Class: Samlurai::Response

Inherits:

Object

• Object
• Samlurai::Response

Defined in:

lib/samlurai/response.rb

Instance Attribute Summary

• #decrypted_document ⇒ Object readonly

  Returns the value of attribute decrypted_document.

• #destination ⇒ Object readonly

  Returns the value of attribute destination.

• #document ⇒ Object readonly

  Returns the value of attribute document.

• #in_response_to ⇒ Object readonly

  Returns the value of attribute in_response_to.

• #issuer ⇒ Object readonly

  Returns the value of attribute issuer.

• #name_id ⇒ Object readonly

  Returns the value of attribute name_id.

• #name_qualifier ⇒ Object readonly

  Returns the value of attribute name_qualifier.

• #response ⇒ Object readonly

  Returns the value of attribute response.

• #saml_attributes ⇒ Object readonly

  Returns the value of attribute saml_attributes.

• #session_index ⇒ Object readonly

  Returns the value of attribute session_index.

• #settings ⇒ Object

  Returns the value of attribute settings.

• #status_code ⇒ Object readonly

  Returns the value of attribute status_code.

• #status_message ⇒ Object readonly

  Returns the value of attribute status_message.

• #validation_error ⇒ Object readonly

  Returns the value of attribute validation_error.

• #xml ⇒ Object readonly

  Returns the value of attribute xml.

Class Method Summary

• .decrypt(encrypted_document, settings) ⇒ Object

  replaces EncryptedData nodes with decrypted copies.

• .validate(document, options = {}) ⇒ Object

Instance Method Summary

• #auth_failure? ⇒ Boolean
• #fingerprint_from_idp ⇒ Object
• #initialize(response, settings = nil, validation_options = {}) ⇒ Response constructor

  A new instance of Response.

• #is_valid? ⇒ Boolean
• #logger=(val) ⇒ Object
• #no_authn_context? ⇒ Boolean
• #process(settings) ⇒ Object
• #success_status? ⇒ Boolean

Constructor Details

#initialize(response, settings = nil, validation_options = {}) ⇒ Response

Returns a new instance of Response.

# File 'lib/samlurai/response.rb', line 10

def initialize(response, settings=nil, validation_options={})
  @response = response
  @validation_options = validation_options

  begin
    @xml = Base64.decode64(@response)
    @document = LibXML::XML::Document.string(@xml)
  rescue => e
    # could not parse document, everything is invalid
    @response = nil
    return
  end

  @issuer = @document.find_first("/samlp:Response/saml:Issuer", Samlurai::NAMESPACES).content rescue nil
  @status_code = @document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Samlurai::NAMESPACES)["Value"] rescue nil

  process(settings) if settings
end

Instance Attribute Details

#decrypted_document ⇒ Object (readonly)

Returns the value of attribute decrypted_document.

# File 'lib/samlurai/response.rb', line 4

def decrypted_document
  @decrypted_document
end

#destination ⇒ Object (readonly)

Returns the value of attribute destination.

# File 'lib/samlurai/response.rb', line 7

def destination
  @destination
end

#document ⇒ Object (readonly)

Returns the value of attribute document.

# File 'lib/samlurai/response.rb', line 4

def document
  @document
end

#in_response_to ⇒ Object (readonly)

Returns the value of attribute in_response_to.

# File 'lib/samlurai/response.rb', line 7

def in_response_to
  @in_response_to
end

#issuer ⇒ Object (readonly)

Returns the value of attribute issuer.

# File 'lib/samlurai/response.rb', line 7

def issuer
  @issuer
end

#name_id ⇒ Object (readonly)

Returns the value of attribute name_id.

# File 'lib/samlurai/response.rb', line 5

def name_id
  @name_id
end

#name_qualifier ⇒ Object (readonly)

Returns the value of attribute name_qualifier.

# File 'lib/samlurai/response.rb', line 5

def name_qualifier
  @name_qualifier
end

#response ⇒ Object (readonly)

Returns the value of attribute response.

# File 'lib/samlurai/response.rb', line 4

def response
  @response
end

#saml_attributes ⇒ Object (readonly)

Returns the value of attribute saml_attributes.

# File 'lib/samlurai/response.rb', line 5

def saml_attributes
  @saml_attributes
end

#session_index ⇒ Object (readonly)

Returns the value of attribute session_index.

# File 'lib/samlurai/response.rb', line 5

def session_index
  @session_index
end

#settings ⇒ Object

Returns the value of attribute settings.

# File 'lib/samlurai/response.rb', line 3

def settings
  @settings
end

#status_code ⇒ Object (readonly)

Returns the value of attribute status_code.

# File 'lib/samlurai/response.rb', line 6

def status_code
  @status_code
end

#status_message ⇒ Object (readonly)

Returns the value of attribute status_message.

# File 'lib/samlurai/response.rb', line 6

def status_message
  @status_message
end

#validation_error ⇒ Object (readonly)

Returns the value of attribute validation_error.

# File 'lib/samlurai/response.rb', line 8

def validation_error
  @validation_error
end

#xml ⇒ Object (readonly)

Returns the value of attribute xml.

# File 'lib/samlurai/response.rb', line 4

def xml
  @xml
end

Class Method Details

.decrypt(encrypted_document, settings) ⇒ Object

replaces EncryptedData nodes with decrypted copies

# File 'lib/samlurai/response.rb', line 119

def self.decrypt(encrypted_document, settings)
  if settings.encryption_configured?
    decrypted_xml = nil
    begin
      decrypted_xml = XMLSecurity.decrypt(encrypted_document.to_s(:indent => false), settings.xmlsec_privatekey)
    rescue Exception => e
      # rescuing all exceptions here; bad. need to create superclass in xmlsecurity
    end
    if decrypted_xml
      return LibXML::XML::Document.string(decrypted_xml)
    end
  end
  encrypted_document
end

.validate(document, options = {}) ⇒ Object

# File 'lib/samlurai/response.rb', line 110

def self.validate(document, options={})
  auth_statement = document.find_first('//samlp:Response', Samlurai::NAMESPACES)
  if auth_statement
    options[:as_of] ||= auth_statement["IssueInstant"]
  end
  XMLSecurity.verify_signature(document.to_s(:indent => false), options)
end

Instance Method Details

#auth_failure? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/samlurai/response.rb', line 92

def auth_failure?
  @status_code == Samlurai::StatusCodes::AUTHN_FAILED_URI
end

#fingerprint_from_idp ⇒ Object

# File 'lib/samlurai/response.rb', line 100

def fingerprint_from_idp
  if base64_cert = @decrypted_document.find_first("//ds:X509Certificate", Samlurai::NAMESPACES)
    cert_text = Base64.decode64(base64_cert.content)
    cert = OpenSSL::X509::Certificate.new(cert_text)
    Digest::SHA1.hexdigest(cert.to_der)
  else
    nil
  end
end

#is_valid? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/samlurai/response.rb', line 52

def is_valid?
  if @response.nil? || @response == ""
    @validation_error = "No response to validate"
    return false
  end
  
  if !@settings.idp_cert_fingerprint
    @validation_error = "No fingerprint configured in SAML settings"
    return false
  end
  
  # Verify the original document if it has a signature, otherwise verify the signature
  # in the encrypted portion. If there is no signature, then we can't verify.
  verified = false
  if @document.find_first("//ds:Signature", Samlurai::NAMESPACES)
    verified = self.class.validate(@document, @validation_options.merge(:cert_fingerprint => @settings.idp_cert_fingerprint, :logger => @logger))
    if !verified
      return false
    end
  end

  if !verified && @decrypted_document.find_first("//ds:Signature", Samlurai::NAMESPACES)
    verified = self.class.validate(@decrypted_document, @validation_options.merge(:cert_fingerprint => @settings.idp_cert_fingerprint, :logger => @logger))
    if !verified
      return false
    end
  end
  
  if !verified
    @validation_error = "No signature found in the response"
    return false
  end
  
  true
end

#logger=(val) ⇒ Object

# File 'lib/samlurai/response.rb', line 48

def logger=(val)
  @logger = val
end

#no_authn_context? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/samlurai/response.rb', line 96

def no_authn_context?
  @status_code == Samlurai::StatusCodes::NO_AUTHN_CONTEXT_URI
end

#process(settings) ⇒ Object

# File 'lib/samlurai/response.rb', line 29

def process(settings)
  @settings = settings
  return unless @response

  @decrypted_document = self.class.decrypt(@document, @settings)

  @in_response_to = @decrypted_document.find_first("/samlp:Response", Samlurai::NAMESPACES)['InResponseTo'] rescue nil
  @destination = @decrypted_document.find_first("/samlp:Response", Samlurai::NAMESPACES)['Destination'] rescue nil
  @name_id = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Samlurai::NAMESPACES).content rescue nil
  @saml_attributes = {}
  @decrypted_document.find("//saml:Attribute", Samlurai::NAMESPACES).each do |attr|
    attrname = attr['FriendlyName'] || Samlurai::ATTRIBUTES[attr['Name']] || attr['Name']
    @saml_attributes[attrname] = attr.content.strip rescue nil
  end
  @name_qualifier = @decrypted_document.find_first("/samlp:Response//saml:Assertion/saml:Subject/saml:NameID", Samlurai::NAMESPACES)["NameQualifier"] rescue nil
  @session_index = @decrypted_document.find_first("/samlp:Response//saml:Assertion/saml:AuthnStatement", Samlurai::NAMESPACES)["SessionIndex"] rescue nil
  @status_message = @decrypted_document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Samlurai::NAMESPACES).content rescue nil
end

#success_status? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/samlurai/response.rb', line 88

def success_status?
  @status_code == Samlurai::StatusCodes::SUCCESS_URI
end