Metadata spec

SAML-Toolkits · Jul 10, 2024 · e92177f · e92177f
1 parent 1d89633
commit e92177f
Showing 1 changed file with 63 additions and 60 deletions.
diff --git a/test/metadata_test.rb b/test/metadata_test.rb
@@ -328,82 +328,85 @@ class MetadataTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign (embedded) metadata" do
-      before do
-        settings.security[:metadata_signed] = true
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-
-      it "creates a signed metadata" do
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], xml_text
-
-        signed_metadata = RubySaml::XML::SignedDocument.new(xml_text)
-        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
-
-        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
-      end
-
-      describe "when digest and signature methods are specified" do
+    with_each_key_algorithm do |algorithm|
+      describe "when the settings indicate to sign (embedded) metadata" do
         before do
-          settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA256
-          settings.security[:digest_method] = RubySaml::XML::Document::SHA512
+          settings.security[:metadata_signed] = true
+          cert, pkey = CertificateHelper.generate_pair(algorithm)
+          @fingerprint = OpenSSL::Digest.new('SHA256', cert.to_der).to_s
+          settings.certificate, settings.private_key = [cert, pkey].map(&:to_pem)
         end
 
-        it "creates a signed metadata with specified digest and signature methods" do
+        it "creates a signed metadata" do
           assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
-          assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
-          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], xml_text
+          assert_match signature_method_matcher(algorithm), xml_text
+          assert_match %r[<ds:DigestMethod Algorithm='http://www\.w3\.org/2001/04/xmlenc#sha256'/>], xml_text
 
           signed_metadata = RubySaml::XML::SignedDocument.new(xml_text)
-          assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
+          assert signed_metadata.validate_document(@fingerprint, false)
 
           assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
         end
-      end
 
-      describe "when custom metadata elements have been inserted" do
-        let(:xml_text) { subclass.new.generate(settings, false) }
-        let(:subclass) do
-          Class.new(RubySaml::Metadata) do
-            def add_extras(root, _settings)
-              idp = REXML::Element.new("md:IDPSSODescriptor")
-              idp.attributes['protocolSupportEnumeration'] = 'urn:oasis:names:tc:SAML:2.0:protocol'
-
-              nid = REXML::Element.new("md:NameIDFormat")
-              nid.text = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
-              idp.add_element(nid)
-
-              sso = REXML::Element.new("md:SingleSignOnService")
-              sso.attributes['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
-              sso.attributes['Location'] = 'https://foobar.com/sso'
-              idp.add_element(sso)
-              root.insert_before(root.children[0], idp)
-
-              org = REXML::Element.new("md:Organization")
-              org.add_element("md:OrganizationName", 'xml:lang' => "en-US").text = 'ACME Inc.'
-              org.add_element("md:OrganizationDisplayName", 'xml:lang' => "en-US").text = 'ACME'
-              org.add_element("md:OrganizationURL", 'xml:lang' => "en-US").text = 'https://www.acme.com'
-              root.insert_after(root.children[3], org)
-            end
+        describe "when digest and signature methods are specified" do
+          before do
+            settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA256
+            settings.security[:digest_method] = RubySaml::XML::Document::SHA512
+          end
+
+          it "creates a signed metadata with specified digest and signature methods" do
+            assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+            assert_match signature_method_matcher(algorithm), xml_text
+            assert_match %r[<ds:DigestMethod Algorithm='http://www\.w3\.org/2001/04/xmlenc#sha512'/>], xml_text
+
+            signed_metadata = RubySaml::XML::SignedDocument.new(xml_text)
+            assert signed_metadata.validate_document(@fingerprint, false)
+
+            assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
           end
         end
 
-        it "inserts signature as the first child of root element" do
-          first_child = xml_doc.root.children[0]
-          assert_equal first_child.prefix, 'ds'
-          assert_equal first_child.name, 'Signature'
+        describe "when custom metadata elements have been inserted" do
+          let(:xml_text) { subclass.new.generate(settings, false) }
+          let(:subclass) do
+            Class.new(RubySaml::Metadata) do
+              def add_extras(root, _settings)
+                idp = REXML::Element.new("md:IDPSSODescriptor")
+                idp.attributes['protocolSupportEnumeration'] = 'urn:oasis:names:tc:SAML:2.0:protocol'
+
+                nid = REXML::Element.new("md:NameIDFormat")
+                nid.text = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+                idp.add_element(nid)
+
+                sso = REXML::Element.new("md:SingleSignOnService")
+                sso.attributes['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+                sso.attributes['Location'] = 'https://foobar.com/sso'
+                idp.add_element(sso)
+                root.insert_before(root.children[0], idp)
+
+                org = REXML::Element.new("md:Organization")
+                org.add_element("md:OrganizationName", 'xml:lang' => "en-US").text = 'ACME Inc.'
+                org.add_element("md:OrganizationDisplayName", 'xml:lang' => "en-US").text = 'ACME'
+                org.add_element("md:OrganizationURL", 'xml:lang' => "en-US").text = 'https://www.acme.com'
+                root.insert_after(root.children[3], org)
+              end
+            end
+          end
 
-          assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
-          assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
-          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], xml_text
+          it "inserts signature as the first child of root element" do
+            first_child = xml_doc.root.children[0]
+            assert_equal first_child.prefix, 'ds'
+            assert_equal first_child.name, 'Signature'
 
-          signed_metadata = RubySaml::XML::SignedDocument.new(xml_text)
-          assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
+            assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+            assert_match signature_method_matcher(algorithm), xml_text
+            assert_match %r[<ds:DigestMethod Algorithm='http://www\.w3\.org/2001/04/xmlenc#sha256'/>], xml_text
 
-          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+            signed_metadata = RubySaml::XML::SignedDocument.new(xml_text)
+            assert signed_metadata.validate_document(@fingerprint, false)
+
+            assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+          end
         end
       end
     end