Class: Onelogin::Saml::Response

Inherits:

Object

• Object
• Onelogin::Saml::Response

Defined in:

lib/onelogin/saml/response.rb

Instance Attribute Summary

• #destination ⇒ Object readonly

  Returns the value of attribute destination.

• #document ⇒ Object readonly

  Returns the value of attribute document.

• #in_response_to ⇒ Object readonly

  Returns the value of attribute in_response_to.

• #issuer ⇒ Object readonly

  Returns the value of attribute issuer.

• #name_id ⇒ Object readonly

  Returns the value of attribute name_id.

• #name_identifier_format ⇒ Object readonly

  Returns the value of attribute name_identifier_format.

• #name_qualifier ⇒ Object readonly

  Returns the value of attribute name_qualifier.

• #response ⇒ Object readonly

  Returns the value of attribute response.

• #saml_attributes ⇒ Object readonly

  Returns the value of attribute saml_attributes.

• #session_index ⇒ Object readonly

  Returns the value of attribute session_index.

• #settings ⇒ Object

  Returns the value of attribute settings.

• #sp_name_qualifier ⇒ Object readonly

  Returns the value of attribute sp_name_qualifier.

• #status_code ⇒ Object readonly

  Returns the value of attribute status_code.

• #status_message ⇒ Object readonly

  Returns the value of attribute status_message.

• #used_key ⇒ Object readonly

  Returns the value of attribute used_key.

• #validation_error ⇒ Object readonly

  Returns the value of attribute validation_error.

• #xml ⇒ Object readonly

  Returns the value of attribute xml.

Instance Method Summary

• #auth_failure? ⇒ Boolean
• #decrypted_document ⇒ Object
• #disable_signature_validation!(settings) ⇒ Object
• #fingerprint_from_idp ⇒ Object
• #initialize(response, settings = nil, as_of: Time.now) ⇒ Response constructor

  A new instance of Response.

• #is_valid? ⇒ Boolean
• #no_authn_context? ⇒ Boolean
• #process(settings, as_of: Time.now) ⇒ Object
• #success_status? ⇒ Boolean
• #trusted_find(xpath) ⇒ Object
• #trusted_find_first(xpath) ⇒ Object
• #trusted_roots ⇒ Object

  triggers validation.

• #untrusted_find_first(xpath) ⇒ Object
• #validate ⇒ Object

Constructor Details

#initialize(response, settings = nil, as_of: Time.now) ⇒ Response

Returns a new instance of Response.

# File 'lib/onelogin/saml/response.rb', line 11

def initialize(response, settings=nil, as_of: Time.now)
  @response = response

  begin
    @xml = Base64.decode64(@response)
    @document = Nokogiri::XML(@xml)
    @document.extend(XMLSecurity::SignedDocument)
  rescue
    # could not parse document, everything is invalid
    @response = nil
    return
  end

  @issuer = document.at_xpath("/samlp:Response/saml:Issuer", Onelogin::NAMESPACES).content.strip rescue nil
  @issuer ||= document.at_xpath("/samlp:Response/saml:Assertion/saml:Issuer", Onelogin::NAMESPACES).content.strip rescue nil
  @status_code = document.at_xpath("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil

  process(settings, as_of: as_of) if settings
end

Instance Attribute Details

#destination ⇒ Object (readonly)

Returns the value of attribute destination.

# File 'lib/onelogin/saml/response.rb', line 8

def destination
  @destination
end

#document ⇒ Object (readonly)

Returns the value of attribute document.

# File 'lib/onelogin/saml/response.rb', line 5

def document
  @document
end

#in_response_to ⇒ Object (readonly)

Returns the value of attribute in_response_to.

# File 'lib/onelogin/saml/response.rb', line 8

def in_response_to
  @in_response_to
end

#issuer ⇒ Object (readonly)

Returns the value of attribute issuer.

# File 'lib/onelogin/saml/response.rb', line 8

def issuer
  @issuer
end

#name_id ⇒ Object (readonly)

Returns the value of attribute name_id.

# File 'lib/onelogin/saml/response.rb', line 6

def name_id
  @name_id
end

#name_identifier_format ⇒ Object (readonly)

Returns the value of attribute name_identifier_format.

# File 'lib/onelogin/saml/response.rb', line 6

def name_identifier_format
  @name_identifier_format
end

#name_qualifier ⇒ Object (readonly)

Returns the value of attribute name_qualifier.

# File 'lib/onelogin/saml/response.rb', line 6

def name_qualifier
  @name_qualifier
end

#response ⇒ Object (readonly)

Returns the value of attribute response.

# File 'lib/onelogin/saml/response.rb', line 5

def response
  @response
end

#saml_attributes ⇒ Object (readonly)

Returns the value of attribute saml_attributes.

# File 'lib/onelogin/saml/response.rb', line 6

def saml_attributes
  @saml_attributes
end

#session_index ⇒ Object (readonly)

Returns the value of attribute session_index.

# File 'lib/onelogin/saml/response.rb', line 6

def session_index
  @session_index
end

#settings ⇒ Object

Returns the value of attribute settings.

# File 'lib/onelogin/saml/response.rb', line 4

def settings
  @settings
end

#sp_name_qualifier ⇒ Object (readonly)

Returns the value of attribute sp_name_qualifier.

# File 'lib/onelogin/saml/response.rb', line 6

def sp_name_qualifier
  @sp_name_qualifier
end

#status_code ⇒ Object (readonly)

Returns the value of attribute status_code.

# File 'lib/onelogin/saml/response.rb', line 7

def status_code
  @status_code
end

#status_message ⇒ Object (readonly)

Returns the value of attribute status_message.

# File 'lib/onelogin/saml/response.rb', line 7

def status_message
  @status_message
end

#used_key ⇒ Object (readonly)

Returns the value of attribute used_key.

# File 'lib/onelogin/saml/response.rb', line 9

def used_key
  @used_key
end

#validation_error ⇒ Object (readonly)

Returns the value of attribute validation_error.

# File 'lib/onelogin/saml/response.rb', line 9

def validation_error
  @validation_error
end

#xml ⇒ Object (readonly)

Returns the value of attribute xml.

# File 'lib/onelogin/saml/response.rb', line 5

def xml
  @xml
end

Instance Method Details

#auth_failure? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/onelogin/saml/response.rb', line 156

def auth_failure?
  @status_code == Onelogin::Saml::StatusCodes::AUTHN_FAILED_URI
end

#decrypted_document ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 74

def decrypted_document
  @decrypted_document ||= document.clone.tap do |doc|
    doc.extend(XMLSecurity::SignedDocument)
    doc.decrypt!(settings)
    @used_key = doc.used_key
  end
end

#disable_signature_validation!(settings) ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 68

def disable_signature_validation!(settings)
  @settings      = settings
  @is_valid      = true
  @trusted_roots = [decrypted_document.root]
end

#fingerprint_from_idp ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 164

def fingerprint_from_idp
  if base64_cert = decrypted_document.at_xpath("//ds:X509Certificate", Onelogin::NAMESPACES)
    cert_text = Base64.decode64(base64_cert.content)
    cert = OpenSSL::X509::Certificate.new(cert_text)
    Digest::SHA1.hexdigest(cert.to_der)
  else
    nil
  end
end

#is_valid? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/onelogin/saml/response.rb', line 96

def is_valid?
  if !instance_variable_defined?(:@is_valid)
    @is_valid = validate
  end
  @is_valid
end

#no_authn_context? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/onelogin/saml/response.rb', line 160

def no_authn_context?
  @status_code == Onelogin::Saml::StatusCodes::NO_AUTHN_CONTEXT_URI
end

#process(settings, as_of: Time.now) ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 31

def process(settings, as_of: Time.now)
  @settings = settings
  @logger = settings.logger
  return unless @response

  @in_response_to = untrusted_find_first("/samlp:Response")['InResponseTo'] rescue nil
  @destination    = untrusted_find_first("/samlp:Response")['Destination'] rescue nil
  @status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil

  @name_id        = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
  @name_identifier_format = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["Format"] rescue nil
  @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
  @sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
  @session_index  = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
  @issue_instant  = trusted_find_first("saml:Assertion")["IssueInstant"] rescue nil

  @saml_attributes = {}
  trusted_find("saml:Attribute").each do |attr|
    attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
    @saml_attributes[attrname] = attr.content.strip rescue nil
  end

  if @is_valid
    @issue_instant = Time.parse(@issue_instant) if @issue_instant
    if !@issue_instant
      @is_valid = false
      @validation_error = "No timestamp in message"
    elsif @issue_instant + 5 * 60 < as_of
      @is_valid = false
      @validation_error = "Assertion expired"
    elsif @issue_instant - 5 * 60 > as_of
      @is_valid = false
      @validation_error = "Assertion not yet valid"
    end
  end
end

#success_status? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/onelogin/saml/response.rb', line 152

def success_status?
  @status_code == Onelogin::Saml::StatusCodes::SUCCESS_URI
end

#trusted_find(xpath) ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 90

def trusted_find(xpath)
  trusted_roots.map do |trusted_root|
    trusted_root.xpath("descendant-or-self::#{xpath}", Onelogin::NAMESPACES).to_a
  end.flatten.compact
end

#trusted_find_first(xpath) ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 86

def trusted_find_first(xpath)
  trusted_find(xpath).first
end

#trusted_roots ⇒ Object

triggers validation

# File 'lib/onelogin/saml/response.rb', line 148

def trusted_roots
  is_valid? ? @trusted_roots : []
end

#untrusted_find_first(xpath) ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 82

def untrusted_find_first(xpath)
  decrypted_document.at_xpath(xpath, Onelogin::NAMESPACES)
end

#validate ⇒ Object

# File 'lib/onelogin/saml/response.rb', line 103

def validate
  if response.nil? || response == ""
    @validation_error = "No response to validate"
    return false
  end

  if !settings.idp_cert_fingerprint
    @validation_error = "No fingerprint configured in SAML settings"
    return false
  end

  # Verify the original document if it has a signature, otherwise verify the signature
  # in the encrypted portion. If there is no signature, then we can't verify.
  verified = false

  if document.has_signature?
    verified = document.validate(settings.idp_cert_fingerprint, @logger)
    if !verified
      @validation_error = document.validation_error
      return false
    end
  end

  if !verified && decrypted_document.has_signature?
    verified = decrypted_document.validate(settings.idp_cert_fingerprint, @logger)
    if !verified
      @validation_error = decrypted_document.validation_error
      return false
    end
  end

  if !verified
    @validation_error = "No signature found in the response"
    return false
  end

  # If we get here, validation has succeeded, and we can trust all
  # <ds:Signature> elements. Each of those has a <ds:Reference> which
  # points to the root of the root of the NodeSet it signs.
  @trusted_roots = decrypted_document.signed_roots

  true
end