ruby-saml 0.8.11 → 0.8.16

data/test/logoutresponse_test.rb

@@ -1,27 +1,27 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'rexml/document'
-require 'responses/logoutresponse_fixtures'
+require File.expand_path(File.join(File.dirname(__FILE__), "responses/logoutresponse_fixtures"))
 
-class LogoutResponseTest < Test::Unit::TestCase
+class LogoutResponseTest < Minitest::Test
 
-  context "Logoutresponse" do
-    context "#new" do
-      should "raise an exception when response is initialized with nil" do
+  describe "Logoutresponse" do
+
+    describe "#new" do
+      it "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
-      should "default to empty settings" do
+      it "default to empty settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
         assert logoutresponse.settings.nil?
       end
-      should "accept constructor-injected settings" do
+      it "accept constructor-injected settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
         assert !logoutresponse.settings.nil?
       end
-      should "accept constructor-injected options" do
+      it "accept constructor-injected options" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
-      should "support base64 encoded responses" do
+      it "support base64 encoded responses" do
         expected_response = valid_response
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
 
@@ -29,21 +29,21 @@ class LogoutResponseTest < Test::Unit::TestCase
       end
     end
 
-    context "#validate" do
-      should "validate the response" do
+    describe "#validate" do
+      it "validate the response" do
         in_relation_to_request_id = random_id
-
+        settings.idp_entity_id = "https://example.com/idp"
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
 
         assert logoutresponse.validate
 
-        assert_equal settings.sp_entity_id, logoutresponse.issuer
+        assert_equal settings.idp_entity_id, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
         assert logoutresponse.success?
       end
 
-      should "invalidate responses with wrong id when given option :matches_uuid" do
+      it "invalidate responses with wrong id when given option :matches_uuid" do
 
         expected_request_id = "_some_other_expected_uuid"
         opts = { :matches_request_id => expected_request_id}
@@ -51,10 +51,10 @@ class LogoutResponseTest < Test::Unit::TestCase
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
 
         assert !logoutresponse.validate
-        assert_not_equal expected_request_id, logoutresponse.in_response_to
+        assert expected_request_id != logoutresponse.in_response_to
       end
 
-      should "invalidate responses with wrong request status" do
+      it "invalidate responses with wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
 
         assert !logoutresponse.validate
@@ -62,8 +62,8 @@ class LogoutResponseTest < Test::Unit::TestCase
       end
     end
 
-    context "#validate!" do
-      should "validates good responses" do
+    describe "#validate!" do
+      it "validates good responses" do
         in_relation_to_request_id = random_id
 
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
@@ -71,7 +71,7 @@ class LogoutResponseTest < Test::Unit::TestCase
         logoutresponse.validate!
       end
 
-      should "raises validation error when matching for wrong request id" do
+      it "raises validation error when matching for wrong request id" do
 
         expected_request_id = "_some_other_expected_id"
         opts = { :matches_request_id => expected_request_id}
@@ -81,27 +81,13 @@ class LogoutResponseTest < Test::Unit::TestCase
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      should "raise validation error for wrong request status" do
+      it "raise validation error for wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
 
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      should "raise validation error when in bad state" do
-        # no settings
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
-
-      should "raise validation error when in lack of sp_entity_id setting" do
-        bad_settings = settings
-        bad_settings.issuer = nil
-        bad_settings.sp_entity_id = nil
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
-
-      should "raise error for invalid xml" do
+      it "raise error for invalid xml" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
 
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
@@ -109,10 +95,4 @@ class LogoutResponseTest < Test::Unit::TestCase
     end
 
   end
-
-  # logoutresponse fixtures
-  def random_id
-    "_#{UUID.new.generate}"
-  end
-
 end

data/test/requests/logoutrequest_fixtures.rb

@@ -0,0 +1,47 @@
+#encoding: utf-8
+
+def default_request_opts
+  {
+      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
+      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
+      :nameid => "testuser@example.com",
+      :nameid_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      :settings => settings
+  }
+end
+
+def valid_request(opts = {})
+  opts = default_request_opts.merge!(opts)
+
+  "<samlp:LogoutRequest
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
+        ID=\"#{random_id}\" Version=\"2.0\"
+        IssueInstant=\"#{opts[:issue_instant]}\"
+        Destination=\"#{opts[:settings].idp_slo_target_url}\">
+      <saml:Issuer>#{opts[:settings].idp_entity_id}</saml:Issuer>
+      <saml:NameID Format=\"#{opts[:nameid_format]}\">#{opts[:nameid]}</saml:NameID>
+      </samlp:LogoutRequest>"
+end
+
+def invalid_xml_request
+  "<samlp:SomethingAwful
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\">
+      </samlp:SomethingAwful>"
+end
+
+def settings
+  @settings ||= OneLogin::RubySaml::Settings.new(
+      {
+          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
+          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
+          :sp_entity_id => "http://app.muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+      }
+  )
+end

data/test/response_test.rb

@@ -1,13 +1,16 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class ResponseTest < Test::Unit::TestCase
+class ResponseTest <  Minitest::Test
 
-  context "Response" do
-    should "raise an exception when response is initialized with nil" do
-      assert_raises(ArgumentError) { OneLogin::RubySaml::Response.new(nil) }
+  describe "Response" do
+    it "raise an exception when response is initialized with nil" do
+      err = assert_raises(ArgumentError) do
+        OneLogin::RubySaml::Response.new(nil)
+      end
+      assert_equal "Response cannot be nil", err.message
     end
 
-    should "be able to parse a document which contains ampersands" do
+    it "be able to parse a document which contains ampersands" do
       XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
       OneLogin::RubySaml::Response.any_instance.stubs(:validate_conditions).returns(true)
 
@@ -18,7 +21,7 @@ class ResponseTest < Test::Unit::TestCase
       response.validate!
     end
 
-    should "adapt namespace" do
+    it "adapt namespace" do
       response = OneLogin::RubySaml::Response.new(response_document)
       assert !response.name_id.nil?
       response = OneLogin::RubySaml::Response.new(response_document_2)
@@ -27,14 +30,14 @@ class ResponseTest < Test::Unit::TestCase
       assert !response.name_id.nil?
     end
 
-    should "default to raw input when a response is not Base64 encoded" do
+    it "default to raw input when a response is not Base64 encoded" do
       decoded  = Base64.decode64(response_document_2)
       response = OneLogin::RubySaml::Response.new(decoded)
       assert response.document
     end
 
-    context "Assertion" do
-      should "only retreive an assertion with an ID that matches the signature's reference URI" do
+    describe "Assertion" do
+      it "only retreive an assertion with an ID that matches the signature's reference URI" do
         response = OneLogin::RubySaml::Response.new(wrapped_response_2)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
@@ -44,40 +47,109 @@ class ResponseTest < Test::Unit::TestCase
       end
     end
 
-    context "#validate!" do
-      should "raise when encountering a condition that prevents the document from being valid" do
+    describe "#validate!" do
+      it "raise when settings not initialized" do
+        response = OneLogin::RubySaml::Response.new(response_document)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No settings on response", err.message
+      end
+
+      it "raise when encountering a condition that prevents the document from being valid" do
         response = OneLogin::RubySaml::Response.new(response_document)
-        assert_raise(OneLogin::RubySaml::ValidationError) do
+        response.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
           response.validate!
         end
+        assert_equal "Current time is on or after NotOnOrAfter condition", err.message
       end
+
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
+      end
+
+      it "raise when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
+      end
+
+      it "raise when multiple signatures" do
+        response_multiple_signed = OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_multiple_signed.settings = settings
+        response_multiple_signed.stubs(:validate_structure).returns(true)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_multiple_signed.validate!
+        end
+        assert_equal "Duplicated ID. SAML Response rejected", err.message
+      end
+
+      it "raise when fingerprint missmatch" do
+        resp_xml = Base64.decode64(response_document_valid_signed)
+        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response.settings = settings
+
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal 'Fingerprint mismatch', err.message
+      end
+
     end
 
-    context "#is_valid?" do
-      should "return false when response is initialized with blank data" do
+    describe "#is_valid?" do
+      it "return false when response is initialized with blank data" do
         response = OneLogin::RubySaml::Response.new('')
         assert !response.is_valid?
       end
 
-      should "return false if settings have not been set" do
+      it "return false if settings have not been set" do
         response = OneLogin::RubySaml::Response.new(response_document)
         assert !response.is_valid?
       end
 
-      should "return true when the response is initialized with valid data" do
-        response = OneLogin::RubySaml::Response.new(response_document_4)
+      it "return false when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        assert !response.is_valid?
+      end
+
+      it "return true when the response is initialized with valid data" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         assert !response.is_valid?
         settings = OneLogin::RubySaml::Settings.new
         assert !response.is_valid?
         response.settings = settings
         assert !response.is_valid?
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        assert response.is_valid?
+        response.settings.idp_cert_fingerprint = signature_fingerprint_valid_res
+        response.validate!
       end
 
-      should "should be idempotent when the response is initialized with invalid data" do
-        response = OneLogin::RubySaml::Response.new(response_document_4)
+      it "should be idempotent when the response is initialized with invalid data" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
         response.settings = settings
@@ -85,36 +157,58 @@ class ResponseTest < Test::Unit::TestCase
         assert !response.is_valid?
       end
 
-      should "should be idempotent when the response is initialized with valid data" do
-        response = OneLogin::RubySaml::Response.new(response_document_4)
+      it "should be idempotent when the response is initialized with valid data" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
         response.settings = settings
-        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response.settings.idp_cert_fingerprint = signature_fingerprint_valid_res
         assert response.is_valid?
         assert response.is_valid?
       end
 
-      should "return true when using certificate instead of fingerprint" do
-        response = OneLogin::RubySaml::Response.new(response_document_4)
+      it "return true when valid response and using fingerprint" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
         response.settings = settings
-        settings.idp_cert = signature_1
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "4B:68:C4:53:C7:D9:94:AA:D9:02:5C:99:D5:EF:CF:56:62:87:FE:8D"
         assert response.is_valid?
       end
 
-      should "not allow signature wrapping attack" do
+      it "return true when valid response using certificate" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = valid_cert
+        assert response.is_valid?
+      end
+
+      it "not allow signature wrapping attack" do
         response = OneLogin::RubySaml::Response.new(response_document_4)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
         settings.idp_cert_fingerprint = signature_fingerprint_1
         response.settings = settings
-        assert response.is_valid?
+        assert !response.is_valid?
         assert response.name_id == "test@onelogin.com"
       end
 
-      should "support dynamic namespace resolution on signature elements" do
+      it "not allow element wrapping attack" do
+        response_wrapped = OneLogin::RubySaml::Response.new(response_document_wrapped)
+        response_wrapped.stubs(:conditions).returns(nil)
+        response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        settings = OneLogin::RubySaml::Settings.new
+        response_wrapped.settings = settings
+        response_wrapped.settings.idp_cert_fingerprint = signature_fingerprint_1
+
+        assert !response_wrapped.is_valid?
+        assert_nil response_wrapped.name_id
+      end
+
+      it "support dynamic namespace resolution on signature elements" do
         response = OneLogin::RubySaml::Response.new(fixture("no_signature_ns.xml"))
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
@@ -124,35 +218,70 @@ class ResponseTest < Test::Unit::TestCase
         assert response.validate!
       end
 
-      should "validate ADFS assertions" do
-        response = OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha256))
+      it "support signature elements with no KeyInfo if cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
         response.settings = settings
+        settings.idp_cert = ruby_saml_cert
+        settings.idp_cert_fingerprint = nil
+        XMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
         assert response.validate!
       end
 
-      should "validate the digest" do
-        response = OneLogin::RubySaml::Response.new(r1_response_document_6)
+      it "support signature elements with no KeyInfo if cert provided as text" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert = Base64.decode64(r1_signature_2)
         response.settings = settings
+        settings.idp_cert = ruby_saml_cert_text
+        settings.idp_cert_fingerprint = nil
+        XMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
         assert response.validate!
       end
 
-      should "validate SAML 2.0 XML structure" do
-        resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
-        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
+      it "returns an error if the signature contains no KeyInfo, cert is not provided and soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert_fingerprint = signature_fingerprint_1
         response.settings = settings
-        assert_raises(OneLogin::RubySaml::ValidationError, 'Digest mismatch'){ response.validate! }
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        assert !response.is_valid?
+      end
+
+      it "raises an exception if the signature contains no KeyInfo, cert is not provided and no soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", err.message
+      end
+
+      it "validate ADFS assertions" do
+        response = OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha256))
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        response.settings = settings
+        assert response.validate!
       end
 
-      should "Prevent node text with comment (VU#475445) attack" do
+      it "validate the digest" do
+        response = OneLogin::RubySaml::Response.new(r1_response_document_6)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert = Base64.decode64(r1_signature_2)
+        response.settings = settings
+        assert response.validate!
+      end
+
+      it "Prevent node text with comment (VU#475445) attack" do
         response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
         response = OneLogin::RubySaml::Response.new(response_doc)
 
@@ -160,42 +289,67 @@ class ResponseTest < Test::Unit::TestCase
         assert_equal "smith", response.attributes["surname"]
       end
 
-      context '#validate_audience' do
-        should "return true when sp_entity_id not set or empty" do
-          response = OneLogin::RubySaml::Response.new(response_document_4)
+      describe '#validate_audience' do
+        it "return true when sp_entity_id not set or empty" do
+          response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
           response.stubs(:conditions).returns(nil)
           settings = OneLogin::RubySaml::Settings.new
           response.settings = settings
-          settings.idp_cert_fingerprint = signature_fingerprint_1
+          settings.idp_cert_fingerprint = signature_fingerprint_valid_res
           assert response.is_valid?
           settings.sp_entity_id = ''
           assert response.is_valid?
         end
 
-        should "return false when sp_entity_id set to incorrectly" do
-          response = OneLogin::RubySaml::Response.new(response_document_4)
+        it "return false when sp_entity_id set to incorrectly" do
+          response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
           response.stubs(:conditions).returns(nil)
           settings = OneLogin::RubySaml::Settings.new
           response.settings = settings
-          settings.idp_cert_fingerprint = signature_fingerprint_1
+          settings.idp_cert_fingerprint = signature_fingerprint_valid_res
           settings.sp_entity_id = 'wrong_audience'
           assert !response.is_valid?
         end
 
-        should "return true when sp_entity_id set to correctly" do
-          response = OneLogin::RubySaml::Response.new(response_document_4)
+        it "return true when sp_entity_id set to correctly" do
+          response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
           response.stubs(:conditions).returns(nil)
           settings = OneLogin::RubySaml::Settings.new
           response.settings = settings
-          settings.idp_cert_fingerprint = signature_fingerprint_1
-          settings.sp_entity_id = 'audience'
+          settings.idp_cert_fingerprint = signature_fingerprint_valid_res
+          settings.sp_entity_id = 'https://someone.example.com/audience'
           assert response.is_valid?
         end
       end
     end
 
-    context "#name_id" do
-      should "extract the value of the name id element" do
+    describe "#validate_issuer" do
+      it "return true when the issuer of the Message/Assertion matches the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.settings = settings
+        assert response.send(:validate_issuer)
+
+        response.settings.idp_entity_id = 'https://app.onelogin.com/saml2'
+        assert response.send(:validate_issuer)
+      end
+
+      it "return false when the issuer of the Message does not match the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_message.xml.base64"))
+        response.settings = settings
+        response.settings.idp_entity_id = 'http://idp.example.com/'
+        assert !response.send(:validate_issuer)
+      end
+
+      it "return false when the issuer of the Assertion does not match the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_assertion.xml.base64"))
+        response.settings = settings
+        response.settings.idp_entity_id = 'http://idp.example.com/'
+        assert !response.send(:validate_issuer)
+      end
+    end
+
+    describe "#name_id" do
+      it "extract the value of the name id element" do
         response = OneLogin::RubySaml::Response.new(response_document)
         assert_equal "support@onelogin.com", response.name_id
 
@@ -203,19 +357,19 @@ class ResponseTest < Test::Unit::TestCase
         assert_equal "someone@example.com", response.name_id
       end
 
-      should "be extractable from an OpenSAML response" do
+      it "be extractable from an OpenSAML response" do
         response = OneLogin::RubySaml::Response.new(fixture(:open_saml))
         assert_equal "someone@example.org", response.name_id
       end
 
-      should "be extractable from a Simple SAML PHP response" do
+      it "be extractable from a Simple SAML PHP response" do
         response = OneLogin::RubySaml::Response.new(fixture(:simple_saml_php))
         assert_equal "someone@example.com", response.name_id
       end
     end
 
-    context "#check_conditions" do
-      should "check time conditions" do
+    describe "#check_conditions" do
+      it "check time conditions" do
         response = OneLogin::RubySaml::Response.new(response_document)
         assert !response.send(:validate_conditions, true)
         response = OneLogin::RubySaml::Response.new(response_document_6)
@@ -226,75 +380,122 @@ class ResponseTest < Test::Unit::TestCase
         assert response.send(:validate_conditions, true)
       end
 
-      should "optionally allow for clock drift" do
+      it "optionally allow for clock drift" do
         # The NotBefore condition in the document is 2011-06-14T18:21:01.516Z
-        Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
+        expected_time = Time.parse("2011-06-14T18:21:01Z")
+        Time.stubs(:now).returns(expected_time)
         response = OneLogin::RubySaml::Response.new(response_document_5, :allowed_clock_drift => 0.515)
         assert !response.send(:validate_conditions, true)
 
-        Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
+        expected_time = Time.parse("2011-06-14T18:21:01Z")
+        Time.stubs(:now).returns(expected_time)
         response = OneLogin::RubySaml::Response.new(response_document_5, :allowed_clock_drift => 0.516)
         assert response.send(:validate_conditions, true)
       end
     end
 
-    context "#attributes" do
-      should "extract the first attribute in a hash accessed via its symbol" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        assert_equal "demo", response.attributes[:uid]
+    describe "validate_signature" do
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
       end
 
-      should "extract the first attribute in a hash accessed via its name" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        assert_equal "demo", response.attributes["uid"]
+      it "raises an exception when wrong cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = ruby_saml_cert2
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
       end
 
-      should "extract all attributes" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        assert_equal "demo", response.attributes[:uid]
-        assert_equal "value", response.attributes[:another_value]
+      it "raises an exception when wrong fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
       end
 
-      should "work for implicit namespaces" do
-        response = OneLogin::RubySaml::Response.new(response_document_3)
-        assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
+      it "raises an exception when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
       end
+    end
 
-      should "not raise on responses without attributes" do
-        response = OneLogin::RubySaml::Response.new(response_document_4)
-        assert_equal OneLogin::RubySaml::Attributes.new, response.attributes
+    describe "#attributes" do
+      before do
+        @response = OneLogin::RubySaml::Response.new(response_document)
       end
 
-      should "extract attributes from all AttributeStatement tags" do
+      it "extract the first attribute in a hash accessed via its symbol" do
+        assert_equal "demo", @response.attributes[:uid]
+      end
+
+      it "extract the first attribute in a hash accessed via its name" do
+        assert_equal "demo", @response.attributes["uid"]
+      end
+
+      it "extract all attributes" do
+        assert_equal "demo", @response.attributes[:uid]
+        assert_equal "value", @response.attributes[:another_value]
+      end
+
+      it "work for implicit namespaces" do
+        response_3 = OneLogin::RubySaml::Response.new(response_document_3)
+        assert_equal "someone@example.com", response_3.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
+      end
+
+      it "not raise on responses without attributes" do
+        response_4 = OneLogin::RubySaml::Response.new(response_document_4)
+        assert_equal OneLogin::RubySaml::Attributes.new, response_4.attributes
+      end
+
+      it "extract attributes from all AttributeStatement tags" do
         assert_equal "smith", response_with_multiple_attribute_statements.attributes[:surname]
         assert_equal "bob", response_with_multiple_attribute_statements.attributes[:firstname]
       end
 
-      should "be manipulable by hash methods such as #merge and not raise an exception" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        response.attributes.merge({ :testing_attribute => "test" })
+      it "be manipulable by hash methods such as #merge and not raise an exception" do
+        @response.attributes.merge({ :testing_attribute => "test" })
       end
 
-      should "be manipulable by hash methods such as #shift and not raise an exception" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        response.attributes.shift
+      it "be manipulable by hash methods such as #shift and not raise an exception" do
+        @response.attributes.shift
       end
 
-      should "be manipulable by hash methods such as #merge! and actually contain the value" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        response.attributes.merge!({ :testing_attribute => "test" })
-        assert response.attributes[:testing_attribute]
+      it "be manipulable by hash methods such as #merge! and actually contain the value" do
+        @response.attributes.merge!({ :testing_attribute => "test" })
+        assert @response.attributes[:testing_attribute]
       end
 
-      should "be manipulable by hash methods such as #shift and actually remove the value" do
-        response = OneLogin::RubySaml::Response.new(response_document)
-        removed_value = response.attributes.shift
-        assert_nil response.attributes[removed_value[0]]
+      it "be manipulable by hash methods such as #shift and actually remove the value" do
+        removed_value = @response.attributes.shift
+        assert_nil @response.attributes[removed_value[0]]
       end
     end
 
-    context "#session_expires_at" do
-      should "extract the value of the SessionNotOnOrAfter attribute" do
+    describe "#session_expires_at" do
+      it "extract the value of the SessionNotOnOrAfter attribute" do
         response = OneLogin::RubySaml::Response.new(response_document)
         assert response.session_expires_at.is_a?(Time)
 
@@ -303,124 +504,167 @@ class ResponseTest < Test::Unit::TestCase
       end
     end
 
-    context "#issuer" do
-      should "return the issuer inside the response assertion" do
+    describe "#issuer" do
+      it "return the issuer inside the response assertion" do
         response = OneLogin::RubySaml::Response.new(response_document)
         assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
       end
 
-      should "return the issuer inside the response" do
+      it "return the issuer inside the response" do
         response = OneLogin::RubySaml::Response.new(response_document_2)
         assert_equal "wibble", response.issuer
       end
     end
 
-    context "#success" do
-      should "find a status code that says success" do
+    describe "#success" do
+      it "find a status code that says success" do
         response = OneLogin::RubySaml::Response.new(response_document)
-        response.success?
+        assert response.send(:success?)
       end
     end
 
-    context '#xpath_first_from_signed_assertion' do
-      should 'not allow arbitrary code execution' do
+    describe '#xpath_first_from_signed_assertion' do
+      it 'not allow arbitrary code execution' do
         malicious_response_document = fixture('response_eval', false)
         response = OneLogin::RubySaml::Response.new(malicious_response_document)
         response.send(:xpath_first_from_signed_assertion)
-        assert_equal($evalled, nil)
+        assert_nil $evalled
       end
     end
 
-    context "#multiple values" do
-      should "extract single value as string" do
+    describe "#multiple values" do
+      it "extract single value as string" do
         assert_equal "demo", response_multiple_attr_values.attributes[:uid]
       end
 
-      should "extract single value as string in compatibility mode off" do
+      it "extract single value as string in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ["demo"], response_multiple_attr_values.attributes[:uid]
         # classes are not reloaded between tests so restore default
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "extract first of multiple values as string for b/w compatibility" do
+      it "extract first of multiple values as string for b/w compatibility" do
         assert_equal 'value1', response_multiple_attr_values.attributes[:another_value]
       end
 
-      should "extract first of multiple values as string for b/w compatibility in compatibility mode off" do
+      it "extract first of multiple values as string for b/w compatibility in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes[:another_value]
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return array with all attributes when asked in XML order" do
+      it "return array with all attributes when asked in XML order" do
         assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes.multi(:another_value)
       end
 
-      should "return array with all attributes when asked in XML order in compatibility mode off" do
+      it "return array with all attributes when asked in XML order in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes.multi(:another_value)
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return first of multiple values when multiple Attribute tags in XML" do
+      it "return first of multiple values when multiple Attribute tags in XML" do
         assert_equal 'role1', response_multiple_attr_values.attributes[:role]
       end
 
-      should "return first of multiple values when multiple Attribute tags in XML in compatibility mode off" do
+      it "return first of multiple values when multiple Attribute tags in XML in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes[:role]
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return all of multiple values in reverse order when multiple Attribute tags in XML" do
+      it "return all of multiple values in reverse order when multiple Attribute tags in XML" do
         assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes.multi(:role)
       end
 
-      should "return all of multiple values in reverse order when multiple Attribute tags in XML in compatibility mode off" do
+      it "return all of multiple values in reverse order when multiple Attribute tags in XML in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes.multi(:role)
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return all of multiple values when multiple Attribute tags in multiple AttributeStatement tags" do
+      it "return all of multiple values when multiple Attribute tags in multiple AttributeStatement tags" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ['role1', 'role2', 'role3'], response_with_multiple_attribute_statements.attributes.multi(:role)
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return nil value correctly" do
+      it "return nil value correctly" do
         assert_nil response_multiple_attr_values.attributes[:attribute_with_nil_value]
       end
 
-      should "return nil value correctly when not in compatibility mode off" do
+      it "return nil value correctly when not in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
-        assert_equal [nil], response_multiple_attr_values.attributes[:attribute_with_nil_value]
+        assert [nil] == response_multiple_attr_values.attributes[:attribute_with_nil_value]
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "return multiple values including nil and empty string" do
+      it "return multiple values including nil and empty string" do
         response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
         assert_equal ["", "valuePresent", nil, nil], response.attributes.multi(:attribute_with_nils_and_empty_strings)
       end
 
-      should "return multiple values from [] when not in compatibility mode off" do
+      it "return multiple values from [] when not in compatibility mode off" do
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
         assert_equal ["", "valuePresent", nil, nil], response_multiple_attr_values.attributes[:attribute_with_nils_and_empty_strings]
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
 
-      should "check what happens when trying retrieve attribute that does not exists" do
-        assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
-        assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
-        assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+      it "check what happens when trying retrieve attribute that does not exists" do
+        assert_nil response_multiple_attr_values.attributes[:attribute_not_exists]
+        assert_nil response_multiple_attr_values.attributes.single(:attribute_not_exists)
+        assert_nil response_multiple_attr_values.attributes.multi(:attribute_not_exists)
 
         OneLogin::RubySaml::Attributes.single_value_compatibility = false
-        assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
-        assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
-        assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+        assert_nil response_multiple_attr_values.attributes[:attribute_not_exists]
+        assert_nil response_multiple_attr_values.attributes.single(:attribute_not_exists)
+        assert_nil response_multiple_attr_values.attributes.multi(:attribute_not_exists)
         OneLogin::RubySaml::Attributes.single_value_compatibility = true
       end
     end
+
+    describe "signature wrapping attack with encrypted assertion" do
+      it "should not be valid" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.private_key = valid_key
+        signature_wrapping_attack = read_response("encrypted_new_attack.xml.base64")
+        response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+        response_wrapped.stubs(:conditions).returns(nil)
+        response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
+        assert !response_wrapped.is_valid?
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_wrapped.validate!
+        end
+        assert_equal "Found an invalid Signed Element. SAML Response rejected", err.message
+      end
+    end
+
+    describe "signature wrapping attack - concealed SAML response body" do
+      it "should not be valid" do
+        settings = OneLogin::RubySaml::Settings.new
+        signature_wrapping_attack = read_response("response_with_concealed_signed_assertion.xml")
+        response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+        settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
+        response_wrapped.stubs(:conditions).returns(nil)
+        response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        response_wrapped.stubs(:validate_structure).returns(true)
+        assert !response_wrapped.is_valid?
+        assert !response_wrapped.validate!
+      end
+    end
+
+    describe "signature wrapping attack - doubled signed assertion SAML response" do
+      it "should not be valid" do
+        settings = OneLogin::RubySaml::Settings.new
+        signature_wrapping_attack = read_response("response_with_doubled_signed_assertion.xml")
+        response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+        settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
+        response_wrapped.stubs(:conditions).returns(nil)
+        response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        assert !response_wrapped.is_valid?
+      end
+    end
   end
 end