saml_idp 0.7.2 → 1.0.0

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -0,0 +1,134 @@
+require 'spec_helper'
+
+module SamlIdp
+
+  metadata_1 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_2 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_3 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_4 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_5 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_6 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_7 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  describe IncomingMetadata do
+    it 'should properly set sign_assertions to false' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.sign_assertions).to eq(false)
+    end
+
+    it 'should properly set entity_id as https://test-saml.com/saml' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.entity_id).to eq('https://test-saml.com/saml')
+    end
+
+    it 'should properly set sign_assertions to true' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_2)
+      expect(metadata.sign_assertions).to eq(true)
+      expect(metadata.sign_authn_request).to eq(true)
+    end
+
+    it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_3)
+      expect(metadata.sign_assertions).to eq(false)
+    end
+
+    it 'should properly set sign_authn_request to false when AuthnRequestsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_4)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
+
+    it 'should properly set unspecified_certificate when present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_5)
+      expect(metadata.unspecified_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...')
+    end
+
+    it 'should return empty unspecified_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should properly set signing_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_6)
+      expect(metadata.signing_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty signing_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.signing_certificate).to eq('')
+    end
+
+    it 'should properly set encryption_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_7)
+      expect(metadata.encryption_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty encryption_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.encryption_certificate).to eq('')
+    end
+  end
+end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -2,18 +2,39 @@ require 'spec_helper'
 module SamlIdp
   describe MetadataBuilder do
     it "has a valid fresh" do
-      subject.fresh.should_not be_empty
+      expect(subject.fresh).to_not be_empty
     end
 
     it "signs valid xml" do
-      Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should be_truthy
+      expect(Saml::XML::Document.parse(subject.signed).valid_signature?("", Default::FINGERPRINT)).to be_truthy
     end
 
     it "includes logout element" do
       subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
-      subject.fresh.should match(
-        '<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>'
-      )
+      subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
+    end
+
+    it 'will not includes empty logout endpoint' do
+      subject.configurator.single_logout_service_post_location = ''
+      subject.configurator.single_logout_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
+    end
+
+    it 'will includes sso element' do
+      subject.configurator.single_service_post_location = 'https://example.com/saml/sso'
+      subject.configurator.single_service_redirect_location = 'https://example.com/saml/sso'
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/sso"/>')
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/sso"/>')
+    end
+
+    it 'will not includes empty sso element' do
+      subject.configurator.single_service_post_location = ''
+      subject.configurator.single_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
     end
 
     context "technical contact" do
@@ -32,31 +53,23 @@ module SamlIdp
         subject.configurator.technical_contact.telephone     = "1-800-555-5555"
         subject.configurator.technical_contact.email_address = "acme@example.com"
 
-        subject.fresh.should match(
-          '<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>'
-        )
+        expect(subject.fresh).to match('<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>')
       end
 
       it "no fields" do
-        subject.fresh.should match(
-          '<ContactPerson contactType="technical"></ContactPerson>'
-        )
+        expect(subject.fresh).to match('<ContactPerson contactType="technical"></ContactPerson>')
       end
 
       it "just email" do
         subject.configurator.technical_contact.email_address = "acme@example.com"
-        subject.fresh.should match(
-          '<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>'
-        )
+        expect(subject.fresh).to match('<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>')
       end
 
     end
 
     it "includes logout element as HTTP Redirect" do
       subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
-      subject.fresh.should match(
-        '<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>'
-      )
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
     end
   end
 end

data/spec/lib/saml_idp/name_id_formatter_spec.rb

@@ -7,7 +7,7 @@ module SamlIdp
       let(:list) { { email_address: ->() { "foo@example.com" } } }
 
       it "has a valid all" do
-        subject.all.should == ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
+        expect(subject.all).to eq ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
       end
 
     end
@@ -21,7 +21,7 @@ module SamlIdp
       }
 
       it "has a valid all" do
-        subject.all.should == [
+        expect(subject.all).to eq [
           "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
           "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
         ]
@@ -32,7 +32,7 @@ module SamlIdp
       let(:list) { [:email_address, :undefined] }
 
       it "has a valid all" do
-        subject.all.should == [
+        expect(subject.all).to eq [
           "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
           "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
         ]

data/spec/lib/saml_idp/request_spec.rb

@@ -1,106 +1,195 @@
 require 'spec_helper'
-module SamlIdp
-  describe Request do
-    let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
 
-    describe "deflated request" do
-      let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
+RSpec.describe SamlIdp::Request, type: :model do
+  let(:valid_saml_request) { make_saml_request("https://foo.example.com/saml/consume", true) }
+  let(:valid_logout_request) { make_saml_sp_slo_request(security_options: { embed_sign: true })['SAMLRequest'] }
+  let(:invalid_saml_request) { "invalid_saml_request" }
+  let(:external_attributes) { { saml_request: valid_saml_request, relay_state: "state" } }
 
-      subject { described_class.from_deflated_request deflated_request }
+  describe ".from_deflated_request" do
+    context "when request is valid and deflated" do
+      it "inflates and decodes the request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "inflates" do
-        subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
+        expect { Saml::XML::Document.parse(request.raw_xml) }.not_to raise_error
       end
+    end
 
-      it "handles invalid SAML" do
-        req = described_class.from_deflated_request "bang!"
-        req.valid?.should == false
+    context "when request is invalid" do
+      it "returns an empty inflated string" do
+        request = SamlIdp::Request.from_deflated_request(nil)
+        expect(request.raw_xml).to eq("")
       end
     end
+  end
 
-    describe "authn request" do
-      subject { described_class.new raw_authn_request }
-
-      it "has a valid request_id" do
-        subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
-      end
+  describe "#logout_request?" do
+    it "returns true for a valid logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.logout_request?).to be true
+    end
 
-      it "has a valid acs_url" do
-        subject.acs_url.should == "http://localhost:3000/saml/consume"
-      end
+    it "returns false for a non-logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.logout_request?).to be false
+    end
+  end
 
-      it "has a valid service_provider" do
-        subject.service_provider.should be_a ServiceProvider
-      end
+  describe "#authn_request?" do
+    it "returns true for a valid authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.authn_request?).to be true
+    end
 
-      it "has a valid service_provider" do
-        subject.service_provider.should be_truthy
-      end
+    it "returns false for a non-authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.authn_request?).to be false
+    end
+  end
 
-      it "has a valid issuer" do
-        subject.issuer.should == "localhost:3000"
-      end
+  describe "#valid?" do
+    let(:sp_issuer) { "test_issuer" }
+    let(:valid_service_provider) do 
+      instance_double(
+        "SamlIdp::ServiceProvider",
+        valid?: true,
+        acs_url: 'https://foo.example.com/saml/consume',
+        current_metadata: instance_double("Metadata", sign_authn_request?: true),
+        assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+        sign_authn_request: true,
+        acceptable_response_hosts: ["foo.example.com"],
+        cert: sp_x509_cert,
+        fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert, :sha256),
+      )
+    end
+    
+    before do
+      allow_any_instance_of(SamlIdp::Request).to receive(:service_provider).and_return(valid_service_provider)
+      allow_any_instance_of(SamlIdp::Request).to receive(:issuer).and_return(sp_issuer)
+    end
 
-      it "has a valid valid_signature" do
-        subject.valid_signature?.should be_truthy
+    context "when the request is valid" do
+      it "returns true for a valid authn request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
 
-      it "should return acs_url for response_url" do
-        subject.response_url.should == subject.acs_url
+      it "returns true for a valid logout request" do
+        request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
+    end
 
-      it "is a authn request" do
-        subject.authn_request?.should == true
-      end
+    context 'when signature provided as external param' do
+      let!(:uri_query) { make_saml_sp_slo_request(security_options: { embed_sign: false }) }
+      let(:raw_saml_request) { uri_query['SAMLRequest'] }
+      let(:relay_state) { uri_query['RelayState'] }
+      let(:siging_algorithm) { uri_query['SigAlg'] }
+      let(:signature) { uri_query['Signature'] }
 
-      it "fetches internal request" do
-        subject.request['ID'].should == subject.request_id
+      subject do
+        described_class.from_deflated_request(
+          raw_saml_request,
+          saml_request: raw_saml_request,
+          relay_state: relay_state,
+          sig_algorithm: siging_algorithm,
+          signature: signature
+        )
       end
 
-      it "has a valid authn context" do
-        subject.requested_authn_context.should == "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      it "should validate the request" do
+        expect(subject.valid_external_signature?).to be true
+        expect(subject.errors).to be_empty
       end
 
-      it "does not permit empty issuer" do
-        raw_req = raw_authn_request.gsub('localhost:3000', '')
-        authn_request = described_class.new raw_req
-        authn_request.issuer.should_not == ''
-        authn_request.issuer.should == nil
-        authn_request.valid?.should == false
+      it "should collect errors when the signature is invalid" do
+        allow(subject).to receive(:valid_external_signature?).and_return(false)
+        expect(subject.valid?).to eq(false)
+        expect(subject.errors).to include(:invalid_external_signature)
       end
     end
 
-    describe "logout request" do
-      let(:raw_logout_request) { "<LogoutRequest ID='_some_response_id' Version='2.0' IssueInstant='2010-06-01T13:00:00Z' Destination='http://localhost:3000/saml/logout' xmlns='urn:oasis:names:tc:SAML:2.0:protocol'><Issuer xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>http://example.com</Issuer><NameID xmlns='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'>some_name_id</NameID><SessionIndex>abc123index</SessionIndex></LogoutRequest>" }
-
-      subject { described_class.new raw_logout_request }
+    context "when the service provider is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:service_provider?).and_return(false)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "has a valid request_id" do
-        subject.request_id.should == '_some_response_id'
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:sp_not_found)
       end
+    end
 
-      it "should be flagged as a logout_request" do
-        subject.logout_request?.should == true
+    context "when empty certificate for authn request validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
+      end
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "should have a valid name_id" do
-        subject.name_id.should == 'some_name_id'
+    context "when empty certificate for logout validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
       end
 
-      it "should have a session index" do
-        subject.session_index.should == 'abc123index'
+      before do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
       end
 
-      it "should have a valid issuer" do
-        subject.issuer.should == 'http://example.com'
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "fetches internal request" do
-        subject.request['ID'].should == subject.request_id
+    context "when both authn and logout requests are present" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(true)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:unaccepted_request)
       end
+    end
+
+    context "when the signature is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:valid_signature?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:log)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "should return logout_url for response_url" do
-        subject.response_url.should == subject.logout_url
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:invalid_embedded_signature)
       end
     end
   end

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -6,12 +6,14 @@ module SamlIdp
     let(:saml_acs_url) { "http://sportngin.com" }
     let(:saml_request_id) { "134" }
     let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    let(:algorithm) { :sha256 }
     subject { described_class.new(
       response_id,
       issuer_uri,
       saml_acs_url,
       saml_request_id,
-      assertion_and_signature
+      assertion_and_signature,
+      algorithm
     ) }
 
     before do
@@ -25,7 +27,7 @@ module SamlIdp
 
     it "builds a legit raw XML file" do
       Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-        subject.raw.should == "<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\"134\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>"
+        expect(subject.raw).to eq("<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\"134\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>")
       end
     end
 
@@ -34,7 +36,7 @@ module SamlIdp
 
       it "builds a legit raw XML file without a request ID" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>"
+          expect(subject.raw).to eq("<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>")
         end
       end
     end