Module: WSDL::Security::ResponseVerification

Defined in:
lib/wsdl/security/response_verification.rb

Overview

Immutable configuration objects for SOAP response security verification.

This namespace groups certificate and timestamp verification options used by response signature verification.

Defined Under Namespace

Classes: Certificate, Options, Timestamp


Instance Attribute Details

#certificate ⇒ Certificate (readonly)

Certificate verification options.

Returns:

  • (Certificate) — certificate verification options



# File 'lib/wsdl/security/response_verification.rb', line 96

Options = Data.define(:certificate, :timestamp) do
  class << self
    # Builds the out-of-the-box response verification settings by pairing
    # the defaults of the two nested option objects.
    #
    # @return [Options] +Certificate.default+ together with +Timestamp.default+
    #
    def default
      certificate_defaults = Certificate.default
      timestamp_defaults = Timestamp.default
      new(certificate: certificate_defaults, timestamp: timestamp_defaults)
    end

    # Derives verification options from a Security::Config instance.
    #
    # A config that already exposes +response_verification_options+ is
    # trusted to hand back a ready-made object, which is returned untouched.
    # Otherwise the four individual settings are read from the config and
    # copied over as they are; nothing is validated or tightened here, so a
    # nil trust store (no chain validation) or a disabled timestamp check
    # passes straight through.
    #
    # @param config [Security::Config] the security configuration
    # @return [Options] verification options taken from config
    #
    def from_config(config)
      if config.respond_to?(:response_verification_options)
        return config.response_verification_options
      end

      certificate_options = Certificate.new(
        trust_store: config.verification_trust_store,
        verify_not_expired: config.check_certificate_validity
      )
      timestamp_options = Timestamp.new(
        validate: config.validate_timestamp,
        tolerance_seconds: config.clock_skew
      )
      new(certificate: certificate_options, timestamp: timestamp_options)
    end
  end
end

#timestamp ⇒ Timestamp (readonly)

Timestamp verification options.

Returns:

  • (Timestamp) — timestamp verification options



# File 'lib/wsdl/security/response_verification.rb', line 96

Options = Data.define(:certificate, :timestamp) do
  class << self
    # Builds the out-of-the-box response verification settings by pairing
    # the defaults of the two nested option objects.
    #
    # @return [Options] +Certificate.default+ together with +Timestamp.default+
    #
    def default
      certificate_defaults = Certificate.default
      timestamp_defaults = Timestamp.default
      new(certificate: certificate_defaults, timestamp: timestamp_defaults)
    end

    # Derives verification options from a Security::Config instance.
    #
    # A config that already exposes +response_verification_options+ is
    # trusted to hand back a ready-made object, which is returned untouched.
    # Otherwise the four individual settings are read from the config and
    # copied over as they are; nothing is validated or tightened here, so a
    # disabled timestamp check or an arbitrary +clock_skew+ value passes
    # straight through to the resulting Timestamp options.
    #
    # @param config [Security::Config] the security configuration
    # @return [Options] verification options taken from config
    #
    def from_config(config)
      if config.respond_to?(:response_verification_options)
        return config.response_verification_options
      end

      certificate_options = Certificate.new(
        trust_store: config.verification_trust_store,
        verify_not_expired: config.check_certificate_validity
      )
      timestamp_options = Timestamp.new(
        validate: config.validate_timestamp,
        tolerance_seconds: config.clock_skew
      )
      new(certificate: certificate_options, timestamp: timestamp_options)
    end
  end
end

#tolerance_seconds ⇒ Integer (readonly)

Acceptable clock skew tolerance in seconds. Allows for minor time differences between client and server clocks.

Returns:

  • tolerance in seconds (default: 300, per WS-I BSP guidance)



# File 'lib/wsdl/security/response_verification.rb', line 49

Timestamp = Data.define(:validate, :tolerance_seconds) do
  # Builds the out-of-the-box timestamp verification settings: freshness
  # validation switched on, with 300 seconds (five minutes) of tolerance.
  #
  # NOTE(review): a larger tolerance presumably widens the window in which a
  # response still counts as fresh — confirm how the verifier applies it
  # before raising the value above the default.
  #
  # @return [Timestamp] options with +validate+ true and
  #   +tolerance_seconds+ 300
  #
  def self.default = new(validate: true, tolerance_seconds: 300)
end

#trust_store ⇒ OpenSSL::X509::Store, ... (readonly)

Trust store for certificate chain validation.

Returns:

    • nil — No chain validation (default); the signing certificate is then not checked against any trusted CA
    • :system — Use system CA certificates
    • String — Path to CA certificate file or directory
    • Array — Array of certificate objects or PEM strings
    • OpenSSL::X509::Store — Pre-configured trust store


# File 'lib/wsdl/security/response_verification.rb', line 25

Certificate = Data.define(:trust_store, :verify_not_expired) do
  class << self
    # Builds the out-of-the-box certificate verification settings.
    #
    # The default carries no trust store and switches the validity-period
    # check on.
    # NOTE(review): with +trust_store+ left at nil no chain validation is
    # configured, so the signer's certificate is not anchored to a trusted
    # CA — callers that must authenticate the responder should pass a trust
    # store explicitly.
    #
    # @return [Certificate] options with +trust_store+ nil and
    #   +verify_not_expired+ true
    #
    def default
      new(trust_store: nil, verify_not_expired: true)
    end
  end
end

#validate ⇒ Boolean (readonly)

Whether to validate timestamp freshness.

Returns:

  • true to validate timestamps (default: true)



# File 'lib/wsdl/security/response_verification.rb', line 49

Timestamp = Data.define(:validate, :tolerance_seconds) do
  class << self
    # Builds the out-of-the-box timestamp verification settings: freshness
    # validation switched on, with 300 seconds (five minutes) of tolerance.
    #
    # NOTE(review): +validate: false+ presumably skips the freshness check
    # altogether — confirm against the verifier before turning it off.
    #
    # @return [Timestamp] options with +validate+ true and
    #   +tolerance_seconds+ 300
    #
    def default
      new(validate: true, tolerance_seconds: 300)
    end
  end
end

#verify_not_expired ⇒ Boolean (readonly)

Whether to check the certificate's validity period (not_before/not_after).

Returns:

  • true to verify certificate is not expired (default: true)



# File 'lib/wsdl/security/response_verification.rb', line 25

Certificate = Data.define(:trust_store, :verify_not_expired) do
  # Builds the out-of-the-box certificate verification settings: no trust
  # store, validity-period checking switched on.
  #
  # NOTE(review): +verify_not_expired+ only concerns the certificate's
  # validity period; with the default nil +trust_store+ no chain validation
  # is configured, so this default alone does not establish who issued the
  # certificate.
  #
  # @return [Certificate] options with +trust_store+ nil and
  #   +verify_not_expired+ true
  #
  def self.default = new(trust_store: nil, verify_not_expired: true)
end