Commit 8e07117
lib/saml/kit/authentication_request.rb
@@ -1,9 +1,15 @@
module Saml
module Kit
class AuthenticationRequest
+ include ActiveModel::Validations
+ validates_presence_of :content
+ validate :must_have_valid_signature
+
+ attr_reader :content
+
def initialize(xml)
- @xml = xml
- @hash = Hash.from_xml(@xml)
+ @content = xml
+ @hash = Hash.from_xml(@content)
end
def id
@@ -19,15 +25,27 @@ module Saml
end
def to_xml
- @xml
+ @content
end
def response_for(user)
Response::Builder.new(user, self).build
end
- def valid?
- true
+ private
+
+ def must_have_valid_signature
+ return if to_xml.blank?
+
+ xml = Saml::Kit::Xml.new(to_xml)
+ xml.valid?
+ xml.errors.each do |error|
+ errors[:metadata] << error
+ end
+ end
+
+ def error_message(key)
+ I18n.translate(key, scope: "saml/kit.errors.#{descriptor_name}")
end
class Builder
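Review bot: `must_have_valid_signature` throws away the boolean from `xml.valid?` and relies solely on `xml.errors` being populated, then files those errors under `errors[:metadata]` even though the attribute this class declares and validates is `content`, so a caller checking `errors[:content]` sees nothing; use the declared attribute, e.g. `errors.add(:content, error)` inside the loop (`errors[:attr] <<` is also deprecated in newer ActiveModel). Nothing visible shows whether `Saml::Kit::Xml#valid?` treats an unsigned document as invalid or verifies the signer against a trusted certificate rather than the one embedded in the document; if it only checks that a present signature is self-consistent, stripping the `Signature` element bypasses it, so this validator should explicitly reject documents without a signature. `error_message` calls `descriptor_name`, which is not defined anywhere in the visible class; confirm it exists or drop the unused helper. Separately, `Hash.from_xml` in `initialize` (first hunk) raises `REXML::ParseException` on malformed input before `valid?` can run, so a tampered-but-not-well-formed request surfaces as an exception rather than an invalid object, which callers may not be rescuing.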
spec/saml/authentication_request_spec.rb
@@ -18,18 +18,6 @@ RSpec.describe Saml::Kit::AuthenticationRequest do
it { expect(subject.id).to eql("_#{id}") }
it { expect(subject.acs_url).to eql(acs_url) }
-<<-EXAMPLE
-<samlp:AuthnRequest
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24"
- Version="2.0"
- IssueInstant="2014-07-16T23:52:45Z"
- AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
- <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
- <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
-</samlp:AuthnRequest>
-EXAMPLE
describe "#to_xml" do
subject { described_class::Builder.new(configuration) }
let(:configuration) do
@@ -53,4 +41,21 @@ EXAMPLE
expect(result['AuthnRequest']['NameIDPolicy']['Format']).to eql("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
end
end
+
+ describe "#valid?" do
+ it 'is valid when left untampered' do
+ expect(described_class.new(raw_xml)).to be_valid
+ end
+
+ it 'is invalid if the document has been tampered with' do
+ raw_xml.gsub!(issuer, 'corrupt')
+ subject = described_class.new(raw_xml)
+ expect(subject).to_not be_valid
+ puts subject.errors.full_messages.inspect
+ end
+
+ it 'is invalid when blank' do
+ expect(described_class.new('')).to be_invalid
+ end
+ end
end
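Review bot: The tamper example leaves debugging output in the test at `puts subject.errors.full_messages.inspect`; replace it with an assertion that pins which validation fired, e.g. `expect(subject.errors[:content]).to_not be_empty` (using whichever key the validator actually writes to), so a regression where the wrong check fails is caught instead of printed. The suite also has no example for an unsigned document or one signed with a different key, which are the cases a signature validator most needs to reject; altering the Issuer only proves the existing signature no longer matches its content. `raw_xml` and `issuer` are defined outside this hunk, so I cannot tell from here whether `raw_xml` is a signed document or how the signing key is provided.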