test/response_test.rb in ruby-saml-1.1.1 vs test/response_test.rb in ruby-saml-1.1.2
- old
+ new
@@ -202,11 +202,11 @@
it "raise when there is no valid audience" do
settings.idp_cert_fingerprint = signature_fingerprint_1
settings.issuer = 'invalid'
response_valid_signed.settings = settings
response_valid_signed.soft = false
- error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
+ error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
response_valid_signed.is_valid?
end
assert_includes response_valid_signed.errors, error_msg
end
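Review bot: The rebuilt `error_msg` on the `+` line is still handed to `assert_raises` as its final argument, where minitest treats a trailing String as the failure message rather than as the expected exception text, so the new ` - Valid audiences: …` suffix is only verified by the `assert_includes` on the errors array. Capturing the exception pins the message directly, assuming the raised ValidationError carries the same text as the errors entry: `err = assert_raises(OneLogin::RubySaml::ValidationError) { response_valid_signed.is_valid? }` followed by `assert_equal error_msg, err.message`. The same "is not a valid audience for this Response" message is repeated verbatim in the hunks at @@ -366, @@ -409 and @@ -549; building it from one helper or constant in the test file would keep the four copies in step when the library wording changes again.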
@@ -366,11 +366,11 @@
it "return false when there is no valid audience" do
settings.idp_cert_fingerprint = signature_fingerprint_1
settings.issuer = 'invalid'
response_valid_signed.settings = settings
response_valid_signed.is_valid?
- assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
+ assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
end
it "return false when no ID present in the SAML Response" do
settings.idp_cert_fingerprint = signature_fingerprint_1
response_no_id.settings = settings
@@ -409,14 +409,29 @@
it "return false when the audience is valid" do
response.settings = settings
response.settings.issuer = 'invalid_audience'
assert !response.send(:validate_audience)
- assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response"
+ assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response - Valid audiences: {audience}"
end
end
+ describe "#validate_destination" do
+ it "return true when the destination of the SAML Response matches the assertion consumer service url" do
+ response.settings = settings
+ assert response.send(:validate_destination)
+ assert_empty response.errors
+ end
+
+ it "return false when the destination of the SAML Response does not match the assertion consumer service url" do
+ response.settings = settings
+ response.settings.assertion_consumer_service_url = 'invalid_acs'
+ assert !response.send(:validate_destination)
+ assert_includes response.errors, "The response was received at #{response.destination} instead of #{response.settings.assertion_consumer_service_url}"
+ end
+ end
+
describe "#validate_issuer" do
it "return true when the issuer of the Message/Assertion matches the IdP entityId" do
response_valid_signed.settings = settings
assert response_valid_signed.send(:validate_issuer)
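Review bot: The new `#validate_destination` block covers only the matching and mismatching cases; a Response that carries no Destination attribute at all is not pinned down, so from this hunk one cannot tell whether validate_destination treats the absent attribute as a pass or a failure, and for a check that decides where a response may be accepted that is the case most worth documenting. A third `it` using a fixture without a Destination attribute (adding one if none of the existing `response_*` fixtures lacks it) and asserting the intended result would record that decision. In the mismatch test the expected string is assembled from `response.destination` and the mutated settings value, so it mirrors whatever the library interpolates; adding `refute_nil response.destination` before the `assert_includes` makes sure the comparison is between two real URLs.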
@@ -549,11 +564,11 @@
it "return false when there is no valid audience" do
response_invalid_audience.settings = settings
response_invalid_audience.settings.issuer = "https://invalid.example.com/audience"
assert !response_invalid_audience.send(:validate_audience)
- assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response"
+ assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response - Valid audiences: http://invalid.audience.com"
end
end
describe "#validate_issuer" do
it "return true when the issuer of the Message/Assertion matches the IdP entityId or it was empty" do
@@ -727,9 +742,20 @@
settings.idp_cert = ruby_saml_cert_text
response_valid_signed_without_x509certificate.settings = settings
assert response_valid_signed_without_x509certificate.send(:validate_signature)
assert_empty response_valid_signed_without_x509certificate.errors
end
+
+ it "return false when signature wrapping attack" do
+ signature_wrapping_attack = read_invalid_response("signature_wrapping_attack.xml.base64")
+ response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack)
+ response_wrapped.stubs(:conditions).returns(nil)
+ response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+ settings.idp_cert_fingerprint = "afe71c28ef740bc87425be13a2263d37971da1f9"
+ response_wrapped.settings = settings
+ assert !response_wrapped.send(:validate_signature)
+ assert_includes response_wrapped.errors, "Invalid Signature on SAML Response"
+ end
end
describe "#nameid" do
it "extract the value of the name id element" do
assert_equal "support@onelogin.com", response.nameid
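Review bot: The new signature-wrapping test asserts only that `validate_signature` returns false and records "Invalid Signature on SAML Response", which a plain fingerprint or certificate mismatch would produce just as well, so the test cannot distinguish "the wrapping was detected" from "the fixture simply does not verify". Pairing it with a check that the fixture's legitimate, unwrapped form validates against the same fingerprint `afe71c28ef740bc87425be13a2263d37971da1f9` (or asserting a wrapping-specific error, if the library emits one) would tie the failure to the attack rather than to the fixture. The two `stubs` calls on `conditions` and `validate_subject_confirmation` appear to be there to isolate the signature path; a one-line comment saying so, e.g. `# stub out the unrelated checks so only the signature validation is exercised`, would spare the next reader the guess.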