handle XSW case

steved · steved · commit 1108d80406cf · 2014-03-25T19:01:17.000-07:00
diff --git a/lib/samlr/assertion.rb b/lib/samlr/assertion.rb
@@ -1,5 +1,6 @@
 module Samlr
   class Assertion
+    DEFAULT_LOCATION = "/samlp:Response/saml:Assertion"
     attr_reader :document, :options
 
     def initialize(document, options)
@@ -8,38 +9,47 @@ def initialize(document, options)
     end
 
     def verify!
-      verify_assertion!
+      verify_signature!
       verify_conditions! unless skip_conditions?
-      signature.verify!  unless signature.missing?
 
       true
     end
 
     def location
-      "/samlp:Response/saml:Assertion"
+      @location ||= begin
+        verify_signature!
+
+        if !signature.missing?
+          if signature.references.any?
+            "//saml:Assertion[@ID='#{signature.references.first.uri}']"
+          else
+            raise SignatureError.new("Missing references inside checked signature")
+          end
+        else
+          DEFAULT_LOCATION
+        end
+      end
     end
 
     def signature
-      @signature ||= Samlr::Signature.new(document, location, options)
+      @signature ||= Samlr::Signature.new(document, DEFAULT_LOCATION, options)
     end
 
     def attributes
-      @attributes ||= begin
-        {}.tap do |attrs|
-          assertion.xpath("./saml:AttributeStatement/saml:Attribute", NS_MAP).each do |statement|
-            name   = statement["Name"]
-            values = statement.xpath("./saml:AttributeValue", NS_MAP)
-
-            if values.size == 0
-              next
-            elsif values.size == 1
-              value = values.first.text
-            else
-              value = values.map { |value| value.text }
-            end
-
-            attrs[name] = attrs[name.to_sym] = value
+      @attributes ||= {}.tap do |attrs|
+        assertion.xpath("./saml:AttributeStatement/saml:Attribute", NS_MAP).each do |statement|
+          name   = statement["Name"]
+          values = statement.xpath("./saml:AttributeValue", NS_MAP)
+
+          if values.size == 0
+            next
+          elsif values.size == 1
+            value = values.first.text
+          else
+            value = values.map { |value| value.text }
           end
+
+          attrs[name] = attrs[name.to_sym] = value
         end
       end
     end
@@ -54,6 +64,13 @@ def assertion
       @assertion ||= document.at(location, NS_MAP)
     end
 
+    def verify_signature!
+      verify_assertion!
+      signature.verify! unless signature.missing?
+
+      true
+    end
+
     def skip_conditions?
       !!options[:skip_conditions]
     end
@@ -67,7 +84,7 @@ def verify_conditions!
     end
 
     def verify_assertion!
-      assertion_count = document.xpath(location, NS_MAP).size
+      assertion_count = document.xpath(DEFAULT_LOCATION, NS_MAP).size
 
       if assertion_count == 0
         raise Samlr::FormatError.new("Invalid SAML response: assertion missing")
diff --git a/lib/samlr/signature.rb b/lib/samlr/signature.rb
@@ -15,6 +15,7 @@ def initialize(original, prefix, options)
       @document = original.dup
       @prefix   = prefix
       @options  = options
+      @verified = false
 
       if @signature = document.at("#{prefix}/ds:Signature", NS_MAP)
         @signature.remove # enveloped signatures only
@@ -35,14 +36,26 @@ def missing?
       signature.nil?
     end
 
+    def verified?
+      @verified
+    end
+
     def verify!
       raise SignatureError.new("No signature at #{prefix}/ds:Signature") unless present?
 
       verify_fingerprint! unless options[:skip_fingerprint]
       verify_digests!
       verify_signature!
 
-      true
+      @verified = true
+    end
+
+    def references
+      @references ||= [].tap do |refs|
+        original.xpath("#{prefix}/ds:Signature/ds:SignedInfo/ds:Reference[@URI]", NS_MAP).each do |ref|
+          refs << Samlr::Reference.new(ref)
+        end
+      end
     end
 
     private
@@ -90,16 +103,6 @@ def referenced_node(id)
       nodes.first
     end
 
-    def references
-      @references ||= begin
-        [].tap do |refs|
-          original.xpath("#{prefix}/ds:Signature/ds:SignedInfo/ds:Reference[@URI]", NS_MAP).each do |ref|
-            refs << Samlr::Reference.new(ref)
-          end
-        end
-      end
-    end
-
     def signature_method
       @signature_method ||= Samlr::Tools.algorithm(signature.at("./ds:SignedInfo/ds:SignatureMethod/@Algorithm", NS_MAP).try(:value))
     end
