# frozen_string_literal: true
module Saml
  module Kit
    # Mixed into SAML document classes to decide whether a document can be
    # trusted: an embedded XML Signature (if any) must verify, the issuer must
    # be registered, and the signing certificate must belong to that provider.
    #
    # Security notes (grounded in the code below):
    # * A document counts as signed only when a ds:Signature is a direct child
    #   of the root <samlp:NAME> element (the XPath is absolute), or when the
    #   caller has already marked the signature as verified out-of-band via
    #   #signature_verified!. That call bypasses every signature check in this
    #   concern, so it must only be made after an independent verification.
    # * This concern does NOT by itself require a signature: an unsigned
    #   document whose issuer is registered passes #must_be_trusted without
    #   error. A class that needs a signature must enforce that separately.
    module Trustable
      extend ActiveSupport::Concern

      included do
        # Skipped entirely once the signature was verified externally.
        validate :must_have_valid_signature, unless: :signature_verified
        validate :must_be_registered
        validate :must_be_trusted
      end

      # @return [Boolean] true when an embedded XML Signature is present or the
      #   signature was verified externally (#signature_verified!).
      def signed?
        return true if signature_verified

        signature.present?
      end

      # @!visibility private
      # Memoized wrapper around the ds:Signature that is a direct child of the
      # root element; a ds:Signature nested anywhere else is ignored. +name+
      # is presumably the root element name supplied by the including class,
      # not attacker-controlled input — verify at the call sites.
      def signature
        @signature ||= Signature.new(at_xpath("/samlp:#{name}/ds:Signature"))
      end

      # @return [Boolean] true when the document is signed and the signing
      #   certificate belongs to the registered provider for +issuer+. A
      #   signature verified externally is trusted unconditionally here, i.e.
      #   without re-checking it against the provider's certificate.
      def trusted?
        if signature_verified
          true
        elsif signature.present?
          signature.trusted?(provider)
        else
          false
        end
      end

      # @!visibility private
      # Resolves the issuer through the registry on every call (not memoized).
      def provider
        registry.metadata_for(issuer)
      end

      # @!visibility private
      # Records that the signature was verified by an external mechanism. This
      # short-circuits #signed? and #trusted? and disables
      # #must_have_valid_signature, so callers must verify first.
      def signature_verified!
        @signature_verified = true
      end

      private

      attr_reader :signature_verified

      # Copies every error the embedded signature reports onto this document.
      # Empty or unsigned documents add no error here.
      def must_have_valid_signature
        return if to_xml.blank? || !signature.present?

        signature.valid? # called for its side effect: it fills the signature's error list
        signature.each_error { |attr_name, message| errors.add(attr_name, message) }
      end

      # Adds an +unregistered+ error when a document of the expected type comes
      # from an issuer the registry does not know.
      def must_be_registered
        return if !expected_type? || provider.present?

        errors.add(:provider, error_message(:unregistered))
      end

      # Adds an +invalid_fingerprint+ error unless the signature is trusted.
      # An unsigned document from a registered provider is tolerated here;
      # requiring a signature is the including class's responsibility.
      def must_be_trusted
        return if trusted? || (provider.present? && !signed?)

        errors.add(:fingerprint, error_message(:invalid_fingerprint))
      end
    end
  end
end