add tests for signing metadata

zendesk-mradmacher · zendesk-mradmacher · commit 5379215dd6dd · 2025-10-27T13:15:26.000+01:00
diff --git a/test/unit/test_response_signature_wrapping_attack.rb b/test/unit/test_response_signature_wrapping_attack.rb
@@ -59,7 +59,6 @@
       # According to SAML schema, the <Signature> needs to be placed after <Issuer>.
       metadata_signature_doc = metadata_doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
       response_doc.at("/samlp:Response/saml:Issuer", Samlr::NS_MAP).add_next_sibling(metadata_signature_doc.dup)
-
       crafted_saml_response = Samlr::Response.new(Base64.encode64(response_doc.to_xml), fingerprint: fingerprint)
 
       # Checks for duplicate values of the ID attribute.
diff --git a/test/unit/tools/test_metadata_builder.rb b/test/unit/tools/test_metadata_builder.rb
@@ -2,25 +2,38 @@
 
 describe Samlr::Tools::MetadataBuilder do
   describe "#build" do
-    before do
-      @xml = Samlr::Tools::MetadataBuilder.build({
+    let(:options) do
+      {
         :entity_id            => "https://sp.example.com/saml2",
         :name_identity_format => "identity_format",
         :consumer_service_url => "https://support.sp.example.com/"
-      })
-
-      @doc = Nokogiri::XML(@xml) { |c| c.strict }
+      }
     end
+    let(:xml) { Samlr::Tools::MetadataBuilder.build(options) }
+    let(:doc) { Nokogiri::XML(xml) { |c| c.strict } }
 
     it "generates a metadata document" do
-      assert_equal "EntityDescriptor", @doc.root.name
-      assert_equal "identity_format", @doc.at("//md:NameIDFormat", { "md" => Samlr::NS_MAP["md"] }).text
+      assert_equal "EntityDescriptor", doc.root.name
+      assert_equal "identity_format", doc.at("//md:NameIDFormat", { "md" => Samlr::NS_MAP["md"] }).text
     end
 
     it "validates against schemas" do
-      result = Samlr::Tools.validate(:document => @xml, :schema => Samlr::META_SCHEMA)
+      result = Samlr::Tools.validate(:document => xml, :schema => Samlr::META_SCHEMA)
       assert result
     end
 
+    it "does not sign metadata by default" do
+      assert_nil doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
+    end
+
+    describe "when prompted to add a signature" do
+      before do
+        options[:sign_metadata] = true
+      end
+
+      it "signs metadata" do
+        refute_nil doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
+      end
+    end
   end
 end
