Commit 7a8c95a
Changed files (2)
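--- a/lib/saml/kit/builders/assertion.rb
+++ b/lib/saml/kit/builders/assertion.rb
@@ -50,16 +50,17 @@ module Saml
 end
 def subject_confirmation_data_options
-options = { NotOnOrAfter: not_on_or_after }
-options[:Recipient] = destination if destination.present?
+options = { }
 options[:InResponseTo] = request.id if request.present?
+options[:NotOnOrAfter] = (not_on_or_after - 1.second).iso8601
+options[:Recipient] = destination if destination.present?
 options
 end
 def conditions_options
 {
 NotBefore: now.utc.iso8601,
-NotOnOrAfter: not_on_or_after,
+NotOnOrAfter: not_on_or_after.iso8601,
 }
 end
@@ -67,7 +68,6 @@ module Saml
 {
 AuthnInstant: now.iso8601,
 SessionIndex: reference_id,
-SessionNotOnOrAfter: not_on_or_after,
 }
 end
@@ -76,7 +76,7 @@ module Saml
 end
 def not_on_or_after
-configuration.session_timeout.since(now).utc.iso8601
+configuration.session_timeout.since(now).utc
 end
 end
 end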
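Review bot: The `NotOnOrAfter` values built in `subject_confirmation_data_options` and `conditions_options` are still derived from `configuration.session_timeout`, which the spec in this commit pins at three hours, so a captured bearer assertion stays acceptable for that whole window and each service provider has to hold its replay cache just as long. Session lifetime is what the removed `SessionNotOnOrAfter` expressed; the assertion's own validity is normally a matter of minutes. I would derive both from a separate short lifetime, e.g. `NotOnOrAfter: (now.utc + <assertion_lifetime>).iso8601`, where `<assertion_lifetime>` is a placeholder for a new setting, and keep `session_timeout` for the session attribute only. The `- 1.second` offset also needs a one-line comment stating why the confirmation data must expire before the conditions. `now` and `configuration` are defined outside these hunks, so the effective default is not visible here.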
spec/saml/kit/builders/response_spec.rb
@@ -76,7 +76,7 @@ RSpec.describe Saml::Kit::Builders::Response do
expect(hash['Response']['Assertion']['Subject']['NameID']).to eql(user.name_id)
expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['Method']).to eql('urn:oasis:names:tc:SAML:2.0:cm:bearer')
- expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['NotOnOrAfter']).to eql(3.hours.from_now.utc.iso8601)
+ expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['NotOnOrAfter']).to eql((3.hours.from_now.utc - 1.second).iso8601)
expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['Recipient']).to eql(assertion_consumer_service_url)
expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['InResponseTo']).to eql(request.id)
@@ -85,7 +85,6 @@ RSpec.describe Saml::Kit::Builders::Response do
expect(hash['Response']['Assertion']['Conditions']['AudienceRestriction']['Audience']).to eql(request.issuer)
expect(hash['Response']['Assertion']['AuthnStatement']['AuthnInstant']).to eql(Time.now.utc.iso8601)
- expect(hash['Response']['Assertion']['AuthnStatement']['SessionNotOnOrAfter']).to eql(3.hours.from_now.utc.iso8601)
expect(hash['Response']['Assertion']['AuthnStatement']['SessionIndex']).to eql(hash['Response']['Assertion']['ID'])
expect(hash['Response']['Assertion']['AuthnStatement']['AuthnContext']['AuthnContextClassRef']).to eql('urn:oasis:names:tc:SAML:2.0:ac:classes:Password')