Skip to content

Commit

Permalink
Add support to retrieve from SAMLResponse the AuthnInstant and AuthnC…
Browse files Browse the repository at this point in the history
…ontextClassRef values. See #718
  • Loading branch information
pitbulk committed Sep 30, 2024
1 parent aa9bf70 commit 28d3fff
Show file tree
Hide file tree
Showing 3 changed files with 50 additions and 7 deletions.
15 changes: 8 additions & 7 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Ruby SAML Changelog

### 2.0.0
* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Remove `OneLogin` namespace. The root namespace of the gem is now `RubySaml`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
Expand Down Expand Up @@ -28,7 +29,7 @@

### 1.15.0 (Jan 04, 2023)
* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
* Add info about new repo, new maintainer, new security contact
Expand Down Expand Up @@ -62,7 +63,7 @@

### 1.12.0 (Feb 18, 2021)
* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
* Adding idp_sso_service_url and idp_slo_service_url settings
* [#536](https://github.com/SAML-Toolkits/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
* Reduce size of built gem by excluding the test folder
Expand Down Expand Up @@ -192,7 +193,7 @@
* Fix response_test.rb of gem 1.3.0
* Add reference to Security Guidelines
* Update License
* [#334](https://github.com/SAML-Toolkits/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
* [#334](https://github.com/SAML-Toolkits/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.

### 1.3.0 (June 24, 2016)
* [Security Fix](https://github.com/SAML-Toolkits/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
Expand All @@ -210,7 +211,7 @@
* [#316](https://github.com/SAML-Toolkits/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
* [#321](https://github.com/SAML-Toolkits/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
* Changes on empty URI of Signature reference management
* [#320](https://github.com/SAML-Toolkits/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
* [#320](https://github.com/SAML-Toolkits/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
* [#306](https://github.com/SAML-Toolkits/ruby-saml/pull/306) Support WantAssertionsSigned

### 1.1.2 (February 15, 2016)
Expand All @@ -227,17 +228,17 @@
* [#270](https://github.com/SAML-Toolkits/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
* [#261](https://github.com/SAML-Toolkits/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
* [#258](https://github.com/SAML-Toolkits/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
* [#256](https://github.com/SAML-Toolkits/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
* [#256](https://github.com/SAML-Toolkits/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
* [#255](https://github.com/SAML-Toolkits/ruby-saml/pull/255) Refactor validate signature.
* [#254](https://github.com/SAML-Toolkits/ruby-saml/pull/254) Handle empty URI references
* [#254](https://github.com/SAML-Toolkits/ruby-saml/pull/254) Handle empty URI references
* [#251](https://github.com/SAML-Toolkits/ruby-saml/pull/251) Support qualified and unqualified NameID in attributes
* [#234](https://github.com/SAML-Toolkits/ruby-saml/pull/234) Add explicit support for JRuby

### 1.0.0 (June 30, 2015)
* [#247](https://github.com/SAML-Toolkits/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
* [#246](https://github.com/SAML-Toolkits/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
* [#243](https://github.com/SAML-Toolkits/ruby-saml/issues/243) and [#244](https://github.com/SAML-Toolkits/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
* [#241](https://github.com/SAML-Toolkits/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
* [#241](https://github.com/SAML-Toolkits/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
* [#240](https://github.com/SAML-Toolkits/ruby-saml/pull/240) and [#238](https://github.com/SAML-Toolkits/ruby-saml/pull/238) Improve test coverage and refactor.
* [#239](https://github.com/SAML-Toolkits/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
* [#237](https://github.com/SAML-Toolkits/ruby-saml/pull/237) Don't pretty print metadata by default.
Expand Down
21 changes: 21 additions & 0 deletions lib/ruby_saml/response.rb
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,27 @@ def session_expires_at
end
end

# Gets the AuthnInstant from the AuthnStatement.
# Could be used to require re-authentication if a long time has passed
# since the last user authentication.
# @return [String] AuthnInstant value
#
def authn_instant
@authn_instant ||= begin
node = xpath_first_from_signed_assertion('/a:AuthnStatement')
node.nil? ? nil : node.attributes['AuthnInstant']
end
end

# Gets the AuthnContextClassRef from the AuthnStatement
# Could be used to require re-authentication if the assertion
# did not met the requested authentication context class.
# @return [String] AuthnContextClassRef value
#
def authn_context_class_ref
@authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
end

# Checks if the Status has the "Success" code
# @return [Boolean] True if the StatusCode is Sucess
#
Expand Down
21 changes: 21 additions & 0 deletions test/response_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1357,6 +1357,27 @@ def generate_audience_error(expected, actual)
end
end

# Gets the AuthnInstant from the AuthnStatement.
# Could be used to require re-authentication if a long time has passed
# since the last user authentication.
# @return [String] AuthnInstant value
#
def authn_instant
@authn_instant ||= begin
node = xpath_first_from_signed_assertion('/a:AuthnStatement')
node.nil? ? nil : node.attributes['AuthnInstant']
end
end

# Gets the AuthnContextClassRef from the AuthnStatement
# Could be used to require re-authentication if the assertion
# did not met the requested authentication context class.
# @return [String] AuthnContextClassRef value
#
def authn_context_class_ref
@authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
end

describe "#success" do
it "find a status code that says success" do
response.success?
Expand Down

0 comments on commit 28d3fff

Please sign in to comment.