tests and fixed accessors

smarek · Dec 1, 2019 · aeb183f · aeb183f
1 parent ebe9554
commit aeb183f
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 4 deletions.
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
@@ -37,13 +37,14 @@ def request_phase
         authn_request = OneLogin::RubySaml::Authrequest.new
 
         options[:assertion_consumer_service_url] ||= callback_url
+        settings = OneLogin::RubySaml::Settings.new(options)
+
         if options[:sptype] != false
-          options.extensions[:sptype] = options[:sptype]
+          settings.extensions[:sptype] = options[:sptype]
         end
         if options[:auth_request_include_request_attributes] == true
-          options.extensions[:requested_attributes] = with_requested_attributes
+          settings.extensions[:requested_attributes] = with_requested_attributes
         end
-        settings = OneLogin::RubySaml::Settings.new(options)
 
         redirect(authn_request.create(settings, additional_params_for_authn_request))
       end

diff --git a/spec/omniauth/strategies/saml_spec.rb b/spec/omniauth/strategies/saml_spec.rb
@@ -29,7 +29,9 @@ def post_xml(xml=:example_response, opts = {})
         { :name => 'first_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Given name' },
         { :name => 'last_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Family name' }
       ],
-      :attribute_service_name             => 'Required attributes'
+      :attribute_service_name             => 'Required attributes',
+      :sptype                             => false,
+      :auth_request_include_request_attributes => false
     }
   end
   let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
@@ -115,6 +117,33 @@ def post_xml(xml=:example_response, opts = {})
         expect(query['SigAlg']).to eq XMLSecurity::Document::RSA_SHA256
       end
     end
+
+    context 'when using eidas extensions in authn request' do
+      subject { get '/auth/saml' }
+
+      before do
+        saml_options[:compress_request] = false
+
+        saml_options[:sptype] = 'private'
+        saml_options[:auth_request_include_request_attributes] = true
+      end
+
+      it "should contain correct sptype and RequestedAttributes" do
+        is_expected.to be_redirect
+
+        location = URI.parse(last_response.location)
+        query = Rack::Utils.parse_query location.query
+        expect(query).to have_key('SAMLRequest')
+
+        request = REXML::Document.new(Base64.decode64(query['SAMLRequest']))
+        request.elements.each('/samlp:AuthnRequest/samlp:Extensions/eidas:SPType') do |element|
+          expect(element.text).to match /private/
+        end
+        request.elements.each('/samlp:AuthnRequest/samlp:Extensions/eidas:RequestedAttributes/eidas:RequestedAttribute') do |element|
+          expect(element.attributes['isRequired']).to match /false/
+        end
+      end
+    end
   end
 
   describe 'POST /auth/saml/callback' do
@@ -450,4 +479,5 @@ def test_default_relay_state(static_default_relay_state = nil, &block_default_re
       expect(OmniAuth.strategies).to include(described_class, subclass)
     end
   end
+
 end