saml-kit 1.0.6 → 1.0.7
- checksums.yaml +4 -4
- data/.gitlab-ci.yml +5 -5
- data/.rubocop.yml +92 -0
- data/.rubocop_todo.yml +45 -0
- data/.travis.yml +7 -3
- data/Gemfile +2 -2
- data/Rakefile +5 -3
- data/bin/cibuild +23 -0
- data/bin/console +3 -3
- data/bin/lint +13 -0
- data/bin/setup +1 -1
- data/bin/test +19 -0
- data/exe/saml-kit-create-self-signed-certificate +6 -6
- data/exe/saml-kit-decode-http-redirect +6 -2
- data/lib/saml/kit.rb +42 -39
- data/lib/saml/kit/assertion.rb +67 -25
- data/lib/saml/kit/authentication_request.rb +1 -1
- data/lib/saml/kit/bindings.rb +8 -8
- data/lib/saml/kit/bindings/binding.rb +5 -5
- data/lib/saml/kit/bindings/http_redirect.rb +12 -7
- data/lib/saml/kit/bindings/url_builder.rb +2 -2
- data/lib/saml/kit/buildable.rb +3 -3
- data/lib/saml/kit/builders/assertion.rb +4 -0
- data/lib/saml/kit/builders/authentication_request.rb +3 -3
- data/lib/saml/kit/builders/logout_request.rb +1 -1
- data/lib/saml/kit/builders/logout_response.rb +1 -1
- data/lib/saml/kit/builders/response.rb +2 -8
- data/lib/saml/kit/builders/templates/assertion.builder +1 -1
- data/lib/saml/kit/builders/templates/metadata.builder +4 -4
- data/lib/saml/kit/builders/templates/service_provider_metadata.builder +1 -1
- data/lib/saml/kit/composite_metadata.rb +9 -5
- data/lib/saml/kit/configuration.rb +7 -7
- data/lib/saml/kit/default_registry.rb +1 -1
- data/lib/saml/kit/document.rb +39 -23
- data/lib/saml/kit/identity_provider_metadata.rb +6 -6
- data/lib/saml/kit/invalid_document.rb +2 -2
- data/lib/saml/kit/locales/en.yml +12 -3
- data/lib/saml/kit/logout_request.rb +1 -1
- data/lib/saml/kit/logout_response.rb +1 -1
- data/lib/saml/kit/metadata.rb +43 -41
- data/lib/saml/kit/namespaces.rb +25 -25
- data/lib/saml/kit/null_assertion.rb +17 -0
- data/lib/saml/kit/respondable.rb +2 -3
- data/lib/saml/kit/response.rb +23 -4
- data/lib/saml/kit/rspec/have_query_param.rb +1 -1
- data/lib/saml/kit/service_provider_metadata.rb +3 -3
- data/lib/saml/kit/signature.rb +74 -4
- data/lib/saml/kit/translatable.rb +3 -2
- data/lib/saml/kit/trustable.rb +4 -11
- data/lib/saml/kit/version.rb +1 -1
- data/lib/saml/kit/xml_templatable.rb +10 -5
- data/saml-kit.gemspec +25 -22
- metadata +54 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f336ef3e71456ef8822afe806133e69cdf66051db1cb47ff29b4604cd3c14080
|
4
|
+
data.tar.gz: 0af28562d5ceeb54517113a179d002584a806f5054f11e73b0aac2c91c392640
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ff41286ca85b6fa5d076ba78fabf7f7fe3e8e1cf7e951af112a2e77e1e90d7f073515694ba63e688e38263456f24fe12af0e775c6d836e8a77becf82ebbb6034
|
7
|
+
data.tar.gz: bb1b0cf0d15d68af2115f1c14f36aa702c7367c9f34af031214263b0c405e1bb078a9b5783184979eef431caa37075639a4640a842f80fb92d445e4545a5bf53
|
data/.gitlab-ci.yml
CHANGED
@@ -5,11 +5,11 @@ before_script:
|
|
5
5
|
- echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
6
6
|
- locale-gen
|
7
7
|
- export LC_ALL=en_US.UTF-8
|
8
|
-
- ruby -v
|
9
|
-
- which ruby
|
10
|
-
- gem install bundler --no-ri --no-rdoc
|
11
|
-
- bundle install --jobs $(nproc) "${FLAGS[@]}"
|
12
8
|
|
13
9
|
rspec:
|
14
10
|
script:
|
15
|
-
-
|
11
|
+
- bin/cibuild
|
12
|
+
|
13
|
+
lint:
|
14
|
+
script:
|
15
|
+
- bin/lint
|
data/.rubocop.yml
ADDED
@@ -0,0 +1,92 @@
|
|
1
|
+
inherit_from: .rubocop_todo.yml
|
2
|
+
|
3
|
+
require:
|
4
|
+
- rubocop/cop/internal_affairs
|
5
|
+
- rubocop-rspec
|
6
|
+
|
7
|
+
AllCops:
|
8
|
+
Exclude:
|
9
|
+
- 'coverage/**/*'
|
10
|
+
- 'pkg/**/*'
|
11
|
+
- 'spec/fixtures/**/*'
|
12
|
+
- 'spec/examples/**/*'
|
13
|
+
- 'tmp/**/*'
|
14
|
+
- 'vendor/**/*'
|
15
|
+
TargetRubyVersion: 2.2
|
16
|
+
|
17
|
+
Layout/ClassStructure:
|
18
|
+
Enabled: true
|
19
|
+
Categories:
|
20
|
+
module_inclusion:
|
21
|
+
- include
|
22
|
+
- prepend
|
23
|
+
- extend
|
24
|
+
ExpectedOrder:
|
25
|
+
- module_inclusion
|
26
|
+
- constants
|
27
|
+
- public_class_methods
|
28
|
+
- initializer
|
29
|
+
- instance_methods
|
30
|
+
- protected_methods
|
31
|
+
- private_methods
|
32
|
+
|
33
|
+
Layout/EndOfLine:
|
34
|
+
EnforcedStyle: lf
|
35
|
+
|
36
|
+
Layout/IndentArray:
|
37
|
+
EnforcedStyle: consistent
|
38
|
+
|
39
|
+
Layout/IndentHeredoc:
|
40
|
+
EnforcedStyle: active_support
|
41
|
+
|
42
|
+
Lint/AmbiguousBlockAssociation:
|
43
|
+
Exclude:
|
44
|
+
- 'spec/**/*.rb'
|
45
|
+
|
46
|
+
Lint/InterpolationCheck:
|
47
|
+
Exclude:
|
48
|
+
- 'spec/**/*.rb'
|
49
|
+
|
50
|
+
Metrics/BlockLength:
|
51
|
+
Exclude:
|
52
|
+
- '**/**/*.builder'
|
53
|
+
- '**/*.rake'
|
54
|
+
- '*.gemspec'
|
55
|
+
- 'Rakefile'
|
56
|
+
- 'spec/**/*.rb'
|
57
|
+
|
58
|
+
Metrics/ModuleLength:
|
59
|
+
Exclude:
|
60
|
+
- 'spec/**/*.rb'
|
61
|
+
|
62
|
+
Metrics/LineLength:
|
63
|
+
Exclude:
|
64
|
+
- 'spec/**/*.rb'
|
65
|
+
|
66
|
+
Naming/FileName:
|
67
|
+
Exclude:
|
68
|
+
- 'lib/saml-kit.rb'
|
69
|
+
|
70
|
+
Style/Documentation:
|
71
|
+
Enabled: false
|
72
|
+
|
73
|
+
Style/StringLiterals:
|
74
|
+
EnforcedStyle: 'single_quotes'
|
75
|
+
|
76
|
+
Style/TrailingCommaInLiteral:
|
77
|
+
Enabled: false
|
78
|
+
|
79
|
+
RSpec/ExampleLength:
|
80
|
+
Max: 80
|
81
|
+
|
82
|
+
RSpec/MultipleExpectations:
|
83
|
+
Enabled: false
|
84
|
+
|
85
|
+
RSpec/NamedSubject:
|
86
|
+
Enabled: false
|
87
|
+
|
88
|
+
RSpec/NestedGroups:
|
89
|
+
Max: 7
|
90
|
+
|
91
|
+
RSpec/SubjectStub:
|
92
|
+
Enabled: false
|
data/.rubocop_todo.yml
ADDED
@@ -0,0 +1,45 @@
|
|
1
|
+
# This configuration was generated by
|
2
|
+
# `rubocop --auto-gen-config`
|
3
|
+
# on 2018-02-16 22:08:54 -0700 using RuboCop version 0.52.1.
|
4
|
+
# The point is for the user to remove these configuration records
|
5
|
+
# one by one as the offenses are removed from the code base.
|
6
|
+
# Note that changes in the inspected code, or installation of new
|
7
|
+
# versions of RuboCop, may require this file to be generated again.
|
8
|
+
|
9
|
+
# Offense count: 1
|
10
|
+
# Cop supports --auto-correct.
|
11
|
+
# Configuration parameters: AllowUnusedKeywordArguments, IgnoreEmptyMethods.
|
12
|
+
Lint/UnusedMethodArgument:
|
13
|
+
Exclude:
|
14
|
+
- 'lib/saml/kit/invalid_document.rb'
|
15
|
+
|
16
|
+
# Offense count: 2
|
17
|
+
Metrics/AbcSize:
|
18
|
+
Max: 16
|
19
|
+
|
20
|
+
# Offense count: 3
|
21
|
+
# Configuration parameters: CountComments.
|
22
|
+
Metrics/ClassLength:
|
23
|
+
Max: 136
|
24
|
+
|
25
|
+
# Offense count: 6
|
26
|
+
# Configuration parameters: CountComments.
|
27
|
+
Metrics/MethodLength:
|
28
|
+
Max: 13
|
29
|
+
|
30
|
+
# Offense count: 1
|
31
|
+
Style/DateTime:
|
32
|
+
Exclude:
|
33
|
+
- 'lib/saml/kit/assertion.rb'
|
34
|
+
|
35
|
+
# Offense count: 1
|
36
|
+
# Cop supports --auto-correct.
|
37
|
+
Style/IfUnlessModifier:
|
38
|
+
Exclude:
|
39
|
+
- 'lib/saml/kit/builders/authentication_request.rb'
|
40
|
+
|
41
|
+
# Offense count: 128
|
42
|
+
# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
|
43
|
+
# URISchemes: http, https
|
44
|
+
Metrics/LineLength:
|
45
|
+
Max: 313
|
data/.travis.yml
CHANGED
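--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,6 +1,6 @@
-source
+source 'https://rubygems.org'
 
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in saml-kit.gemspec
 gemspec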
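--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,6 +1,8 @@
-require
-require
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
+task default: :spec
 
-
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new(:rubocop)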
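--- /dev/null
+++ b/data/bin/cibuild
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# script/cibuild: Setup environment for CI to run tests. This is primarily
+# designed to run on the continuous integration server.
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+echo "Started at…"
+date "+%H:%M:%S"
+
+# GC customizations
+export RUBY_GC_MALLOC_LIMIT=79000000
+export RUBY_GC_HEAP_INIT_SLOTS=800000
+export RUBY_HEAP_FREE_MIN=100000
+export RUBY_HEAP_SLOTS_INCREMENT=400000
+export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1
+
+gem install bundler --no-ri --no-rdoc --conservative
+# run tests
+ruby -v
+bin/test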
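--- a/data/bin/console
+++ b/data/bin/console
@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require
-require
+require 'bundler/setup'
+require 'saml/kit'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "saml/kit"
 # require "pry"
 # Pry.start
 
-require
+require 'irb'
 IRB.start(__FILE__)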
data/bin/lint
ADDED
data/bin/setup
CHANGED
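--- /dev/null
+++ b/data/bin/test
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# script/test: Run test suite for application. Optionally pass in a path to an
+# individual test file to run a single test.
+
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+[ -z "$DEBUG" ] || set -x
+
+echo "==> Running setup…"
+date "+%H:%M:%S"
+bin/setup
+
+echo "==> Running tests…"
+date "+%H:%M:%S"
+bundle exec rake spec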
@@ -3,22 +3,22 @@ require 'saml/kit'
|
|
3
3
|
|
4
4
|
Saml::Kit.deprecate("Use the 'saml-kit-cli' gem instead. saml-kit-create-self-signed-certificate")
|
5
5
|
|
6
|
-
puts
|
6
|
+
puts 'Enter Passphrase:'
|
7
7
|
passphrase = STDIN.read.strip
|
8
8
|
certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new.create(passphrase: passphrase)
|
9
9
|
|
10
|
-
puts
|
10
|
+
puts '** BEGIN File Format **'
|
11
11
|
print certificate
|
12
12
|
puts private_key
|
13
|
-
puts
|
13
|
+
puts '***********************'
|
14
14
|
|
15
15
|
puts
|
16
16
|
|
17
|
-
puts
|
17
|
+
puts '*** BEGIN ENV Format **'
|
18
18
|
puts certificate.inspect
|
19
19
|
puts private_key.inspect
|
20
|
-
puts
|
20
|
+
puts '***********************'
|
21
21
|
|
22
22
|
puts
|
23
|
-
puts
|
23
|
+
puts 'Private Key Passphrase:'
|
24
24
|
puts passphrase.inspect
|
@@ -6,9 +6,13 @@ Saml::Kit.deprecate("Use the 'saml-kit-cli' gem instead. saml-kit-decode-http-re
|
|
6
6
|
input = STDIN.read
|
7
7
|
binding = Saml::Kit::Bindings::HttpRedirect.new(location: '')
|
8
8
|
|
9
|
-
uri =
|
9
|
+
uri = begin
|
10
|
+
URI.parse(input)
|
11
|
+
rescue StandardError
|
12
|
+
nil
|
13
|
+
end
|
10
14
|
if uri
|
11
|
-
query_params =
|
15
|
+
query_params = Hash[uri.query.split('&').map { |x| x.split('=', 2) }]
|
12
16
|
puts binding.deserialize(query_params).to_xml(pretty: true)
|
13
17
|
else
|
14
18
|
puts binding.deserialize('SAMLRequest' => input).to_xml(pretty: true)
|
data/lib/saml/kit.rb
CHANGED
@@ -1,46 +1,49 @@
|
|
1
|
-
require
|
1
|
+
require 'saml/kit/version'
|
2
2
|
|
3
|
-
require
|
4
|
-
require
|
5
|
-
require
|
6
|
-
require
|
7
|
-
require
|
8
|
-
require
|
9
|
-
require
|
10
|
-
require
|
11
|
-
require
|
12
|
-
require
|
13
|
-
require
|
14
|
-
require
|
15
|
-
require
|
3
|
+
require 'active_model'
|
4
|
+
require 'active_support/core_ext/date/calculations'
|
5
|
+
require 'active_support/core_ext/hash/conversions'
|
6
|
+
require 'active_support/core_ext/hash/indifferent_access'
|
7
|
+
require 'active_support/core_ext/numeric/time'
|
8
|
+
require 'active_support/deprecation'
|
9
|
+
require 'active_support/duration'
|
10
|
+
require 'forwardable'
|
11
|
+
require 'logger'
|
12
|
+
require 'net/http'
|
13
|
+
require 'nokogiri'
|
14
|
+
require 'securerandom'
|
15
|
+
require 'uri'
|
16
|
+
require 'xml/kit'
|
16
17
|
|
17
|
-
require
|
18
|
-
require
|
19
|
-
require
|
20
|
-
require
|
21
|
-
require
|
22
|
-
require
|
23
|
-
require
|
24
|
-
require
|
25
|
-
require
|
26
|
-
require
|
18
|
+
require 'saml/kit/buildable'
|
19
|
+
require 'saml/kit/builders'
|
20
|
+
require 'saml/kit/namespaces'
|
21
|
+
require 'saml/kit/serializable'
|
22
|
+
require 'saml/kit/xsd_validatable'
|
23
|
+
require 'saml/kit/respondable'
|
24
|
+
require 'saml/kit/requestable'
|
25
|
+
require 'saml/kit/trustable'
|
26
|
+
require 'saml/kit/translatable'
|
27
|
+
require 'saml/kit/document'
|
27
28
|
|
28
|
-
require
|
29
|
-
require
|
30
|
-
require
|
31
|
-
require
|
32
|
-
require
|
33
|
-
require
|
34
|
-
require
|
35
|
-
require
|
36
|
-
require
|
37
|
-
require
|
38
|
-
require
|
39
|
-
require
|
40
|
-
require
|
41
|
-
require
|
29
|
+
require 'saml/kit/assertion'
|
30
|
+
require 'saml/kit/authentication_request'
|
31
|
+
require 'saml/kit/bindings'
|
32
|
+
require 'saml/kit/configuration'
|
33
|
+
require 'saml/kit/default_registry'
|
34
|
+
require 'saml/kit/logout_response'
|
35
|
+
require 'saml/kit/logout_request'
|
36
|
+
require 'saml/kit/metadata'
|
37
|
+
require 'saml/kit/null_assertion'
|
38
|
+
require 'saml/kit/composite_metadata'
|
39
|
+
require 'saml/kit/response'
|
40
|
+
require 'saml/kit/identity_provider_metadata'
|
41
|
+
require 'saml/kit/invalid_document'
|
42
|
+
require 'saml/kit/service_provider_metadata'
|
43
|
+
require 'saml/kit/signature'
|
42
44
|
|
43
|
-
I18n.load_path +=
|
45
|
+
I18n.load_path +=
|
46
|
+
Dir[File.expand_path('kit/locales/*.yml', File.dirname(__FILE__))]
|
44
47
|
|
45
48
|
module Saml
|
46
49
|
module Kit
|
data/lib/saml/kit/assertion.rb
CHANGED
@@ -3,17 +3,29 @@ module Saml
|
|
3
3
|
class Assertion
|
4
4
|
include ActiveModel::Validations
|
5
5
|
include Translatable
|
6
|
-
|
7
|
-
|
8
|
-
|
6
|
+
XPATH = [
|
7
|
+
'/samlp:Response/saml:Assertion',
|
8
|
+
'/samlp:Response/saml:EncryptedAssertion'
|
9
|
+
].join('|')
|
10
|
+
|
11
|
+
validate :must_be_decryptable
|
12
|
+
validate :must_match_issuer, if: :decryptable?
|
13
|
+
validate :must_be_active_session, if: :decryptable?
|
14
|
+
validate :must_have_valid_signature, if: :decryptable?
|
9
15
|
attr_reader :name
|
10
16
|
attr_accessor :occurred_at
|
11
17
|
|
12
|
-
def initialize(
|
13
|
-
@name =
|
14
|
-
@
|
18
|
+
def initialize(node, configuration: Saml::Kit.configuration, private_keys: [])
|
19
|
+
@name = 'Assertion'
|
20
|
+
@node = node
|
21
|
+
@xml_hash = hash_from(node)['Response'] || {}
|
15
22
|
@configuration = configuration
|
16
23
|
@occurred_at = Time.current
|
24
|
+
decrypt!(::Xml::Kit::Decryption.new(
|
25
|
+
private_keys: (
|
26
|
+
configuration.private_keys(use: :encryption) + private_keys
|
27
|
+
).uniq
|
28
|
+
))
|
17
29
|
end
|
18
30
|
|
19
31
|
def issuer
|
@@ -29,8 +41,7 @@ module Saml
|
|
29
41
|
end
|
30
42
|
|
31
43
|
def signature
|
32
|
-
|
33
|
-
xml_hash ? Signature.new(xml_hash) : nil
|
44
|
+
@signature ||= Signature.new(at_xpath('./ds:Signature'))
|
34
45
|
end
|
35
46
|
|
36
47
|
def expired?(now = occurred_at)
|
@@ -47,7 +58,7 @@ module Saml
|
|
47
58
|
begin
|
48
59
|
attrs = assertion.fetch('AttributeStatement', {}).fetch('Attribute', [])
|
49
60
|
items = if attrs.is_a? Hash
|
50
|
-
[[attrs[
|
61
|
+
[[attrs['Name'], attrs['AttributeValue']]]
|
51
62
|
else
|
52
63
|
attrs.map { |item| [item['Name'], item['AttributeValue']] }
|
53
64
|
end
|
@@ -65,57 +76,88 @@ module Saml
|
|
65
76
|
|
66
77
|
def audiences
|
67
78
|
Array(assertion['Conditions']['AudienceRestriction']['Audience'])
|
68
|
-
rescue => error
|
79
|
+
rescue StandardError => error
|
69
80
|
Saml::Kit.logger.error(error)
|
70
81
|
[]
|
71
82
|
end
|
72
83
|
|
73
84
|
def encrypted?
|
74
|
-
@xml_hash.fetch('
|
85
|
+
@xml_hash.fetch('EncryptedAssertion', nil).present?
|
86
|
+
end
|
87
|
+
|
88
|
+
def decryptable?
|
89
|
+
return true unless encrypted?
|
90
|
+
!@cannot_decrypt
|
75
91
|
end
|
76
92
|
|
77
93
|
def present?
|
78
94
|
assertion.present?
|
79
95
|
end
|
80
96
|
|
97
|
+
def to_xml(pretty: false)
|
98
|
+
pretty ? @node.to_xml(indent: 2) : @node.to_s
|
99
|
+
end
|
100
|
+
|
81
101
|
private
|
82
102
|
|
83
103
|
attr_reader :configuration
|
84
104
|
|
85
105
|
def assertion
|
86
106
|
@assertion ||=
|
87
|
-
|
88
|
-
|
89
|
-
decryptor = ::Xml::Kit::Decryption.new(private_keys: private_keys)
|
90
|
-
decrypted = decryptor.decrypt_hash(@xml_hash['Response']['EncryptedAssertion'])
|
91
|
-
Saml::Kit.logger.debug(decrypted)
|
92
|
-
Hash.from_xml(decrypted)['Assertion']
|
93
|
-
else
|
94
|
-
result = @xml_hash.fetch('Response', {}).fetch('Assertion', {})
|
107
|
+
begin
|
108
|
+
result = (hash_from(@node)['Response'] || {})['Assertion']
|
95
109
|
return result if result.is_a?(Hash)
|
96
|
-
|
97
|
-
errors[:assertion] << error_message(:must_contain_single_assertion)
|
98
110
|
{}
|
99
111
|
end
|
100
112
|
end
|
101
113
|
|
114
|
+
def decrypt!(decryptor)
|
115
|
+
return unless encrypted?
|
116
|
+
|
117
|
+
encrypted_assertion = @node.at_xpath('./xmlenc:EncryptedData', Saml::Kit::Document::NAMESPACES)
|
118
|
+
@node = decryptor.decrypt_node(encrypted_assertion)
|
119
|
+
rescue Xml::Kit::DecryptionError => error
|
120
|
+
@cannot_decrypt = true
|
121
|
+
Saml::Kit.logger.error(error)
|
122
|
+
end
|
123
|
+
|
102
124
|
def parse_date(value)
|
103
125
|
DateTime.parse(value)
|
104
|
-
rescue => error
|
126
|
+
rescue StandardError => error
|
105
127
|
Saml::Kit.logger.error(error)
|
106
128
|
Time.at(0).to_datetime
|
107
129
|
end
|
108
130
|
|
109
131
|
def must_match_issuer
|
110
|
-
|
111
|
-
|
112
|
-
end
|
132
|
+
return if audiences.include?(configuration.entity_id)
|
133
|
+
errors[:audience] << error_message(:must_match_issuer)
|
113
134
|
end
|
114
135
|
|
115
136
|
def must_be_active_session
|
116
137
|
return if active?
|
117
138
|
errors[:base] << error_message(:expired)
|
118
139
|
end
|
140
|
+
|
141
|
+
def must_have_valid_signature
|
142
|
+
return if !signed? || signature.valid?
|
143
|
+
|
144
|
+
signature.errors.each do |attribute, message|
|
145
|
+
errors.add(attribute, message)
|
146
|
+
end
|
147
|
+
end
|
148
|
+
|
149
|
+
def must_be_decryptable
|
150
|
+
errors.add(:base, error_message(:cannot_decrypt)) unless decryptable?
|
151
|
+
end
|
152
|
+
|
153
|
+
def at_xpath(xpath)
|
154
|
+
@node.at_xpath(xpath, Saml::Kit::Document::NAMESPACES)
|
155
|
+
end
|
156
|
+
|
157
|
+
def hash_from(node)
|
158
|
+
return {} if node.nil?
|
159
|
+
Hash.from_xml(node.document.root.to_s) || {}
|
160
|
+
end
|
119
161
|
end
|
120
162
|
end
|
121
163
|
end
|