Commit cff391f
Changed files (3)
lib/saml/kit/builders/assertion.rb
@@ -6,10 +6,11 @@ module Saml
include XmlTemplatable
extend Forwardable
- def_delegators :@response_builder, :embed_signature, :request, :issuer, :reference_id, :now, :configuration, :user, :version, :destination
+ def_delegators :@response_builder, :request, :issuer, :reference_id, :now, :configuration, :user, :version, :destination
- def initialize(response_builder)
+ def initialize(response_builder, embed_signature)
@response_builder = response_builder
+ self.embed_signature = embed_signature
end
def name_id_format
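Review bot: The new `initialize(response_builder, embed_signature)` takes a bare boolean positional, so `Assertion.new(self, false)` at the call site does not say what is being switched off, and the value is fixed for the life of the builder because `embed_signature` is no longer delegated to the response builder. A keyword argument that defaults to the parent's setting keeps the old "inherit from the response" behaviour while still allowing the override this commit wants: `def initialize(response_builder, embed_signature: response_builder.embed_signature)`, with the caller becoming `Assertion.new(self, embed_signature: embed_signature)`. The `embed_signature=` writer presumably comes from `XmlTemplatable`, which is outside the hunk; a one-line comment such as `# Signing is decided per assertion so a response can be unsigned while its assertion is signed` above the constructor would record why the delegation was dropped. The class body continues outside the hunk.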
lib/saml/kit/builders/response.rb
@@ -35,12 +35,10 @@ module Saml
nil
end
- private
-
def assertion
@assertion ||=
begin
- assertion = Saml::Kit::Builders::Assertion.new(self)
+ assertion = Saml::Kit::Builders::Assertion.new(self, embed_signature)
if encrypt
Saml::Kit::Builders::EncryptedAssertion.new(self, assertion)
else
@@ -49,6 +47,8 @@ module Saml
end
end
+ private
+
def response_options
{
ID: id,
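Review bot: Making `assertion` public exposes the `@assertion ||=` memoization to callers, and the memoized object captures `embed_signature` at the moment of first access, so a block that reads `x.assertion` before it sets `x.embed_signature = false` silently builds the assertion with the stale value and no later assignment on the response corrects it. When `encrypt` is set the public method also returns the `EncryptedAssertion` wrapper rather than the inner `Assertion`, so `x.assertion.embed_signature = true` would target the wrapper; whether it forwards that writer is not visible here and is worth confirming. A short comment on the method, e.g. `# Memoized: the assertion's signing setting is fixed on first access, so set embed_signature on the response before touching this`, would make the ordering contract explicit to users of the builder block. The surrounding class and `response_options` continue outside the hunks.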
spec/saml/response_spec.rb
@@ -229,6 +229,22 @@ RSpec.describe Saml::Kit::Response do
expect(subject).to_not be_valid
expect(subject.errors[:assertion]).to be_present
end
+
+ it 'is invalid when the assertion has a signature and has been tampered with' do
+ token = SecureRandom.uuid
+ user = double(:user, name_id_for: SecureRandom.uuid, assertion_attributes_for: { token: token })
+ request = Saml::Kit::AuthenticationRequest.build
+ document = described_class.build(user, request, configuration: configuration) do |x|
+ x.embed_signature = false
+ x.assertion.embed_signature = true
+ end
+
+ altered_xml = document.to_xml.gsub(/token/, 'heck')
+ subject = described_class.new(altered_xml)
+ expect(subject).to_not be_valid
+ puts subject.errors.full_messages.inspect
+ expect(subject.errors[:assertion]).to be_present
+ end
end
describe "#signed?" do
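Review bot: The new example leaves a debugging `puts subject.errors.full_messages.inspect` in the spec, which prints on every run and should be dropped. More importantly the test has no positive control: if the builder produced an invalid document for an unsigned response with a signed assertion regardless of tampering, `expect(subject).to_not be_valid` would still pass without proving the assertion signature was checked, so assert `expect(described_class.new(document.to_xml)).to be_valid` before applying `gsub`. The `gsub(/token/, 'heck')` rewrites the attribute name rather than the UUID value, which is fine for a tamper test, but a comment such as `# mutate the attribute name so the signed assertion digest no longer matches` would say what is being exercised. The enclosing `describe` block continues outside the hunk.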