Commit 0d95185

mo <mo@mokhan.ca>
2017-11-20 23:35:56
handle error from responder.
1 parent 6387059
lib/saml/kit/locales/en.yml
@@ -14,12 +14,13 @@ en:
       LogoutResponse:
         unregistered: "is unregistered."
       Response:
-        invalid: "must contain Response."
-        unregistered: "must originate from registered identity provider."
         expired: "must not be expired."
-        invalid_version: "must be 2.0."
+        invalid: "must contain Response."
+        invalid_fingerprint: "does not match."
         invalid_response_to: "must match request id."
+        invalid_version: "must be 2.0."
         must_match_issuer: "must match entityId."
+        unregistered: "must originate from registered identity provider."
       SPSSODescriptor:
         invalid: "must contain SPSSODescriptor."
         invalid_signature: "invalid signature."
lib/saml/kit/respondable.rb
@@ -21,6 +21,10 @@ module Saml
         to_h.fetch(name, {}).fetch('InResponseTo', nil)
       end
 
+      def success?
+        Namespaces::SUCCESS == status_code
+      end
+
       private
 
       def must_match_request_id
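Review bot: The new `success?` predicate is undocumented, and the case callers will lean on is the one it handles implicitly: `status_code` is defined outside this hunk, and if it returns nil when the Status element is absent, the comparison yields false, so a response with no StatusCode reads as a failure rather than as malformed. A short comment above the method would pin that down for the validators that now branch on it, e.g. `# True only when the top-level StatusCode Value equals Namespaces::SUCCESS; a missing Status yields false, not nil.` If `status_code` can return something other than a String, the comment should say so, since a `==` against the constant would then never match.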
lib/saml/kit/response.rb
@@ -46,11 +46,13 @@ module Saml
 
       def must_be_active_session
         return unless expected_type?
+        return unless success?
         errors[:base] << error_message(:expired) unless active?
       end
 
       def must_match_issuer
         return unless expected_type?
+        return unless success?
 
         unless audiences.include?(Saml::Kit.configuration.issuer)
           errors[:audience] << error_message(:must_match_issuer)
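Review bot: The two added `return unless success?` guards make every non-success response skip the session-expiry and audience checks, but nothing in this commit records the non-success status itself as an error, so such a response is rejected only if some other validation (not visible here) happens to fail; a Response whose Status element is missing, or that carries a responder error, would otherwise pass both checks silently. Safer is to make the status an explicit validation, following the existing `errors[:base] << error_message(:expired)` pattern with a status-specific message key, and keep these guards only to avoid piling redundant errors onto an already-failed response. The body of `must_match_issuer` continues past the end of the hunk.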
spec/saml/response_spec.rb
@@ -209,6 +209,24 @@ RSpec.describe Saml::Kit::Response do
       expect(subject).to be_invalid
       expect(subject.errors[:audience]).to be_present
     end
+
+    it 'is invalid' do
+      now = Time.now.utc
+      destination = FFaker::Internet.http_url
+      raw_xml = <<-XML
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="#{Saml::Kit::Namespaces::PROTOCOL}" ID="_#{SecureRandom.uuid}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{destination}" Consent="#{Saml::Kit::Namespaces::UNSPECIFIED}" InResponseTo="#{request.id}">
+  <Issuer xmlns="#{Saml::Kit::Namespaces::ASSERTION}">#{request.issuer}</Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="#{Saml::Kit::Namespaces::RESPONDER_ERROR}"/>
+  </samlp:Status>
+</samlp:Response>
+      XML
+
+      allow(registry).to receive(:metadata_for).with(request.issuer).and_return(metadata)
+      subject = described_class.new(raw_xml)
+      expect(subject).to be_invalid
+    end
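Review bot: The new example asserts only `be_invalid`, which does not show that the responder-error status is what made the response invalid: the fixture carries no Signature and no Assertion, so a different validation could be the reason and the example would still pass. Assert on the specific error the status should produce (the other examples here check `subject.errors[:audience]`, so a matching `expect(subject.errors[:base])` or a message check would fit) and name the example after the condition, e.g. `it 'is invalid when the status code is a responder error' do`. The local `subject = described_class.new(raw_xml)` also shadows RSpec's `subject` used by the neighbouring examples; `response = described_class.new(raw_xml)` avoids the ambiguity.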
   end
 
   describe described_class::Builder do