saml_idp 0.0.1

data/spec/lib/saml_idp/configurator_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+module SamlIdp
+  describe Configurator do
+    it { should respond_to :x509_certificate }
+    it { should respond_to :secret_key }
+    it { should respond_to :algorithm }
+    it { should respond_to :organization_name }
+    it { should respond_to :organization_url }
+    it { should respond_to :base_saml_location }
+    it { should respond_to :reference_id_generator }
+    it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_post_location }
+    it { should respond_to :name_id }
+    it { should respond_to :attributes }
+    it { should respond_to :service_provider }
+
+    its(:x509_certificate) { should == Default::X509_CERTIFICATE }
+    its(:secret_key) { should == Default::SECRET_KEY }
+    its(:algorithm) { should == :sha1 }
+    its(:reference_id_generator) { should respond_to :call }
+
+    it "can call service provider finder" do
+      subject.service_provider.finder.should respond_to :call
+    end
+
+    it "can call service provider metadata persister" do
+      subject.service_provider.metadata_persister.should respond_to :call
+    end
+  end
+end

data/spec/lib/saml_idp/controller_spec.rb

@@ -0,0 +1,51 @@
+# encoding: utf-8
+require 'spec_helper'
+
+describe SamlIdp::Controller do
+  include SamlIdp::Controller
+
+  def render(*)
+  end
+
+  def params
+    @params ||= {}
+  end
+
+  it "should find the SAML ACS URL" do
+    requested_saml_acs_url = "https://example.com/saml/consume"
+    params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
+    validate_saml_request
+    saml_acs_url.should == requested_saml_acs_url
+  end
+
+  context "SAML Responses" do
+    before(:each) do
+      params[:SAMLRequest] = make_saml_request
+      validate_saml_request
+    end
+
+    let(:principal) { double email_address: "foo@example.com" }
+
+    it "should create a SAML Response" do
+      saml_response = encode_response(principal)
+      response = Onelogin::Saml::Response.new(saml_response)
+      response.name_id.should == "foo@example.com"
+      response.issuer.should == "http://example.com"
+      response.settings = saml_settings
+      response.is_valid?.should be_true
+    end
+
+    [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
+      it "should create a SAML Response using the #{algorithm_name} algorithm" do
+        self.algorithm = algorithm_name
+        saml_response = encode_response(principal)
+        response = Onelogin::Saml::Response.new(saml_response)
+        response.name_id.should == "foo@example.com"
+        response.issuer.should == "http://example.com"
+        response.settings = saml_settings
+        response.is_valid?.should be_true
+      end
+    end
+  end
+
+end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+module SamlIdp
+  describe MetadataBuilder do
+    its(:fresh) { should_not be_empty }
+    it "signs valid xml" do
+      Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should be_true
+    end
+  end
+end

data/spec/lib/saml_idp/name_id_formatter_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+module SamlIdp
+  describe NameIdFormatter do
+    subject { described_class.new list }
+
+    describe "with one item" do
+      let(:list) { { email_address: ->() { "foo@example.com" } } }
+
+      its(:all) { should == ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"] }
+    end
+
+    describe "with hash describing versions" do
+      let(:list) {
+        {
+          "1.1" => { email_address: -> {} },
+          "2.0" => { undefined: -> {} },
+        }
+      }
+
+      its(:all) {
+        should == [
+          "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
+        ]
+      }
+    end
+
+    describe "with actual list" do
+      let(:list) { [:email_address, :undefined] }
+
+      its(:all) {
+        should == [
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
+        ]
+      }
+    end
+  end
+end

data/spec/lib/saml_idp/request_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+module SamlIdp
+  describe Request do
+    let(:raw_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/></samlp:AuthnRequest>" }
+    subject { described_class.new raw_request }
+
+    its(:request_id) { should == "_af43d1a0-e111-0130-661a-3c0754403fdb" }
+    its(:acs_url) { should == "http://localhost:3000/saml/consume" }
+    its(:service_provider) { should be_a ServiceProvider }
+    its(:service_provider?) { should be_true }
+    its(:issuer) { should == "localhost:3000" }
+    its(:valid_signature?) { should be_true }
+  end
+end

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+module SamlIdp
+  describe ResponseBuilder do
+    let(:response_id) { "abc" }
+    let(:issuer_uri) { "http://example.com" }
+    let(:saml_acs_url) { "http://sportngin.com" }
+    let(:saml_request_id) { "134" }
+    let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    subject { described_class.new(
+      response_id,
+      issuer_uri,
+      saml_acs_url,
+      saml_request_id,
+      assertion_and_signature
+    ) }
+
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+
+    it "builds a legit raw XML file" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        subject.raw.should == "<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\"134\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>"
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+module SamlIdp
+  describe SamlResponse do
+    let(:reference_id) { "123" }
+    let(:response_id) { "abc" }
+    let(:issuer_uri) { "localhost" }
+    let(:name_id) { "name" }
+    let(:audience_uri) { "localhost/audience" }
+    let(:saml_request_id) { "abc123" }
+    let(:saml_acs_url) { "localhost/acs" }
+    let(:algorithm) { :sha1 }
+    let(:secret_key) { Default::SECRET_KEY }
+    let(:x509_certificate) { Default::X509_CERTIFICATE }
+    subject { described_class.new(reference_id,
+                                  response_id,
+                                  issuer_uri,
+                                  name_id,
+                                  audience_uri,
+                                  saml_request_id,
+                                  saml_acs_url,
+                                  algorithm
+                                 )
+    }
+
+    its(:build) { should be_present }
+  end
+end

data/spec/lib/saml_idp/service_provider_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+module SamlIdp
+  describe ServiceProvider do
+    subject { described_class.new attributes }
+    let(:attributes) { {} }
+
+    it { should respond_to :fingerprint }
+    it { should respond_to :metadata_url }
+    it { should_not be_valid }
+
+    describe "with attributes" do
+      let(:attributes) { { fingerprint: fingerprint, metadata_url: metadata_url } }
+      let(:fingerprint) { Default::FINGERPRINT }
+      let(:metadata_url) { "http://localhost:3000/metadata" }
+
+      its(:fingerprint) { should == fingerprint }
+      its(:metadata_url) { should == metadata_url }
+      it { should be_valid }
+    end
+  end
+end

data/spec/lib/saml_idp/signable_spec.rb

@@ -0,0 +1,74 @@
+# encoding: utf-8
+require 'spec_helper'
+class MockSignable
+  include SamlIdp::Signable
+
+  def raw
+    builder = Builder::XmlMarkup.new
+    builder.body do |body|
+      sign body
+    end
+  end
+
+  def reference_id
+    "abc"
+  end
+
+  def digest
+    algorithm.digest raw
+  end
+
+  def algorithm
+    OpenSSL::Digest::SHA1
+  end
+end
+
+module SamlIdp
+  describe MockSignable do
+    let(:signature_regex) { %r{<ds:Signature xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:info_regex) { %r{<ds:SignedInfo xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:canon) do
+      %r{<ds:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"><\/ds:CanonicalizationMethod>}
+    end
+    let(:sig_method) do
+      %r{<ds:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"><\/ds:SignatureMethod>}
+    end
+    let(:reference) { %r{<ds:Reference URI=\"#_abc\">} }
+    let(:transforms) { %r{<ds:Transforms>} }
+    let(:enveloped) { %r{<ds:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"><\/ds:Transform>} }
+    let(:c14n) { %r{<ds:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"><\/ds:Transform>} }
+    let(:end_transforms) { %r{<\/ds:Transforms>} }
+    let(:digest_method) { %r{<ds:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"><\/ds:DigestMethod>} }
+    let(:digest_value) { %r{<ds:DigestValue>\S+<\/ds:DigestValue>} }
+    let(:end_reference) { %r{<\/ds:Reference>} }
+    let(:end_info) { %r{<\/ds:SignedInfo>} }
+    let(:sig_val) { %r{<ds:SignatureValue>\S+<\/ds:SignatureValue>} }
+    let(:key_info) { %r{<KeyInfo xmlns=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:x509) { %r{<ds:X509Data><ds:X509Certificate>\S+<\/ds:X509Certificate><\/ds:X509Data>} }
+    let(:end_rest) { %r{<\/KeyInfo><\/ds:Signature>} }
+
+    let(:all_regex) do
+      Regexp.new [
+        signature_regex,
+        info_regex,
+        canon,
+        sig_method,
+        reference,
+        transforms,
+        enveloped,
+        c14n,
+        end_transforms,
+        digest_method,
+        digest_value,
+        end_reference,
+        end_info,
+        sig_val,
+        key_info,
+        x509,
+        end_rest,
+      ].map(&:to_s).join(".*")
+    end
+
+    its(:signed) { should match all_regex }
+  end
+end

data/spec/lib/saml_idp/signature_builder_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+module SamlIdp
+  describe SignatureBuilder do
+    let(:signed) { "jvEbD/rsiPKmoXy7Lhm+FGn88NPGlap4EcPZ2fvjBnk03YESs87FXAIiZZEzN5xq4sBZksUmZe2bV3rrr9sxQNgQawmrrvr66ot7cJiv0ETFArr6kQIZaR5g/V0M4ydxvrfefp6cQVI0hXvmxi830pq0tISiO4J7tyBNX/kvhZk=" }
+    let(:raw_info) { "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha256\"/><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha256\"/><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo>" }
+    let(:signed_info) { double raw: raw_info, signed: signed }
+    subject { described_class.new(
+      signed_info
+    ) }
+
+    before do
+      Time.stub now: Time.parse("Jul 31 2013")
+    end
+
+    it "builds a legit raw XML file" do
+      subject.raw.should == "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha256\"/><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha256\"/><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jvEbD/rsiPKmoXy7Lhm+FGn88NPGlap4EcPZ2fvjBnk03YESs87FXAIiZZEzN5xq4sBZksUmZe2bV3rrr9sxQNgQawmrrvr66ot7cJiv0ETFArr6kQIZaR5g/V0M4ydxvrfefp6cQVI0hXvmxi830pq0tISiO4J7tyBNX/kvhZk=</ds:SignatureValue><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF5T0RBeU1qSXlPRm9YRFRNeU1EUXkKTXpBeU1qSXlPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXVCeXdQTmxDMUZvcEdMWWZGOTZTb3RpSwo4Tmo2L25XMDg0TzRvbVJNaWZ6eTd4OTU1UkxFeTY3M3EyYWlKTkIzTHZFNlh2a3Q5Y0d0eHROb09YdzFnMlV2CkhLcGxkUWJyNmJPRWpMTmVETlc3ajBvYitKclJ2QVVPSzlDUmdkeXc1TUM2bHdxVlFRNUMxRG5hVC8yZlNCRmoKYXNCRlRSMjRkRXBmVHk4SGZLRUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRTkJHbW10M3l0S3BjSmFCYVlOYm55VTJ4a2F6QVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVEUVJwcHJkOHJTcVhDV2dXbURXNThsTnNaR3VoZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FBRQpjVlVQQlg3dVptenFaSmZ5K3RVUE9UNUltTlFqOFZFMmxlcmhuRmpuR1BIbUhJcWhwemdud0hRdWpKZnMvYTMwCjlXbTVxd2NDYUMxZU81Y1dqY0cweDNPamRsbHNnWURhdGw1R0F1bXRCeDhKM05oV1JxTlVnaXRDSWtRbHhISXcKVWZnUWFDdXNoWWdEREw1WWJJUWErK2VnQ2dwSVorVDBEajVvUmV3Ly9BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>"
+    end
+  end
+end

data/spec/lib/saml_idp/signed_info_builder_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+module SamlIdp
+  describe SignedInfoBuilder do
+    let(:reference_id) { "abc" }
+    let(:digest) { "em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=" }
+    let(:algorithm) { :sha256 }
+    subject { described_class.new(
+      reference_id,
+      digest,
+      algorithm
+    ) }
+
+    before do
+      Time.stub now: Time.parse("Jul 31 2013")
+    end
+
+    it "builds a legit raw XML file" do
+      subject.raw.should == "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha256\"></ds:SignatureMethod><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"></ds:Transform><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha256\"></ds:DigestMethod><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
+    end
+
+    it "builds a legit digest of the XML file" do
+      subject.signed.should == "MZd0Trzk+iQiHeMf5lKI0eXkTj5RQUBQH5j81jNNR/Ndf7Q1tIxsygcAM+CeWdt/Es8/Hvxe/nHmaXkkAB0BR5p8Pfrpv90wL1D+w6zeOLDNw9/+kn9E6Syu/2NMxrFetiVM7WwZcAJRA4WHRqxk6IIHIIf/Y3pf1tqKNWe6UgY="
+    end
+  end
+end

data/spec/rails_app/.gitignore

@@ -0,0 +1,15 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile ~/.gitignore_global
+
+# Ignore bundler config
+/.bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+
+# Ignore all logfiles and tempfiles.
+/log/*.log
+/tmp

data/spec/rails_app/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.