RubyGems - ruby-saml - Versions diffs - 0.8.8 → 0.8.13 - Mend

ruby-saml 0.8.8 → 0.8.13

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (45) hide show

checksums.yaml +7 -7
data/Gemfile +11 -1
data/README.md +5 -2
data/Rakefile +0 -14
data/lib/onelogin/ruby-saml/authrequest.rb +86 -20
data/lib/onelogin/ruby-saml/logoutrequest.rb +95 -20
data/lib/onelogin/ruby-saml/logoutresponse.rb +5 -28
data/lib/onelogin/ruby-saml/metadata.rb +5 -5
data/lib/onelogin/ruby-saml/response.rb +187 -4
data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
data/lib/onelogin/ruby-saml/settings.rb +146 -10
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +158 -0
data/lib/onelogin/ruby-saml/utils.rb +169 -0
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +2 -1
data/lib/xml_security.rb +330 -78
data/test/certificates/ruby-saml-2.crt +15 -0
data/test/certificates/ruby-saml.crt +14 -0
data/test/certificates/ruby-saml.key +15 -0
data/test/logoutrequest_test.rb +177 -44
data/test/logoutresponse_test.rb +25 -29
data/test/request_test.rb +100 -37
data/test/response_test.rb +213 -111
data/test/responses/adfs_response_xmlns.xml +45 -0
data/test/responses/encrypted_new_attack.xml.base64 +1 -0
data/test/responses/invalids/multiple_signed.xml.base64 +1 -0
data/test/responses/invalids/no_signature.xml.base64 +1 -0
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +1 -0
data/test/responses/logoutresponse_fixtures.rb +6 -6
data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
data/test/responses/response_with_signed_assertion_3.xml +30 -0
data/test/responses/response_with_signed_message_and_assertion.xml +34 -0
data/test/responses/response_with_undefined_recipient.xml.base64 +1 -0
data/test/responses/response_wrapped.xml.base64 +150 -0
data/test/responses/valid_response.xml.base64 +1 -0
data/test/responses/valid_response_without_x509certificate.xml.base64 +1 -0
data/test/settings_test.rb +7 -7
data/test/slo_logoutresponse_test.rb +226 -0
data/test/test_helper.rb +117 -12
data/test/utils_test.rb +10 -10
data/test/xml_security_test.rb +310 -68
metadata +88 -45

data/test/certificates/ruby-saml-2.crt ADDED

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQ
+MA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhh
+bXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYD
+VQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIG
+A1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhP
+S4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6s
+ZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIp
+Hc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQW
+BBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7Ns
+CF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3
+kh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWt
+p/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIf
+dtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/
+-----END CERTIFICATE-----

data/test/certificates/ruby-saml.crt ADDED

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMI
+T25lTG9naW4xDDAKBgNVBAsTA0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMx
+ODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTjEVMBMGA1UEBxMMSW5k
+aWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UECxMDRW5nMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5Pckw
+sNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl
+0+mhy6MPdyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA
+7DjNaUYQqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zd
+qHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZFhdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP
+7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUSXxnzQxwcm/9PwAqrQaA3
+QpQkH57ybF/OoryPe+2h
+-----END CERTIFICATE-----

data/test/certificates/ruby-saml.key ADDED

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5PckwsNgS9pUvV7fzTqCH
+k8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MPdyjyA6G1
+4jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQAB
+AoGBALGR6bRBit+yV5TUU3MZSrf8WQSLWDLgs/33FQSAEYSib4+DJke2lKbI6jkG
+UoSJgFUXFbaQLtMY2+3VDsMKPBdAge9gIdvbkC4yoKjLGm/FBDOxxZcfLpR+9OPq
+U3qM9D0CNuliBWI7Je+p/zs09HIYucpDXy9E18KA1KNF6rfhAkEA9KoNam6wAKnm
+vMzz31ws3RuIOUeo2rx6aaVY95+P9tTxd6U+pNkwxy1aCGP+InVSwlYNA1aQ4Axi
+/GdMIWMkxwJBAPO1CP7cQNZQmu7yusY+GUObDII5YK9WLaY4RAicn5378crPBFxv
+Ukqf9G6FHo7u88iTCIp+vwa3Hn9Tumg3iP0CQQDgUXWBasCVqzCxU5wY4tMDWjXY
+hpoLCpmVeRML3dDJt004rFm2HKe7Rhpw7PTZNQZOxUSjFeA4e0LaNf838UWLAkB8
+QfbHM3ffjhOg96PhhjINdVWoZCb230LBOHj/xxPfUmFTHcBEfQIBSJMxcrBFAnLL
+9qPpMXymqOFk3ETz9DTlAj8E0qGbp78aVbTOtuwEwNJII+RPw+Zkc+lKR+yaWkAz
+fIXw527NPHH3+rnBG72wyZr9ud4LAum9jh+5No1LQpk=
+-----END RSA PRIVATE KEY-----

data/test/logoutrequest_test.rb CHANGED

@@ -1,14 +1,16 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class RequestTest < Test::Unit::TestCase
+class LogoutRequestTest < Minitest::Test
-  context "Logoutrequest" do
-    settings = OneLogin::RubySaml::Settings.new
+  describe "Logoutrequest" do
+    let(:settings) { OneLogin::RubySaml::Settings.new }
-    should "create the deflated SAMLRequest URL parameter" do
+    before do
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
+    end
+    it "create the deflated SAMLRequest URL parameter" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
@@ -17,8 +19,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /^<samlp:LogoutRequest/, inflated
     end
-    should "support additional params" do
+    it "support additional params" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
       assert unauth_url =~ /&hello=$/
@@ -26,9 +27,8 @@ class RequestTest < Test::Unit::TestCase
       assert unauth_url =~ /&foo=bar$/
     end
-    should "set sessionindex" do
-      settings.idp_slo_target_url = "http://example.com"
-      sessionidx = UUID.new.generate
+    it "set sessionindex" do
+      sessionidx = random_id
       settings.sessionindex = sessionidx
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :name_id => "there" })
@@ -38,9 +38,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
     end
-    should "set name_identifier_value" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_slo_target_url = "http://example.com"
+    it "set name_identifier_value" do
       settings.name_identifier_format = "transient"
       name_identifier_value = "abc123"
       settings.name_identifier_value = name_identifier_value
@@ -52,41 +50,25 @@ class RequestTest < Test::Unit::TestCase
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
-    should "require name_identifier_value" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_slo_target_url = "http://example.com"
-      settings.name_identifier_format = nil
-      assert_raises(OneLogin::RubySaml::ValidationError) { OneLogin::RubySaml::Logoutrequest.new.create(settings) }
-    end
-    context "when the target url doesn't contain a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "when the target url doesn't contain a query string" do
+      it "create the SAMLRequest parameter correctly" do
         settings.idp_slo_target_url = "http://example.com"
-        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
-    context "when the target url contains a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "when the target url contains a query string" do
+      it "create the SAMLRequest parameter correctly" do
         settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
-    context "consumation of logout may need to track the transaction" do
-      should "have access to the request uuid" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "consumation of logout may need to track the transaction" do
+      it "have access to the request uuid" do
         settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.name_identifier_value = "f00f00"
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
@@ -95,17 +77,168 @@ class RequestTest < Test::Unit::TestCase
         assert_match %r[ID='#{unauth_req.uuid}'], inflated
       end
     end
-  end
-  def decode_saml_request_payload(unauth_url)
-    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
-    decoded = Base64.decode64(payload)
-    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-    inflated = zstream.inflate(decoded)
-    zstream.finish
-    zstream.close
-    inflated
-  end
+    describe "when the settings indicate to sign (embedded) logout request" do
+      before do
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+      it "doesn't sign through create_xml_document" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        inflated = unauth_req.create_xml_document(settings).to_s
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+      it "sign unsigned request" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        unauth_req_doc = unauth_req.create_xml_document(settings)
+        inflated = unauth_req_doc.to_s
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+      it "signs through create_logout_request_xml_doc" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+      it "created a signed logout request" do
+        settings.compress_request = true
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        unauth_url = unauth_req.create(settings)
+        inflated = decode_saml_request_payload(unauth_url)
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+      it "create a signed logout request with 256 digest and signature method" do
+        settings.compress_request = false
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
+      end
+      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
+        settings.compress_request = false
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+      end
+    end
+    describe "#create_params when the settings indicate to sign the logout request" do
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+      before do
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+    end
+  end
 end

data/test/logoutresponse_test.rb CHANGED

@@ -1,26 +1,27 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'rexml/document'
-require 'responses/logoutresponse_fixtures'
-class RubySamlTest < Test::Unit::TestCase
+require File.expand_path(File.join(File.dirname(__FILE__), "responses/logoutresponse_fixtures"))
-  context "Logoutresponse" do
-    context "#new" do
-      should "raise an exception when response is initialized with nil" do
+class LogoutResponseTest < Minitest::Test
+  describe "Logoutresponse" do
+    describe "#new" do
+      it "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
-      should "default to empty settings" do
+      it "default to empty settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
         assert logoutresponse.settings.nil?
       end
-      should "accept constructor-injected settings" do
+      it "accept constructor-injected settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
         assert !logoutresponse.settings.nil?
       end
-      should "accept constructor-injected options" do
+      it "accept constructor-injected options" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
-      should "support base64 encoded responses" do
+      it "support base64 encoded responses" do
         expected_response = valid_response
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
@@ -28,21 +29,21 @@ class RubySamlTest < Test::Unit::TestCase
       end
     end
-    context "#validate" do
-      should "validate the response" do
+    describe "#validate" do
+      it "validate the response" do
         in_relation_to_request_id = random_id
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
         assert logoutresponse.validate
-        assert_equal settings.issuer, logoutresponse.issuer
+        assert_equal settings.sp_entity_id, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
         assert logoutresponse.success?
       end
-      should "invalidate responses with wrong id when given option :matches_uuid" do
+      it "invalidate responses with wrong id when given option :matches_uuid" do
         expected_request_id = "_some_other_expected_uuid"
         opts = { :matches_request_id => expected_request_id}
@@ -50,10 +51,10 @@ class RubySamlTest < Test::Unit::TestCase
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
         assert !logoutresponse.validate
-        assert_not_equal expected_request_id, logoutresponse.in_response_to
+        assert expected_request_id != logoutresponse.in_response_to
       end
-      should "invalidate responses with wrong request status" do
+      it "invalidate responses with wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert !logoutresponse.validate
@@ -61,8 +62,8 @@ class RubySamlTest < Test::Unit::TestCase
       end
     end
-    context "#validate!" do
-      should "validates good responses" do
+    describe "#validate!" do
+      it "validates good responses" do
         in_relation_to_request_id = random_id
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
@@ -70,7 +71,7 @@ class RubySamlTest < Test::Unit::TestCase
         logoutresponse.validate!
       end
-      should "raises validation error when matching for wrong request id" do
+      it "raises validation error when matching for wrong request id" do
         expected_request_id = "_some_other_expected_id"
         opts = { :matches_request_id => expected_request_id}
@@ -80,26 +81,27 @@ class RubySamlTest < Test::Unit::TestCase
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      should "raise validation error for wrong request status" do
+      it "raise validation error for wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      should "raise validation error when in bad state" do
+      it "raise validation error when in bad state" do
         # no settings
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      should "raise validation error when in lack of issuer setting" do
+      it "raise validation error when in lack of sp_entity_id setting" do
         bad_settings = settings
         bad_settings.issuer = nil
+        bad_settings.sp_entity_id = nil
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      should "raise error for invalid xml" do
+      it "raise error for invalid xml" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
@@ -107,10 +109,4 @@ class RubySamlTest < Test::Unit::TestCase
     end
   end
-  # logoutresponse fixtures
-  def random_id
-    "_#{UUID.new.generate}"
-  end
 end