 2025 · Apr 12, 2025 · Apr 12, 2025 · Apr 12, 2025
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,8 +10,11 @@ jobs:
   golangci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v7
         with:
-          version: v1.54.2
+          version: v2.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,10 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.19.x', '1.20.x', '1.21.x']
+        go: [ '1.22.x', '1.23.x', '1.24.x']
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
+      - run: go version
       - run: go test -v ./...
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,72 +1,70 @@
-# Configuration file for golangci-lint
-#
-# https://github.com/golangci/golangci-lint
-#
-# fighting with false positives?
-# https://github.com/golangci/golangci-lint#nolint
-
+version: "2"
 linters:
   enable:
-    - bodyclose # checks whether HTTP response body is closed successfully [fast: false, auto-fix: false]
-    - errcheck # Inspects source code for security problems [fast: true, auto-fix: false]
-    - gocritic # The most opinionated Go source code linter [fast: true, auto-fix: false]
-    - gocyclo # Computes and checks the cyclomatic complexity of functions [fast: true, auto-fix: false]
-    - gofmt # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification [fast: true, auto-fix: true]
-    - goimports # Goimports does everything that gofmt does. Additionally it checks unused imports [fast: true, auto-fix: true]
-    - gosec # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: true, auto-fix: false]
-    - gosimple # Linter for Go source code that specializes in simplifying a code [fast: false, auto-fix: false]
-    - govet # Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: false, auto-fix: false]
-    - ineffassign # Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
-    - misspell # Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
-    - nakedret # Finds naked returns in functions greater than a specified function length [fast: true, auto-fix: false]
-    - prealloc # Finds slice declarations that could potentially be preallocated [fast: true, auto-fix: false]
-    - revive # Golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes [fast: true, auto-fix: false]
-    - staticcheck # Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: false, auto-fix: false]
-    - stylecheck # Stylecheck is a replacement for golint [fast: false, auto-fix: false]
-    - typecheck # Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
-    - unconvert # Remove unnecessary type conversions [fast: true, auto-fix: false]
-    - unparam # Reports unused function parameters [fast: false, auto-fix: false]
-    - unused # Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
-
+    - bodyclose
+    - gocritic
+    - gocyclo
+    - gosec
+    - misspell
+    - nakedret
+    - prealloc
+    - revive
+    - staticcheck
+    - unconvert
+    - unparam
   disable:
     # TODO(ross): fix errors reported by these checkers and enable them
-    - dupl # Tool for code clone detection [fast: true, auto-fix: false]
-    - gochecknoglobals # Checks that no globals are present in Go code [fast: true, auto-fix: false]
-    - gochecknoinits # Checks that no init functions are present in Go code [fast: true, auto-fix: false]
-    - goconst # Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
-    - lll # Reports long lines [fast: true, auto-fix: false]
-    - depguard # Go linter that checks if package imports are in a list of acceptable packages [fast: true, auto-fix: false]
-linters-settings:
-  goimports:
-    local-prefixes: github.com/crewjam/saml
-  govet:
-    disable:
-      - shadow
-    enable:
-      - asmdecl
-      - assign
-      - atomic
-      - bools
-      - buildtag
-      - cgocall
-      - composites
-      - copylocks
-      - errorsas
-      - httpresponse
-      - loopclosure
-      - lostcancel
-      - nilfunc
-      - printf
-      - shift
-      - stdmethods
-      - structtag
-      - tests
-      - unmarshal
-      - unreachable
-      - unsafeptr
-      - unusedresult
-issues:
-  exclude-use-default: false
-  exclude:
-    - G104 # 'Errors unhandled. (gosec)
-
+    - depguard
+    - dupl
+    - gochecknoglobals
+    - gochecknoinits
+    - goconst
+    - lll
+  settings:
+    govet:
+      enable:
+        - asmdecl
+        - assign
+        - atomic
+        - bools
+        - buildtag
+        - cgocall
+        - composites
+        - copylocks
+        - errorsas
+        - httpresponse
+        - loopclosure
+        - lostcancel
+        - nilfunc
+        - printf
+        - shift
+        - stdmethods
+        - structtag
+        - tests
+        - unmarshal
+        - unreachable
+        - unsafeptr
+        - unusedresult
+      disable:
+        - shadow
+  exclusions:
+    generated: lax
+    rules:
+      - path: (.+)\.go$
+        text: G104 # 'Errors unhandled. (gosec)
+    paths:
+      - example/.*\.go$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/clerk/saml
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @crewjam
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![](https://godoc.org/github.com/crewjam/saml?status.svg)](http://godoc.org/github.com/crewjam/saml)
 
-![Build Status](https://github.com/crewjam/saml/workflows/Presubmit/badge.svg)
+![Build Status](https://github.com/crewjam/saml/actions/workflows/test.yml/badge.svg)
 
 Package saml contains a partial implementation of the SAML standard in golang.
 SAML is a standard for identity federation, i.e. either allowing a third party to authenticate your users or allowing third parties to rely on us to authenticate their users.
@@ -130,7 +130,7 @@ The SAML standard is huge and complex with many dark corners and strange, unused
 
 This package supports the **Web SSO** profile. Message flows from the service provider to the IDP are supported using the **HTTP Redirect** binding and the **HTTP POST** binding. Message flows from the IDP to the service provider are supported via the **HTTP POST** binding.
 
-The package can produce signed SAML assertions, and can validate both signed and encrypted SAML assertions. It does not support signed or encrypted requests.
+The package can produce signed SAML assertions, and can validate both signed and encrypted SAML assertions.
 
 ## RelayState
 

diff --git a/example/idp/idp.go b/example/idp/idp.go
@@ -6,9 +6,9 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"flag"
+	"net/http"
 	"net/url"
 
-	"github.com/zenazn/goji"
 	"golang.org/x/crypto/bcrypt"
 
 	"github.com/clerk/saml/logger"
@@ -118,6 +118,5 @@ func main() {
 		logr.Fatalf("%s", err)
 	}
 
-	goji.Handle("/*", idpServer)
-	goji.Serve()
+	http.ListenAndServe(":8080", idpServer)
 }
diff --git a/example/service.go b/example/service.go
@@ -7,18 +7,14 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/xml"
 	"flag"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 
-	"github.com/dchest/uniuri"
-	"github.com/kr/pretty"
-	"github.com/zenazn/goji"
-	"github.com/zenazn/goji/web"
-
 	"github.com/clerk/saml/samlsp"
 )
 
@@ -32,10 +28,16 @@ type Link struct {
 }
 
 // CreateLink handles requests to create links
-func CreateLink(_ web.C, w http.ResponseWriter, r *http.Request) {
+func CreateLink(w http.ResponseWriter, r *http.Request) {
 	account := r.Header.Get("X-Remote-User")
+
+	randomness := make([]byte, 8)
+	if _, err := r.Body.Read(randomness); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
 	l := Link{
-		ShortLink: uniuri.New(),
+		ShortLink: base64.RawURLEncoding.EncodeToString(randomness),
 		Target:    r.FormValue("t"),
 		Owner:     account,
 	}
@@ -45,7 +47,7 @@ func CreateLink(_ web.C, w http.ResponseWriter, r *http.Request) {
 }
 
 // ServeLink handles requests to redirect to a link
-func ServeLink(_ web.C, w http.ResponseWriter, r *http.Request) {
+func ServeLink(w http.ResponseWriter, r *http.Request) {
 	l, ok := links[strings.TrimPrefix(r.URL.Path, "/")]
 	if !ok {
 		http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
@@ -55,7 +57,7 @@ func ServeLink(_ web.C, w http.ResponseWriter, r *http.Request) {
 }
 
 // ListLinks returns a list of the current user's links
-func ListLinks(_ web.C, w http.ResponseWriter, r *http.Request) {
+func ListLinks(w http.ResponseWriter, r *http.Request) {
 	account := r.Header.Get("X-Remote-User")
 	for _, l := range links {
 		if l.Owner == account {
@@ -64,6 +66,27 @@ func ListLinks(_ web.C, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// ServeWhoami serves the basic whoami endpoint
+func ServeWhoami(w http.ResponseWriter, r *http.Request) {
+	w.Header().Add("Content-Type", "text/plain")
+
+	session := samlsp.SessionFromContext(r.Context())
+	if session == nil {
+		fmt.Fprintln(w, "not signed in")
+		return
+	}
+	fmt.Fprintln(w, "signed in")
+	sessionWithAttrs, ok := session.(samlsp.SessionWithAttributes)
+	if ok {
+		fmt.Fprintln(w, "attributes:")
+		for name, values := range sessionWithAttrs.GetAttributes() {
+			for _, value := range values {
+				fmt.Fprintf(w, "%s: %v\n", name, value)
+			}
+		}
+	}
+}
+
 var (
 	key = []byte(`-----BEGIN RSA PRIVATE KEY-----
 MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
@@ -140,11 +163,9 @@ func main() {
 
 	// register with the service provider
 	spMetadataBuf, _ := xml.MarshalIndent(samlSP.ServiceProvider.Metadata(), "", "  ")
-
 	spURL := *idpMetadataURL
 	spURL.Path = "/services/sp"
 	resp, err := http.Post(spURL.String(), "text/xml", bytes.NewReader(spMetadataBuf))
-
 	if err != nil {
 		panic(err)
 	}
@@ -153,20 +174,12 @@ func main() {
 		panic(err)
 	}
 
-	goji.Handle("/saml/*", samlSP)
-
-	authMux := web.New()
-	authMux.Use(samlSP.RequireAccount)
-	authMux.Get("/whoami", func(w http.ResponseWriter, r *http.Request) {
-		if _, err := pretty.Fprintf(w, "%# v", r); err != nil {
-			panic(err)
-		}
-	})
-	authMux.Post("/", CreateLink)
-	authMux.Get("/", ListLinks)
-
-	goji.Handle("/*", authMux)
-	goji.Get("/:link", ServeLink)
+	mux := http.NewServeMux()
+	mux.Handle("GET /saml/", samlSP)
+	mux.HandleFunc("GET /{link}", ServeLink)
+	mux.Handle("GET /whoami", samlSP.RequireAccount(http.HandlerFunc(ServeWhoami)))
+	mux.Handle("POST /", samlSP.RequireAccount(http.HandlerFunc(CreateLink)))
+	mux.Handle("GET /", samlSP.RequireAccount(http.HandlerFunc(ListLinks)))
 
-	goji.Serve()
+	http.ListenAndServe(":8080", mux)
 }
diff --git a/go.mod b/go.mod
@@ -3,26 +3,17 @@ module github.com/clerk/saml
 go 1.23.0
 
 require (
-	github.com/beevik/etree v1.2.0
-	github.com/crewjam/httperr v0.2.0
-	github.com/dchest/uniuri v1.2.0
-	github.com/golang-jwt/jwt/v4 v4.5.2
-	github.com/google/go-cmp v0.6.0
-	github.com/kr/pretty v0.3.1
+	github.com/beevik/etree v1.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/google/go-cmp v0.7.0
 	github.com/mattermost/xml-roundtrip-validator v0.1.0
 	github.com/russellhaering/goxmldsig v1.4.0
-	github.com/stretchr/testify v1.8.4
-	github.com/zenazn/goji v1.0.1
 	golang.org/x/crypto v0.35.0
 	gotest.tools v2.2.0+incompatible
 )
 
 require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
 )