Commit 51120aa

mo <mo.khan@gmail.com>
2017-11-10 19:46:17
Return InvalidRequest when SAML cannot be deserialized.
1 parent a687f6a
Changed files (5)
lib/saml/kit/locales/en.yml
@@ -12,6 +12,8 @@ en:
       IDPSSODescriptor:
         invalid: "must contain IDPSSODescriptor."
         invalid_signature: "invalid signature."
+      InvalidRequest:
+        invalid: "must contain valid SAMLRequest"
       Response:
         invalid: "must contain Response."
         unregistered: "must originate from registered identity provider."
lib/saml/kit/invalid_request.rb
@@ -0,0 +1,18 @@
+module Saml
+  module Kit
+    class InvalidRequest
+      include ActiveModel::Validations
+      include XsdValidatable
+      attr_reader :raw, :name
+
+      validate do |model|
+        model.errors[:base] << model.error_message(:invalid)
+      end
+
+      def initialize(raw)
+        @raw = raw
+        @name = "InvalidRequest"
+      end
+    end
+  end
+end
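Review bot: InvalidRequest stands in for an AuthenticationRequest on the return path of Request.decode but exposes none of its readers (`issuer` and friends), so a caller that reads those attributes before checking `valid?` will hit NoMethodError on undecodable input; the class carries no comment saying so. Add a header such as `# Null object returned by Request.decode when the raw SAMLRequest cannot be deserialized: it is always invalid, carries only the original :raw payload and a :name, and must be checked with valid? before any other use.` In the validate block prefer the ActiveModel API for recording errors, `model.errors.add(:base, model.error_message(:invalid))`, over appending to `errors[:base]`. `error_message` is not defined in this file; presumably it comes from XsdValidatable or another mixin, which is worth confirming since the validation depends on it.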
lib/saml/kit/request.rb
@@ -8,6 +8,8 @@ module Saml
       def self.decode(raw_request)
         request = Saml::Kit::Content.decode_raw_saml(raw_request)
         AuthenticationRequest.new(request)
+      rescue
+        InvalidRequest.new(raw_request)
       end
     end
   end
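Review bot: The bare `rescue` added on line 43 catches every StandardError raised by decode_raw_saml or AuthenticationRequest.new, not only deserialization failures, so a genuine bug in the decoder is reported to the caller as "must contain valid SAMLRequest" with the original exception discarded. Narrow it to the exception classes decode_raw_saml raises for malformed input and record the exception before returning the null object, so that repeated undecodable requests against the endpoint stay visible to whoever monitors the service rather than vanishing into a silent InvalidRequest. With the classes raised by Content not visible here I can only give the shape: `rescue => error`, a log or instrumentation call carrying `error` and the failing input, then `InvalidRequest.new(raw_request)`. decode_raw_saml and the errors it raises are outside this hunk.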
lib/saml/kit.rb
@@ -23,6 +23,7 @@ require "saml/kit/metadata"
 require "saml/kit/request"
 require "saml/kit/response"
 require "saml/kit/identity_provider_metadata"
+require "saml/kit/invalid_request"
 require "saml/kit/self_signed_certificate"
 require "saml/kit/service_provider_metadata"
 require "saml/kit/signature"
spec/saml/request_spec.rb
@@ -16,6 +16,17 @@ RSpec.describe Saml::Kit::Request do
   describe ".decode" do
     subject { described_class }
     let(:issuer) { FFaker::Internet.http_url }
+    let(:registry) { instance_double(Saml::Kit::DefaultRegistry) }
+    let(:service_provider_metadata) { instance_double(Saml::Kit::ServiceProviderMetadata) }
+
+    before :each do
+      allow(Saml::Kit.configuration).to receive(:registry).and_return(registry)
+      allow(registry).to receive(:metadata_for).and_return(service_provider_metadata)
+      allow(service_provider_metadata).to receive(:matches?).and_return(true)
+      allow(service_provider_metadata).to receive(:assertion_consumer_services).and_return([
+        { location: FFaker::Internet.http_url, binding: Saml::Kit::Namespaces::POST }
+      ])
+    end
 
     it 'decodes the raw_request' do
       builder = Saml::Kit::AuthenticationRequest::Builder.new
@@ -24,6 +35,11 @@ RSpec.describe Saml::Kit::Request do
 
       result = subject.decode(raw_saml)
       expect(result.issuer).to eql(issuer)
+      expect(result).to be_valid
+    end
+
+    it 'returns an invalid request when the raw request is corrupted' do
+      expect(subject.decode("nonsense")).to be_invalid
     end
   end
 end
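Review bot: The new example on line 84 only asserts `be_invalid`, which any object whose `valid?` returns false satisfies; it pins neither the returned type nor the message wired up in en.yml, so a regression that returned some other invalid object would pass. Suggest `result = subject.decode("nonsense")`, `expect(result).to be_a(Saml::Kit::InvalidRequest)` and `expect(result.errors[:base]).to include("must contain valid SAMLRequest")`. The registry stubs in the new `before :each` block now apply to every example in this describe, including the corrupted-request one that never reaches the registry; harmless, but a one-line comment noting they exist for the successful decode path would save the next reader from looking for a dependency that is not there.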