saml_idp 0.7.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 67d795e966607dc7c0553d2889e7da7e33b0ba92
-  data.tar.gz: c5eb9c3ab9ae64be8ad5e412a94ad8600b329bbd
+SHA256:
+  metadata.gz: 33008cf3468ff0038f5308fb5820edc2023c071d1d0a046c6778f9fd393d96da
+  data.tar.gz: 95e3adfcc852d0384ae3fa5c8740a820f16db073f83aef78bdba524d3581f8ed
 SHA512:
-  metadata.gz: 4d41a8d82d518fc503b50d7206c1f12a59e822aa73dcd03f067d25521404446f66aba9d6c6ec478bfa7b9bb9794859c92d530e41cdae5ebcf5fe26e61f96e0a9
-  data.tar.gz: c143f75f4326f1f1b927b91b5226797881d2bf2ea69155a4769d3805bd628d199f08edd5466529865cdffe57b2fc657cda3f100138a86aa3040af1e8682f0d10
+  metadata.gz: e66b93acbc0ab6b965258a6ba2c205e4563e197206b94c50dbd5a7603a36ebda7c2dc47d57932b821dcbd4a4e3e033616d2c6879141222b0496a0faa1811af6f
+  data.tar.gz: d3aee5f5466e2b7c70cb9434eb6c0fe3036d55335ec65555c489124ce4d4889e4051969d8f1cc87e2b3a523f1fbbc447a8a609a86e62a4ffd53f0cf4a7f31285

data/Gemfile

@@ -1,2 +1,2 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 gemspec

data/README.md

@@ -1,8 +1,8 @@
 # Ruby SAML Identity Provider (IdP)
 Forked from https://github.com/lawrencepit/ruby-saml-idp
 
-[![Build Status](https://travis-ci.org/sportngin/saml_idp.png)](https://travis-ci.org/sportngin/saml_idp)
-[![Gem Version](https://badge.fury.io/rb/saml_idp.png)](http://badge.fury.io/rb/saml_idp)
+[![Build Status](https://travis-ci.org/saml-idp/saml_idp.svg)](https://travis-ci.org/saml-idp/saml_idp)
+[![Gem Version](https://badge.fury.io/rb/saml_idp.svg)](http://badge.fury.io/rb/saml_idp)
 
 The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows
 your application to act as an IdP (Identity Provider) using the
@@ -93,6 +93,8 @@ CERT
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
   # config.reference_id_generator                                 # Default: -> { UUID.generate }
+  # config.single_logout_service_post_location = "#{base}/saml/logout"
+  # config.single_logout_service_redirect_location = "#{base}/saml/logout"
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
@@ -169,7 +171,11 @@ CERT
   service_providers = {
     "some-issuer-url.com/saml" => {
       fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
-      metadata_url: "http://some-issuer-url.com/saml/metadata"
+      metadata_url: "http://some-issuer-url.com/saml/metadata",
+
+      # We now validate AssertionConsumerServiceURL will match the MetadataURL set above.
+      # *If* it's not going to match your Metadata URL's Host, then set this so we can validate the host using this list
+      response_hosts: ["foo.some-issuer-url.com"]
     },
   }
 
@@ -177,7 +183,7 @@ CERT
   # settings is an IncomingMetadata object which has a to_h method that needs to be persisted
   config.service_provider.metadata_persister = ->(identifier, settings) {
     fname = identifier.to_s.gsub(/\/|:/,"_")
-    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
     File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
       Marshal.dump settings.to_h, f
     end
@@ -188,7 +194,7 @@ CERT
   # `service_provider` you should return the settings.to_h from above
   config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
     fname = identifier.to_s.gsub(/\/|:/,"_")
-    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
     full_filename = Rails.root.join("cache/saml/metadata/#{fname}")
     if File.file?(full_filename)
       File.open full_filename, "rb" do |f|

data/lib/saml_idp/configurator.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
     attr_accessor :service_provider
+    attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
 
     def initialize

data/lib/saml_idp/controller.rb

@@ -35,13 +35,13 @@ module SamlIdp
 
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
-      unless valid_saml_request?
-        if Rails::VERSION::MAJOR >= 4
-          head :forbidden
-        else
-          render nothing: true, status: :forbidden
-        end
+      return true if valid_saml_request?
+      if Rails::VERSION::MAJOR >= 4
+        head :forbidden
+      else
+        render nothing: true, status: :forbidden
       end
+      false
     end
 
     def decode_request(raw_saml_request)

data/lib/saml_idp/incoming_metadata.rb

@@ -22,7 +22,10 @@ module SamlIdp
         ds: signature_namespace,
         md: metadata_namespace
       ).first
-      doc ? !!doc["WantAssertionsSigned"] : false
+      if (doc && !doc['WantAssertionsSigned'].nil?)
+        return doc['WantAssertionsSigned'].strip.downcase == 'true'
+      end
+      return false
     end
     hashable :sign_assertions
 

data/lib/saml_idp/request.rb

@@ -105,6 +105,11 @@ module SamlIdp
         return false
       end
 
+      if !service_provider.acceptable_response_hosts.include?(response_host)
+        log "No acceptable AssertionConsumerServiceURL, either configure them via config.service_provider.response_hosts or match to your metadata_url host"
+        return false
+      end
+
       return true
     end
 
@@ -136,6 +141,14 @@ module SamlIdp
       @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
     end
 
+    def response_host
+      uri = URI(response_url)
+      if uri
+        uri.host
+      end
+    end
+    private :response_host
+
     def document
       @_document ||= Saml::XML::Document.parse(raw_xml)
     end

data/lib/saml_idp/service_provider.rb

@@ -13,6 +13,7 @@ module SamlIdp
     attribute :validate_signature
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
+    attribute :response_hosts
 
     delegate :config, to: :SamlIdp
 
@@ -46,6 +47,19 @@ module SamlIdp
       @current_metadata ||= get_current_or_build
     end
 
+    def acceptable_response_hosts
+      hosts = Array(self.response_hosts)
+      hosts.push(metadata_url_host) if metadata_url_host
+
+      hosts
+    end
+
+    def metadata_url_host
+      if metadata_url.present?
+        URI(metadata_url).host
+      end
+    end
+
     def get_current_or_build
       persisted = metadata_getter[identifier, self]
       if persisted.is_a? Hash

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.7.2'
+  VERSION = '0.8.0'
 end

data/saml_idp.gemspec

@@ -7,28 +7,29 @@ Gem::Specification.new do |s|
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
   s.authors = ["Jon Phenow"]
-  s.email = %q{jon.phenow@sportngin.com}
-  s.homepage = %q{http://github.com/sportngin/saml_idp}
-  s.summary = %q{SAML Indentity Provider in ruby}
-  s.description = %q{SAML IdP (Identity Provider) library in ruby}
+  s.email = 'jon.phenow@sportngin.com'
+  s.homepage = 'https://github.com/saml-idp/saml_idp'
+  s.summary = 'SAML Indentity Provider for Ruby'
+  s.description = 'SAML IdP (Identity Provider) Library for Ruby'
   s.date = Time.now.utc.strftime("%Y-%m-%d")
-  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
-     "LICENSE",
-     "README.md",
-     "Gemfile",
-     "saml_idp.gemspec"
-  ]
+  s.files = Dir['app/**/*', 'lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
   s.required_ruby_version = '>= 2.2'
-  s.license = "LICENSE"
+  s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.rdoc_options = ["--charset=UTF-8"]
+  s.rdoc_options = ['--charset=UTF-8']
+  s.metadata = {
+    'homepage_uri'      => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri'   => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri'   => 'https://github.com/saml-idp/saml_idp/issues',
+    'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
+  }
 
   s.post_install_message = <<-INST
 If you're just recently updating saml_idp - please be aware we've changed the default
 certificate. See the PR and a description of why we've done this here:
-https://github.com/sportngin/saml_idp/pull/29
+https://github.com/saml-idp/saml_idp/pull/29
 
 If you just need to see the certificate `bundle open saml_idp` and go to
 `lib/saml_idp/default.rb`
@@ -43,17 +44,19 @@ section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '~> 2.3')
-  s.add_dependency('builder', '~> 3.0')
+  s.add_dependency('uuid', '>= 2.3')
+  s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
 
-  s.add_development_dependency('rake', '~> 10.4.2')
-  s.add_development_dependency('simplecov', '~> 0.12')
-  s.add_development_dependency('rspec', '~> 2.5')
-  s.add_development_dependency('ruby-saml', '~> 1.3')
-  s.add_development_dependency('rails', '~> 3.2')
-  s.add_development_dependency('capybara', '~> 2.11.0')
-  s.add_development_dependency('timecop', '~> 0.8')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('simplecov')
+  s.add_development_dependency('rspec', '>= 3.7.0')
+  s.add_development_dependency('ruby-saml', '>= 1.5')
+  s.add_development_dependency('rails', '>= 3.2')
+  s.add_development_dependency('activeresource', '>= 3.2')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('timecop', '>= 0.8')
   s.add_development_dependency('xmlenc', '>= 0.6.4')
+  s.add_development_dependency('appraisal')
 end
 

data/spec/acceptance/idp_controller_spec.rb

@@ -4,11 +4,12 @@ feature 'IdpController' do
   scenario 'Login via default signup page' do
     saml_request = make_saml_request("http://foo.example.com/saml/consume")
     visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
-    fill_in 'Email', :with => "foo@example.com"
-    fill_in 'Password', :with => "okidoki"
+    expect(status_code).to eq(200)
+    fill_in 'email', :with => "foo@example.com"
+    fill_in 'password', :with => "okidoki"
     click_button 'Sign in'
     click_button 'Submit'   # simulating onload
-    current_url.should == 'http://foo.example.com/saml/consume'
-    page.should have_content "foo@example.com"
+    expect(current_url).to eq('http://foo.example.com/saml/consume')
+    expect(page).to have_content "foo@example.com"
   end
 end

data/spec/lib/saml_idp/algorithmable_spec.rb

@@ -9,11 +9,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA256
+        expect(algorithm).to eq(OpenSSL::Digest::SHA256)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha256"
+        expect(algorithm_name).to eq("sha256")
       end
     end
 
@@ -23,11 +23,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA512
+        expect(algorithm).to eq(OpenSSL::Digest::SHA512)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha512"
+        expect(algorithm_name).to eq("sha512")
       end
     end
 
@@ -37,11 +37,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA1
+        expect(algorithm).to eq(OpenSSL::Digest::SHA1)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha1"
+        expect(algorithm_name).to eq("sha1")
       end
     end
   end

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -36,14 +36,14 @@ module SamlIdp
 
       it "builds a legit raw XML file" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
 
     it "builds a legit raw XML file" do
       Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-        subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+        expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
       end
     end
 
@@ -55,12 +55,12 @@ module SamlIdp
             email_address: ->(p) { "foo@example.com" }
           }
         }
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "doesn't include attribute statement" do
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+          expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>")
         end
       end
     end
@@ -81,7 +81,7 @@ module SamlIdp
           expiry
         )
         Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
-          builder.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>"
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
         end
       end
     end
@@ -100,14 +100,14 @@ module SamlIdp
         encryption_opts
       )
       encrypted_xml = builder.encrypt
-      encrypted_xml.should_not match(audience_uri)
+      expect(encrypted_xml).to_not match(audience_uri)
     end
 
     describe "with custom session_expiry configuration" do
       let(:config) { SamlIdp::Configurator.new }
       before do
         config.session_expiry = 8
-        SamlIdp.stub(config: config)
+        allow(SamlIdp).to receive(:config).and_return(config)
       end
 
       it "sets default session_expiry from config" do
@@ -123,7 +123,7 @@ module SamlIdp
           expiry,
           encryption_opts
         )
-        builder.session_expiry.should == 8
+        expect(builder.session_expiry).to eq(8)
       end
     end
   end

data/spec/lib/saml_idp/attribute_decorator_spec.rb

@@ -12,19 +12,19 @@ module SamlIdp
     let(:values) { nil }
 
     it "has a valid name" do
-      subject.name.should be_nil
+      expect(subject.name).to be_nil
     end
 
     it "has a valid friendly_name" do
-      subject.friendly_name.should be_nil
+      expect(subject.friendly_name).to be_nil
     end
 
     it "has a valid name_format" do
-      subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
+      expect(subject.name_format).to eq(Saml::XML::Namespaces::Formats::Attr::URI)
     end
 
     it "has a valid values" do
-      subject.values.should == []
+      expect(subject.values).to eq []
     end
 
     describe "with values set" do
@@ -34,19 +34,19 @@ module SamlIdp
       let(:values) { :val }
 
       it "has a valid name" do
-        subject.name.should == name
+        expect(subject.name).to eq(name)
       end
 
       it "has a valid friendly_name" do
-        subject.friendly_name.should == friendly_name
+        expect(subject.friendly_name).to eq(friendly_name)
       end
 
       it "has a valid name_format" do
-        subject.name_format.should == name_format
+        expect(subject.name_format).to eq(name_format)
       end
 
       it "has a valid values" do
-        subject.values.should == [values]
+        expect(subject.values).to eq [values]
       end
     end
   end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -18,32 +18,32 @@ module SamlIdp
     it { should respond_to :session_expiry }
 
     it "has a valid x509_certificate" do
-      subject.x509_certificate.should == Default::X509_CERTIFICATE
+      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      subject.secret_key.should == Default::SECRET_KEY
+      expect(subject.secret_key).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
-      subject.algorithm.should == :sha1
+      expect(subject.algorithm).to eq(:sha1)
     end
 
     it "has a valid reference_id_generator" do
-      subject.reference_id_generator.should respond_to :call
+      expect(subject.reference_id_generator).to respond_to :call
     end
 
 
     it "can call service provider finder" do
-      subject.service_provider.finder.should respond_to :call
+      expect(subject.service_provider.finder).to respond_to :call
     end
 
     it "can call service provider metadata persister" do
-      subject.service_provider.metadata_persister.should respond_to :call
+      expect(subject.service_provider.metadata_persister).to respond_to :call
     end
 
     it 'has a valid session_expiry' do
-      subject.session_expiry.should == 0
+      expect(subject.session_expiry).to eq(0)
     end
   end
 end