Merge pull request saml-idp#102 from saml-idp/validate-acs-url

jphenow · web-flow · commit f579b15368fc · 2018-11-09T09:31:44.000-06:00
Validate acs url
diff --git a/.ruby-version b/.ruby-version
@@ -0,0 +1 @@
+2.5.1
diff --git a/README.md b/README.md
@@ -171,7 +171,11 @@ CERT
   service_providers = {
     "some-issuer-url.com/saml" => {
       fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
-      metadata_url: "http://some-issuer-url.com/saml/metadata"
+      metadata_url: "http://some-issuer-url.com/saml/metadata",
+
+      # We now validate AssertionConsumerServiceURL will match the MetadataURL set above.
+      # *If* it's not going to match your Metadata URL's Host, then set this so we can validate the host using this list
+      response_hosts: ["foo.some-issuer-url.com"]
     },
   }
 
diff --git a/lib/saml_idp/configurator.rb b/lib/saml_idp/configurator.rb
@@ -17,6 +17,7 @@ class Configurator
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
     attr_accessor :service_provider
+    attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
 
     def initialize
diff --git a/lib/saml_idp/request.rb b/lib/saml_idp/request.rb
@@ -105,6 +105,11 @@ def valid?
         return false
       end
 
+      if !service_provider.acceptable_response_hosts.include?(response_host)
+        log "No acceptable AssertionConsumerServiceURL, either configure them via config.service_provider.response_hosts or match to your metadata_url host"
+        return false
+      end
+
       return true
     end
 
@@ -136,6 +141,14 @@ def session_index
       @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
     end
 
+    def response_host
+      uri = URI(response_url)
+      if uri
+        uri.host
+      end
+    end
+    private :response_host
+
     def document
       @_document ||= Saml::XML::Document.parse(raw_xml)
     end
diff --git a/lib/saml_idp/service_provider.rb b/lib/saml_idp/service_provider.rb
@@ -13,6 +13,7 @@ class ServiceProvider
     attribute :validate_signature
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
+    attribute :response_hosts
 
     delegate :config, to: :SamlIdp
 
@@ -46,6 +47,19 @@ def current_metadata
       @current_metadata ||= get_current_or_build
     end
 
+    def acceptable_response_hosts
+      hosts = Array(self.response_hosts)
+      hosts.push(metadata_url_host) if metadata_url_host
+
+      hosts
+    end
+
+    def metadata_url_host
+      if metadata_url.present?
+        URI(metadata_url).host
+      end
+    end
+
     def get_current_or_build
       persisted = metadata_getter[identifier, self]
       if persisted.is_a? Hash
diff --git a/spec/acceptance/idp_controller_spec.rb b/spec/acceptance/idp_controller_spec.rb
@@ -4,8 +4,9 @@
   scenario 'Login via default signup page' do
     saml_request = make_saml_request("http://foo.example.com/saml/consume")
     visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
-    fill_in 'Email', :with => "foo@example.com"
-    fill_in 'Password', :with => "okidoki"
+    expect(status_code).to eq(200)
+    fill_in 'email', :with => "foo@example.com"
+    fill_in 'password', :with => "okidoki"
     click_button 'Sign in'
     click_button 'Submit'   # simulating onload
     expect(current_url).to eq('http://foo.example.com/saml/consume')
diff --git a/spec/lib/saml_idp/encryptor_spec.rb b/spec/lib/saml_idp/encryptor_spec.rb
@@ -5,19 +5,19 @@
 module SamlIdp
   describe Encryptor do
     let (:encryption_opts) do
-      {   
+      {
         cert: Default::X509_CERTIFICATE,
         block_encryption: 'aes256-cbc',
         key_transport: 'rsa-oaep-mgf1p',
-      }   
+      }
     end
 
     subject { described_class.new encryption_opts }
 
     it "encrypts XML" do
       raw_xml = '<foo>bar</foo>'
       encrypted_xml = subject.encrypt(raw_xml)
-      expect(encrypted_xml).to_not match 'bar'
+      expect(encrypted_xml).to_not match raw_xml
       encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
       encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
       decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -45,5 +45,7 @@
   end
 end
 
+SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'
+SamlIdp::Default::SERVICE_PROVIDER[:response_hosts] = ['foo.example.com']
 SamlIdp::Default::SERVICE_PROVIDER[:assertion_consumer_logout_service_url] = 'https://foo.example.com/saml/logout'
 Capybara.default_host = "https://app.example.com"
