saml2 1.0.10 → 1.1.0

data/lib/saml2/sso.rb

@@ -15,11 +15,11 @@ module SAML2
     end
 
     def single_logout_services
-      @single_logout_services ||= load_object_array(@root, 'md:SingleLogoutService', Endpoint)
+      @single_logout_services ||= load_object_array(xml, 'md:SingleLogoutService', Endpoint)
     end
 
     def name_id_formats
-      @name_id_formats ||= load_string_array(@root, 'md:NameIDFormat')
+      @name_id_formats ||= load_string_array(xml, 'md:NameIDFormat')
     end
 
     protected

data/lib/saml2/status.rb

@@ -0,0 +1,28 @@
+require 'saml2/base'
+
+module SAML2
+  class Status < Base
+    SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
+
+    attr_accessor :code, :message
+
+    def initialize(code = SUCCESS, message = nil)
+      @code, @message = code, message
+    end
+
+    def from_xml(node)
+      super
+      self.code = node.at_xpath('samlp:StatusCode', Namespaces::ALL)['Value']
+      self.message = load_string_array(xml, 'samlp:StatusMessage')
+    end
+
+    def build(builder)
+      builder['samlp'].Status do |status|
+        status['samlp'].StatusCode(Value: code)
+        Array(message).each do |m|
+          status['samlp'].StatusMessage(m)
+        end
+      end
+    end
+  end
+end

data/lib/saml2/status_response.rb

@@ -0,0 +1,33 @@
+require 'saml2/message'
+require 'saml2/status'
+
+module SAML2
+  class StatusResponse < Message
+    attr_accessor :in_response_to, :status
+
+    def initialize
+      super
+      @status = Status.new
+    end
+
+    def from_xml(node)
+      super
+      @status = nil
+      remove_instance_variable(:@status)
+    end
+
+    def status
+      @status ||= Status.from_xml(xml.at_xpath('samlp:Status', Namespaces::ALL))
+    end
+
+    protected
+
+    def build(status_response)
+      super(status_response)
+
+      status_response.parent['InResponseTo'] = in_response_to if in_response_to
+
+      status.build(status_response)
+    end
+  end
+end

data/lib/saml2/version.rb

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.0.10'
+  VERSION = '1.1.0'
 end

data/spec/fixtures/identity_provider.xml

@@ -36,6 +36,7 @@
         </ds:X509Data>
       </ds:KeyInfo>
     </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.school.edu/idp/profile/SAML2/Redirect/Logout"
     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.school.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://sso.school.edu:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="2"/>
     <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://sso.school.edu/idp/profile/Shibboleth/SSO"/>

data/spec/fixtures/response_signed.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer>issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
 <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

data/spec/fixtures/response_with_attribute_signed.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer>issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
 <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

data/spec/lib/attribute_consuming_service_spec.rb

@@ -12,37 +12,37 @@ module SAML2
       end
 
       it "should require name attribute" do
-        -> { acs.create_statement({}) }.must_raise RequiredAttributeMissing
+        expect { acs.create_statement({}) }.to raise_error RequiredAttributeMissing
       end
 
       it "should create a statement" do
         stmt = acs.create_statement('name' => 'cody')
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "should include optional attributes" do
         stmt = acs.create_statement('name' => 'cody', 'age' => 29)
-        stmt.attributes.length.must_equal 2
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
-        stmt.attributes.last.name.must_equal 'age'
-        stmt.attributes.last.value.must_equal 29
+        expect(stmt.attributes.length).to eq 2
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
+        expect(stmt.attributes.last.name).to eq 'age'
+        expect(stmt.attributes.last.value).to eq 29
       end
 
       it "should ignore extra attributes" do
         stmt = acs.create_statement('name' => 'cody', 'height' => 73)
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "should materialize deferred attributes" do
         stmt = acs.create_statement('name' => -> { 'cody' })
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "should match explicit name formats" do
@@ -50,24 +50,24 @@ module SAML2
         stmt = acs.create_statement([Attribute.new('name', 'cody', nil, 'format'),
                                      Attribute.new('name', 'unspecified'),
                                      Attribute.new('name', 'other', nil, 'otherformat')])
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "should match explicitly requested name formats" do
         acs.requested_attributes.first.name_format = 'format'
         stmt = acs.create_statement('name' => 'cody')
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "should match explicitly provided name formats" do
         stmt = acs.create_statement([Attribute.new('name', 'cody', 'format')])
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'name'
-        stmt.attributes.first.value.must_equal 'cody'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'name'
+        expect(stmt.attributes.first.value).to eq 'cody'
       end
 
       it "requires that provided attributes match a single default" do
@@ -75,11 +75,11 @@ module SAML2
         attr = RequestedAttribute.new('attr')
         attr.value = 'value'
         acs.requested_attributes << attr
-        -> { acs.create_statement('attr' => 'something') }.must_raise InvalidAttributeValue
+        expect { acs.create_statement('attr' => 'something') }.to raise_error InvalidAttributeValue
         stmt = acs.create_statement('attr' => 'value')
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'attr'
-        stmt.attributes.first.value.must_equal 'value'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'attr'
+        expect(stmt.attributes.first.value).to eq 'value'
       end
 
       it "requires that provided attributes be from allowed enumeration" do
@@ -87,11 +87,11 @@ module SAML2
         attr = RequestedAttribute.new('attr')
         attr.value = ['value1', 'value2']
         acs.requested_attributes << attr
-        -> { acs.create_statement('attr' => 'something') }.must_raise InvalidAttributeValue
+        expect { acs.create_statement('attr' => 'something') }.to raise_error InvalidAttributeValue
         stmt = acs.create_statement('attr' => 'value1')
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'attr'
-        stmt.attributes.first.value.must_equal 'value1'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'attr'
+        expect(stmt.attributes.first.value).to eq 'value1'
       end
 
       it "auto-provides missing required attribute with a default" do
@@ -100,9 +100,9 @@ module SAML2
         attr.value = 'value'
         acs.requested_attributes << attr
         stmt = acs.create_statement({})
-        stmt.attributes.length.must_equal 1
-        stmt.attributes.first.name.must_equal 'attr'
-        stmt.attributes.first.value.must_equal 'value'
+        expect(stmt.attributes.length).to eq 1
+        expect(stmt.attributes.first.name).to eq 'attr'
+        expect(stmt.attributes.first.value).to eq 'value'
       end
 
       it "doesn't auto-provide missing required attribute with an enumeration" do
@@ -110,7 +110,7 @@ module SAML2
         attr = RequestedAttribute.new('attr', true)
         attr.value = ['value1', 'value2']
         acs.requested_attributes << attr
-        -> { acs.create_statement({}) }.must_raise RequiredAttributeMissing
+        expect { acs.create_statement({}) }.to raise_error RequiredAttributeMissing
       end
 
       it "doesn't auto-provide missing non-required attribute with a default" do
@@ -119,7 +119,7 @@ module SAML2
         attr.value = 'value'
         acs.requested_attributes << attr
         stmt = acs.create_statement({})
-        assert_nil(stmt)
+        expect(stmt).to be_nil
       end
 
     end

data/spec/lib/attribute_spec.rb

@@ -21,22 +21,22 @@ XML
 
     it "should auto-parse X500 attributes" do
       attr = Attribute.from_xml(Nokogiri::XML(eduPersonPrincipalNameXML).root)
-      attr.must_be_instance_of Attribute::X500
-      attr.value.must_equal "user@domain"
-      attr.name.must_equal Attribute::X500::EduPerson::PRINCIPAL_NAME
-      attr.friendly_name.must_equal 'eduPersonPrincipalName'
-      attr.name_format.must_equal Attribute::NameFormats::URI
+      expect(attr).to be_instance_of Attribute::X500
+      expect(attr.value).to eq "user@domain"
+      expect(attr.name).to eq Attribute::X500::EduPerson::PRINCIPAL_NAME
+      expect(attr.friendly_name).to eq 'eduPersonPrincipalName'
+      expect(attr.name_format).to eq Attribute::NameFormats::URI
     end
 
     it "should serialize an X500 attribute correctly" do
       attr = Attribute.create('eduPersonPrincipalName', 'user@domain')
-      attr.must_be_instance_of Attribute::X500
-      attr.value.must_equal "user@domain"
-      attr.name.must_equal Attribute::X500::EduPerson::PRINCIPAL_NAME
-      attr.friendly_name.must_equal 'eduPersonPrincipalName'
-      attr.name_format.must_equal Attribute::NameFormats::URI
+      expect(attr).to be_instance_of Attribute::X500
+      expect(attr.value).to eq "user@domain"
+      expect(attr.name).to eq Attribute::X500::EduPerson::PRINCIPAL_NAME
+      expect(attr.friendly_name).to eq 'eduPersonPrincipalName'
+      expect(attr.name_format).to eq Attribute::NameFormats::URI
 
-      serialize(attr).must_equal eduPersonPrincipalNameXML
+      expect(serialize(attr)).to eq eduPersonPrincipalNameXML
     end
 
     it "should parse and serialize boolean values" do
@@ -49,10 +49,10 @@ XML
 XML
 
       stmt = AttributeStatement.from_xml(Nokogiri::XML(xml).root)
-      stmt.attributes.first.value.must_equal true
+      expect(stmt.attributes.first.value).to eq true
 
       # serializes canonically
-      serialize(stmt).must_equal(xml.sub('>1<', '>true<'))
+      expect(serialize(stmt)).to eq(xml.sub('>1<', '>true<'))
     end
 
     it "should parse and serialize dateTime values" do
@@ -65,10 +65,10 @@ XML
 XML
 
       stmt = AttributeStatement.from_xml(Nokogiri::XML(xml).root)
-      stmt.attributes.first.value.must_equal Time.at(1435603023)
+      expect(stmt.attributes.first.value).to eq Time.at(1435603023)
 
       # serializes canonically
-      serialize(stmt).must_equal(xml)
+      expect(serialize(stmt)).to eq xml
     end
 
     it "should parse values with different namespace prefixes" do
@@ -79,7 +79,7 @@ XML
 XML
 
       attr = Attribute.from_xml(Nokogiri::XML(xml).root)
-      attr.value.must_equal false
+      expect(attr.value).to eq false
     end
 
     it "should parse untagged values" do
@@ -90,7 +90,7 @@ XML
 XML
 
       attr = Attribute.from_xml(Nokogiri::XML(xml).root)
-      attr.value.must_equal "something"
+      expect(attr.value).to eq "something"
     end
 
   end

data/spec/lib/authn_request_spec.rb

@@ -8,97 +8,41 @@ module SAML2
     describe '.decode' do
       it "should not choke on empty string" do
         authnrequest = AuthnRequest.decode('')
-        authnrequest.valid_schema?.must_equal false
+        expect(authnrequest.valid_schema?).to eq false
       end
 
       it "should not choke on garbage" do
         authnrequest = AuthnRequest.decode('abc')
-        authnrequest.valid_schema?.must_equal false
-      end
-
-      it "doesn't allow deflate bombs" do
-        bomb = <<-BOMB
-        7cExAQAAAMKg9U9tDB+gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAL4G
-BOMB
-        -> { AuthnRequest.decode(bomb) }.must_raise MessageTooLarge
+        expect(authnrequest.valid_schema?).to eq false
       end
     end
 
     it "should be valid" do
-      request.valid_schema?.must_equal true
-      request.resolve(sp).must_equal true
-      request.assertion_consumer_service.location.must_equal "https://siteadmin.test.instructure.com/saml_consume"
+      expect(request.valid_schema?).to eq true
+      expect(request.resolve(sp)).to eq true
+      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.test.instructure.com/saml_consume"
     end
 
     it "should not be valid if the ACS url is not in the SP" do
-      request.stub(:assertion_consumer_service_url, "garbage") do
-        request.resolve(sp).must_equal false
-      end
+      allow(request).to receive(:assertion_consumer_service_url).and_return("garbage")
+      expect(request.resolve(sp)).to eq false
     end
 
     it "should use the default ACS if not specified" do
-      request.stub(:assertion_consumer_service_url, nil) do
-        request.resolve(sp).must_equal true
-        request.assertion_consumer_service.location.must_equal "https://siteadmin.instructure.com/saml_consume"
-      end
+      allow(request).to receive(:assertion_consumer_service_url).and_return(nil)
+      expect(request.resolve(sp)).to eq true
+      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.instructure.com/saml_consume"
     end
 
     it "should find the ACS by index" do
-      request.stub(:assertion_consumer_service_url, nil) do
-        request.stub(:assertion_consumer_service_index, 2) do
-          request.resolve(sp).must_equal true
-          request.assertion_consumer_service.location.must_equal "https://siteadmin.beta.instructure.com/saml_consume"
-        end
-      end
+      allow(request).to receive(:assertion_consumer_service_url).and_return(nil)
+      allow(request).to receive(:assertion_consumer_service_index).and_return(2)
+      expect(request.resolve(sp)).to eq true
+      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.beta.instructure.com/saml_consume"
     end
 
     it "should find the NameID policy" do
-      request.name_id_policy.must_equal NameID::Policy.new(true, NameID::Format::PERSISTENT)
+      expect(request.name_id_policy).to eq NameID::Policy.new(true, NameID::Format::PERSISTENT)
     end
   end
 end

data/spec/lib/bindings/http_redirect_spec.rb

@@ -0,0 +1,151 @@
+require_relative '../../spec_helper'
+
+module SAML2
+  describe Bindings::HTTPRedirect do
+    describe '.decode' do
+      def check_error(wrapped, cause)
+        error = nil
+        begin
+          yield
+        rescue => e
+          error = e
+        end
+        expect(error).not_to be_nil
+        expect(error).to be_a(wrapped)
+        expect(error.cause).to be_a(cause)
+      end
+
+      it "complains about invalid URIs" do
+        check_error(CorruptMessage, URI::InvalidURIError) { Bindings::HTTPRedirect.decode(" ") }
+      end
+
+      it "complains about missing message" do
+        expect { Bindings::HTTPRedirect.decode("http://somewhere/") }.to raise_error(MissingMessage)
+        expect { Bindings::HTTPRedirect.decode("http://somewhere/?RelayState=bob") }.to raise_error(MissingMessage)
+      end
+
+      it "complains about malformed Base64" do
+        check_error(CorruptMessage, ArgumentError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=%^") }
+      end
+
+      it "doesn't allow deflate bombs" do
+        message = "\0" * 2 * 1024 * 1024
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        url = Bindings::HTTPRedirect.encode(message)
+
+        expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(MessageTooLarge)
+      end
+
+      it "complains about malformed deflated data" do
+        check_error(CorruptMessage, Zlib::BufError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=abcd") }
+      end
+
+      it "complains about zlibbed data" do
+        # SAML uses just Deflate, which has no header/footer; Zlib adds a simple header/footer
+        message = Base64.strict_encode64(Zlib::Deflate.deflate('abcd'))
+        check_error(CorruptMessage, Zlib::DataError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=#{message}") }
+      end
+
+      it "validates encoding" do
+        message = "hi"
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
+        url << "&SAMLEncoding=garbage"
+        expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(UnsupportedEncoding)
+      end
+
+      it "returns relay state" do
+        message = "hi"
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
+        allow(Message).to receive(:parse).with("hi").and_return("parsed")
+        message, relay_state = Bindings::HTTPRedirect.decode(url)
+        expect(message).to eq "parsed"
+        expect(relay_state).to eq "abc"
+      end
+
+      context "signature validation" do
+        # taken from logs of another system. It's a good one to test because the Signature
+        # has to be taken out of the middle, so you can't just use the whole query string
+        let(:url) { '/login/saml/logout?SAMLResponse=fZLNasMwEIRfxehuy7KVOhaOobSXQHtpSg%2b9FP2sE4EjGa9U2rev7JBDoOQmLTO7s5%2fUoTyPk3jxRx%2fDG%2bDkHUK2f96Rr%2fpBN4pXMtdcq5xXbJurbb3JN1JCZZpSqQ0n2QfMaL3bkaooSbZHjLB3GKQLqVSyJi95zup3xgVvRdkWVdN%2bkuwZMFgnw%2bo8hTChoNR%2b%2fwbQp8Im%2fxx1iDMU2p%2fp6I%2fW0SXockw5Sfa0xFxGxNkJL9GicPIMKIIWh8fXF5HSCH0RiehwAm0HCyYldNct3%2f2OaK3Yw8AkSKVqXrJqYIpVst4ao0xtymZbD21bbXja7ec8OhQrr%2ftzp9kHr%2f1I%2bm7lMV%2bs900SEeaFB%2bkXHgmHNAMWVyZg4lqgSfVtNSBNiDB09DKh7y7veAgyRLy9PXkD2YccI9xPgKtaHKJO7ZFktO%2fobVf632fp%2fwA%3d&Signature=eZejccsvxyLEZvkNdL3shazIPyBIfRwk0Ny5INfrwzhE40N%2bH4neEo7xoHi2ncJ0LQG6A71oxviVkqPWXUaePuAt3fbxTf%2bLkWPiXo0D6GVebSgPSZIMrsU%2fawfou68yX%2bI5dk8KtFiMOPCf5818oJvCdYjszN5o%2fU80UlJdjiDK%2bMF2rtzx6ZEXs04MoMDWKgouTZUFxNZP3KJeFQumLbK99ZfJVl8Wl4XDTs1DKq7eBJc1IgyH13LELxhHgCZMpARrCX65gCYhjnJWhmyTU4YFzdcwKeulYcP0eTbMEqRy9s1sEaOH%2fTx3I46Fl%2bv7j3GbRiRTwqF9%2bqjAKbJjpw%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1' }
+        let(:certificate) { OpenSSL::X509::Certificate.new(Base64.decode64('MIIFnzCCBIegAwIBAgIQItX5wssh0ecd46K65PkSNDANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAeFw0xNjA5MDgwMDAwMDBaFw0xOTEwMjUyMzU5NTlaMIGeMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxSTBHBgNVBAsTQElzc3VlZCB0aHJvdWdoIEl2eSBUZWNoIENvbW11bml0eSBDb2xsZWdlIG9mIEluZGlhbmEgRS1QS0kgTWFuYWcxEzARBgNVBAsTCkNPTU9ETyBTU0wxGTAXBgNVBAMTEGFkZnMuaXZ5dGVjaC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC58zHz7VsV9S2XZMRjgqiWxBZ6M9y6/3zkrbObJ9hZqO7giCoonNDuELUiNt8pBqF8aHef8qbDOecBBXkz8rPAJL1S6lzvbxHIBuvEy+xOpVdUNMoyOaAYHOI5T6ueL1Q4iGMKfnWuXSvVTyB+9wAF/aWVFSoz+alUOiQtqTYyfgIKzHIAmFX7/SjFA9UjKVtqatcvzWsSWZHL4imeTmPosXXjmJVZnl+jaeFsnmW59o66sdGR+NYkhsBcVRnuP3MdxVgr5xSJMN+/BgZwCncX+4LJq5664eeQcJM5Km9kbQ/jMFhYy765ejszcL0vWe/fS7tdXQCfoKjRZ5LzNEb3AgMBAAGjggHjMIIB3zAfBgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUdFr6SnHaXUqLAEdOL9qrTJS/3AYwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDEGA1UdEQQqMCiCEGFkZnMuaXZ5dGVjaC5lZHWCFHd3dy5hZGZzLml2eXRlY2guZWR1MA0GCSqGSIb3DQEBCwUAA4IBAQA0dXP0leDcdrr/iKk4nDSCofllPAWE8LE3mD9Yb9K+/oVymxpqNIVJesDPLtf1HqWk6S6eafcYvfzl9aTMcvwEkL27g2l9UQuICkQgqSEY5qTsK//u/2S98JqXep2oRyvxo3UHX+3Ouc3i49hQ0v05Faoeap/ZT3JEsMV2Go9UKRJbYBG9Nqq/CDBuTgyopKJ7fvCtsGxwsvlUAz/NMuNoUphPQ2S+O/SjabjR4XsAGU78Hji2tqJyvPyKPanxc0ioDdnL5lvrk4uZ/6Dy159C5FOFeLU2ZfiNLXRR85KFfhtX954qvX6jmM7CPmcidhzEnZV8fQv9G6XYPfrNL7bh')).public_key }
+        let(:incorrect_certificate) { OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key }
+
+        it "validates the signature" do
+          # no exception raised
+          Bindings::HTTPRedirect.decode(url, public_key: certificate)
+        end
+
+        it "raises on invalid signature" do
+          expect { Bindings::HTTPRedirect.decode(url, public_key: incorrect_certificate) }.to raise_error(InvalidSignature)
+        end
+
+        it "raises on unsupported signature algorithm" do
+          x = url
+          # SigAlg is now sha10
+          x << "0"
+          expect { Bindings::HTTPRedirect.decode(url, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
+        end
+
+        it "allows the caller to detect an unsigned message" do
+          message = "hi"
+          allow(message).to receive(:destination).and_return("http://somewhere/")
+          url = Bindings::HTTPRedirect.encode(message)
+          allow(Message).to receive(:parse).with("hi").and_return("parsed")
+
+          expect do
+            Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
+              expect(sig_alg).to be_nil
+              raise "no signature"
+            end
+          end.to raise_error("no signature")
+        end
+
+        it "requires a signature if a key is passed" do
+          message = "hi"
+          allow(message).to receive(:destination).and_return("http://somewhere/")
+          url = Bindings::HTTPRedirect.encode(message)
+          allow(Message).to receive(:parse).with("hi").and_return("parsed")
+
+          expect { Bindings::HTTPRedirect.decode(url, public_key: certificate) } .to raise_error(UnsignedMessage)
+        end
+
+        it "notifies the caller which key was used" do
+          called = 0
+          key_used = ->(key) do
+            expect(key).to eq certificate
+            called += 1
+          end
+          Bindings::HTTPRedirect.decode(url,
+                                        public_key: [incorrect_certificate,
+                                                     certificate],
+                                        public_key_used: key_used)
+          expect(called).to eq 1
+        end
+      end
+    end
+
+    describe '.encode' do
+      it 'works' do
+        message = "hi"
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
+        expect(url).to match(%r{^http://somewhere/\?SAMLResponse=(?:.*)&RelayState=abc})
+      end
+
+      it 'signs a message' do
+        message = "hi"
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
+        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc", private_key: key)
+
+        # verify the signature
+        allow(Message).to receive(:parse).with("hi").and_return("parsed")
+        Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
+          expect(sig_alg).not_to be_nil
+          OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key
+        end
+      end
+    end
+  end
+end