Class: OmniAuth::Strategies::SAML_RSTR::XMLSecurity::SecurityTokenResponseContent

Inherits:
Object
Defined in:
lib/omniauth/strategies/saml-rstr/xml_security.rb

Constant Summary

DSIG =

Plugging these namespaces in was required in order to get Nokogiri to use them, e.g. @xml.at_xpath("//ds:SignatureValue", {"ds" => DSIG}).text. Any way to avoid this? Nokogiri resolves a prefix in an XPath expression only through the prefix-to-URI bindings passed in that hash (or those declared on the document's root element), so the bindings cannot simply be dropped. The class keeps a second, namespace-stripped copy of the document (xml_unnamespaced) for prefix-free lookups, but once namespaces are removed an element from any namespace matches the same bare name, so the lookups that feed signature verification belong on the namespaced document.

"http://www.w3.org/2000/09/xmldsig#"
SAML =
"urn:oasis:names:tc:SAML:1.0:assertion"
WSP =
"http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA =
"http://www.w3.org/2005/08/addressing"
WSU =
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TRUST =
"http://schemas.xmlsoap.org/ws/2005/02/trust"

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(response) ⇒ SecurityTokenResponseContent

Returns a new instance of SecurityTokenResponseContent, parsing the RSTR text in response twice: once with all namespaces stripped (xml_unnamespaced) and once namespace-aware (xml).



# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 51

def initialize(response)
  # Namespace-stripped copy: convenient for prefix-free lookups such as
  # //Assertion, but elements from different namespaces become indistinguishable.
  self.xml_unnamespaced = Nokogiri::XML::Document.parse(response).remove_namespaces!
  # Namespace-aware copy: used by #signature, where the ds: prefix is bound to DSIG.
  self.xml = Nokogiri::XML::Document.parse(response)
end

Instance Attribute Details

#conditions_before ⇒ Object

Returns the value of attribute conditions_before.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def conditions_before
  @conditions_before
end

#conditions_not_on_or_after ⇒ Object

Returns the value of attribute conditions_not_on_or_after.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def conditions_not_on_or_after
  @conditions_not_on_or_after
end

#info_element ⇒ Object

Returns the value of attribute info_element: the Nokogiri node that #validate canonicalizes (exclusive C14N) and verifies the signature over, i.e. the SignedInfo node.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def info_element
  @info_element
end

#name_identifier ⇒ Object

Returns the value of attribute name_identifier.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def name_identifier
  @name_identifier
end

#name_identifier_test ⇒ Object

Returns the value of attribute name_identifier_test.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def name_identifier_test
  @name_identifier_test
end

#x509_cert ⇒ Object

Returns the value of attribute x509_cert: the Base64-encoded certificate text that #validate decodes, fingerprints, and takes the verification key from.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def x509_cert
  @x509_cert
end

#xml ⇒ Object

Returns the value of attribute xml: the namespace-aware Nokogiri document built in #initialize and used by #signature.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def xml
  @xml
end

#xml_unnamespaced ⇒ Object

Returns the value of attribute xml_unnamespaced: the copy of the document built in #initialize with remove_namespaces! applied.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 49

def xml_unnamespaced
  @xml_unnamespaced
end

Instance Method Details

#signature ⇒ Object

Returns the Base64 text of the first ds:SignatureValue element found anywhere in the namespace-aware document (xml); #validate decodes this value and verifies it. Because the XPath is //ds:SignatureValue rather than a path rooted at the assertion's own ds:Signature, the value is whichever SignatureValue appears first in document order.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 56

def signature
  # Namespaced lookup: the "ds" prefix must be bound explicitly (see DSIG).
  @xml.at_xpath("//ds:SignatureValue", {"ds" => DSIG}).text
end

#validate(idp_cert_fingerprint, soft = true) ⇒ Object

Validates the response in two steps: first that the SHA-1 fingerprint of the certificate carried in the response (x509_cert) matches the fingerprint configured for the plugin, then that the response's ds:SignatureValue (see #signature) verifies under that certificate's public key, with SHA-256, over the exclusive-C14N form of the SignedInfo node (info_element).

Returns true on success. A fingerprint mismatch always raises ValidationError regardless of soft; a signature failure returns false when soft is true and raises ValidationError otherwise.

Two caveats for integrators, both visible in the code below: the signature check covers only the canonicalized SignedInfo, so it establishes that the pinned certificate signed that node but does not recompute the digest of the element that the ds:Reference inside it points at; and the SHA-256 signature digest is fixed in code rather than read from the document's ds:SignatureMethod.

# File 'lib/omniauth/strategies/saml-rstr/xml_security.rb', line 86

def validate(idp_cert_fingerprint, soft = true)
  # Step 1: pin the certificate. The configured fingerprint may be written as
  # "AB:CD:..." or with spaces; strip everything but hex digits and lowercase it
  # before comparing it with the SHA-1 of the DER certificate from the response.
  cert_text   = Base64.decode64(x509_cert)

  certificate = OpenSSL::X509::Certificate.new(cert_text)
  fingerprint = Digest::SHA1.hexdigest(certificate.to_der)

  # This branch raises even when soft is true.
  if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
    raise OmniAuth::Strategies::SAML_RSTR::ValidationError.new("Fingerprint validation error")
  end

  # Step 2: verify the signature over the exclusive-C14N bytes of SignedInfo
  # with the pinned certificate's public key (digest fixed to SHA-256 here).
  canon_string =  info_element.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0)
  sig  = Base64.decode64(signature)

  if !certificate.public_key.verify(OpenSSL::Digest::SHA256.new, sig, canon_string)
    return soft ? false : (raise OmniAuth::Strategies::SAML_RSTR::ValidationError.new("Key validation error"))
  end

  return true
end
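Added example (not code from the omniauth-saml-rstr gem): a stand-alone Ruby model of the two checks #validate performs, fingerprint pinning and signature verification over SignedInfo, plus the ds:Reference digest check that #validate leaves to the caller. The XML layer is out of scope: the SignedInfo is a constructed string standing in for the exclusive-C14N output of info_element.canonicalize, the assertion is a constructed byte string, and the IdP key and self-signed certificate are generated on the fly. The names make_idp_credentials, issue_token, normalize_fingerprint, verify_token and demo are this example's own. The tampered-assertion case shows why the digest check matters: the signature over SignedInfo still verifies, exactly as #validate would report, while the digest comparison catches the change.

```ruby
require 'openssl'
require 'base64'
require 'digest'

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Throwaway IdP credentials: RSA key plus self-signed certificate (constructed).
def make_idp_credentials
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=example-idp")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# IdP side: digest the assertion into a SignedInfo, sign the SignedInfo, and
# return the pieces an RSTR would carry. The SignedInfo string is constructed
# and stands in for info_element.canonicalize(XML_C14N_EXCLUSIVE_1_0).
def issue_token(key, cert, assertion)
  digest      = Base64.strict_encode64(Digest::SHA256.digest(assertion))
  signed_info = "<ds:SignedInfo xmlns:ds=\"#{DSIG}\">" \
                "<ds:Reference URI=\"#assertion-1\">" \
                "<ds:DigestValue>#{digest}</ds:DigestValue>" \
                "</ds:Reference></ds:SignedInfo>"
  {
    x509_cert:   Base64.strict_encode64(cert.to_der),   # what #x509_cert holds
    signed_info: signed_info,
    signature:   Base64.strict_encode64(key.sign(OpenSSL::Digest::SHA256.new, signed_info)),
    assertion:   assertion,
  }
end

# Same normalisation #validate applies to the configured fingerprint, so
# "AB:CD:EF:..." and "abcdef..." compare equal.
def normalize_fingerprint(fp)
  fp.gsub(/[^a-zA-Z0-9]/, "").downcase
end

# Returns :ok, or a symbol naming the first check that failed.
def verify_token(token, idp_cert_fingerprint)
  # Check 1, as in #validate: SHA-1 of the DER certificate must equal the pinned value.
  certificate = OpenSSL::X509::Certificate.new(Base64.decode64(token[:x509_cert]))
  fingerprint = Digest::SHA1.hexdigest(certificate.to_der)
  return :fingerprint_mismatch unless fingerprint == normalize_fingerprint(idp_cert_fingerprint)

  # Check 2, as in #validate: the signature covers the canonical SignedInfo bytes.
  sig = Base64.decode64(token[:signature])
  begin
    ok = certificate.public_key.verify(OpenSSL::Digest::SHA256.new, sig, token[:signed_info])
  rescue OpenSSL::PKey::PKeyError
    ok = false
  end
  return :bad_signature unless ok

  # Check 3, which #validate does not do: the signature only vouches for
  # SignedInfo, so the assertion is trusted only if its digest matches the
  # DigestValue inside SignedInfo. (A regex is acceptable here only because the
  # constructed SignedInfo is canonical and holds a single DigestValue.)
  claimed = token[:signed_info][%r{<ds:DigestValue>([^<]+)</ds:DigestValue>}, 1]
  actual  = Base64.strict_encode64(Digest::SHA256.digest(token[:assertion]))
  return :digest_mismatch unless claimed == actual
  :ok
end

KEY, CERT = make_idp_credentials
# Constructed assertion bytes; in the real flow this is the signed saml:Assertion element.
ASSERTION = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="assertion-1">' \
            '<saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Assertion>'
TOKEN  = issue_token(KEY, CERT, ASSERTION)
# Fingerprint in the colon-separated form an operator would paste into the plugin config.
PINNED = Digest::SHA1.hexdigest(CERT.to_der).upcase.scan(/../).join(":")

def demo
  tampered = TOKEN.merge(assertion: TOKEN[:assertion].sub("alice", "mallory"))
  forged   = TOKEN.merge(signature: Base64.strict_encode64("\x42" * 256))
  {
    genuine:            verify_token(TOKEN, PINNED),      # :ok
    tampered_assertion: verify_token(tampered, PINNED),   # :digest_mismatch
    forged_signature:   verify_token(forged, PINNED),     # :bad_signature
    wrong_idp:          verify_token(TOKEN, "00" * 20),   # :fingerprint_mismatch
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it as a script to see the four outcomes. The tampered_assertion case is the one #validate cannot distinguish from a genuine response: its SignedInfo and SignatureValue are untouched, so the fingerprint and signature checks both pass, and only the recomputed digest of the assertion exposes the edit.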