ruby-saml 0.8.10 → 0.8.15

data/test/responses/valid_response.xml.base64

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGJjODI2YWZkLWU5ZmUtZDNmYi1kODc0LWM0NzAwYzNlZjBjOCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZiLTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbDI8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhiYzgyNmFmZC1lOWZlLWQzZmItZDg3NC1jNDcwMGMzZWYwYzgiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPkl6NFpRbHMzQUpaRGIzczh2Y1VYLzNSYytGUT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+UWhLSm1vbnlzUDFxbW5hN1MrZUUxTGMycktBampDMk9HclFPZ1NqUHBUb2N1bVE2aFlIa3pUU1pyN3QvSS9LVE9TdkhDUXFEMXJoNGxTMGpEUC9FdUhOQUN0azlZN2xsMlV5Z3U3MkwrYkZ0cVoyOURuOXJMa1NkR3JpK0k3SGh4TDM2N2RmQVNTaDYrc3k3V2V2RWRrTWZ3ZURRMkFYL3NhNkJCR2d6N1RFPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDR3pDQ0FZUUNDUUNOTmNRWG9tMzJWREFOQmdrcWhraUc5dzBCQVFVRkFEQlNNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0JNQ1NVNHhGVEFUQmdOVkJBY1RERWx1WkdsaGJtRndiMnhwY3pFUk1BOEdBMVVFQ2hNSVQyNWxURzluYVc0eEREQUtCZ05WQkFzVEEwVnVaekFlRncweE5EQTBNak14T0RReE1ERmFGdzB4TlRBME1qTXhPRFF4TURGYU1GSXhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJRXdKSlRqRVZNQk1HQTFVRUJ4TU1TVzVrYVdGdVlYQnZiR2x6TVJFd0R3WURWUVFLRXdoUGJtVk1iMmRwYmpFTU1Bb0dBMVVFQ3hNRFJXNW5NSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURvNm0rUVp2WVEveEwwRWxMZ3VwSzFRRGNZTDRmNVBja3dzTmdTOXBVdlY3ZnpUcUNIazhUaEx4VGs0Mk1RMk1jSnNPZVVKVlA3MjhLaHltakZDcXhnUDRWdXdSazlycEFsMCttaHk2TVBkeWp5QTZHMTRqckRXUzY1eXNMY2hLNHQvdndwRUR6MFNRbEVvRzFrTXpsbFNtN3paUzNYcmVnQTdEak5hVVlRcXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBTE0ydkdDaVEvdm0rYTZ2NDArVlgyemRxSEEyUS8xdkYxaWJReko1NE1KQ09WV3ZzK3ZRWGZaRmhkbTBPUE0ySXJEVTdvcXZLUHFQNnhPQWVKSzZIMHlQN000WUwzZmF0U3ZJWW1tZnlYQzlrdDNTdnovTnlySHpQaFVuSjB5ZS9zVVNYeG56UXh3Y20vOVB3QXFyUWFBM1FwUWtINTd5YkYvT29yeVBlKzJoPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4OTUxNmIwZjMtNDUzNi0xMGY2LWM2ZmEtOWRkNTIzZTE0OThjIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwyPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+dGVzdEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMzAtMDYtMDRUMDI6Mjc6MDJaIiBSZWNpcGllbnQ9InJlY2lwaWVudCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDExLTA2LTA0VDAyOjE3OjAyWiIgTm90T25PckFmdGVyPSIyMDMwLTA2LTA0VDAyOjI3OjAyWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NvbWVvbmUuZXhhbXBsZS5jb20vYXVkaWVuY2U8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA2LTA0VDAyOjIyOjAyWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAzMC0wNi0wNVQwMjoyMjowMloiIFNlc3Npb25JbmRleD0iXzE2ZjU3MGZiYzAzMTUwMDdhMDM1NWRmZWE2YjNjNDZjIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

data/test/responses/valid_response_without_x509certificate.xml.base64

@@ -0,0 +1 @@
+pVZdd9o4EH3fc/Y/+LiPOcayDTb4BLoU0oSWfBDTbpuXPbI0Bie25Egi0Pz6lQ04kJI03X2CGY/u3LkjjXT8fpVnxgMImXLWNZ0GMt/3/vzjWOI8K8JrkAVnEgwdxGRYOrvmQrCQY5nKkOEcZKhIGPXPx6HbQCGWEoTSUObOkuL1NYXgihOemcZo2DWLZBWTtuvjhFrQScCiXhJbtB00LdIMECIeJIi0TePrlrPG0EulXMCISYWZ0i7kNC3kW6g5RW7ouiFyb0xjCFKlDKtq1VypIrRtXBSNfEFxg3FbSm4TXe4iBw3ItsVPedf8JyFN7DVjZAWg6SDHBYtgDFbQdmMSO14ce22zV8kWVlxEr8wgNyk4g4zPUtYgPLfLIPfY3o09pjKM0pkmtxBbtamsWS6Xy8bSa3Axs12EkI06to6hMp29M3W3DGO7HuiIJbyCG2DGWUpwlj5WJZ+DmnNq9LMZF6ma5y+AO7aDSnALVsQiTpO9M+0qxVOSiuQb4fa4CoktOcfOBrHEu4YEBDACxpfrUdd899b2VyVOBWYy4SKX++bvsQL2oJtTALXktjhN8PcAD6p2bP/McZjO9C78L+JthHsC+YqzBfRGj82bSSa9/qebYezJ9gP58s32rsnRx0m3IrAbXDlqydfms21TN3i9YjL//Cnn7Ie8cu5zhoPoCE6cMXHF5/7t7cC9PBWTy1l0e1VMOVnkE3/+/ezucRrdiEDZI/vz9DJ6OBtM7oeOmDezCN0Or+yTxdlFf6DuOt+DLHO//JgtAnd8FH9U9zduZ8g6YnwX0VORHo2Cs/lq7PkBTfpRNPeP5I/gb3g4oXfnyRKGE7f/TR8i/8OH09ljMD3p1uXs8NejbM/b20y2SGlT7lsDTsGolr0+sGQVHUYLQkDKqtE/g4b97SjcHOfVS8fZsb+djyMyhxybdWz662ArrcYdgZ9m4XqMdlqOH6PEs5otz7cclPgW8RNsdShtuR44zU6bvGlw/o+xVhnRIr4FojbWhdZzNDQ+6iOB1ctCOw2n8qTUSqrQUJecZn1KRSl6T+lN/ddu/k3mNfx+5gFnSVpilN1Yn73XO0zyMAYsQJgvAw2xwsYFV5fsUvQTBaJUz0M76gXra+caSFqkUMortn/rTXMI+dmnDQUdQdPysyyzfgCtClQNc55SOpuUb6C13aULmpazQF92SqRknX7vS91wyXPQgjdghfMig6rneBO0YVyveWbvodvPyqnzqTkrTxDkWiCjMn9xoUd6J2iEF6ptHQgdMQorfZ07ftIKUBIT5DkthAKMvFaLJoD92CNNn5i7pDRVBSt1wDXI9INHz9Peq28iEpIyTruv9M+SC3qlnzy6s0Cr26HgQtWCHQA/8G3PV4tWe7ejp55M27dM718=

data/test/settings_test.rb

@@ -1,12 +1,12 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class SettingsTest < Test::Unit::TestCase
+class SettingsTest < Minitest::Test
 
-  context "Settings" do
-    setup do
+  describe "Settings" do
+    before do
       @settings = OneLogin::RubySaml::Settings.new
     end
-    should "should provide getters and settings" do
+    it "should provide getters and settings" do
       accessors = [
         :assertion_consumer_service_url, :issuer, :sp_entity_id, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
@@ -22,7 +22,7 @@ class SettingsTest < Test::Unit::TestCase
       end
     end
 
-    should "create settings from hash" do
+    it "create settings from hash" do
 
       config = {
           :assertion_consumer_service_url => "http://app.muda.no/sso",

data/test/test_helper.rb

@@ -1,17 +1,22 @@
 require 'rubygems'
-require 'test/unit'
 require 'minitest/autorun'
 require 'shoulda'
 require 'mocha/setup'
 require 'timecop'
 
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'ruby-saml'
 
 ENV["ruby-saml/testing"] = "1"
 
-class Test::Unit::TestCase
+class Minitest::Test
   def fixture(document, base64 = true)
     response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
     if base64 && response =~ /\.xml$/
@@ -21,32 +26,48 @@ class Test::Unit::TestCase
     end
   end
 
+  def random_id
+    RUBY_VERSION < '1.9' ? "_#{UUID.new.generate}" : "_#{SecureRandom.uuid}"
+  end
+
+  def read_invalid_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
+  end
+
+  def read_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", response))
+  end
+
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
+
   def response_document
-    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
+    @response_document ||= read_response('response1.xml.base64')
   end
 
   def response_document_2
-    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+    @response_document2 ||= read_response('response2.xml.base64')
   end
 
   def response_document_3
-    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+    @response_document3 ||= read_response('response3.xml.base64')
   end
 
   def response_document_4
-    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+    @response_document4 ||= read_response('response4.xml.base64')
   end
 
   def response_document_5
-    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+    @response_document5 ||= read_response('response5.xml.base64')
   end
 
   def r1_response_document_6
-    @response_document6 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'r1_response6.xml.base64'))
+    @response_document6 ||= read_response('r1_response6.xml.base64')
   end
 
   def ampersands_response
-    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+    @ampersands_resposne ||= read_response('response_with_ampersands.xml.base64')
   end
 
   def response_document_6
@@ -56,6 +77,22 @@ class Test::Unit::TestCase
     Base64.encode64(doc)
   end
 
+  def response_document_wrapped
+    @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
+  end
+
+  def response_document_valid_signed
+    response_document_valid_signed ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'valid_response.xml.base64'))
+  end
+
+  def response_document_valid_signed_without_x509certificate
+    @response_document_valid_signed_without_x509certificate ||= read_response("valid_response_without_x509certificate.xml.base64")
+  end
+
+  def response_document_without_recipient
+    @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
+  end
+
   def wrapped_response_2
     @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
   end
@@ -64,12 +101,24 @@ class Test::Unit::TestCase
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
 
+  def signature_fingerprint_valid_res
+    @signature_fingerprint1 ||= "4b68c453c7d994aad9025c99d5efcf566287fe8d"
+  end
+
   def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+    @signature1 ||= read_certificate('certificate1')
   end
 
   def r1_signature_2
-    @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
+    @signature2 ||= read_certificate('r1_certificate2_base64')
+  end
+
+  def valid_cert
+    @signature_valid_cert ||= read_certificate('ruby-saml.crt')
+  end
+
+  def valid_key
+    @signature_valid_cert ||= read_certificate('ruby-saml.key')
   end
 
   def response_with_multiple_attribute_statements
@@ -79,40 +128,60 @@ class Test::Unit::TestCase
   def response_multiple_attr_values
     @response_multiple_attr_values = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
   end
-end
 
-def ruby_saml_cert_text
-  read_certificate("ruby-saml.crt")
-end
+  def ruby_saml_cert
+    @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+  end
 
-def ruby_saml_key_text
-  read_certificate("ruby-saml.key")
-end
+  def ruby_saml_cert2
+    @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
+  end
 
-def read_certificate(certificate)
-  File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
-end
+  def ruby_saml_cert_fingerprint
+    @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
+  end
 
-def decode_saml_request_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
-  decoded = Base64.decode64(payload)
+  def ruby_saml_cert_text
+    read_certificate("ruby-saml.crt")
+  end
 
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
-end
+  def ruby_saml_cert_text2
+    read_certificate("ruby-saml-2.crt")
+  end
+
+  def ruby_saml_key_text
+    read_certificate("ruby-saml.key")
+  end
 
-# decodes a base64 encoded SAML response for use in SloLogoutresponse tests
-#
-def decode_saml_response_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
-  decoded = Base64.decode64(payload)
-
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
+  def ruby_saml_key
+    @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
+  end
+
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
+
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+
+  # decodes a base64 encoded SAML response for use in SloLogoutresponse tests
+  #
+  def decode_saml_response_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
 end

data/test/utils_test.rb

@@ -1,38 +1,38 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class UtilsTest < Test::Unit::TestCase
-  context "Utils" do
-    context 'element_text' do
-      should 'returns the element text' do
+class UtilsTest < Minitest::Test
+  describe "Utils" do
+    describe 'element_text' do
+      it 'returns the element text' do
         element = REXML::Document.new('<element>element text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
 
-      should 'returns all segments of the element text' do
+      it 'returns all segments of the element text' do
         element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
 
-      should 'returns normalized element text' do
+      it 'returns normalized element text' do
         element = REXML::Document.new('<element>element &amp; text</element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
 
-      should 'returns the CDATA element text' do
+      it 'returns the CDATA element text' do
         element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
 
-      should 'returns the element text with newlines and additional whitespace' do
+      it 'returns the element text with newlines and additional whitespace' do
         element = REXML::Document.new("<element>  element \n text  </element>").elements.first
         assert_equal "  element \n text  ", OneLogin::RubySaml::Utils.element_text(element)
       end
 
-      should 'returns nil when element is nil' do
+      it 'returns nil when element is nil' do
         assert_nil OneLogin::RubySaml::Utils.element_text(nil)
       end
 
-      should 'returns empty string when element has no text' do
+      it 'returns empty string when element has no text' do
         element = REXML::Document.new('<element></element>').elements.first
         assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
       end

data/test/xml_security_test.rb

@@ -1,94 +1,197 @@
-require 'test_helper'
-require 'xml_security'
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class XmlSecurityTest < Test::Unit::TestCase
+class XmlSecurityTest < Minitest::Test
   include XMLSecurity
 
-  context "XmlSecurity" do
-    setup do
-      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
-      @base64cert = @document.elements["//ds:X509Certificate"].text
+  describe "XmlSecurity" do
+
+    let(:decoded_response) { Base64.decode64(response_document_without_recipient) }
+    let(:document) { XMLSecurity::SignedDocument.new(decoded_response) }
+    let(:settings) { OneLogin::RubySaml::Settings.new() }
+
+    before do
+      @base64cert = document.elements["//ds:X509Certificate"].text
     end
 
-    should "should run validate without throwing NS related exceptions" do
-      assert !@document.validate_signature(@base64cert, true)
+    it "should run validate without throwing NS related exceptions" do
+      assert !document.validate_signature(@base64cert, true)
     end
 
-    should "should run validate with throwing NS related exceptions" do
-      assert_raise(OneLogin::RubySaml::ValidationError) do
-        @document.validate_signature(@base64cert, false)
+    it "should run validate with throwing NS related exceptions" do
+      assert_raises(OneLogin::RubySaml::ValidationError) do
+        document.validate_signature(@base64cert, false)
       end
     end
 
-    should "not raise an error when softly validating the document multiple times" do
-      assert_nothing_raised do
-        2.times { @document.validate_signature(@base64cert, true) }
-      end
+    it "not raise an error when softly validating the document multiple times" do
+      2.times { assert_equal document.validate_signature(@base64cert, true), false }
     end
 
-    should "should raise Fingerprint mismatch" do
-      exception = assert_raise(OneLogin::RubySaml::ValidationError) do
-        @document.validate_document("no:fi:ng:er:pr:in:t", false)
+    it "not raise an error when softly validating the document and the X509Certificate is missing" do
+      decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      assert !mod_document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
+    end
+
+    it "should raise Fingerprint mismatch" do
+      exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+        document.validate_document("no:fi:ng:er:pr:in:t", false)
       end
       assert_equal("Fingerprint mismatch", exception.message)
     end
 
-    should "should raise Digest mismatch" do
-      exception = assert_raise(OneLogin::RubySaml::ValidationError) do
-        @document.validate_signature(@base64cert, false)
+    it "should raise Digest mismatch" do
+      exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+        document.validate_signature(@base64cert, false)
       end
       assert_equal("Digest mismatch", exception.message)
     end
 
-    should "should raise Key validation error" do
-      response = Base64.decode64(response_document)
-      response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+    it "should raise Key validation error" do
+      decoded_response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
                     "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
-      document = XMLSecurity::SignedDocument.new(response)
-      base64cert = document.elements["//ds:X509Certificate"].text
-      exception = assert_raise(OneLogin::RubySaml::ValidationError) do
-        document.validate_signature(base64cert, false)
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      base64cert = mod_document.elements["//ds:X509Certificate"].text
+      exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+        mod_document.validate_signature(base64cert, false)
       end
       assert_equal("Key validation error", exception.message)
     end
 
-    should "raise validation error when the X509Certificate is missing" do
-      response = Base64.decode64(response_document)
-      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
-      document = XMLSecurity::SignedDocument.new(response)
-      exception = assert_raise(OneLogin::RubySaml::ValidationError) do
-        document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
+    it "correctly obtain the digest method with alternate namespace declaration" do
+      adfs_document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_xmlns, false))
+      base64cert = adfs_document.elements["//X509Certificate"].text
+      assert adfs_document.validate_signature(base64cert, false)
+    end
+
+    it "raise validation error when the X509Certificate is missing and no cert provided" do
+      decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+        mod_document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
       end
-      assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+      assert_equal("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", exception.message)
+    end
+
+    it "invalidaties when the X509Certificate is missing and the cert is provided but mismatches" do
+      decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      cert = OpenSSL::X509::Certificate.new(ruby_saml_cert)
+      assert !mod_document.validate_document("a fingerprint", true, :cert => cert) # The fingerprint isn't relevant to this test
+    end
+  end
+
+  describe "#canon_algorithm" do
+    it "C14N_EXCLUSIVE_1_0" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#WithComments")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("other")
+    end
+
+    it "C14N_1_0" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_1_0
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments")
+    end
+
+    it "XML_C14N_1_1" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_1_1
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11#WithComments")
     end
   end
 
-  context "Algorithms" do
-    should "validate using SHA1" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+  describe "#algorithm" do
+    it "SHA1" do
+      alg = OpenSSL::Digest::SHA1
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#sha1")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("other")
     end
 
-    should "validate using SHA256" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
-      assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+    it "SHA256" do
+      alg = OpenSSL::Digest::SHA256
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha256")
     end
 
-    should "validate using SHA384" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    it "SHA384" do
+      alg = OpenSSL::Digest::SHA384
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha384")
     end
 
-    should "validate using SHA512" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    it "SHA512" do
+      alg = OpenSSL::Digest::SHA512
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha512")
     end
   end
 
-  context "XmlSecurity::SignedDocument" do
+  describe "Fingerprint Algorithms" do
+    let(:response_fingerprint_test) { OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha1, false)) }
+
+    it "validate using SHA1" do
+      sha1_fingerprint = "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72"
+      sha1_fingerprint_downcase = "f13c6b80905a030e6c913e5d15faddb016454872"
+
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
+
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase)
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
+    end
+
+    it "validate using SHA256" do
+      sha256_fingerprint = "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21"
+
+      assert !response_fingerprint_test.document.validate_document(sha256_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha256_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA256)
+    end
+
+    it "validate using SHA384" do
+      sha384_fingerprint = "98:FE:17:90:31:E7:68:18:8A:65:4D:DA:F5:76:E2:09:97:BE:8B:E3:7E:AA:8D:63:64:7C:0C:38:23:9A:AC:A2:EC:CE:48:A6:74:4D:E0:4C:50:80:40:B4:8D:55:14:14"
+
+      assert !response_fingerprint_test.document.validate_document(sha384_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha384_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA384)
+    end
 
-    context "#extract_inclusive_namespaces" do
-      should "support explicit namespace resolution for exclusive canonicalization" do
+    it "validate using SHA512" do
+      sha512_fingerprint = "5A:AE:BA:D0:BA:9D:1E:25:05:01:1E:1A:C9:E9:FF:DB:ED:FA:6E:F7:52:EB:45:49:BD:DB:06:D8:A3:7E:CC:63:3A:04:A2:DD:DF:EE:61:05:D9:58:95:2A:77:17:30:4B:EB:4A:9F:48:4A:44:1C:D0:9E:0B:1E:04:77:FD:A3:D2"
+
+      assert !response_fingerprint_test.document.validate_document(sha512_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha512_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA512)
+    end
+
+  end
+
+  describe "Signature Algorithms" do
+    it "validate using SHA1" do
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    it "validate using SHA256" do
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+      assert document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+    end
+
+    it "validate using SHA384" do
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    it "validate using SHA512" do
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+  end
+
+  describe "XmlSecurity::SignedDocument" do
+
+    describe "#extract_inclusive_namespaces" do
+      it "support explicit namespace resolution for exclusive canonicalization" do
         response = fixture(:open_saml_response, false)
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
@@ -96,7 +199,7 @@ class XmlSecurityTest < Test::Unit::TestCase
         assert_equal %w[ xs ], inclusive_namespaces
       end
 
-      should "support implicit namespace resolution for exclusive canonicalization" do
+      it "support implicit namespace resolution for exclusive canonicalization" do
         response = fixture(:no_signature_ns, false)
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
@@ -104,57 +207,245 @@ class XmlSecurityTest < Test::Unit::TestCase
         assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
       end
 
-      should_eventually 'support inclusive canonicalization' do
-
+      it 'support inclusive canonicalization' do
+        skip('test not yet implemented')
         response = OneLogin::RubySaml::Response.new(fixture("tdnf_response.xml"))
         response.stubs(:conditions).returns(nil)
         assert !response.is_valid?
-        settings = OneLogin::RubySaml::Settings.new
         assert !response.is_valid?
         response.settings = settings
         assert !response.is_valid?
         settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
-        assert response.validate!
+        assert response.is_valid?
       end
 
-      should "return an empty list when inclusive namespace element is missing" do
+      it "return nil when inclusive namespace element is missing" do
         response = fixture(:no_signature_ns, false)
         response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
 
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
 
-        assert inclusive_namespaces.empty?
+        assert inclusive_namespaces.nil?
       end
     end
 
-    context "StarfieldTMS" do
-      setup do
+    describe "XMLSecurity::DSIG" do
+      before do
+        settings.idp_sso_target_url = "https://idp.example.com/sso"
+        settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        settings.idp_slo_target_url = "https://idp.example.com/slo",
+        settings.sp_entity_id = "https://sp.example.com/saml2"
+        settings.assertion_consumer_service_url = "https://sp.example.com/acs"
+        settings.single_logout_service_url = "https://sp.example.com/sls"
+      end
+
+      it "sign an AuthNRequest" do
+        request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+        request.sign_document(ruby_saml_key, ruby_saml_cert)
+        # verify our signature
+        signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+
+        request2 = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+        request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(request2.to_s)
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+      end
+
+      it "sign an AuthNRequest with certificate as text" do
+        request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+        request.sign_document(ruby_saml_key, ruby_saml_cert_text)
+
+        # verify our signature
+        signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+      end
+
+      it "sign a LogoutRequest" do
+        logout_request = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
+        logout_request.sign_document(ruby_saml_key, ruby_saml_cert)
+        # verify our signature
+        signed_doc = XMLSecurity::SignedDocument.new(logout_request.to_s)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+
+        logout_request2 = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
+        logout_request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(logout_request2.to_s)
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+      end
+
+      it "sign a LogoutResponse" do
+        logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
+        logout_response.sign_document(ruby_saml_key, ruby_saml_cert)
+        # verify our signature
+        signed_doc = XMLSecurity::SignedDocument.new(logout_response.to_s)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+
+        logout_response2 = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
+        logout_response2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(logout_response2.to_s)
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+      end
+    end
+
+    describe "StarfieldTMS" do
+      before do
         @response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
-        @response.settings = OneLogin::RubySaml::Settings.new(
-                                                          :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
-                                                          )
+        @response.settings = OneLogin::RubySaml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D")
       end
 
-      should "be able to validate a good response" do
+      it "be able to validate a good response" do
         Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
           assert @response.validate!
         end
       end
 
-      should "fail before response is valid" do
+      it "fail before response is valid" do
         Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
           assert ! @response.is_valid?
         end
       end
 
-      should "fail after response expires" do
+      it "fail after response expires" do
         Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
           assert ! @response.is_valid?
         end
       end
     end
 
-  end
+    describe '#validate_document' do
+      describe 'with valid document' do
+        describe 'when response has signed message and assertion' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+          it 'is valid' do
+            assert document.validate_document(fingerprint, true), 'Document should be valid'
+          end
+        end
+
+        describe 'when response has signed assertion' do
+          let(:document_data) { read_response('response_with_signed_assertion_3.xml') }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+          it 'is valid' do
+            assert document.validate_document(fingerprint, true), 'Document should be valid'
+          end
+        end
+      end
+
+      describe 'signature_wrapping_attack' do
+        let(:document_data) { read_invalid_response("signature_wrapping_attack.xml.base64") }
+        let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+        let(:fingerprint) { 'afe71c28ef740bc87425be13a2263d37971da1f9' }
+
+        it 'is invalid' do
+          assert !document.validate_document(fingerprint, true), 'Document should be invalid'
+        end
+      end
+
+      describe 'signature wrapping attack - doubled SAML response body' do
+        let(:document_data) { read_invalid_response("response_with_doubled_signed_assertion.xml") }
+        let(:document) { OneLogin::RubySaml::Response.new(document_data) }
+        let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+        it 'is valid, but the unsigned information is ignored in favour of the signed information' do
+          assert document.document.validate_document(fingerprint, true), 'Document should be valid'
+          assert_equal 'someone@example.org', document.name_id, 'Document should expose only signed, valid details'
+        end
+      end
+
+      describe 'signature wrapping attack - concealed SAML response body' do
+        let(:document_data) { read_invalid_response("response_with_concealed_signed_assertion.xml") }
+        let(:document) { OneLogin::RubySaml::Response.new(document_data) }
+        let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+        it 'is valid, but fails to retrieve information' do
+          assert document.document.validate_document(fingerprint, true), 'Document should be valid'
+          assert document.name_id.nil?, 'Document should expose only signed, valid details'
+        end
+      end
 
+      describe 'when response has no cert and you provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+        let(:options) { {} }
+
+        it 'is valid' do
+          options[:cert] = idp_cert
+          assert document.document.validate_document(idp_cert, true, options), 'Document should be valid'
+        end
+
+        it 'is valid if cert text instead x509cert provided' do
+          options[:cert] = ruby_saml_cert_text
+          assert document.document.validate_document(idp_cert, true, options), 'Document should be valid'
+        end
+      end
+
+      describe 'when response has no cert and you dont provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:options) { {} }
+        let(:idp_cert) { nil }
+
+        it 'is invalid' do
+          options[:cert] = idp_cert
+          assert !document.document.validate_document(idp_cert, true, options), 'Document should not be valid'
+        end
+
+        it 'is invalid and error raised' do
+          options[:cert] = idp_cert
+          assert_raises(OneLogin::RubySaml::ValidationError) do
+            document.document.validate_document(idp_cert, false, options)
+          end
+        end
+      end
+    end
+
+    describe '#validate_document_with_cert' do
+      describe 'with valid document ' do
+        describe 'when response has cert' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+          let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+
+        describe 'when response has no cert and you provide cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+
+        describe 'when response has no cert and you dont provide cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { nil }
+
+          it 'is invalid' do
+            assert !document.validate_document_with_cert(idp_cert), 'Document should not be valid'
+          end
+
+          it 'is invalid and error raised' do
+            assert_raises(OneLogin::RubySaml::ValidationError) do
+              document.validate_document_with_cert(idp_cert, false)
+            end
+          end
+        end
+      end
+    end
+  end
 end