From a0fbc75bf3fc2ca76aaf153d40d31868e2a7be91 Mon Sep 17 00:00:00 2001
From: Chris Barth <chrisjbarth@hotmail.com>
Date: Fri, 26 Apr 2019 16:09:17 -0400
Subject: [PATCH 1/2] Fix broken tests

---
 lib/passport-saml/saml.js |   4 +-
 multiSamlStrategy.js      |   2 +-
 test/multiSamlStrategy.js | 112 ++++--
 test/samlTests.js         | 162 +++++---
 test/tests.js             | 761 ++++++++++++++++++++++++--------------
 5 files changed, 679 insertions(+), 362 deletions(-)

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
index 31b10703..dac0020d 100644
--- a/lib/passport-saml/saml.js
+++ b/lib/passport-saml/saml.js
@@ -756,7 +756,7 @@ SAML.prototype.validateRedirect = function(container, callback) {
     var dom = new xmldom.DOMParser().parseFromString(inflated.toString());
     var parserConfig = {
       explicitRoot: true,
-      explicitCharKey: true,
+      explicitCharkey: true,
       tagNameProcessors: [xml2js.processors.stripPrefix]
     };
     var parser = new xml2js.Parser(parserConfig);
@@ -1154,7 +1154,7 @@ function processValidlySignedPostRequest(self, doc, callback) {
       }
       var sessionIndex = request.SessionIndex;
       if (sessionIndex) {
-        profile.sessionIndex = sessionIndex[0];
+        profile.sessionIndex = sessionIndex[0]._;
       }
 
       callback(null, profile, true);
diff --git a/multiSamlStrategy.js b/multiSamlStrategy.js
index 123d84e4..46f8bdb1 100644
--- a/multiSamlStrategy.js
+++ b/multiSamlStrategy.js
@@ -52,7 +52,7 @@ MultiSamlStrategy.prototype.logout = function (req, options) {
 MultiSamlStrategy.prototype.generateServiceProviderMetadata = function( req, decryptionCert, signingCert, next ) {
   var self = this;
 
-  return this._getSamlOptions(req, function (err, samlOptions) {
+  return this._options.getSamlOptions(req, function (err, samlOptions) {
     if (err) {
       return next(err);
     }
diff --git a/test/multiSamlStrategy.js b/test/multiSamlStrategy.js
index 1acc0912..72939ded 100644
--- a/test/multiSamlStrategy.js
+++ b/test/multiSamlStrategy.js
@@ -32,9 +32,13 @@ describe('strategy#authenticate', function() {
   it('calls super with request and auth options', function(done) {
     var superAuthenticateStub = this.superAuthenticateStub;
     function getSamlOptions (req, fn) {
-      fn();
-      sinon.assert.calledOnce(superAuthenticateStub);
-      done();
+      try {
+        fn();
+        sinon.assert.calledOnce(superAuthenticateStub);
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     };
 
     var strategy = new MultiSamlStrategy({
@@ -48,10 +52,14 @@ describe('strategy#authenticate', function() {
       passReqToCallback: true,
       authnRequestBinding: 'HTTP-POST',
       getSamlOptions: function (req, fn) {
-        fn();
-        strategy._passReqToCallback.should.eql(true);
-        strategy._authnRequestBinding.should.eql('HTTP-POST');
-        done();
+        try {
+          fn();
+          strategy._passReqToCallback.should.eql(true);
+          strategy._authnRequestBinding.should.eql('HTTP-POST');
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       }
     };
 
@@ -74,12 +82,16 @@ describe('strategy#authenticate', function() {
     };
 
     function getSamlOptions (req, fn) {
-      fn(null, samlOptions);
-      strategy._saml.options.should.containEql(Object.assign({},
-        { cacheProvider: 'mock cache provider' },
-        samlOptions
-      ));
-      done();
+      try {
+        fn(null, samlOptions);
+        strategy._saml.options.should.containEql(Object.assign({},
+          { cacheProvider: 'mock cache provider' },
+          samlOptions
+        ));
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     }
 
     var strategy = new MultiSamlStrategy(
@@ -102,9 +114,13 @@ describe('strategy#logout', function() {
   it('calls super with request and auth options', function(done) {
     var superAuthenticateStub = this.superAuthenticateStub;
     function getSamlOptions (req, fn) {
-      fn();
-      sinon.assert.calledOnce(superAuthenticateStub);
-      done();
+      try {
+        fn();
+        sinon.assert.calledOnce(superAuthenticateStub);
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     };
 
     var strategy = new MultiSamlStrategy({ getSamlOptions: getSamlOptions }, verify);
@@ -116,10 +132,14 @@ describe('strategy#logout', function() {
       passReqToCallback: true,
       authnRequestBinding: 'HTTP-POST',
       getSamlOptions: function (req, fn) {
-        fn();
-        strategy._passReqToCallback.should.eql(true);
-        strategy._authnRequestBinding.should.eql('HTTP-POST');
-        done();
+        try {
+          fn();
+          strategy._passReqToCallback.should.eql(true);
+          strategy._authnRequestBinding.should.eql('HTTP-POST');
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       }
     };
 
@@ -142,9 +162,13 @@ describe('strategy#logout', function() {
     };
 
     function getSamlOptions (req, fn) {
-      fn(null, samlOptions);
-      strategy._saml.options.should.containEql(samlOptions);
-      done();
+      try {
+        fn(null, samlOptions);
+        strategy._saml.options.should.containEql(samlOptions);
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     }
 
     var strategy = new MultiSamlStrategy(
@@ -167,11 +191,15 @@ describe('strategy#generateServiceProviderMetadata', function() {
   it('calls super with request and generateServiceProviderMetadata options', function(done) {
     var superGenerateServiceProviderMetadata = this.superGenerateServiceProviderMetadata;
     function getSamlOptions (req, fn) {
-      fn();
-      sinon.assert.calledOnce(superGenerateServiceProviderMetadata);
-      superGenerateServiceProviderMetadata.calledWith('bar', 'baz');
-      req.should.eql('foo');
-      done();
+      try {
+        fn();
+        sinon.assert.calledOnce(superGenerateServiceProviderMetadata);
+        superGenerateServiceProviderMetadata.calledWith('bar', 'baz');
+        req.should.eql('foo');
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     };
 
 
@@ -184,10 +212,14 @@ describe('strategy#generateServiceProviderMetadata', function() {
       passReqToCallback: true,
       authnRequestBinding: 'HTTP-POST',
       getSamlOptions: function (req, fn) {
-        fn();
-        strategy._passReqToCallback.should.eql(true);
-        strategy._authnRequestBinding.should.eql('HTTP-POST');
-        done();
+        try {
+          fn();
+          strategy._passReqToCallback.should.eql(true);
+          strategy._authnRequestBinding.should.eql('HTTP-POST');
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       }
     };
 
@@ -204,8 +236,12 @@ describe('strategy#generateServiceProviderMetadata', function() {
 
     var strategy = new MultiSamlStrategy(passportOptions, verify);
     strategy.generateServiceProviderMetadata('foo', 'bar', 'baz', function (error, result) {
-      should(error).equal('My error');
-      done();
+      try {
+        should(error).equal('My error');
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     });
   });
 
@@ -218,8 +254,12 @@ describe('strategy#generateServiceProviderMetadata', function() {
 
     var strategy = new MultiSamlStrategy(passportOptions, verify);
     strategy.generateServiceProviderMetadata('foo', 'bar', 'baz', function (error, result) {
-      should(result).equal('My Metadata Result');
-      done();
+      try {
+        should(result).equal('My Metadata Result');
+        done();
+      } catch (err2) {
+        done(err2);
+      }
     });
   });
 });
diff --git a/test/samlTests.js b/test/samlTests.js
index 3a44cce6..8ea66ba7 100644
--- a/test/samlTests.js
+++ b/test/samlTests.js
@@ -35,42 +35,66 @@ describe('SAML.js', function () {
     describe('getAuthorizeUrl', function () {
       it('calls callback with right host', function (done) {
         saml.getAuthorizeUrl(req, {}, function (err, target) {
-          url.parse(target).host.should.equal('exampleidp.com');
-          done();
+          try {
+            url.parse(target).host.should.equal('exampleidp.com');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right protocol', function (done) {
         saml.getAuthorizeUrl(req, {}, function (err, target) {
-          url.parse(target).protocol.should.equal('https:');
-          done();
+          try {
+            url.parse(target).protocol.should.equal('https:');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right path', function (done) {
         saml.getAuthorizeUrl(req, {}, function (err, target) {
-          url.parse(target).pathname.should.equal('/path');
-          done();
+          try {
+            url.parse(target).pathname.should.equal('/path');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with original query string', function (done) {
         saml.getAuthorizeUrl(req, {}, function (err, target) {
-          url.parse(target, true).query['key'].should.equal('value');
-          done();
+          try {
+            url.parse(target, true).query['key'].should.equal('value');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with additional run-time params in query string', function (done) {
         saml.getAuthorizeUrl(req, options, function (err, target) {
-          Object.keys(url.parse(target, true).query).should.have.length(3);
-          url.parse(target, true).query['key'].should.equal('value');
-          url.parse(target, true).query['SAMLRequest'].should.not.be.empty();
-          url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
-          done();
+          try {
+            Object.keys(url.parse(target, true).query).should.have.length(3);
+            url.parse(target, true).query['key'].should.equal('value');
+            url.parse(target, true).query['SAMLRequest'].should.not.be.empty();
+            url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       // NOTE: This test only tests existence of the assertion, not the correctness
       it('calls callback with saml request object', function (done) {
         saml.getAuthorizeUrl(req, {}, function (err, target) {
-          should(url.parse(target, true).query).have.property('SAMLRequest');
-          done();
+          try {
+            should(url.parse(target, true).query).have.property('SAMLRequest');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });
@@ -78,42 +102,66 @@ describe('SAML.js', function () {
     describe('getLogoutUrl', function () {
       it('calls callback with right host', function (done) {
         saml.getLogoutUrl(req, {}, function (err, target) {
-          url.parse(target).host.should.equal('exampleidp.com');
-          done();
+          try {
+            url.parse(target).host.should.equal('exampleidp.com');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right protocol', function (done) {
         saml.getLogoutUrl(req, {}, function (err, target) {
-          url.parse(target).protocol.should.equal('https:');
-          done();
+          try {
+            url.parse(target).protocol.should.equal('https:');
+            done();
+          } catch(err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right path', function (done) {
         saml.getLogoutUrl(req, {}, function (err, target) {
-          url.parse(target).pathname.should.equal('/path');
-          done();
+          try {
+            url.parse(target).pathname.should.equal('/path');
+            done();
+          } catch(err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with original query string', function (done) {
         saml.getLogoutUrl(req, {}, function (err, target) {
-          url.parse(target, true).query['key'].should.equal('value');
-          done();
+          try {
+            url.parse(target, true).query['key'].should.equal('value');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with additional run-time params in query string', function (done) {
         saml.getLogoutUrl(req, options, function (err, target) {
-          Object.keys(url.parse(target, true).query).should.have.length(3);
-          url.parse(target, true).query['key'].should.equal('value');
-          url.parse(target, true).query['SAMLRequest'].should.not.be.empty();
-          url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
-          done();
+          try {
+            Object.keys(url.parse(target, true).query).should.have.length(3);
+            url.parse(target, true).query['key'].should.equal('value');
+            url.parse(target, true).query['SAMLRequest'].should.not.be.empty();
+            url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       // NOTE: This test only tests existence of the assertion, not the correctness
       it('calls callback with saml request object', function (done) {
         saml.getLogoutUrl(req, {}, function (err, target) {
-          should(url.parse(target, true).query).have.property('SAMLRequest');
-          done();
+          try {
+            should(url.parse(target, true).query).have.property('SAMLRequest');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });
@@ -121,42 +169,66 @@ describe('SAML.js', function () {
     describe('getLogoutResponseUrl', function () {
       it('calls callback with right host', function (done) {
         saml.getLogoutResponseUrl(req, {}, function (err, target) {
-          url.parse(target).host.should.equal('exampleidp.com');
-          done();
+          try {
+            url.parse(target).host.should.equal('exampleidp.com');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right protocol', function (done) {
         saml.getLogoutResponseUrl(req, {}, function (err, target) {
-          url.parse(target).protocol.should.equal('https:');
-          done();
+          try {
+            url.parse(target).protocol.should.equal('https:');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with right path', function (done) {
         saml.getLogoutResponseUrl(req, {}, function (err, target) {
-          url.parse(target).pathname.should.equal('/path');
-          done();
+          try {
+            url.parse(target).pathname.should.equal('/path');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with original query string', function (done) {
         saml.getLogoutResponseUrl(req, {}, function (err, target) {
-          url.parse(target, true).query['key'].should.equal('value');
-          done();
+          try {
+            url.parse(target, true).query['key'].should.equal('value');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('calls callback with additional run-time params in query string', function (done) {
         saml.getLogoutResponseUrl(req, options, function (err, target) {
-          Object.keys(url.parse(target, true).query).should.have.length(3);
-          url.parse(target, true).query['key'].should.equal('value');
-          url.parse(target, true).query['SAMLResponse'].should.not.be.empty();
-          url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
-          done();
+          try {
+            Object.keys(url.parse(target, true).query).should.have.length(3);
+            url.parse(target, true).query['key'].should.equal('value');
+            url.parse(target, true).query['SAMLResponse'].should.not.be.empty();
+            url.parse(target, true).query['additionalKey'].should.equal('additionalValue');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       // NOTE: This test only tests existence of the assertion, not the correctness
       it('calls callback with saml response object', function (done) {
         saml.getLogoutResponseUrl(req, {}, function (err, target) {
-          should(url.parse(target, true).query).have.property('SAMLResponse');
-          done();
+          try {
+            should(url.parse(target, true).query).have.property('SAMLResponse');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });
diff --git a/test/tests.js b/test/tests.js
index eccb5dad..5c35abd2 100644
--- a/test/tests.js
+++ b/test/tests.js
@@ -129,14 +129,18 @@ describe( 'passport-saml /', function() {
           };
 
           request(requestOpts, function (err, response, body) {
-            should.not.exist(err);
-            response.statusCode.should.equal(check.expectedStatusCode);
-            if (response.statusCode == 200) {
-              userSerialized.should.be.true;
-              if (check.expectedNameIDStartsWith)
-                profile.nameID.should.startWith(check.expectedNameIDStartsWith);
+            try {
+              should.not.exist(err);
+              response.statusCode.should.equal(check.expectedStatusCode);
+              if (response.statusCode == 200) {
+                userSerialized.should.be.true;
+                if (check.expectedNameIDStartsWith)
+                  profile.nameID.should.startWith(check.expectedNameIDStartsWith);
+              }
+              done();
+            } catch (err2) {
+              done(err2);
             }
-            done();
           });
         });
       };
@@ -177,17 +181,21 @@ describe( 'passport-saml /', function() {
             form: check.samlResponse
           };
           request(requestOpts, function (err, response, body) {
-            should.not.exist(err);
-            response.statusCode.should.equal(check.expectedStatusCode);
-            if (response.statusCode == 200) {
-              should.exist(passedRequest);
-              passedRequest.url.should.eql('/login');
-              passedRequest.method.should.eql('POST');
-              should(passedRequest.body).match(check.samlResponse);
-            } else {
-              should.not.exist(passedRequest);
+            try {
+              should.not.exist(err);
+              response.statusCode.should.equal(check.expectedStatusCode);
+              if (response.statusCode == 200) {
+                should.exist(passedRequest);
+                passedRequest.url.should.eql('/login');
+                passedRequest.method.should.eql('POST');
+                should(passedRequest.body).match(check.samlResponse);
+              } else {
+                should.not.exist(passedRequest);
+              }
+              done();
+            } catch (err2) {
+              done(err2);
             }
-            done();
           });
         });
       };
@@ -514,34 +522,46 @@ describe( 'passport-saml /', function() {
           };
 
           request(requestOpts, function(err, response, body) {
-            should.not.exist(err);
-
-            var encodedSamlRequest;
-            if ( check.config.authnRequestBinding === "HTTP-POST" ) {
-              response.statusCode.should.equal(200);
-              body.should.match(/<!DOCTYPE html>[^]*<input.*name="SAMLRequest"[^]*<\/html>/);
-              encodedSamlRequest = body.match( /<input.*name="SAMLRequest" value="([^"]*)"/ )[1];
-            } else {
-              response.statusCode.should.equal(302);
-              var query = response.headers.location.match( /^[^\?]*\?(.*)$/ )[1];
-              encodedSamlRequest = querystring.parse( query ).SAMLRequest;
-            }
-
-            var buffer = Buffer.from(encodedSamlRequest, 'base64');
-            if (check.config.skipRequestCompression)
-              helper(null, buffer);
-            else
-              zlib.inflateRaw( buffer, helper );
-
-            function helper(err, samlRequest) {
-              should.not.exist( err );
-              parseString( samlRequest.toString(), function( err, doc ) {
-                should.not.exist( err );
-                delete doc['samlp:AuthnRequest']['$']["ID"];
-                delete doc['samlp:AuthnRequest']['$']["IssueInstant"];
-                doc.should.eql( check.result );
-                done();
-              });
+            try {
+              should.not.exist(err);
+
+              var encodedSamlRequest;
+              if ( check.config.authnRequestBinding === "HTTP-POST" ) {
+                response.statusCode.should.equal(200);
+                body.should.match(/<!DOCTYPE html>[^]*<input.*name="SAMLRequest"[^]*<\/html>/);
+                encodedSamlRequest = body.match( /<input.*name="SAMLRequest" value="([^"]*)"/ )[1];
+              } else {
+                response.statusCode.should.equal(302);
+                var query = response.headers.location.match( /^[^\?]*\?(.*)$/ )[1];
+                encodedSamlRequest = querystring.parse( query ).SAMLRequest;
+              }
+  
+              var buffer = Buffer.from(encodedSamlRequest, 'base64');
+              if (check.config.skipRequestCompression)
+                helper(null, buffer);
+              else
+                zlib.inflateRaw( buffer, helper );
+  
+              function helper(err, samlRequest) {
+                try {
+                  should.not.exist( err );
+                  parseString( samlRequest.toString(), function( err, doc ) {
+                    try {
+                      should.not.exist( err );
+                      delete doc['samlp:AuthnRequest']['$']["ID"];
+                      delete doc['samlp:AuthnRequest']['$']["IssueInstant"];
+                      doc.should.eql( check.result );
+                      done();
+                    } catch (err2) {
+                      done(err2);
+                    }
+                  });
+                } catch (err2) {
+                  done(err2);
+                }
+              }
+            } catch (err2) {
+              done(err2);
             }
           });
         });
@@ -565,12 +585,11 @@ describe( 'passport-saml /', function() {
       }).throw('Invalid property: cert must not be empty');
     });
 
-    it( 'generateUniqueID should generate 20 char IDs', function( done ) {
+    it( 'generateUniqueID should generate 20 char IDs', function() {
       var samlObj = new SAML( { entryPoint: "foo" } );
       for(var i = 0; i < 200; i++){
           samlObj.generateUniqueID().length.should.eql(20);
       }
-      done();
     });
 
     it( 'generateLogoutRequest', function( done ) {
@@ -598,10 +617,14 @@ describe( 'passport-saml /', function() {
 
       logoutRequestPromise.then(function(logoutRequest) {
         parseString( logoutRequest, function( err, doc ) {
-          delete doc['samlp:LogoutRequest']['$']["ID"];
-          delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
-          doc.should.eql( expectedRequest );
-          done();
+          try {
+            delete doc['samlp:LogoutRequest']['$']["ID"];
+            delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
+            doc.should.eql( expectedRequest );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       })
     });
@@ -635,10 +658,14 @@ describe( 'passport-saml /', function() {
 
       logoutRequestPromise.then(function(logoutRequest) {
         parseString( logoutRequest, function( err, doc ) {
-          delete doc['samlp:LogoutRequest']['$']["ID"];
-          delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
-          doc.should.eql( expectedRequest );
-          done();
+          try {
+            delete doc['samlp:LogoutRequest']['$']["ID"];
+            delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
+            doc.should.eql( expectedRequest );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       })
     });
@@ -660,10 +687,14 @@ describe( 'passport-saml /', function() {
       var samlObj = new SAML( { entryPoint: "foo" } );
       var logoutRequest = samlObj.generateLogoutResponse({}, { ID: "quux" });
       parseString( logoutRequest, function( err, doc ) {
-        delete doc['samlp:LogoutResponse']['$']["ID"];
-        delete doc['samlp:LogoutResponse']['$']["IssueInstant"];
-        doc.should.eql( expectedResponse );
-        done();
+        try {
+          delete doc['samlp:LogoutResponse']['$']["ID"];
+          delete doc['samlp:LogoutResponse']['$']["IssueInstant"];
+          doc.should.eql( expectedResponse );
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       });
     });
 
@@ -696,10 +727,14 @@ describe( 'passport-saml /', function() {
 
       logoutRequestPromise.then(function(logoutRequest) {
         parseString( logoutRequest, function( err, doc ) {
-          delete doc['samlp:LogoutRequest']['$']["ID"];
-          delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
-          doc.should.eql( expectedRequest );
-          done();
+          try {
+            delete doc['samlp:LogoutRequest']['$']["ID"];
+            delete doc['samlp:LogoutRequest']['$']["IssueInstant"];
+            doc.should.eql( expectedRequest );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       })
     });
@@ -734,15 +769,18 @@ describe( 'passport-saml /', function() {
 
       logoutRequestPromise.then(function(logoutRequest) {
         parseString( logoutRequest, function( err, doc ) {
-
-          var id = doc['samlp:LogoutRequest']['$']["ID"];
-          var issueInstant = doc['samlp:LogoutRequest']['$']["IssueInstant"];
-
-          id.should.be.an.instanceOf(String);
-          issueInstant.should.be.an.instanceOf(String);
-          cacheSaveSpy.called.should.eql(true);
-          cacheSaveSpy.calledWith(id, issueInstant).should.eql(true);
-          done();
+          try {
+            var id = doc['samlp:LogoutRequest']['$']["ID"];
+            var issueInstant = doc['samlp:LogoutRequest']['$']["IssueInstant"];
+  
+            id.should.be.an.instanceOf(String);
+            issueInstant.should.be.an.instanceOf(String);
+            cacheSaveSpy.called.should.eql(true);
+            cacheSaveSpy.calledWith(id, issueInstant).should.eql(true);
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       })
     });
@@ -761,7 +799,7 @@ describe( 'passport-saml /', function() {
         metadata.split( '\n' ).should.eql( expectedMetadata.split( '\n' ) );
       }
 
-      it( 'config with callbackUrl and decryptionPvk should pass', function( done ) {
+      it( 'config with callbackUrl and decryptionPvk should pass', function() {
         var samlConfig = {
           issuer: 'http://example.serviceprovider.com',
           callbackUrl: 'http://example.serviceprovider.com/saml/callback',
@@ -771,10 +809,9 @@ describe( 'passport-saml /', function() {
         var expectedMetadata = fs.readFileSync(__dirname + '/static/expected metadata.xml', 'utf-8');
 
         testMetadata( samlConfig, expectedMetadata );
-        done();
       });
 
-      it( 'config with callbackUrl should pass', function( done ) {
+      it( 'config with callbackUrl should pass', function() {
         var samlConfig = {
           issuer: 'http://example.serviceprovider.com',
           callbackUrl: 'http://example.serviceprovider.com/saml/callback',
@@ -783,10 +820,9 @@ describe( 'passport-saml /', function() {
         var expectedMetadata = fs.readFileSync(__dirname + '/static/expected metadata without key.xml', 'utf-8');
 
         testMetadata( samlConfig, expectedMetadata );
-        done();
       });
 
-      it( 'config with protocol, path, host, and decryptionPvk should pass', function( done ) {
+      it( 'config with protocol, path, host, and decryptionPvk should pass', function() {
         var samlConfig = {
           issuer: 'http://example.serviceprovider.com',
           protocol: 'http://',
@@ -798,10 +834,9 @@ describe( 'passport-saml /', function() {
         var expectedMetadata = fs.readFileSync(__dirname + '/static/expected metadata.xml', 'utf-8');
 
         testMetadata( samlConfig, expectedMetadata );
-        done();
       });
 
-      it( 'config with protocol, path, and host should pass', function( done ) {
+      it( 'config with protocol, path, and host should pass', function() {
         var samlConfig = {
           issuer: 'http://example.serviceprovider.com',
           protocol: 'http://',
@@ -812,10 +847,9 @@ describe( 'passport-saml /', function() {
         var expectedMetadata = fs.readFileSync(__dirname + '/static/expected metadata without key.xml', 'utf-8');
 
         testMetadata( samlConfig, expectedMetadata );
-        done();
       });
 
-      it( 'config with protocol, path, host, decryptionPvk and privateCert should pass', function( done ) {
+      it( 'config with protocol, path, host, decryptionPvk and privateCert should pass', function() {
         var samlConfig = {
           issuer: 'http://example.serviceprovider.com',
           protocol: 'http://',
@@ -829,12 +863,11 @@ describe( 'passport-saml /', function() {
         var signingCert = fs.readFileSync(__dirname + '/static/acme_tools_com.cert').toString();
 
         testMetadata( samlConfig, expectedMetadata, signingCert );
-        done();
       });
 
   });
 
-    it('generateServiceProviderMetadata contains logout callback url', function (done) {
+    it('generateServiceProviderMetadata contains logout callback url', function () {
       var samlConfig = {
         issuer: 'http://example.serviceprovider.com',
         callbackUrl: 'http://example.serviceprovider.com/saml/callback',
@@ -848,7 +881,6 @@ describe( 'passport-saml /', function() {
       var metadata = samlObj.generateServiceProviderMetadata(decryptionCert);
       metadata.should.containEql('SingleLogoutService');
       metadata.should.containEql(samlConfig.logoutCallbackUrl);
-      done();
     });
 
     it('#certToPEM should generate valid certificate', function(done){
@@ -872,10 +904,13 @@ describe( 'passport-saml /', function() {
       it('response with junk content should explain the XML or base64 is not valid', function(done) {
         var samlObj = new SAML( { cert: TEST_CERT });
         samlObj.validatePostResponse({SAMLResponse: "BOOM"} , function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( /SAMLResponse is not valid base64-encoded XML/ );
-//          should.exist( err.statusXml );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( /SAMLResponse is not valid base64-encoded XML/ );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('response with error status message should generate appropriate error', function(done) {
@@ -886,11 +921,15 @@ describe( 'passport-saml /', function() {
         cert: '-----BEGIN CERTIFICATE-----'+TEST_CERT+'-----END CERTIFICATE-----',
         });
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( /Responder/ );
-          err.message.should.match( /Required NameID format not supported/ );
-          should.exist( err.statusXml );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( /Responder/ );
+            err.message.should.match( /Required NameID format not supported/ );
+            should.exist( err.statusXml );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -900,11 +939,15 @@ describe( 'passport-saml /', function() {
         var container = { SAMLResponse: base64xml };
         var samlObj = new SAML( {} );
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( /Responder/ );
-          err.message.should.match( /InvalidNameIDPolicy/ );
-          should.exist( err.statusXml );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( /Responder/ );
+            err.message.should.match( /InvalidNameIDPolicy/ );
+            should.exist( err.statusXml );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -918,16 +961,20 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML();
 
         samlObj.validatePostResponse(container, function(err, profile) {
-          should.not.exist(err);
-          profile.issuer.should.eql("https://evil-corp.com");
-          profile.nameID.should.eql("vincent.vega@evil-corp.com");
-          should(profile).have.property("evil-corp.egroupid").eql("vincent.vega@evil-corp.com");
-          // attributes without attributeValue child should be ignored
-          should(profile).not.have.property("evilcorp.roles");
-
-          fakeClock.restore();
-
-          done();
+          try {
+            should.not.exist(err);
+            profile.issuer.should.eql("https://evil-corp.com");
+            profile.nameID.should.eql("vincent.vega@evil-corp.com");
+            should(profile).have.property("evil-corp.egroupid").eql("vincent.vega@evil-corp.com");
+            // attributes without attributeValue child should be ignored
+            should(profile).not.have.property("evilcorp.roles");
+  
+            fakeClock.restore();
+  
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -953,9 +1000,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( samlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.not.exist( err );
-            profile.nameID.should.startWith( 'ploer' );
-            done();
+            try {
+              should.not.exist( err );
+              profile.nameID.should.startWith( 'ploer' );
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -967,9 +1018,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( samlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.exist( err );
-            err.message.should.match(/Invalid signature/);
-            done();
+            try {
+              should.exist( err );
+              err.message.should.match(/Invalid signature/);
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -982,9 +1037,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( samlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.exist( err );
-            err.message.should.match(/Invalid signature/);
-            done();
+            try {
+              should.exist( err );
+              err.message.should.match(/Invalid signature/);
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -997,9 +1056,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( samlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.exist( err );
-            err.message.should.match(/Invalid signature/);
-            done();
+            try {
+              should.exist( err );
+              err.message.should.match(/Invalid signature/);
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -1015,9 +1078,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( samlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.exist( err );
-            err.message.should.match(/Invalid signature/);
-            done();
+            try {
+              should.exist( err );
+              err.message.should.match(/Invalid signature/);
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -1036,9 +1103,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( multiCertSamlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.not.exist( err );
-            profile.nameID.should.startWith( 'ploer' );
-            done();
+            try {
+              should.not.exist( err );
+              profile.nameID.should.startWith( 'ploer' );
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -1054,9 +1125,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( functionCertSamlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.not.exist( err );
-            profile.nameID.should.startWith( 'ploer' );
-            done();
+            try {
+              should.not.exist( err );
+              profile.nameID.should.startWith( 'ploer' );
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -1076,9 +1151,13 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( functionMultiCertSamlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            should.not.exist( err );
-            profile.nameID.should.startWith( 'ploer' );
-            done();
+            try {
+              should.not.exist( err );
+              profile.nameID.should.startWith( 'ploer' );
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
 
@@ -1095,8 +1174,12 @@ describe( 'passport-saml /', function() {
           var container = { SAMLResponse: base64xml };
           var samlObj = new SAML( functionErrorCertSamlConfig );
           samlObj.validatePostResponse( container, function( err, profile, logout ) {
-            err.should.eql( errorToReturn );
-            done();
+            try {
+              err.should.eql( errorToReturn );
+              done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
       });
@@ -1129,11 +1212,15 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML( samlConfig );
         samlObj.generateUniqueID = function () { return '12345678901234567890' };
         samlObj.getAuthorizeUrl({}, {}, function(err, url) {
-          var qry = require('querystring').parse(require('url').parse(url).query);
-          qry.SigAlg.should.match('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
-          qry.Signature.should.match('hel9NaoLU0brY/VhrQsY+lTtuAbTsT/ul6nZ/eVlSMXQRaKn5LTbKadzxmPghX7s4xoHwdah+yZHK/0u4StYSj4b5MKcqbsJapVr2R7H90z8YfGfR2C/G0Gng721YV9Da6VBzKg8Was91zQotgsMpZ9pGX1kPKi6cgFwPwM4NEFugn8AYgXEriNvO5+Q23K/MdBT2bgwRTj2FQCWTuQcgwbyWHXoquHztZ0lbh8UhY5BfQRv7c6D9XPkQEMMQFQeME4PIEg3JnynwFZk5wwhkphMd5nXxau+zt7Nfp4fRm0G8WYnxV1etBnWimwSglZVaSHFYeQBRsC2wvKSiVS8JA==');
-          qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
-          done();
+          try {
+            var qry = require('querystring').parse(require('url').parse(url).query);
+            qry.SigAlg.should.match('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
+            qry.Signature.should.match('hel9NaoLU0brY/VhrQsY+lTtuAbTsT/ul6nZ/eVlSMXQRaKn5LTbKadzxmPghX7s4xoHwdah+yZHK/0u4StYSj4b5MKcqbsJapVr2R7H90z8YfGfR2C/G0Gng721YV9Da6VBzKg8Was91zQotgsMpZ9pGX1kPKi6cgFwPwM4NEFugn8AYgXEriNvO5+Q23K/MdBT2bgwRTj2FQCWTuQcgwbyWHXoquHztZ0lbh8UhY5BfQRv7c6D9XPkQEMMQFQeME4PIEg3JnynwFZk5wwhkphMd5nXxau+zt7Nfp4fRm0G8WYnxV1etBnWimwSglZVaSHFYeQBRsC2wvKSiVS8JA==');
+            qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1154,9 +1241,13 @@ describe( 'passport-saml /', function() {
 
         var request = '<?xml version=\\"1.0\\"?><samlp:AuthnRequest xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protocol\\" ID=\\"_ea40a8ab177df048d645\\" Version=\\"2.0\\" IssueInstant=\\"2017-08-22T19:30:01.363Z\\" ProtocolBinding=\\"urn:oasis:names$tc:SAML:2.0:bindings:HTTP-POST\\" AssertionConsumerServiceURL=\\"https://example.com/login/callback\\" Destination=\\"https://www.example.com\\"><saml:Issuer xmlns:saml=\\"urn:oasis:names:tc:SAML:2.0:assertion\\">onelogin_saml</saml:Issuer><s$mlp:NameIDPolicy xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protocol\\" Format=\\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\\" AllowCreate=\\"true\\"/><samlp:RequestedAuthnContext xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protoc$l\\" Comparison=\\"exact\\"><saml:AuthnContextClassRef xmlns:saml=\\"urn:oasis:names:tc:SAML:2.0:assertion\\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp$AuthnRequest>';
         samlObj.requestToUrl(request, null, 'authorize', {}, function(err) {
+          try {
             should.exist(err);
             err.message.should.eql('"entryPoint" config parameter is required for signed messages');
             done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1176,17 +1267,21 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML( samlConfig );
         samlObj.generateUniqueID = function () { return '12345678901234567890' };
         samlObj.getAuthorizeUrl({}, {}, function(err, url) {
-          var qry = require('querystring').parse(require('url').parse(url).query);
-          qry.SigAlg.should.match('http://www.w3.org/2000/09/xmldsig#rsa-sha1');
-          qry.Signature.should.match('MeFo+LjufxP5A+sCRwzR/YH/RV6W14aYSFjUdie62JxkI6hDcVhoSZQUJ3wtWMhL59gJj05tTFnXAZRqUQVsavyy41cmUZVeCsat0gaHBQOILXpp9deB0iSJt1EVQTOJkVx8uu2/WYu/bBiH7w2bpwuCf1gJhlqZb/ca3B6yjHSMjnnVfc2LbNPWHpE5464lrs79VjDXf9GQWfrBr95dh3P51IAb7C+77KDWQUl9WfZfyyuEgS83vyZ0UGOxT4AObJ6NOcLs8+iidDdWJJkBaKQev6U+AghCjLQUYOrflivLIIyqATKu2q9PbOse6Phmnxok50+broXSG23+e+742Q==');
-          qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
-          done();
+          try {
+            var qry = require('querystring').parse(require('url').parse(url).query);
+            qry.SigAlg.should.match('http://www.w3.org/2000/09/xmldsig#rsa-sha1');
+            qry.Signature.should.match('MeFo+LjufxP5A+sCRwzR/YH/RV6W14aYSFjUdie62JxkI6hDcVhoSZQUJ3wtWMhL59gJj05tTFnXAZRqUQVsavyy41cmUZVeCsat0gaHBQOILXpp9deB0iSJt1EVQTOJkVx8uu2/WYu/bBiH7w2bpwuCf1gJhlqZb/ca3B6yjHSMjnnVfc2LbNPWHpE5464lrs79VjDXf9GQWfrBr95dh3P51IAb7C+77KDWQUl9WfZfyyuEgS83vyZ0UGOxT4AObJ6NOcLs8+iidDdWJJkBaKQev6U+AghCjLQUYOrflivLIIyqATKu2q9PbOse6Phmnxok50+broXSG23+e+742Q==');
+            qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });
 
     describe( 'getAdditionalParams checks /', function() {
-      it ( 'should not pass any additional params by default', function( done ) {
+      it ( 'should not pass any additional params by default', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
         };
@@ -1196,11 +1291,9 @@ describe( 'passport-saml /', function() {
           var additionalParams = samlObj.getAdditionalParams({}, operation);
           additionalParams.should.be.empty
         });
-
-        done();
       });
 
-      it ( 'should not pass any additional params by default apart from the RelayState in request query', function( done ) {
+      it ( 'should not pass any additional params by default apart from the RelayState in request query', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
         };
@@ -1212,11 +1305,9 @@ describe( 'passport-saml /', function() {
           Object.keys(additionalParams).should.have.length(1);
           additionalParams.should.containEql({'RelayState': 'test'});
         });
-
-        done();
       });
 
-      it ( 'should not pass any additional params by default apart from the RelayState in request body', function( done ) {
+      it ( 'should not pass any additional params by default apart from the RelayState in request body', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
         };
@@ -1228,11 +1319,9 @@ describe( 'passport-saml /', function() {
           Object.keys(additionalParams).should.have.length(1);
           additionalParams.should.containEql({'RelayState': 'test'});
         });
-
-        done();
       });
 
-      it ( 'should pass additional params with all operations if set in additionalParams', function( done ) {
+      it ( 'should pass additional params with all operations if set in additionalParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalParams: {
@@ -1246,11 +1335,9 @@ describe( 'passport-saml /', function() {
           Object.keys(additionalParams).should.have.length(1);
           additionalParams.should.containEql({'queryParam': 'queryParamValue'});
         });
-
-        done();
       });
 
-      it ( 'should pass additional params with "authorize" operations if set in additionalAuthorizeParams', function( done ) {
+      it ( 'should pass additional params with "authorize" operations if set in additionalAuthorizeParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalAuthorizeParams: {
@@ -1265,11 +1352,9 @@ describe( 'passport-saml /', function() {
 
         var additionalLogoutParams = samlObj.getAdditionalParams({}, 'logout');
         additionalLogoutParams.should.be.empty;
-
-        done();
       });
 
-      it ( 'should pass additional params with "logout" operations if set in additionalLogoutParams', function( done ) {
+      it ( 'should pass additional params with "logout" operations if set in additionalLogoutParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalLogoutParams: {
@@ -1284,11 +1369,9 @@ describe( 'passport-saml /', function() {
         var additionalLogoutParams = samlObj.getAdditionalParams({}, 'logout');
         Object.keys(additionalLogoutParams).should.have.length(1);
         additionalLogoutParams.should.containEql({'queryParam': 'queryParamValue'});
-
-        done();
       });
 
-      it ( 'should merge additionalLogoutParams and additionalAuthorizeParams with additionalParams', function( done ) {
+      it ( 'should merge additionalLogoutParams and additionalAuthorizeParams with additionalParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalParams: {
@@ -1310,11 +1393,9 @@ describe( 'passport-saml /', function() {
         var additionalLogoutParams = samlObj.getAdditionalParams({}, 'logout');
         Object.keys(additionalLogoutParams).should.have.length(2);
         additionalLogoutParams.should.containEql({'queryParam1': 'queryParamValue', 'queryParam2': 'queryParamValueLogout'});
-
-        done();
       });
 
-      it ( 'should merge run-time params additionalLogoutParams and additionalAuthorizeParams with additionalParams', function( done ) {
+      it ( 'should merge run-time params additionalLogoutParams and additionalAuthorizeParams with additionalParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalParams: {
@@ -1345,11 +1426,9 @@ describe( 'passport-saml /', function() {
         additionalLogoutParams.should.containEql({'queryParam1': 'queryParamValue',
           'queryParam2': 'queryParamValueLogout',
           'queryParam3': 'queryParamRuntimeValue'});
-
-        done();
       });
 
-      it ( 'should prioritize additionalLogoutParams and additionalAuthorizeParams over additionalParams', function( done ) {
+      it ( 'should prioritize additionalLogoutParams and additionalAuthorizeParams over additionalParams', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalParams: {
@@ -1371,11 +1450,9 @@ describe( 'passport-saml /', function() {
         var additionalLogoutParams = samlObj.getAdditionalParams({}, 'logout');
         Object.keys(additionalLogoutParams).should.have.length(1);
         additionalLogoutParams.should.containEql({'queryParam': 'queryParamValueLogout'});
-
-        done();
       });
 
-      it ( 'should prioritize run-time params over all other params', function( done ) {
+      it ( 'should prioritize run-time params over all other params', function() {
         var samlConfig = {
           entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
           additionalParams: {
@@ -1402,11 +1479,9 @@ describe( 'passport-saml /', function() {
         var additionalLogoutParams = samlObj.getAdditionalParams({}, 'logout', options.additionalParams);
         Object.keys(additionalLogoutParams).should.have.length(1);
         additionalLogoutParams.should.containEql({'queryParam': 'queryParamRuntimeValue'});
-
-        done();
       });
 
-      it('should check the value of the option `RACComparison`', function(done) {
+      it('should check the value of the option `RACComparison`', function() {
         var samlObjBadComparisonType = new SAML({ RACComparison: 'bad_value' });
         should.equal(samlObjBadComparisonType.options.RACComparison, 'exact', ['the default value of the option `RACComparison` must be exact']);
 
@@ -1415,9 +1490,7 @@ describe( 'passport-saml /', function() {
             samlObjValidComparisonType = new SAML( {RACComparison: RACComparison} );
             should.equal(samlObjValidComparisonType.options.RACComparison, RACComparison);
         });
-        done();
       });
-
     });
 
     describe( 'InResponseTo validation checks /', function(){
@@ -1454,8 +1527,12 @@ describe( 'passport-saml /', function() {
           should.not.exist( err );
           profile.nameID.should.startWith( 'ploer' );
           samlObj.cacheProvider.get(requestId, function(err, value){
+            try {
               should.not.exist(value);
               done();
+            } catch (err2) {
+              done(err2);
+            }
           });
 
         });
@@ -1479,9 +1556,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:13:09Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'InResponseTo is not valid' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'InResponseTo is not valid' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1507,8 +1588,12 @@ describe( 'passport-saml /', function() {
           should.not.exist( err );
           profile.nameID.should.startWith( 'UIS/jochen-work' );
           samlObj.cacheProvider.get(requestId, function(err, value){
+            try {
               should.not.exist(value);
               done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
       });
@@ -1532,9 +1617,13 @@ describe( 'passport-saml /', function() {
         samlObj.cacheProvider.save(requestId, new Date().toISOString(), function(){});
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.eql('InResponseTo is missing from response');
-          done();
+          try {
+            should.exist( err );
+            err.message.should.eql('InResponseTo is missing from response');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1560,9 +1649,13 @@ describe( 'passport-saml /', function() {
           should.not.exist( err );
           profile.nameID.should.startWith( 'UIS/jochen-work' );
           samlObj.cacheProvider.get(requestId, function(err, value){
+            try {
               should.exist(value);
               value.should.eql('2014-06-05T12:07:07.662Z');
               done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
       });
@@ -1595,8 +1688,12 @@ describe( 'passport-saml /', function() {
           profile['vz::name'].should.equal( 'Test User' );
           profile['net::ip'].should.equal( '::1' );
           samlObj.cacheProvider.get(requestId, function(err, value){
+            try {
               should.not.exist(value);
               done();
+            } catch (err2) {
+              done(err2);
+            }
           });
         });
       });
@@ -1616,8 +1713,12 @@ describe( 'passport-saml /', function() {
 
           setTimeout(function(){
             samlObj.cacheProvider.get(requestId, function(err, value){
-              should.not.exist(value);
-              done();
+              try {
+                should.not.exist(value);
+                done();
+              } catch (err2) {
+                done(err2);
+              }
             });
           }, 300);
         });
@@ -1652,10 +1753,14 @@ describe( 'passport-saml /', function() {
 
             // Let the expiration timer run again and we should have no more cached
             setTimeout(function(){
-                samlObj.cacheProvider.get(requestId, function(err, value){
-                    should.not.exist(value);
-                    done();
-                });
+              samlObj.cacheProvider.get(requestId, function(err, value){
+                try {
+                  should.not.exist(value);
+                  done();
+                } catch (err2) {
+                  done(err2);
+                }
+              });
             }, 300)
           }, 300);
         });
@@ -1690,9 +1795,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:13:09Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.not.exist( err );
-          profile.nameID.should.startWith( 'ploer' );
-          done();
+          try {
+            should.not.exist( err );
+            profile.nameID.should.startWith( 'ploer' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1709,9 +1818,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:13:08Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
+          try {
             should.not.exist( err );
             profile.nameID.should.startWith( 'ploer' );
             done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1728,9 +1841,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:13:07Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'SAML assertion not yet valid' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'SAML assertion not yet valid' );
+            done();
+          } catch (erro2) {
+            done(err2);
+          }
         });
       });
 
@@ -1747,9 +1864,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:19:08Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'SAML assertion expired' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'SAML assertion expired' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1766,9 +1887,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:19:09Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'SAML assertion expired' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'SAML assertion expired' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1791,9 +1916,13 @@ describe( 'passport-saml /', function() {
         fakeClock = sinon.useFakeTimers(Date.parse('2014-05-28T00:20:09Z'));
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.not.exist( err );
-          profile.nameID.should.startWith( 'ploer' );
-          done();
+          try {
+            should.not.exist( err );
+            profile.nameID.should.startWith( 'ploer' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1812,9 +1941,13 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML( samlConfig );
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'SAML assertion has no AudienceRestriction' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'SAML assertion has no AudienceRestriction' );
+            done();
+          } catch(err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1833,9 +1966,13 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML( samlConfig );
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.exist( err );
-          err.message.should.match( 'SAML assertion audience mismatch' );
-          done();
+          try {
+            should.exist( err );
+            err.message.should.match( 'SAML assertion audience mismatch' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1854,9 +1991,13 @@ describe( 'passport-saml /', function() {
         var samlObj = new SAML( samlConfig );
 
         samlObj.validatePostResponse( container, function( err, profile, logout ) {
-          should.not.exist( err );
-          profile.nameID.should.startWith( 'ploer' );
-          done();
+          try {
+            should.not.exist( err );
+            profile.nameID.should.startWith( 'ploer' );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
 
@@ -1875,8 +2016,12 @@ describe( 'passport-saml /', function() {
         SAMLRequest: "asdf"
       };
       samlObj.validatePostRequest(body, function(err) {
-        should.exist(err);
-        done();
+        try {
+          should.exist(err);
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       });
     });
     it('errors if bad signature', function(done) {
@@ -1884,9 +2029,13 @@ describe( 'passport-saml /', function() {
         SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_bad_signature.xml', 'base64')
       };
       samlObj.validatePostRequest(body, function(err) {
-        should.exist(err);
-        err.should.eql(new Error('Invalid signature on documentElement'));
-        done();
+        try {
+          should.exist(err);
+          err.should.eql(new Error('Invalid signature on documentElement'));
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       });
     });
     it('returns profile for valid signature', function(done) {
@@ -1894,14 +2043,18 @@ describe( 'passport-saml /', function() {
         SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_good_signature.xml', 'base64')
       };
       samlObj.validatePostRequest(body, function(err, profile) {
-        should.not.exist(err);
-        profile.should.eql({
-          ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
-          issuer: 'http://sp.example.com/demo1/metadata.php',
-          nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
-          nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
-        });
-        done();
+        try {
+          should.not.exist(err);
+          profile.should.eql({
+            ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
+            issuer: 'http://sp.example.com/demo1/metadata.php',
+            nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
+            nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+          });
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       });
     });
     it('returns profile for valid signature including session index', function(done) {
@@ -1909,15 +2062,19 @@ describe( 'passport-saml /', function() {
         SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_session_index.xml', 'base64')
       };
       samlObj.validatePostRequest(body, function(err, profile) {
-        should.not.exist(err);
-        profile.should.eql({
-          ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
-          issuer: 'http://sp.example.com/demo1/metadata.php',
-          nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
-          nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-          sessionIndex: '1'
-        });
-        done();
+        try {
+          should.not.exist(err);
+          profile.should.eql({
+            ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
+            issuer: 'http://sp.example.com/demo1/metadata.php',
+            nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
+            nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+            sessionIndex: '1'
+          });
+          done();
+        } catch (err2) {
+          done(err2);
+        }
       });
     });
 	  it('errors if bad privateCert to requestToURL', function(done){
@@ -1952,9 +2109,13 @@ describe( 'passport-saml /', function() {
 		  });
         var request = '<?xml version=\\"1.0\\"?><samlp:AuthnRequest xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protocol\\" ID=\\"_ea40a8ab177df048d645\\" Version=\\"2.0\\" IssueInstant=\\"2017-08-22T19:30:01.363Z\\" ProtocolBinding=\\"urn:oasis:names$tc:SAML:2.0:bindings:HTTP-POST\\" AssertionConsumerServiceURL=\\"https://example.com/login/callback\\" Destination=\\"https://www.example.com\\"><saml:Issuer xmlns:saml=\\"urn:oasis:names:tc:SAML:2.0:assertion\\">onelogin_saml</saml:Issuer><s$mlp:NameIDPolicy xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protocol\\" Format=\\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\\" AllowCreate=\\"true\\"/><samlp:RequestedAuthnContext xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protoc$l\\" Comparison=\\"exact\\"><saml:AuthnContextClassRef xmlns:saml=\\"urn:oasis:names:tc:SAML:2.0:assertion\\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp$AuthnRequest>';
         samlObj.requestToUrl(request, null, 'authorize', {}, function(err) {
+          try {
             should.exist(err);
             err.message.should.containEql('no start line');
             done();
+          } catch (err2) {
+            done(err2);
+          }
         });
 	  });
   });
@@ -1978,47 +2139,67 @@ describe( 'passport-saml /', function() {
           SAMLRequest: "asdf"
         };
         samlObj.validateRedirect(body, function(err) {
-          should.exist(err);
-          done();
+          try {
+            should.exist(err);
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if idpIssuer is set and issuer is wrong', function(done) {
         samlObj.options.idpIssuer = 'foo';
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.should.eql(
-            'Unknown SAML issuer. Expected: foo Received: http://localhost:20000/saml2/idp/metadata.php'
-          );
-          done();
+          try {
+            should.exist(err);
+            err.should.eql(
+              'Unknown SAML issuer. Expected: foo Received: http://localhost:20000/saml2/idp/metadata.php'
+            );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if request has expired', function(done) {
         this.clock.restore();
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.message.should.eql('SAML assertion expired');
-          done();
+          try {
+            should.exist(err);
+            err.message.should.eql('SAML assertion expired');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if request has a bad signature', function(done) {
         this.request.Signature = 'foo';
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.should.eql('Invalid signature');
-          done();
+          try {
+            should.exist(err);
+            err.should.eql('Invalid signature');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('returns profile for valid signature including session index', function(done) {
         samlObj.validateRedirect(this.request, function(err, profile) {
-          should.not.exist(err);
-          profile.should.eql({
-            ID: '_8f0effde308adfb6ae7f1e29b414957fc320f5636f',
-            issuer: 'http://localhost:20000/saml2/idp/metadata.php',
-            nameID: 'stavros@workable.com',
-            nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-            sessionIndex: '_00bf7b2d5d9d3c970217eecefb1194bef3362a618e'
-          });
-          done();
+          try {
+            should.not.exist(err);
+            profile.should.eql({
+              ID: '_8f0effde308adfb6ae7f1e29b414957fc320f5636f',
+              issuer: 'http://localhost:20000/saml2/idp/metadata.php',
+              nameID: 'stavros@workable.com',
+              nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+              sessionIndex: '_00bf7b2d5d9d3c970217eecefb1194bef3362a618e'
+            });
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });
@@ -2042,52 +2223,76 @@ describe( 'passport-saml /', function() {
           SAMLRequest: "asdf"
         };
         samlObj.validateRedirect(body, function(err) {
-          should.exist(err);
-          done();
+          try {
+            should.exist(err);
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if idpIssuer is set and wrong issuer', function(done) {
         samlObj.options.idpIssuer = 'foo';
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.should.eql(
-            'Unknown SAML issuer. Expected: foo Received: http://localhost:20000/saml2/idp/metadata.php'
-          );
-          done();
+          try {
+            should.exist(err);
+            err.should.eql(
+              'Unknown SAML issuer. Expected: foo Received: http://localhost:20000/saml2/idp/metadata.php'
+            );
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if unsuccessful', function(done) {
         this.request = require('./static/sp_slo_redirect_failure');
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.should.eql(
-            'Bad status code: urn:oasis:names:tc:SAML:2.0:status:Requester'
-          );
-          done();
+          try {
+            should.exist(err);
+            err.should.eql(
+              'Bad status code: urn:oasis:names:tc:SAML:2.0:status:Requester'
+            );
+            done();
+          } catch(err2) {
+            done(err2);
+          }
         });
       });
       it('errors if InResponseTo is not found', function(done) {
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.message.should.eql('InResponseTo is not valid');
-          done();
+          try {
+            should.exist(err);
+            err.message.should.eql('InResponseTo is not valid');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('errors if bad signature', function(done) {
         samlObj.cacheProvider.save('_79db1e7ad12ca1d63e5b', new Date().toISOString(), function(){});
         this.request.Signature = 'foo';
         samlObj.validateRedirect(this.request, function(err) {
-          should.exist(err);
-          err.should.eql('Invalid signature');
-          done();
+          try {
+            should.exist(err);
+            err.should.eql('Invalid signature');
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
       it('returns true for valid signature', function(done) {
         samlObj.cacheProvider.save('_79db1e7ad12ca1d63e5b', new Date().toISOString(), function(){});
         samlObj.validateRedirect(this.request, function(err, _data, success) {
-          should.not.exist(err);
-          success.should.eql(true);
-          done();
+          try {
+            should.not.exist(err);
+            success.should.eql(true);
+            done();
+          } catch (err2) {
+            done(err2);
+          }
         });
       });
     });

From 2d8f9c000b843a606fc88e051c2301e7bb0dd621 Mon Sep 17 00:00:00 2001
From: Chris Barth <chrisjbarth@hotmail.com>
Date: Mon, 29 Apr 2019 14:56:29 -0400
Subject: [PATCH 2/2] Improve code consistency; fix error handling bugs

---
 multiSamlStrategy.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/multiSamlStrategy.js b/multiSamlStrategy.js
index 46f8bdb1..00f4ea75 100644
--- a/multiSamlStrategy.js
+++ b/multiSamlStrategy.js
@@ -36,29 +36,33 @@ MultiSamlStrategy.prototype.authenticate = function (req, options) {
   });
 };
 
-MultiSamlStrategy.prototype.logout = function (req, options) {
+MultiSamlStrategy.prototype.logout = function (req, callback) {
   var self = this;
 
   this._options.getSamlOptions(req, function (err, samlOptions) {
     if (err) {
-      return self.error(err);
+      return callback(err);
     }
 
     self._saml = new saml.SAML(Object.assign({}, self._options, samlOptions));
-    self.constructor.super_.prototype.logout.call(self, req, options);
+    self.constructor.super_.prototype.logout.call(self, req, callback);
   });
 };
 
-MultiSamlStrategy.prototype.generateServiceProviderMetadata = function( req, decryptionCert, signingCert, next ) {
+MultiSamlStrategy.prototype.generateServiceProviderMetadata = function( req, decryptionCert, signingCert, callback ) {
+  if (typeof callback !== 'function') {
+    throw new Error("Metadata can't be provided synchronously for MultiSamlStrategy.");
+  }
+
   var self = this;
 
   return this._options.getSamlOptions(req, function (err, samlOptions) {
     if (err) {
-      return next(err);
+      return callback(err);
     }
 
-    self._saml = new saml.SAML(samlOptions);
-    return next(null, self.constructor.super_.prototype.generateServiceProviderMetadata.call(self, decryptionCert, signingCert ));
+    self._saml = new saml.SAML(Object.assign({}, self._options, samlOptions));
+    return callback(null, self.constructor.super_.prototype.generateServiceProviderMetadata.call(self, decryptionCert, signingCert ));
   });
 };