Related to #207 Add ability to sign metadata (Test improved, prettyprint optional on metadata generator, signature position fixed). Fix algorithm calculator

pitbulk · pitbulk · commit e96becf57a72 · 2015-03-25T03:10:49.000+01:00
diff --git a/lib/onelogin/ruby-saml/metadata.rb b/lib/onelogin/ruby-saml/metadata.rb
@@ -1,4 +1,5 @@
 require "uri"
+require "uuid"
 
 require "onelogin/ruby-saml/logging"
 
@@ -9,7 +10,7 @@
 module OneLogin
   module RubySaml
     class Metadata
-      def generate(settings)
+      def generate(settings, pretty_print=true)
         meta_doc = XMLSecurity::Document.new
         root = meta_doc.add_element "md:EntityDescriptor", {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
@@ -20,6 +21,7 @@ def generate(settings)
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
             "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
         }
+        root.attributes["ID"] = "_" + UUID.new.generate
         if settings.issuer
           root.attributes["entityID"] = settings.issuer
         end
@@ -91,7 +93,11 @@ def generate(settings)
 
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
-        meta_doc.write(ret, 1)
+        if pretty_print
+          meta_doc.write(ret, 1)
+        else 
+          ret = meta_doc.to_s
+        end
 
         return ret
       end
diff --git a/lib/onelogin/ruby-saml/settings.rb b/lib/onelogin/ruby-saml/settings.rb
@@ -111,7 +111,8 @@ def get_sp_key
         :security                                  => {
           :authn_requests_signed    => false,
           :logout_requests_signed   => false,
-          :logout_responses_signed   => false,
+          :logout_responses_signed  => false,
+          :metadata_signed          => false,
           :embed_sign               => false,
           :digest_method            => XMLSecurity::Document::SHA1,
           :signature_method         => XMLSecurity::Document::RSA_SHA1
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -56,9 +56,10 @@ def algorithm(element)
       algorithm = element
       if algorithm.is_a?(REXML::Element)
         algorithm = element.attribute("Algorithm").value
-        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
       end
 
+      algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
       case algorithm
       when 256 then OpenSSL::Digest::SHA256
       when 384 then OpenSSL::Digest::SHA384
@@ -80,7 +81,7 @@ class Document < BaseDocument
     SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
     SHA512          = "http://www.w3.org/2001/04/xmldsig-more#sha512"
     ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-    INC_PREFIX_LIST = "#default samlp saml ds xs xsi"
+    INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
 
     attr_accessor :uuid
 
@@ -119,8 +120,6 @@ def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_
       # Add Transforms
       transforms_element = reference_element.add_element("ds:Transforms")
       transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
-      #transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
-      #transforms_element.add_element("ds:InclusiveNamespaces", {"xmlns" => C14N, "PrefixList" => INC_PREFIX_LIST})
       c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
       c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
 
@@ -133,6 +132,7 @@ def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_
       noko_sig_element = Nokogiri.parse(signature_element.to_s)
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
+
       signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
       signature_element.add_element("ds:SignatureValue").text = signature
 
@@ -150,7 +150,11 @@ def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_
       if issuer_element
         self.root.insert_after issuer_element, signature_element
       else
-        self.root.add_element(signature_element)
+        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          self.root.add_element(signature_element)
+        end
       end
     end
 
diff --git a/test/metadata_test.rb b/test/metadata_test.rb
@@ -6,7 +6,7 @@ class MetadataTest < Minitest::Test
 
   describe 'Metadata' do
     let(:settings)          { OneLogin::RubySaml::Settings.new }
-    let(:xml_text)          { OneLogin::RubySaml::Metadata.new.generate(settings) }
+    let(:xml_text)          { OneLogin::RubySaml::Metadata.new.generate(settings, false) }
     let(:xml_doc)           { REXML::Document.new(xml_text) }
     let(:spsso_descriptor)  { REXML::XPath.first(xml_doc, "//md:SPSSODescriptor") }
     let(:acs)               { REXML::XPath.first(xml_doc, "//md:AssertionConsumerService") }
@@ -17,9 +17,15 @@ class MetadataTest < Minitest::Test
       settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
     end
 
+    it "generates Pretty Print Service Provider Metadata" do
+      start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
+      xml_text_2 = OneLogin::RubySaml::Metadata.new.generate(settings, true)
+      assert xml_text_2[0..start.length-1] == start
+    end
+
     it "generates Service Provider Metadata" do
       # assert correct xml declaration
-      start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
+      start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
       assert xml_text[0..start.length-1] == start
 
       assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
@@ -89,19 +95,25 @@ class MetadataTest < Minitest::Test
       it "creates a signed metadata" do
         assert_match %r[<ds:SignatureValue>\s*([a-zA-Z0-9/+=]+)\s*</ds:SignatureValue>]m, xml_text
         assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
+        signed_metadata = XMLSecurity::SignedDocument.new(xml_text)
+        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)        
       end
 
       describe "when digest and signature methods are specified" do
         before do
-          settings.security[:signature_method] = XMLSecurity::Document::SHA256
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
           settings.security[:digest_method] = XMLSecurity::Document::SHA512
         end
 
         it "creates a signed metadata with specified digest and signature methods" do
           assert_match %r[<ds:SignatureValue>\s*([a-zA-Z0-9/+=]+)\s*</ds:SignatureValue>]m, xml_text
           assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
-          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'/>], xml_text
+          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], xml_text
+
+          signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
+
+          assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)          
         end
       end
     end
