Merge pull request #10 from zendesk/sdavidovitz/audience_verification

steved · steved · commit f0f819f041a1 · 2014-05-28T14:06:56.000-07:00
Add audience verification to assertion/condition verify
diff --git a/lib/samlr/assertion.rb b/lib/samlr/assertion.rb
@@ -51,6 +51,10 @@ def name_id
       @name_id ||= assertion.at("./saml:Subject/saml:NameID", NS_MAP).text
     end
 
+    def conditions
+      @conditions ||= Condition.new(assertion.at("./saml:Conditions", NS_MAP), options)
+    end
+
     private
 
     def assertion
@@ -68,10 +72,6 @@ def skip_conditions?
       !!options[:skip_conditions]
     end
 
-    def conditions
-      @conditions ||= Condition.new(assertion.at("./saml:Conditions", NS_MAP))
-    end
-
     def verify_conditions!
       conditions.verify!
     end
diff --git a/lib/samlr/condition.rb b/lib/samlr/condition.rb
@@ -1,10 +1,12 @@
 module Samlr
   class Condition
-    attr_reader :not_before, :not_on_or_after
+    attr_reader :audience, :not_before, :not_on_or_after, :options
 
-    def initialize(condition)
+    def initialize(condition, options)
+      @options         = options
       @not_before      = (condition || {})["NotBefore"]
       @not_on_or_after = (condition || {})["NotOnOrAfter"]
+      @audience        = extract_audience(condition)
     end
 
     def verify!
@@ -16,6 +18,10 @@ def verify!
         raise Samlr::ConditionsError.new("Not on or after violation, now #{Samlr::Tools::Timestamp.stamp} vs. at latest #{not_on_or_after}")
       end
 
+      unless audience_satisfied?
+        raise Samlr::ConditionsError.new("Audience violation, expected #{options[:audience]} vs. #{audience}")
+      end
+
       true
     end
 
@@ -26,6 +32,22 @@ def not_before_satisfied?
     def not_on_or_after_satisfied?
       not_on_or_after.nil? || Samlr::Tools::Timestamp.not_on_or_after?(Samlr::Tools::Timestamp.parse(not_on_or_after))
     end
-  end
 
+    def audience_satisfied?
+      audience.nil? || options[:audience].nil? ||
+        audience == options[:audience]
+    end
+
+    private
+
+    def extract_audience(condition)
+      return unless condition
+
+      audience_node = condition.at("./saml:AudienceRestriction/saml:Audience", NS_MAP)
+
+      return unless audience_node
+
+      audience_node.text
+    end
+  end
 end
diff --git a/test/unit/test_assertion.rb b/test/unit/test_assertion.rb
@@ -29,8 +29,16 @@
   end
 
   describe "#verify!" do
+    let(:condition) do
+      Class.new do
+        def verify!
+          raise Samlr::ConditionsError, 'error'
+        end
+      end
+    end
+
     before do
-      @unsatisfied_condition = Samlr::Condition.new("NotBefore" => Samlr::Tools::Timestamp.stamp(Time.now + 60))
+      @unsatisfied_condition = condition.new
     end
 
     describe "when conditions are not met" do
diff --git a/test/unit/test_condition.rb b/test/unit/test_condition.rb
@@ -1,10 +1,11 @@
 require File.expand_path("test/test_helper")
 
 def condition(before, after)
-  Samlr::Condition.new(
-    "NotBefore"    => before ? before.utc.iso8601 : nil,
-    "NotOnOrAfter" => after  ? after.utc.iso8601  : nil
-  )
+  element = Nokogiri::XML::Element.new('saml:Condition', Nokogiri::XML(''))
+  element["NotBefore"] = before.utc.iso8601 if before
+  element["NotOnOrAfter"] = after.utc.iso8601 if after
+
+  Samlr::Condition.new(element, {})
 end
 
 describe Samlr::Condition do
@@ -14,6 +15,44 @@ def condition(before, after)
   end
 
   describe "verify!" do
+    describe "audience verification" do
+      let(:response) { fixed_saml_response }
+      subject { response.assertion.conditions }
+
+      describe "when it is wrong" do
+        before do
+          response.options[:audience] = 'example.com'
+        end
+
+        it "raises an exception" do
+          Time.stub(:now, Time.at(1344379365)) do
+            assert subject.not_on_or_after_satisfied?
+            assert subject.not_before_satisfied?
+            refute subject.audience_satisfied?
+
+            begin
+              subject.verify!
+              flunk "Expected exception"
+            rescue Samlr::ConditionsError => e
+              assert_match /Audience/, e.message
+            end
+          end
+        end
+      end
+
+      describe "when it is right" do
+        before do
+          response.options[:audience] = 'example.org'
+        end
+
+        it "does not raise an exception" do
+          Time.stub(:now, Time.at(1344379365)) do
+            assert subject.verify!
+          end
+        end
+      end
+    end
+
     describe "when the lower time has not been met" do
       before  { @not_before = (Time.now + 5*60) }
       subject { condition(@not_before, @not_after) }
@@ -57,15 +96,30 @@ def condition(before, after)
     end
   end
 
+  describe "#audience_satisfied?" do
+    it "returns true when audience is a nil value" do
+      element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+      assert Samlr::Condition.new(element, {}).audience_satisfied?
+    end
+
+    it "returns true when passed a nil audience" do
+      condition = fixed_saml_response.assertion.conditions
+      assert_equal 'example.org', condition.audience
+      assert condition.audience_satisfied?
+    end
+  end
+
   describe "#not_before_satisfied?" do
     it "returns true when passed a nil value" do
-      assert Samlr::Condition.new({}).not_before_satisfied?
+      element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+      assert Samlr::Condition.new(element, {}).not_before_satisfied?
     end
   end
 
   describe "#not_on_or_after_satisfied?" do
     it "returns true when passed a nil value" do
-      assert Samlr::Condition.new({}).not_on_or_after_satisfied?
+      element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+      assert Samlr::Condition.new(element, {}).not_on_or_after_satisfied?
     end
   end
 end
