Class: Onelogin::Saml::Response

Inherits:
Object
  • Object
show all
Defined in:
lib/onelogin/ruby-samlnechotech/response.rb

Constant Summary collapse

ASSERTION = 
"urn:oasis:names:tc:SAML:2.0:assertion"
PROTOCOL = 
"urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = 
"http://www.w3.org/2000/09/xmldsig#"

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(response, options = {}) ⇒ Response

Returns a new instance of Response.

Raises:

  • (ArgumentError) 


21
22
23
24
25
26
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 21

def initialize(response, options = {})
  raise ArgumentError.new("Response cannot be nil") if response.nil?
  @options  = options
  @response = (response =~ /^</) ? response : Base64.decode64(response)
  @document = XMLSecurity::SignedDocument.new(@response)
end

Instance Attribute Details

#documentObject (readonly)

Returns the value of attribute document.



19
20
21
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 19

def document
  @document
end

#optionsObject (readonly)

Returns the value of attribute options.



17
18
19
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 17

def options
  @options
end

#responseObject (readonly)

Returns the value of attribute response.



18
19
20
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 18

def response
  @response
end

#settingsObject

TODO: This should probably be ctor initialized too… WDYT?



15
16
17
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 15

def settings
  @settings
end

Instance Method Details

#attributesObject

A hash of alle the attributes with the response. Assuming there is only one value for each key



68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 68

def attributes
  @attr_statements ||= begin
    result = {}

    stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement')
    return {} if stmt_element.nil?

    stmt_element.elements.each do |attr_element|
      name  = attr_element.attributes["Name"]
      value = attr_element.elements.first.text

      result[name] = value
    end

    result.keys.each do |key|
      result[key.intern] = result[key]
    end

    result
  end
end

#conditionsObject

Conditions (if any) for the assertion to run



118
119
120
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 118

def conditions
  @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
end

#is_valid?Boolean

Returns:

  • (Boolean) 


28
29
30
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 28

def is_valid?
  validate
end

#issuerObject 



122
123
124
125
126
127
128
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 122

def issuer
  @issuer ||= begin
    node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
    node ||= xpath_first_from_signed_assertion('/a:Issuer')
    node.nil? ? nil : node.text
  end
end

#logObject 



130
131
132
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 130

def log
  Logging.debug "SAML Response:\n#{document}\n"
end

#name_idObject

The value of the user identifier as designated by the initialization request response



53
54
55
56
57
58
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 53

def name_id
  @name_id ||= begin
    node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
    node.nil? ? nil : node.text
  end
end

#session_expires_atObject

When this user session should expire at latest



91
92
93
94
95
96
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 91

def session_expires_at
  @expires_at ||= begin
    node = xpath_first_from_signed_assertion('/a:AuthnStatement')
    parse_time(node, "SessionNotOnOrAfter")
  end
end

#sessionindexObject 



60
61
62
63
64
65
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 60

def sessionindex
  @sessionindex ||= begin
    node = xpath_first_from_signed_assertion('/a:AuthnStatement')
    node.nil? ? nil : node.attributes['SessionIndex']
  end
end

#success?Boolean

Checks the status of the response for a “Success” code (nechotech: …or a “NoPassive” secondary status code)

Returns:

  • (Boolean) 


100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 100

def success?
  log()
  @status_code ||= begin
    node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
    primary_status = node.attributes["Value"]
    case primary_status
      when "urn:oasis:names:tc:SAML:2.0:status:Success"
        true
      when "urn:oasis:names:tc:SAML:2.0:status:Responder"
        secondary_status = node.elements[1].attributes["Value"]
        secondary_status == "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
      else
        false
    end
  end
end

#validate!Object 



48
49
50
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 48

def validate!
  validate(false)
end

#xml_cert_validate(idp_cert_fingerprint, logger) ⇒ Object 



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
 
# File 'lib/onelogin/ruby-samlnechotech/response.rb', line 32

def xml_cert_validate(idp_cert_fingerprint, logger)

  # get cert from response
  base64_cert = document.elements["//ds:X509Certificate"].text
  cert_text = Base64.decode64(base64_cert)
  cert = OpenSSL::X509::Certificate.new(cert_text)
  # check cert matches registered idp cert
  fingerprint = Digest::SHA1.hexdigest(cert.to_der)
  Logging.debug "Fingerprint:\n#{fingerprint}\n"
  valid_flag = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase

  return valid_flag if !valid_flag

  document.validate_doc(base64_cert, Logging)
end