# frozen_string_literal: true
module Gitlab
module Auth
module Saml
class OriginValidator
  # Ties an inbound SAML response back to the AuthnRequest this application
  # issued: the response's InResponseTo must equal the request id recorded in
  # the session, otherwise the login is not considered GitLab-initiated.

  # Session key holding the id of the most recently issued AuthnRequest.
  AUTH_REQUEST_SESSION_KEY = "last_authn_request_id".freeze

  # @param session [#[], #[]=] the request session; +nil+ is accepted and
  #   replaced by an empty Hash, in which case no response can ever match.
  def initialize(session)
    @session = session || {}
  end

  # Records the id of the outgoing AuthnRequest so the later response can be
  # correlated with it.
  #
  # @param authn_request [#uuid] the request being sent to the identity provider
  # @return [String] the stored uuid
  def store_origin(authn_request)
    session[AUTH_REQUEST_SESSION_KEY] = authn_request.uuid
  end

  # @param saml_response [#in_response_to]
  # @return [Boolean] +true+ only when the response carries an InResponseTo
  #   equal to the id stored by {#store_origin}. Both IdP-initiated responses
  #   (blank InResponseTo) and responses for some other request id yield +false+.
  def gitlab_initiated?(saml_response)
    !identity_provider_initiated?(saml_response) && matches?(saml_response)
  end

  private

  attr_reader :session

  # Plain +==+ against the stored id; when nothing was stored the expected id
  # is +nil+ and a non-blank InResponseTo can therefore never match.
  def matches?(saml_response)
    saml_response.in_response_to == expected_request_id
  end

  # A response with no InResponseTo was not solicited by us, i.e. the flow was
  # started at the identity provider. Relies on ActiveSupport's +blank?+.
  def identity_provider_initiated?(saml_response)
    saml_response.in_response_to.blank?
  end

  # NOTE(review): the stored id is only read here, never removed, so it remains
  # accepted for the lifetime of the session — confirm that replay of a matching
  # response is rejected elsewhere (e.g. by the SAML library's assertion checks).
  def expected_request_id
    session[AUTH_REQUEST_SESSION_KEY]
  end
end
end
end
end