saml2 3.1.2 → 3.1.4

data/spec/lib/attribute_spec.rb

@@ -1,149 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe Attribute do
-    def serialize(attribute)
-      doc = Nokogiri::XML::Builder.new do |builder|
-        builder['saml'].Root('xmlns:saml' => Namespaces::SAML) do |root|
-          attribute.build(root)
-          root.parent.child['xmlns:saml'] = Namespaces::SAML
-        end
-      end.doc
-      doc.root.child.to_s
-    end
-
-    let(:eduPersonPrincipalNameXML) { <<XML.strip
-<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-  <saml:AttributeValue xsi:type="xs:string">user@domain</saml:AttributeValue>
-</saml:Attribute>
-XML
-  }
-
-    it "should auto-parse X500 attributes" do
-      attr = Attribute.from_xml(Nokogiri::XML(eduPersonPrincipalNameXML).root)
-      expect(attr).to be_instance_of Attribute::X500
-      expect(attr.value).to eq "user@domain"
-      expect(attr.name).to eq Attribute::X500::EduPerson::PRINCIPAL_NAME
-      expect(attr.friendly_name).to eq 'eduPersonPrincipalName'
-      expect(attr.name_format).to eq Attribute::NameFormats::URI
-    end
-
-    it "recognizes and X500 attribute without a NameFormat" do
-      xml = <<-XML
-        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user@domain</saml:AttributeValue></saml:Attribute>
-      XML
-      attr = Attribute.from_xml(Nokogiri::XML(xml).root)
-      expect(attr).to be_instance_of Attribute::X500
-      expect(attr.value).to eq "user@domain"
-      expect(attr.name).to eq Attribute::X500::EduPerson::PRINCIPAL_NAME
-      expect(attr.friendly_name).to eq 'eduPersonPrincipalName'
-      expect(attr.name_format).to eq nil
-    end
-
-    it "should serialize an X500 attribute correctly" do
-      attr = Attribute.create('eduPersonPrincipalName', 'user@domain')
-      expect(attr).to be_instance_of Attribute::X500
-      expect(attr.value).to eq "user@domain"
-      expect(attr.name).to eq Attribute::X500::EduPerson::PRINCIPAL_NAME
-      expect(attr.friendly_name).to eq 'eduPersonPrincipalName'
-      expect(attr.name_format).to eq Attribute::NameFormats::URI
-
-      expect(serialize(attr)).to eq eduPersonPrincipalNameXML
-    end
-
-    it "should parse and serialize boolean values" do
-      xml = <<XML.strip
-<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-  <saml:Attribute Name="attr">
-    <saml:AttributeValue xsi:type="xs:boolean">1</saml:AttributeValue>
-  </saml:Attribute>
-</saml:AttributeStatement>
-XML
-
-      stmt = AttributeStatement.from_xml(Nokogiri::XML(xml).root)
-      expect(stmt.attributes.first.value).to eq true
-
-      # serializes canonically
-      expect(serialize(stmt)).to eq(xml.sub('>1<', '>true<'))
-    end
-
-    it "should parse and serialize dateTime values" do
-      xml = <<XML.strip
-<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-  <saml:Attribute Name="attr">
-    <saml:AttributeValue xsi:type="xs:dateTime">2015-06-29T18:37:03Z</saml:AttributeValue>
-  </saml:Attribute>
-</saml:AttributeStatement>
-XML
-
-      stmt = AttributeStatement.from_xml(Nokogiri::XML(xml).root)
-      expect(stmt.attributes.first.value).to eq Time.at(1435603023)
-
-      # serializes canonically
-      expect(serialize(stmt)).to eq xml
-    end
-
-    it "should parse values with different namespace prefixes" do
-      xml = <<XML.strip
-<saml:Attribute Name="attr" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xssi="http://www.w3.org/2001/XMLSchema-instance">
-  <saml:AttributeValue xssi:type="xsd:boolean">0</saml:AttributeValue>
-</saml:Attribute>
-XML
-
-      attr = Attribute.from_xml(Nokogiri::XML(xml).root)
-      expect(attr.value).to eq false
-    end
-
-    it "should parse untagged values" do
-      xml = <<XML.strip
-<saml:Attribute Name="attr" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-  <saml:AttributeValue>something</saml:AttributeValue>
-</saml:Attribute>
-XML
-
-      attr = Attribute.from_xml(Nokogiri::XML(xml).root)
-      expect(attr.value).to eq "something"
-    end
-
-  end
-
-  describe AttributeStatement do
-    describe "#to_h" do
-      it "works" do
-        attr_statement = Response.parse(fixture("response_with_attribute_signed.xml")).assertions.first.attribute_statements.first
-        expect(attr_statement.to_h(:friendly_name)).to eq('givenName' => 'cody')
-        expect(attr_statement.to_h(:name)).to eq("urn:oid:2.5.4.42" => 'cody')
-        expect(attr_statement.to_h(:both)).to eq('givenName' => 'cody', "urn:oid:2.5.4.42" => 'cody')
-      end
-
-      it "infers friendly names if possible" do
-        attr_statement = Response.parse(fixture("test3-response.xml")).assertions.first.attribute_statements.first
-        expect(attr_statement.to_h).to eq({
-            'urn:oid:1.3.6.1.4.1.5923.1.1.1.1' => 'member',
-            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'student@example.edu',
-            'eduPersonAffiliation' => 'member',
-            'eduPersonPrincipalName' => 'student@example.edu'})
-      end
-
-      it "properly combines repeated attributes" do
-        attr_statement = AttributeStatement.from_xml(Nokogiri::XML(<<-XML).root)
-<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
-  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-    <saml2:AttributeValue>02</saml2:AttributeValue>
-  </saml2:Attribute>
-  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-    <saml2:AttributeValue>employee@school.edu</saml2:AttributeValue>
-    <saml2:AttributeValue>students@school.edu</saml2:AttributeValue>
-  </saml2:Attribute>
-</saml2:AttributeStatement>
-        XML
-
-        expect(attr_statement.to_h(:friendly_name)).to eq({
-            'eduPersonScopedAffiliation' => ['02', 'employee@school.edu', 'students@school.edu']
-                                          })
-      end
-    end
-  end
-end

data/spec/lib/authn_request_spec.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe AuthnRequest do
-    let(:sp) { Entity.parse(fixture('service_provider.xml')).roles.first }
-    let(:request) { AuthnRequest.parse(fixture('authnrequest.xml')) }
-
-    it "should be valid" do
-      expect(request.valid_schema?).to eq true
-      expect(request.resolve(sp)).to eq true
-      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.test.instructure.com/saml_consume"
-    end
-
-    it "should not be valid if the ACS url is not in the SP" do
-      allow(request).to receive(:assertion_consumer_service_url).and_return("garbage")
-      expect(request.resolve(sp)).to eq false
-    end
-
-    it "should use the default ACS if not specified" do
-      allow(request).to receive(:assertion_consumer_service_url).and_return(nil)
-      expect(request.resolve(sp)).to eq true
-      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.instructure.com/saml_consume"
-    end
-
-    it "should find the ACS by index" do
-      allow(request).to receive(:assertion_consumer_service_url).and_return(nil)
-      allow(request).to receive(:assertion_consumer_service_index).and_return(2)
-      expect(request.resolve(sp)).to eq true
-      expect(request.assertion_consumer_service.location).to eq "https://siteadmin.beta.instructure.com/saml_consume"
-    end
-
-    it "should find the NameID policy" do
-      expect(request.name_id_policy).to eq NameID::Policy.new(true, NameID::Format::PERSISTENT, "moodle.bridge.feide.no")
-    end
-
-    it 'serializes valid XML' do
-      authn_request = AuthnRequest.initiate(NameID.new("entity"),
-        assertion_consumer_service: Endpoint.new('https://somewhere/'))
-      authn_request.requested_authn_context = RequestedAuthnContext.new
-      authn_request.requested_authn_context.class_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
-      authn_request.requested_authn_context.comparison = :exact
-      authn_request.passive = true
-      xml = authn_request.to_s
-      authn_request = AuthnRequest.parse(xml)
-      expect(authn_request).to be_valid_schema
-      expect(authn_request.force_authn?).to eq nil
-      expect(authn_request.passive?).to eq true
-    end
-  end
-end

data/spec/lib/bindings/http_redirect_spec.rb

@@ -1,183 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../../spec_helper'
-
-require 'openssl'
-
-module SAML2
-  describe Bindings::HTTPRedirect do
-    describe '.decode' do
-      def check_error(wrapped, cause)
-        error = nil
-        begin
-          yield
-        rescue => e
-          error = e
-        end
-        expect(error).not_to be_nil
-        expect(error).to be_a(wrapped)
-        expect(error.cause).to be_a(cause)
-      end
-
-      it "complains about invalid URIs" do
-        check_error(CorruptMessage, URI::InvalidURIError) { Bindings::HTTPRedirect.decode(" ") }
-      end
-
-      it "complains about missing message" do
-        expect { Bindings::HTTPRedirect.decode("http://somewhere/") }.to raise_error(MissingMessage)
-        expect { Bindings::HTTPRedirect.decode("http://somewhere/?RelayState=bob") }.to raise_error(MissingMessage)
-      end
-
-      it "complains about malformed Base64" do
-        check_error(CorruptMessage, ArgumentError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=%^") }
-      end
-
-      it "doesn't allow deflate bombs" do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("\0" * 2 * 1024 * 1024)
-        url = Bindings::HTTPRedirect.encode(message)
-
-        expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(MessageTooLarge)
-      end
-
-      it "complains about malformed deflated data" do
-        check_error(CorruptMessage, Zlib::BufError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=abcd") }
-      end
-
-      it "complains about zlibbed data" do
-        # SAML uses just Deflate, which has no header/footer; Zlib adds a simple header/footer
-        message = Base64.strict_encode64(Zlib::Deflate.deflate('abcd'))
-        check_error(CorruptMessage, Zlib::DataError) { Bindings::HTTPRedirect.decode("http://somewhere/?SAMLRequest=#{message}") }
-      end
-
-      it "validates encoding" do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("hi")
-        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
-        url << "&SAMLEncoding=garbage"
-        expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(UnsupportedEncoding)
-      end
-
-      it "returns relay state" do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("hi")
-        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
-        allow(Message).to receive(:parse).with("hi").and_return("parsed")
-        message, relay_state = Bindings::HTTPRedirect.decode(url)
-        expect(message).to eq "parsed"
-        expect(relay_state).to eq "abc"
-      end
-
-      context "signature validation" do
-        # taken from logs of another system. It's a good one to test because the Signature
-        # has to be taken out of the middle, so you can't just use the whole query string
-        let(:url) { '/login/saml/logout?SAMLResponse=fZLNasMwEIRfxehuy7KVOhaOobSXQHtpSg%2b9FP2sE4EjGa9U2rev7JBDoOQmLTO7s5%2fUoTyPk3jxRx%2fDG%2bDkHUK2f96Rr%2fpBN4pXMtdcq5xXbJurbb3JN1JCZZpSqQ0n2QfMaL3bkaooSbZHjLB3GKQLqVSyJi95zup3xgVvRdkWVdN%2bkuwZMFgnw%2bo8hTChoNR%2b%2fwbQp8Im%2fxx1iDMU2p%2fp6I%2fW0SXockw5Sfa0xFxGxNkJL9GicPIMKIIWh8fXF5HSCH0RiehwAm0HCyYldNct3%2f2OaK3Yw8AkSKVqXrJqYIpVst4ao0xtymZbD21bbXja7ec8OhQrr%2ftzp9kHr%2f1I%2bm7lMV%2bs900SEeaFB%2bkXHgmHNAMWVyZg4lqgSfVtNSBNiDB09DKh7y7veAgyRLy9PXkD2YccI9xPgKtaHKJO7ZFktO%2fobVf632fp%2fwA%3d&Signature=eZejccsvxyLEZvkNdL3shazIPyBIfRwk0Ny5INfrwzhE40N%2bH4neEo7xoHi2ncJ0LQG6A71oxviVkqPWXUaePuAt3fbxTf%2bLkWPiXo0D6GVebSgPSZIMrsU%2fawfou68yX%2bI5dk8KtFiMOPCf5818oJvCdYjszN5o%2fU80UlJdjiDK%2bMF2rtzx6ZEXs04MoMDWKgouTZUFxNZP3KJeFQumLbK99ZfJVl8Wl4XDTs1DKq7eBJc1IgyH13LELxhHgCZMpARrCX65gCYhjnJWhmyTU4YFzdcwKeulYcP0eTbMEqRy9s1sEaOH%2fTx3I46Fl%2bv7j3GbRiRTwqF9%2bqjAKbJjpw%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1' }
-        let(:certificate) { OpenSSL::X509::Certificate.new(Base64.decode64('MIIFnzCCBIegAwIBAgIQItX5wssh0ecd46K65PkSNDANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAeFw0xNjA5MDgwMDAwMDBaFw0xOTEwMjUyMzU5NTlaMIGeMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxSTBHBgNVBAsTQElzc3VlZCB0aHJvdWdoIEl2eSBUZWNoIENvbW11bml0eSBDb2xsZWdlIG9mIEluZGlhbmEgRS1QS0kgTWFuYWcxEzARBgNVBAsTCkNPTU9ETyBTU0wxGTAXBgNVBAMTEGFkZnMuaXZ5dGVjaC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC58zHz7VsV9S2XZMRjgqiWxBZ6M9y6/3zkrbObJ9hZqO7giCoonNDuELUiNt8pBqF8aHef8qbDOecBBXkz8rPAJL1S6lzvbxHIBuvEy+xOpVdUNMoyOaAYHOI5T6ueL1Q4iGMKfnWuXSvVTyB+9wAF/aWVFSoz+alUOiQtqTYyfgIKzHIAmFX7/SjFA9UjKVtqatcvzWsSWZHL4imeTmPosXXjmJVZnl+jaeFsnmW59o66sdGR+NYkhsBcVRnuP3MdxVgr5xSJMN+/BgZwCncX+4LJq5664eeQcJM5Km9kbQ/jMFhYy765ejszcL0vWe/fS7tdXQCfoKjRZ5LzNEb3AgMBAAGjggHjMIIB3zAfBgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUdFr6SnHaXUqLAEdOL9qrTJS/3AYwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDEGA1UdEQQqMCiCEGFkZnMuaXZ5dGVjaC5lZHWCFHd3dy5hZGZzLml2eXRlY2guZWR1MA0GCSqGSIb3DQEBCwUAA4IBAQA0dXP0leDcdrr/iKk4nDSCofllPAWE8LE3mD9Yb9K+/oVymxpqNIVJesDPLtf1HqWk6S6eafcYvfzl9aTMcvwEkL27g2l9UQuICkQgqSEY5qTsK//u/2S98JqXep2oRyvxo3UHX+3Ouc3i49hQ0v05Faoeap/ZT3JEsMV2Go9UKRJbYBG9Nqq/CDBuTgyopKJ7fvCtsGxwsvlUAz/NMuNoUphPQ2S+O/SjabjR4XsAGU78Hji2tqJyvPyKPanxc0ioDdnL5lvrk4uZ/6Dy159C5FOFeLU2ZfiNLXRR85KFfhtX954qvX6jmM7CPmcidhzEnZV8fQv9G6XYPfrNL7bh')).public_key }
-        let(:incorrect_certificate) { OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key }
-
-        it "validates the signature" do
-          # no exception raised
-          Bindings::HTTPRedirect.decode(url, public_key: certificate)
-        end
-
-        it "raises on invalid signature" do
-          expect { Bindings::HTTPRedirect.decode(url, public_key: incorrect_certificate) }.to raise_error(InvalidSignature)
-        end
-
-        it "raises on unsupported signature algorithm" do
-          x = url.dup
-          # SigAlg is now sha10
-          x << "0"
-          expect { Bindings::HTTPRedirect.decode(x, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
-        end
-
-        it "allows the caller to detect an unsigned message" do
-          message = double()
-          allow(message).to receive(:destination).and_return("http://somewhere/")
-          allow(message).to receive(:to_s).and_return("hi")
-          url = Bindings::HTTPRedirect.encode(message)
-          allow(Message).to receive(:parse).with("hi").and_return("parsed")
-
-          expect do
-            Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
-              expect(sig_alg).to be_nil
-              raise "no signature"
-            end
-          end.to raise_error("no signature")
-        end
-
-        it "requires a signature if a key is passed" do
-          message = double()
-          allow(message).to receive(:destination).and_return("http://somewhere/")
-          allow(message).to receive(:to_s).and_return("hi")
-          url = Bindings::HTTPRedirect.encode(message)
-          allow(Message).to receive(:parse).with("hi").and_return("parsed")
-
-          expect { Bindings::HTTPRedirect.decode(url, public_key: certificate) } .to raise_error(UnsignedMessage)
-        end
-
-        it "notifies the caller which key was used" do
-          called = 0
-          key_used = ->(key) do
-            expect(key).to eq certificate
-            called += 1
-          end
-          Bindings::HTTPRedirect.decode(url,
-                                        public_key: [incorrect_certificate,
-                                                     certificate],
-                                        public_key_used: key_used)
-          expect(called).to eq 1
-        end
-      end
-    end
-
-    describe '.encode' do
-      it 'works' do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("hi")
-        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
-        expect(url).to match(%r{^http://somewhere/\?SAMLResponse=(?:.*)&RelayState=abc})
-      end
-
-      it 'signs a message' do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("hi")
-        key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
-        url = Bindings::HTTPRedirect.encode(message,
-                                            relay_state: "abc",
-                                            private_key: key)
-
-        # verify the signature
-        allow(Message).to receive(:parse).with("hi").and_return("parsed")
-        Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
-          expect(sig_alg).to eq Bindings::HTTPRedirect::SigAlgs::RSA_SHA1
-          OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key
-        end
-      end
-
-      it 'signs a message with RSA-SHA256' do
-        message = double()
-        allow(message).to receive(:destination).and_return("http://somewhere/")
-        allow(message).to receive(:to_s).and_return("hi")
-        key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
-        url = Bindings::HTTPRedirect.encode(message,
-                                            relay_state: "abc",
-                                            private_key: key,
-                                            sig_alg: Bindings::HTTPRedirect::SigAlgs::RSA_SHA256)
-
-        # verify the signature
-        allow(Message).to receive(:parse).with("hi").and_return("parsed")
-        Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
-          expect(sig_alg).to eq Bindings::HTTPRedirect::SigAlgs::RSA_SHA256
-          OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key
-        end
-      end
-
-    end
-  end
-end

data/spec/lib/conditions_spec.rb

@@ -1,74 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe Conditions do
-    it "empty should be valid" do
-      expect(Conditions.new.valid?).to eq true
-    end
-
-    it "should be invalid with unknown condition" do
-      conditions = Conditions.new
-      conditions << Conditions::Condition.new
-      expect(conditions.valid?).to eq false
-    end
-
-    it "should be valid with timestamps" do
-      conditions = Conditions.new
-      now = Time.now.utc
-      conditions.not_before = now - 5
-      conditions.not_on_or_after = now + 30
-      expect(conditions.valid?).to eq true
-    end
-
-    it "should be invalid with out of range timestamps" do
-      conditions = Conditions.new
-      now = Time.now.utc
-      conditions.not_before = now - 35
-      conditions.not_on_or_after = now - 5
-      expect(conditions.valid?).to eq false
-    end
-
-    it "should allow passing now" do
-      conditions = Conditions.new
-      now = Time.now.utc
-      conditions.not_before = now - 35
-      conditions.not_on_or_after = now - 5
-      expect(conditions.valid?(now: now - 10)).to eq true
-    end
-
-    it "should be invalid before indeterminate" do
-      conditions = Conditions.new
-      now = Time.now.utc
-      conditions.not_before = now + 5
-      conditions << Conditions::Condition.new
-      expect(conditions.valid?).to eq false
-    end
-
-    it "should be invalid before indeterminate (actual conditions)" do
-      conditions = Conditions.new
-      conditions << Conditions::Condition.new
-      conditions << Conditions::AudienceRestriction.new('audience')
-      expect(conditions.valid?).to eq false
-    end
-  end
-
-  describe Conditions::AudienceRestriction do
-    it "should be invalid" do
-      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual')).to eq false
-    end
-
-    it "should be valid" do
-      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'expected')).to eq true
-    end
-
-    it "should be valid with an array" do
-      expect(Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual')).to eq true
-    end
-
-    it "is valid when ignored" do
-      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual', ignore_audience_condition: true)).to eq true
-    end
-  end
-end

data/spec/lib/entity_spec.rb

@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe Entity do
-    it "should parse and validate" do
-      entity = Entity.parse(fixture('service_provider.xml'))
-      expect(entity.valid_schema?).to eq true
-    end
-
-    it "should return nil when not valid schema" do
-      entity = Entity.parse("<xml></xml>")
-      expect(entity).to be_nil
-    end
-
-    it "should return nil on non-XML" do
-      entity = Entity.parse("garbage")
-      expect(entity).to be_nil
-    end
-
-    describe "valid schema" do
-      let(:entity) { Entity.parse(fixture('service_provider.xml')) }
-
-      it "should find the id" do
-        expect(entity.entity_id).to eq "http://siteadmin.instructure.com/saml2"
-      end
-
-      it "should parse the organization" do
-        expect(entity.organization.display_name.to_s).to eq 'Canvas'
-        expect(entity.organization.display_name['en']).to eq 'Canvas'
-        expect(entity.organization.display_name['es']).to be_nil
-        expect(entity.organization.display_name[:all]).to eq en: 'Canvas'
-      end
-
-      it "validates metadata from ADFS containing lots of non-SAML schemas" do
-        expect(Entity.parse(fixture('FederationMetadata.xml')).valid_schema?).to eq true
-      end
-    end
-
-    it "should sign correctly" do
-      entity = Entity.parse(fixture('service_provider.xml'))
-      entity.sign(fixture('certificate.pem'), fixture('privatekey.key'))
-      entity2 = Entity.parse(entity.to_s)
-      expect(entity2.valid_schema?).to eq true
-    end
-
-    describe Entity::Group do
-      it "should parse and validate" do
-        group = Entity.parse(fixture('entities.xml'))
-        expect(group).to be_instance_of(Entity::Group)
-        expect(group.valid_schema?).to eq true
-
-        expect(group.map(&:entity_id)).to eq ['urn:entity1', 'urn:entity2']
-      end
-    end
-  end
-end

data/spec/lib/identity_provider_spec.rb

@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe IdentityProvider do
-    it "should serialize valid xml" do
-      entity = Entity.new
-      entity.entity_id = 'http://sso.canvaslms.com/SAML2'
-      entity.organization = Organization.new('Canvas', 'Canvas by Instructure', 'https://www.canvaslms.com/')
-      contact = Contact.new(Contact::Type::TECHNICAL)
-      contact.company = 'Instructure'
-      contact.email_addresses << 'mailto:ops@instructure.com'
-      entity.contacts << contact
-
-      idp = IdentityProvider.new
-      idp.name_id_formats << NameID::Format::PERSISTENT
-      idp.single_sign_on_services << Endpoint.new('https://sso.canvaslms.com/SAML2/Login')
-      idp.keys << KeyDescriptor.new('somedata', KeyDescriptor::Type::SIGNING)
-
-      entity.roles << idp
-      expect(Schemas.metadata.validate(Nokogiri::XML(entity.to_s))).to eq []
-    end
-
-    describe "valid metadata" do
-      let(:entity) { Entity.parse(fixture('identity_provider.xml')) }
-      let(:idp) { entity.roles.first }
-
-      it "should create the single_sign_on_services array" do
-        expect(idp.single_sign_on_services.length).to eq 3
-        expect(idp.single_sign_on_services.first.location).to eq 'https://sso.school.edu/idp/profile/Shibboleth/SSO'
-      end
-
-      it "should find the signing certificate" do
-        expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
-      end
-
-      it "loads identity provider attributes" do
-        expect(idp.want_authn_requests_signed?).to be_truthy
-      end
-    end
-  end
-end

data/spec/lib/indexed_object_spec.rb

@@ -1,71 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe IndexedObject do
-    describe "#default?" do
-      it "always returns a boolean" do
-        acs = Endpoint::Indexed.new('a', 0)
-        expect(acs.default?).to eq false
-        expect(acs.default_defined?).to eq false
-      end
-
-      it "#default_defined? works" do
-        acs = Endpoint::Indexed.new('a', 0, false)
-        expect(acs.default?).to eq false
-        expect(acs.default_defined?).to eq true
-      end
-    end
-
-    context "serialization" do
-      it "doesn't include isDefault when it's nil" do
-        acs = Endpoint::Indexed.new('a', 0)
-        builder = double()
-        expect(builder).to receive(:[]).and_return(builder).ordered
-        expect(builder).to receive(:"AssertionConsumerService").ordered
-        expect(builder).to receive(:parent).and_return(builder).ordered
-        expect(builder).to receive(:children).and_return(builder).ordered
-        expect(builder).to receive(:last).and_return(builder).ordered
-        expect(builder).to receive(:[]=).with("index", 0).ordered
-
-        acs.build(builder,"AssertionConsumerService")
-      end
-    end
-  end
-
-  describe IndexedObject::Array do
-    it "should sort by index" do
-      acses = Endpoint::Indexed::Array.new(
-          [Endpoint::Indexed.new('b', 1),
-           Endpoint::Indexed.new('a', 0)])
-      expect(acses.map(&:location)).to eq ['a', 'b']
-    end
-
-    it "should be accessible by index" do
-      acses = Endpoint::Indexed::Array.new(
-          [Endpoint::Indexed.new('b', 3),
-           Endpoint::Indexed.new('a', 1)])
-      expect(acses.map(&:location)).to eq ['a', 'b']
-      expect(acses[1].location).to eq 'a'
-      expect(acses[3].location).to eq 'b'
-      expect(acses[0]).to be_nil
-    end
-
-    describe "#default" do
-      it "should default to first entry if not otherwise specified" do
-        acses = Endpoint::Indexed::Array.new(
-            [Endpoint::Indexed.new('a', 0),
-             Endpoint::Indexed.new('b', 1)])
-        expect(acses.default.location).to eq 'a'
-      end
-
-      it "should default to a tagged default" do
-        acses = Endpoint::Indexed::Array.new(
-            [Endpoint::Indexed.new('a', 0),
-             Endpoint::Indexed.new('b', 1, true)])
-        expect(acses.default.location).to eq 'b'
-      end
-    end
-  end
-end

data/spec/lib/key_spec.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-require_relative '../spec_helper'
-
-module SAML2
-  describe KeyInfo do
-    describe '.format_fingerprint' do
-      it 'strips non-hexadecimal characters' do
-        expect(KeyInfo.format_fingerprint("\u200F abcdefghijklmnop 1234567890-\n a1")).to eq("ab:cd:ef:12:34:56:78:90:a1")
-      end
-    end
-
-    describe '#certificate' do
-      it "doesn't asplode if the keyinfo is just an rsa key value" do
-        response = Nokogiri::XML(fixture("response_with_rsa_key_value.xml"))
-        key = KeyInfo.from_xml(response.at_xpath('//dsig:KeyInfo', Namespaces::ALL))
-        expect(key.certificate).to be_nil
-        expect(key.fingerprint).to be_nil
-        expect(key.key).not_to be_nil
-      end
-    end
-  end
-end