RubyGems - ruby-saml - Versions diffs - 0.8.11 → 0.8.16 - Mend

ruby-saml 0.8.11 → 0.8.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (55) hide show

checksums.yaml +5 -5
data/Gemfile +3 -1
data/Rakefile +0 -14
data/lib/onelogin/ruby-saml/logoutresponse.rb +9 -51
data/lib/onelogin/ruby-saml/response.rb +121 -30
data/lib/onelogin/ruby-saml/settings.rb +27 -10
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +101 -0
data/lib/onelogin/ruby-saml/utils.rb +92 -0
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +1 -0
data/lib/xml_security.rb +222 -87
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +14 -0
data/test/certificates/formatted_chained_certificate +42 -0
data/test/certificates/formatted_private_key +12 -0
data/test/certificates/formatted_rsa_private_key +12 -0
data/test/certificates/invalid_certificate1 +1 -0
data/test/certificates/invalid_certificate2 +1 -0
data/test/certificates/invalid_certificate3 +12 -0
data/test/certificates/invalid_chained_certificate1 +1 -0
data/test/certificates/invalid_private_key1 +1 -0
data/test/certificates/invalid_private_key2 +1 -0
data/test/certificates/invalid_private_key3 +10 -0
data/test/certificates/invalid_rsa_private_key1 +1 -0
data/test/certificates/invalid_rsa_private_key2 +1 -0
data/test/certificates/invalid_rsa_private_key3 +10 -0
data/test/certificates/ruby-saml-2.crt +15 -0
data/test/logoutrequest_test.rb +124 -126
data/test/logoutresponse_test.rb +22 -42
data/test/requests/logoutrequest_fixtures.rb +47 -0
data/test/response_test.rb +373 -129
data/test/responses/adfs_response_xmlns.xml +45 -0
data/test/responses/encrypted_new_attack.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_message.xml.base64 +1 -0
data/test/responses/invalids/multiple_signed.xml.base64 +1 -0
data/test/responses/invalids/no_signature.xml.base64 +1 -0
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +1 -0
data/test/responses/logoutresponse_fixtures.rb +4 -4
data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/response_with_signed_assertion_3.xml +30 -0
data/test/responses/response_with_signed_message_and_assertion.xml +34 -0
data/test/responses/response_with_undefined_recipient.xml.base64 +1 -0
data/test/responses/response_wrapped.xml.base64 +150 -0
data/test/responses/valid_response.xml.base64 +1 -0
data/test/responses/valid_response_without_x509certificate.xml.base64 +1 -0
data/test/settings_test.rb +111 -5
data/test/slo_logoutrequest_test.rb +66 -0
data/test/test_helper.rb +110 -41
data/test/utils_test.rb +201 -11
data/test/xml_security_test.rb +359 -68
metadata +77 -7

data/test/responses/valid_response.xml.base64 ADDED

@@ -0,0 +1 @@

+ PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGJjODI2YWZkLWU5ZmUtZDNmYi1kODc0LWM0NzAwYzNlZjBjOCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZiLTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbDI8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhiYzgyNmFmZC1lOWZlLWQzZmItZDg3NC1jNDcwMGMzZWYwYzgiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPkl6NFpRbHMzQUpaRGIzczh2Y1VYLzNSYytGUT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+UWhLSm1vbnlzUDFxbW5hN1MrZUUxTGMycktBampDMk9HclFPZ1NqUHBUb2N1bVE2aFlIa3pUU1pyN3QvSS9LVE9TdkhDUXFEMXJoNGxTMGpEUC9FdUhOQUN0azlZN2xsMlV5Z3U3MkwrYkZ0cVoyOURuOXJMa1NkR3JpK0k3SGh4TDM2N2RmQVNTaDYrc3k3V2V2RWRrTWZ3ZURRMkFYL3NhNkJCR2d6N1RFPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDR3pDQ0FZUUNDUUNOTmNRWG9tMzJWREFOQmdrcWhraUc5dzBCQVFVRkFEQlNNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0JNQ1NVNHhGVEFUQmdOVkJBY1RERWx1WkdsaGJtRndiMnhwY3pFUk1BOEdBMVVFQ2hNSVQyNWxURzluYVc0eEREQUtCZ05WQkFzVEEwVnVaekFlRncweE5EQTBNak14T0RReE1ERmFGdzB4TlRBME1qTXhPRFF4TURGYU1GSXhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJRXdKSlRqRVZNQk1HQTFVRUJ4TU1TVzVrYVdGdVlYQnZiR2x6TVJFd0R3WURWUVFLRXdoUGJtVk1iMmRwYmpFTU1Bb0dBMVVFQ3hNRFJXNW5NSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURvNm0rUVp2WVEveEwwRWxMZ3VwSzFRRGNZTDRmNVBja3dzTmdTOXBVdlY3ZnpUcUNIazhUaEx4VGs0Mk1RMk1jSnNPZVVKVlA3MjhLaHltakZDcXhnUDRWdXdSazlycEFsMCttaHk2TVBkeWp5QTZHMTRqckRXUzY1eXNMY2hLNHQvdndwRUR6MFNRbEVvRzFrTXpsbFNtN3paUzNYcmVnQTdEak5hVVlRcXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBTE0ydkdDaVEvdm0rYTZ2NDArVlgyemRxSEEyUS8xdkYxaWJReko1NE1KQ09WV3ZzK3ZRWGZaRmhkbTBPUE0ySXJEVTdvcXZLUHFQNnhPQWVKSzZIMHlQN000WUwzZmF0U3ZJWW1tZnlYQzlrdDNTdnovTnlySHpQaFVuSjB5ZS9zVVNYeG56UXh3Y20vOVB3QXFyUWFBM1FwUWtINTd5YkYvT29yeVBlKzJoPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4OTUxNmIwZjMtNDUzNi0xMGY2LWM2ZmEtOWRkNTIzZTE0OThjIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwyPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+dGVzdEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMzAtMDYtMDRUMDI6Mjc6MDJaIiBSZWNpcGllbnQ9InJlY2lwaWVudCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDExLTA2LTA0VDAyOjE3OjAyWiIgTm90T25PckFmdGVyPSIyMDMwLTA2LTA0VDAyOjI3OjAyWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NvbWVvbmUuZXhhbXBsZS5jb20vYXVkaWVuY2U8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA2LTA0VDAyOjIyOjAyWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAzMC0wNi0wNVQwMjoyMjowMloiIFNlc3Npb25JbmRleD0iXzE2ZjU3MGZiYzAzMTUwMDdhMDM1NWRmZWE2YjNjNDZjIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

data/test/responses/valid_response_without_x509certificate.xml.base64 ADDED

@@ -0,0 +1 @@

+ pVZdd9o4EH3fc/Y/+LiPOcayDTb4BLoU0oSWfBDTbpuXPbI0Bie25Egi0Pz6lQ04kJI03X2CGY/u3LkjjXT8fpVnxgMImXLWNZ0GMt/3/vzjWOI8K8JrkAVnEgwdxGRYOrvmQrCQY5nKkOEcZKhIGPXPx6HbQCGWEoTSUObOkuL1NYXgihOemcZo2DWLZBWTtuvjhFrQScCiXhJbtB00LdIMECIeJIi0TePrlrPG0EulXMCISYWZ0i7kNC3kW6g5RW7ouiFyb0xjCFKlDKtq1VypIrRtXBSNfEFxg3FbSm4TXe4iBw3ItsVPedf8JyFN7DVjZAWg6SDHBYtgDFbQdmMSO14ce22zV8kWVlxEr8wgNyk4g4zPUtYgPLfLIPfY3o09pjKM0pkmtxBbtamsWS6Xy8bSa3Axs12EkI06to6hMp29M3W3DGO7HuiIJbyCG2DGWUpwlj5WJZ+DmnNq9LMZF6ma5y+AO7aDSnALVsQiTpO9M+0qxVOSiuQb4fa4CoktOcfOBrHEu4YEBDACxpfrUdd899b2VyVOBWYy4SKX++bvsQL2oJtTALXktjhN8PcAD6p2bP/McZjO9C78L+JthHsC+YqzBfRGj82bSSa9/qebYezJ9gP58s32rsnRx0m3IrAbXDlqydfms21TN3i9YjL//Cnn7Ie8cu5zhoPoCE6cMXHF5/7t7cC9PBWTy1l0e1VMOVnkE3/+/ezucRrdiEDZI/vz9DJ6OBtM7oeOmDezCN0Or+yTxdlFf6DuOt+DLHO//JgtAnd8FH9U9zduZ8g6YnwX0VORHo2Cs/lq7PkBTfpRNPeP5I/gb3g4oXfnyRKGE7f/TR8i/8OH09ljMD3p1uXs8NejbM/b20y2SGlT7lsDTsGolr0+sGQVHUYLQkDKqtE/g4b97SjcHOfVS8fZsb+djyMyhxybdWz662ArrcYdgZ9m4XqMdlqOH6PEs5otz7cclPgW8RNsdShtuR44zU6bvGlw/o+xVhnRIr4FojbWhdZzNDQ+6iOB1ctCOw2n8qTUSqrQUJecZn1KRSl6T+lN/ddu/k3mNfx+5gFnSVpilN1Yn73XO0zyMAYsQJgvAw2xwsYFV5fsUvQTBaJUz0M76gXra+caSFqkUMortn/rTXMI+dmnDQUdQdPysyyzfgCtClQNc55SOpuUb6C13aULmpazQF92SqRknX7vS91wyXPQgjdghfMig6rneBO0YVyveWbvodvPyqnzqTkrTxDkWiCjMn9xoUd6J2iEF6ptHQgdMQorfZ07ftIKUBIT5DkthAKMvFaLJoD92CNNn5i7pDRVBSt1wDXI9INHz9Peq28iEpIyTruv9M+SC3qlnzy6s0Cr26HgQtWCHQA/8G3PV4tWe7ejp55M27dM718=

data/test/settings_test.rb CHANGED

@@ -1,12 +1,12 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class SettingsTest < Test::Unit::TestCase
+class SettingsTest < Minitest::Test
-  context "Settings" do
-    setup do
+  describe "Settings" do
+    before do
       @settings = OneLogin::RubySaml::Settings.new
     end
-    should "should provide getters and settings" do
+    it "should provide getters and settings" do
       accessors = [
         :assertion_consumer_service_url, :issuer, :sp_entity_id, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
@@ -22,7 +22,7 @@ class SettingsTest < Test::Unit::TestCase
       end
     end
-    should "create settings from hash" do
+    it "create settings from hash" do
       config = {
           :assertion_consumer_service_url => "http://app.muda.no/sso",
@@ -42,6 +42,112 @@ class SettingsTest < Test::Unit::TestCase
       end
     end
+    describe "#get_idp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.idp_cert = ""
+        assert_nil @settings.get_idp_cert
+      end
+      it "returns nil when the cert is nil" do
+        @settings.idp_cert = nil
+        assert_nil @settings.get_idp_cert
+      end
+      it "returns the certificate when it is valid" do
+        @settings.idp_cert = ruby_saml_cert_text
+        assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.idp_cert = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_idp_cert
+        }
+      end
+    end
+    describe "#get_sp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.certificate = ""
+        assert_nil @settings.get_sp_cert
+      end
+      it "returns nil when the cert is nil" do
+        @settings.certificate = nil
+        assert_nil @settings.get_sp_cert
+      end
+      it "returns the certificate when it is valid" do
+        @settings.certificate = ruby_saml_cert_text
+        assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.certificate = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_sp_cert
+        }
+      end
+    end
+    describe "#get_sp_key" do
+      it "returns nil when the private key is an empty string" do
+        @settings.private_key = ""
+        assert_nil @settings.get_sp_key
+      end
+      it "returns nil when the private key is nil" do
+        @settings.private_key = nil
+        assert_nil @settings.get_sp_key
+      end
+      it "returns the private key when it is valid" do
+        @settings.private_key = ruby_saml_key_text
+        assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA
+      end
+      it "raises when the private key is not valid" do
+        # formatted but invalid rsa private key
+        @settings.private_key = read_certificate("formatted_rsa_private_key")
+        assert_raises(OpenSSL::PKey::RSAError) {
+          @settings.get_sp_key
+        }
+      end
+    end
+    describe "#get_fingerprint" do
+      it "get the fingerprint value when cert and fingerprint in settings are nil" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert_nil fingerprint
+      end
+      it "get the fingerprint value when there is a cert at the settings" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+      it "get the fingerprint value when there is a fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+      it "get the fingerprint value when there are cert and fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+    end
   end
 end

data/test/slo_logoutrequest_test.rb ADDED

@@ -0,0 +1,66 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require File.expand_path(File.join(File.dirname(__FILE__), "requests/logoutrequest_fixtures"))
+class SloLogoutrequestTest < Minitest::Test
+  describe "SloLogoutrequest" do
+    describe "#new" do
+      it "raise an exception when request is initialized with nil" do
+        assert_raises(ArgumentError) { OneLogin::RubySaml::SloLogoutrequest.new(nil) }
+      end
+      it "default to empty settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request)
+        assert logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, settings)
+        assert !logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected options" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, nil, { :foo => :bar} )
+        assert !logoutrequest.options.empty?
+      end
+      it "support base64 encoded requests" do
+        expected_request = valid_request
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(Base64.encode64(expected_request), settings)
+        assert_equal expected_request, logoutrequest.request
+      end
+    end
+    describe "#validate" do
+      it "validate the request" do
+        in_relation_to_request_id = random_id
+        settings.idp_entity_id = "https://example.com/idp"
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+        assert logoutrequest.validate
+        assert_equal settings.idp_entity_id, logoutrequest.issuer
+        assert_equal "testuser@example.com", logoutrequest.nameid
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", logoutrequest.nameid_format
+      end
+    end
+    describe "#validate!" do
+      it "validates good requests" do
+        in_relation_to_request_id = random_id
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+        logoutrequest.validate!
+      end
+      it "raise error for invalid xml" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(invalid_xml_request, settings)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutrequest.validate! }
+      end
+    end
+  end
+end

data/test/test_helper.rb CHANGED

@@ -1,17 +1,22 @@
 require 'rubygems'
-require 'test/unit'
 require 'minitest/autorun'
 require 'shoulda'
 require 'mocha/setup'
 require 'timecop'
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'ruby-saml'
 ENV["ruby-saml/testing"] = "1"
-class Test::Unit::TestCase
+class Minitest::Test
   def fixture(document, base64 = true)
     response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
     if base64 && response =~ /\.xml$/
@@ -21,32 +26,48 @@ class Test::Unit::TestCase
     end
   end
+  def random_id
+    RUBY_VERSION < '1.9' ? "_#{UUID.new.generate}" : "_#{SecureRandom.uuid}"
+  end
+  def read_invalid_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
+  end
+  def read_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", response))
+  end
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
   def response_document
-    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
+    @response_document ||= read_response('response1.xml.base64')
   end
   def response_document_2
-    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+    @response_document2 ||= read_response('response2.xml.base64')
   end
   def response_document_3
-    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+    @response_document3 ||= read_response('response3.xml.base64')
   end
   def response_document_4
-    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+    @response_document4 ||= read_response('response4.xml.base64')
   end
   def response_document_5
-    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+    @response_document5 ||= read_response('response5.xml.base64')
   end
   def r1_response_document_6
-    @response_document6 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'r1_response6.xml.base64'))
+    @response_document6 ||= read_response('r1_response6.xml.base64')
   end
   def ampersands_response
-    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+    @ampersands_resposne ||= read_response('response_with_ampersands.xml.base64')
   end
   def response_document_6
@@ -56,6 +77,22 @@ class Test::Unit::TestCase
     Base64.encode64(doc)
   end
+  def response_document_wrapped
+    @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
+  end
+  def response_document_valid_signed
+    response_document_valid_signed ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'valid_response.xml.base64'))
+  end
+  def response_document_valid_signed_without_x509certificate
+    @response_document_valid_signed_without_x509certificate ||= read_response("valid_response_without_x509certificate.xml.base64")
+  end
+  def response_document_without_recipient
+    @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
+  end
   def wrapped_response_2
     @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
   end
@@ -64,12 +101,24 @@ class Test::Unit::TestCase
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
+  def signature_fingerprint_valid_res
+    @signature_fingerprint1 ||= "4b68c453c7d994aad9025c99d5efcf566287fe8d"
+  end
   def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+    @signature1 ||= read_certificate('certificate1')
   end
   def r1_signature_2
-    @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
+    @signature2 ||= read_certificate('r1_certificate2_base64')
+  end
+  def valid_cert
+    @signature_valid_cert ||= read_certificate('ruby-saml.crt')
+  end
+  def valid_key
+    @signature_valid_cert ||= read_certificate('ruby-saml.key')
   end
   def response_with_multiple_attribute_statements
@@ -79,40 +128,60 @@ class Test::Unit::TestCase
   def response_multiple_attr_values
     @response_multiple_attr_values = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
   end
-end
-def ruby_saml_cert_text
-  read_certificate("ruby-saml.crt")
-end
+  def ruby_saml_cert
+    @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+  end
-def ruby_saml_key_text
-  read_certificate("ruby-saml.key")
-end
+  def ruby_saml_cert2
+    @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
+  end
-def read_certificate(certificate)
-  File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
-end
+  def ruby_saml_cert_fingerprint
+    @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
+  end
-def decode_saml_request_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
-  decoded = Base64.decode64(payload)
+  def ruby_saml_cert_text
+    read_certificate("ruby-saml.crt")
+  end
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
-end
+  def ruby_saml_cert_text2
+    read_certificate("ruby-saml-2.crt")
+  end
+  def ruby_saml_key_text
+    read_certificate("ruby-saml.key")
+  end
-# decodes a base64 encoded SAML response for use in SloLogoutresponse tests
-#
-def decode_saml_response_payload(unauth_url)
-  payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
-  decoded = Base64.decode64(payload)
-  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-  inflated = zstream.inflate(decoded)
-  zstream.finish
-  zstream.close
-  inflated
+  def ruby_saml_key
+    @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
+  end
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+  # decodes a base64 encoded SAML response for use in SloLogoutresponse tests
+  #
+  def decode_saml_response_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
+    decoded = Base64.decode64(payload)
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
 end

data/test/utils_test.rb CHANGED

@@ -1,41 +1,231 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class UtilsTest < Test::Unit::TestCase
-  context "Utils" do
-    context 'element_text' do
-      should 'returns the element text' do
+class UtilsTest < Minitest::Test
+  describe "Utils" do
+    describe "format_cert" do
+      let(:formatted_certificate) {read_certificate("formatted_certificate")}
+      let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
+      it "returns empty string when the cert is an empty string" do
+        cert = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+      it "returns nil when the cert is nil" do
+        cert = nil
+        assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+      it "returns the certificate when it is valid" do
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
+      end
+      it "reformats the certificate when there are spaces and no line breaks" do
+        invalid_certificate1 = read_certificate("invalid_certificate1")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
+      end
+      it "reformats the certificate when there are spaces and no headers" do
+        invalid_certificate2 = read_certificate("invalid_certificate2")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
+      end
+      it "returns the cert when it's encoded" do
+        encoded_certificate = read_certificate("certificate.der")
+        assert_equal encoded_certificate, OneLogin::RubySaml::Utils.format_cert(encoded_certificate)
+      end
+      it "reformats the certificate when there line breaks and no headers" do
+        invalid_certificate3 = read_certificate("invalid_certificate3")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
+      end
+      it "returns the chained certificate when it is a valid chained certificate" do
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
+      end
+      it "reformats the chained certificate when there are spaces and no line breaks" do
+        invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
+      end
+    end
+    describe "format_private_key" do
+      let(:formatted_private_key) do
+        read_certificate("formatted_private_key")
+      end
+      it "returns empty string when the private key is an empty string" do
+        private_key = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+      it "returns nil when the private key is nil" do
+        private_key = nil
+        assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+      it "returns the private key when it is valid" do
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
+      end
+      it "reformats the private key when there are spaces and no line breaks" do
+        invalid_private_key1 = read_certificate("invalid_private_key1")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
+      end
+      it "reformats the private key when there are spaces and no headers" do
+        invalid_private_key2 = read_certificate("invalid_private_key2")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
+      end
+      it "reformats the private key when there line breaks and no headers" do
+        invalid_private_key3 = read_certificate("invalid_private_key3")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
+      end
+      describe "an RSA public key" do
+        let(:formatted_rsa_private_key) do
+          read_certificate("formatted_rsa_private_key")
+        end
+        it "returns the private key when it is valid" do
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
+        end
+        it "reformats the private key when there are spaces and no line breaks" do
+          invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
+        end
+        it "reformats the private key when there are spaces and no headers" do
+          invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
+        end
+        it "reformats the private key when there line breaks and no headers" do
+          invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
+        end
+      end
+    end
+    describe "build_query" do
+      it "returns the query string" do
+        params = {}
+        params[:type] = "SAMLRequest"
+        params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
+        params[:relay_state] = "http://example.com"
+        params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        query_string = OneLogin::RubySaml::Utils.build_query(params)
+        assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
+      end
+    end
+    describe "#status_error_msg" do
+      it "returns a error msg with a status message" do
+        error_msg = "The status code of the Logout Response was not Success"
+        status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+        status_message = "The request could not be performed due to an error on the part of the requester."
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
+        status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
+        status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+        assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
+      end
+    end
+    describe 'uri_match' do
+      it 'matches two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it 'fails to match two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/othertest?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "matches two URLs if the scheme case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'HTTP://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "matches two URLs if the host case doesn't match" do
+        destination = 'http://www.EXAMPLE.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two URLs if the path case doesn't match" do
+        destination = 'http://www.example.com/TEST?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two URLs if the query case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=STUFF'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it 'matches two non urls' do
+        destination = 'stuff'
+        settings = 'stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+      it "fails to match two non urls" do
+        destination = 'stuff'
+        settings = 'not stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+    end
+    describe 'element_text' do
+      it 'returns the element text' do
         element = REXML::Document.new('<element>element text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns all segments of the element text' do
+      it 'returns all segments of the element text' do
         element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
         assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns normalized element text' do
+      it 'returns normalized element text' do
         element = REXML::Document.new('<element>element &amp; text</element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns the CDATA element text' do
+      it 'returns the CDATA element text' do
         element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
         assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns the element text with newlines and additional whitespace' do
+      it 'returns the element text with newlines and additional whitespace' do
         element = REXML::Document.new("<element>  element \n text  </element>").elements.first
         assert_equal "  element \n text  ", OneLogin::RubySaml::Utils.element_text(element)
       end
-      should 'returns nil when element is nil' do
+      it 'returns nil when element is nil' do
         assert_nil OneLogin::RubySaml::Utils.element_text(nil)
       end
-      should 'returns empty string when element has no text' do
+      it 'returns empty string when element has no text' do
         element = REXML::Document.new('<element></element>').elements.first
         assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
       end
     end
   end
-end
+end