spid 0.13.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83dc2ec01f9adb676d89eb91c160f3aacacf30cb6473514fc5c4655b1f2c0f32
-  data.tar.gz: ce9606fdab6a9349888111b259979269977643add8e6f68a15a26c5286d38b82
+  metadata.gz: 1abf8d3050f0829891601311959388cab3234dc5d75edd59e6dd19bc7de26c7f
+  data.tar.gz: c4668cb869d0ffc65438aa4a30ee70fcf2611c7c4b07274791d0683acf215471
 SHA512:
-  metadata.gz: 5d5b83dcc34a604397c5d60a682081d04064777cc54cf72fc1f61e3e0a6703215856715c5bd553335ad128231ac4da0a80a2bc084063bd130860566b84369e86
-  data.tar.gz: dcea75e1ce343c0a3e3297a02f78f889150ae0693a3a68a1258fdab1d7d24999ec99a79d1e53a1b87544fd15c144559f91f4b0f19c0633814271b35c6c0760f0
+  metadata.gz: f3b6676b2941c3eba7cb55f80e0a04310467a244a8c52bae620dd3c2fbcad63ab4933fb1948f80f6b6ade12502125fbddf6ff0105c2f31fec04521c0dfd1cf70
+  data.tar.gz: 52981e148719b87079cb6e6aba5cf583552b92306a8e9c4b10673fd699214cbaaa1967adf6c1241efa2cba6e75ec58ad8d94018b7ef434da2f151218ee37c79e

data/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## [Unreleased]
 
+## [0.14.0] - 2018-08-30
+### Added
+- IDP-Initiated SLO management
+- Error Handling
+
 ## [0.13.0] - 2018-08-29
 ### Added
 - Validation of Response and LogoutResponse
@@ -101,7 +106,8 @@
 - Coveralls Integration
 - Rubygems version badge in README
 
-[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.13.0...HEAD
+[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.14.0...HEAD
+[0.14.0]: https://github.com/italia/spid-ruby/compare/v0.13.0...v0.14.0
 [0.13.0]: https://github.com/italia/spid-ruby/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/italia/spid-ruby/compare/v0.11.0...v0.12.0
 [0.11.0]: https://github.com/italia/spid-ruby/compare/v0.10.0...v0.11.0

data/lib/spid.rb

@@ -71,6 +71,8 @@ module Spid # :nodoc:
     L3
   ].freeze
 
+  SUCCESS_CODE = "urn:oasis:names:tc:SAML:2.0:status:Success"
+
   ATTRIBUTES_MAP = {
     spid_code: "spidCode",
     name: "name",

data/lib/spid/identity_provider_manager.rb

@@ -4,7 +4,6 @@ require "base64"
 
 module Spid
   class IdentityProviderManager # :nodoc:
-    extend Spid::Saml2::Utils
     include Singleton
 
     def identity_providers
@@ -40,8 +39,7 @@ module Spid
         entity_id: idp_settings[:idp_entity_id],
         sso_target_url: idp_settings[:idp_sso_target_url],
         slo_target_url: idp_settings[:idp_slo_target_url],
-        cert_fingerprint: idp_settings[:idp_cert_fingerprint],
-        certificate: certificate_from_encoded_der(idp_settings[:idp_cert])
+        certificate: idp_settings[:idp_cert]
       )
     end
 

data/lib/spid/rack/login.rb

@@ -11,11 +11,10 @@ module Spid
 
       def call(env)
         @sso = LoginEnv.new(env)
-        if @sso.valid_request?
-          @sso.response
-        else
-          app.call(env)
-        end
+
+        return @sso.response if @sso.valid_request?
+
+        app.call(env)
       end
 
       class LoginEnv # :nodoc:
@@ -26,7 +25,12 @@ module Spid
           @request = ::Rack::Request.new(env)
         end
 
+        def session
+          request.session["spid"]
+        end
+
         def response
+          session["sso_request_uuid"] = sso_request.uuid
           [
             302,
             { "Location" => sso_url },
@@ -35,11 +39,18 @@ module Spid
         end
 
         def sso_url
-          Spid::Sso::Request.new(
-            idp_name: idp_name,
-            relay_state: relay_state,
-            attribute_index: attribute_consuming_service_index
-          ).url
+          sso_request.url
+        end
+
+        def sso_request
+          @sso_request ||=
+            begin
+              Spid::Sso::Request.new(
+                idp_name: idp_name,
+                relay_state: relay_state,
+                attribute_index: attribute_consuming_service_index
+              )
+            end
         end
 
         def valid_request?

data/lib/spid/rack/logout.rb

@@ -11,11 +11,10 @@ module Spid
 
       def call(env)
         @slo = LogoutEnv.new(env)
-        if @slo.valid_request?
-          @slo.response
-        else
-          app.call(env)
-        end
+
+        return @slo.response if @slo.valid_request?
+
+        app.call(env)
       end
 
       class LogoutEnv # :nodoc:
@@ -27,6 +26,7 @@ module Spid
         end
 
         def response
+          session["slo_request_uuid"] = slo_request.uuid
           [
             302,
             { "Location" => slo_url },
@@ -34,12 +34,23 @@ module Spid
           ]
         end
 
+        def session
+          request.session["spid"]
+        end
+
         def slo_url
-          Spid::Slo::Request.new(
-            idp_name: idp_name,
-            relay_state: relay_state,
-            session_index: spid_session["session-index"]
-          ).url
+          slo_request.url
+        end
+
+        def slo_request
+          @slo_request ||=
+            begin
+              Spid::Slo::Request.new(
+                idp_name: idp_name,
+                relay_state: relay_state,
+                session_index: spid_session["session_index"]
+              )
+            end
         end
 
         def valid_request?

data/lib/spid/rack/slo.rb

@@ -11,11 +11,10 @@ module Spid
 
       def call(env)
         @slo = SloEnv.new(env)
-        if @slo.valid_request?
-          @slo.response
-        else
-          app.call(env)
-        end
+
+        return @slo.response if @slo.valid_request?
+
+        app.call(env)
       end
 
       class SloEnv # :nodoc:
@@ -27,12 +26,24 @@ module Spid
           @request = ::Rack::Request.new(env)
         end
 
+        def session
+          request.session["spid"]
+        end
+
         def clear_session
           request.session["spid"] = {}
         end
 
+        def store_session_failure
+          session["errors"] = slo_response.errors
+        end
+
         def response
-          clear_session
+          if valid_response?
+            clear_session
+          else
+            store_session_failure
+          end
           [
             302,
             { "Location" => relay_state },
@@ -67,9 +78,25 @@ module Spid
           request.path == Spid.configuration.slo_path
         end
 
+        def valid_response?
+          slo_response.valid?
+        end
+
         def valid_request?
           valid_path? && valid_http_verb?
         end
+
+        def saml_response
+          request.params["SAMLResponse"]
+        end
+
+        def slo_response
+          @slo_response ||= ::Spid::Slo::Response.new(
+            body: saml_response,
+            request_uuid: session["slo_request_uuid"],
+            session_index: session["session_index"]
+          )
+        end
       end
     end
   end

data/lib/spid/rack/sso.rb

@@ -12,11 +12,9 @@ module Spid
       def call(env)
         @sso = SsoEnv.new(env)
 
-        if @sso.valid_request?
-          @sso.response
-        else
-          app.call(env)
-        end
+        return @sso.response if @sso.valid_request?
+
+        app.call(env)
       end
 
       class SsoEnv # :nodoc:
@@ -28,15 +26,26 @@ module Spid
           @request = ::Rack::Request.new(env)
         end
 
-        def store_session
-          request.session["spid"] = {
-            "attributes" => sso_response.attributes,
-            "session_index" => sso_response.session_index
-          }
+        def session
+          request.session["spid"]
+        end
+
+        def store_session_success
+          session["attributes"] = sso_response.attributes
+          session["session_index"] = sso_response.session_index
+          session.delete("sso_request_uuid")
+        end
+
+        def store_session_failure
+          session["errors"] = sso_response.errors
         end
 
         def response
-          store_session
+          if valid_response?
+            store_session_success
+          else
+            store_session_failure
+          end
           [
             302,
             { "Location" => relay_state },
@@ -75,12 +84,19 @@ module Spid
           request.path == Spid.configuration.acs_path
         end
 
+        def valid_response?
+          sso_response.valid?
+        end
+
         def valid_request?
           valid_path? && valid_http_verb?
         end
 
         def sso_response
-          ::Spid::Sso::Response.new(body: saml_response)
+          @sso_response ||= ::Spid::Sso::Response.new(
+            body: saml_response,
+            request_uuid: session["sso_request_uuid"]
+          )
         end
       end
     end

data/lib/spid/saml2.rb

@@ -6,7 +6,9 @@ require "spid/saml2/settings"
 require "spid/saml2/authn_request"
 require "spid/saml2/response"
 require "spid/saml2/logout_request"
+require "spid/saml2/idp_logout_request"
 require "spid/saml2/logout_response"
+require "spid/saml2/idp_logout_response"
 require "spid/saml2/sp_metadata"
 require "spid/saml2/utils"
 require "spid/saml2/idp_metadata_parser"

data/lib/spid/saml2/authn_request.rb

@@ -6,12 +6,11 @@ module Spid
   module Saml2
     class AuthnRequest # :nodoc:
       attr_reader :document
-      attr_reader :uuid
       attr_reader :settings
 
       def initialize(uuid: nil, settings:)
         @document = REXML::Document.new
-        @uuid = uuid || SecureRandom.uuid
+        @uuid = uuid
         @settings = settings
       end
 
@@ -39,7 +38,7 @@ module Spid
             attributes = {
               "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
               "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
-              "ID" => "_#{uuid}",
+              "ID" => uuid,
               "Version" => "2.0",
               "IssueInstant" => issue_instant,
               "Destination" => settings.idp_sso_target_url,
@@ -100,6 +99,10 @@ module Spid
       def issue_instant
         @issue_instant ||= Time.now.utc.iso8601
       end
+
+      def uuid
+        @uuid ||= "_#{SecureRandom.uuid}"
+      end
     end
   end
 end

data/lib/spid/saml2/identity_provider.rb

@@ -7,26 +7,20 @@ module Spid
       attr_reader :entity_id
       attr_reader :sso_target_url
       attr_reader :slo_target_url
-      attr_reader :cert_fingerprint
       attr_reader :certificate
-
-      # rubocop:disable Metrics/ParameterLists
       def initialize(
             name:,
             entity_id:,
             sso_target_url:,
             slo_target_url:,
-            cert_fingerprint:,
             certificate:
           )
         @name = name
         @entity_id = entity_id
         @sso_target_url = sso_target_url
         @slo_target_url = slo_target_url
-        @cert_fingerprint = cert_fingerprint
         @certificate = certificate
       end
-      # rubocop:enable Metrics/ParameterLists
     end
   end
 end

data/lib/spid/saml2/idp_logout_request.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Spid
+  module Saml2
+    class IdpLogoutRequest # :nodoc:
+      attr_reader :saml_message
+      attr_reader :document
+
+      def initialize(saml_message:)
+        @saml_message = saml_message
+        @document = REXML::Document.new(@saml_message)
+      end
+
+      def id
+        document.elements["/samlp:LogoutRequest/@ID"]&.value
+      end
+
+      def destination
+        document.elements["/samlp:LogoutRequest/@Destination"]&.value
+      end
+
+      def issue_instant
+        document.elements["/samlp:LogoutRequest/@IssueInstant"]&.value
+      end
+
+      def issuer_name_qualifier
+        document.elements[
+          "/samlp:LogoutRequest/saml:Issuer/@NameQualifier"
+        ]&.value
+      end
+
+      def name_id_name_qualifier
+        document.elements[
+          "/samlp:LogoutRequest/saml:NameID/@NameQualifier"
+        ]&.value
+      end
+
+      def issuer
+        document.elements["/samlp:LogoutRequest/saml:Issuer/text()"]&.value
+      end
+
+      def session_index
+        document.elements[
+          "/samlp:LogoutRequest/saml:SessionIndex/text()"
+        ]&.value
+      end
+    end
+  end
+end

data/lib/spid/saml2/idp_logout_response.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Spid
+  module Saml2
+    class IdpLogoutResponse # :nodoc:
+      attr_reader :document
+      attr_reader :settings
+      attr_reader :uuid
+      attr_reader :issue_instant
+      attr_reader :request_uuid
+
+      def initialize(settings:, request_uuid:, uuid: nil)
+        @document = REXML::Document.new
+        @settings = settings
+        @uuid = uuid || SecureRandom.uuid
+        @issue_instant = Time.now.utc.iso8601
+        @request_uuid = request_uuid
+      end
+
+      def to_saml
+        document.add_element(logout_response)
+        document.to_s
+      end
+
+      def logout_response
+        @logout_response ||=
+          begin
+            element = REXML::Element.new("samlp:LogoutResponse")
+            element.add_attributes(logout_response_attributes)
+            element.add_element(issuer)
+            element.add_element(status)
+            element
+          end
+      end
+
+      def logout_response_attributes
+        @logout_response_attributes ||= {
+          "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+          "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          "IssueInstant" => issue_instant,
+          "InResponseTo" => request_uuid,
+          "Destination" => settings.idp_slo_target_url,
+          "ID" => "_#{uuid}"
+        }
+      end
+
+      def issuer
+        @issuer ||=
+          begin
+            element = REXML::Element.new("saml:Issuer")
+            element.add_attributes(
+              "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
+              "NameQualifier" => settings.sp_entity_id
+            )
+            element.text = settings.sp_entity_id
+            element
+          end
+      end
+
+      def status
+        @status ||=
+          begin
+            element = REXML::Element.new("saml:Status")
+            element.add_element(status_code)
+            element
+          end
+      end
+
+      def status_code
+        @status_code ||=
+          begin
+            element = REXML::Element.new("saml:StatusCode")
+            element.text = "urn:oasis:names:tc:SAML:2.0:status:Success"
+            element
+          end
+      end
+    end
+  end
+end

data/lib/spid/saml2/idp_metadata_parser.rb

@@ -22,37 +22,24 @@ module Spid
 
       attr_reader :document
       attr_reader :response
-      attr_reader :options
 
       # Parse the Identity Provider metadata and return the results as Hash
       #
       # @param idp_metadata [String]
       #
-      # @param options [Hash] options used for parsing the metadata and the returned Settings instance
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
-      #
       # @return [Hash]
-      def parse_to_hash(idp_metadata, options = {})
+      def parse_to_hash(idp_metadata)
         @document = REXML::Document.new(idp_metadata)
-        @options = options
         @entity_descriptor = nil
         @certificates = nil
-        @fingerprint = nil
-
-        if idpsso_descriptor.nil?
-          raise ArgumentError.new("idp_metadata must contain an IDPSSODescriptor element")
-        end
 
         {
           :idp_entity_id => idp_entity_id,
           :name_identifier_format => idp_name_id_format,
-          :idp_sso_target_url => single_signon_service_url(options),
-          :idp_slo_target_url => single_logout_service_url(options),
+          :idp_sso_target_url => single_signon_service_url,
+          :idp_slo_target_url => single_logout_service_url,
           :idp_attribute_names => attribute_names,
           :idp_cert => nil,
-          :idp_cert_fingerprint => nil,
           :idp_cert_multi => nil
         }.tap do |response_hash|
           merge_certificates_into(response_hash) unless certificates.nil?
@@ -64,28 +51,11 @@ module Spid
       def entity_descriptor
         @entity_descriptor ||= REXML::XPath.first(
           document,
-          entity_descriptor_path,
+          "//md:EntityDescriptor",
           namespace
         )
       end
 
-      def entity_descriptor_path
-        path = "//md:EntityDescriptor"
-        entity_id = options[:entity_id]
-        return path unless entity_id
-        path << "[@entityID=\"#{entity_id}\"]"
-      end
-
-      def idpsso_descriptor
-        unless entity_descriptor.nil?
-          return REXML::XPath.first(
-            entity_descriptor,
-            "md:IDPSSODescriptor",
-            namespace
-          )
-        end
-      end
-
       # @return [String|nil] IdP Entity ID value if exists
       #
       def idp_entity_id
@@ -103,28 +73,21 @@ module Spid
         element_text(node)
       end
 
-      # @param binding_priority [Array]
       # @return [String|nil] SingleSignOnService binding if exists
       #
-      def single_signon_service_binding(binding_priority = nil)
+      def single_signon_service_binding
         nodes = REXML::XPath.match(
           entity_descriptor,
           "md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
           namespace
         )
-        if binding_priority
-          values = nodes.map(&:value)
-          binding_priority.detect{ |binding| values.include? binding }
-        else
-          nodes.first.value if nodes.any?
-        end
+        nodes.first.value if nodes.any?
       end
 
-      # @param options [Hash]
       # @return [String|nil] SingleSignOnService endpoint if exists
       #
-      def single_signon_service_url(options = {})
-        binding = single_signon_service_binding(options[:sso_binding])
+      def single_signon_service_url
+        binding = single_signon_service_binding
         unless binding.nil?
           node = REXML::XPath.first(
             entity_descriptor,
@@ -135,28 +98,21 @@ module Spid
         end
       end
 
-      # @param binding_priority [Array]
       # @return [String|nil] SingleLogoutService binding if exists
       #
-      def single_logout_service_binding(binding_priority = nil)
+      def single_logout_service_binding
         nodes = REXML::XPath.match(
           entity_descriptor,
           "md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
           namespace
         )
-        if binding_priority
-          values = nodes.map(&:value)
-          binding_priority.detect{ |binding| values.include? binding }
-        else
-          nodes.first.value if nodes.any?
-        end
+        nodes.first.value if nodes.any?
       end
 
-      # @param options [Hash]
       # @return [String|nil] SingleLogoutService endpoint if exists
       #
-      def single_logout_service_url(options = {})
-        binding = single_logout_service_binding(options[:slo_binding])
+      def single_logout_service_url
+        binding = single_logout_service_binding
         unless binding.nil?
           node = REXML::XPath.first(
             entity_descriptor,
@@ -204,20 +160,6 @@ module Spid
         end
       end
 
-      # @return [String|nil] the fingerpint of the X509Certificate if it exists
-      #
-      def fingerprint(certificate, fingerprint_algorithm = ::Spid::SHA256)
-        @fingerprint ||= begin
-          if certificate
-            cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
-
-            algorithm = fingerprint_algorithm || ::Spid::SHA256
-            fingerprint_alg = ::Spid::SIGNATURE_ALGORITHMS[algorithm]
-            fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-          end
-        end
-      end
-
       # @return [Array] the names of all SAML attributes if any exist
       #
       def attribute_names
@@ -239,40 +181,14 @@ module Spid
       end
 
       def merge_certificates_into(parsed_metadata)
-        if (certificates.size == 1 &&
-              (certificates_has_one('signing') || certificates_has_one('encryption'))) ||
-              (certificates_has_one('signing') && certificates_has_one('encryption') &&
-              certificates["signing"][0] == certificates["encryption"][0])
-
           if certificates.key?("signing")
-            parsed_metadata[:idp_cert] = certificates["signing"][0]
-            parsed_metadata[:idp_cert_fingerprint] = fingerprint(
-              parsed_metadata[:idp_cert],
-              parsed_metadata[:idp_cert_fingerprint_algorithm]
-            )
+            certificate = certificates["signing"][0]
           else
-            parsed_metadata[:idp_cert] = certificates["encryption"][0]
-            parsed_metadata[:idp_cert_fingerprint] = fingerprint(
-              parsed_metadata[:idp_cert],
-              parsed_metadata[:idp_cert_fingerprint_algorithm]
-            )
+            certificate = certificates["encryption"][0]
           end
-        else
-          # symbolize keys of certificates and pass it on
-          parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
-        end
-      end
-
-      def certificates_has_one(key)
-        certificates.key?(key) && certificates[key].size == 1
-      end
-
-      def merge_parsed_metadata_into(settings, parsed_metadata)
-        parsed_metadata.each do |key, value|
-          settings.send("#{key}=".to_sym, value)
-        end
-
-        settings
+          parsed_metadata[:idp_cert] = OpenSSL::X509::Certificate.new(
+            Base64.decode64(certificate)
+          )
       end
 
       def element_text(element)

data/lib/spid/saml2/logout_request.rb

@@ -4,15 +4,16 @@ module Spid
   module Saml2
     class LogoutRequest # :nodoc:
       attr_reader :settings
-      attr_reader :uuid
       attr_reader :document
       attr_reader :session_index
+      attr_reader :issue_instant
 
       def initialize(uuid: nil, settings:, session_index:)
         @settings = settings
         @document = REXML::Document.new
         @session_index = session_index
-        @uuid = uuid || SecureRandom.uuid
+        @uuid = uuid
+        @issue_instant = Time.now.utc.iso8601
       end
 
       def to_saml
@@ -78,10 +79,8 @@ module Spid
           end
       end
 
-      private
-
-      def issue_instant
-        @issue_instant ||= Time.now.utc.iso8601
+      def uuid
+        @uuid ||= "_#{SecureRandom.uuid}"
       end
     end
   end

data/lib/spid/saml2/logout_response_validator.rb

@@ -5,25 +5,52 @@ module Spid
     class LogoutResponseValidator # :nodoc:
       attr_reader :response
       attr_reader :settings
+      attr_reader :request_uuid
+      attr_reader :errors
 
-      def initialize(response:, settings:)
+      def initialize(response:, settings:, request_uuid:)
         @response = response
         @settings = settings
+        @request_uuid = request_uuid
+        @errors = {}
       end
 
       def call
         [
+          matches_request_uuid,
           destination,
           issuer
         ].all?
       end
 
+      def matches_request_uuid
+        return true if response.in_response_to == request_uuid
+
+        @errors["request_uuid_mismatch"] =
+          "Request uuid not belongs to current session"
+        false
+      end
+
       def destination
-        response.destination == settings.sp_slo_service_url
+        return true if response.destination == settings.sp_slo_service_url
+
+        @errors["destination"] =
+          begin
+            "Response Destination is '#{response.destination}'" \
+            " but was expected '#{settings.sp_slo_service_url}'"
+          end
+        false
       end
 
       def issuer
-        response.issuer == settings.idp_entity_id
+        return true if response.issuer == settings.idp_entity_id
+
+        @errors["issuer"] =
+          begin
+            "Response Issuer is '#{response.issuer}'" \
+            " but was expected '#{settings.idp_entity_id}'"
+          end
+        false
       end
     end
   end

data/lib/spid/saml2/response.rb

@@ -19,6 +19,10 @@ module Spid
         document.elements["/samlp:Response/saml:Issuer/text()"]&.value
       end
 
+      def in_response_to
+        document.elements["/samlp:Response/@InResponseTo"]&.value
+      end
+
       def name_id
         document.elements[
           "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID/text()"
@@ -71,6 +75,26 @@ module Spid
         document.elements[xpath]&.value
       end
 
+      def status_code
+        document.elements[
+          "/samlp:Response/samlp:Status/samlp:StatusCode/@Value"
+        ]&.value
+      end
+
+      def status_message
+        document.elements[
+          "/samlp:Response/samlp:Status/samlp:StatusCode/" \
+          "samlp:StatusMessage/@Value"
+        ]&.value
+      end
+
+      def status_detail
+        document.elements[
+          "/samlp:Response/samlp:Status/samlp:StatusCode/" \
+          "samlp:StatusDetail/@Value"
+        ]&.value
+      end
+
       def attributes
         main_xpath = "/samlp:Response/saml:Assertion/saml:AttributeStatement"
         main_xpath = "#{main_xpath}/saml:Attribute"

data/lib/spid/saml2/response_validator.rb

@@ -7,49 +7,106 @@ module Spid
     class ResponseValidator # :nodoc:
       attr_reader :response
       attr_reader :settings
+      attr_reader :errors
+      attr_reader :request_uuid
 
-      def initialize(response:, settings:)
+      def initialize(response:, settings:, request_uuid:)
         @response = response
         @settings = settings
+        @request_uuid = request_uuid
+        @errors = {}
       end
 
       def call
         [
+          matches_request_uuid,
           issuer,
           certificate,
           destination,
           conditions,
           audience,
-          signature
+          signature,
+          success?
         ].all?
       end
 
+      def matches_request_uuid
+        return true if response.in_response_to == request_uuid
+
+        @errors["request_uuid_mismatch"] =
+          "Request uuid not belongs to current session"
+        false
+      end
+
+      def success?
+        return true if response.status_code == Spid::SUCCESS_CODE
+
+        @errors["authentication"] = {
+          "status_message" => response.status_message,
+          "status_detail" => response.status_detail
+        }
+        false
+      end
+
       def issuer
-        response.assertion_issuer == settings.idp_entity_id
+        return true if response.assertion_issuer == settings.idp_entity_id
+
+        @errors["issuer"] =
+          begin
+            "Response Issuer is '#{response.assertion_issuer}'" \
+            " but was expected '#{settings.idp_entity_id}'"
+          end
+        false
       end
 
       def certificate
-        response.certificate.to_der == settings.idp_certificate.to_der
+        if response.certificate.to_der == settings.idp_certificate.to_der
+          return true
+        end
+
+        @errors["certificate"] = "Certificates mismatch"
+        false
       end
 
       def destination
-        response.destination == settings.sp_acs_url
+        return true if response.destination == settings.sp_acs_url
+
+        @errors["destination"] =
+          begin
+            "Response Destination is '#{response.destination}'" \
+            " but was expected '#{settings.sp_acs_url}'"
+          end
+        false
       end
 
       def conditions
         time = Time.now.iso8601
 
-        response.conditions_not_before <= time &&
-          response.conditions_not_on_or_after > time
+        if response.conditions_not_before <= time &&
+           response.conditions_not_on_or_after > time
+          return true
+        end
+
+        @errors["conditions"] = "Response was out of time"
+        false
       end
 
       def audience
-        response.audience == settings.sp_entity_id
+        return true if response.audience == settings.sp_entity_id
+        @errors["audience"] =
+          begin
+            "Response Audience is '#{response.audience}'" \
+            " but was expected '#{settings.sp_entity_id}'"
+          end
+        false
       end
 
       def signature
         signed_document = Xmldsig::SignedDocument.new(response.saml_message)
-        signed_document.validate(response.certificate)
+        return true if signed_document.validate(response.certificate)
+
+        @errors["signature"] = "Signature mismatch"
+        false
       end
     end
   end

data/lib/spid/slo/request.rb

@@ -23,6 +23,10 @@ module Spid
         ].join("?")
       end
 
+      def uuid
+        logout_request.uuid
+      end
+
       def query_params_signer
         @query_params_signer ||=
           begin

data/lib/spid/slo/response.rb

@@ -5,23 +5,31 @@ module Spid
     class Response # :nodoc:
       attr_reader :body
       attr_reader :session_index
-      attr_reader :matches_request_id
+      attr_reader :request_uuid
 
-      def initialize(body:, session_index:, matches_request_id:)
+      def initialize(body:, session_index:, request_uuid:)
         @body = body
         @session_index = session_index
-        @matches_request_id = matches_request_id
+        @request_uuid = request_uuid
       end
 
       def valid?
-        Spid::Saml2::LogoutResponseValidator.new(
-          response: saml_response,
-          settings: settings
-        ).call
+        validator.call
       end
 
       def errors
-        []
+        validator.errors
+      end
+
+      def validator
+        @validator ||=
+          begin
+            Spid::Saml2::LogoutResponseValidator.new(
+              response: saml_response,
+              settings: settings,
+              request_uuid: request_uuid
+            )
+          end
       end
 
       def identity_provider

data/lib/spid/sso/request.rb

@@ -32,6 +32,10 @@ module Spid
         ].join("?")
       end
 
+      def uuid
+        authn_request.uuid
+      end
+
       def query_params_signer
         @query_params_signer ||=
           begin

data/lib/spid/sso/response.rb

@@ -10,23 +10,35 @@ module Spid
 
       attr_reader :body
       attr_reader :saml_message
+      attr_reader :request_uuid
 
-      def initialize(body:)
+      def initialize(body:, request_uuid:)
         @body = body
         @saml_message = decode_and_inflate(body)
+        @request_uuid = request_uuid
       end
 
       def valid?
-        Spid::Saml2::ResponseValidator.new(
-          response: saml_response,
-          settings: settings
-        ).call
+        validator.call
+      end
+
+      def validator
+        @validator ||=
+          Spid::Saml2::ResponseValidator.new(
+            response: saml_response,
+            settings: settings,
+            request_uuid: request_uuid
+          )
       end
 
       def issuer
         saml_response.assertion_issuer
       end
 
+      def errors
+        validator.errors
+      end
+
       def attributes
         raw_attributes.each_with_object({}) do |(key, value), acc|
           acc[normalize_key(key)] = value

data/lib/spid/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spid
-  VERSION = "0.13.0"
+  VERSION = "0.14.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 0.14.0
 platform: ruby
 authors:
 - David Librera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-29 00:00:00.000000000 Z
+date: 2018-08-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -324,6 +324,8 @@ files:
 - lib/spid/saml2.rb
 - lib/spid/saml2/authn_request.rb
 - lib/spid/saml2/identity_provider.rb
+- lib/spid/saml2/idp_logout_request.rb
+- lib/spid/saml2/idp_logout_response.rb
 - lib/spid/saml2/idp_metadata_parser.rb
 - lib/spid/saml2/logout_request.rb
 - lib/spid/saml2/logout_response.rb