saml_idp 0.9.0 → 1.0.0

data/spec/lib/saml_idp/request_spec.rb

@@ -1,106 +1,195 @@
 require 'spec_helper'
-module SamlIdp
-  describe Request do
-    let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
 
-    describe "deflated request" do
-      let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
+RSpec.describe SamlIdp::Request, type: :model do
+  let(:valid_saml_request) { make_saml_request("https://foo.example.com/saml/consume", true) }
+  let(:valid_logout_request) { make_saml_sp_slo_request(security_options: { embed_sign: true })['SAMLRequest'] }
+  let(:invalid_saml_request) { "invalid_saml_request" }
+  let(:external_attributes) { { saml_request: valid_saml_request, relay_state: "state" } }
 
-      subject { described_class.from_deflated_request deflated_request }
+  describe ".from_deflated_request" do
+    context "when request is valid and deflated" do
+      it "inflates and decodes the request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "inflates" do
-        expect(subject.request_id).to eq("_af43d1a0-e111-0130-661a-3c0754403fdb")
+        expect { Saml::XML::Document.parse(request.raw_xml) }.not_to raise_error
       end
+    end
 
-      it "handles invalid SAML" do
-        req = described_class.from_deflated_request "bang!"
-        expect(req.valid?).to eq(false)
+    context "when request is invalid" do
+      it "returns an empty inflated string" do
+        request = SamlIdp::Request.from_deflated_request(nil)
+        expect(request.raw_xml).to eq("")
       end
     end
+  end
 
-    describe "authn request" do
-      subject { described_class.new raw_authn_request }
-
-      it "has a valid request_id" do
-        expect(subject.request_id).to eq("_af43d1a0-e111-0130-661a-3c0754403fdb")
-      end
+  describe "#logout_request?" do
+    it "returns true for a valid logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.logout_request?).to be true
+    end
 
-      it "has a valid acs_url" do
-        expect(subject.acs_url).to eq("http://localhost:3000/saml/consume")
-      end
+    it "returns false for a non-logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.logout_request?).to be false
+    end
+  end
 
-      it "has a valid service_provider" do
-        expect(subject.service_provider).to be_a ServiceProvider
-      end
+  describe "#authn_request?" do
+    it "returns true for a valid authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.authn_request?).to be true
+    end
 
-      it "has a valid service_provider" do
-        expect(subject.service_provider).to be_truthy
-      end
+    it "returns false for a non-authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.authn_request?).to be false
+    end
+  end
 
-      it "has a valid issuer" do
-        expect(subject.issuer).to eq("localhost:3000")
-      end
+  describe "#valid?" do
+    let(:sp_issuer) { "test_issuer" }
+    let(:valid_service_provider) do 
+      instance_double(
+        "SamlIdp::ServiceProvider",
+        valid?: true,
+        acs_url: 'https://foo.example.com/saml/consume',
+        current_metadata: instance_double("Metadata", sign_authn_request?: true),
+        assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+        sign_authn_request: true,
+        acceptable_response_hosts: ["foo.example.com"],
+        cert: sp_x509_cert,
+        fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert, :sha256),
+      )
+    end
+    
+    before do
+      allow_any_instance_of(SamlIdp::Request).to receive(:service_provider).and_return(valid_service_provider)
+      allow_any_instance_of(SamlIdp::Request).to receive(:issuer).and_return(sp_issuer)
+    end
 
-      it "has a valid valid_signature" do
-        expect(subject.valid_signature?).to be_truthy
+    context "when the request is valid" do
+      it "returns true for a valid authn request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
 
-      it "should return acs_url for response_url" do
-        expect(subject.response_url).to eq(subject.acs_url)
+      it "returns true for a valid logout request" do
+        request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
+    end
 
-      it "is a authn request" do
-        expect(subject.authn_request?).to eq(true)
-      end
+    context 'when signature provided as external param' do
+      let!(:uri_query) { make_saml_sp_slo_request(security_options: { embed_sign: false }) }
+      let(:raw_saml_request) { uri_query['SAMLRequest'] }
+      let(:relay_state) { uri_query['RelayState'] }
+      let(:siging_algorithm) { uri_query['SigAlg'] }
+      let(:signature) { uri_query['Signature'] }
 
-      it "fetches internal request" do
-        expect(subject.request['ID']).to eq(subject.request_id)
+      subject do
+        described_class.from_deflated_request(
+          raw_saml_request,
+          saml_request: raw_saml_request,
+          relay_state: relay_state,
+          sig_algorithm: siging_algorithm,
+          signature: signature
+        )
       end
 
-      it "has a valid authn context" do
-        expect(subject.requested_authn_context).to eq("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
+      it "should validate the request" do
+        expect(subject.valid_external_signature?).to be true
+        expect(subject.errors).to be_empty
       end
 
-      it "does not permit empty issuer" do
-        raw_req = raw_authn_request.gsub('localhost:3000', '')
-        authn_request = described_class.new raw_req
-        expect(authn_request.issuer).to_not eq('')
-        expect(authn_request.issuer).to be_nil
-        expect(authn_request.valid?).to eq(false)
+      it "should collect errors when the signature is invalid" do
+        allow(subject).to receive(:valid_external_signature?).and_return(false)
+        expect(subject.valid?).to eq(false)
+        expect(subject.errors).to include(:invalid_external_signature)
       end
     end
 
-    describe "logout request" do
-      let(:raw_logout_request) { "<LogoutRequest ID='_some_response_id' Version='2.0' IssueInstant='2010-06-01T13:00:00Z' Destination='http://localhost:3000/saml/logout' xmlns='urn:oasis:names:tc:SAML:2.0:protocol'><Issuer xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>http://example.com</Issuer><NameID xmlns='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'>some_name_id</NameID><SessionIndex>abc123index</SessionIndex></LogoutRequest>" }
-
-      subject { described_class.new raw_logout_request }
+    context "when the service provider is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:service_provider?).and_return(false)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "has a valid request_id" do
-        expect(subject.request_id).to eq('_some_response_id')
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:sp_not_found)
       end
+    end
 
-      it "should be flagged as a logout_request" do
-        expect(subject.logout_request?).to eq(true)
+    context "when empty certificate for authn request validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
+      end
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "should have a valid name_id" do
-        expect(subject.name_id).to eq('some_name_id')
+    context "when empty certificate for logout validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
       end
 
-      it "should have a session index" do
-        expect(subject.session_index).to eq('abc123index')
+      before do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
       end
 
-      it "should have a valid issuer" do
-        expect(subject.issuer).to eq('http://example.com')
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "fetches internal request" do
-        expect(subject.request['ID']).to eq(subject.request_id)
+    context "when both authn and logout requests are present" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(true)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:unaccepted_request)
       end
+    end
+
+    context "when the signature is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:valid_signature?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:log)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "should return logout_url for response_url" do
-        expect(subject.response_url).to eq(subject.logout_url)
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:invalid_embedded_signature)
       end
     end
   end

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -6,12 +6,14 @@ module SamlIdp
     let(:saml_acs_url) { "http://sportngin.com" }
     let(:saml_request_id) { "134" }
     let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    let(:algorithm) { :sha256 }
     subject { described_class.new(
       response_id,
       issuer_uri,
       saml_acs_url,
       saml_request_id,
-      assertion_and_signature
+      assertion_and_signature,
+      algorithm
     ) }
 
     before do

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -24,6 +24,10 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:signed_response_opts) { true }
+    let(:unsigned_response_opts) { false }
+    let(:signed_assertion_opts) { true }
+    let(:compress_opts) { false }
     let(:subject_encrypted) { described_class.new(reference_id,
                                   response_id,
                                   issuer_uri,
@@ -35,7 +39,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   encryption_opts,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  unsigned_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -50,7 +59,12 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   nil,
-                                  session_expiry
+                                  session_expiry,
+                                  nil,
+                                  nil,
+                                  signed_response_opts,
+                                  signed_assertion_opts,
+                                  compress_opts
                                  )
     }
 
@@ -66,17 +80,137 @@ module SamlIdp
       expect(subject.build).to be_present
     end
 
-    it "builds encrypted" do
-      expect(subject_encrypted.build).to_not match(audience_uri)
-      encoded_xml = subject_encrypted.build
+    context "encrypted" do
+      it "builds encrypted" do
+        expect(subject_encrypted.build).to_not match(audience_uri)
+        encoded_xml = subject_encrypted.build
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
+        saml_resp.soft = false
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+    end
+
+    context "signed response" do
+      let(:resp_settings) do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.private_key = Default::SECRET_KEY
+        resp_settings.issuer = audience_uri
+        resp_settings
+      end
+
+      it "will build signed valid response" do
+        expect { subject.build }.not_to raise_error
+        signed_encoded_xml = subject.build
+        saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+        expect(
+          Nokogiri::XML(saml_resp.response).at_xpath(
+          "//p:Response//ds:Signature",
+          {
+            "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "ds" => "http://www.w3.org/2000/09/xmldsig#"
+          }
+        )).to be_present
+        expect(saml_resp.send(:validate_signature)).to eq(true)
+        expect(saml_resp.is_valid?).to eq(true)
+      end
+
+      context "when signed_assertion_opts is true" do
+        it "builds a signed assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to be_present
+        end
+      end
+
+      context "when signed_assertion_opts is false" do
+        let(:signed_assertion_opts) { false }
+
+        it "builds a raw assertion" do
+          expect { subject.build }.not_to raise_error
+          signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//a:Assertion",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "a" => "urn:oasis:names:tc:SAML:2.0:assertion"
+            }
+          )).to be_present
+
+          expect(
+            Nokogiri::XML(saml_resp.response).at_xpath(
+            "//p:Response//Assertion//ds:Signature",
+            {
+              "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "ds" => "http://www.w3.org/2000/09/xmldsig#"
+            }
+          )).to_not be_present
+        end
+      end
+
+      context "when compress opts is true" do
+        let(:compress_opts) { true }
+        it "will build a compressed valid response" do
+          expect { subject.build }.not_to raise_error
+          compressed_signed_encoded_xml = subject.build
+          saml_resp = OneLogin::RubySaml::Response.new(compressed_signed_encoded_xml, settings: resp_settings)
+          expect(saml_resp.send(:validate_signature)).to eq(true)
+          expect(saml_resp.is_valid?).to eq(true)
+        end
+      end
+    end
+
+    it "will build signed valid response" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
       resp_settings = saml_settings(saml_acs_url)
       resp_settings.private_key = Default::SECRET_KEY
       resp_settings.issuer = audience_uri
-      saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
-      saml_resp.soft = false
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+        "//p:Response//ds:Signature",
+        {
+          "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        }
+      )).to be_present
+      expect(saml_resp.send(:validate_signature)).to eq(true)
       expect(saml_resp.is_valid?).to eq(true)
     end
 
+    it "will pass reference_id as SessionIndex" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+          "//saml:AuthnStatement/@SessionIndex",
+          {
+            "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+        ).value
+      ).to eq("_#{reference_id}")
+    end
+
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
       expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601

data/spec/rails_app/app/controllers/saml_controller.rb

@@ -2,11 +2,7 @@ class SamlController < ApplicationController
 
   def consume
     response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
-    if Gem::Requirement.new('< 4.1') =~ Gem::Version.new(Rails.version)
-      render :text => response.name_id
-    else
-      render :plain => response.name_id
-    end
+    render :plain => response.name_id
   end
 
 end

data/spec/rails_app/app/controllers/saml_idp_controller.rb

@@ -1,9 +1,61 @@
-class SamlIdpController < SamlIdp::IdpController
+class SamlIdpController < ApplicationController
+  include SamlIdp::Controller
+
+  if Rails::VERSION::MAJOR >= 4
+    before_action :add_view_path, only: [:new, :create, :logout]
+    before_action :validate_saml_request, only: [:new, :create, :logout]
+  else
+    before_filter :add_view_path, only: [:new, :create, :logout]
+    before_filter :validate_saml_request, only: [:new, :create, :logout]
+  end
+
+  def new
+    render template: "saml_idp/idp/new"
+  end
+
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    unless params[:email].blank? && params[:password].blank?
+      person = idp_authenticate(params[:email], params[:password])
+      if person.nil?
+        @saml_idp_fail_msg = "Incorrect email or password."
+      else
+        @saml_response = idp_make_saml_response(person)
+        render :template => "saml_idp/idp/saml_post", :layout => false
+        return
+      end
+    end
+    render :template => "saml_idp/idp/new"
+  end
+
+  def logout
+    idp_logout
+    @saml_response = idp_make_saml_response(nil)
+    render :template => "saml_idp/idp/saml_post", :layout => false
+  end
+
+  def idp_logout
+    raise NotImplementedError
+  end
+  private :idp_logout
+
   def idp_authenticate(email, password)
     { :email => email }
   end
+  protected :idp_authenticate
 
-  def idp_make_saml_response(user)
-    encode_response(user[:email])
+  def idp_make_saml_response(person)
+    encode_response(person[:email])
   end
+  protected :idp_make_saml_response
+
+  private
+
+  def add_view_path
+    prepend_view_path("app/views")
+  end
+
 end

data/{app → spec/rails_app/app}/views/saml_idp/idp/new.html.erb

@@ -1,22 +1,21 @@
 <% if @saml_idp_fail_msg %>
   <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
 <% end %>
-
 <%= form_tag do %>
   <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
   <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+  <%= hidden_field_tag("SigAlg", params[:SigAlg]) %>
+  <%= hidden_field_tag("Signature", params[:Signature]) %>
 
   <p>
     <%= label_tag :email %>
     <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= label_tag :password %>
     <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
   </p>
-
   <p>
     <%= submit_tag "Sign in", :class => "button big blueish" %>
   </p>
-<% end %>
+<% end %>

data/{app → spec/rails_app/app}/views/saml_idp/idp/saml_post.html.erb

@@ -11,4 +11,4 @@
       <%= submit_tag "Submit" %>
     <% end %>
   </body>
-</html>
+</html>

data/spec/rails_app/config/application.rb

@@ -18,6 +18,7 @@ module RailsApp
 
     # Custom directories with classes and modules you want to be autoloadable.
     # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %w[app/controllers]
 
     # Only load the plugins named here, in the order given (default is alphabetical).
     # :all can be used as a placeholder for all plugins not explicitly named.

data/spec/rails_app/config/boot.rb

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
 
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/spec/rails_app/config/environments/development.rb

@@ -29,4 +29,6 @@ RailsApp::Application.configure do
   # Log the query plan for queries taking more than this (works
   # with SQLite, MySQL, and PostgreSQL)
   #config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  config.hosts << "foo.example.com" if config.respond_to?(:hosts)
 end

data/spec/spec_helper.rb

@@ -43,9 +43,28 @@ RSpec.configure do |config|
       }
     end
   end
+
+  # To reset to default config
+  config.after do
+    SamlIdp.instance_variable_set(:@config, nil)
+    SamlIdp.configure do |c|
+      c.attributes = {
+        emailAddress: {
+          name: "email-address",
+          getter: ->(p) { "foo@example.com" }
+        }
+      }
+
+      c.name_id.formats = {
+        "1.1" => {
+          email_address: ->(p) { "foo@example.com" }
+        }
+      }
+    end
+  end
 end
 
 SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'
 SamlIdp::Default::SERVICE_PROVIDER[:response_hosts] = ['foo.example.com']
 SamlIdp::Default::SERVICE_PROVIDER[:assertion_consumer_logout_service_url] = 'https://foo.example.com/saml/logout'
-Capybara.default_host = "https://app.example.com"
+Capybara.default_host = "https://foo.example.com"

data/spec/support/certificates/sp_cert_req.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAmpwMQ4wDAYDVQQIDAVUb2t5bzELMAkG
+A1UECgwCR1MxIDAeBgNVBAMMF2h0dHBzOi8vZm9vLmV4YW1wbGUuY29tMQwwCgYD
+VQQHDANGb28xDDAKBgNVBAsMA0JvbzEeMBwGCSqGSIb3DQEJARYPZm9vQGV4YW1w
+bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8DVj2mVLQV7AjT+cn
+Lv3kDnQFvAo3RdUeGGhplsYFacYByzNRD/jeguu1ahrvznDyZN8p3yB7OPbmt0r0
+aGr+yYzPh6brgkf5u6FMtWTj94vLQuT/uyQGuzdBkiLb5mAWRMtm43oHXDK0v25J
+tsG1PJnntkXfBDpFP1eWLO+jZwIDAQABoAAwDQYJKoZIhvcNAQENBQADgYEAd/J6
+5zjrMhgjxuaMuWCiNN7IS4F9SKy+gEmhkpNVCpChbpggruaEIoERjDP/TkZn2dgL
+VUeHTZB92t+wWfQbHNvEfbzqlV3XkuHkxewCwofnIV/k+8zG1Al5ELSKHehItxig
+rnTuBrFYsd2j4HEVqLzm4NyCfL+xzn/D4U2ec50=
+-----END CERTIFICATE REQUEST-----

data/spec/support/certificates/sp_private_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALwNWPaZUtBXsCNP
+5ycu/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3
+SvRoav7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/
+bkm2wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAECgYEArwclVHCkebIECPnnxbqhKNCj
+AGtifsuKbrZ9CDoDGSq31xeQLdTV6BSm2nVlmOnmilWEuG4qx0Xf2CGlrBI78kmv
+vHCfFdaGnTxbmYnD0HN0u4RK2trsxWO+rEkJk14JE2eVD6ZRPrq1UOSMgGPrQSMb
+SuwAHUu/j94eL8BXuhECQQD3jTlo3Y4VPWttP6XPNqKDP+jRYJs5G0Bch//S9Qy7
+QzmU9/yAUk0BEOyqYcLxinjJhoq6bR2fiIibn+77z3jtAkEAwnhLwkGYOb7Nt3V6
+dQLKx1BP9dnYH7qG/sCmAs7GHPv4LGluaz4zsh2pdEDF/Xar4gwTzUpxYo8FpkCH
+rf4nIwJAVfWnGr/cR4nVVNFGHUcGdXbqvFHEdLb+yWK8NZ+79Qap5w2Zk2GAtb8P
+vzZFQCRqPuhGIegj4jLB5PBLRwtLHQJBAJiWyWL4ExikRUhBTr/HXBL+Sm9u6i0j
+L89unBQx6LNPZhB6/Z/6Y5fLvG2ycWgLGJ06usLnOYaLEHS9x3hXpp8CQQCdtQHw
+xeLBPhRDpfWWbSmFr+bFxyD/4iQHTHToIs3kaecn6OJ4rczIFpGm2Bm7f4X7F3H3
+DDy4jZ0R6iDqCcQD
+-----END PRIVATE KEY-----