saml_idp 0.8.0 → 0.15.0

data/spec/lib/saml_idp/request_spec.rb

@@ -1,7 +1,10 @@
 require 'spec_helper'
 module SamlIdp
   describe Request do
-    let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+    let(:issuer) { 'localhost:3000' }
+    let(:raw_authn_request) do
+      "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>#{issuer}</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>"
+    end
 
     describe "deflated request" do
       let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
@@ -57,16 +60,47 @@ module SamlIdp
         expect(subject.request['ID']).to eq(subject.request_id)
       end
 
-      it "has a valid authn context" do
-        expect(subject.requested_authn_context).to eq("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
+      it 'has a valid authn context' do
+        expect(subject.requested_authn_context).to eq('urn:oasis:names:tc:SAML:2.0:ac:classes:Password')
       end
 
-      it "does not permit empty issuer" do
-        raw_req = raw_authn_request.gsub('localhost:3000', '')
-        authn_request = described_class.new raw_req
-        expect(authn_request.issuer).to_not eq('')
-        expect(authn_request.issuer).to be_nil
-        expect(authn_request.valid?).to eq(false)
+      context 'the issuer is empty' do
+        let(:issuer) { nil }
+        let(:logger) { ->(msg) { puts msg } }
+
+        before do
+          allow(SamlIdp.config).to receive(:logger).and_return(logger)
+        end
+
+        it 'is invalid' do
+          expect(subject.issuer).to_not eq('')
+          expect(subject.issuer).to be_nil
+          expect(subject.valid?).to eq(false)
+        end
+
+        context 'a Ruby Logger is configured' do
+          let(:logger) { Logger.new($stdout) }
+
+          before do
+            allow(logger).to receive(:info)
+          end
+
+          it 'logs an error message' do
+            expect(subject.valid?).to be false
+            expect(logger).to have_received(:info).with('Unable to find service provider for issuer ')
+          end
+        end
+
+        context 'a logger lambda is configured' do
+          let(:logger) { double }
+
+          before { allow(logger).to receive(:call) }
+
+          it 'logs an error message' do
+            expect(subject.valid?).to be false
+            expect(logger).to have_received(:call).with('Unable to find service provider for issuer ')
+          end
+        end
       end
     end
 

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -6,12 +6,14 @@ module SamlIdp
     let(:saml_acs_url) { "http://sportngin.com" }
     let(:saml_request_id) { "134" }
     let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    let(:algorithm) { :sha256 }
     subject { described_class.new(
       response_id,
       issuer_uri,
       saml_acs_url,
       saml_request_id,
-      assertion_and_signature
+      assertion_and_signature,
+      algorithm
     ) }
 
     before do

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -24,6 +24,10 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:signed_response_opts) { true }
+    let(:unsigned_response_opts) { false }
+    let(:signed_assertion_opts) { true }
+    let(:compress_opts) { false }
     let(:subject_encrypted) { described_class.new(reference_id,
                                   response_id,
                                   issuer_uri,
@@ -35,7 +39,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   encryption_opts,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  unsigned_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -50,7 +59,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   nil,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  signed_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -66,14 +80,115 @@ module SamlIdp
       expect(subject.build).to be_present
     end
 
-    it "builds encrypted" do
-      expect(subject_encrypted.build).to_not match(audience_uri)
-      encoded_xml = subject_encrypted.build
+    context "encrypted" do
+      it "builds encrypted" do
+        expect(subject_encrypted.build).to_not match(audience_uri)
+        encoded_xml = subject_encrypted.build
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
+        saml_resp.soft = false
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+    end
+
+    context "signed response" do
+      let(:resp_settings) do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        resp_settings
+      end
+
+      it "will build signed valid response" do
+        expect { subject.build }.not_to raise_error
+        signed_encoded_xml = subject.build
+        saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+        expect(
+          Nokogiri::XML(saml_resp.response).at_xpath(
+          "//p:Response//ds:Signature",
+          {
+            "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "ds" => "http://www.w3.org/2000/09/xmldsig#"
+          }
+        )).to be_present
+        expect(saml_resp.send(:validate_signature)).to eq(true)
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+
+      context "when signed_assertion_opts is true" do
+        it "builds a signed assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to be_present
+        end
+      end
+
+      context "when signed_assertion_opts is false" do
+        let(:signed_assertion_opts) { false }
+
+        it "builds a raw assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion"
+            }
+          )).to be_present
+
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to_not be_present
+        end
+      end
+
+      context "when compress opts is true" do
+        let(:compress_opts) { true }
+        it "will build a compressed valid response" do
+          expect { subject.build }.not_to raise_error
+          compressed_signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(compressed_signed_encoded_xml, settings: resp_settings)
+          expect(saml_resp.send(:validate_signature)).to eq(true)
+          expect(saml_resp.is_valid?).to eq(true)
+        end
+      end
+    end
+
+    it "will build signed valid response" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
       resp_settings = saml_settings(saml_acs_url)
       resp_settings.private_key = Default::SECRET_KEY
       resp_settings.issuer = audience_uri
-      saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
-      saml_resp.soft = false
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+        "//p:Response//ds:Signature",
+        {
+          "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        }
+      )).to be_present
+      expect(saml_resp.send(:validate_signature)).to eq(true)
       expect(saml_resp.is_valid?).to eq(true)
     end
 

data/spec/rails_app/app/controllers/saml_controller.rb

@@ -2,11 +2,7 @@ class SamlController < ApplicationController
 
   def consume
     response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
-    if Gem::Requirement.new('< 4.1') =~ Gem::Version.new(Rails.version)
-      render :text => response.name_id
-    else
-      render :plain => response.name_id
-    end
+    render :plain => response.name_id
   end
 
 end

data/spec/rails_app/app/controllers/saml_idp_controller.rb

@@ -1,9 +1,61 @@
-class SamlIdpController < SamlIdp::IdpController
+class SamlIdpController < ApplicationController
+  include SamlIdp::Controller
+
+  if Rails::VERSION::MAJOR >= 4
+    before_action :add_view_path, only: [:new, :create, :logout]
+    before_action :validate_saml_request, only: [:new, :create, :logout]
+  else
+    before_filter :add_view_path, only: [:new, :create, :logout]
+    before_filter :validate_saml_request, only: [:new, :create, :logout]
+  end
+
+  def new
+    render template: "saml_idp/idp/new"
+  end
+
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    unless params[:email].blank? && params[:password].blank?
+      person = idp_authenticate(params[:email], params[:password])
+      if person.nil?
+        @saml_idp_fail_msg = "Incorrect email or password."
+      else
+        @saml_response = idp_make_saml_response(person)
+        render :template => "saml_idp/idp/saml_post", :layout => false
+        return
+      end
+    end
+    render :template => "saml_idp/idp/new"
+  end
+
+  def logout
+    idp_logout
+    @saml_response = idp_make_saml_response(nil)
+    render :template => "saml_idp/idp/saml_post", :layout => false
+  end
+
+  def idp_logout
+    raise NotImplementedError
+  end
+  private :idp_logout
+
   def idp_authenticate(email, password)
     { :email => email }
   end
+  protected :idp_authenticate
 
-  def idp_make_saml_response(user)
-    encode_response(user[:email])
+  def idp_make_saml_response(person)
+    encode_response(person[:email])
   end
+  protected :idp_make_saml_response
+
+  private
+
+  def add_view_path
+    prepend_view_path("app/views")
+  end
+
 end

data/{app → spec/rails_app/app}/views/saml_idp/idp/new.html.erb

@@ -1,22 +1,18 @@
 <% if @saml_idp_fail_msg %>
   <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
 <% end %>
-
 <%= form_tag do %>
   <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
   <%= hidden_field_tag("RelayState", params[:RelayState]) %>
-
   <p>
     <%= label_tag :email %>
     <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= label_tag :password %>
     <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= submit_tag "Sign in", :class => "button big blueish" %>
   </p>
-<% end %>
+<% end %>

data/{app → spec/rails_app/app}/views/saml_idp/idp/saml_post.html.erb

@@ -11,4 +11,4 @@
       <%= submit_tag "Submit" %>
     <% end %>
   </body>
-</html>
+</html>

data/spec/rails_app/config/application.rb

@@ -18,6 +18,7 @@ module RailsApp
 
     # Custom directories with classes and modules you want to be autoloadable.
     # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %w[app/controllers]
 
     # Only load the plugins named here, in the order given (default is alphabetical).
     # :all can be used as a placeholder for all plugins not explicitly named.

data/spec/rails_app/config/boot.rb

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
 
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/spec/rails_app/config/environments/development.rb

@@ -29,4 +29,6 @@ RailsApp::Application.configure do
   # Log the query plan for queries taking more than this (works
   # with SQLite, MySQL, and PostgreSQL)
   #config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  config.hosts << "foo.example.com" if config.respond_to?(:hosts)
 end

data/spec/spec_helper.rb

@@ -43,9 +43,28 @@ RSpec.configure do |config|
       }
     end
   end
+
+  # To reset to default config
+  config.after do
+    SamlIdp.instance_variable_set(:@config, nil)
+    SamlIdp.configure do |c|
+      c.attributes = {
+        emailAddress: {
+          name: "email-address",
+          getter: ->(p) { "foo@example.com" }
+        }
+      }
+
+      c.name_id.formats = {
+        "1.1" => {
+          email_address: ->(p) { "foo@example.com" }
+        }
+      }
+    end
+  end
 end
 
 SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'
 SamlIdp::Default::SERVICE_PROVIDER[:response_hosts] = ['foo.example.com']
 SamlIdp::Default::SERVICE_PROVIDER[:assertion_consumer_logout_service_url] = 'https://foo.example.com/saml/logout'
-Capybara.default_host = "https://app.example.com"
+Capybara.default_host = "https://foo.example.com"

data/spec/support/certificates/sp_cert_req.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAmpwMQ4wDAYDVQQIDAVUb2t5bzELMAkG
+A1UECgwCR1MxIDAeBgNVBAMMF2h0dHBzOi8vZm9vLmV4YW1wbGUuY29tMQwwCgYD
+VQQHDANGb28xDDAKBgNVBAsMA0JvbzEeMBwGCSqGSIb3DQEJARYPZm9vQGV4YW1w
+bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8DVj2mVLQV7AjT+cn
+Lv3kDnQFvAo3RdUeGGhplsYFacYByzNRD/jeguu1ahrvznDyZN8p3yB7OPbmt0r0
+aGr+yYzPh6brgkf5u6FMtWTj94vLQuT/uyQGuzdBkiLb5mAWRMtm43oHXDK0v25J
+tsG1PJnntkXfBDpFP1eWLO+jZwIDAQABoAAwDQYJKoZIhvcNAQENBQADgYEAd/J6
+5zjrMhgjxuaMuWCiNN7IS4F9SKy+gEmhkpNVCpChbpggruaEIoERjDP/TkZn2dgL
+VUeHTZB92t+wWfQbHNvEfbzqlV3XkuHkxewCwofnIV/k+8zG1Al5ELSKHehItxig
+rnTuBrFYsd2j4HEVqLzm4NyCfL+xzn/D4U2ec50=
+-----END CERTIFICATE REQUEST-----

data/spec/support/certificates/sp_private_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALwNWPaZUtBXsCNP
+5ycu/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3
+SvRoav7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/
+bkm2wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAECgYEArwclVHCkebIECPnnxbqhKNCj
+AGtifsuKbrZ9CDoDGSq31xeQLdTV6BSm2nVlmOnmilWEuG4qx0Xf2CGlrBI78kmv
+vHCfFdaGnTxbmYnD0HN0u4RK2trsxWO+rEkJk14JE2eVD6ZRPrq1UOSMgGPrQSMb
+SuwAHUu/j94eL8BXuhECQQD3jTlo3Y4VPWttP6XPNqKDP+jRYJs5G0Bch//S9Qy7
+QzmU9/yAUk0BEOyqYcLxinjJhoq6bR2fiIibn+77z3jtAkEAwnhLwkGYOb7Nt3V6
+dQLKx1BP9dnYH7qG/sCmAs7GHPv4LGluaz4zsh2pdEDF/Xar4gwTzUpxYo8FpkCH
+rf4nIwJAVfWnGr/cR4nVVNFGHUcGdXbqvFHEdLb+yWK8NZ+79Qap5w2Zk2GAtb8P
+vzZFQCRqPuhGIegj4jLB5PBLRwtLHQJBAJiWyWL4ExikRUhBTr/HXBL+Sm9u6i0j
+L89unBQx6LNPZhB6/Z/6Y5fLvG2ycWgLGJ06usLnOYaLEHS9x3hXpp8CQQCdtQHw
+xeLBPhRDpfWWbSmFr+bFxyD/4iQHTHToIs3kaecn6OJ4rczIFpGm2Bm7f4X7F3H3
+DDy4jZ0R6iDqCcQD
+-----END PRIVATE KEY-----

data/spec/support/certificates/sp_x509_cert.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBiDELMAkGA1UEBhMCanAx
+DjAMBgNVBAgMBVRva3lvMQswCQYDVQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9m
+b28uZXhhbXBsZS5jb20xDDAKBgNVBAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJ
+KoZIhvcNAQkBFg9mb29AZXhhbXBsZS5jb20wHhcNMjAwMTIzMDYyMzI5WhcNNDcw
+NjA5MDYyMzI5WjCBiDELMAkGA1UEBhMCanAxDjAMBgNVBAgMBVRva3lvMQswCQYD
+VQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9mb28uZXhhbXBsZS5jb20xDDAKBgNV
+BAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJKoZIhvcNAQkBFg9mb29AZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwNWPaZUtBXsCNP5ycu
+/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3SvRo
+av7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/bkm2
+wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAGjUDBOMB0GA1UdDgQWBBQMtOtrh2VS/mh4
+awGbKA37vVnw+zAfBgNVHSMEGDAWgBQMtOtrh2VS/mh4awGbKA37vVnw+zAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAHjTTm4Hyx1rfzygknc6q1dYwpEv
+/3AsPiTnF4AfH/5kGIIXNzwg0ADsziFMJYRRR9eMu97CHQbr8gHt99P8uaen6cmJ
+4VCwJLP2N8gZrycssimA3M83DWRRVZbxZhpuUWNajtYIxwyUbB7eRSJgz3Tc0opF
+933YwucWuFzKSqn3
+-----END CERTIFICATE-----

data/spec/support/saml_request_macros.rb

@@ -1,9 +1,9 @@
 require 'saml_idp/logout_request_builder'
 
 module SamlRequestMacros
-  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
+  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     auth_request = OneLogin::RubySaml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
+    auth_url = auth_request.create(saml_settings(requested_saml_acs_url, enable_secure_options))
     CGI.unescape(auth_url.split("=").last)
   end
 
@@ -18,7 +18,12 @@ module SamlRequestMacros
     Base64.strict_encode64(request_builder.signed)
   end
 
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
+  def generate_sp_metadata(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    sp_metadata = OneLogin::RubySaml::Metadata.new
+    sp_metadata.generate(saml_settings(saml_acs_url, enable_secure_options), true)
+  end
+
+  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = saml_acs_url
     settings.issuer = "http://example.com/issuer"
@@ -26,9 +31,63 @@ module SamlRequestMacros
     settings.assertion_consumer_logout_service_url = 'https://foo.example.com/saml/logout'
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
+    add_securty_options(settings) if enable_secure_options
     settings
   end
 
+  def add_securty_options(settings, authn_requests_signed: true, 
+                                    embed_sign: true, 
+                                    logout_requests_signed: true, 
+                                    logout_responses_signed: true,
+                                    digest_method: XMLSecurity::Document::SHA256,
+                                    signature_method: XMLSecurity::Document::RSA_SHA256)
+    # Security section
+    settings.idp_cert = SamlIdp::Default::X509_CERTIFICATE
+    # Signed embedded singature
+    settings.security[:authn_requests_signed] = authn_requests_signed
+    settings.security[:embed_sign] = embed_sign
+    settings.security[:logout_requests_signed] = logout_requests_signed
+    settings.security[:logout_responses_signed] = logout_responses_signed
+    settings.security[:metadata_signed] = digest_method
+    settings.security[:digest_method] = digest_method
+    settings.security[:signature_method] = signature_method
+    settings.private_key = sp_pv_key
+    settings.certificate = sp_x509_cert
+  end
+
+  def idp_configure(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    SamlIdp.configure do |config|
+      config.x509_certificate = SamlIdp::Default::X509_CERTIFICATE
+      config.secret_key = SamlIdp::Default::SECRET_KEY
+      config.password = nil
+      config.algorithm = :sha256
+      config.organization_name = 'idp.com'
+      config.organization_url = 'http://idp.com'
+      config.base_saml_location = 'http://idp.com/saml/idp'
+      config.single_logout_service_post_location = 'http://idp.com/saml/idp/logout'
+      config.single_logout_service_redirect_location = 'http://idp.com/saml/idp/logout'
+      config.attribute_service_location = 'http://idp.com/saml/idp/attribute'
+      config.single_service_post_location = 'http://idp.com/saml/idp/sso'
+      config.name_id.formats = SamlIdp::Default::NAME_ID_FORMAT
+      config.service_provider.metadata_persister = lambda { |_identifier, _service_provider|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.persisted_metadata_getter = lambda { |_identifier, _settings|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.finder = lambda { |_issuer_or_entity_id|
+        {
+          response_hosts: [URI(saml_acs_url).host],
+          acs_url: saml_acs_url,
+          cert: sp_x509_cert,
+          fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert)
+        }
+      }
+    end
+  end
+
   def print_pretty_xml(xml_string)
     doc = REXML::Document.new xml_string
     outbuf = ""

data/spec/support/security_helpers.rb

@@ -58,4 +58,14 @@ module SecurityHelpers
   def r1_signature_2
     @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
   end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php
+  def sp_pv_key
+    @sp_pv_key ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_private_key.pem'))
+  end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php, expired date is 9999
+  def sp_x509_cert
+    @sp_x509_cert ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_x509_cert.crt'))
+  end
 end