Fix SAML metadata signing

This requires an update on XML::Sig
(see perl-net-saml2/perl-XML-Sig#40)

Fixes: #61

Signed-off-by: Wesley Schwengle <wesley@opndev.io>

Author: waterkip

.gitignore

@@ -22,3 +22,5 @@ xt/testapp/sign-nopw-cert-dsa.pem
 xt/testapp/sign-private-dsa.pem
 Release-*
 xt/testapp/IdPs/*/*
+/Net-SAML2-*/**
+/Net-SAML2-*.tar.gz

Makefile.PL

@@ -68,7 +68,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.55",
+  "VERSION" => "0.56",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }

README

@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.55
+    version 0.56
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and

lib/Net/SAML2/SP.pm

@@ -327,14 +327,15 @@ sub generate_metadata {
     return $x->EntityDescriptor(
         $md,
         {
-            entityID => $self->id },
+            entityID => $self->id,
+            ID       => $self->generate_sp_desciptor_id(),
+        },
         $x->SPSSODescriptor(
             $md,
             { AuthnRequestsSigned => $self->authnreq_signed,
               WantAssertionsSigned => $self->want_assertions_signed,
               errorURL => $self->url . $self->error_url,
               protocolSupportEnumeration => 'urn:oasis:names:tc:SAML:2.0:protocol',
-              ID => $self->generate_sp_desciptor_id(),
             },
             $x->KeyDescriptor(
                 $md,
@@ -438,6 +439,8 @@ sub metadata {
             sig_hash    => 'sha256',
             digest_hash => 'sha256',
             x509        => 1,
+            ns          => { md => 'urn:oasis:names:tc:SAML:2.0:metadata' },
+            id_attr     => '/md:EntityDescriptor[@ID]',
         }
     );
     return $signer->sign($metadata);

t/02-create-sp.t

@@ -11,9 +11,8 @@ my $xpath = get_xpath(
     ds => 'http://www.w3.org/2000/09/xmldsig#'
 );
 
-my $nodes = $xpath->findnodes('//md:EntityDescriptor/md:SPSSODescriptor');
-is($nodes->size, 1, "We have one PSSODescriptor");
-my $node = $nodes->get_node(1);
+my $node
+    = get_single_node_ok($xpath, '//md:EntityDescriptor/md:SPSSODescriptor');
 ok(!$node->getAttribute('WantAssertionsSigned'),
     'Wants assertions to be signed');
 ok(
@@ -37,54 +36,120 @@ if (is(@ssos, 2, "Got two assertionConsumerService(s)")) {
     );
 }
 
+get_single_node_ok($xpath, '//ds:Signature');
+
+{
+    my $sp = net_saml2_sp(sign_metadata => 0);
+    my $xpath = get_xpath(
+        $sp->metadata,
+        md => 'urn:oasis:names:tc:SAML:2.0:metadata',
+        ds => 'http://www.w3.org/2000/09/xmldsig#'
+    );
+
+    my $nodes = $xpath->findnodes('//ds:Signature');
+    is($nodes->size(), 0, "We don't have any ds:Signature present");
+
+}
+
 {
     my $sp = Net::SAML2::SP->new(
-        id               => 'http://localhost:3000',
-        url              => 'http://localhost:3000',
-        cert             => 't/sign-nopw-cert.pem',
-        key              => 't/sign-nopw-cert.pem',
-        cacert           => 't/cacert.pem',
-        org_name         => 'Test',
-        org_display_name => 'Test',
+        id     => 'Some entity ID',
+        url    => 'http://localhost:3000',
+        cert   => 't/sign-nopw-cert.pem',
+        key    => 't/sign-nopw-cert.pem',
+        cacert => 't/cacert.pem',
+
+        org_name         => 'Net::SAML2::SP',
+        org_display_name => 'Net::SAML2::SP testsuite',
         org_contact      => 'test@example.com',
+
         org_url          => 'http://www.example.com',
         slo_url_soap     => '/slo-soap',
         slo_url_redirect => '/sls-redirect-response',
         slo_url_post     => '/sls-post-response',
         acs_url_post     => '/consumer-post',
         acs_url_artifact => '/consumer-artifact',
-        org_name         => 'Net::SAML2 Saml2Test',
-        org_display_name => 'Saml2Test app for Net::SAML2',
-        org_contact      => 'saml2test@example.com',
         error_url        => '/error',
     );
 
-    my $xpath = get_xpath($sp->metadata,
-        md => 'urn:oasis:names:tc:SAML:2.0:metadata');
-    my $nodes = $xpath->findnodes('//md:EntityDescriptor/md:SPSSODescriptor');
-    is($nodes->size, 1, "We have one PSSODescriptor");
-    my $node = $nodes->get_node(1);
-    ok($node->getAttribute('WantAssertionsSigned'),
-        'Wants assertions to be signed');
-    ok(
-        $node->getAttribute('AuthnRequestsSigned'),
-        '.. and also authn requests to be signed'
-    );
-}
-
-$nodes = $xpath->findnodes('//ds:Signature');
-is($nodes->size(), 1, "We have a signed metadata document ds:Signature present");
-
-{
-    my $sp = net_saml2_sp(sign_metadata => 0);
-    my $xpath = get_xpath(
+    my $xpc = get_xpath(
         $sp->metadata,
         md => 'urn:oasis:names:tc:SAML:2.0:metadata',
         ds => 'http://www.w3.org/2000/09/xmldsig#'
     );
 
-    my $nodes = $xpath->findnodes('//ds:Signature');
-    is($nodes->size(), 0, "We don't have any ds:Signature present");
+    my $node = get_single_node_ok($xpc, '/md:EntityDescriptor');
+    is(
+        $node->getAttribute('entityID'),
+        'Some entity ID',
+        '.. has the correct entity ID'
+    );
+
+    ok($node->getAttribute('ID'), '.. has an ID');
+
+    {
+        # Test ContactPerson
+        my $node = get_single_node_ok($xpc, '/node()/md:ContactPerson');
+        my $p    = $node->nodePath();
+
+        my $company = get_single_node_ok($xpc, "$p/md:Company");
+        is(
+            $company->textContent,
+            'Net::SAML2::SP testsuite',
+            "Got the correct company name for the contact person"
+        );
+
+        my $email = get_single_node_ok($xpc, "$p/md:EmailAddress");
+        is($email->textContent, 'test@example.com',
+            ".. and the correct email");
+    }
+
+    {
+        # Test Organisation
+        my $node = get_single_node_ok($xpc, '/node()/md:Organization');
+        my $p    = $node->nodePath();
+
+        my $name = get_single_node_ok($xpc, "$p/md:OrganizationName");
+        is(
+            $name->textContent,
+            'Net::SAML2::SP',
+            "Got the correct company name"
+        );
+
+        my $display_name
+            = get_single_node_ok($xpc, "$p/md:OrganizationDisplayName");
+        is(
+            $display_name->textContent,
+            'Net::SAML2::SP testsuite',
+            ".. and the correct display name"
+        );
+
+        my $url = get_single_node_ok($xpc, "$p/md:OrganizationURL");
+        is($url->textContent, 'http://www.example.com',
+            ".. and the correct URI");
+    }
+
+    {
+        # Test SPSSODescriptor
+        my $node = get_single_node_ok($xpc, '/node()/md:SPSSODescriptor');
+        is($node->getAttribute('AuthnRequestsSigned'),
+            '1', '.. and authn request needs signing');
+        is($node->getAttribute('WantAssertionsSigned'),
+            '1', '.. as does assertions');
+        is(
+            $node->getAttribute('errorURL'),
+            'http://localhost:3000/error',
+            'Got the correct error URI'
+        );
+
+        # TODO: Add more tests for other metadata parts
+
+    }
+
+    {
+        # Test Signature
+        my $node = get_single_node_ok($xpc, '/node()/ds:Signature');
+    }
 
 }
 

t/lib/Test/Net/SAML2/Util.pm

@@ -10,6 +10,7 @@ our @EXPORT = qw(
     get_xpath
     test_xml_attribute_ok
     test_xml_value_ok
+    get_single_node_ok
     net_saml2_sp
     looks_like_a_cert
     net_saml2_binding_redirect_request
@@ -216,6 +217,14 @@ sub get_xpath {
     return $xp;
 }
 
+sub get_single_node_ok {
+    my $xpc = shift;
+    my $xpath = shift;
+    my $nodes = $xpc->findnodes($xpath);
+    is($nodes->size, 1, "Got 1 node for $xpath");
+    return $nodes->get_node(1);
+}
+
 sub test_xml_attribute_ok {
     my ($xpath, $search, $value) = @_;