Commit 9891609
2017-11-10 21:29:05
1 parent
07d7db9
Changed files (6)
proof
app
saml-kit
lib
saml
spec
saml
proof/app/controllers/sessions_controller.rb
@@ -8,7 +8,9 @@ class SessionsController < ApplicationController
def create
if user = User.login(user_params[:email], user_params[:password])
create_session_for(user)
- post_to_service_provider(user)
+ @saml_response = @saml_request.response_for(user)
+ @relay_state = params[:RelayState]
+ render layout: nil
else
redirect_to new_session_path(saml_params), error: "Invalid Credentials"
end
@@ -25,12 +27,6 @@ class SessionsController < ApplicationController
session[:user_id] = user.id
end
- def post_to_service_provider(user)
- @saml_response = @saml_request.response_for(user)
- @relay_state = params[:RelayState]
- render template: "sessions/saml_post", layout: nil
- end
-
def saml_params(storage = params)
{
RelayState: storage[:RelayState],
proof/app/models/user.rb
@@ -13,16 +13,7 @@ class User < ApplicationRecord
end
def assertion_attributes_for(request)
- {
- id: uuid,
- email: email,
- created_at: created_at,
- access_token: access_token,
- }
- end
-
- def access_token
- BearerToken.new.encode(id: uuid)
+ request.trusted? ? trusted_attributes : {}
end
def self.login(email, password)
@@ -33,4 +24,19 @@ class User < ApplicationRecord
rescue ActiveRecord::RecordNotFound
nil
end
+
+ private
+
+ def access_token
+ BearerToken.new.encode(id: uuid)
+ end
+
+ def trusted_attributes
+ {
+ id: uuid,
+ email: email,
+ created_at: created_at,
+ access_token: access_token,
+ }
+ end
end
proof/app/views/sessions/saml_post.html.erb → proof/app/views/sessions/create.html.erb
@@ -39,7 +39,7 @@
<body onload="document.forms[0].submit();">
<div class="spinner"><svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" viewBox="0 0 25 25"><defs><style>line{fill:none;stroke:#1a1a1a;stroke-linecap:round;stroke-miterlimit:10;stroke-width:2px;}.o25{opacity:0.25;}.o85{opacity:0.85;}.o7{opacity:0.7;}.o55{opacity:0.55;}.o35{opacity:0.35;}</style></defs><line x1="12.5" y1="2" x2="12.5" y2="7.05463"/><line class="o25" x1="12.5" y1="23" x2="12.5" y2="17.94537"/><line class="o85" x1="7.25" y1="3.40674" x2="9.77942" y2="7.78778"/><line class="o25" x1="17.75" y1="21.59326" x2="15.22058" y2="17.21222"/><line class="o25" x1="17.21222" y1="15.22058" x2="21.59326" y2="17.75"/><line class="o7" x1="7.78778" y1="9.77942" x2="3.40674" y2="7.25"/><line class="o25" x1="23" y1="12.5" x2="17.94537" y2="12.5"/><line class="o55" x1="7.05463" y1="12.5" x2="2" y2="12.5"/><line class="o35" x1="7.78778" y1="15.22058" x2="3.40674" y2="17.75"/><line class="o25" x1="21.59326" y1="7.25" x2="17.21222" y2="9.77942"/><line class="o25" x1="9.77942" y1="17.21222" x2="7.25" y2="21.59326"/><line class="o25" x1="17.75" y1="3.40674" x2="15.22058" y2="7.78778"/></svg></div>
<%= form_tag(@saml_response.acs_url, style: "position: absolute; left: -10000px; top: -10000px;") do %>
- <%= hidden_field_tag("SAMLResponse", @saml_response.encode) %>
+ <%= hidden_field_tag("SAMLResponse", @saml_response.serialize) %>
<%= hidden_field_tag("RelayState", @relay_state) %>
<%= submit_tag "Submit" %>
<% end %>
saml-kit/lib/saml/kit/authentication_request.rb
@@ -60,6 +60,12 @@ module Saml
Response::Builder.new(user, self).build
end
+ def trusted?
+ return false if provider.nil?
+ return false unless signed?
+ provider.matches?(fingerprint, use: :signing)
+ end
+
private
def registered_acs_url
@@ -82,8 +88,7 @@ module Saml
errors[:service_provider] << error_message(:unregistered)
return
end
- return if provider.matches?(fingerprint, use: :signing)
-
+ return if trusted?
errors[:fingerprint] << error_message(:invalid_fingerprint)
end
saml-kit/lib/saml/kit/response.rb
@@ -68,8 +68,8 @@ module Saml
content
end
- def encode
- Base64.strict_encode64(to_xml)
+ def serialize
+ Saml::Kit::Content.encode_raw_saml(to_xml)
end
def certificate
@@ -97,8 +97,20 @@ module Saml
Time.current > started_at && !expired?
end
- def self.deserialize(saml_response)
- new(Saml::Kit::Content.decode_raw_saml(saml_response))
+ def signed?
+ @xml_hash[name]['Signature'].present?
+ end
+
+ def trusted?
+ return false if provider.nil?
+ return false unless signed?
+ provider.matches?(fingerprint, use: :signing)
+ end
+
+ class << self
+ def deserialize(saml_response)
+ new(Saml::Kit::Content.decode_raw_saml(saml_response))
+ end
end
private
@@ -129,7 +141,7 @@ module Saml
def must_be_registered
return unless login_response?
- return if provider.present? && provider.matches?(fingerprint, use: :signing)
+ return if trusted?
errors[:base] << error_message(:unregistered)
end
@@ -186,6 +198,7 @@ module Saml
attr_reader :user, :request
attr_accessor :id, :reference_id, :now
attr_accessor :version, :status_code
+ attr_accessor :issuer
def initialize(user, request)
@user = user
@@ -195,19 +208,20 @@ module Saml
@now = Time.now.utc
@version = "2.0"
@status_code = Namespaces::SUCCESS
+ @issuer = configuration.issuer
end
def to_xml
signature = Signature.new(id)
xml = ::Builder::XmlMarkup.new
xml.Response response_options do
- xml.Issuer(configuration.issuer, xmlns: Namespaces::ASSERTION)
+ xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
signature.template(xml)
xml.Status do
xml.StatusCode Value: status_code
end
xml.Assertion(assertion_options) do
- xml.Issuer configuration.issuer
+ xml.Issuer issuer
xml.Subject do
xml.NameID user.name_id_for(request), Format: request.name_id_format
xml.SubjectConfirmation Method: Namespaces::BEARER do
@@ -224,10 +238,13 @@ module Saml
xml.AuthnContextClassRef Namespaces::PASSWORD
end
end
- xml.AttributeStatement do
- user.assertion_attributes_for(request).each do |key, value|
- xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
- xml.AttributeValue value.to_s
+ assertion_attributes = user.assertion_attributes_for(request)
+ if assertion_attributes.any?
+ xml.AttributeStatement do
+ assertion_attributes.each do |key, value|
+ xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
+ xml.AttributeValue value.to_s
+ end
end
end
end
saml-kit/spec/saml/response_spec.rb
@@ -222,4 +222,20 @@ RSpec.describe Saml::Kit::Response do
expect(subject.errors[:audience]).to be_present
end
end
+
+ describe "#serialize" do
+ let(:user) { double(:user, name_id_for: SecureRandom.uuid, assertion_attributes_for: { }) }
+ let(:request) { double(id: SecureRandom.uuid, acs_url: acs_url, issuer: issuer, name_id_format: Saml::Kit::Namespaces::PERSISTENT) }
+ let(:acs_url) { FFaker::Internet.http_url }
+ let(:issuer) { FFaker::Internet.http_url }
+
+ it 'returns a compressed and base64 encoded document' do
+ builder = described_class::Builder.new(user, request)
+ xml = builder.to_xml
+ subject = described_class.new(xml)
+
+ expected_value = Base64.encode64(Zlib::Deflate.deflate(xml, 9)).gsub(/\n/, '')
+ expect(subject.serialize).to eql(expected_value)
+ end
+ end
end