saml_idp 0.14.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 847e2cafec28e67417685e6ba1173aa88ac489172e0e31fa51f2bbab37ef5d10
-  data.tar.gz: 8d9ace44b46770b3ca7481461bd16fce9dfc0e2b9925a4a2b5460a780cfddce3
+  metadata.gz: 4da444f25fd4d8cb2b53d847ee3ffa44adab3b2c4b64be57a6935c0922acf1a8
+  data.tar.gz: ff0beb64e76c37a0bbcb098f0bd5a50b4d15ff124d63d9c01d421f4693f6fa2d
 SHA512:
-  metadata.gz: 6aa29d58babddddc81037fe220276241a355d81a15acb3639a9cc6df935f531bf1fe53e3c5599d49640080776c357ebf6348559ac034313ad64f82f80a7824a0
-  data.tar.gz: 9f5b83fd6459476d81c2dc2d3f0e79c401ba01474856f201c5a32615da8e22e4c416d220ef82985205f69f1d87a560a80c3bbae552a39ec4bdb49cc0a1baafa0
+  metadata.gz: 1fe91e27e817106e66738c73c670ce064c18b18e9528f7aef3c2a4dc87658c9262877b7a62f491c29ff371d39e0306721bc1f97af7ec3fb6fd1d23b8550b32ce
+  data.tar.gz: d6ee196976da4fe1af818bca3183632372ef2e1e3059891e75a13dc39caa9fb86c3d312c384d926877f9e14cfbd751d566d517742e72e0bb77e276e446a88aed

data/README.md

@@ -42,10 +42,11 @@ Check out our Wiki page for Rails integration
 
 #### Signed assertions and Signed Response
 
-By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`. Because SAML assertions contain secure information used for authentication such as NameID.
+By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`, because SAML assertions contain secure information used for authentication such as NameID.
+Besides that, signing assertions could be optional and can be defined with `config.signed_assertion` option. Setting this configuration flag to `false` will add raw assertions on the response instead of signed ones. If the response is encrypted the `config.signed_assertion` will be ignored and all assertions will be signed.
 
 Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed.
-For that, you can enable it with `config.signed_message` option. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
+For that, you can enable it with `signed_message: true` option for `encode_response(user_email, signed_message: true)` method. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
 
 #### Signing algorithm
 
@@ -85,7 +86,9 @@ CERT
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
-  # config.signed_message = true                                  # Default: false which means unsigned SAML Response
+  # config.signed_assertion = false                               # Default: true which means signed assertions on the SAML Response
+  # config.compress = true                                        # Default: false which means the SAML Response is not being compressed
+  # config.logger = ::Logger.new($stdout)                         # Default: if in Rails context - Rails.logger, else ->(msg) { puts msg }. Works with either a Ruby Logger or a lambda
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #
@@ -219,7 +222,7 @@ The gem provides an helper to generate a fingerprint for a X.509 certificate.
 The second parameter is optional and default to your configuration `SamlIdp.config.algorithm`
 
 ```ruby
-  Fingerprint.certificate_digest(x509_cert, :sha512)
+  SamlIdp::Fingerprint.certificate_digest(x509_cert, :sha512)
 ```
 
 ## Service Providers

data/lib/saml_idp/configurator.rb

@@ -22,6 +22,7 @@ module SamlIdp
     attr_accessor :service_provider
     attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
+    attr_accessor :logger
 
     def initialize
       self.x509_certificate = Default::X509_CERTIFICATE
@@ -34,6 +35,7 @@ module SamlIdp
       self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
       self.session_expiry = 0
       self.attributes = {}
+      self.logger = defined?(::Rails) ? Rails.logger : ->(msg) { puts msg }
     end
 
     # formats

data/lib/saml_idp/controller.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 require 'openssl'
 require 'base64'
 require 'time'
@@ -36,9 +35,8 @@ module SamlIdp
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
       return true if valid_saml_request?
-      if defined?(::Rails)
-        head :forbidden
-      end
+
+      head :forbidden if defined?(::Rails)
       false
     end
 
@@ -60,9 +58,13 @@ module SamlIdp
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      name_id_formats_opts = opts[:name_id_formats] || nil
+      asserted_attributes_opts = opts[:attributes] || nil
       signed_message_opts = opts[:signed_message] || false
       name_id_formats_opts = opts[:name_id_formats] || nil
       asserted_attributes_opts = opts[:attributes] || nil
+      signed_assertion_opts = opts[:signed_assertion] || true
+      compress_opts = opts[:compress] || false
 
       SamlResponse.new(
         reference_id,
@@ -77,13 +79,15 @@ module SamlIdp
         expiry,
         encryption_opts,
         session_expiry,
-        signed_message_opts,
         name_id_formats_opts,
-        asserted_attributes_opts
+        asserted_attributes_opts,
+        signed_assertion_opts,
+        signed_message_opts,
+        compress_opts
       ).build
     end
 
-    def encode_logout_response(principal, opts = {})
+    def encode_logout_response(_principal, opts = {})
       SamlIdp::LogoutResponseBuilder.new(
         get_saml_response_id,
         (opts[:issuer_uri] || issuer_uri),

data/lib/saml_idp/request.rb

@@ -1,5 +1,6 @@
 require 'saml_idp/xml_security'
 require 'saml_idp/service_provider'
+require 'logger'
 module SamlIdp
   class Request
     def self.from_deflated_request(raw)
@@ -77,10 +78,10 @@ module SamlIdp
     end
 
     def log(msg)
-      if defined?(::Rails) && Rails.logger
-        Rails.logger.info msg
+      if config.logger.class <= ::Logger
+        config.logger.info msg
       else
-        puts msg
+        config.logger.call msg
       end
     end
 

data/lib/saml_idp/response_builder.rb

@@ -23,21 +23,21 @@ module SamlIdp
       self.raw_algorithm = raw_algorithm
     end
 
-    def encoded(signed_message: false)
-      @encoded ||= signed_message ? encode_signed_message : encode_raw_message
+    def encoded(signed_message: false, compress: false)
+      @encoded ||= signed_message ? encode_signed_message(compress) : encode_raw_message(compress)
     end
 
     def raw
       build
     end
 
-    def encode_raw_message
-      Base64.strict_encode64(raw)
+    def encode_raw_message(compress)
+      Base64.strict_encode64(compress ? deflate(raw) : raw)
     end
     private :encode_raw_message
 
-    def encode_signed_message
-      Base64.strict_encode64(signed)
+    def encode_signed_message(compress)
+      Base64.strict_encode64(compress ? deflate(signed) : signed)
     end
     private :encode_signed_message
 
@@ -66,11 +66,17 @@ module SamlIdp
     def response_id_string
       "_#{response_id}"
     end
+    alias_method :reference_id, :response_id
     private :response_id_string
 
     def now_iso
       Time.now.utc.iso8601
     end
     private :now_iso
+
+    def deflate(inflated)
+      Zlib::Deflate.deflate(inflated, 9)[2..-5]
+    end
+    private :deflate
   end
 end

data/lib/saml_idp/saml_response.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
+
 require 'saml_idp/assertion_builder'
 require 'saml_idp/response_builder'
 module SamlIdp
   class SamlResponse
-    attr_accessor :assertion_with_signature
     attr_accessor :reference_id
     attr_accessor :response_id
     attr_accessor :issuer_uri
@@ -17,27 +18,32 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
-    attr_accessor :signed_message_opts
     attr_accessor :name_id_formats_opts
     attr_accessor :asserted_attributes_opts
+    attr_accessor :signed_message_opts
+    attr_accessor :signed_assertion_opts
+    attr_accessor :compression_opts
 
     def initialize(
-        reference_id,
-        response_id,
-        issuer_uri,
-        principal,
-        audience_uri,
-        saml_request_id,
-        saml_acs_url,
-        algorithm,
-        authn_context_classref,
-        expiry=60*60,
-        encryption_opts=nil,
-        session_expiry=0,
-        signed_message_opts=false,
-        name_id_formats_opts = nil,
-        asserted_attributes_opts = nil
+      reference_id,
+      response_id,
+      issuer_uri,
+      principal,
+      audience_uri,
+      saml_request_id,
+      saml_acs_url,
+      algorithm,
+      authn_context_classref,
+      expiry = 60 * 60,
+      encryption_opts = nil,
+      session_expiry = 0,
+      name_id_formats_opts = nil,
+      asserted_attributes_opts = nil,
+      signed_message_opts = false,
+      signed_assertion_opts = true,
+      compression_opts = false
     )
+
       self.reference_id = reference_id
       self.response_id = response_id
       self.issuer_uri = issuer_uri
@@ -55,26 +61,32 @@ module SamlIdp
       self.signed_message_opts = signed_message_opts
       self.name_id_formats_opts = name_id_formats_opts
       self.asserted_attributes_opts = asserted_attributes_opts
+      self.signed_assertion_opts = signed_assertion_opts
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
+      self.compression_opts = compression_opts
     end
 
     def build
-      @built ||= encoded_message
+      @build ||= encoded_message
     end
 
     def signed_assertion
       if encryption_opts
         assertion_builder.encrypt(sign: true)
-      else
+      elsif signed_assertion_opts
         assertion_builder.signed
+      else
+        assertion_builder.raw
       end
     end
     private :signed_assertion
 
     def encoded_message
       if signed_message_opts
-        response_builder.encoded(signed_message: true)
+        response_builder.encoded(signed_message: true, compress: compression_opts)
       else
-        response_builder.encoded(signed_message: false)
+        response_builder.encoded(signed_message: false, compress: compression_opts)
       end
     end
     private :encoded_message
@@ -85,19 +97,20 @@ module SamlIdp
     private :response_builder
 
     def assertion_builder
-      @assertion_builder ||= AssertionBuilder.new reference_id,
-        issuer_uri,
-        principal,
-        audience_uri,
-        saml_request_id,
-        saml_acs_url,
-        algorithm,
-        authn_context_classref,
-        expiry,
-        encryption_opts,
-        session_expiry,
-        name_id_formats_opts,
-        asserted_attributes_opts
+      @assertion_builder ||=
+        AssertionBuilder.new SecureRandom.uuid,
+                             issuer_uri,
+                             principal,
+                             audience_uri,
+                             saml_request_id,
+                             saml_acs_url,
+                             algorithm,
+                             authn_context_classref,
+                             expiry,
+                             encryption_opts,
+                             session_expiry,
+                             name_id_formats_opts,
+                             asserted_attributes_opts
     end
     private :assertion_builder
   end

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.14.0'
+  VERSION = '0.15.0'
 end

data/saml_idp.gemspec

@@ -1,62 +1,62 @@
 # -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
-require "saml_idp/version"
+
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+require 'saml_idp/version'
 
 Gem::Specification.new do |s|
   s.name = %q{saml_idp}
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
-  s.authors = ["Jon Phenow"]
+  s.authors = ['Jon Phenow']
   s.email = 'jon.phenow@sportngin.com'
   s.homepage = 'https://github.com/saml-idp/saml_idp'
   s.summary = 'SAML Indentity Provider for Ruby'
   s.description = 'SAML IdP (Identity Provider) Library for Ruby'
-  s.date = Time.now.utc.strftime("%Y-%m-%d")
+  s.date = Time.now.utc.strftime('%Y-%m-%d')
   s.files = Dir['lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
   s.required_ruby_version = '>= 2.5'
   s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.require_paths = ['lib']
   s.rdoc_options = ['--charset=UTF-8']
   s.metadata = {
-    'homepage_uri'      => 'https://github.com/saml-idp/saml_idp',
-    'source_code_uri'   => 'https://github.com/saml-idp/saml_idp',
-    'bug_tracker_uri'   => 'https://github.com/saml-idp/saml_idp/issues',
+    'homepage_uri' => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri' => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri' => 'https://github.com/saml-idp/saml_idp/issues',
     'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
   }
 
   s.post_install_message = <<-INST
-If you're just recently updating saml_idp - please be aware we've changed the default
-certificate. See the PR and a description of why we've done this here:
-https://github.com/saml-idp/saml_idp/pull/29
-
-If you just need to see the certificate `bundle open saml_idp` and go to
-`lib/saml_idp/default.rb`
+    If you're just recently updating saml_idp - please be aware we've changed the default
+    certificate. See the PR and a description of why we've done this here:
+    https://github.com/saml-idp/saml_idp/pull/29
 
-Similarly, please see the README about certificates - you should avoid using the
-defaults in a Production environment. Post any issues you to github.
+    If you just need to see the certificate `bundle open saml_idp` and go to
+    `lib/saml_idp/default.rb`
 
-** New in Version 0.3.0 **
+    Similarly, please see the README about certificates - you should avoid using the
+    defaults in a Production environment. Post any issues you to github.
 
-Encrypted Assertions require the xmlenc gem. See the example in the Controller
-section of the README.
+    ** New in Version 0.3.0 **
+    Encrypted Assertions require the xmlenc gem. See the example in the Controller
+    section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 5.2')
   s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
-  s.add_dependency('xmlenc', '>= 0.7.1')
   s.add_dependency('rexml')
+  s.add_dependency('xmlenc', '>= 0.7.1')
 
+  s.add_development_dependency('activeresource', '>= 5.1')
+  s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('rails', '>= 5.2')
   s.add_development_dependency('rake')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('rspec', '>= 3.7.0')
   s.add_development_dependency('ruby-saml', '>= 1.7.2')
-  s.add_development_dependency('rails', '>= 5.2')
-  s.add_development_dependency('activeresource', '>= 5.1')
-  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('simplecov')
   s.add_development_dependency('timecop', '>= 0.8')
-  s.add_development_dependency('appraisal')
-  s.add_development_dependency('byebug')
 end

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -199,5 +199,75 @@ module SamlIdp
         expect(builder.session_expiry).to eq(8)
       end
     end
+
+    describe "with name_id_formats_opt" do
+      let(:name_id_formats_opt) {
+        {
+            persistent: -> (principal) {
+              principal.unique_identifier
+            }
+        }
+      }
+      it "delegates name_id_formats to opts" do
+        UserWithUniqueId = Struct.new(:unique_identifier, :email, :asserted_attributes)
+        principal = UserWithUniqueId.new('unique_identifier_123456', 'foo@example.com',  { emailAddress: { getter: :email } })
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">unique_identifier_123456</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
+    describe "with asserted_attributes_opt" do
+      let(:asserted_attributes_opt) {
+        {
+            'GivenName' => {
+                getter: :first_name
+            },
+            'SurName' => {
+                getter: -> (principal) {
+                    principal.last_name
+                }
+            }
+        }
+      }
+
+      it "delegates asserted_attributes to opts" do
+        UserWithName = Struct.new(:email, :first_name, :last_name)
+        principal = UserWithName.new('foo@example.com', 'George', 'Washington')
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"GivenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"GivenName\"><AttributeValue>George</AttributeValue></Attribute><Attribute Name=\"SurName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"SurName\"><AttributeValue>Washington</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
   end
 end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -17,6 +17,7 @@ module SamlIdp
     it { should respond_to :attributes }
     it { should respond_to :service_provider }
     it { should respond_to :session_expiry }
+    it { should respond_to :logger }
 
     it "has a valid x509_certificate" do
       expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)

data/spec/lib/saml_idp/request_spec.rb

@@ -1,7 +1,10 @@
 require 'spec_helper'
 module SamlIdp
   describe Request do
-    let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+    let(:issuer) { 'localhost:3000' }
+    let(:raw_authn_request) do
+      "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>#{issuer}</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>"
+    end
 
     describe "deflated request" do
       let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
@@ -57,16 +60,47 @@ module SamlIdp
         expect(subject.request['ID']).to eq(subject.request_id)
       end
 
-      it "has a valid authn context" do
-        expect(subject.requested_authn_context).to eq("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
+      it 'has a valid authn context' do
+        expect(subject.requested_authn_context).to eq('urn:oasis:names:tc:SAML:2.0:ac:classes:Password')
       end
 
-      it "does not permit empty issuer" do
-        raw_req = raw_authn_request.gsub('localhost:3000', '')
-        authn_request = described_class.new raw_req
-        expect(authn_request.issuer).to_not eq('')
-        expect(authn_request.issuer).to be_nil
-        expect(authn_request.valid?).to eq(false)
+      context 'the issuer is empty' do
+        let(:issuer) { nil }
+        let(:logger) { ->(msg) { puts msg } }
+
+        before do
+          allow(SamlIdp.config).to receive(:logger).and_return(logger)
+        end
+
+        it 'is invalid' do
+          expect(subject.issuer).to_not eq('')
+          expect(subject.issuer).to be_nil
+          expect(subject.valid?).to eq(false)
+        end
+
+        context 'a Ruby Logger is configured' do
+          let(:logger) { Logger.new($stdout) }
+
+          before do
+            allow(logger).to receive(:info)
+          end
+
+          it 'logs an error message' do
+            expect(subject.valid?).to be false
+            expect(logger).to have_received(:info).with('Unable to find service provider for issuer ')
+          end
+        end
+
+        context 'a logger lambda is configured' do
+          let(:logger) { double }
+
+          before { allow(logger).to receive(:call) }
+
+          it 'logs an error message' do
+            expect(subject.valid?).to be false
+            expect(logger).to have_received(:call).with('Unable to find service provider for issuer ')
+          end
+        end
       end
     end
 

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -26,6 +26,8 @@ module SamlIdp
     end
     let(:signed_response_opts) { true }
     let(:unsigned_response_opts) { false }
+    let(:signed_assertion_opts) { true }
+    let(:compress_opts) { false }
     let(:subject_encrypted) { described_class.new(reference_id,
                                   response_id,
                                   issuer_uri,
@@ -38,7 +40,11 @@ module SamlIdp
                                   expiry,
                                   encryption_opts,
                                   session_expiry,
-                                  unsigned_response_opts
+                                  nil,
+                                  nil,
+                                  unsigned_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -54,7 +60,11 @@ module SamlIdp
                                   expiry,
                                   nil,
                                   session_expiry,
-                                  signed_response_opts
+                                  nil,
+                                  nil,
+                                  signed_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -70,15 +80,97 @@ module SamlIdp
       expect(subject.build).to be_present
     end
 
-    it "builds encrypted" do
-      expect(subject_encrypted.build).to_not match(audience_uri)
-      encoded_xml = subject_encrypted.build
-      resp_settings = saml_settings(saml_acs_url)
-      resp_settings.private_key = Default::SECRET_KEY
-      resp_settings.issuer = audience_uri
-      saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
-      saml_resp.soft = false
-      expect(saml_resp.is_valid?).to eq(true)
+    context "encrypted" do
+      it "builds encrypted" do
+        expect(subject_encrypted.build).to_not match(audience_uri)
+        encoded_xml = subject_encrypted.build
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
+        saml_resp.soft = false
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+    end
+
+    context "signed response" do
+      let(:resp_settings) do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        resp_settings
+      end
+
+      it "will build signed valid response" do
+        expect { subject.build }.not_to raise_error
+        signed_encoded_xml = subject.build
+        saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+        expect(
+          Nokogiri::XML(saml_resp.response).at_xpath(
+          "//p:Response//ds:Signature",
+          {
+            "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "ds" => "http://www.w3.org/2000/09/xmldsig#"
+          }
+        )).to be_present
+        expect(saml_resp.send(:validate_signature)).to eq(true)
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+
+      context "when signed_assertion_opts is true" do
+        it "builds a signed assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to be_present
+        end
+      end
+
+      context "when signed_assertion_opts is false" do
+        let(:signed_assertion_opts) { false }
+
+        it "builds a raw assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion"
+            }
+          )).to be_present
+
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to_not be_present
+        end
+      end
+
+      context "when compress opts is true" do
+        let(:compress_opts) { true }
+        it "will build a compressed valid response" do
+          expect { subject.build }.not_to raise_error
+          compressed_signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(compressed_signed_encoded_xml, settings: resp_settings)
+          expect(saml_resp.send(:validate_signature)).to eq(true)
+          expect(saml_resp.is_valid?).to eq(true)
+        end
+      end
     end
 
     it "will build signed valid response" do

data/spec/rails_app/app/controllers/saml_idp_controller.rb

@@ -1,48 +1,61 @@
 class SamlIdpController < ApplicationController
-    include SamlIdp::Controller
+  include SamlIdp::Controller
 
+  if Rails::VERSION::MAJOR >= 4
+    before_action :add_view_path, only: [:new, :create, :logout]
     before_action :validate_saml_request, only: [:new, :create, :logout]
-
-    def new
-      render template: "saml_idp/idp/new"
+  else
+    before_filter :add_view_path, only: [:new, :create, :logout]
+    before_filter :validate_saml_request, only: [:new, :create, :logout]
+  end
+
+  def new
+    render template: "saml_idp/idp/new"
+  end
+
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    unless params[:email].blank? && params[:password].blank?
+      person = idp_authenticate(params[:email], params[:password])
+      if person.nil?
+        @saml_idp_fail_msg = "Incorrect email or password."
+      else
+        @saml_response = idp_make_saml_response(person)
+        render :template => "saml_idp/idp/saml_post", :layout => false
+        return
+      end
     end
+    render :template => "saml_idp/idp/new"
+  end
 
-    def show
-      render xml: SamlIdp.metadata.signed
-    end
+  def logout
+    idp_logout
+    @saml_response = idp_make_saml_response(nil)
+    render :template => "saml_idp/idp/saml_post", :layout => false
+  end
 
-    def create
-      unless params[:email].blank? && params[:password].blank?
-        person = idp_authenticate(params[:email], params[:password])
-        if person.nil?
-          @saml_idp_fail_msg = "Incorrect email or password."
-        else
-          @saml_response = idp_make_saml_response(person)
-          render :template => "saml_idp/idp/saml_post", :layout => false
-          return
-        end
-      end
-      render :template => "saml_idp/idp/new"
-    end
+  def idp_logout
+    raise NotImplementedError
+  end
+  private :idp_logout
 
-    def logout
-      idp_logout
-      @saml_response = idp_make_saml_response(nil)
-      render :template => "saml_idp/idp/saml_post", :layout => false
-    end
+  def idp_authenticate(email, password)
+    { :email => email }
+  end
+  protected :idp_authenticate
 
-    def idp_logout
-      raise NotImplementedError
-    end
-    private :idp_logout
+  def idp_make_saml_response(person)
+    encode_response(person[:email])
+  end
+  protected :idp_make_saml_response
 
-    def idp_authenticate(email, password)
-      { :email => email }
-    end
-    protected :idp_authenticate
+  private
+
+  def add_view_path
+    prepend_view_path("app/views")
+  end
 
-    def idp_make_saml_response(person)
-      encode_response(person[:email])
-    end
-    protected :idp_make_saml_response
 end

data/spec/rails_app/config/application.rb

@@ -18,6 +18,7 @@ module RailsApp
 
     # Custom directories with classes and modules you want to be autoloadable.
     # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %w[app/controllers]
 
     # Only load the plugins named here, in the order given (default is alphabetical).
     # :all can be used as a placeholder for all plugins not explicitly named.

data/spec/rails_app/config/boot.rb

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
 
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_idp
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.15.0
 platform: ruby
 authors:
 - Jon Phenow
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-26 00:00:00.000000000 Z
+date: 2023-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -53,49 +53,49 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.6.2
 - !ruby/object:Gem::Dependency
-  name: xmlenc
+  name: rexml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rexml
+  name: xmlenc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.7.1
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: activeresource
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.1'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -109,33 +109,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: ruby-saml
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.7.2
+        version: '2.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.7.2
+        version: '2.16'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -151,49 +151,49 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '5.2'
 - !ruby/object:Gem::Dependency
-  name: activeresource
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: capybara
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.16'
+        version: 3.7.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.16'
+        version: 3.7.0
 - !ruby/object:Gem::Dependency
-  name: timecop
+  name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 1.7.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 1.7.2
 - !ruby/object:Gem::Dependency
-  name: appraisal
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -207,19 +207,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: byebug
+  name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.8'
 description: SAML IdP (Identity Provider) Library for Ruby
 email: jon.phenow@sportngin.com
 executables: []
@@ -365,22 +365,21 @@ metadata:
   homepage_uri: https://github.com/saml-idp/saml_idp
   source_code_uri: https://github.com/saml-idp/saml_idp
   bug_tracker_uri: https://github.com/saml-idp/saml_idp/issues
-  documentation_uri: http://rdoc.info/gems/saml_idp/0.14.0
-post_install_message: |
-  If you're just recently updating saml_idp - please be aware we've changed the default
-  certificate. See the PR and a description of why we've done this here:
-  https://github.com/saml-idp/saml_idp/pull/29
-
-  If you just need to see the certificate `bundle open saml_idp` and go to
-  `lib/saml_idp/default.rb`
+  documentation_uri: http://rdoc.info/gems/saml_idp/0.15.0
+post_install_message: |2
+      If you're just recently updating saml_idp - please be aware we've changed the default
+      certificate. See the PR and a description of why we've done this here:
+      https://github.com/saml-idp/saml_idp/pull/29
 
-  Similarly, please see the README about certificates - you should avoid using the
-  defaults in a Production environment. Post any issues you to github.
+      If you just need to see the certificate `bundle open saml_idp` and go to
+      `lib/saml_idp/default.rb`
 
-  ** New in Version 0.3.0 **
+      Similarly, please see the README about certificates - you should avoid using the
+      defaults in a Production environment. Post any issues you to github.
 
-  Encrypted Assertions require the xmlenc gem. See the example in the Controller
-  section of the README.
+      ** New in Version 0.3.0 **
+      Encrypted Assertions require the xmlenc gem. See the example in the Controller
+      section of the README.
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -396,8 +395,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: SAML Indentity Provider for Ruby
 test_files: