ruby-saml 0.8.15 → 0.8.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3039afb4b2668c3859e51ae9eff0c1b423d7dda319a7d646b26702de315047af
-  data.tar.gz: 2ef188024bd8030c659b499db22b3b28f2ae24930954f8c45cc69c175b8fc4e3
+  metadata.gz: 68cb87ca6e3a580cea96b7784b71f60afe0f0982fc9b3c7b2de4fdda0ea1af31
+  data.tar.gz: 216f43c0d0a179f3a9c506f198c31e2a01a08a8661bfaafbe3cb50811b1acf88
 SHA512:
-  metadata.gz: 0ab896476c0de2ebcd71b060dc305d091e3b6c3be7abd81ce702389cb8e8409cbd5730a4a73a71dfdfedbeb7a0081f448ed4aec60737a8ce6c1b6fb966ce9c4f
-  data.tar.gz: 203b1fd9b1fa4d23ab66cac8a034d3154a48e243bff21040ae2e873d191e90c0d8b8ccdfee368ca542c306fd58ddcdbeec700047893ae6044b82b406af43de18
+  metadata.gz: 35ba610649dbff55acae0612782ab7e81947907212b9c454494f9baa5c3926a126430eed919356049261a9cb40767d7079874f56f1b4cb1bd7efb637f4f6ba4f
+  data.tar.gz: a3e9ce681547c0e648f477198a134749c9febb1f86e042d2bb3266e01a740767672a667d0c85a162d0f11489e87ee4c1a53cbd15d45e6aeefeb31fc30a2fe99f

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -29,7 +29,7 @@ module OneLogin
 
         @options = options
         @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
-        @document = XMLSecurity::SignedDocument.new(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
       end
 
       def validate!
@@ -37,7 +37,7 @@ module OneLogin
       end
 
       def validate(soft = true)
-        return false unless valid_saml?(soft) && valid_state?(soft)
+        return false unless validate_structure(soft)
 
         valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
       end
@@ -51,7 +51,7 @@ module OneLogin
 
       def in_response_to
         @in_response_to ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL })
           node.nil? ? nil : node.attributes['InResponseTo']
         end
       end
@@ -59,7 +59,6 @@ module OneLogin
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
           Utils.element_text(node)
         end
       end
@@ -73,7 +72,7 @@ module OneLogin
 
       private
 
-      def valid_saml?(soft = true)
+      def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
           @xml = Nokogiri::XML(self.document.to_s)
@@ -85,26 +84,6 @@ module OneLogin
         end
       end
 
-      def valid_state?(soft = true)
-        if response.empty?
-          return soft ? false : validation_error("Blank response")
-        end
-
-        if settings.nil?
-          return soft ? false : validation_error("No settings on response")
-        end
-
-        if settings.sp_entity_id.nil?
-          return soft ? false : validation_error("No sp_entity_id in settings")
-        end
-
-        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
-          return soft ? false : validation_error("No fingerprint or certificate on settings")
-        end
-
-        true
-      end
-
       def valid_in_response_to?(soft = true)
         return true unless self.options.has_key? :matches_request_id
 
@@ -116,8 +95,10 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
         end
         true
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -134,6 +134,34 @@ module OneLogin
         end
       end
 
+      # Gets the Issuers (from Response and Assertion).
+      # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
+      # @return [Array] Array with the Issuers (REXML::Element)
+      #
+      def issuers
+        @issuers ||= begin
+          issuer_response_nodes = REXML::XPath.match(
+            document,
+            "/p:Response/a:Issuer",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+
+          unless issuer_response_nodes.size == 1
+            error_msg = "Issuer of the Response not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+          unless issuer_assertion_nodes.size == 1
+            error_msg = "Issuer of the Assertion not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          nodes = issuer_response_nodes + issuer_assertion_nodes
+          nodes.map { |node| Utils.element_text(node) }.compact.uniq
+        end
+      end
+
       # @return [Array] The Audience elements from the Contitions of the SAML Response.
       #
       def audiences
@@ -157,6 +185,7 @@ module OneLogin
         validate_response_state(soft)  &&
         validate_conditions(soft)      &&
         validate_audience(soft)        &&
+        validate_issuer(soft)          &&
         validate_signature(soft)       &&
         success?
       end
@@ -390,6 +419,25 @@ module OneLogin
         true
       end
 
+      def validate_issuer(soft = true)
+        return true if settings.idp_entity_id.nil?
+
+        begin
+          obtained_issuers = issuers
+        rescue ValidationError => e
+          return soft ? false : validation_error("Error while extracting issuers")
+        end
+
+        obtained_issuers.each do |issuer|
+          unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+            error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
+            return soft ? false : validation_error(error_msg)
+          end
+        end
+
+        true
+      end
+
       def validate_signature(soft = true)
         error_msg = "Invalid Signature on SAML Response"
 

data/lib/onelogin/ruby-saml/settings.rb

@@ -27,6 +27,7 @@ module OneLogin
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      attr_accessor :idp_entity_id
       #sp data
       attr_accessor :sp_entity_id
       attr_accessor :assertion_consumer_service_url
@@ -36,7 +37,6 @@ module OneLogin
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
-      attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
@@ -152,15 +152,6 @@ module OneLogin
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
-      #
-      def get_sp_cert_new
-        return nil if certificate_new.nil? || certificate_new.empty?
-
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
-        OpenSSL::X509::Certificate.new(formatted_cert)
-      end
-
       # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
       #
       def get_sp_key

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -0,0 +1,101 @@
+require "xml_security"
+require "time"
+
+# Only supports SAML 2.0
+# SAML2 Logout Request (SLO IdP initiated, Parser)
+module OneLogin
+  module RubySaml
+    class SloLogoutrequest
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      # OneLogin::RubySaml::Settings Toolkit settings
+      attr_accessor :settings
+
+      attr_reader :document
+      attr_reader :request
+      attr_reader :options
+
+      def initialize(request, settings = nil, options = {})
+        raise ArgumentError.new("Request cannot be nil") if request.nil?
+        self.settings = settings
+
+        @options = options
+        @request = OneLogin::RubySaml::Utils.decode_raw_saml(request)
+        @document = XMLSecurity::SignedDocument.new(@request)
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def validate(soft = true)
+        return false unless validate_structure(soft)
+
+        valid_issuer?(soft)
+      end
+
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          Utils.element_text(node)
+        end
+      end
+
+      alias_method :nameid, :name_id
+
+      def name_id_format
+        @name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        @name_id_format ||=
+          if @name_id_node && @name_id_node.attribute("Format")
+            @name_id_node.attribute("Format").value
+          end
+      end
+
+      alias_method :nameid_format, :name_id_format
+
+      def id
+        @id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest", { "p" => PROTOCOL } )
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          Utils.element_text(node)
+        end
+      end
+
+      private
+
+      def validate_structure(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def valid_issuer?(soft = true)
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/utils.rb

@@ -179,6 +179,33 @@ module OneLogin
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
 
+      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
+      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
+      # two strings.  This maintains the previous functionality.
+      # @return [Boolean]
+      def self.uri_match?(destination_url, settings_url)
+        dest_uri = URI.parse(destination_url)
+        acs_uri = URI.parse(settings_url)
+
+        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+          raise URI::InvalidURIError
+        else
+          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+            dest_uri.host.downcase == acs_uri.host.downcase &&
+            dest_uri.path == acs_uri.path &&
+            dest_uri.query == acs_uri.query
+        end
+      rescue URI::InvalidURIError
+        original_uri_match?(destination_url, settings_url)
+      end
+
+      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+      # @return [Boolean]
+      def self.original_uri_match?(destination_url, settings_url)
+        destination_url == settings_url
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.15'
+    VERSION = '0.8.16'
   end
 end

data/lib/ruby-saml.rb

@@ -2,6 +2,7 @@ require 'onelogin/ruby-saml/logging'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
 require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/slo_logoutrequest'
 require 'onelogin/ruby-saml/slo_logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'

data/test/certificates/formatted_certificate

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----

data/test/certificates/formatted_chained_certificate

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----

data/test/certificates/formatted_private_key

@@ -0,0 +1,12 @@
+-----BEGIN PRIVATE KEY-----
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3
+NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht
+YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR
+hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR
+O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3
+B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe
+3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL
+d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO
+5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK
+GeW2AKaE6oqRqeVwGw4V
+-----END PRIVATE KEY-----

data/test/certificates/formatted_rsa_private_key

@@ -0,0 +1,12 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3
+NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht
+YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR
+hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR
+O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3
+B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe
+3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL
+d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO
+5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK
+GeW2AKaE6oqRqeVwGw4V
+-----END RSA PRIVATE KEY-----

data/test/certificates/invalid_certificate1

@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE----- MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N 4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ +4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1 2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ -----END CERTIFICATE-----

data/test/certificates/invalid_certificate2

@@ -0,0 +1 @@
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N 4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ +4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1 2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ

data/test/certificates/invalid_certificate3

@@ -0,0 +1,12 @@
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ

data/test/certificates/invalid_chained_certificate1

@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE-----MIICPDCCAaWgAwIBAgIIEiC/9HMAWW AwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWE wMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIICPDCCAaWgAw IBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE-----

data/test/certificates/invalid_private_key1

@@ -0,0 +1 @@
+-----BEGIN PRIVATE KEY----- MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3 NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3 B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe 3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO 5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK GeW2AKaE6oqRqeVwGw4V -----END PRIVATE KEY-----

data/test/certificates/invalid_private_key2

@@ -0,0 +1 @@
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUhtYzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfRhg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQRO1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOLd3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCKGeW2AKaE6oqRqeVwGw4V

data/test/certificates/invalid_private_key3

@@ -0,0 +1,10 @@
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3
+NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht
+YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR
+hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR
+O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3
+B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe
+3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL
+d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO
+5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK
+GeW2AKaE6oqRqeVwGw4V

data/test/certificates/invalid_rsa_private_key1

@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY----- MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3 NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3 B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe 3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO 5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK GeW2AKaE6oqRqeVwGw4V -----END RSA PRIVATE KEY-----

data/test/certificates/invalid_rsa_private_key2

@@ -0,0 +1 @@
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUhtYzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfRhg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQRO1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOLd3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCKGeW2AKaE6oqRqeVwGw4V

data/test/certificates/invalid_rsa_private_key3

@@ -0,0 +1,10 @@
+MIIBuwIBAAKBgQDImEj39zKfeh4LbgzPuos/DCnyKZUJzAHX3OSXA1Akl+CA1Ak3
+NgRCJ3NOflCGzW+PcLvxrSwH3mHaqQAvDA2fJOySiVtJ9+tm1jrQnL+AAw7JzUht
+YzmnRC8wwuN1+TDuKiK1Hzr/4fz2eFZ6+M53YC4eHOkBYA0FdFGRYrH70wIVAJfR
+hg3tWWhJvyJBvaZoh3/BP613AoGBAL0KkMDFRc3FXcvdRKNpWbrsU41G32bBlfQR
+O1EBe1+ghIasBr7lxEEhdkfthlaF4JiFHyaXuSx5hPKUbo8AO/MfaPJ7SKK2QRS3
+B/qlstzIbjmvgYJJuOs4O4x6lYgeU5rb9G5SoOEBvyo46ZxfzdWhAwfZofsrzAhe
+3WlOTZkdAoGAGmt0xlYn/0oYZjCxGKStjBA80E5NypAl7UyFj1RhGjIUkiuRcgOL
+d3/fC6vKuqsMtLHyb5EGqtHPbqm4re1rw0zDh+qHEFA4N6UW0poc9eNEfosJA2BO
+5o8ft9FzKA033pl89mD0CBj05EPadGR7E7QhL5mXuQJpjXJEiyqbce4CFAUFhvCK
+GeW2AKaE6oqRqeVwGw4V

data/test/logoutresponse_test.rb

@@ -32,12 +32,12 @@ class LogoutResponseTest < Minitest::Test
     describe "#validate" do
       it "validate the response" do
         in_relation_to_request_id = random_id
-
+        settings.idp_entity_id = "https://example.com/idp"
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
 
         assert logoutresponse.validate
 
-        assert_equal settings.sp_entity_id, logoutresponse.issuer
+        assert_equal settings.idp_entity_id, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
         assert logoutresponse.success?
@@ -87,20 +87,6 @@ class LogoutResponseTest < Minitest::Test
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      it "raise validation error when in bad state" do
-        # no settings
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
-
-      it "raise validation error when in lack of sp_entity_id setting" do
-        bad_settings = settings
-        bad_settings.issuer = nil
-        bad_settings.sp_entity_id = nil
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
-
       it "raise error for invalid xml" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
 

data/test/requests/logoutrequest_fixtures.rb

@@ -0,0 +1,47 @@
+#encoding: utf-8
+
+def default_request_opts
+  {
+      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
+      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
+      :nameid => "testuser@example.com",
+      :nameid_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      :settings => settings
+  }
+end
+
+def valid_request(opts = {})
+  opts = default_request_opts.merge!(opts)
+
+  "<samlp:LogoutRequest
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
+        ID=\"#{random_id}\" Version=\"2.0\"
+        IssueInstant=\"#{opts[:issue_instant]}\"
+        Destination=\"#{opts[:settings].idp_slo_target_url}\">
+      <saml:Issuer>#{opts[:settings].idp_entity_id}</saml:Issuer>
+      <saml:NameID Format=\"#{opts[:nameid_format]}\">#{opts[:nameid]}</saml:NameID>
+      </samlp:LogoutRequest>"
+end
+
+def invalid_xml_request
+  "<samlp:SomethingAwful
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\">
+      </samlp:SomethingAwful>"
+end
+
+def settings
+  @settings ||= OneLogin::RubySaml::Settings.new(
+      {
+          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
+          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
+          :sp_entity_id => "http://app.muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+      }
+  )
+end

data/test/response_test.rb

@@ -323,6 +323,31 @@ class ResponseTest <  Minitest::Test
       end
     end
 
+    describe "#validate_issuer" do
+      it "return true when the issuer of the Message/Assertion matches the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.settings = settings
+        assert response.send(:validate_issuer)
+
+        response.settings.idp_entity_id = 'https://app.onelogin.com/saml2'
+        assert response.send(:validate_issuer)
+      end
+
+      it "return false when the issuer of the Message does not match the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_message.xml.base64"))
+        response.settings = settings
+        response.settings.idp_entity_id = 'http://idp.example.com/'
+        assert !response.send(:validate_issuer)
+      end
+
+      it "return false when the issuer of the Assertion does not match the IdP entityId" do
+        response = OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_assertion.xml.base64"))
+        response.settings = settings
+        response.settings.idp_entity_id = 'http://idp.example.com/'
+        assert !response.send(:validate_issuer)
+      end
+    end
+
     describe "#name_id" do
       it "extract the value of the name id element" do
         response = OneLogin::RubySaml::Response.new(response_document)

data/test/responses/invalids/invalid_issuer_assertion.xml.base64

@@ -0,0 +1 @@
+nVdbc6rKEn4/Vec/WK7HlOEuYiXZZwQ1XlARNCYvp2AYBOUmg4L++j3gJSYm2Xutp8Se7p7v+3pmunn4Kw/8yg4l2IvCxypzT1f/evrvfx6wGfhxc4pwHIUYVYhTiJuF8bG6TcJmZGIPN0MzQLiZwqYO1GGTvaebJsYoSUmq6lVI/HNMnERpBCO/WlEQTr3QTEsobprGTYrC6dZx7mEUUCi048gLU3z1nwnxfezG1UpPeazGTm41oAAFTqpZdVGqOQjaNQfaXI3nHUTWeIllG8Q5PBMzosfq/wXRgpYj0jXRYpwazbCoBhssUxMbLFlgOMviiiCMt6gX4tQM08cqSzNMja7XGNFg+KbANxn+rVqZn3UkvKpExkqlFLJZxiZPJ0qeHd+j3AxiH5XEHqhrpwcbN3VvSWTYJmfhbXzRI8uy+4y7j5IlxdI0TdESRXxs7C1/nXY8xSO7FzpRmU42wyj0oOl7h1JcFaVuZFeAv4wSL3WDb5IzFEMXyWsohzXI8OGvKlVu8b5JCfJfpvuANcFmDbsmc8pY5JsiByUohKgym/Yeq7/+bTlLikZihtiJkgB//Pl7qFC4Q34UI7uGz+QIwN9L+KVqD9QtRsVbkvP+J+KdhHtPMjf9LXqqd6e6PlU9TRjpfVEaL1iqTs0ZvK43HksA186l4SL58eenY3Mp8DFCUbUFMth+wM5TrMnLpSrxstwaTplpKxss4YzbTfmlx4DtIHvDq5k/cjXZnvLtfR8e7ux0YoxovIGZEHGrLb2b7CEVBuOpLwZrecP0WWMyVwHf6q1HL2OB995io6tCMx/frejp4KU/YGfOAFBB3p+arc0sdveD0Z0qhCN3NxyH00Hg530B9hXnsAWPFzpX+MmrRowDtL8QXAi0pJipefkhF4+XQ25Kip7UXk/uHmQZvGqyrMmjEdQWUcCxcwWMWsv1xl17XSmjW0CbdYDS0lUNZ7L2qsw1rdvO+vPZoT1UwboLmFlbbqmyPuPzjgGM1nI0bwFoKG1/+9b1XSvoZBabx/DQnqqgcfR31Z7BCr7RlULzhc8VBQyOcdgA9Hz7dgCok9H5SAG0ulLzsaLlqtIxS5vx0aZ2erl8AP1j/KsB/LlxhbVHsPaNVXuuttRy71auqvqLsDZfOtvXRWtndf2DOm1nSlb6D9qZO7GCuWqxdmyt2qoKoiNmstv0RQjVXtdRAd2V9U1X71mcorULjQDguyOgyC1PI1Q0JaoHd9rb7lWj8iHd9ofLbTxgNAW+DnlHmMB1hkdLXYpnu7noHIyN/LxuGO4wN9Y8q2qsCvt4jGb9+URkGwN3H6w68iZfTvj5NpuupSQGPn0XuPu6OrH3qz2odxl+lSgvel3Y4yF0B3xK7bK4rRxoXfPbUZdZqwff1wPx8KZziwQtgaisRubsVdtkPQVooPWZU+vIqQWGKrvryp5G7YI7s77j6bv5gj3Ym2fAahSz6zCepR36Aq/25fH8ZYfvdtrCeeu4dkCPJyrbS5SZGG12g8lmUs/HAPUH9Wd6PxFV/nXIOWaq73qvQeDsF7K0Tjl9d6BG++T5MHFnYZ/eIwrP9EUeHrQ8gwElTTKwSTQTcFqsrZ8FcW91qHGU7CfojnXLa/H5oF+Mx6tAXV+SD9fovaHFTT0lJnzuBtc2ObJRpbxxP7d9XHo39S2ECONzH6Bu0h87KDgPFqeOmH/XERlqoQ516KLArF58vX92rnlla4foMkuIDZ6RJIY84iLn1HiaE2qIRWQ2YEQa0oixOcT/6VjwzWAQ7kiPtu+90vrDjFAkuE6jb60Vgukp9dk6Ipr3lEqHdBwz/b4YzD1TWjzSXEvXJpHD84FtJ0VhKvqkSKRtCTTHQwmREvl+VKCqPuEoQFGI/ncF9YT0uPknRCecchQ6XrFTUc9jA/z5rMCgaSEzQUn1kvCHlMU5/rMZbxSl43CcACcteLI0S18VUzoWc4qgF3uoqPZvjajUuxbUd8jPZ4P6oqpHusTb9gpXXIBtIVIxVB67a6Rcky+Q3rBhbth8qg/Y2l4xDhDp0sSDV5BufZ5+YB+g1LRJFQriJzKXsE8qfL/lyeGd8QchwDZ1w+KZQAGpRaX8+f01pEWih06OM8nTC22UF0eCsRAnSnWBzJKCIEp2g+YYnqHFusTVbcgiyWZsqYEs5xL6raIse77sN4oSXIRCivL0CynfF2WffDuReezpx88r2ISFHzFPyJ8sSuyLjF+kupH6Bsv1ykXMjzqnpCzWNkWfl28cKsWVf6wWb0e1/P+fHp6SEYkurOenxyJ+8PaWXzYpG0uFvOjNdB+T3XLyiUmWwuVPb9HH6BtZzqufNPma+Hn13I+KsZL6+LX89Dc=

data/test/responses/invalids/invalid_issuer_message.xml.base64

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDY1YzllMWQ5LTY2MjItNGE4MC1kMjNjLTE4ZWQwOTdkZTU1MCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaW52YWxpZC5pc3N1ZXIuZXhhbXBsZS5jb20vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4NCiAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4NjVjOWUxZDktNjYyMi00YTgwLWQyM2MtMThlZDA5N2RlNTUwIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5TYmc4M0hkZXZwcTN5ajZJOVlRdDR3bkZGYnM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPjRVbHROQWxmMHRwQWJEYnFnbkxUWXAxcFJRQ2NMbFZkZERCdDhYRC9WYmFzMTBJSkd2V09UeExqMkVMci9wbytuSWd5Zkw2ejlWcThidm5EVVNjT3o5bVg0OFFsclJaRXo0U3RGTzBCVWM2MjFreFpYM3ZMSXBoeHc1N3o0U2FvckVmZGRGOFFkazBPQTl1Z3dFb014Z2FqcklXbWRldC8zMTVBTGJFSk13VT08L2RzOlNpZ25hdHVyZVZhbHVlPg0KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2dUQ0NBZW9DQ1FDYk9scldEZFg3RlRBTkJna3Foa2lHOXcwQkFRVUZBRENCaERFTE1Ba0dBMVVFQmhNQ1RrOHhHREFXQmdOVkJBZ1REMEZ1WkhKbFlYTWdVMjlzWW1WeVp6RU1NQW9HQTFVRUJ4TURSbTl2TVJBd0RnWURWUVFLRXdkVlRrbE9SVlJVTVJnd0ZnWURWUVFERXc5bVpXbGtaUzVsY214aGJtY3VibTh4SVRBZkJna3Foa2lHOXcwQkNRRVdFbUZ1WkhKbFlYTkFkVzVwYm1WMGRDNXViekFlRncwd056QTJNVFV4TWpBeE16VmFGdzB3TnpBNE1UUXhNakF4TXpWYU1JR0VNUXN3Q1FZRFZRUUdFd0pPVHpFWU1CWUdBMVVFQ0JNUFFXNWtjbVZoY3lCVGIyeGlaWEpuTVF3d0NnWURWUVFIRXdOR2IyOHhFREFPQmdOVkJBb1RCMVZPU1U1RlZGUXhHREFXQmdOVkJBTVREMlpsYVdSbExtVnliR0Z1Wnk1dWJ6RWhNQjhHQ1NxR1NJYjNEUUVKQVJZU1lXNWtjbVZoYzBCMWJtbHVaWFIwTG01dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRGl2YmhSN1A1MTZ4L1MzQnFLeHVwUWUwTE9Ob2xpdXBpQk9lc0NPM1NIYkRybDMrcTlJYmZuZm1FMDRyTnVNY1BzSXhCMTYxVGREcEllc0xDbjdjOGFQSElTS090UGxBZVRaU25iOFFBdTdhUmpacTMrUGJyUDV1VzNUY2ZDR1B0S1R5dEhPZ2UvT2xKYm8wNzhkVmhYUTE0ZDFFRHdYSlcxclJYdVV0NEM4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDRFZmcDg2SE9icVkrZThCVW9XUTkrVk1ReDFBU0RvaEJqd09zZzJXeWtVcVJYRitkTGZjVUg5ZFdSNjNDdFpJS0ZEYlN0Tm9tUG5RejduYksrb255Z3dCc3BWRWJuSHVVaWhacTNaVWRtdW1RcUN3NFV2cy8xVXZxM29yT28vV0pWaFR5dkxnRlZLMlFhclE0LzY3T1pmSGQ3UitQT0JYaG9waFNNdjFaT288L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+DQogIDwvc2FtbHA6U3RhdHVzPg0KICA8c2FtbDpBc3NlcnRpb24geG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiBJRD0icGZ4Nzg0MTk5MWMtYzczZi00MDM1LWUyZWUtYzE3MGMwZTFkM2U0IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDoxNFoiPg0KICAgIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJoZWxsby5jb20iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA2LTE3VDE0OjU5OjE0WiIgUmVjaXBpZW50PSJodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9lbmRwb2ludHMvYWNzLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=

data/test/responses/logoutresponse_fixtures.rb

@@ -15,9 +15,9 @@ def valid_response(opts = {})
         xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
         ID=\"#{random_id}\" Version=\"2.0\"
         IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
+        Destination=\"#{opts[:settings].idp_slo_target_url}\"
         InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].sp_entity_id}</saml:Issuer>
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].idp_entity_id}</saml:Issuer>
       <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
       <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
           Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
@@ -33,9 +33,9 @@ def unsuccessful_response(opts = {})
         xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
         ID=\"#{random_id}\" Version=\"2.0\"
         IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
+        Destination=\"#{opts[:settings].idp_slo_target_url}\"
         InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].sp_entity_id}</saml:Issuer>
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].idp_entity_id}</saml:Issuer>
       <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
       <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
           Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">

data/test/settings_test.rb

@@ -42,6 +42,112 @@ class SettingsTest < Minitest::Test
       end
     end
 
+    describe "#get_idp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.idp_cert = ""
+        assert_nil @settings.get_idp_cert
+      end
+
+      it "returns nil when the cert is nil" do
+        @settings.idp_cert = nil
+        assert_nil @settings.get_idp_cert
+      end
+
+      it "returns the certificate when it is valid" do
+        @settings.idp_cert = ruby_saml_cert_text
+        assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.idp_cert = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_idp_cert
+        }
+      end
+    end
+
+    describe "#get_sp_cert" do
+      it "returns nil when the cert is an empty string" do
+        @settings.certificate = ""
+        assert_nil @settings.get_sp_cert
+      end
+
+      it "returns nil when the cert is nil" do
+        @settings.certificate = nil
+        assert_nil @settings.get_sp_cert
+      end
+
+      it "returns the certificate when it is valid" do
+        @settings.certificate = ruby_saml_cert_text
+        assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate
+      end
+
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.certificate = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_sp_cert
+        }
+      end
+    end
+
+    describe "#get_sp_key" do
+      it "returns nil when the private key is an empty string" do
+        @settings.private_key = ""
+        assert_nil @settings.get_sp_key
+      end
+
+      it "returns nil when the private key is nil" do
+        @settings.private_key = nil
+        assert_nil @settings.get_sp_key
+      end
+
+      it "returns the private key when it is valid" do
+        @settings.private_key = ruby_saml_key_text
+        assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA
+      end
+
+      it "raises when the private key is not valid" do
+        # formatted but invalid rsa private key
+        @settings.private_key = read_certificate("formatted_rsa_private_key")
+        assert_raises(OpenSSL::PKey::RSAError) {
+          @settings.get_sp_key
+        }
+      end
+
+    end
+
+    describe "#get_fingerprint" do
+      it "get the fingerprint value when cert and fingerprint in settings are nil" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert_nil fingerprint
+      end
+
+      it "get the fingerprint value when there is a cert at the settings" do
+        @settings.idp_cert_fingerprint = nil
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+
+      it "get the fingerprint value when there is a fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = nil
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+
+      it "get the fingerprint value when there are cert and fingerprint at the settings" do
+        @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        @settings.idp_cert = ruby_saml_cert_text
+        fingerprint = @settings.get_fingerprint
+        assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase
+      end
+    end
+
   end
 
 end

data/test/slo_logoutrequest_test.rb

@@ -0,0 +1,66 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require File.expand_path(File.join(File.dirname(__FILE__), "requests/logoutrequest_fixtures"))
+
+class SloLogoutrequestTest < Minitest::Test
+
+  describe "SloLogoutrequest" do
+
+    describe "#new" do
+      it "raise an exception when request is initialized with nil" do
+        assert_raises(ArgumentError) { OneLogin::RubySaml::SloLogoutrequest.new(nil) }
+      end
+      it "default to empty settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request)
+        assert logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected settings" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, settings)
+        assert !logoutrequest.settings.nil?
+      end
+      it "accept constructor-injected options" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request, nil, { :foo => :bar} )
+        assert !logoutrequest.options.empty?
+      end
+      it "support base64 encoded requests" do
+        expected_request = valid_request
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(Base64.encode64(expected_request), settings)
+
+        assert_equal expected_request, logoutrequest.request
+      end
+    end
+
+    describe "#validate" do
+      it "validate the request" do
+        in_relation_to_request_id = random_id
+        settings.idp_entity_id = "https://example.com/idp"
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+
+        assert logoutrequest.validate
+
+        assert_equal settings.idp_entity_id, logoutrequest.issuer
+
+        assert_equal "testuser@example.com", logoutrequest.nameid
+
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", logoutrequest.nameid_format
+      end
+
+    end
+
+    describe "#validate!" do
+      it "validates good requests" do
+        in_relation_to_request_id = random_id
+
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(valid_request({:uuid => in_relation_to_request_id}), settings)
+
+        logoutrequest.validate!
+      end
+
+      it "raise error for invalid xml" do
+        logoutrequest = OneLogin::RubySaml::SloLogoutrequest.new(invalid_xml_request, settings)
+
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutrequest.validate! }
+      end
+    end
+
+  end
+end

data/test/utils_test.rb

@@ -2,6 +2,194 @@ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 class UtilsTest < Minitest::Test
   describe "Utils" do
+
+    describe "format_cert" do
+      let(:formatted_certificate) {read_certificate("formatted_certificate")}
+      let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
+
+      it "returns empty string when the cert is an empty string" do
+        cert = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+
+      it "returns nil when the cert is nil" do
+        cert = nil
+        assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
+      end
+
+      it "returns the certificate when it is valid" do
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
+      end
+
+      it "reformats the certificate when there are spaces and no line breaks" do
+        invalid_certificate1 = read_certificate("invalid_certificate1")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
+      end
+
+      it "reformats the certificate when there are spaces and no headers" do
+        invalid_certificate2 = read_certificate("invalid_certificate2")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
+      end
+
+      it "returns the cert when it's encoded" do
+        encoded_certificate = read_certificate("certificate.der")
+        assert_equal encoded_certificate, OneLogin::RubySaml::Utils.format_cert(encoded_certificate)
+      end
+
+      it "reformats the certificate when there line breaks and no headers" do
+        invalid_certificate3 = read_certificate("invalid_certificate3")
+        assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
+      end
+
+      it "returns the chained certificate when it is a valid chained certificate" do
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
+      end
+
+      it "reformats the chained certificate when there are spaces and no line breaks" do
+        invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
+        assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
+      end
+
+    end
+
+    describe "format_private_key" do
+      let(:formatted_private_key) do
+        read_certificate("formatted_private_key")
+      end
+
+      it "returns empty string when the private key is an empty string" do
+        private_key = ""
+        assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+
+      it "returns nil when the private key is nil" do
+        private_key = nil
+        assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
+      end
+
+      it "returns the private key when it is valid" do
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
+      end
+
+      it "reformats the private key when there are spaces and no line breaks" do
+        invalid_private_key1 = read_certificate("invalid_private_key1")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
+      end
+
+      it "reformats the private key when there are spaces and no headers" do
+        invalid_private_key2 = read_certificate("invalid_private_key2")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
+      end
+
+      it "reformats the private key when there line breaks and no headers" do
+        invalid_private_key3 = read_certificate("invalid_private_key3")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
+      end
+
+      describe "an RSA public key" do
+        let(:formatted_rsa_private_key) do
+          read_certificate("formatted_rsa_private_key")
+        end
+
+        it "returns the private key when it is valid" do
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
+        end
+
+        it "reformats the private key when there are spaces and no line breaks" do
+          invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
+          assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
+        end
+
+        it "reformats the private key when there are spaces and no headers" do
+          invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
+        end
+
+        it "reformats the private key when there line breaks and no headers" do
+          invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
+          assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
+        end
+      end
+    end
+
+    describe "build_query" do
+      it "returns the query string" do
+        params = {}
+        params[:type] = "SAMLRequest"
+        params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
+        params[:relay_state] = "http://example.com"
+        params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        query_string = OneLogin::RubySaml::Utils.build_query(params)
+        assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
+      end
+    end
+
+    describe "#status_error_msg" do
+      it "returns a error msg with a status message" do
+        error_msg = "The status code of the Logout Response was not Success"
+        status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+        status_message = "The request could not be performed due to an error on the part of the requester."
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
+
+        status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
+        assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
+
+        status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+        assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
+      end
+    end
+
+    describe 'uri_match' do
+      it 'matches two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'fails to match two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/othertest?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the scheme case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'HTTP://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the host case doesn't match" do
+        destination = 'http://www.EXAMPLE.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the path case doesn't match" do
+        destination = 'http://www.example.com/TEST?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the query case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=STUFF'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'matches two non urls' do
+        destination = 'stuff'
+        settings = 'stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two non urls" do
+        destination = 'stuff'
+        settings = 'not stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+    end
+
     describe 'element_text' do
       it 'returns the element text' do
         element = REXML::Document.new('<element>element text</element>').elements.first
@@ -36,6 +224,8 @@ class UtilsTest < Minitest::Test
         element = REXML::Document.new('<element></element>').elements.first
         assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
       end
+
+
     end
   end
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 0.8.15
+  version: 0.8.16
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-27 00:00:00.000000000 Z
+date: 2020-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: uuid
@@ -63,6 +63,7 @@ files:
 - lib/onelogin/ruby-saml/response.rb
 - lib/onelogin/ruby-saml/setting_error.rb
 - lib/onelogin/ruby-saml/settings.rb
+- lib/onelogin/ruby-saml/slo_logoutrequest.rb
 - lib/onelogin/ruby-saml/slo_logoutresponse.rb
 - lib/onelogin/ruby-saml/utils.rb
 - lib/onelogin/ruby-saml/validation_error.rb
@@ -74,7 +75,22 @@ files:
 - lib/schemas/xmldsig_schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
+- test/certificates/certificate.der
 - test/certificates/certificate1
+- test/certificates/formatted_certificate
+- test/certificates/formatted_chained_certificate
+- test/certificates/formatted_private_key
+- test/certificates/formatted_rsa_private_key
+- test/certificates/invalid_certificate1
+- test/certificates/invalid_certificate2
+- test/certificates/invalid_certificate3
+- test/certificates/invalid_chained_certificate1
+- test/certificates/invalid_private_key1
+- test/certificates/invalid_private_key2
+- test/certificates/invalid_private_key3
+- test/certificates/invalid_rsa_private_key1
+- test/certificates/invalid_rsa_private_key2
+- test/certificates/invalid_rsa_private_key3
 - test/certificates/r1_certificate2_base64
 - test/certificates/ruby-saml-2.crt
 - test/certificates/ruby-saml.crt
@@ -82,6 +98,7 @@ files:
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
 - test/request_test.rb
+- test/requests/logoutrequest_fixtures.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
@@ -89,6 +106,8 @@ files:
 - test/responses/adfs_response_sha512.xml
 - test/responses/adfs_response_xmlns.xml
 - test/responses/encrypted_new_attack.xml.base64
+- test/responses/invalids/invalid_issuer_assertion.xml.base64
+- test/responses/invalids/invalid_issuer_message.xml.base64
 - test/responses/invalids/multiple_signed.xml.base64
 - test/responses/invalids/no_signature.xml.base64
 - test/responses/invalids/response_with_concealed_signed_assertion.xml
@@ -121,6 +140,7 @@ files:
 - test/responses/valid_response_without_x509certificate.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
+- test/slo_logoutrequest_test.rb
 - test/slo_logoutresponse_test.rb
 - test/test_helper.rb
 - test/utils_test.rb
@@ -149,7 +169,22 @@ signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files:
+- test/certificates/certificate.der
 - test/certificates/certificate1
+- test/certificates/formatted_certificate
+- test/certificates/formatted_chained_certificate
+- test/certificates/formatted_private_key
+- test/certificates/formatted_rsa_private_key
+- test/certificates/invalid_certificate1
+- test/certificates/invalid_certificate2
+- test/certificates/invalid_certificate3
+- test/certificates/invalid_chained_certificate1
+- test/certificates/invalid_private_key1
+- test/certificates/invalid_private_key2
+- test/certificates/invalid_private_key3
+- test/certificates/invalid_rsa_private_key1
+- test/certificates/invalid_rsa_private_key2
+- test/certificates/invalid_rsa_private_key3
 - test/certificates/r1_certificate2_base64
 - test/certificates/ruby-saml-2.crt
 - test/certificates/ruby-saml.crt
@@ -157,6 +192,7 @@ test_files:
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
 - test/request_test.rb
+- test/requests/logoutrequest_fixtures.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
@@ -164,6 +200,8 @@ test_files:
 - test/responses/adfs_response_sha512.xml
 - test/responses/adfs_response_xmlns.xml
 - test/responses/encrypted_new_attack.xml.base64
+- test/responses/invalids/invalid_issuer_assertion.xml.base64
+- test/responses/invalids/invalid_issuer_message.xml.base64
 - test/responses/invalids/multiple_signed.xml.base64
 - test/responses/invalids/no_signature.xml.base64
 - test/responses/invalids/response_with_concealed_signed_assertion.xml
@@ -196,6 +234,7 @@ test_files:
 - test/responses/valid_response_without_x509certificate.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
+- test/slo_logoutrequest_test.rb
 - test/slo_logoutresponse_test.rb
 - test/test_helper.rb
 - test/utils_test.rb