Merge pull request #43 from timlegge/metadata

timlegge · web-flow · commit 378c8159fb70 · 2021-10-25T19:28:32.000-03:00
Update for Metadata custom urls and signing
diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
@@ -98,6 +98,13 @@ has 'cert'   => (isa => 'Str', is => 'ro', required => 1);
 has 'key'    => (isa => 'Str', is => 'ro', required => 1);
 has 'cacert' => (isa => 'Maybe[Str]', is => 'ro', required => 1);
 
+has 'error_url'        => (isa => 'Str', is => 'ro', required => 1);
+has 'slo_url_soap'     => (isa => 'Str', is => 'ro', required => 1);
+has 'slo_url_redirect' => (isa => 'Str', is => 'ro', required => 1);
+has 'slo_url_post'     => (isa => 'Str', is => 'ro', required => 1);
+has 'acs_url_post'     => (isa => 'Str', is => 'ro', required => 1);
+has 'acs_url_artifact' => (isa => 'Str', is => 'ro', required => 1);
+
 has 'org_name'         => (isa => 'Str', is => 'ro', required => 1);
 has 'org_display_name' => (isa => 'Str', is => 'ro', required => 1);
 has 'org_contact'      => (isa => 'Str', is => 'ro', required => 1);
@@ -304,20 +311,23 @@ Returns the metadata XML document for this SP.
 sub metadata {
     my ($self) = @_;
 
+    use Net::SAML2::Util qw/generate_id/;
+
     my $x = XML::Generator->new(':pretty', conformance => 'loose');
     my $md = ['md' => 'urn:oasis:names:tc:SAML:2.0:metadata'];
     my $ds = ['ds' => 'http://www.w3.org/2000/09/xmldsig#'];
 
-    $x->EntityDescriptor(
+    my $metadata = $x->EntityDescriptor(
         $md,
         {
             entityID => $self->id },
         $x->SPSSODescriptor(
             $md,
             { AuthnRequestsSigned => defined($self->authnreq_signed) ? $self->authnreq_signed : '1',
               WantAssertionsSigned => defined($self->want_assertions_signed) ? $self->want_assertions_signed : '1',
-              errorURL => $self->url . '/saml/error',
-              protocolSupportEnumeration => 'urn:oasis:names:tc:SAML:2.0:protocol' },
+              errorURL => $self->url . $self->error_url,
+              protocolSupportEnumeration => 'urn:oasis:names:tc:SAML:2.0:protocol',
+              ID => generate_id()},
             $x->KeyDescriptor(
                 $md,
                 {
@@ -336,29 +346,29 @@ sub metadata {
             $x->SingleLogoutService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
-                  Location  => $self->url . '/saml/slo-soap' },
+                  Location  => $self->url . $self->slo_url_soap },
             ),
             $x->SingleLogoutService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-                  Location  => $self->url . '/saml/sls-redirect-response' },
+                  Location  => $self->url . $self->slo_url_redirect },
             ),
             $x->SingleLogoutService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                  Location  => $self->url . '/saml/sls-post-response' },
+                  Location  => $self->url . $self->slo_url_post },
             ),
             $x->AssertionConsumerService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                  Location => $self->url . '/saml/consumer-post',
+                  Location => $self->url . $self->acs_url_post,
                   index => '1',
                   isDefault => 'true' },
             ),
             $x->AssertionConsumerService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-                  Location => $self->url . '/saml/consumer-artifact',
+                  Location => $self->url . $self->acs_url_artifact,
                   index => '2',
                   isDefault => 'false' },
             ),
@@ -398,6 +408,21 @@ sub metadata {
             ),
         )
     );
+
+    use Net::SAML2::XML::Sig;
+
+    my $signer = Net::SAML2::XML::Sig->new({
+                        key => $self->key,
+                        cert => $self->cert,
+                        sig_hash => 'sha256',
+                        digest_hash => 'sha256',
+                        x509 => 1,
+                });
+
+    # create a signature
+    my $signed = $signer->sign($metadata);
+
+    return $signed;
 }
 
 __PACKAGE__->meta->make_immutable;
diff --git a/lib/Net/SAML2/XML/Sig.pm b/lib/Net/SAML2/XML/Sig.pm
@@ -1590,7 +1590,7 @@ sub _signedinfo_xml {
 
     #return qq{<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     return qq{<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
-                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
+                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 <dsig:SignatureMethod Algorithm="$algorithm" />
                 $digest_xml
             </dsig:SignedInfo>};
diff --git a/t/lib/Test/Net/SAML2/Util.pm b/t/lib/Test/Net/SAML2/Util.pm
@@ -42,6 +42,15 @@ sub net_saml2_sp {
         org_display_name => 'Test',
         org_contact      => 'test@example.com',
         org_url          => 'http://www.example.com',
+        slo_url_soap     => '/slo-soap',
+        slo_url_redirect => '/sls-redirect-response',
+        slo_url_post     => '/sls-post-response',
+        acs_url_post     => '/consumer-post',
+        acs_url_artifact => '/consumer-artifact',
+        org_name         => 'Net::SAML2 Saml2Test',
+        org_display_name => 'Saml2Test app for Net::SAML2',
+        org_contact      => 'saml2test@example.com',
+        error_url        => '/error',
         authnreq_signed  => '0',
         want_assertions_signed => '0',
         @_,
diff --git a/xt/testapp/config.yml b/xt/testapp/config.yml
@@ -8,3 +8,12 @@ url: "https://netsaml2-testapp.local"
 cert: "sign-certonly.pem"
 key: "sign-nopw-cert.pem"
 cacert: "saml_cacert.pem"
+slo_url_soap: "/slo-soap"
+slo_url_redirect: "/sls-redirect-response"
+slo_url_post: "/sls-post-response"
+acs_url_post: "/consumer-post"
+acs_url_artifact: "/consumer-artifact"
+org_name: "Net::SAML2 Saml2Test"
+org_display_name: "Saml2Test app for Net::SAML2"
+org_contact: "saml2test@example.com"
+error_url: "/error"
diff --git a/xt/testapp/lib/Saml2Test.pm b/xt/testapp/lib/Saml2Test.pm
@@ -201,10 +201,16 @@ sub _sp {
         cert   => config->{cert},
         key    => config->{key},
         cacert => config->{cacert},
+        slo_url_soap => config->{slo_url_soap},
+        slo_url_redirect => config->{slo_url_redirect},
+        slo_url_post => config->{slo_url_post},
+        acs_url_post => config->{acs_url_post},
+        acs_url_artifact => config->{acs_url_artifact},
+        error_url => config->{error_url},
 		
-        org_name	 => 'Net::SAML2 Saml2Test',
-        org_display_name => 'Saml2Test app for Net::SAML2',
-        org_contact	 => 'saml2test@example.com',
+        org_name	 => config->{org_name},
+        org_display_name => config->{org_display_name},
+        org_contact	 => config->{org_contact},
     );
     return $sp;
 }	
