[fix] Accept reference id for SAML response (#226)

Zogoo · zogoo · mjobin-mdsol · web-flow · commit fb44202f1074 · 2024-11-05T00:09:19.000+01:00
* Squash commits for saml_idp gem * [feat] Allow SP config force signature validation (#16) * Allow SP config force signature validation * Allow SP config force signature validation Tested with Slack with Authn request signature option --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * [feat] Don’t ignore certificates without usage (#17) I have tested with live SAML SP apps and it works fine * Unspecified certifciate from SP metadata --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * Try with proper way to update helper method (#19) * Set minimum test coverage (#207) * Set minimum test coverage to a very high value for testing * Update minimum coverage to actual current value * Try with proper way to update helper method * Correctly decode and mock with correct REXML class * Drop the min coverage --------- Co-authored-by: Mathieu Jobin <majobin@mdsol.com> Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * [feat] Collect request validation errors (#18) * wip add error collector * Fix type and rewrite request with proper validation test cases * Lead error render decision to gem user * Validate the certificate's existence before verifying the signature. --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * Support lowercase percent-encoded sequences for URL encoding (#20) Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * Pass ref id as Session Index * Official Rails 8 is not released yet to RubyGem until that let's stick official older version * [fix] Gem CI updates for latest versions (#22) * Remove duplications * Pre-conditions need to be defined in before section * Le's not test logger in here --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * [fix] Allow IdP set reference ID for SAML response (#21) * Pass ref id as Session Index * Official Rails 8 is not released yet to RubyGem until that let's stick official older version --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> * Fixes for ORIGIN gem --------- Co-authored-by: zogoo <ch.tsogbadrakh@gmail.com> Co-authored-by: Mathieu Jobin <majobin@mdsol.com>
diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
@@ -98,7 +98,7 @@ def response_builder
 
     def assertion_builder
       @assertion_builder ||=
-        AssertionBuilder.new SecureRandom.uuid,
+        AssertionBuilder.new(reference_id || SecureRandom.uuid,
                              issuer_uri,
                              principal,
                              audience_uri,
@@ -110,7 +110,7 @@ def assertion_builder
                              encryption_opts,
                              session_expiry,
                              name_id_formats_opts,
-                             asserted_attributes_opts
+                             asserted_attributes_opts)
     end
     private :assertion_builder
   end
diff --git a/spec/lib/saml_idp/saml_response_spec.rb b/spec/lib/saml_idp/saml_response_spec.rb
@@ -192,6 +192,25 @@ module SamlIdp
       expect(saml_resp.is_valid?).to eq(true)
     end
 
+    it "will pass reference_id as SessionIndex" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+          "//saml:AuthnStatement/@SessionIndex",
+          {
+            "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+        ).value
+      ).to eq("_#{reference_id}")
+    end
+
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
       expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601
