ruby-saml 1.4.1 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 785edd651b4a713d7a01a4841676034300a5465b
-  data.tar.gz: 33e3be90b834541836dad199a3843f0f50dc1d73
+  metadata.gz: 639540398f041bbcc593b2d2fdb14cf93028ce45
+  data.tar.gz: ab5128758b3789b7354906a8f9145af07ac873e5
 SHA512:
-  metadata.gz: 7f0297c376b1b4ae225cd8b93a5541ff06829e89dcb8ee796b1ad1256a401532f1bf96ae257a8e63114f18de72333769d89f83bb4ac188e2659710dd75c9d3d0
-  data.tar.gz: ca1e2d0aefbdf122c4c214736c3c3d704184387f5becff71f4f1ebfdb1dc6b4d83a63dd1b267c12decdd69b1a8ada3db5886f4c6b64d46904a254e9dca85f260
+  metadata.gz: 6ff40b3269727503ec6977fec4697e3babe3742cf6bc214281a156745057f581df8cfd7b93ec3499e23bf3ed99d806abe38bc03d4e7784b83ccb0b617494d883
+  data.tar.gz: 3fe0c819cb2183ed1c574f4a2d02db01894a69bc1c4673582d4646fc80217ed88504de2ae0c59bbe22cc209212e9aa5a895a7d22c5be83fc10589be713247c50

data/README.md

@@ -614,3 +614,5 @@ settings.attribute_consuming_service.configure do
   add_attribute :name => "Another Attribute", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value"
 end
 ```
+
+The `attribute_value` option additionally accepts an array of possible values.

data/changelog.md

@@ -1,5 +1,14 @@
 # RubySaml Changelog
 
+### 1.4.2 (January 11, 2017)
+* Improve tests format
+* Fix nokogiri requirements based on ruby version
+* Only publish KeyDescriptor[use="encryption"] at SP metadata if security[:want_assertions_encrypted] is true
+* Be able to skip destination validation
+* Improved inResponse validation on SAMLResponses and LogoutResponses
+* [#354](https://github.com/onelogin/ruby-saml/pull/354) Allow scheme and domain to match ignoring case
+* [#363](https://github.com/onelogin/ruby-saml/pull/363) Add support for multiple requested attributes
+
 ### 1.4.1 (October 19, 2016)
 * [#357](https://github.com/onelogin/ruby-saml/pull/357) Add EncryptedAttribute support. Improve decrypt method
 * Allow multiple authn_context_decl_ref in settings

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -180,12 +180,11 @@ module OneLogin
       #
       def valid_in_response_to?
         return true unless options.has_key? :matches_request_id
+        return true if options[:matches_request_id].nil?
+        return true unless options[:matches_request_id] != in_response_to
 
-        unless options[:matches_request_id] == in_response_to
-          return append_error("Response does not match the request ID, expected: <#{options[:matches_request_id]}>, but was: <#{in_response_to}>")
-        end
-
-        true
+        error_msg = "The InResponseTo of the Logout Response: #{in_response_to}, does not match the ID of the Logout Request sent by the SP: #{options[:matches_request_id]}"
+        append_error(error_msg)
       end
 
       # Validates the Issuer of the Logout Response
@@ -195,7 +194,7 @@ module OneLogin
       def valid_issuer?
         return true if settings.idp_entity_id.nil? || issuer.nil?
 
-        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
           return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
         end
         true

data/lib/onelogin/ruby-saml/metadata.rb

@@ -42,11 +42,13 @@ module OneLogin
           xc = xd.add_element "ds:X509Certificate"
           xc.text = cert_text
 
-          kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-          ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd2 = ki2.add_element "ds:X509Data"
-          xc2 = xd2.add_element "ds:X509Certificate"
-          xc2.text = cert_text
+          if settings.security[:want_assertions_encrypted]
+            kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+            ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd2 = ki2.add_element "ds:X509Data"
+            xc2 = xd2.add_element "ds:X509Certificate"
+            xc2.text = cert_text
+          end
         end
 
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
@@ -89,8 +91,10 @@ module OneLogin
               "FriendlyName" => attribute[:friendly_name]
             }
             unless attribute[:attribute_value].nil?
-              sp_attr_val = sp_req_attr.add_element "saml:AttributeValue"
-              sp_attr_val.text = attribute[:attribute_value]
+              Array(attribute[:attribute_value]).each do |value|
+                sp_attr_val = sp_req_attr.add_element "saml:AttributeValue"
+                sp_attr_val.text = value.to_str
+              end
             end
           end
         end

data/lib/onelogin/ruby-saml/response.rb

@@ -563,7 +563,7 @@ module OneLogin
       #
       def validate_in_response_to
         return true unless options.has_key? :matches_request_id
-        return true if options[:matches_request_id].nil? || options[:matches_request_id].empty?
+        return true if options[:matches_request_id].nil?
         return true unless options[:matches_request_id] != in_response_to
 
         error_msg = "The InResponseTo of the Response: #{in_response_to}, does not match the ID of the AuthNRequest sent by the SP: #{options[:matches_request_id]}"
@@ -586,12 +586,14 @@ module OneLogin
         true
       end
 
-      # Validates the Destination, (If the SAML Response is received where expected)
+      # Validates the Destination, (If the SAML Response is received where expected).
+      # If the response was initialized with the :skip_destination option, this validation is skipped,
       # If fails, the error is added to the errors array
       # @return [Boolean] True if there is a Destination element that matches the Consumer Service URL, otherwise False
       #
       def validate_destination
         return true if destination.nil?
+        return true if options[:skip_destination]
 
         if destination.empty?
           error_msg = "The response has an empty Destination value"
@@ -600,7 +602,7 @@ module OneLogin
 
         return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
 
-        unless destination == settings.assertion_consumer_service_url
+        unless OneLogin::RubySaml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
           error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
           return append_error(error_msg)
         end
@@ -675,7 +677,7 @@ module OneLogin
         end
 
         obtained_issuers.each do |issuer|
-          unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+          unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
             error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
             return append_error(error_msg)
           end

data/lib/onelogin/ruby-saml/settings.rb

@@ -151,15 +151,16 @@ module OneLogin
         :compress_response                         => true,
         :soft                                      => true,
         :security                                  => {
-          :authn_requests_signed    => false,
-          :logout_requests_signed   => false,
-          :logout_responses_signed  => false,
-          :want_assertions_signed   => false,
-          :want_name_id             => false,
-          :metadata_signed          => false,
-          :embed_sign               => false,
-          :digest_method            => XMLSecurity::Document::SHA1,
-          :signature_method         => XMLSecurity::Document::RSA_SHA1
+          :authn_requests_signed      => false,
+          :logout_requests_signed     => false,
+          :logout_responses_signed    => false,
+          :want_assertions_signed     => false,
+          :want_assertions_encrypted  => false,
+          :want_name_id               => false,
+          :metadata_signed            => false,
+          :embed_sign                 => false,
+          :digest_method              => XMLSecurity::Document::SHA1,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1
         }.freeze,
         :double_quote_xml_attribute_values         => false,
       }.freeze

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -212,7 +212,7 @@ module OneLogin
       def validate_issuer
         return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
 
-        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
           return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
         end
 

data/lib/onelogin/ruby-saml/utils.rb

@@ -193,6 +193,33 @@ module OneLogin
       def self.uuid
         RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
       end
+
+      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
+      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
+      # two strings.  This maintains the previous functionality.
+      # @return [Boolean]
+      def self.uri_match?(destination_url, settings_url)
+        dest_uri = URI.parse(destination_url)
+        acs_uri = URI.parse(settings_url)
+
+        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+          raise URI::InvalidURIError
+        else
+          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+            dest_uri.host.downcase == acs_uri.host.downcase &&
+            dest_uri.path == acs_uri.path &&
+            dest_uri.query == acs_uri.query
+        end
+      rescue URI::InvalidURIError
+        original_uri_match?(destination_url, settings_url)
+      end
+
+      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+      # @return [Boolean]
+      def self.original_uri_match?(destination_url, settings_url)
+        destination_url == settings_url
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.4.1'
+    VERSION = '1.4.2'
   end
 end

data/ruby-saml.gemspec

@@ -25,8 +25,6 @@ Gem::Specification.new do |s|
   s.summary = %q{SAML Ruby Tookit}
   s.test_files = `git ls-files test/*`.split("\n")
 
-
-
   # Because runtime dependencies are determined at build time, we cannot make
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
@@ -36,6 +34,8 @@ Gem::Specification.new do |s|
   elsif RUBY_VERSION < '1.9'
     s.add_runtime_dependency('uuid')
     s.add_runtime_dependency('nokogiri', '<= 1.5.11')
+  elsif RUBY_VERSION < '2.1'
+    s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
   else
     s.add_runtime_dependency('nokogiri', '>= 1.5.10')
   end

data/test/logoutresponse_test.rb

@@ -103,7 +103,7 @@ class RubySamlTest < Minitest::Test
 
           assert !logoutresponse.validate
           refute_equal expected_request_id, logoutresponse.in_response_to
-          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
         end
 
         it "invalidate logout response with wrong request status" do
@@ -177,7 +177,7 @@ class RubySamlTest < Minitest::Test
 
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }          
-          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
         end
 
         it "raise validation error for wrong request status" do

data/test/metadata_test.rb

@@ -89,7 +89,7 @@ class MetadataTest < Minitest::Test
       end
     end
 
-    describe "when auth requests are signed" do
+    describe "with a sign/encrypt certificate" do
       let(:key_descriptors) do
         REXML::XPath.match(
           xml_doc,
@@ -111,22 +111,68 @@ class MetadataTest < Minitest::Test
         settings.certificate = ruby_saml_cert_text
       end
 
-      it "generates Service Provider Metadata with AuthnRequestsSigned" do
-        settings.security[:authn_requests_signed] = true
-        assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      it "generates Service Provider Metadata with X509Certificate for sign" do
+        assert_equal 1, key_descriptors.length
+        assert_equal "signing", key_descriptors[0].attribute("use").value
+
+        assert_equal 1, cert_nodes.length
         assert_equal ruby_saml_cert.to_der, cert.to_der
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
 
-      it "generates Service Provider Metadata with X509Certificate for sign and encrypt" do
-        assert_equal 2, key_descriptors.length
-        assert_equal "signing", key_descriptors[0].attribute("use").value
-        assert_equal "encryption", key_descriptors[1].attribute("use").value
+      describe "and signed authentication requests" do
+        before do
+          settings.security[:authn_requests_signed] = true
+        end
 
-        assert_equal 2, cert_nodes.length
-        assert_equal ruby_saml_cert.to_der, cert.to_der
-        assert_equal cert_nodes[0].text, cert_nodes[1].text
+        it "generates Service Provider Metadata with AuthnRequestsSigned" do
+          assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+          assert_equal ruby_saml_cert.to_der, cert.to_der
+
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+
+      describe "and encrypted assertions" do
+        before do
+          settings.security[:want_assertions_encrypted] = true
+        end
+
+        it "generates Service Provider Metadata with X509Certificate for encrypt" do
+          assert_equal 2, key_descriptors.length
+          assert_equal "encryption", key_descriptors[1].attribute("use").value
+
+          assert_equal 2, cert_nodes.length
+          assert_equal cert_nodes[0].text, cert_nodes[1].text
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+    end
+
+    describe "when attribute service is configured with multiple attribute values" do
+      let(:attr_svc)  { REXML::XPath.first(xml_doc, "//md:AttributeConsumingService") }
+      let(:req_attr)  { REXML::XPath.first(xml_doc, "//md:RequestedAttribute") }
+
+      before do
+        settings.attribute_consuming_service.configure do
+          service_name "Test Service"
+          add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => ["Attribute Value One", "Attribute Value Two"])
+        end
+      end
+
+      it "generates attribute service" do
+        assert_equal "true", attr_svc.attribute("isDefault").value
+        assert_equal "1", attr_svc.attribute("index").value
+        assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
+
+        assert_equal "Name", req_attr.attribute("Name").value
+        assert_equal "Name Format", req_attr.attribute("NameFormat").value
+        assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
+
+        attribute_values = REXML::XPath.match(xml_doc, "//saml:AttributeValue").map(&:text)
+        assert_equal "Attribute Value One", attribute_values[0]
+        assert_equal "Attribute Value Two", attribute_values[1]
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end

data/test/response_test.rb

@@ -24,6 +24,7 @@ class RubySamlTest < Minitest::Test
     let(:response_no_conditions) { OneLogin::RubySaml::Response.new(read_invalid_response("no_conditions.xml.base64")) }
     let(:response_no_authnstatement) { OneLogin::RubySaml::Response.new(read_invalid_response("no_authnstatement.xml.base64")) }
     let(:response_empty_destination) { OneLogin::RubySaml::Response.new(read_invalid_response("empty_destination.xml.base64")) }
+    let(:response_empty_destination_with_skip) { OneLogin::RubySaml::Response.new(read_invalid_response("empty_destination.xml.base64"), {:skip_destination => true}) }
     let(:response_no_status) { OneLogin::RubySaml::Response.new(read_invalid_response("no_status.xml.base64")) }
     let(:response_no_statuscode) { OneLogin::RubySaml::Response.new(read_invalid_response("no_status_code.xml.base64")) }
     let(:response_statuscode_responder) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responder.xml.base64")) }
@@ -435,6 +436,40 @@ class RubySamlTest < Minitest::Test
         assert !response_empty_destination.send(:validate_destination)
         assert_includes response_empty_destination.errors, "The response has an empty Destination value"
       end
+
+      it "return true when the destination of the SAML Response is empty but skip_destination option is used" do
+        response_empty_destination_with_skip.settings = settings
+        assert response_empty_destination_with_skip.send(:validate_destination)
+        assert_empty response_empty_destination.errors
+      end
+
+      it "returns true on a case insensitive match on the domain" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'http://APP.muDa.no/sso/consume'
+        assert response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_empty response_valid_signed_without_x509certificate.errors
+      end
+
+      it "returns true on a case insensitive match on the scheme" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'HTTP://app.muda.no/sso/consume'
+        assert response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_empty response_valid_signed_without_x509certificate.errors
+      end
+
+      it "returns false on a case insenstive match on the path" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'http://app.muda.no/SSO/consume'
+        assert !response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_includes response_valid_signed_without_x509certificate.errors, "The response was received at #{response_valid_signed_without_x509certificate.destination} instead of #{response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url}"
+      end
+
+      it "returns true if it can't parse out a full URI." do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'presenter'
+        assert !response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_includes response_valid_signed_without_x509certificate.errors, "The response was received at #{response_valid_signed_without_x509certificate.destination} instead of #{response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url}"
+      end
     end
 
     describe "#validate_issuer" do
@@ -1035,14 +1070,14 @@ class RubySamlTest < Minitest::Test
         end
 
         it "check what happens when trying retrieve attribute that does not exists" do
-          assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
-          assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
-          assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+          assert_nil response_multiple_attr_values.attributes[:attribute_not_exists]
+          assert_nil response_multiple_attr_values.attributes.single(:attribute_not_exists)
+          assert_nil response_multiple_attr_values.attributes.multi(:attribute_not_exists)
 
           OneLogin::RubySaml::Attributes.single_value_compatibility = false
-          assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
-          assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
-          assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+          assert_nil response_multiple_attr_values.attributes[:attribute_not_exists]
+          assert_nil response_multiple_attr_values.attributes.single(:attribute_not_exists)
+          assert_nil response_multiple_attr_values.attributes.multi(:attribute_not_exists)
           OneLogin::RubySaml::Attributes.single_value_compatibility = true
         end
 

data/test/settings_test.rb

@@ -99,13 +99,13 @@ class SettingsTest < Minitest::Test
       it "returns nil when the cert is an empty string" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert = ""
-        assert_equal nil, @settings.get_idp_cert
+        assert_nil @settings.get_idp_cert
       end
 
       it "returns nil when the cert is nil" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert = nil
-        assert_equal nil, @settings.get_idp_cert
+        assert_nil @settings.get_idp_cert
       end
 
       it "returns the certificate when it is valid" do
@@ -127,13 +127,13 @@ class SettingsTest < Minitest::Test
       it "returns nil when the cert is an empty string" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.certificate = ""
-        assert_equal nil, @settings.get_sp_cert
+        assert_nil @settings.get_sp_cert
       end
 
       it "returns nil when the cert is nil" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.certificate = nil
-        assert_equal nil, @settings.get_sp_cert
+        assert_nil @settings.get_sp_cert
       end
 
       it "returns the certificate when it is valid" do
@@ -156,13 +156,13 @@ class SettingsTest < Minitest::Test
       it "returns nil when the private key is an empty string" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.private_key = ""
-        assert_equal nil, @settings.get_sp_key
+        assert_nil @settings.get_sp_key
       end
 
       it "returns nil when the private key is nil" do
         @settings = OneLogin::RubySaml::Settings.new
         @settings.private_key = nil
-        assert_equal nil, @settings.get_sp_key
+        assert_nil @settings.get_sp_key
       end
 
       it "returns the private key when it is valid" do

data/test/slo_logoutrequest_test.rb

@@ -106,7 +106,7 @@ class RubySamlTest < Minitest::Test
    describe "#not_on_or_after" do
       it "extract the value of the NotOnOrAfter attribute" do
         time_value = '2014-07-17T01:01:48Z'
-        assert_equal nil, logout_request.not_on_or_after
+        assert_nil logout_request.not_on_or_after
         logout_request.document.root.attributes['NotOnOrAfter'] = time_value
         assert_equal Time.parse(time_value), logout_request.not_on_or_after
       end

data/test/utils_test.rb

@@ -1,4 +1,4 @@
-require "test_helper"
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 class UtilsTest < Minitest::Test
   describe ".format_cert" do
@@ -13,7 +13,7 @@ class UtilsTest < Minitest::Test
 
     it "returns nil when the cert is nil" do
       cert = nil
-      assert_equal nil, OneLogin::RubySaml::Utils.format_cert(cert)
+      assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
     end
 
     it "returns the certificate when it is valid" do
@@ -48,7 +48,7 @@ class UtilsTest < Minitest::Test
 
     it "returns nil when the private key is nil" do
       private_key = nil
-      assert_equal nil, OneLogin::RubySaml::Utils.format_private_key(private_key)
+      assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
     end
 
     it "returns the private key when it is valid" do
@@ -154,5 +154,55 @@ class UtilsTest < Minitest::Test
         refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
       end
     end
+
+    describe 'uri_match' do
+      it 'matches two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'fails to match two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/othertest?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the scheme case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'HTTP://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the host case doesn't match" do
+        destination = 'http://www.EXAMPLE.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the path case doesn't match" do
+        destination = 'http://www.example.com/TEST?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the query case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=STUFF'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'matches two non urls' do
+        destination = 'stuff'
+        settings = 'stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two non urls" do
+        destination = 'stuff'
+        settings = 'not stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.4.2
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-19 00:00:00.000000000 Z
+date: 2017-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri