Commit c7e192e
Changed files (2)
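--- a/lib/saml/kit/response.rb
+++ b/lib/saml/kit/response.rb
@@ -16,6 +16,7 @@ module Saml
 validate :must_be_successful
 validate :must_match_request_id
 validate :must_be_active_session
+validate :must_match_issuer
 def initialize(xml, request_id: nil)
 @content = xml
@@ -160,6 +161,20 @@ module Saml
 errors[:base] << error_message(:expired) unless active?
 end
+def must_match_issuer
+return unless login_response?
+
+unless audiences.include?(Saml::Kit.configuration.issuer)
+errors[:base] << error_message(:expired)
+end
+end
+
+def audiences
+Array(@xml_hash[name]['Assertion']['Conditions']['AudienceRestriction']['Audience'])
+rescue
+[]
+end
+
 def login_response?
 return false if to_xml.blank?
 @xml_hash[name].present?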
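Review bot: `must_match_issuer` records an audience mismatch with `error_message(:expired)`, so in `errors[:base]` a response addressed to a different audience is indistinguishable from a stale one, which hinders triage of rejected assertions; give the check its own key with a matching locale entry, e.g. `errors[:base] << error_message(:invalid_audience)` (constructed key — add the translation alongside). The bare `rescue` in `audiences` folds every StandardError into `[]` — a NoMethodError from a missing `Conditions` node, but presumably also a TypeError when the parser represents repeated `AudienceRestriction` elements, which SAML permits, as an array — so such responses are rejected (the safe default) but for a hidden reason; if `@xml_hash` is a plain Hash, `Array(@xml_hash.dig(name, 'Assertion', 'Conditions', 'AudienceRestriction', 'Audience'))` covers the missing-node case without rescuing anything, and the multi-restriction case still needs explicit handling. The exact-string `include?` comparison against the configured issuer is the right strictness for an audience check and should not be relaxed to prefix or case-insensitive matching. `login_response?` continues past the end of the hunk.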
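--- a/spec/saml/response_spec.rb
+++ b/spec/saml/response_spec.rb
@@ -147,6 +147,7 @@ RSpec.describe Saml::Kit::Response do
 before :each do
 allow(Saml::Kit.configuration).to receive(:registry).and_return(registry)
+allow(Saml::Kit.configuration).to receive(:issuer).and_return(request.issuer)
 end
 it 'is valid' do
@@ -239,5 +240,15 @@ RSpec.describe Saml::Kit::Response do
 travel_to 5.seconds.ago
 expect(subject).to_not be_valid
 end
+
+it 'is invalid when the audience does not match the expected issuer' do
+allow(registry).to receive(:metadata_for).and_return(metadata)
+allow(metadata).to receive(:matches?).and_return(true)
+
+allow(Saml::Kit.configuration).to receive(:issuer).and_return(FFaker::Internet.http_url)
+allow(request).to receive(:issuer).and_return(FFaker::Internet.http_url)
+subject = described_class.new(builder.to_xml)
+expect(subject).to_not be_valid
+end
 end
 end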
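Review bot: The new example asserts only `to_not be_valid`, which would also pass if the response were rejected for an unrelated reason, so it does not prove the audience check is what fired; once `must_match_issuer` has its own message, assert on it as well, e.g. `expect(subject.errors[:base]).to include(<the audience message>)` — placeholder, use whatever the validator emits (with the `:expired` message reused as in this commit, `errors[:base]` cannot currently distinguish the two causes). The two `FFaker::Internet.http_url` values are drawn independently, so the configured issuer and the request issuer can coincide in rare runs and the example would then fail for the wrong reason; deriving one from the other, e.g. `"#{request.issuer}/other"`, removes that nondeterminism. Whether the later `allow(request)` stub influences the XML that `builder.to_xml` produces depends on how `builder` and `request` are wired in the `let` blocks above this hunk, which are outside it, and the enclosing `RSpec.describe` block starts outside the hunk as well.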