saml_idp 0.7.2 → 0.11.0

data/lib/saml_idp/saml_response.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :signed_message_opts
 
     def initialize(reference_id,
           response_id,
@@ -29,7 +30,8 @@ module SamlIdp
           authn_context_classref,
           expiry=60*60,
           encryption_opts=nil,
-          session_expiry=0
+          session_expiry=0,
+          signed_message_opts
           )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -45,10 +47,11 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry
+      self.signed_message_opts = signed_message_opts
     end
 
     def build
-      @built ||= response_builder.encoded
+      @built ||= encoded_message
     end
 
     def signed_assertion
@@ -60,8 +63,17 @@ module SamlIdp
     end
     private :signed_assertion
 
+    def encoded_message
+      if signed_message_opts
+        response_builder.encoded(signed_message: true)
+      else
+        response_builder.encoded(signed_message: false)
+      end
+    end
+    private :encoded_message
+
     def response_builder
-      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
+      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion, algorithm)
     end
     private :response_builder
 

data/lib/saml_idp/service_provider.rb

@@ -13,6 +13,7 @@ module SamlIdp
     attribute :validate_signature
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
+    attribute :response_hosts
 
     delegate :config, to: :SamlIdp
 
@@ -21,18 +22,13 @@ module SamlIdp
     end
 
     def valid_signature?(doc, require_signature = false)
-      if require_signature || should_validate_signature?
+      if require_signature || attributes[:validate_signature]
         doc.valid_signature?(fingerprint)
       else
         true
       end
     end
 
-    def should_validate_signature?
-      attributes[:validate_signature] ||
-        current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions?
-    end
-
     def refresh_metadata
       fresh = fresh_incoming_metadata
       if valid_signature?(fresh.document)
@@ -46,6 +42,19 @@ module SamlIdp
       @current_metadata ||= get_current_or_build
     end
 
+    def acceptable_response_hosts
+      hosts = Array(self.response_hosts)
+      hosts.push(metadata_url_host) if metadata_url_host
+
+      hosts
+    end
+
+    def metadata_url_host
+      if metadata_url.present?
+        URI(metadata_url).host
+      end
+    end
+
     def get_current_or_build
       persisted = metadata_getter[identifier, self]
       if persisted.is_a? Hash

data/lib/saml_idp/signable.rb

@@ -108,8 +108,7 @@ module SamlIdp
       canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       canon_hashed_element = noko_raw.canonicalize(canon_algorithm, inclusive_namespaces)
       digest_algorithm = get_algorithm
-
-      hash                          = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(canon_hashed_element)
       Base64.strict_encode64(hash).gsub(/\n/, '')
     end
     private :digest

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.7.2'
+  VERSION = '0.11.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -108,7 +108,7 @@ module SamlIdp
           canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
           canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
-          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", {'ds' => DSIG}))
 
           hash                          = digest_algorithm.digest(canon_hashed_element)
           digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)

data/saml_idp.gemspec

@@ -7,28 +7,29 @@ Gem::Specification.new do |s|
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
   s.authors = ["Jon Phenow"]
-  s.email = %q{jon.phenow@sportngin.com}
-  s.homepage = %q{http://github.com/sportngin/saml_idp}
-  s.summary = %q{SAML Indentity Provider in ruby}
-  s.description = %q{SAML IdP (Identity Provider) library in ruby}
+  s.email = 'jon.phenow@sportngin.com'
+  s.homepage = 'https://github.com/saml-idp/saml_idp'
+  s.summary = 'SAML Indentity Provider for Ruby'
+  s.description = 'SAML IdP (Identity Provider) Library for Ruby'
   s.date = Time.now.utc.strftime("%Y-%m-%d")
-  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
-     "LICENSE",
-     "README.md",
-     "Gemfile",
-     "saml_idp.gemspec"
-  ]
+  s.files = Dir['app/**/*', 'lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
   s.required_ruby_version = '>= 2.2'
-  s.license = "LICENSE"
+  s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.rdoc_options = ["--charset=UTF-8"]
+  s.rdoc_options = ['--charset=UTF-8']
+  s.metadata = {
+    'homepage_uri'      => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri'   => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri'   => 'https://github.com/saml-idp/saml_idp/issues',
+    'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
+  }
 
   s.post_install_message = <<-INST
 If you're just recently updating saml_idp - please be aware we've changed the default
 certificate. See the PR and a description of why we've done this here:
-https://github.com/sportngin/saml_idp/pull/29
+https://github.com/saml-idp/saml_idp/pull/29
 
 If you just need to see the certificate `bundle open saml_idp` and go to
 `lib/saml_idp/default.rb`
@@ -43,17 +44,18 @@ section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '~> 2.3')
-  s.add_dependency('builder', '~> 3.0')
+  s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
 
-  s.add_development_dependency('rake', '~> 10.4.2')
-  s.add_development_dependency('simplecov', '~> 0.12')
-  s.add_development_dependency('rspec', '~> 2.5')
-  s.add_development_dependency('ruby-saml', '~> 1.3')
-  s.add_development_dependency('rails', '~> 3.2')
-  s.add_development_dependency('capybara', '~> 2.11.0')
-  s.add_development_dependency('timecop', '~> 0.8')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('simplecov')
+  s.add_development_dependency('rspec', '>= 3.7.0')
+  s.add_development_dependency('ruby-saml', '>= 1.7.2')
+  s.add_development_dependency('rails', '>= 3.2')
+  s.add_development_dependency('activeresource', '>= 3.2')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('timecop', '>= 0.8')
   s.add_development_dependency('xmlenc', '>= 0.6.4')
+  s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
 end
-

data/spec/acceptance/idp_controller_spec.rb

@@ -4,11 +4,12 @@ feature 'IdpController' do
   scenario 'Login via default signup page' do
     saml_request = make_saml_request("http://foo.example.com/saml/consume")
     visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
-    fill_in 'Email', :with => "foo@example.com"
-    fill_in 'Password', :with => "okidoki"
+    expect(status_code).to eq(200)
+    fill_in 'email', :with => "foo@example.com"
+    fill_in 'password', :with => "okidoki"
     click_button 'Sign in'
     click_button 'Submit'   # simulating onload
-    current_url.should == 'http://foo.example.com/saml/consume'
-    page.should have_content "foo@example.com"
+    expect(current_url).to eq('http://foo.example.com/saml/consume')
+    expect(page).to have_content "foo@example.com"
   end
 end

data/spec/lib/saml_idp/algorithmable_spec.rb

@@ -9,11 +9,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA256
+        expect(algorithm).to eq(OpenSSL::Digest::SHA256)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha256"
+        expect(algorithm_name).to eq("sha256")
       end
     end
 
@@ -23,11 +23,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA512
+        expect(algorithm).to eq(OpenSSL::Digest::SHA512)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha512"
+        expect(algorithm_name).to eq("sha512")
       end
     end
 
@@ -37,11 +37,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA1
+        expect(algorithm).to eq(OpenSSL::Digest::SHA1)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha1"
+        expect(algorithm_name).to eq("sha1")
       end
     end
   end

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -36,14 +36,14 @@ module SamlIdp
 
       it "builds a legit raw XML file" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
 
     it "builds a legit raw XML file" do
       Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-        subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+        expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
       end
     end
 
@@ -55,12 +55,12 @@ module SamlIdp
             email_address: ->(p) { "foo@example.com" }
           }
         }
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "doesn't include attribute statement" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>")
         end
       end
     end
@@ -81,7 +81,7 @@ module SamlIdp
           expiry
         )
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          builder.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
@@ -100,14 +100,14 @@ module SamlIdp
         encryption_opts
       )
       encrypted_xml = builder.encrypt
-      encrypted_xml.should_not match(audience_uri)
+      expect(encrypted_xml).to_not match(audience_uri)
     end
 
     describe "with custom session_expiry configuration" do
       let(:config) { SamlIdp::Configurator.new }
       before do
         config.session_expiry = 8
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "sets default session_expiry from config" do
@@ -123,7 +123,7 @@ module SamlIdp
           expiry,
           encryption_opts
         )
-        builder.session_expiry.should == 8
+        expect(builder.session_expiry).to eq(8)
       end
     end
   end

data/spec/lib/saml_idp/attribute_decorator_spec.rb

@@ -12,19 +12,19 @@ module SamlIdp
     let(:values) { nil }
 
     it "has a valid name" do
-      subject.name.should be_nil
+      expect(subject.name).to be_nil
     end
 
     it "has a valid friendly_name" do
-      subject.friendly_name.should be_nil
+      expect(subject.friendly_name).to be_nil
     end
 
     it "has a valid name_format" do
-      subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
+      expect(subject.name_format).to eq(Saml::XML::Namespaces::Formats::Attr::URI)
     end
 
     it "has a valid values" do
-      subject.values.should == []
+      expect(subject.values).to eq []
     end
 
     describe "with values set" do
@@ -34,19 +34,19 @@ module SamlIdp
       let(:values) { :val }
 
       it "has a valid name" do
-        subject.name.should == name
+        expect(subject.name).to eq(name)
       end
 
       it "has a valid friendly_name" do
-        subject.friendly_name.should == friendly_name
+        expect(subject.friendly_name).to eq(friendly_name)
       end
 
       it "has a valid name_format" do
-        subject.name_format.should == name_format
+        expect(subject.name_format).to eq(name_format)
       end
 
       it "has a valid values" do
-        subject.values.should == [values]
+        expect(subject.values).to eq [values]
       end
     end
   end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -9,6 +9,7 @@ module SamlIdp
     it { should respond_to :base_saml_location }
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_redirect_location }
     it { should respond_to :single_service_post_location }
     it { should respond_to :single_logout_service_post_location }
     it { should respond_to :single_logout_service_redirect_location }
@@ -18,32 +19,32 @@ module SamlIdp
     it { should respond_to :session_expiry }
 
     it "has a valid x509_certificate" do
-      subject.x509_certificate.should == Default::X509_CERTIFICATE
+      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      subject.secret_key.should == Default::SECRET_KEY
+      expect(subject.secret_key).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
-      subject.algorithm.should == :sha1
+      expect(subject.algorithm).to eq(:sha1)
     end
 
     it "has a valid reference_id_generator" do
-      subject.reference_id_generator.should respond_to :call
+      expect(subject.reference_id_generator).to respond_to :call
     end
 
 
     it "can call service provider finder" do
-      subject.service_provider.finder.should respond_to :call
+      expect(subject.service_provider.finder).to respond_to :call
     end
 
     it "can call service provider metadata persister" do
-      subject.service_provider.metadata_persister.should respond_to :call
+      expect(subject.service_provider.metadata_persister).to respond_to :call
     end
 
     it 'has a valid session_expiry' do
-      subject.session_expiry.should == 0
+      expect(subject.session_expiry).to eq(0)
     end
   end
 end

data/spec/lib/saml_idp/controller_spec.rb

@@ -7,6 +7,9 @@ describe SamlIdp::Controller do
   def render(*)
   end
 
+  def head(*)
+  end
+
   def params
     @params ||= {}
   end
@@ -14,8 +17,32 @@ describe SamlIdp::Controller do
   it "should find the SAML ACS URL" do
     requested_saml_acs_url = "https://example.com/saml/consume"
     params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
-    validate_saml_request
-    saml_acs_url.should == requested_saml_acs_url
+    expect(validate_saml_request).to eq(true)
+    expect(saml_acs_url).to eq(requested_saml_acs_url)
+  end
+
+  context "When SP metadata required to validate auth request signature" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      params[:SAMLRequest] = make_saml_request("https://foo.example.com/saml/consume", true)
+    end
+
+    it 'SP metadata sign_authn_request attribute should be true' do
+      # Signed auth request will be true in the metadata
+      expect(SamlIdp.config.service_provider.persisted_metadata_getter.call(nil,nil)[:sign_authn_request]).to eq(true)
+    end
+
+    it 'should call xml signature validation method' do
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(params[:SAMLRequest])
+      allow(signed_doc).to receive(:validate).and_return(true)
+      allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
+      validate_saml_request
+      expect(signed_doc).to have_received(:validate).once
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
   end
 
   context "SAML Responses" do
@@ -32,36 +59,36 @@ describe SamlIdp::Controller do
       it "should create a SAML Response" do
         saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
         response = OneLogin::RubySaml::Response.new(saml_response)
-        response.name_id.should == "foo@example.com"
-        response.issuers.first.should == "http://example.com"
+        expect(response.name_id).to eq("foo@example.com")
+        expect(response.issuers.first).to eq("http://example.com")
         response.settings = saml_settings
-        response.is_valid?.should be_truthy
+        expect(response.is_valid?).to be_truthy
       end
     end
 
     context "solicited Response" do
       before(:each) do
         params[:SAMLRequest] = make_saml_request
-        validate_saml_request
+        expect(validate_saml_request).to eq(true)
       end
 
       it "should create a SAML Response" do
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Response.new(saml_response)
-        response.name_id.should == "foo@example.com"
-        response.issuers.first.should == "http://example.com"
+        expect(response.name_id).to eq("foo@example.com")
+        expect(response.issuers.first).to eq("http://example.com")
         response.settings = saml_settings
-        response.is_valid?.should be_truthy
+        expect(response.is_valid?).to be_truthy
       end
 
       it "should create a SAML Logout Response" do
         params[:SAMLRequest] = make_saml_logout_request
-        validate_saml_request
+        expect(validate_saml_request).to eq(true)
         expect(saml_request.logout_request?).to eq true
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
-        response.validate.should == true
-        response.issuer.should == "http://example.com"
+        expect(response.validate).to eq(true)
+        expect(response.issuer).to eq("http://example.com")
       end
 
 
@@ -70,10 +97,10 @@ describe SamlIdp::Controller do
           self.algorithm = algorithm_name
           saml_response = encode_response(principal)
           response = OneLogin::RubySaml::Response.new(saml_response)
-          response.name_id.should == "foo@example.com"
-          response.issuers.first.should == "http://example.com"
+          expect(response.name_id).to eq("foo@example.com")
+          expect(response.issuers.first).to eq("http://example.com")
           response.settings = saml_settings
-          response.is_valid?.should be_truthy
+          expect(response.is_valid?).to be_truthy
         end
 
         it "should encrypt SAML Response assertion" do
@@ -82,11 +109,11 @@ describe SamlIdp::Controller do
           resp_settings = saml_settings
           resp_settings.private_key = SamlIdp::Default::SECRET_KEY
           response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
-          response.document.to_s.should_not match("foo@example.com")
-          response.decrypted_document.to_s.should match("foo@example.com")
-          response.name_id.should == "foo@example.com"
-          response.issuers.first.should == "http://example.com"
-          response.is_valid?.should be_truthy
+          expect(response.document.to_s).to_not match("foo@example.com")
+          expect(response.decrypted_document.to_s).to match("foo@example.com")
+          expect(response.name_id).to eq("foo@example.com")
+          expect(response.issuers.first).to eq("http://example.com")
+          expect(response.is_valid?).to be_truthy
         end
       end
     end