Class: Spid::Saml2::ResponseValidator

Inherits:

Object

• Object
• Spid::Saml2::ResponseValidator

Defined in:

lib/spid/saml2/response_validator.rb

Overview

rubocop:disable Metrics/ClassLength

Instance Attribute Summary

• #errors ⇒ Object readonly

  Returns the value of attribute errors.

• #request_uuid ⇒ Object readonly

  Returns the value of attribute request_uuid.

• #response ⇒ Object readonly

  :nodoc:.

• #settings ⇒ Object readonly

  Returns the value of attribute settings.

Instance Method Summary

• #assertion_issuer ⇒ Object
• #audience ⇒ Object
• #call ⇒ Object
• #certificate ⇒ Object
• #conditions ⇒ Object
• #destination ⇒ Object
• #initialize(response:, settings:, request_uuid:) ⇒ ResponseValidator constructor

  A new instance of ResponseValidator.

• #issuer ⇒ Object
• #matches_request_uuid ⇒ Object
• #signature ⇒ Object
• #subject_in_response_to ⇒ Object
• #subject_not_on_or_after ⇒ Object
• #subject_recipient ⇒ Object
• #success? ⇒ Boolean

Constructor Details

#initialize(response:, settings:, request_uuid:) ⇒ ResponseValidator

Returns a new instance of ResponseValidator.

# File 'lib/spid/saml2/response_validator.rb', line 14

def initialize(response:, settings:, request_uuid:)
  @response = response
  @settings = settings
  @request_uuid = request_uuid
  @errors = {}
end

Instance Attribute Details

#errors ⇒ Object (readonly)

Returns the value of attribute errors.

# File 'lib/spid/saml2/response_validator.rb', line 11

def errors
  @errors
end

#request_uuid ⇒ Object (readonly)

Returns the value of attribute request_uuid.

# File 'lib/spid/saml2/response_validator.rb', line 12

def request_uuid
  @request_uuid
end

#response ⇒ Object (readonly)

:nodoc:

# File 'lib/spid/saml2/response_validator.rb', line 9

def response
  @response
end

#settings ⇒ Object (readonly)

Returns the value of attribute settings.

# File 'lib/spid/saml2/response_validator.rb', line 10

def settings
  @settings
end

Instance Method Details

#assertion_issuer ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 59

def assertion_issuer
  return true if response.assertion_issuer == settings.idp_entity_id

  @errors["assertion_issuer"] =
    begin
      "Response Assertion Issuer is '#{response.assertion_issuer}'" \
      " but was expected '#{settings.idp_entity_id}'"
    end
  false
end

#audience ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 104

def audience
  return true if response.audience == settings.sp_entity_id
  @errors["audience"] =
    begin
      "Response Audience is '#{response.audience}'" \
      " but was expected '#{settings.sp_entity_id}'"
    end
  false
end

#call ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 21

def call
  return false unless success?
  [
    matches_request_uuid, issuer, assertion_issuer, certificate,
    destination, conditions, audience, signature
  ].all?
end

#certificate ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 70

def certificate
  if response.certificate.to_der == settings.idp_certificate.to_der
    return true
  end

  @errors["certificate"] = "Certificates mismatch"
  false
end

#conditions ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 91

def conditions
  time = Time.now.utc.iso8601

  if response.conditions_not_before <= time &&
     response.conditions_not_on_or_after > time

    return true
  end

  @errors["conditions"] = "Response was out of time"
  false
end

#destination ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 79

def destination
  return true if response.destination == settings.sp_acs_url
  return true if response.destination == settings.sp_entity_id

  @errors["destination"] =
    begin
      "Response Destination is '#{response.destination}'" \
      " but was expected '#{settings.sp_acs_url}'"
    end
  false
end

#issuer ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 48

def issuer
  return true if response.issuer == settings.idp_entity_id

  @errors["issuer"] =
    begin
      "Response Issuer is '#{response.issuer}'" \
      " but was expected '#{settings.idp_entity_id}'"
    end
  false
end

#matches_request_uuid ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 29

def matches_request_uuid
  return true if response.in_response_to == request_uuid

  @errors["request_uuid_mismatch"] =
    "Request uuid not belongs to current session"
  false
end

#signature ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 114

def signature
  signed_document = Xmldsig::SignedDocument.new(response.saml_message)
  return true if signed_document.validate(response.certificate)

  @errors["signature"] = "Signature mismatch"
  false
end

#subject_in_response_to ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 126

def subject_in_response_to
  return true if response.subject_in_response_to == request_uuid
end

#subject_not_on_or_after ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 130

def subject_not_on_or_after
  time = Time.now.utc.iso8601

  return true if response.subject_not_on_or_after > time
end

#subject_recipient ⇒ Object

# File 'lib/spid/saml2/response_validator.rb', line 122

def subject_recipient
  return true if response.subject_recipient == settings.sp_acs_url
end

#success? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/spid/saml2/response_validator.rb', line 37

def success?
  return true if response.status_code == Spid::SUCCESS_CODE

  @errors["authentication"] = {
    "status_code" => response.status_code,
    "status_message" => response.status_message,
    "status_detail" => response.status_detail
  }
  false
end