Pass options with :get_params to signature validation #50
Conversation
| def valid_signature?(fingerprint) | ||
| signed? && | ||
| signed_document.validate(fingerprint, :soft) | ||
| def options_have_signature(options) |
There was a problem hiding this comment.
This seems slightly unnecessary as a separate method, or at least unnecessary as a public method
There was a problem hiding this comment.
Good point. Marked as private in 381640e
I made it a method to avoid having a really long line with mixed booleans.
|
It seems we took a relatively single-entry interface and just added "options" - is there a way we could solve this without passing ambiguous options all the way down and changing the signature of a string of methods? For instance, perhaps we accept options at the top, convert the inputs into something relatively consistent (perhaps even put a class in between to make things easier to access consistently) then return to business as usual |
|
I agree that it would have been preferable to not change so many method signatures. The dilemma is that the class that really requires a change is
I followed the pattern in ruby-saml: |
|
@jphenow I'd be happy to try a different approach for this; I'm just honestly not sure how. The architecture of the lib puts all the signature checking in an internal-only class. The ruby-saml lib architecture puts the signature checking in an external Utils class. Maybe that approach works better here? |
|
There's a related discussion here: SAML-Toolkits/python-saml#153 (comment) Note that when using DEFLATE in a SAMLRequest (as |
| @@ -24,7 +24,7 @@ def validate_saml_request(raw_saml_request = params[:SAMLRequest]) | |||
| end | |||
|
|
|||
| def decode_request(raw_saml_request) | |||
| self.saml_request = Request.from_deflated_request(raw_saml_request) | |||
| self.saml_request = Request.from_deflated_request(raw_saml_request, get_params: params) | |||
|
Thinking on this one.. I have some ideas, I may pull the feature you're looking for and use it as an opportunity for a minor restructure. I'll come back with something soon |
|
@jphenow are you still thinking on this one? Or is this something that is going to see the light of day? |
|
I'm not actively overseeing this project at the moment and would rather not step on those that are now caring for it. @mvastola how do you feel about these changes? |
|
assuming 18F fork is the relevant one now. |
The RubySaml lib supports signature validation via GET params as well as embedded within the XML document itself. This PR adds similar support, especially for Logout requests, where signature is necessary to prevent cross-site attacks.