Commit 26f3010
Changed files (4)
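--- a/lib/saml/kit/http_redirect_binding.rb
+++ b/lib/saml/kit/http_redirect_binding.rb
@@ -17,6 +17,7 @@ module Saml
 def deserialize(params)
 document = deserialize_document_from!(params)
 ensure_valid_signature!(params, document)
+document.signature_verified!
 document
 end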
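Review bot: `document.signature_verified!` on the added line runs whenever `ensure_valid_signature!` returns, so if that helper treats an absent `Signature` query parameter as nothing to check (its body is outside the hunk), the document is flagged as verified and its XML signature and fingerprint validations are skipped although no signature was examined at all. The flag should only be set when a query-string signature was actually checked against the registered certificate, for example by having `ensure_valid_signature!` return whether it verified one and writing `document.signature_verified! if ensure_valid_signature!(params, document)`, or at minimum by stating the invariant on the call: `# the redirect binding has already checked the query-string signature against the registered provider; skip the XML signature/trust validations`. The spec added in this commit ('when a signature is missing') expects the result of this path to be valid, so the intended contract is worth making explicit here. `deserialize` begins on the hunk's first line and its closing `end` is the hunk's last visible line.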
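--- a/lib/saml/kit/trustable.rb
+++ b/lib/saml/kit/trustable.rb
@@ -4,8 +4,9 @@ module Saml
 extend ActiveSupport::Concern
 included do
-validate :must_have_valid_signature
+validate :must_have_valid_signature, unless: :signature_manually_verified
 validate :must_be_registered
+validate :must_be_trusted, unless: :signature_manually_verified
 end
 def certificate
@@ -19,7 +20,7 @@ module Saml
 end
 def signed?
-to_h[name]['Signature'].present?
+to_h.fetch(name, {}).fetch('Signature', nil).present?
 end
 def trusted?
@@ -36,8 +37,14 @@ module Saml
 Saml::Kit.configuration.registry
 end
+def signature_verified!
+@signature_manually_verified = true
+end
+
 private
+attr_reader :signature_manually_verified
+
 def must_have_valid_signature
 return if to_xml.blank?
@@ -50,10 +57,11 @@ module Saml
 def must_be_registered
 return unless expected_type?
-if provider.nil?
-errors[:provider] << error_message(:unregistered)
-return
-end
+return if provider.present?
+errors[:provider] << error_message(:unregistered)
+end
+
+def must_be_trusted
 return if trusted?
 errors[:fingerprint] << error_message(:invalid_fingerprint)
 end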
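Review bot: `signature_verified!` in the third hunk is a public, argument-less method that sets a flag which, through the `unless: :signature_manually_verified` options in the first hunk, switches off both `must_have_valid_signature` and `must_be_trusted` for the rest of the document's life, so any caller holding the document can make unsigned or untrusted content report `valid?`, and nothing records what was checked or by whom. Document the contract on the method, e.g. `# Marks the document as authenticated by the transport (an HTTP-Redirect query-string signature checked against the registered certificate); call only after such a check, as it disables the XML signature and fingerprint validations.`, and note that `must_be_registered` deliberately carries no `unless:` so an unknown issuer is still rejected. Separately, `must_be_trusted` in the last hunk now runs even when `provider` is nil, so an unregistered issuer will likely collect both `:unregistered` and `:invalid_fingerprint` unless `trusted?` (outside the hunk) already copes with a missing provider; a guard `return if provider.nil?` at the top of `must_be_trusted` would keep the error list as it was before the split. The `Trustable` module is cut by every hunk and continues outside them.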
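--- a/spec/saml/http_redirect_binding_spec.rb
+++ b/spec/saml/http_redirect_binding_spec.rb
@@ -81,5 +81,17 @@ RSpec.describe Saml::Kit::HttpRedirectBinding do
 subject.deserialize(query_params)
 end.to raise_error(/Invalid Signature/)
 end
+
+it 'returns a signed document, when a signature is missing' do
+builder = Saml::Kit::ServiceProviderMetadata::Builder.new
+builder.add_assertion_consumer_service(FFaker::Internet.http_url, binding: :post)
+provider = builder.build
+allow(Saml::Kit.configuration.registry).to receive(:metadata_for).with(issuer).and_return(provider)
+
+url, _ = subject.serialize(Saml::Kit::AuthenticationRequest::Builder.new)
+result = subject.deserialize(query_params_from(url))
+expect(result).to be_instance_of(Saml::Kit::AuthenticationRequest)
+expect(result).to be_valid
+end
 end
 end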
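Review bot: The new example's title says 'when a signature is missing', but the URL comes from `subject.serialize`, which presumably signs the query string, and neither expectation says which signature is absent; both would also pass for a document whose XML is fully signed, so the example does not pin the behaviour the commit introduces. If the intent is that the XML carries no `Signature` element while the query string is signed, assert that on the document, e.g. `expect(result).not_to be_signed`, and reword the title accordingly. The builder registers a `:post` assertion consumer service while the subject is the redirect binding; if that choice is incidental, a one-line comment saying so would save the next reader a question.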
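--- a/spec/saml/response_spec.rb
+++ b/spec/saml/response_spec.rb
@@ -94,6 +94,7 @@ RSpec.describe Saml::Kit::Response do
 end
 it 'is invalid when blank' do
+allow(registry).to receive(:metadata_for).and_return(nil)
 subject = described_class.new("")
 expect(subject).to be_invalid
 expect(subject.errors[:content]).to be_present
@@ -109,6 +110,7 @@ RSpec.describe Saml::Kit::Response do
 end
 it 'is invalid when not a Response' do
+allow(registry).to receive(:metadata_for).and_return(nil)
 xml = Saml::Kit::IdentityProviderMetadata::Builder.new.to_xml
 subject = described_class.new(xml)
 expect(subject).to be_invalid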
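Review bot: The identical `allow(registry).to receive(:metadata_for).and_return(nil)` stub is added to two examples in this section; unless the enclosing group already has one, a shared `before { allow(registry).to receive(:metadata_for).and_return(nil) }` would avoid the repetition and make it explicit that these examples model an unregistered issuer. The stub looks to be required because `must_be_trusted` now runs independently of `must_be_registered` in `Trustable`; a short comment to that effect would keep the reason from being lost when the validations change again.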