Add ability to sign metadata.

Author: Umofomia

README.md

@@ -336,9 +336,10 @@ In order to be able to sign we need first to define the private key and the publ
 The settings related to sign are stored in the `security` attribute of the settings:
 
 ```ruby
-  settings.security[:authn_requests_signed]  = true     # Enable or not signature on AuthNRequest
-  settings.security[:logout_requests_signed] = true     # Enable or not signature on Logout Request
+  settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
+  settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
   settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1
   settings.security[:signature_method] = XMLSecurity::Document::SHA1

lib/onelogin/ruby-saml/authrequest.rb

@@ -111,7 +111,7 @@ def create_authentication_xml_doc(settings)
           end
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

lib/onelogin/ruby-saml/logoutrequest.rb

@@ -88,7 +88,7 @@ def create_logout_request_xml_doc(settings)
           sessionindex.text = settings.sessionindex
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

lib/onelogin/ruby-saml/metadata.rb

@@ -13,7 +13,7 @@ module RubySaml
     include REXML
     class Metadata
       def generate(settings)
-        meta_doc = REXML::Document.new
+        meta_doc = XMLSecurity::Document.new
         root = meta_doc.add_element "md:EntityDescriptor", {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
@@ -85,6 +85,13 @@ def generate(settings)
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
         meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+
+        # embed signature
+        if settings.security[:metadata_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key()
+          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         meta_doc.write(ret, 1)

lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -86,7 +86,7 @@ def create_logout_response_xml_doc(settings, request_id = nil, logout_message =
           issuer.text = settings.issuer
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

test/logoutrequest_test.rb

@@ -88,7 +88,7 @@ class RequestTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign (embebed) the logout request" do
+    describe "when the settings indicate to sign (embedded) the logout request" do
       it "created a signed logout request" do
         settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"

test/metadata_test.rb

@@ -84,5 +84,42 @@ def setup
       assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
       assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//md:AttributeValue").text.strip
     end
+
+    describe "when the settings indicate to sign (embedded) the metadata" do
+      it "create a signed metadata" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.issuer = "https://example.com"
+        settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+        settings.security[:metadata_signed] = true
+        settings.security[:embed_sign] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+        xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
+
+        assert_match %r[<ds:SignatureValue>\s*([a-zA-Z0-9/+=]+)\s*</ds:SignatureValue>]m, xml_text
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
+      end
+
+      it "create a signed metadata with 256 digest and signature methods" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.issuer = "https://example.com"
+        settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+        settings.security[:metadata_signed] = true
+        settings.security[:embed_sign] = true
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+
+        xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
+
+        assert_match %r[<ds:SignatureValue>\s*([a-zA-Z0-9/+=]+)\s*</ds:SignatureValue>]m, xml_text
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'/>], xml_text
+      end
+    end
   end
 end

test/request_test.rb

@@ -143,7 +143,7 @@ class RequestTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign (embebed) the request" do
+    describe "when the settings indicate to sign (embedded) the request" do
       it "create a signed request" do
         settings = OneLogin::RubySaml::Settings.new
         settings.compress_request = false

test/slo_logoutresponse_test.rb

@@ -65,7 +65,7 @@ class SloLogoutresponseTest < Minitest::Test
       assert_match /<samlp:StatusMessage>Custom Logout Message<\/samlp:StatusMessage>/, inflated
     end
 
-    describe "when the settings indicate to sign (embebed) the logout response" do
+    describe "when the settings indicate to sign (embedded) the logout response" do
       it "create a signed logout response" do
         settings = OneLogin::RubySaml::Settings.new
         settings.compress_response = false