saml_idp 0.7.2 → 0.16.0

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -19,6 +19,9 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:session_expiry) { nil }
+    let(:name_id_formats_opt) { nil }
+    let(:asserted_attributes_opt) { nil }
     subject { described_class.new(
       reference_id,
       issuer_uri,
@@ -36,14 +39,14 @@ module SamlIdp
 
       it "builds a legit raw XML file" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
 
     it "builds a legit raw XML file" do
       Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-        subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+        expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
       end
     end
 
@@ -55,12 +58,12 @@ module SamlIdp
             email_address: ->(p) { "foo@example.com" }
           }
         }
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "doesn't include attribute statement" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>")
         end
       end
     end
@@ -81,7 +84,7 @@ module SamlIdp
           expiry
         )
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          builder.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
@@ -100,14 +103,84 @@ module SamlIdp
         encryption_opts
       )
       encrypted_xml = builder.encrypt
-      encrypted_xml.should_not match(audience_uri)
+      expect(encrypted_xml).to_not match(audience_uri)
+    end
+
+    describe "with name_id_formats_opt" do
+      let(:name_id_formats_opt) {
+        {
+            persistent: -> (principal) {
+              principal.unique_identifier
+            }
+        }
+      }
+      it "delegates name_id_formats to opts" do
+        UserWithUniqueId = Struct.new(:unique_identifier, :email, :asserted_attributes)
+        principal = UserWithUniqueId.new('unique_identifier_123456', 'foo@example.com',  { emailAddress: { getter: :email } })
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">unique_identifier_123456</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
+    describe "with asserted_attributes_opt" do
+      let(:asserted_attributes_opt) {
+        {
+            'GivenName' => {
+                getter: :first_name
+            },
+            'SurName' => {
+                getter: -> (principal) {
+                    principal.last_name
+                }
+            }
+        }
+      }
+
+      it "delegates asserted_attributes to opts" do
+        UserWithName = Struct.new(:email, :first_name, :last_name)
+        principal = UserWithName.new('foo@example.com', 'George', 'Washington')
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"GivenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"GivenName\"><AttributeValue>George</AttributeValue></Attribute><Attribute Name=\"SurName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"SurName\"><AttributeValue>Washington</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
     end
 
     describe "with custom session_expiry configuration" do
       let(:config) { SamlIdp::Configurator.new }
       before do
         config.session_expiry = 8
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "sets default session_expiry from config" do
@@ -123,7 +196,77 @@ module SamlIdp
           expiry,
           encryption_opts
         )
-        builder.session_expiry.should == 8
+        expect(builder.session_expiry).to eq(8)
+      end
+    end
+
+    describe "with name_id_formats_opt" do
+      let(:name_id_formats_opt) {
+        {
+            persistent: -> (principal) {
+              principal.unique_identifier
+            }
+        }
+      }
+      it "delegates name_id_formats to opts" do
+        UserWithUniqueId = Struct.new(:unique_identifier, :email, :asserted_attributes)
+        principal = UserWithUniqueId.new('unique_identifier_123456', 'foo@example.com',  { emailAddress: { getter: :email } })
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">unique_identifier_123456</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
+    describe "with asserted_attributes_opt" do
+      let(:asserted_attributes_opt) {
+        {
+            'GivenName' => {
+                getter: :first_name
+            },
+            'SurName' => {
+                getter: -> (principal) {
+                    principal.last_name
+                }
+            }
+        }
+      }
+
+      it "delegates asserted_attributes to opts" do
+        UserWithName = Struct.new(:email, :first_name, :last_name)
+        principal = UserWithName.new('foo@example.com', 'George', 'Washington')
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"GivenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"GivenName\"><AttributeValue>George</AttributeValue></Attribute><Attribute Name=\"SurName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"SurName\"><AttributeValue>Washington</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
       end
     end
   end

data/spec/lib/saml_idp/attribute_decorator_spec.rb

@@ -12,19 +12,19 @@ module SamlIdp
     let(:values) { nil }
 
     it "has a valid name" do
-      subject.name.should be_nil
+      expect(subject.name).to be_nil
     end
 
     it "has a valid friendly_name" do
-      subject.friendly_name.should be_nil
+      expect(subject.friendly_name).to be_nil
     end
 
     it "has a valid name_format" do
-      subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
+      expect(subject.name_format).to eq(Saml::XML::Namespaces::Formats::Attr::URI)
     end
 
     it "has a valid values" do
-      subject.values.should == []
+      expect(subject.values).to eq []
     end
 
     describe "with values set" do
@@ -34,19 +34,19 @@ module SamlIdp
       let(:values) { :val }
 
       it "has a valid name" do
-        subject.name.should == name
+        expect(subject.name).to eq(name)
       end
 
       it "has a valid friendly_name" do
-        subject.friendly_name.should == friendly_name
+        expect(subject.friendly_name).to eq(friendly_name)
       end
 
       it "has a valid name_format" do
-        subject.name_format.should == name_format
+        expect(subject.name_format).to eq(name_format)
       end
 
       it "has a valid values" do
-        subject.values.should == [values]
+        expect(subject.values).to eq [values]
       end
     end
   end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -9,6 +9,7 @@ module SamlIdp
     it { should respond_to :base_saml_location }
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_redirect_location }
     it { should respond_to :single_service_post_location }
     it { should respond_to :single_logout_service_post_location }
     it { should respond_to :single_logout_service_redirect_location }
@@ -16,34 +17,35 @@ module SamlIdp
     it { should respond_to :attributes }
     it { should respond_to :service_provider }
     it { should respond_to :session_expiry }
+    it { should respond_to :logger }
 
     it "has a valid x509_certificate" do
-      subject.x509_certificate.should == Default::X509_CERTIFICATE
+      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      subject.secret_key.should == Default::SECRET_KEY
+      expect(subject.secret_key).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
-      subject.algorithm.should == :sha1
+      expect(subject.algorithm).to eq(:sha1)
     end
 
     it "has a valid reference_id_generator" do
-      subject.reference_id_generator.should respond_to :call
+      expect(subject.reference_id_generator).to respond_to :call
     end
 
 
     it "can call service provider finder" do
-      subject.service_provider.finder.should respond_to :call
+      expect(subject.service_provider.finder).to respond_to :call
     end
 
     it "can call service provider metadata persister" do
-      subject.service_provider.metadata_persister.should respond_to :call
+      expect(subject.service_provider.metadata_persister).to respond_to :call
     end
 
     it 'has a valid session_expiry' do
-      subject.session_expiry.should == 0
+      expect(subject.session_expiry).to eq(0)
     end
   end
 end

data/spec/lib/saml_idp/controller_spec.rb

@@ -7,6 +7,9 @@ describe SamlIdp::Controller do
   def render(*)
   end
 
+  def head(*)
+  end
+
   def params
     @params ||= {}
   end
@@ -14,8 +17,32 @@ describe SamlIdp::Controller do
   it "should find the SAML ACS URL" do
     requested_saml_acs_url = "https://example.com/saml/consume"
     params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
-    validate_saml_request
-    saml_acs_url.should == requested_saml_acs_url
+    expect(validate_saml_request).to eq(true)
+    expect(saml_acs_url).to eq(requested_saml_acs_url)
+  end
+
+  context "When SP metadata required to validate auth request signature" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      params[:SAMLRequest] = make_saml_request("https://foo.example.com/saml/consume", true)
+    end
+
+    it 'SP metadata sign_authn_request attribute should be true' do
+      # Signed auth request will be true in the metadata
+      expect(SamlIdp.config.service_provider.persisted_metadata_getter.call(nil,nil)[:sign_authn_request]).to eq(true)
+    end
+
+    it 'should call xml signature validation method' do
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(params[:SAMLRequest])
+      allow(signed_doc).to receive(:validate).and_return(true)
+      allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
+      validate_saml_request
+      expect(signed_doc).to have_received(:validate).once
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
   end
 
   context "SAML Responses" do
@@ -32,48 +59,54 @@ describe SamlIdp::Controller do
       it "should create a SAML Response" do
         saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
         response = OneLogin::RubySaml::Response.new(saml_response)
-        response.name_id.should == "foo@example.com"
-        response.issuers.first.should == "http://example.com"
+        expect(response.name_id).to eq("foo@example.com")
+        expect(response.issuers.first).to eq("http://example.com")
         response.settings = saml_settings
-        response.is_valid?.should be_truthy
+        expect(response.is_valid?).to be_truthy
       end
     end
 
     context "solicited Response" do
       before(:each) do
         params[:SAMLRequest] = make_saml_request
-        validate_saml_request
+        expect(validate_saml_request).to eq(true)
       end
 
       it "should create a SAML Response" do
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Response.new(saml_response)
-        response.name_id.should == "foo@example.com"
-        response.issuers.first.should == "http://example.com"
+        expect(response.name_id).to eq("foo@example.com")
+        expect(response.issuers.first).to eq("http://example.com")
         response.settings = saml_settings
-        response.is_valid?.should be_truthy
+        expect(response.is_valid?).to be_truthy
       end
 
       it "should create a SAML Logout Response" do
         params[:SAMLRequest] = make_saml_logout_request
-        validate_saml_request
+        expect(validate_saml_request).to eq(true)
         expect(saml_request.logout_request?).to eq true
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
-        response.validate.should == true
-        response.issuer.should == "http://example.com"
+        expect(response.validate).to eq(true)
+        expect(response.issuer).to eq("http://example.com")
       end
 
+      it "should by default create a SAML Response with a signed assertion" do
+        saml_response = encode_response(principal)
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.settings = saml_settings("https://foo.example.com/saml/consume", true)
+        expect(response.is_valid?).to be_truthy
+      end
 
       [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
         it "should create a SAML Response using the #{algorithm_name} algorithm" do
           self.algorithm = algorithm_name
           saml_response = encode_response(principal)
           response = OneLogin::RubySaml::Response.new(saml_response)
-          response.name_id.should == "foo@example.com"
-          response.issuers.first.should == "http://example.com"
+          expect(response.name_id).to eq("foo@example.com")
+          expect(response.issuers.first).to eq("http://example.com")
           response.settings = saml_settings
-          response.is_valid?.should be_truthy
+          expect(response.is_valid?).to be_truthy
         end
 
         it "should encrypt SAML Response assertion" do
@@ -82,11 +115,11 @@ describe SamlIdp::Controller do
           resp_settings = saml_settings
           resp_settings.private_key = SamlIdp::Default::SECRET_KEY
           response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
-          response.document.to_s.should_not match("foo@example.com")
-          response.decrypted_document.to_s.should match("foo@example.com")
-          response.name_id.should == "foo@example.com"
-          response.issuers.first.should == "http://example.com"
-          response.is_valid?.should be_truthy
+          expect(response.document.to_s).to_not match("foo@example.com")
+          expect(response.decrypted_document.to_s).to match("foo@example.com")
+          expect(response.name_id).to eq("foo@example.com")
+          expect(response.issuers.first).to eq("http://example.com")
+          expect(response.is_valid?).to be_truthy
         end
       end
     end

data/spec/lib/saml_idp/encryptor_spec.rb

@@ -5,11 +5,11 @@ require 'saml_idp/encryptor'
 module SamlIdp
   describe Encryptor do
     let (:encryption_opts) do
-      {   
+      {
         cert: Default::X509_CERTIFICATE,
         block_encryption: 'aes256-cbc',
         key_transport: 'rsa-oaep-mgf1p',
-      }   
+      }
     end
 
     subject { described_class.new encryption_opts }
@@ -17,11 +17,11 @@ module SamlIdp
     it "encrypts XML" do
       raw_xml = '<foo>bar</foo>'
       encrypted_xml = subject.encrypt(raw_xml)
-      encrypted_xml.should_not match 'bar'
+      expect(encrypted_xml).to_not match raw_xml
       encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
       encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
       decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
-      decrypted_xml.should == raw_xml
+      expect(decrypted_xml).to eq(raw_xml)
     end
   end
 end

data/spec/lib/saml_idp/fingerprint_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+module SamlIdp
+  describe Fingerprint do
+    describe "certificate_digest" do
+      let(:cert) { sp_x509_cert }
+      let(:fingerprint) { "a2:cb:f6:6b:bc:2a:33:b9:4f:f3:c3:7e:26:a4:21:cd:41:83:ef:26:88:fa:ba:71:37:40:07:3e:d5:76:04:b7" }
+
+      it "returns the fingerprint string" do
+        expect(Fingerprint.certificate_digest(cert, :sha256)).to eq(fingerprint)
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+module SamlIdp
+
+  metadata_1 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_2 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_3 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_4 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  describe IncomingMetadata do
+    it 'should properly set sign_assertions to false' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.sign_assertions).to eq(false)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
+
+    it 'should properly set entity_id as https://test-saml.com/saml' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.entity_id).to eq('https://test-saml.com/saml')
+    end
+
+    it 'should properly set sign_assertions to true' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_2)
+      expect(metadata.sign_assertions).to eq(true)
+      expect(metadata.sign_authn_request).to eq(true)
+    end
+
+    it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_3)
+      expect(metadata.sign_assertions).to eq(false)
+    end
+
+    it 'should properly set sign_authn_request to false when AuthnRequestsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_4)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
+  end
+end