RubyGems - ruby-saml - Versions diffs - 0.8.11 → 0.8.16 - Mend

ruby-saml 0.8.11 → 0.8.16

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (55) hide show

checksums.yaml +5 -5
data/Gemfile +3 -1
data/Rakefile +0 -14
data/lib/onelogin/ruby-saml/logoutresponse.rb +9 -51
data/lib/onelogin/ruby-saml/response.rb +121 -30
data/lib/onelogin/ruby-saml/settings.rb +27 -10
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +101 -0
data/lib/onelogin/ruby-saml/utils.rb +92 -0
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +1 -0
data/lib/xml_security.rb +222 -87
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +14 -0
data/test/certificates/formatted_chained_certificate +42 -0
data/test/certificates/formatted_private_key +12 -0
data/test/certificates/formatted_rsa_private_key +12 -0
data/test/certificates/invalid_certificate1 +1 -0
data/test/certificates/invalid_certificate2 +1 -0
data/test/certificates/invalid_certificate3 +12 -0
data/test/certificates/invalid_chained_certificate1 +1 -0
data/test/certificates/invalid_private_key1 +1 -0
data/test/certificates/invalid_private_key2 +1 -0
data/test/certificates/invalid_private_key3 +10 -0
data/test/certificates/invalid_rsa_private_key1 +1 -0
data/test/certificates/invalid_rsa_private_key2 +1 -0
data/test/certificates/invalid_rsa_private_key3 +10 -0
data/test/certificates/ruby-saml-2.crt +15 -0
data/test/logoutrequest_test.rb +124 -126
data/test/logoutresponse_test.rb +22 -42
data/test/requests/logoutrequest_fixtures.rb +47 -0
data/test/response_test.rb +373 -129
data/test/responses/adfs_response_xmlns.xml +45 -0
data/test/responses/encrypted_new_attack.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_message.xml.base64 +1 -0
data/test/responses/invalids/multiple_signed.xml.base64 +1 -0
data/test/responses/invalids/no_signature.xml.base64 +1 -0
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +1 -0
data/test/responses/logoutresponse_fixtures.rb +4 -4
data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/response_with_signed_assertion_3.xml +30 -0
data/test/responses/response_with_signed_message_and_assertion.xml +34 -0
data/test/responses/response_with_undefined_recipient.xml.base64 +1 -0
data/test/responses/response_wrapped.xml.base64 +150 -0
data/test/responses/valid_response.xml.base64 +1 -0
data/test/responses/valid_response_without_x509certificate.xml.base64 +1 -0
data/test/settings_test.rb +111 -5
data/test/slo_logoutrequest_test.rb +66 -0
data/test/test_helper.rb +110 -41
data/test/utils_test.rb +201 -11
data/test/xml_security_test.rb +359 -68
metadata +77 -7

data/test/responses/valid_response.xml.base64 ADDED

@@ -0,0 +1 @@

+ PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGJjODI2YWZkLWU5ZmUtZDNmYi1kODc0LWM0NzAwYzNlZjBjOCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZiLTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbDI8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhiYzgyNmFmZC1lOWZlLWQzZmItZDg3NC1jNDcwMGMzZWYwYzgiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPkl6NFpRbHMzQUpaRGIzczh2Y1VYLzNSYytGUT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+UWhLSm1vbnlzUDFxbW5hN1MrZUUxTGMycktBampDMk9HclFPZ1NqUHBUb2N1bVE2aFlIa3pUU1pyN3QvSS9LVE9TdkhDUXFEMXJoNGxTMGpEUC9FdUhOQUN0azlZN2xsMlV5Z3U3MkwrYkZ0cVoyOURuOXJMa1NkR3JpK0k3SGh4TDM2N2RmQVNTaDYrc3k3V2V2RWRrTWZ3ZURRMkFYL3NhNkJCR2d6N1RFPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDR3pDQ0FZUUNDUUNOTmNRWG9tMzJWREFOQmdrcWhraUc5dzBCQVFVRkFEQlNNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0JNQ1NVNHhGVEFUQmdOVkJBY1RERWx1WkdsaGJtRndiMnhwY3pFUk1BOEdBMVVFQ2hNSVQyNWxURzluYVc0eEREQUtCZ05WQkFzVEEwVnVaekFlRncweE5EQTBNak14T0RReE1ERmFGdzB4TlRBME1qTXhPRFF4TURGYU1GSXhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJRXdKSlRqRVZNQk1HQTFVRUJ4TU1TVzVrYVdGdVlYQnZiR2x6TVJFd0R3WURWUVFLRXdoUGJtVk1iMmRwYmpFTU1Bb0dBMVVFQ3hNRFJXNW5NSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURvNm0rUVp2WVEveEwwRWxMZ3VwSzFRRGNZTDRmNVBja3dzTmdTOXBVdlY3ZnpUcUNIazhUaEx4VGs0Mk1RMk1jSnNPZVVKVlA3MjhLaHltakZDcXhnUDRWdXdSazlycEFsMCttaHk2TVBkeWp5QTZHMTRqckRXUzY1eXNMY2hLNHQvdndwRUR6MFNRbEVvRzFrTXpsbFNtN3paUzNYcmVnQTdEak5hVVlRcXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBTE0ydkdDaVEvdm0rYTZ2NDArVlgyemRxSEEyUS8xdkYxaWJReko1NE1KQ09WV3ZzK3ZRWGZaRmhkbTBPUE0ySXJEVTdvcXZLUHFQNnhPQWVKSzZIMHlQN000WUwzZmF0U3ZJWW1tZnlYQzlrdDNTdnovTnlySHpQaFVuSjB5ZS9zVVNYeG56UXh3Y20vOVB3QXFyUWFBM1FwUWtINTd5YkYvT29yeVBlKzJoPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4OTUxNmIwZjMtNDUzNi0xMGY2LWM2ZmEtOWRkNTIzZTE0OThjIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwyPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+dGVzdEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMzAtMDYtMDRUMDI6Mjc6MDJaIiBSZWNpcGllbnQ9InJlY2lwaWVudCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDExLTA2LTA0VDAyOjE3OjAyWiIgTm90T25PckFmdGVyPSIyMDMwLTA2LTA0VDAyOjI3OjAyWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NvbWVvbmUuZXhhbXBsZS5jb20vYXVkaWVuY2U8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA2LTA0VDAyOjIyOjAyWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAzMC0wNi0wNVQwMjoyMjowMloiIFNlc3Npb25JbmRleD0iXzE2ZjU3MGZiYzAzMTUwMDdhMDM1NWRmZWE2YjNjNDZjIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

data/test/responses/valid_response_without_x509certificate.xml.base64 ADDED

@@ -0,0 +1 @@

+ pVZdd9o4EH3fc/Y/+LiPOcayDTb4BLoU0oSWfBDTbpuXPbI0Bie25Egi0Pz6lQ04kJI03X2CGY/u3LkjjXT8fpVnxgMImXLWNZ0GMt/3/vzjWOI8K8JrkAVnEgwdxGRYOrvmQrCQY5nKkOEcZKhIGPXPx6HbQCGWEoTSUObOkuL1NYXgihOemcZo2DWLZBWTtuvjhFrQScCiXhJbtB00LdIMECIeJIi0TePrlrPG0EulXMCISYWZ0i7kNC3kW6g5RW7ouiFyb0xjCFKlDKtq1VypIrRtXBSNfEFxg3FbSm4TXe4iBw3ItsVPedf8JyFN7DVjZAWg6SDHBYtgDFbQdmMSO14ce22zV8kWVlxEr8wgNyk4g4zPUtYgPLfLIPfY3o09pjKM0pkmtxBbtamsWS6Xy8bSa3Axs12EkI06to6hMp29M3W3DGO7HuiIJbyCG2DGWUpwlj5WJZ+DmnNq9LMZF6ma5y+AO7aDSnALVsQiTpO9M+0qxVOSiuQb4fa4CoktOcfOBrHEu4YEBDACxpfrUdd899b2VyVOBWYy4SKX++bvsQL2oJtTALXktjhN8PcAD6p2bP/McZjO9C78L+JthHsC+YqzBfRGj82bSSa9/qebYezJ9gP58s32rsnRx0m3IrAbXDlqydfms21TN3i9YjL//Cnn7Ie8cu5zhoPoCE6cMXHF5/7t7cC9PBWTy1l0e1VMOVnkE3/+/ezucRrdiEDZI/vz9DJ6OBtM7oeOmDezCN0Or+yTxdlFf6DuOt+DLHO//JgtAnd8FH9U9zduZ8g6YnwX0VORHo2Cs/lq7PkBTfpRNPeP5I/gb3g4oXfnyRKGE7f/TR8i/8OH09ljMD3p1uXs8NejbM/b20y2SGlT7lsDTsGolr0+sGQVHUYLQkDKqtE/g4b97SjcHOfVS8fZsb+djyMyhxybdWz662ArrcYdgZ9m4XqMdlqOH6PEs5otz7cclPgW8RNsdShtuR44zU6bvGlw/o+xVhnRIr4FojbWhdZzNDQ+6iOB1ctCOw2n8qTUSqrQUJecZn1KRSl6T+lN/ddu/k3mNfx+5gFnSVpilN1Yn73XO0zyMAYsQJgvAw2xwsYFV5fsUvQTBaJUz0M76gXra+caSFqkUMortn/rTXMI+dmnDQUdQdPysyyzfgCtClQNc55SOpuUb6C13aULmpazQF92SqRknX7vS91wyXPQgjdghfMig6rneBO0YVyveWbvodvPyqnzqTkrTxDkWiCjMn9xoUd6J2iEF6ptHQgdMQorfZ07ftIKUBIT5DkthAKMvFaLJoD92CNNn5i7pDRVBSt1wDXI9INHz9Peq28iEpIyTruv9M+SC3qlnzy6s0Cr26HgQtWCHQA/8G3PV4tWe7ejp55M27dM718=

data/test/settings_test.rb CHANGED

@@ -1,12 +1,12 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class SettingsTest < Test::Unit::TestCase
+class SettingsTest < Minitest::Test
-  context "Settings" do
-    setup do
+  describe "Settings" do
+    before do
       @settings = OneLogin::RubySaml::Settings.new
     end
-    should "should provide getters and settings" do
+    it "should provide getters and settings" do
       accessors = [
         :assertion_consumer_service_url, :issuer, :sp_entity_id, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
@@ -22,7 +22,7 @@ class SettingsTest < Test::Unit::TestCase
       end
     end
-    should "create settings from hash" do
+    it "create settings from hash" do
       config = {
           :assertion_consumer_service_url => "http://app.muda.no/sso",
@@ -42,6 +42,112 @@ class SettingsTest < Test::Unit::TestCase
       end
     end
+    describe "#get_idp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.idp_cert = ""
+        assert_nil @settings.get_idp_cert
+      end
+      it "returns nil when the cert is nil" do
+        @settings.idp_cert = nil
+        assert_nil @settings.get_idp_cert
+      end
+      it "returns the certificate when it is valid" do
+        @settings.idp_cert = ruby_saml_cert_text
+        assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.idp_cert = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_idp_cert
+        }
+      end
+    end
+    describe "#get_sp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.certificate = ""
+        assert_nil @settings.get_sp_cert
+      end
+      it "returns nil when the cert is nil" do
+        @settings.certificate = nil
+        assert_nil @settings.get_sp_cert
+      end
+      it "returns the certificate when it is valid" do
+        @settings.certificate = ruby_saml_cert_text
+        assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.certificate = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_sp_cert
+        }
+      end
+    end
+    describe "#get_sp_key" do
+      it "returns nil when the private key is an empty string" do
+        @settings.private_key = ""
+        assert_nil @settings.get_sp_key
+      end
+      it "returns nil when the private key is nil" do
+        @settings.private_key = nil
+        assert_nil @settings.get_sp_key
+      end
+      it "returns the private key when it is valid" do
+        @settings.private_key = ruby_saml_key_text
+        assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA
+      end
+      it "raises when the private key is not valid" do
+        # formatted but invalid rsa private key
+        @settings.private_key = read_certificate("formatted_rsa_private_key")
+        assert_raises(OpenSSL::PKey::RSAError) {
+          @settings.get_sp_key
+        }
+      end
+    end
+    describe "#get_fingerprint" do
+      it "get the fingerprint value when cert and fingerprint in settings are nil" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert_nil fingerprint
+      end
+      it "get the fingerprint value when there is a cert at the settings" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+      it "get the fingerprint value when there is a fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+      it "get the fingerprint value when there are cert and fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+    end
   end
 end

data/test/slo_logoutrequest_test.rb ADDED

@@ -0,0 +1,66 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require File.expand_path(File.join(File.dirname(__FILE__), "requests/logoutrequest_fixtures"))
+class SloLogoutrequestTest < Minitest::Test
+  describe "SloLogoutrequest" do
+    describe "#new" do
+      it "raise an exception when request is initialized with nil" do
+        assert_raises(ArgumentError) { OneLogin::RubySaml::SloLogoutrequest.new(nil) }
+      end
+      it "default to empty settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request)
+        assert logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, settings)
+        assert !logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected options" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, nil, { :foo => :bar} )
+        assert !logoutrequest.options.empty?
+      end
+      it "support base64 encoded requests" do
+        expected_request = valid_request
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(Base64.encode64(expected_request), settings)
+        assert_equal expected_request, logoutrequest.request
+      end
+    end
+    describe "#validate" do
+      it "validate the request" do
+        in_relation_to_request_id = random_id
+        settings.idp_entity_id = "https://example.com/idp"
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+        assert logoutrequest.validate
+        assert_equal settings.idp_entity_id, logoutrequest.issuer
+        assert_equal "testuser@example.com", logoutrequest.nameid
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", logoutrequest.nameid_format
+      end
+    end
+    describe "#validate!" do
+      it "validates good requests" do
+        in_relation_to_request_id = random_id
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+        logoutrequest.validate!
+      end
+      it "raise error for invalid xml" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(invalid_xml_request, settings)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutrequest.validate! }
+      end
+    end
+  end
+end

data/test/test_helper.rb CHANGED

@@ -1,17 +1,22 @@
 require 'rubygems'
-require 'test/unit'
 require 'minitest/autorun'
 require 'shoulda'
 require 'mocha/setup'
 require 'timecop'
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'ruby-saml'
 ENV["ruby-saml/testing"] = "1"
-class Test::Unit::TestCase
+class Minitest::Test
   def fixture(document, base64 = true)
     response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
     if base64 && response =~ /\.xml$/
@@ -21,32 +26,48 @@ class Test::Unit::TestCase
     end
   end
+  def random_id
+    RUBY_VERSION < '1.9' ? "_#{UUID.new.generate}" : "_#{SecureRandom.uuid}"
+  end
+  def read_invalid_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
+  end
+  def read_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", response))
+  end
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
   def response_document
-    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
+    @response_document ||= read_response('response1.xml.base64')
   end
   def response_document_2
-    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+    @response_document2 ||= read_response('response2.xml.base64')
   end
   def response_document_3
-    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+    @response_document3 ||= read_response('response3.xml.base64')
   end
   def response_document_4
-    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+    @response_document4 ||= read_response('response4.xml.base64')
   end
   def response_document_5
-    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+    @response_document5 ||= read_response('response5.xml.base64')
   end
   def r1_response_document_6
-    @response_document6 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'r1_response6.xml.base64'))
+    @response_document6 ||= read_response('r1_response6.xml.base64')
   end
   def ampersands_response
-    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+    @ampersands_resposne ||= read_response('response_with_ampersands.xml.base64')
   end
   def response_document_6
@@ -56,6 +77,22 @@ class Test::Unit::TestCase
     Base64.encode64(doc)
   end
+  def response_document_wrapped
+    @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
+  end
+  def response_document_valid_signed
+    response_document_valid_signed ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'valid_response.xml.base64'))
+  end
+  def response_document_valid_signed_without_x509certificate
+    @response_document_valid_signed_without_x509certificate ||= read_response("valid_response_without_x509certificate.xml.base64")
+  end
+  def response_document_without_recipient
+    @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
+  end
   def wrapped_response_2
     @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
   end
@@ -64,12 +101,24 @@ class Test::Unit::TestCase
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
+  def signature_fingerprint_valid_res
+    @signature_fingerprint1 ||= "4b68c453c7d994aad9025c99d5efcf566287fe8d"
+  end
   def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+    @signature1 ||= read_certificate('certificate1')
   end
   def r1_signature_2
-    @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
+    @signature2 ||= read_certificate('r1_certificate2_base64')
+  end
+  def valid_cert
+    @signature_valid_cert ||= read_certificate('ruby-saml.crt')
+  end
+  def valid_key
+    @signature_valid_cert ||= read_certificate('ruby-saml.key')
   end
   def response_with_multiple_attribute_statements
@@ -79,40 +128,60 @@ class Test::Unit::TestCase
   def response_multiple_attr_values
     @response_multiple_attr_values = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
   end
-end
-def ruby_saml_cert_text
-  read_certificate("ruby-saml.crt")
-end
+  def ruby_saml_cert
+    @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+  end
-def ruby_saml_key_text
-  read_certificate("ruby-saml.key")
-end
+  def ruby_saml_cert2
+    @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
+  end
-def read_certificate(certificate)
-  File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
-end
+  def ruby_saml_cert_fingerprint
+    @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
+  end
-def decode_saml_request_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
-  decoded = Base64.decode64(payload)
+  def ruby_saml_cert_text
+    read_certificate("ruby-saml.crt")
+  end
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
-end
+  def ruby_saml_cert_text2
+    read_certificate("ruby-saml-2.crt")
+  end
+  def ruby_saml_key_text
+    read_certificate("ruby-saml.key")
+  end
-# decodes a base64 encoded SAML response for use in SloLogoutresponse tests
-#
-def decode_saml_response_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
-  decoded = Base64.decode64(payload)
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
+  def ruby_saml_key
+    @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
+  end
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+  # decodes a base64 encoded SAML response for use in SloLogoutresponse tests
+  #
+  def decode_saml_response_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
+    decoded = Base64.decode64(payload)
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
 end

data/test/utils_test.rb CHANGED

@@ -1,41 +1,231 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class UtilsTest < Test::Unit::TestCase
-  context "Utils" do
-    context 'element_text' do
-      should 'returns the element text' do
+class UtilsTest < Minitest::Test
+  describe "Utils" do
+    describe "format_cert" do
+      let(:formatted_certificate) {read_certificate("formatted_certificate")}
+      let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
+      it "returns empty string when the cert is an empty string" do
+        cert = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+      it "returns nil when the cert is nil" do
+        cert = nil
+        assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+      it "returns the certificate when it is valid" do
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
+      end
+      it "reformats the certificate when there are spaces and no line breaks" do
+        invalid_certificate1 = read_certificate("invalid_certificate1")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
+      end
+      it "reformats the certificate when there are spaces and no headers" do
+        invalid_certificate2 = read_certificate("invalid_certificate2")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
+      end
+      it "returns the cert when it's encoded" do
+        encoded_certificate = read_certificate("certificate.der")
+        assert_equal encoded_certificate, OneLogin::RubySaml::Utils.format_cert(encoded_certificate)
+      end
+      it "reformats the certificate when there line breaks and no headers" do
+        invalid_certificate3 = read_certificate("invalid_certificate3")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
+      end
+      it "returns the chained certificate when it is a valid chained certificate" do
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
+      end
+      it "reformats the chained certificate when there are spaces and no line breaks" do
+        invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
+      end
+    end
+    describe "format_private_key" do
+      let(:formatted_private_key) do
+        read_certificate("formatted_private_key")
+      end
+      it "returns empty string when the private key is an empty string" do
+        private_key = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+      it "returns nil when the private key is nil" do
+        private_key = nil
+        assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+      it "returns the private key when it is valid" do
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
+      end
+      it "reformats the private key when there are spaces and no line breaks" do
+        invalid_private_key1 = read_certificate("invalid_private_key1")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
+      end
+      it "reformats the private key when there are spaces and no headers" do
+        invalid_private_key2 = read_certificate("invalid_private_key2")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
+      end
+      it "reformats the private key when there line breaks and no headers" do
+        invalid_private_key3 = read_certificate("invalid_private_key3")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
+      end
+      describe "an RSA public key" do
+        let(:formatted_rsa_private_key) do
+          read_certificate("formatted_rsa_private_key")
+        end
+        it "returns the private key when it is valid" do
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
+        end
+        it "reformats the private key when there are spaces and no line breaks" do
+          invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
+        end
+        it "reformats the private key when there are spaces and no headers" do
+          invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
+        end
+        it "reformats the private key when there line breaks and no headers" do
+          invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
+        end
+      end
+    end
+    describe "build_query" do
+      it "returns the query string" do
+        params = {}
+        params[:type] = "SAMLRequest"
+        params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
+        params[:relay_state] = "http://example.com"
+        params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        query_string = OneLogin::RubySaml::Utils.build_query(params)
+        assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
+      end
+    end
+    describe "#status_error_msg" do
+      it "returns a error msg with a status message" do
+        error_msg = "The status code of the Logout Response was not Success"
+        status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+        status_message = "The request could not be performed due to an error on the part of the requester."
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
+        status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
+        status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+        assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
+      end
+    end
+    describe 'uri_match' do
+      it 'matches two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it 'fails to match two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/othertest?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "matches two URLs if the scheme case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'HTTP://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "matches two URLs if the host case doesn't match" do
+        destination = 'http://www.EXAMPLE.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two URLs if the path case doesn't match" do
+        destination = 'http://www.example.com/TEST?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two URLs if the query case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=STUFF'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it 'matches two non urls' do
+        destination = 'stuff'
+        settings = 'stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two non urls" do
+        destination = 'stuff'
+        settings = 'not stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+    end
+    describe 'element_text' do
+      it 'returns the element text' do
         element = REXML::Document.new('<element>element text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns all segments of the element text' do
+      it 'returns all segments of the element text' do
         element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns normalized element text' do
+      it 'returns normalized element text' do
         element = REXML::Document.new('<element>element &amp; text</element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns the CDATA element text' do
+      it 'returns the CDATA element text' do
         element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns the element text with newlines and additional whitespace' do
+      it 'returns the element text with newlines and additional whitespace' do
         element = REXML::Document.new("<element>  element \n text  </element>").elements.first
         assert_equal "  element \n text  ", OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns nil when element is nil' do
+      it 'returns nil when element is nil' do
         assert_nil OneLogin::RubySaml::Utils.element_text(nil)
       end
-      should 'returns empty string when element has no text' do
+      it 'returns empty string when element has no text' do
         element = REXML::Document.new('<element></element>').elements.first
         assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
       end
     end
   end
-end
+end