Class: OneLogin::RubySaml::Response

Inherits:

SamlMessage

• Object
• SamlMessage
• OneLogin::RubySaml::Response

Includes:

ErrorHandling

Defined in:

lib/onelogin/ruby-saml/response.rb

Overview

SAML2 Authentication Response. SAML Response

Constant Summary

ASSERTION =

"urn:oasis:names:tc:SAML:2.0:assertion"

PROTOCOL =

"urn:oasis:names:tc:SAML:2.0:protocol"

DSIG =

"http://www.w3.org/2000/09/xmldsig#"

XENC =

"http://www.w3.org/2001/04/xmlenc#"

AVAILABLE_OPTIONS =

Response available options This is not a whitelist to allow people extending OneLogin::RubySaml:Response and pass custom options

[
  :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_authnstatement, :skip_conditions,
  :skip_destination, :skip_recipient_check, :skip_subject_confirmation
]

Constants inherited from SamlMessage

SamlMessage::BASE64_FORMAT

Instance Attribute Summary

• #decrypted_document ⇒ Object readonly

  Returns the value of attribute decrypted_document.

• #document ⇒ Object readonly

  Returns the value of attribute document.

• #options ⇒ Object readonly

  Returns the value of attribute options.

• #response ⇒ Object readonly

  Returns the value of attribute response.

• #settings ⇒ Object

  OneLogin::RubySaml::Settings Toolkit settings.

• #soft ⇒ Object

  Returns the value of attribute soft.

Attributes included from ErrorHandling

#errors

Instance Method Summary

• #allowed_clock_drift ⇒ Integer

  returns the allowed clock drift on timing validation.

• #attributes ⇒ Attributes

  Gets the Attributes from the AttributeStatement element.

• #audiences ⇒ Array

  The Audience elements from the Contitions of the SAML Response.

• #conditions ⇒ REXML::Element

  Gets the Condition Element of the SAML Response if exists.

• #destination ⇒ String|nil

  Destination attribute from the SAML Response.

• #in_response_to ⇒ String|nil

  The InResponseTo attribute from the SAML Response.

• #initialize(response, options = {}) ⇒ Response constructor

  Constructs the SAML Response.

• #is_valid?(collect_errors = false) ⇒ Boolean

  Validates the SAML Response with the default values (soft = true).

• #issuers ⇒ Array

  Gets the Issuers (from Response and Assertion).

• #name_id ⇒ String (also: #nameid)

  The NameID provided by the SAML response from the IdP.

• #name_id_format ⇒ String (also: #nameid_format)

  The NameID Format provided by the SAML response from the IdP.

• #name_id_namequalifier ⇒ String

  The NameID NameQualifier provided by the SAML response from the IdP.

• #name_id_spnamequalifier ⇒ String

  The NameID SPNameQualifier provided by the SAML response from the IdP.

• #not_before ⇒ Time

  Gets the NotBefore Condition Element value.

• #not_on_or_after ⇒ Time

  Gets the NotOnOrAfter Condition Element value.

• #session_expires_at ⇒ String

  Gets the SessionNotOnOrAfter from the AuthnStatement.

• #sessionindex ⇒ String

  Gets the SessionIndex from the AuthnStatement.

• #status_code ⇒ String

  StatusCode value from a SAML Response.

• #status_message ⇒ String

  The StatusMessage value from a SAML Response.

• #success? ⇒ Boolean

  Checks if the Status has the “Success” code.

Methods included from ErrorHandling

#append_error, #reset_errors!

Methods inherited from SamlMessage

#id, schema, #valid_saml?, #version

Constructor Details

#initialize(response, options = {}) ⇒ Response

Constructs the SAML Response. A Response Object that is an extension of the SamlMessage class.

Parameters:

• response (String) —

  A UUEncoded SAML response from the IdP.

• options (Hash) (defaults to: {}) —

  :settings to provide the OneLogin::RubySaml::Settings object Or some options for the response validation process like skip the conditions validation with the :skip_conditions, or allow a clock_drift when checking dates with :allowed_clock_drift or :matches_request_id that will validate that the response matches the ID of the request, or skip the subject confirmation validation with the :skip_subject_confirmation option or skip the recipient validation of the subject confirmation element with :skip_recipient_check option

Raises:

• (ArgumentError)

# File 'lib/onelogin/ruby-saml/response.rb', line 50

def initialize(response, options = {})
  raise ArgumentError.new("Response cannot be nil") if response.nil?

  @errors = []

  @options = options
  @soft = true
  unless options[:settings].nil?
    @settings = options[:settings]
    unless @settings.soft.nil?
      @soft = @settings.soft
    end
  end

  @response = decode_raw_saml(response)
  @document = XMLSecurity::SignedDocument.new(@response, @errors)

  if assertion_encrypted?
    @decrypted_document = generate_decrypted_document
  end
end

Instance Attribute Details

#decrypted_document ⇒ Object (readonly)

Returns the value of attribute decrypted_document.

# File 'lib/onelogin/ruby-saml/response.rb', line 27

def decrypted_document
  @decrypted_document
end

#document ⇒ Object (readonly)

Returns the value of attribute document.

# File 'lib/onelogin/ruby-saml/response.rb', line 26

def document
  @document
end

#options ⇒ Object (readonly)

Returns the value of attribute options.

# File 'lib/onelogin/ruby-saml/response.rb', line 29

def options
  @options
end

#response ⇒ Object (readonly)

Returns the value of attribute response.

# File 'lib/onelogin/ruby-saml/response.rb', line 28

def response
  @response
end

#settings ⇒ Object

OneLogin::RubySaml::Settings Toolkit settings

# File 'lib/onelogin/ruby-saml/response.rb', line 24

def settings
  @settings
end

#soft ⇒ Object

Returns the value of attribute soft.

# File 'lib/onelogin/ruby-saml/response.rb', line 31

def soft
  @soft
end

Instance Method Details

#allowed_clock_drift ⇒ Integer

returns the allowed clock drift on timing validation

Returns:

• (Integer)

# File 'lib/onelogin/ruby-saml/response.rb', line 340

def allowed_clock_drift
  return options[:allowed_clock_drift].to_f
end

#attributes ⇒ Attributes

Gets the Attributes from the AttributeStatement element.

All attributes can be iterated over attributes.each or returned as array by attributes.all For backwards compatibility ruby-saml returns by default only the first value for a given attribute with

attributes['name']

To get all of the attributes, use:

attributes.multi('name')

Or turn off the compatibility:

OneLogin::RubySaml::Attributes.single_value_compatibility = false

Now this will return an array:

attributes['name']

Returns:

• (Attributes) —

  OneLogin::RubySaml::Attributes enumerable collection.

Raises:

• (ValidationError) —

  if there are 2+ Attribute with the same Name

# File 'lib/onelogin/ruby-saml/response.rb', line 145

def attributes
  @attr_statements ||= begin
    attributes = Attributes.new

    stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
    stmt_elements.each do |stmt_element|
      stmt_element.elements.each do |attr_element|
        if attr_element.name == "EncryptedAttribute"
          node = decrypt_attribute(attr_element.dup)
        else
          node = attr_element
        end

        name  = node.attributes["Name"]

        if options[:check_duplicated_attributes] && attributes.include?(name)
          raise ValidationError.new("Found an Attribute element with duplicated Name")
        end

        values = node.elements.collect{|e|
          if (e.elements.nil? || e.elements.size == 0)
            # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
            # otherwise the value is to be regarded as empty.
            ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : Utils.element_text(e)
          # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
          # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
          # identify the subject in an SP rather than email or other less opaque attributes
          # NameQualifier, if present is prefixed with a "/" to the value
          else
            REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect do |n|
              base_path = n.attributes['NameQualifier'] ? "#{n.attributes['NameQualifier']}/" : ''
              "#{base_path}#{Utils.element_text(n)}"
            end
          end
        }

        attributes.add(name, values.flatten)
      end
    end
    attributes
  end
end

#audiences ⇒ Array

Returns The Audience elements from the Contitions of the SAML Response.

Returns:

• (Array) —

  The Audience elements from the Contitions of the SAML Response.

# File 'lib/onelogin/ruby-saml/response.rb', line 331

def audiences
  @audiences ||= begin
    nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience')
    nodes.map { |node| Utils.element_text(node) }.reject(&:empty?)
  end
end

#conditions ⇒ REXML::Element

Gets the Condition Element of the SAML Response if exists. (returns the first node that matches the supplied xpath)

Returns:

• (REXML::Element) —

  Conditions Element if exists

# File 'lib/onelogin/ruby-saml/response.rb', line 257

def conditions
  @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
end

#destination ⇒ String|nil

Returns Destination attribute from the SAML Response.

Returns:

• (String|nil) —

  Destination attribute from the SAML Response.

# File 'lib/onelogin/ruby-saml/response.rb', line 318

def destination
  @destination ||= begin
    node = REXML::XPath.first(
      document,
      "/p:Response",
      { "p" => PROTOCOL }
    )
    node.nil? ? nil : node.attributes['Destination']
  end
end

#in_response_to ⇒ String|nil

Returns The InResponseTo attribute from the SAML Response.

Returns:

• (String|nil) —

  The InResponseTo attribute from the SAML Response.

# File 'lib/onelogin/ruby-saml/response.rb', line 305

def in_response_to
  @in_response_to ||= begin
    node = REXML::XPath.first(
      document,
      "/p:Response",
      { "p" => PROTOCOL }
    )
    node.nil? ? nil : node.attributes['InResponseTo']
  end
end

#is_valid?(collect_errors = false) ⇒ Boolean

Validates the SAML Response with the default values (soft = true)

Parameters:

• collect_errors (Boolean) (defaults to: false) —

  Stop validation when first error appears or keep validating. (if soft=true)

Returns:

• (Boolean) —

  TRUE if the SAML Response is valid

# File 'lib/onelogin/ruby-saml/response.rb', line 76

def is_valid?(collect_errors = false)
  validate(collect_errors)
end

#issuers ⇒ Array

Gets the Issuers (from Response and Assertion). (returns the first node that matches the supplied xpath from the Response and from the Assertion)

Returns:

• (Array) —

  Array with the Issuers (REXML::Element)

# File 'lib/onelogin/ruby-saml/response.rb', line 279

def issuers
  @issuers ||= begin
    issuer_response_nodes = REXML::XPath.match(
      document,
      "/p:Response/a:Issuer",
      { "p" => PROTOCOL, "a" => ASSERTION }
    )

    unless issuer_response_nodes.size == 1
      error_msg = "Issuer of the Response not found or multiple."
      raise ValidationError.new(error_msg)
    end

    issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
    unless issuer_assertion_nodes.size == 1
      error_msg = "Issuer of the Assertion not found or multiple."
      raise ValidationError.new(error_msg)
    end

    nodes = issuer_response_nodes + issuer_assertion_nodes
    nodes.map { |node| Utils.element_text(node) }.compact.uniq
  end
end

#name_id ⇒ String Also known as: nameid

Returns the NameID provided by the SAML response from the IdP.

Returns:

• (String) —

  the NameID provided by the SAML response from the IdP.

# File 'lib/onelogin/ruby-saml/response.rb', line 82

def name_id
  @name_id ||= Utils.element_text(name_id_node)
end

#name_id_format ⇒ String Also known as: nameid_format

Returns the NameID Format provided by the SAML response from the IdP.

Returns:

• (String) —

  the NameID Format provided by the SAML response from the IdP.

# File 'lib/onelogin/ruby-saml/response.rb', line 90

def name_id_format
  @name_id_format ||=
    if name_id_node && name_id_node.attribute("Format")
      name_id_node.attribute("Format").value
    end
end

#name_id_namequalifier ⇒ String

Returns the NameID NameQualifier provided by the SAML response from the IdP.

Returns:

• (String) —

  the NameID NameQualifier provided by the SAML response from the IdP.

# File 'lib/onelogin/ruby-saml/response.rb', line 110

def name_id_namequalifier
  @name_id_namequalifier ||=
    if name_id_node && name_id_node.attribute("NameQualifier")
      name_id_node.attribute("NameQualifier").value
    end
end

#name_id_spnamequalifier ⇒ String

Returns the NameID SPNameQualifier provided by the SAML response from the IdP.

Returns:

• (String) —

  the NameID SPNameQualifier provided by the SAML response from the IdP.

# File 'lib/onelogin/ruby-saml/response.rb', line 101

def name_id_spnamequalifier
  @name_id_spnamequalifier ||=
    if name_id_node && name_id_node.attribute("SPNameQualifier")
      name_id_node.attribute("SPNameQualifier").value
    end
end

#not_before ⇒ Time

Gets the NotBefore Condition Element value.

Returns:

• (Time) —

  The NotBefore value in Time format

# File 'lib/onelogin/ruby-saml/response.rb', line 264

def not_before
  @not_before ||= parse_time(conditions, "NotBefore")
end

#not_on_or_after ⇒ Time

Gets the NotOnOrAfter Condition Element value.

Returns:

• (Time) —

  The NotOnOrAfter value in Time format

# File 'lib/onelogin/ruby-saml/response.rb', line 271

def not_on_or_after
  @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
end

#session_expires_at ⇒ String

Gets the SessionNotOnOrAfter from the AuthnStatement. Could be used to set the local session expiration (expire at latest)

Returns:

• (String) —

  The SessionNotOnOrAfter value

# File 'lib/onelogin/ruby-saml/response.rb', line 192

def session_expires_at
  @expires_at ||= begin
    node = xpath_first_from_signed_assertion('/a:AuthnStatement')
    node.nil? ? nil : parse_time(node, "SessionNotOnOrAfter")
  end
end

#sessionindex ⇒ String

Gets the SessionIndex from the AuthnStatement. Could be used to be stored in the local session in order to be used in a future Logout Request that the SP could send to the IdP, to set what specific session must be deleted

Returns:

• (String) —

  SessionIndex Value

# File 'lib/onelogin/ruby-saml/response.rb', line 123

def sessionindex
  @sessionindex ||= begin
    node = xpath_first_from_signed_assertion('/a:AuthnStatement')
    node.nil? ? nil : node.attributes['SessionIndex']
  end
end

#status_code ⇒ String

Returns StatusCode value from a SAML Response.

Returns:

• (String) —

  StatusCode value from a SAML Response.

# File 'lib/onelogin/ruby-saml/response.rb', line 208

def status_code
  @status_code ||= begin
    nodes = REXML::XPath.match(
      document,
      "/p:Response/p:Status/p:StatusCode",
      { "p" => PROTOCOL }
    )
    if nodes.size == 1
      node = nodes[0]
      code = node.attributes["Value"] if node && node.attributes

      unless code == "urn:oasis:names:tc:SAML:2.0:status:Success"
        nodes = REXML::XPath.match(
          document,
          "/p:Response/p:Status/p:StatusCode/p:StatusCode",
          { "p" => PROTOCOL }
        )
        statuses = nodes.collect do |inner_node|
          inner_node.attributes["Value"]
        end
        extra_code = statuses.join(" | ")
        if extra_code
          code = "#{code} | #{extra_code}"
        end
      end
      code
    end
  end
end

#status_message ⇒ String

Returns the StatusMessage value from a SAML Response.

Returns:

• (String) —

  the StatusMessage value from a SAML Response.

# File 'lib/onelogin/ruby-saml/response.rb', line 240

def status_message
  @status_message ||= begin
    nodes = REXML::XPath.match(
      document,
      "/p:Response/p:Status/p:StatusMessage",
      { "p" => PROTOCOL }
    )
    if nodes.size == 1
      Utils.element_text(nodes.first)
    end
  end
end

#success? ⇒ Boolean

Checks if the Status has the “Success” code

Returns:

• (Boolean) —

  True if the StatusCode is Sucess

# File 'lib/onelogin/ruby-saml/response.rb', line 202

def success?
  status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
end