Commit 49e9596
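--- a/lib/saml/kit/response.rb
+++ b/lib/saml/kit/response.rb
@@ -5,7 +5,7 @@ module Saml
 include ActiveModel::Validations
 include XsdValidatable
-attr_reader :content, :name
+attr_reader :content, :name, :request_id
 validates_presence_of :content
 validates_presence_of :id
 validate :must_have_valid_signature
@@ -14,17 +14,23 @@ module Saml
 validate :must_match_xsd
 validate :must_be_valid_version
 validate :must_be_successful
+validate :must_match_request_id
-def initialize(xml)
+def initialize(xml, request_id: nil)
 @content = xml
 @xml_hash = Hash.from_xml(xml) || {}
 @name = 'Response'
+@request_id = request_id
 end
 def id
 @xml_hash.dig(name, 'ID')
 end
+def in_response_to
+@xml_hash.dig(name, 'InResponseTo')
+end
+
 def name_id
 @xml_hash.dig(name, 'Assertion', 'Subject', 'NameID')
 end
@@ -124,6 +130,14 @@ module Saml
 errors[:base] << error_message(:invalid)
 end
+def must_match_request_id
+return if request_id.nil?
+
+if in_response_to != request_id
+errors[:base] << error_message(:invalid)
+end
+end
+
 def login_response?
 return false if to_xml.blank?
 @xml_hash[name].present?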
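Review bot: `must_match_request_id` compares only the top-level `Response/@InResponseTo`; the `InResponseTo` that SAML also places on the assertion's `SubjectConfirmationData` is not checked here, so an assertion from another exchange could still pass if the envelope carries the expected id — worth confirming that is covered elsewhere or extending this check. Because the validation is skipped whenever `request_id` is nil, callers must pass the ID of the AuthnRequest they issued or unsolicited responses are accepted without comment; a doc comment on `initialize` such as `# @param request_id [String, nil] ID of the AuthnRequest this response must answer; when nil, InResponseTo is not validated` would make that contract explicit. The mismatch is reported with the same generic `error_message(:invalid)` as the other validators, so a rejected login cannot be told apart from a malformed document in `errors`; a dedicated message key would help diagnosis. The enclosing class continues outside the hunks.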
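--- a/spec/saml/response_spec.rb
+++ b/spec/saml/response_spec.rb
@@ -215,5 +215,11 @@ RSpec.describe Saml::Kit::Response do
 builder.status_code = Saml::Kit::Namespaces::REQUESTER_ERROR
 expect(described_class.new(builder.to_xml)).to_not be_valid
 end
+
+it 'validates the InResponseTo' do
+allow(registry).to receive(:metadata_for).and_return(metadata)
+allow(metadata).to receive(:matches?).and_return(true)
+expect(described_class.new(builder.to_xml, request_id: SecureRandom.uuid)).to_not be_valid
+end
 end
 end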
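Review bot: The new example only exercises the mismatch path — a fresh `SecureRandom.uuid` that the builder's response cannot contain — so an implementation that rejects every `request_id` would still pass this spec. A companion example in which the builder's `InResponseTo` is set to the same id that is passed as `request_id:` and the response is expected `to be_valid` is needed to pin the positive case; how the builder sets `InResponseTo` is not visible in this hunk, so that example presumably needs an extra builder assignment. It would also be worth a third example asserting that `described_class.new(builder.to_xml)` with no `request_id:` stays valid, documenting that the check is opt-in. The `it` block sits inside a describe that starts outside the hunk.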