saml_idp 0.7.2 → 1.0.0

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -24,6 +24,10 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:signed_response_opts) { true }
+    let(:unsigned_response_opts) { false }
+    let(:signed_assertion_opts) { true }
+    let(:compress_opts) { false }
     let(:subject_encrypted) { described_class.new(reference_id,
                                   response_id,
                                   issuer_uri,
@@ -35,7 +39,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   encryption_opts,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  unsigned_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -50,7 +59,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   nil,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  signed_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -63,23 +77,143 @@ module SamlIdp
     end
 
     it "has a valid build" do
-      subject.build.should be_present
+      expect(subject.build).to be_present
+    end
+
+    context "encrypted" do
+      it "builds encrypted" do
+        expect(subject_encrypted.build).to_not match(audience_uri)
+        encoded_xml = subject_encrypted.build
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
+        saml_resp.soft = false
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+    end
+
+    context "signed response" do
+      let(:resp_settings) do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        resp_settings
+      end
+
+      it "will build signed valid response" do
+        expect { subject.build }.not_to raise_error
+        signed_encoded_xml = subject.build
+        saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+        expect(
+          Nokogiri::XML(saml_resp.response).at_xpath(
+          "//p:Response//ds:Signature",
+          {
+            "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "ds" => "http://www.w3.org/2000/09/xmldsig#"
+          }
+        )).to be_present
+        expect(saml_resp.send(:validate_signature)).to eq(true)
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+
+      context "when signed_assertion_opts is true" do
+        it "builds a signed assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to be_present
+        end
+      end
+
+      context "when signed_assertion_opts is false" do
+        let(:signed_assertion_opts) { false }
+
+        it "builds a raw assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion"
+            }
+          )).to be_present
+
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to_not be_present
+        end
+      end
+
+      context "when compress opts is true" do
+        let(:compress_opts) { true }
+        it "will build a compressed valid response" do
+          expect { subject.build }.not_to raise_error
+          compressed_signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(compressed_signed_encoded_xml, settings: resp_settings)
+          expect(saml_resp.send(:validate_signature)).to eq(true)
+          expect(saml_resp.is_valid?).to eq(true)
+        end
+      end
     end
 
-    it "builds encrypted" do
-      subject_encrypted.build.should_not match(audience_uri)
-      encoded_xml = subject_encrypted.build
+    it "will build signed valid response" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
       resp_settings = saml_settings(saml_acs_url)
       resp_settings.private_key = Default::SECRET_KEY
       resp_settings.issuer = audience_uri
-      saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
-      saml_resp.soft = false
-      saml_resp.is_valid?.should == true
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+        "//p:Response//ds:Signature",
+        {
+          "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        }
+      )).to be_present
+      expect(saml_resp.send(:validate_signature)).to eq(true)
+      expect(saml_resp.is_valid?).to eq(true)
+    end
+
+    it "will pass reference_id as SessionIndex" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+          "//saml:AuthnStatement/@SessionIndex",
+          {
+            "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+        ).value
+      ).to eq("_#{reference_id}")
     end
 
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
-      saml_resp.session_expires_at.should == Time.local(1990, "jan", 2).iso8601
+      expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601
     end
 
     context "session expiration is set to 0" do
@@ -89,14 +223,14 @@ module SamlIdp
         resp_settings = saml_settings(saml_acs_url)
         resp_settings.issuer = audience_uri
         saml_resp = OneLogin::RubySaml::Response.new(subject.build, settings: resp_settings)
-        saml_resp.is_valid?.should == true
+        expect(saml_resp.is_valid?).to eq(true)
       end
 
       it "doesn't set a session expiration" do
         resp_settings = saml_settings(saml_acs_url)
         resp_settings.issuer = audience_uri
         saml_resp = OneLogin::RubySaml::Response.new(subject.build, settings: resp_settings)
-        saml_resp.session_expires_at.should be_nil
+        expect(saml_resp.session_expires_at).to be_nil
       end
     end
   end

data/spec/lib/saml_idp/service_provider_spec.rb

@@ -14,11 +14,11 @@ module SamlIdp
       let(:metadata_url) { "http://localhost:3000/metadata" }
 
       it "has a valid fingerprint" do
-        subject.fingerprint.should == fingerprint
+        expect(subject.fingerprint).to eq(fingerprint)
       end
 
       it "has a valid metadata_url" do
-        subject.metadata_url.should == metadata_url
+        expect(subject.metadata_url).to eq(metadata_url)
       end
 
       it { should be_valid }

data/spec/lib/saml_idp/signable_spec.rb

@@ -70,7 +70,7 @@ module SamlIdp
     end
 
     it "has a valid signed" do
-      subject.signed.should match all_regex
+      expect(subject.signed).to match all_regex
     end
 
   end

data/spec/lib/saml_idp/signature_builder_spec.rb

@@ -9,11 +9,11 @@ module SamlIdp
     ) }
 
     before do
-      Time.stub now: Time.parse("Jul 31 2013")
+      allow(Time).to receive(:now).and_return Time.parse("Jul 31 2013")
     end
 
     it "builds a legit raw XML file" do
-      subject.raw.should == "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha256\"/><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha256\"/><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jvEbD/rsiPKmoXy7Lhm+FGn88NPGlap4EcPZ2fvjBnk03YESs87FXAIiZZEzN5xq4sBZksUmZe2bV3rrr9sxQNgQawmrrvr66ot7cJiv0ETFArr6kQIZaR5g/V0M4ydxvrfefp6cQVI0hXvmxi830pq0tISiO4J7tyBNX/kvhZk=</ds:SignatureValue><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDqzCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKDANQSVQxCTAHBgNVBAsMADEYMBYGA1UEAwwPbGF3cmVuY2VwaXQuY29tMSUwIwYJKoZIhvcNAQkBDBZsYXdyZW5jZS5waXRAZ21haWwuY29tMB4XDTEyMDQyODAyMjIyOFoXDTMyMDQyMzAyMjIyOFowgYYxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEMMAoGA1UECgwDUElUMQkwBwYDVQQLDAAxGDAWBgNVBAMMD2xhd3JlbmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJAQwWbGF3cmVuY2UucGl0QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuBywPNlC1FopGLYfF96SotiK8Nj6/nW084O4omRMifzy7x955RLEy673q2aiJNB3LvE6Xvkt9cGtxtNoOXw1g2UvHKpldQbr6bOEjLNeDNW7j0ob+JrRvAUOK9CRgdyw5MC6lwqVQQ5C1DnaT/2fSBFjasBFTR24dEpfTy8HfKECAwEAAaOCASUwggEhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgUgMB0GA1UdDgQWBBQNBGmmt3ytKpcJaBaYNbnyU2xkazATBgNVHSUEDDAKBggrBgEFBQcDATAdBglghkgBhvhCAQ0EEBYOVGVzdCBYNTA5IGNlcnQwgbMGA1UdIwSBqzCBqIAUDQRpprd8rSqXCWgWmDW58lNsZGuhgYykgYkwgYYxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEMMAoGA1UECgwDUElUMQkwBwYDVQQLDAAxGDAWBgNVBAMMD2xhd3JlbmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJAQwWbGF3cmVuY2UucGl0QGdtYWlsLmNvbYIBATANBgkqhkiG9w0BAQsFAAOBgQAEcVUPBX7uZmzqZJfy+tUPOT5ImNQj8VE2lerhnFjnGPHmHIqhpzgnwHQujJfs/a309Wm5qwcCaC1eO5cWjcG0x3OjdllsgYDatl5GAumtBx8J3NhWRqNUgitCIkQlxHIwUfgQaCushYgDDL5YbIQa++egCgpIZ+T0Dj5oRew//A==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>"
+      expect(subject.raw).to eq("<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha256\"/><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha256\"/><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jvEbD/rsiPKmoXy7Lhm+FGn88NPGlap4EcPZ2fvjBnk03YESs87FXAIiZZEzN5xq4sBZksUmZe2bV3rrr9sxQNgQawmrrvr66ot7cJiv0ETFArr6kQIZaR5g/V0M4ydxvrfefp6cQVI0hXvmxi830pq0tISiO4J7tyBNX/kvhZk=</ds:SignatureValue><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDqzCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKDANQSVQxCTAHBgNVBAsMADEYMBYGA1UEAwwPbGF3cmVuY2VwaXQuY29tMSUwIwYJKoZIhvcNAQkBDBZsYXdyZW5jZS5waXRAZ21haWwuY29tMB4XDTEyMDQyODAyMjIyOFoXDTMyMDQyMzAyMjIyOFowgYYxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEMMAoGA1UECgwDUElUMQkwBwYDVQQLDAAxGDAWBgNVBAMMD2xhd3JlbmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJAQwWbGF3cmVuY2UucGl0QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuBywPNlC1FopGLYfF96SotiK8Nj6/nW084O4omRMifzy7x955RLEy673q2aiJNB3LvE6Xvkt9cGtxtNoOXw1g2UvHKpldQbr6bOEjLNeDNW7j0ob+JrRvAUOK9CRgdyw5MC6lwqVQQ5C1DnaT/2fSBFjasBFTR24dEpfTy8HfKECAwEAAaOCASUwggEhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgUgMB0GA1UdDgQWBBQNBGmmt3ytKpcJaBaYNbnyU2xkazATBgNVHSUEDDAKBggrBgEFBQcDATAdBglghkgBhvhCAQ0EEBYOVGVzdCBYNTA5IGNlcnQwgbMGA1UdIwSBqzCBqIAUDQRpprd8rSqXCWgWmDW58lNsZGuhgYykgYkwgYYxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEMMAoGA1UECgwDUElUMQkwBwYDVQQLDAAxGDAWBgNVBAMMD2xhd3JlbmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJAQwWbGF3cmVuY2UucGl0QGdtYWlsLmNvbYIBATANBgkqhkiG9w0BAQsFAAOBgQAEcVUPBX7uZmzqZJfy+tUPOT5ImNQj8VE2lerhnFjnGPHmHIqhpzgnwHQujJfs/a309Wm5qwcCaC1eO5cWjcG0x3OjdllsgYDatl5GAumtBx8J3NhWRqNUgitCIkQlxHIwUfgQaCushYgDDL5YbIQa++egCgpIZ+T0Dj5oRew//A==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>")
     end
   end
 end

data/spec/lib/saml_idp/signed_info_builder_spec.rb

@@ -11,15 +11,15 @@ module SamlIdp
     ) }
 
     before do
-      Time.stub now: Time.parse("Jul 31 2013")
+      allow(Time).to receive(:now).and_return Time.parse("Jul 31 2013")
     end
 
     it "builds a legit raw XML file" do
-      subject.raw.should == "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"></ds:SignatureMethod><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"></ds:Transform><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></ds:DigestMethod><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
+      expect(subject.raw).to eq("<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"></ds:SignatureMethod><ds:Reference URI=\"#_abc\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"></ds:Transform><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></ds:DigestMethod><ds:DigestValue>em8csGAWynywpe8S4nN64o56/4DosXi2XWMY6RJ6YfA=</ds:DigestValue></ds:Reference></ds:SignedInfo>")
     end
 
     it "builds a legit digest of the XML file" do
-      subject.signed.should == "hKLeWLRgatHcV6N5Fc8aKveqNp6Y/J4m2WSYp0awGFtsCTa/2nab32wI3du+3kuuIy59EDKeUhHVxEfyhoHUo6xTZuO2N7XcTpSonuZ/CB3WjozC2Q/9elss3z1rOC3154v5pW4puirLPRoG+Pwi8SmptxNRHczr6NvmfYmmGfo="
+      expect(subject.signed).to eq("hKLeWLRgatHcV6N5Fc8aKveqNp6Y/J4m2WSYp0awGFtsCTa/2nab32wI3du+3kuuIy59EDKeUhHVxEfyhoHUo6xTZuO2N7XcTpSonuZ/CB3WjozC2Q/9elss3z1rOC3154v5pW4puirLPRoG+Pwi8SmptxNRHczr6NvmfYmmGfo=")
     end
   end
 end

data/spec/rails_app/app/controllers/saml_controller.rb

@@ -2,7 +2,7 @@ class SamlController < ApplicationController
 
   def consume
     response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
-    render :text => response.name_id
+    render :plain => response.name_id
   end
 
 end

data/spec/rails_app/app/controllers/saml_idp_controller.rb

@@ -1,9 +1,61 @@
-class SamlIdpController < SamlIdp::IdpController
+class SamlIdpController < ApplicationController
+  include SamlIdp::Controller
+
+  if Rails::VERSION::MAJOR >= 4
+    before_action :add_view_path, only: [:new, :create, :logout]
+    before_action :validate_saml_request, only: [:new, :create, :logout]
+  else
+    before_filter :add_view_path, only: [:new, :create, :logout]
+    before_filter :validate_saml_request, only: [:new, :create, :logout]
+  end
+
+  def new
+    render template: "saml_idp/idp/new"
+  end
+
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    unless params[:email].blank? && params[:password].blank?
+      person = idp_authenticate(params[:email], params[:password])
+      if person.nil?
+        @saml_idp_fail_msg = "Incorrect email or password."
+      else
+        @saml_response = idp_make_saml_response(person)
+        render :template => "saml_idp/idp/saml_post", :layout => false
+        return
+      end
+    end
+    render :template => "saml_idp/idp/new"
+  end
+
+  def logout
+    idp_logout
+    @saml_response = idp_make_saml_response(nil)
+    render :template => "saml_idp/idp/saml_post", :layout => false
+  end
+
+  def idp_logout
+    raise NotImplementedError
+  end
+  private :idp_logout
+
   def idp_authenticate(email, password)
     { :email => email }
   end
+  protected :idp_authenticate
 
-  def idp_make_saml_response(user)
-    encode_response(user[:email])
+  def idp_make_saml_response(person)
+    encode_response(person[:email])
   end
+  protected :idp_make_saml_response
+
+  private
+
+  def add_view_path
+    prepend_view_path("app/views")
+  end
+
 end

data/{app → spec/rails_app/app}/views/saml_idp/idp/new.html.erb

@@ -1,22 +1,21 @@
 <% if @saml_idp_fail_msg %>
   <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
 <% end %>
-
 <%= form_tag do %>
   <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
   <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+  <%= hidden_field_tag("SigAlg", params[:SigAlg]) %>
+  <%= hidden_field_tag("Signature", params[:Signature]) %>
 
   <p>
     <%= label_tag :email %>
     <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= label_tag :password %>
     <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= submit_tag "Sign in", :class => "button big blueish" %>
   </p>
-<% end %>
+<% end %>

data/{app → spec/rails_app/app}/views/saml_idp/idp/saml_post.html.erb

@@ -11,4 +11,4 @@
       <%= submit_tag "Submit" %>
     <% end %>
   </body>
-</html>
+</html>

data/spec/rails_app/config/application.rb

@@ -18,6 +18,7 @@ module RailsApp
 
     # Custom directories with classes and modules you want to be autoloadable.
     # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %w[app/controllers]
 
     # Only load the plugins named here, in the order given (default is alphabetical).
     # :all can be used as a placeholder for all plugins not explicitly named.
@@ -50,11 +51,5 @@ module RailsApp
     # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
     # parameters by using an attr_accessible or attr_protected declaration.
     # config.active_record.whitelist_attributes = true
-
-    # Enable the asset pipeline
-    config.assets.enabled = true
-
-    # Version of your assets, change this if you want to expire all your assets
-    config.assets.version = '1.0'
   end
 end

data/spec/rails_app/config/boot.rb

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
 
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/spec/rails_app/config/environments/development.rb

@@ -4,6 +4,7 @@ RailsApp::Application.configure do
   # In the development environment your application's code is reloaded on
   # every request. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
+  config.eager_load = false if config.respond_to?(:eager_load)
   config.cache_classes = false
 
   # Log error messages when you accidentally call methods on nil.
@@ -29,9 +30,5 @@ RailsApp::Application.configure do
   # with SQLite, MySQL, and PostgreSQL)
   #config.active_record.auto_explain_threshold_in_seconds = 0.5
 
-  # Do not compress assets
-  config.assets.compress = false
-
-  # Expands the lines which load the assets
-  config.assets.debug = true
+  config.hosts << "foo.example.com" if config.respond_to?(:hosts)
 end

data/spec/rails_app/config/environments/production.rb

@@ -2,6 +2,7 @@ RailsApp::Application.configure do
   # Settings specified here will take precedence over those in config/application.rb
 
   # Code is not reloaded between requests
+  config.eager_load = true if config.respond_to?(:eager_load)
   config.cache_classes = true
 
   # Full error reports are disabled and caching is turned on

data/spec/rails_app/config/environments/test.rb

@@ -5,6 +5,7 @@ RailsApp::Application.configure do
   # test suite. You never need to work with it otherwise. Remember that
   # your test database is "scratch space" for the test suite and is wiped
   # and recreated between test runs. Don't rely on the data there!
+  config.eager_load = true if config.respond_to?(:eager_load)
   config.cache_classes = true
 
   # Configure static asset server for tests with Cache-Control for performance

data/spec/spec_helper.rb

@@ -43,6 +43,28 @@ RSpec.configure do |config|
       }
     end
   end
+
+  # To reset to default config
+  config.after do
+    SamlIdp.instance_variable_set(:@config, nil)
+    SamlIdp.configure do |c|
+      c.attributes = {
+        emailAddress: {
+          name: "email-address",
+          getter: ->(p) { "foo@example.com" }
+        }
+      }
+
+      c.name_id.formats = {
+        "1.1" => {
+          email_address: ->(p) { "foo@example.com" }
+        }
+      }
+    end
+  end
 end
 
-Capybara.default_host = "https://app.example.com"
+SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'
+SamlIdp::Default::SERVICE_PROVIDER[:response_hosts] = ['foo.example.com']
+SamlIdp::Default::SERVICE_PROVIDER[:assertion_consumer_logout_service_url] = 'https://foo.example.com/saml/logout'
+Capybara.default_host = "https://foo.example.com"

data/spec/support/certificates/sp_cert_req.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAmpwMQ4wDAYDVQQIDAVUb2t5bzELMAkG
+A1UECgwCR1MxIDAeBgNVBAMMF2h0dHBzOi8vZm9vLmV4YW1wbGUuY29tMQwwCgYD
+VQQHDANGb28xDDAKBgNVBAsMA0JvbzEeMBwGCSqGSIb3DQEJARYPZm9vQGV4YW1w
+bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8DVj2mVLQV7AjT+cn
+Lv3kDnQFvAo3RdUeGGhplsYFacYByzNRD/jeguu1ahrvznDyZN8p3yB7OPbmt0r0
+aGr+yYzPh6brgkf5u6FMtWTj94vLQuT/uyQGuzdBkiLb5mAWRMtm43oHXDK0v25J
+tsG1PJnntkXfBDpFP1eWLO+jZwIDAQABoAAwDQYJKoZIhvcNAQENBQADgYEAd/J6
+5zjrMhgjxuaMuWCiNN7IS4F9SKy+gEmhkpNVCpChbpggruaEIoERjDP/TkZn2dgL
+VUeHTZB92t+wWfQbHNvEfbzqlV3XkuHkxewCwofnIV/k+8zG1Al5ELSKHehItxig
+rnTuBrFYsd2j4HEVqLzm4NyCfL+xzn/D4U2ec50=
+-----END CERTIFICATE REQUEST-----

data/spec/support/certificates/sp_private_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALwNWPaZUtBXsCNP
+5ycu/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3
+SvRoav7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/
+bkm2wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAECgYEArwclVHCkebIECPnnxbqhKNCj
+AGtifsuKbrZ9CDoDGSq31xeQLdTV6BSm2nVlmOnmilWEuG4qx0Xf2CGlrBI78kmv
+vHCfFdaGnTxbmYnD0HN0u4RK2trsxWO+rEkJk14JE2eVD6ZRPrq1UOSMgGPrQSMb
+SuwAHUu/j94eL8BXuhECQQD3jTlo3Y4VPWttP6XPNqKDP+jRYJs5G0Bch//S9Qy7
+QzmU9/yAUk0BEOyqYcLxinjJhoq6bR2fiIibn+77z3jtAkEAwnhLwkGYOb7Nt3V6
+dQLKx1BP9dnYH7qG/sCmAs7GHPv4LGluaz4zsh2pdEDF/Xar4gwTzUpxYo8FpkCH
+rf4nIwJAVfWnGr/cR4nVVNFGHUcGdXbqvFHEdLb+yWK8NZ+79Qap5w2Zk2GAtb8P
+vzZFQCRqPuhGIegj4jLB5PBLRwtLHQJBAJiWyWL4ExikRUhBTr/HXBL+Sm9u6i0j
+L89unBQx6LNPZhB6/Z/6Y5fLvG2ycWgLGJ06usLnOYaLEHS9x3hXpp8CQQCdtQHw
+xeLBPhRDpfWWbSmFr+bFxyD/4iQHTHToIs3kaecn6OJ4rczIFpGm2Bm7f4X7F3H3
+DDy4jZ0R6iDqCcQD
+-----END PRIVATE KEY-----

data/spec/support/certificates/sp_x509_cert.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBiDELMAkGA1UEBhMCanAx
+DjAMBgNVBAgMBVRva3lvMQswCQYDVQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9m
+b28uZXhhbXBsZS5jb20xDDAKBgNVBAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJ
+KoZIhvcNAQkBFg9mb29AZXhhbXBsZS5jb20wHhcNMjAwMTIzMDYyMzI5WhcNNDcw
+NjA5MDYyMzI5WjCBiDELMAkGA1UEBhMCanAxDjAMBgNVBAgMBVRva3lvMQswCQYD
+VQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9mb28uZXhhbXBsZS5jb20xDDAKBgNV
+BAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJKoZIhvcNAQkBFg9mb29AZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwNWPaZUtBXsCNP5ycu
+/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3SvRo
+av7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/bkm2
+wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAGjUDBOMB0GA1UdDgQWBBQMtOtrh2VS/mh4
+awGbKA37vVnw+zAfBgNVHSMEGDAWgBQMtOtrh2VS/mh4awGbKA37vVnw+zAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAHjTTm4Hyx1rfzygknc6q1dYwpEv
+/3AsPiTnF4AfH/5kGIIXNzwg0ADsziFMJYRRR9eMu97CHQbr8gHt99P8uaen6cmJ
+4VCwJLP2N8gZrycssimA3M83DWRRVZbxZhpuUWNajtYIxwyUbB7eRSJgz3Tc0opF
+933YwucWuFzKSqn3
+-----END CERTIFICATE-----