ruby-saml 1.9.0 → 1.12.0

data/test/logging_test.rb

@@ -1,62 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-
-require 'onelogin/ruby-saml/logging'
-
-class LoggingTest < Minitest::Test
-
-  describe "Logging" do
-    before do
-      OneLogin::RubySaml::Logging.logger = nil
-    end
-
-    after do
-      OneLogin::RubySaml::Logging.logger = ::TEST_LOGGER
-    end
-
-    describe "given no specific logging setup" do
-      it "prints to stdout" do
-        OneLogin::RubySaml::Logging::DEFAULT_LOGGER.expects(:debug).with('hi mom')
-        OneLogin::RubySaml::Logging.debug('hi mom')
-      end
-    end
-
-    describe "given a Rails app" do
-      let(:logger) { mock('Logger') }
-
-      before do
-        ::Rails = mock('Rails module')
-        ::Rails.stubs(:logger).returns(logger)
-      end
-
-      after do
-        Object.instance_eval { remove_const(:Rails) }
-      end
-
-      it "delegates to Rails" do
-        logger.expects(:debug).with('hi mom')
-        logger.expects(:info).with('sup?')
-
-        OneLogin::RubySaml::Logging.debug('hi mom')
-        OneLogin::RubySaml::Logging.info('sup?')
-      end
-    end
-
-    describe "given a specific Logger" do
-      let(:logger) { mock('Logger') }
-
-      before { OneLogin::RubySaml::Logging.logger = logger }
-
-      after do
-        OneLogin::RubySaml::Logging.logger = ::TEST_LOGGER
-      end
-
-      it "delegates to the object" do
-        logger.expects(:debug).with('hi mom')
-        logger.expects(:info).with('sup?')
-
-        OneLogin::RubySaml::Logging.debug('hi mom')
-        OneLogin::RubySaml::Logging.info('sup?')
-      end
-    end
-  end
-end

data/test/logout_requests/invalid_slo_request.xml

@@ -1,6 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone2@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request.xml

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request.xml.base64

@@ -1 +0,0 @@
-PHNhbWxwOkxvZ291dFJlcXVlc3QgVmVyc2lvbj0nMi4wJyBJRD0nX2MwMzQ4OTUwLTkzNWItMDEzMS0xMDYwLTc4MmJjYjU2ZmNhYScgeG1sbnM6c2FtbHA9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCcgSXNzdWVJbnN0YW50PScyMDE0LTAzLTIxVDE5OjIwOjEzJz4NCiAgPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhL1NPTUVBQ0NPVU5UPC9zYW1sOklzc3Vlcj4NCiAgPHNhbWw6TmFtZUlEIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPnNvbWVvbmVAZXhhbXBsZS5vcmc8L3NhbWw6TmFtZUlEPg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg==

data/test/logout_requests/slo_request_deflated.xml.base64

@@ -1 +0,0 @@
-ndG7asMwFIDhvdB38KZJlmTHaSxs05B0COQCTdq1yKrqGqxLdWTI41dJOpgOHToKDv93DqpA6MHxre3sGJ7V16ggJK/KQ29NjbKUomSzrtGbpPlsURYUl3nRYspyhhmdU/ywyFrZFvMPKQRKznowwK/JGo3ecCugB26EVsCD5MflbstjlDtvg5V2iHWAUW0MBGFCBCmbYZrjjJ1YyTPKWY6a+7skqS5Rfh32E+ZvRQAoH+IlqPkMwQEnRDiXWqMG2/UmlVaTS4VoFcS7CIIcD7un5Wp1eNmfKjIhJzvsI7NZ/2cHsFpF+1GdhXaDSq3vfpBbMyK396//aL4B

data/test/logout_requests/slo_request_with_name_id_format.xml

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request_with_session_index.xml

@@ -1,5 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<samlp:SessionIndex>_ea853497-c58a-408a-bc23-c849752d9741</samlp:SessionIndex>
-</samlp:LogoutRequest>

data/test/logout_responses/logoutresponse_fixtures.rb

@@ -1,67 +0,0 @@
-#encoding: utf-8
-
-def default_logout_response_opts
-  {
-      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
-      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
-      :settings => settings
-  }
-end
-
-def valid_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-
-def unsuccessful_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-
-def invalid_xml_logout_response_document
-  "<samlp:SomethingAwful
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\">
-      </samlp:SomethingAwful>"
-end
-
-def settings
-  @settings ||= OneLogin::RubySaml::Settings.new(
-      {
-          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
-          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
-          :issuer => "http://app.muda.no",
-          :sp_name_qualifier => "http://sso.muda.no",
-          :idp_sso_target_url => "http://sso.muda.no/sso",
-          :idp_slo_target_url => "http://sso.muda.no/slo",
-          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
-          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-      }
-  )
-end

data/test/logoutrequest_test.rb

@@ -1,226 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-
-require 'onelogin/ruby-saml/logoutrequest'
-
-class RequestTest < Minitest::Test
-
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
-
-    before do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-    end
-
-    it "create the deflated SAMLRequest URL parameter" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-      assert_match /^http:\/\/unauth\.com\/logout\?SAMLRequest=/, unauth_url
-
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /^<samlp:LogoutRequest/, inflated
-    end
-
-    it "support additional params" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
-      assert_match /&hello=$/, unauth_url
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :foo => "bar" })
-      assert_match /&foo=bar$/, unauth_url
-    end
-
-    it "RelayState cases" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => nil })
-      assert !unauth_url.include?('RelayState')
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => nil })
-      assert !unauth_url.include?('RelayState')
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-    end
-
-    it "set sessionindex" do
-      settings.idp_slo_target_url = "http://example.com"
-      sessionidx = OneLogin::RubySaml::Utils.uuid
-      settings.sessionindex = sessionidx
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-
-      assert_match /<samlp:SessionIndex/, inflated
-      assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
-    end
-
-    it "set name_identifier_value" do
-      settings.name_identifier_format = "transient"
-      name_identifier_value = "abc123"
-      settings.name_identifier_value = name_identifier_value
-
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-
-      assert_match /<saml:NameID/, inflated
-      assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
-    end
-
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/unauth.com\/logout\?SAMLRequest/, unauth_url
-      end
-    end
-
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/example.com\?field=value&SAMLRequest/, unauth_url
-      end
-    end
-
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[ID='#{unauth_req.uuid}'], inflated
-      end
-    end
-
-    describe "when the settings indicate to sign (embedded) logout request" do
-
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = true
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-
-      it "created a signed logout request" do
-        settings.compress_request = true
-
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-
-      it "create a signed logout request with 256 digest and signature method" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-        settings.security[:digest_method] = XMLSecurity::Document::SHA512
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
-      end
-    end
-
-    describe "#create_params when the settings indicate to sign the logout request" do
-
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256 
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string) 
-      end
-
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384 
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string) 
-      end
-
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512 
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string) 
-      end
-
-    end
-  end
-end

data/test/logoutresponse_test.rb

@@ -1,402 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-
-require 'onelogin/ruby-saml/logoutresponse'
-require 'logout_responses/logoutresponse_fixtures'
-
-class RubySamlTest < Minitest::Test
-
-  describe "Logoutresponse" do
-
-    let(:valid_logout_response_without_settings) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document) }
-    let(:valid_logout_response) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings) }
-
-    describe "#new" do
-      it "raise an exception when response is initialized with nil" do
-        assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
-      end
-      it "default to empty settings" do
-        assert_nil valid_logout_response_without_settings.settings
-      end
-      it "accept constructor-injected settings" do
-        refute_nil valid_logout_response.settings
-      end
-      it "accept constructor-injected options" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, nil, { :foo => :bar} )
-        assert !logoutresponse.options.empty?
-      end
-      it "support base64 encoded responses" do
-        generated_logout_response = valid_logout_response_document
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(generated_logout_response), settings)
-        assert_equal generated_logout_response, logoutresponse.response
-      end
-    end
-
-    describe "#validate_structure" do
-        it "invalidates when the logout response has an invalid xml" do
-          settings.soft = true
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
-          assert !logoutresponse.send(:validate_structure)
-          assert_includes logoutresponse.errors, "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd"
-        end
-
-        it "raise when the logout response has an invalid xml" do
-          settings.soft = false
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
-          assert_raises OneLogin::RubySaml::ValidationError do
-            logoutresponse.send(:validate_structure)
-          end
-        end
-    end
-
-    describe "#validate" do
-      describe "when soft=true" do
-        before do
-          settings.soft = true
-        end
-
-        it "validate the logout response" do
-          in_relation_to_request_id = random_id
-          opts = { :matches_request_id => in_relation_to_request_id}
-
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
-
-          assert logoutresponse.validate
-
-          assert_equal settings.issuer, logoutresponse.issuer
-          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
-
-          assert logoutresponse.success?
-          assert_empty logoutresponse.errors
-        end
-
-        it "validate the logout response extended" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://app.muda.no'
-          opts = { :matches_request_id => in_relation_to_request_id}
-
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
-          assert logoutresponse.validate
-          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
-          assert logoutresponse.success?
-          assert_empty logoutresponse.errors
-        end
-
-        it "invalidate logout response when initiated with blank" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "Blank logout response"
-        end
-
-        it "invalidate logout response when initiated with no idp cert or fingerprint" do
-          settings.idp_cert_fingerprint = nil
-          settings.idp_cert = nil
-          settings.idp_cert_multi = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
-        end
-
-        it "invalidate logout response with wrong id when given option :matches_request_id" do
-          expected_request_id = "_some_other_expected_uuid"
-          opts = { :matches_request_id => expected_request_id}
-
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
-
-          assert !logoutresponse.validate
-          refute_equal expected_request_id, logoutresponse.in_response_to
-          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
-        end
-
-        it "invalidate logout response with wrong request status" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-
-          assert !logoutresponse.success?
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
-        end
-
-        it "invalidate logout response when in lack of issuer setting" do
-          bad_settings = settings
-          bad_settings.issuer = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, bad_settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
-        end
-
-        it "invalidate logout response with wrong issuer" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-
-        it "collect errors when collect_errors=true" do          
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          collect_errors = true
-          assert !logoutresponse.validate(collect_errors)
-          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-
-      end
-
-      describe "when soft=false" do
-        before do
-          settings.soft = false
-        end
-
-        it "validates good logout response" do
-          in_relation_to_request_id = random_id
-
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert logoutresponse.validate
-          assert_empty logoutresponse.errors
-        end
-
-        it "raises validation error when response initiated with blank" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
-
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Blank logout response"
-        end
-
-        it "raises validation error when initiated with no idp cert or fingerprint" do
-          settings.idp_cert_fingerprint = nil
-          settings.idp_cert = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
-        end
-
-        it "raises validation error when matching for wrong request id" do
-
-          expected_request_id = "_some_other_expected_id"
-          opts = { :matches_request_id => expected_request_id}
-
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }          
-          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
-        end
-
-        it "raise validation error for wrong request status" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
-        end
-
-        it "raise validation error when in bad state" do
-          # no settings
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
-        end
-
-        it "raise validation error when in lack of issuer setting" do
-          settings.issuer = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
-        end
-
-        it "raise validation error when logout response with wrong issuer" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-      end
-
-      describe "#validate_signature" do
-        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
-
-        before do
-          settings.soft = true
-          settings.idp_slo_target_url = "http://example.com?field=value"
-          settings.security[:logout_responses_signed] = true
-          settings.security[:embed_sign] = false
-          settings.certificate = ruby_saml_cert_text
-          settings.private_key = ruby_saml_key_text
-          settings.idp_cert = ruby_saml_cert_text
-        end
-
-        it "return true when no idp_cert is provided and option :relax_signature_validation is present" do
-          settings.idp_cert = nil
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          options[:relax_signature_validation] = true
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-
-        it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do
-          settings.idp_cert = nil
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse_sign_test.send(:validate_signature)
-        end
-
-        it "return true when valid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-
-        it "return true when valid RSA_SHA256 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse.send(:validate_signature)
-        end
-
-        it "return false when invalid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = 'http://invalid.example.com'
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse.send(:validate_signature)
-        end
-
-        it "raise when invalid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          params['RelayState'] = 'http://invalid.example.com'
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.send(:validate_signature) }
-          assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
-        end
-
-        it "raise when get_params encoding differs from what this library generates" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          options = {}
-          options[:get_params] = params
-          options[:get_params]['RelayState'] = 'http://example.com'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          # Assemble query string.
-          query = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLResponse',
-            :data => params['SAMLResponse'],
-            :relay_state => params['RelayState'],
-            :sig_alg => params['SigAlg']
-          )
-          # Modify the query string so that it encodes the same values,
-          # but with different percent-encoding. Sanity-check that they
-          # really are equialent before moving on.
-          original_query = query.dup
-          query.gsub!("example", "ex%61mple")
-          refute_equal(query, original_query)
-          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
-          # Make normalised signature based on our modified params.
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
-          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          # Re-create the Logoutresponse based on these modified parameters,
-          # and ask it to validate the signature. It will do it incorrectly,
-          # because it will compute it based on re-encoded query parameters,
-          # rather than their original encodings.
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do
-            logoutresponse.send(:validate_signature)
-          end
-        end
-
-        it "return true even if raw_get_params encoding differs from what this library generates" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          options = {}
-          options[:get_params] = params
-          options[:get_params]['RelayState'] = 'http://example.com'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          # Assemble query string.
-          query = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLResponse',
-            :data => params['SAMLResponse'],
-            :relay_state => params['RelayState'],
-            :sig_alg => params['SigAlg']
-          )
-          # Modify the query string so that it encodes the same values,
-          # but with different percent-encoding. Sanity-check that they
-          # really are equialent before moving on.
-          original_query = query.dup
-          query.gsub!("example", "ex%61mple")
-          refute_equal(query, original_query)
-          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
-          # Make normalised signature based on our modified params.
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
-          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          # Re-create the Logoutresponse based on these modified parameters,
-          # and ask it to validate the signature. Provide the altered parameter
-          # in its raw URI-encoded form, so that we don't have to guess the value
-          # that contributed to the signature.
-          options[:get_params] = params
-          options[:get_params].delete("RelayState")
-          options[:raw_get_params] = {
-            "RelayState" => "http%3A%2F%2Fex%61mple.com",
-          }
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse.send(:validate_signature)
-        end
-      end
-
-      describe "#validate_signature" do
-        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
-
-        before do
-          settings.soft = true
-          settings.idp_slo_target_url = "http://example.com?field=value"
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.security[:logout_responses_signed] = true
-          settings.security[:embed_sign] = false
-          settings.certificate = ruby_saml_cert_text
-          settings.private_key = ruby_saml_key_text
-          settings.idp_cert = nil
-        end
-
-        it "return true when at least a idp_cert is valid" do
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          settings.idp_cert_multi = {
-            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
-            :encryption => []
-          }
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-
-        it "return false when none cert on idp_cert_multi is valid" do
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          settings.idp_cert_multi = {
-            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
-            :encryption => []
-          }
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse_sign_test.send(:validate_signature)
-        end
-      end
-    end
-  end
-end