samlr 2.0.0

data/lib/samlr/tools/timestamp.rb

@@ -0,0 +1,26 @@
+module Samlr
+  module Tools
+    module Timestamp
+
+      # Generate a current timestamp in ISO8601 format
+      def self.stamp(time = Time.now)
+        time.utc.iso8601
+      end
+
+      def self.parse(value)
+        Time.iso8601(value)
+      end
+
+      # Is the current time on or after the given time?
+      def self.not_on_or_after?(time)
+        Time.now.to_i <= (time.to_i + Samlr.jitter.to_i)
+      end
+
+      # True when the current time is not before the given time
+      def self.not_before?(time)
+        Time.now.to_i >= (time.to_i - Samlr.jitter.to_i)
+      end
+
+    end
+  end
+end

data/samlr.gemspec

@@ -0,0 +1,19 @@
+Gem::Specification.new "samlr", "2.0.0" do |s|
+  s.summary     = "Ruby tools for SAML"
+  s.description = "Helps you implement a SAML SP"
+  s.authors     = ["Morten Primdahl"]
+  s.email       = "primdahl@me.com"
+  s.homepage    = "http://github.com/zendesk/samlr"
+  s.files       = `git ls-files`.split("\n")
+  s.license     = "Apache License Version 2.0"
+
+  s.add_runtime_dependency("nokogiri", ">= 1.5.5")
+  s.add_runtime_dependency("uuidtools", ">= 2.1.3")
+  s.add_runtime_dependency("trollop", ">= 1.16.2")
+
+  s.add_development_dependency("rake")
+  s.add_development_dependency("bundler")
+  s.add_development_dependency("minitest")
+
+  s.executables << "samlr"
+end

data/test/fixtures/default_samlr_certificate.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATegAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEU
+MBIGA1UECgwLZXhhbXBsZS5vcmcxHTAbBgNVBAsMFFphbWwgUmVzcG9uc2VCdWls
+ZGVyMQswCQYDVQQDDAJDQTAeFw0xMjA4MDgwMjAxMDlaFw0zMjA4MDMwMjAxMTRa
+ME8xCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtleGFtcGxlLm9yZzEdMBsGA1UECwwU
+WmFtbCBSZXNwb25zZUJ1aWxkZXIxCzAJBgNVBAMMAkNBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZ
+FAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAATANBgkqhkiG9w0BAQUFAANB
+AKU10RznL2p7xRhO9vOh0CY+gWYmT2kbkLTVRYLApghQFAW8EzIHC/NggfEHM554
+ykzbbPwjSvM7cRBBDHYuWoY=
+-----END CERTIFICATE-----

data/test/fixtures/default_samlr_private_key.pem

@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZ
+FAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAAQJADZ4QgdhkerzsBEDaf6YN
+KQzw7pB79SjKmRnJSB+C9oVo8SE5cDyaomwCCnnYFJm8ACJzCVXhA0eElTtWvkqT
+wQIhAN+rx2zckCPEBH+pxJ6HOkmDG28EUOP3J2llTUA/zArxAiEA0XCgPzCnWdcH
+eJN8z7QLLEGJ/JFTZpgr959RQYuBBpUCIEhrEsehZh3eYmJ/MgTt3aZdh61bJWGZ
+7S3HucpanZLRAiEAzucLd8Fx4f/aYpSZXXtI+lx4m6lZkeXMsaCTHkRZn40CIQDX
+fYUO1wQNBw/mXihtz+jal+kCP7xu0zrOhTQR+UXL9A==
+-----END RSA PRIVATE KEY-----

data/test/fixtures/no_cert_response.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-a61f02dc-c4df-11e2-ac02-a4b197fffe98" InResponseTo="samlr-a61c3746-c4df-11e2-ac02-a4b197fffe98" Version="2.0" IssueInstant="2013-05-25T02:06:01Z" Destination="https://example.org/saml/endpoint"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-a61f02dc-c4df-11e2-ac02-a4b197fffe98"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>4Eqkol24EsDrPhY9crTX+TJ8SNM=</DigestValue></Reference></SignedInfo><SignatureValue>hXwitIsw2ZY9/vQCY9feMYf0jn22VdSBDS6ai7F9Ay8QbWQ+R6WI9+k3WatAXMzxnz8lrF3XhL8HoQPac4RCeA==</SignatureValue></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98" IssueInstant="2013-05-25T02:06:01Z" Version="2.0"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>3Hd1NIIArmJNLnxjTYG9YY5T1Bw=</DigestValue></Reference></SignedInfo><SignatureValue>NFL3r1Fu0PnKQVUsG6o0l+qjYydGlxTR9w5h06ef+85EjFR4YnJJ7p5p0vSeFuOyvoJZ8OmfbJy9h+1Vbmveig==</SignatureValue></Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.org</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="samlr-a61c3746-c4df-11e2-ac02-a4b197fffe98" NotOnOrAfter="2013-05-25T02:07:01Z" Recipient="https://example.org/saml/endpoint"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-05-25T02:05:01Z" NotOnOrAfter="2013-05-25T02:07:01Z"><saml:AudienceRestriction><saml:Audience>example.org</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-05-25T02:06:01Z" SessionIndex="samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/test/fixtures/sample_metadata.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/saml2">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:NameIDFormat>identity_format</md:NameIDFormat>
+    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://support.sp.example.com/"/>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>

data/test/fixtures/sample_response.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-26a4eb6c-e271-11e1-a29c-000a27020041" InResponseTo="samlr-26a4e82e-e271-11e1-a29c-000a27020041" Version="2.0" IssueInstant="2012-08-09T22:25:40Z" Destination="https://example.org/saml/endpoint"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-26a4eb6c-e271-11e1-a29c-000a27020041"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>n4k8S7PsriEcj2en2fXnMwgWruU=</DigestValue></Reference></SignedInfo><SignatureValue>pNUUwVRL92E5tFk1+p77geJqV62PuaG5x27Dn+Xi4ff18NSMLb/XmbL2PJIakYOtwMuwQiNX9qioY3Pt1o/CMw==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIBjTCCATegAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLZXhhbXBsZS5vcmcxHTAbBgNVBAsMFFphbWwgUmVzcG9uc2VCdWlsZGVyMQswCQYDVQQDDAJDQTAeFw0xMjA4MDgwMjAxMDlaFw0zMjA4MDMwMjAxMTRaME8xCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtleGFtcGxlLm9yZzEdMBsGA1UECwwUWmFtbCBSZXNwb25zZUJ1aWxkZXIxCzAJBgNVBAMMAkNBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZFAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAATANBgkqhkiG9w0BAQUFAANBAKU10RznL2p7xRhO9vOh0CY+gWYmT2kbkLTVRYLApghQFAW8EzIHC/NggfEHM554ykzbbPwjSvM7cRBBDHYuWoY=</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="samlr-26a4ed1a-e271-11e1-a29c-000a27020041" IssueInstant="2012-08-09T22:25:40Z" Version="2.0"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-26a4ed1a-e271-11e1-a29c-000a27020041"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>f6uCnv1PdZqKp/0dz6YtfSFaiHQ=</DigestValue></Reference></SignedInfo><SignatureValue>VqW1I4hlWN3ciKjZ1WUaouvita1e7CldZB0UQKtVrnIdO+6XI7R3i12jfDAKmclQ1E6VrNIdV4/D5eGTRjdTjQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIBjTCCATegAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLZXhhbXBsZS5vcmcxHTAbBgNVBAsMFFphbWwgUmVzcG9uc2VCdWlsZGVyMQswCQYDVQQDDAJDQTAeFw0xMjA4MDgwMjAxMDlaFw0zMjA4MDMwMjAxMTRaME8xCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtleGFtcGxlLm9yZzEdMBsGA1UECwwUWmFtbCBSZXNwb25zZUJ1aWxkZXIxCzAJBgNVBAMMAkNBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZFAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAATANBgkqhkiG9w0BAQUFAANBAKU10RznL2p7xRhO9vOh0CY+gWYmT2kbkLTVRYLApghQFAW8EzIHC/NggfEHM554ykzbbPwjSvM7cRBBDHYuWoY=</X509Certificate></X509Data></KeyInfo></Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.org</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="samlr-26a4e82e-e271-11e1-a29c-000a27020041" NotOnOrAfter="2012-08-09T22:26:40Z" Recipient="https://example.org/saml/endpoint"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-08-09T22:24:40Z" NotOnOrAfter="2012-08-09T22:26:40Z"><saml:AudienceRestriction><saml:Audience>example.org</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-08-09T22:25:40Z" SessionIndex="samlr-26a4ed1a-e271-11e1-a29c-000a27020041"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/test/test_helper.rb

@@ -0,0 +1,55 @@
+require "bundler"
+require "minitest/autorun"
+
+Bundler.require
+
+require "time"
+require "base64"
+require "tmpdir"
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+
+require "samlr"
+require "samlr/tools/response_builder"
+require "samlr/tools/certificate_builder"
+
+FIXTURE_PATH     = File.join(File.dirname(__FILE__), "fixtures")
+TEST_CERTIFICATE = Samlr::Tools::CertificateBuilder.load(FIXTURE_PATH, "default_samlr")
+
+def saml_response_document(options = {})
+  # Test defaults
+  options = {
+    :destination     => "https://example.org/saml/endpoint",
+    :in_response_to  => Samlr::Tools.uuid,
+    :name_id         => "someone@example.org",
+    :audience        => "example.org",
+    :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
+    :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
+    :response_id     => Samlr::Tools.uuid
+  }.merge(options)
+
+  Samlr::Tools::ResponseBuilder.build(options)
+end
+
+def saml_response(options = {})
+  fingerprint   = options[:fingerprint]
+  fingerprint ||= options[:certificate] ? Samlr::Fingerprint.x509(options[:certificate].x509) : nil
+
+  Samlr::Response.new(saml_response_document(options), :fingerprint => fingerprint)
+end
+
+# A response that never changes. Useful for digest checks etc.
+def fixed_saml_response(options = {})
+  options = {
+    :certificate     => TEST_CERTIFICATE,
+    :issue_instant   => Samlr::Tools::Timestamp.stamp(Time.at(1344379365)),
+    :response_id     => "samlr123",
+    :assertion_id    => "samlr456",
+    :in_response_to  => "samlr789",
+    :attributes      => { "tags" => "mean horse", "things" => [ "one", "two", "three" ] },
+    :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.at(1344379365 + 60)),
+    :not_before      => Samlr::Tools::Timestamp.stamp(Time.at(1344379365 - 60))
+  }.merge(options)
+
+  saml_response(options)
+end

data/test/unit/test_assertion.rb

@@ -0,0 +1,54 @@
+require File.expand_path("test/test_helper")
+require "time"
+
+describe Samlr::Assertion do
+  subject { fixed_saml_response.assertion }
+
+  describe "#skip_conditions?" do
+    it "reflects the passed options" do
+      assert Samlr::Assertion.new(nil, :skip_conditions => true).send(:skip_conditions?)
+      refute Samlr::Assertion.new(nil, :skip_conditions => false).send(:skip_conditions?)
+    end
+  end
+
+  describe "#attributes" do
+    it "returns a hash of assertion attributes" do
+      assert_equal subject.attributes[:tags], "mean horse"
+      assert_equal subject.attributes["tags"], "mean horse"
+    end
+
+    it "turns multiple attribute values into an array" do
+      assert_equal subject.attributes["things"].sort, [ "one", "two", "three" ].sort
+    end
+  end
+
+  describe "#name_id" do
+    it "returns the body of the NameID element" do
+      assert_equal "someone@example.org", subject.name_id
+    end
+  end
+
+  describe "#verify!" do
+    before do
+      @unsatisfied_condition = Samlr::Condition.new("NotBefore" => Samlr::Tools::Timestamp.stamp(Time.now + 60))
+    end
+
+    describe "when conditions are not met" do
+      it "should raise" do
+        subject.stub(:conditions, @unsatisfied_condition) do
+          assert_raises(Samlr::ConditionsError) { subject.verify! }
+        end
+      end
+
+      describe "and conditions are to be skipped" do
+        it "should pass" do
+          subject.stub(:skip_conditions?, true) do
+            subject.stub(:conditions, @unsatisfied_condition) do
+              assert subject.verify!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/test/unit/test_condition.rb

@@ -0,0 +1,71 @@
+require File.expand_path("test/test_helper")
+
+def condition(before, after)
+  Samlr::Condition.new(
+    "NotBefore"    => before ? before.utc.iso8601 : nil,
+    "NotOnOrAfter" => after  ? after.utc.iso8601  : nil
+  )
+end
+
+describe Samlr::Condition do
+  before do
+    @not_before = (Time.now - 10*60)
+    @not_after  = (Time.now + 10*60)
+  end
+
+  describe "verify!" do
+    describe "when the lower time has not been met" do
+      before  { @not_before = (Time.now + 5*60) }
+      subject { condition(@not_before, @not_after) }
+
+      it "raises an exception" do
+        assert subject.not_on_or_after_satisfied?
+        refute subject.not_before_satisfied?
+
+        begin
+          subject.verify!
+          flunk "Expected exception"
+        rescue Samlr::ConditionsError => e
+          assert_match /Not before/, e.message
+        end
+      end
+    end
+
+    describe "when the upper time has been exceeded" do
+      before { @not_after = (Time.now - 5*60) }
+      subject { condition(@not_before, @not_after) }
+
+      it "raises an exception" do
+        refute subject.not_on_or_after_satisfied?
+        assert subject.not_before_satisfied?
+
+        begin
+          subject.verify!
+          flunk "Expected exception"
+        rescue Samlr::ConditionsError => e
+          assert_match /Not on or after/, e.message
+        end
+      end
+    end
+
+    describe "when no time boundary has been exeeded" do
+      subject { condition(@not_before, @not_after) }
+
+      it "returns true" do
+        assert subject.verify!
+      end
+    end
+  end
+
+  describe "#not_before_satisfied?" do
+    it "returns true when passed a nil value" do
+      assert Samlr::Condition.new({}).not_before_satisfied?
+    end
+  end
+
+  describe "#not_on_or_after_satisfied?" do
+    it "returns true when passed a nil value" do
+      assert Samlr::Condition.new({}).not_on_or_after_satisfied?
+    end
+  end
+end

data/test/unit/test_fingerprint.rb

@@ -0,0 +1,45 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Fingerprint do
+  describe "#new" do
+    it "generates an invalid fingerprint for nil" do
+      refute Samlr::Fingerprint.new(nil).valid?
+    end
+  end
+
+  describe "::normalize!" do
+    it "converts input to fingerprint normal form" do
+      assert_equal "AF:44", Samlr::Fingerprint.normalize("aF44 :-+6t")
+    end
+  end
+
+  describe "#==" do
+    it "compares two fingerprints" do
+      assert (Samlr::Fingerprint.new("aa:33") == Samlr::Fingerprint.new("AA:33"))
+      assert (Samlr::Fingerprint.new("aa:33") != Samlr::Fingerprint.new("AA:34"))
+      assert (Samlr::Fingerprint.new("") != Samlr::Fingerprint.new(""))
+    end
+  end
+
+  describe "#compare!" do
+    it "raises when fingerprints do not equal" do
+      assert_raises(Samlr::FingerprintError) do
+        Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("bb:35"))
+      end
+    end
+
+    it "stores fingerprints on the exception" do
+      begin
+        Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("bb:35"))
+        flunk "Exception expected"
+      rescue Samlr::FingerprintError => e
+        assert_equal "Fingerprint mismatch", e.message
+        assert_equal "AA:34 vs. BB:35", e.details
+      end
+    end
+
+    it "doesn't raise when fingerprints are equal" do
+      assert Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("aa:34"))
+    end
+  end
+end

data/test/unit/test_logout_request.rb

@@ -0,0 +1,39 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::LogoutRequest do
+  before do
+    @request = Samlr::LogoutRequest.new(
+      :issuer => "https://sp.example.com/saml2",
+      :name_id => "test@test.com"
+    )
+  end
+
+  describe "#body" do
+    it "should return the generated XML" do
+      document = Nokogiri::XML(@request.body) { |c| c.strict }
+      assert document.at("/samlp:LogoutRequest", Samlr::NS_MAP)
+    end
+
+    it "should delegate the building to the LogoutRequestBuilder" do
+      Samlr::Tools::LogoutRequestBuilder.stub(:build, "hello") do
+        assert_match "hello", @request.body
+      end
+    end
+  end
+
+  describe "#param" do
+    it "returns the encoded body" do
+      @request.stub(:body, "hello") do
+        assert_equal Samlr::Tools.encode("hello"), @request.param
+      end
+    end
+  end
+
+  describe "#url" do
+    it "returns a valid URL" do
+      @request.stub(:param, "hello") do
+        assert_equal("https://foo.com/?SAMLRequest=hello&foo=bar", @request.url("https://foo.com/", :foo => "bar"))
+      end
+    end
+  end
+end

data/test/unit/test_reference.rb

@@ -0,0 +1,32 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Reference do
+  before do
+    @response  = fixed_saml_response
+    @reference = @response.signature.send(:references).first
+  end
+
+  describe "#uri" do
+    it "should return the normalized URI" do
+      assert_equal "samlr123", @reference.uri
+    end
+  end
+
+  describe "#digest_method" do
+    it "should return the digest implementation" do
+      assert_equal OpenSSL::Digest::SHA1, @reference.digest_method
+    end
+  end
+
+  describe "#digest_value" do
+    it "should return the verbatim value" do
+      assert_equal "OSVXSTu8W+eGao6muxUHXcKQwZU=", @reference.digest_value
+    end
+  end
+
+  describe "namespaces" do
+    it "should return the inclusive namespaces" do
+      assert_equal ["#default", "samlp", "saml", "ds", "xs", "xsi"].sort, @reference.namespaces.sort
+    end
+  end
+end

data/test/unit/test_request.rb

@@ -0,0 +1,34 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Request do
+  before { @request = Samlr::Request.new }
+
+  describe "#body" do
+    it "should return the generated XML" do
+      document = Nokogiri::XML(@request.body) { |c| c.strict }
+      assert document.at("/samlp:AuthnRequest", Samlr::NS_MAP)
+    end
+
+    it "should delegate the building to the RequestBuilder" do
+      Samlr::Tools::RequestBuilder.stub(:build, "hello") do
+        assert_match "hello", @request.body
+      end
+    end
+  end
+
+  describe "#param" do
+    it "returns the encoded body" do
+      @request.stub(:body, "hello") do
+        assert_equal Samlr::Tools.encode("hello"), @request.param
+      end
+    end
+  end
+
+  describe "#url" do
+    it "returns a valid URL" do
+      @request.stub(:param, "hello") do
+        assert_equal("https://foo.com/?SAMLRequest=hello&foo=bar", @request.url("https://foo.com/", :foo => "bar"))
+      end
+    end
+  end
+end

data/test/unit/test_response.rb

@@ -0,0 +1,94 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Response do
+
+  subject { fixed_saml_response }
+
+  describe "#name_id" do
+    it "delegates to the assertion" do
+      subject.assertion.stub(:name_id, "george") do
+        assert_equal("george", subject.name_id)
+      end
+    end
+  end
+
+  describe "#attributes" do
+    it "delegates to the assertion" do
+      subject.assertion.stub(:attributes, { :name => "george" }) do
+        assert_equal({ :name => "george" }, subject.attributes)
+      end
+    end
+  end
+
+  describe "#location" do
+    it "should return proper assertion location" do
+      assert_equal "//saml:Assertion[@ID='samlr456']", subject.assertion.location
+    end
+  end
+
+  describe "XSW attack" do
+    it "should not validate if SAML response is hacked" do
+      document = saml_response_document(:certificate => TEST_CERTIFICATE)
+
+      modified_document = Nokogiri::XML(document)
+
+      original_assertion = modified_document.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first
+
+      response_signature = modified_document.xpath("/samlp:Response/ds:Signature", Samlr::NS_MAP).first
+
+      extensions = Nokogiri::XML::Node.new "Extensions", modified_document
+      extensions << original_assertion.to_xml(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML)
+      response_signature.add_next_sibling(extensions)
+      response_signature.remove()
+
+      modified_document.xpath("/samlp:Response/samlp:Extensions/saml:Assertion/ds:Signature", Samlr::NS_MAP).remove
+      modified_document.xpath("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Samlr::NS_MAP).first.content="evil@example.org"
+      modified_document.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first["ID"] = "evil_id"
+
+      response = Samlr::Response.new(modified_document.to_xml(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML), {:certificate => TEST_CERTIFICATE.x509})
+      assert_raises(Samlr::FormatError) { response.verify! }
+    end
+  end
+
+  describe "::parse" do
+    before { @document = saml_response_document(:certificate => TEST_CERTIFICATE) }
+
+    describe "when given a raw XML response" do
+      it "constructs and XML document" do
+        assert_equal Nokogiri::XML::Document, Samlr::Response.parse(@document).class
+      end
+    end
+
+    describe "when given a Base64 encoded response" do
+      subject { Base64.encode64(@document) }
+
+      it "constructs and XML document" do
+        assert_equal Nokogiri::XML::Document, Samlr::Response.parse(subject).class
+      end
+    end
+
+    describe "when given an invalid string" do
+      it "fails" do
+        assert_raises(Samlr::FormatError) { Samlr::Response.parse("hello") }
+      end
+    end
+
+    describe "when given a malformed XML response" do
+      subject { saml_response_document(:certificate => TEST_CERTIFICATE).gsub("Assertion", "AyCaramba") }
+      after   { Samlr.validation_mode = :reject }
+
+      describe "and Samlr.validation_mode == :log" do
+        before { Samlr.validation_mode = :log }
+        it "does not raise" do
+          assert Samlr::Response.parse(subject)
+        end
+      end
+
+      describe "and Samlr.validation_mode != :log" do
+        it "raises" do
+          assert_raises(Samlr::FormatError) { Samlr::Response.parse(subject) }
+        end
+      end
+    end
+  end
+end