ruby-saml 0.9.1 → 0.9.2

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,3 +1,7 @@
+require "xml_security"
+require "onelogin/ruby-saml/attribute_service"
+require "onelogin/ruby-saml/utils"
+
 module OneLogin
   module RubySaml
     class Settings
@@ -5,7 +9,10 @@ module OneLogin
         config = DEFAULTS.merge(overrides)
         config.each do |k,v|
           acc = "#{k.to_s}=".to_sym
-          self.send(acc, v) if self.respond_to? acc
+          if self.respond_to? acc
+            value = v.is_a?(Hash) ? v.dup : v
+            self.send(acc, value)
+          end
         end
         @attribute_consuming_service = AttributeService.new
       end
@@ -16,6 +23,7 @@ module OneLogin
       attr_accessor :idp_slo_target_url
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
+      attr_accessor :idp_cert_fingerprint_algorithm
       # SP Data
       attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
@@ -97,20 +105,22 @@ module OneLogin
       private
 
       DEFAULTS = {
-        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :idp_cert_fingerprint_algorithm            => XMLSecurity::Document::SHA1,
         :compress_request                          => true,
         :compress_response                         => true,
         :security                                  => {
           :authn_requests_signed    => false,
           :logout_requests_signed   => false,
-          :logout_responses_signed   => false,
+          :logout_responses_signed  => false,
+          :metadata_signed          => false,
           :embed_sign               => false,
           :digest_method            => XMLSecurity::Document::SHA1,
-          :signature_method         => XMLSecurity::Document::SHA1
-        },
+          :signature_method         => XMLSecurity::Document::RSA_SHA1
+        }.freeze,
         :double_quote_xml_attribute_values         => false,
-      }
+      }.freeze
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -2,6 +2,8 @@ require 'zlib'
 require 'time'
 require 'nokogiri'
 
+require "onelogin/ruby-saml/saml_message"
+
 # Only supports SAML 2.0
 module OneLogin
   module RubySaml

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -1,6 +1,7 @@
 require "uuid"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
 
 module OneLogin
   module RubySaml
@@ -25,7 +26,10 @@ module OneLogin
       end
 
       def create_params(settings, request_id = nil, logout_message = nil, params = {})
-        params = {} if params.nil?
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
 
         response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -40,10 +44,10 @@ module OneLogin
         response_params = {"SAMLResponse" => base64_response}
 
         if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = XMLSecurity::Document::SHA1
+          params['SigAlg']    = settings.security[:signature_method]
           url_string          = "SAMLResponse=#{CGI.escape(base64_response)}"
-          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
-          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
           private_key         = settings.get_sp_key()
           signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
           params['Signature'] = encode(signature)
@@ -86,7 +90,7 @@ module OneLogin
           issuer.text = settings.issuer
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.9.1'
+    VERSION = '0.9.2'
   end
 end

data/lib/ruby-saml.rb

@@ -1,16 +1 @@
-require 'onelogin/ruby-saml/logging'
-require 'onelogin/ruby-saml/saml_message'
-require 'onelogin/ruby-saml/authrequest'
-require 'onelogin/ruby-saml/logoutrequest'
-require 'onelogin/ruby-saml/logoutresponse'
-require 'onelogin/ruby-saml/attributes'
-require 'onelogin/ruby-saml/slo_logoutrequest'
-require 'onelogin/ruby-saml/slo_logoutresponse'
-require 'onelogin/ruby-saml/response'
-require 'onelogin/ruby-saml/settings'
-require 'onelogin/ruby-saml/attribute_service'
-require 'onelogin/ruby-saml/validation_error'
-require 'onelogin/ruby-saml/metadata'
-require 'onelogin/ruby-saml/idp_metadata_parser'
-require 'onelogin/ruby-saml/utils'
-require 'onelogin/ruby-saml/version'
+require 'onelogin/ruby-saml'

data/lib/xml_security.rb

@@ -56,9 +56,10 @@ module XMLSecurity
       algorithm = element
       if algorithm.is_a?(REXML::Element)
         algorithm = element.attribute("Algorithm").value
-        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
       end
 
+      algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
       case algorithm
       when 256 then OpenSSL::Digest::SHA256
       when 384 then OpenSSL::Digest::SHA384
@@ -71,15 +72,25 @@ module XMLSecurity
   end
 
   class Document < BaseDocument
-    SHA1            = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-    SHA256          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
-    SHA512          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    RSA_SHA1            = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    RSA_SHA256            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    RSA_SHA384            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    RSA_SHA512            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
+    SHA256          = "http://www.w3.org/2001/04/xmldsig-more#sha256"
+    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+    SHA512          = "http://www.w3.org/2001/04/xmldsig-more#sha512"
     ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-    INC_PREFIX_LIST = "#default samlp saml ds xs xsi"
+    INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
 
     attr_accessor :uuid
 
+    def uuid
+      @uuid ||= begin
+        document.root.nil? ? nil : document.root.attributes['ID']
+      end
+    end
+
     #<Signature>
       #<SignedInfo>
         #<CanonicalizationMethod />
@@ -95,9 +106,8 @@ module XMLSecurity
       #<KeyInfo />
       #<Object />
     #</Signature>
-    def sign_document(private_key, certificate, signature_method = SHA1, digest_method = SHA1)
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
       noko = Nokogiri.parse(self.to_s)
-      canon_doc = noko.canonicalize(canon_algorithm(C14N))
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
@@ -110,16 +120,19 @@ module XMLSecurity
       # Add Transforms
       transforms_element = reference_element.add_element("ds:Transforms")
       transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
-      transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
-      transforms_element.add_element("ds:InclusiveNamespaces", {"xmlns" => C14N, "PrefixList" => INC_PREFIX_LIST})
+      c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+      c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
 
       digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+      inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+      canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
       noko_sig_element = Nokogiri.parse(signature_element.to_s)
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
+
       signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
       signature_element.add_element("ds:SignatureValue").text = signature
 
@@ -137,7 +150,11 @@ module XMLSecurity
       if issuer_element
         self.root.insert_after issuer_element, signature_element
       else
-        self.root.add_element(signature_element)
+        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          self.root.add_element(signature_element)
+        end
       end
     end
 
@@ -165,7 +182,7 @@ module XMLSecurity
       extract_signed_element_id
     end
 
-    def validate_document(idp_cert_fingerprint, soft = true)
+    def validate_document(idp_cert_fingerprint, soft = true, options = {})
       # get cert from response
       cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
       unless cert_element
@@ -175,13 +192,18 @@ module XMLSecurity
           raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
         end
       end
-      base64_cert  = cert_element.text
-      cert_text    = Base64.decode64(base64_cert)
-      cert         = OpenSSL::X509::Certificate.new(cert_text)
+      base64_cert = cert_element.text
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
 
-      # check cert matches registered idp cert
-      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+      if options[:fingerprint_alg]
+        fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
+      else
+        fingerprint_alg = OpenSSL::Digest::SHA1.new
+      end
+      fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 
+      # check cert matches registered idp cert
       if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
         @errors << "Fingerprint mismatch"
         return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))

data/ruby-saml.gemspec

@@ -26,12 +26,11 @@ Gem::Specification.new do |s|
   s.test_files = `git ls-files test/*`.split("\n")
 
   s.add_runtime_dependency('uuid', '~> 2.3')
-  if RUBY_VERSION < '1.9'
-    # 1.8.7
-    s.add_runtime_dependency('nokogiri', '~> 1.5.10')
-  else
-    s.add_runtime_dependency('nokogiri', '~> 1.6.0')
-  end
+
+  # Because runtime dependencies are determined at build time, we cannot make
+  # Nokogiri's version dependent on the Ruby version, even though we would
+  # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
+  s.add_runtime_dependency('nokogiri', '>= 1.5.10')
 
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')

data/test/idp_metadata_parser_test.rb

@@ -1,6 +1,6 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'net/http'
-require 'net/https'
+
+require 'onelogin/ruby-saml/idp_metadata_parser'
 
 class IdpMetadataParserTest < Minitest::Test
 
@@ -14,9 +14,11 @@ class IdpMetadataParserTest < Minitest::Test
 
       settings = idp_metadata_parser.parse(idp_metadata)
 
+      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
       assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
       assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
     end
   end
 
@@ -37,9 +39,11 @@ class IdpMetadataParserTest < Minitest::Test
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
       settings = idp_metadata_parser.parse_remote(@url)
 
+      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
       assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
       assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
       assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
     end
 

data/test/logoutrequest_test.rb

@@ -1,5 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/logoutrequest'
+
 class RequestTest < Minitest::Test
 
   describe "Logoutrequest" do
@@ -88,7 +90,7 @@ class RequestTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign (embebed) the logout request" do
+    describe "when the settings indicate to sign (embedded) logout request" do
       it "created a signed logout request" do
         settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
@@ -104,6 +106,8 @@ class RequestTest < Minitest::Test
 
         inflated = decode_saml_request_payload(unauth_url)
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
       end
 
       it "create a signed logout request with 256 digest and signature methods" do
@@ -114,7 +118,7 @@ class RequestTest < Minitest::Test
         # sign the logout request
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = true
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
         settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
@@ -123,34 +127,58 @@ class RequestTest < Minitest::Test
         request_xml = Base64.decode64(params["SAMLRequest"])
 
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], request_xml
       end
     end
 
-    describe "when the settings indicate to sign the logout request" do
-      it "create a signature parameter" do
-        settings = OneLogin::RubySaml::Settings.new
-        settings.compress_request = false
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.name_identifier_value = "f00f00"
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = false
-        settings.security[:signature_method] = XMLSecurity::Document::SHA1
-        settings.certificate  = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
+    describe "#create_params when the settings indicate to sign the logout request" do
+      def setup
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.compress_request = false
+        @settings.idp_sso_target_url = "http://example.com?field=value"
+        @settings.name_identifier_value = "f00f00"
+        @settings.security[:logout_requests_signed] = true
+        @settings.security[:embed_sign] = false
+        @settings.certificate  = ruby_saml_cert_text
+        @settings.private_key = ruby_saml_key_text
+        @cert = OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+      end
 
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(@settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
 
-        # signature_method only affects the embedeed signature
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 and validate it" do
+        @settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(@settings, :RelayState => 'http://example.com')
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256 
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string) 
       end
-    end
 
+    end
   end
 end

data/test/logoutresponse_test.rb

@@ -1,5 +1,6 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'rexml/document'
+
+require 'onelogin/ruby-saml/logoutresponse'
 require 'responses/logoutresponse_fixtures'
 
 class RubySamlTest < Minitest::Test

data/test/metadata_test.rb

@@ -1,88 +1,133 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/metadata'
+
 class MetadataTest < Minitest::Test
 
   describe 'Metadata' do
-    def setup
-      @settings = OneLogin::RubySaml::Settings.new
-      @settings.issuer = "https://example.com"
-      @settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-      @settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
-      @settings.security[:authn_requests_signed] = false
+    let(:settings)          { OneLogin::RubySaml::Settings.new }
+    let(:xml_text)          { OneLogin::RubySaml::Metadata.new.generate(settings, false) }
+    let(:xml_doc)           { REXML::Document.new(xml_text) }
+    let(:spsso_descriptor)  { REXML::XPath.first(xml_doc, "//md:SPSSODescriptor") }
+    let(:acs)               { REXML::XPath.first(xml_doc, "//md:AssertionConsumerService") }
+
+    before do
+      settings.issuer = "https://example.com"
+      settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
     end
 
-    it "generates Service Provider Metadata with X509Certificate" do
-      @settings.security[:authn_requests_signed] = true
-      @settings.certificate = ruby_saml_cert_text
+    it "generates Pretty Print Service Provider Metadata" do
+      xml_text = OneLogin::RubySaml::Metadata.new.generate(settings, true)
+      # assert correct xml declaration
+      start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
+      assert_equal xml_text[0..start.length-1],start
 
-      xml_text = OneLogin::RubySaml::Metadata.new.generate(@settings)
+      assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
 
-      # assert xml_text can be parsed into an xml doc
-      xml_doc = REXML::Document.new(xml_text)
+      assert_equal "urn:oasis:names:tc:SAML:2.0:protocol", spsso_descriptor.attribute("protocolSupportEnumeration").value
+      assert_equal "false", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
 
-      spsso_descriptor = REXML::XPath.first(xml_doc, "//md:SPSSODescriptor")
-      assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
 
-      cert_node = REXML::XPath.first(xml_doc, "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", {
-        "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
-        "ds" => "http://www.w3.org/2000/09/xmldsig#"
-      })
-      cert_text = cert_node.text
-      cert = OpenSSL::X509::Certificate.new(Base64.decode64(cert_text))
-      assert_equal ruby_saml_cert.to_der, cert.to_der
+      assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
+      assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value      
     end
 
     it "generates Service Provider Metadata" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.issuer = "https://example.com"
-      settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-      settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
-      settings.security[:authn_requests_signed] = false
-
-      xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
-
       # assert correct xml declaration
-      start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
-      assert xml_text[0..start.length-1] == start
-
-      # assert xml_text can be parsed into an xml doc
-      xml_doc = REXML::Document.new(xml_text)
+      start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
+      assert_equal xml_text[0..start.length-1], start
 
       assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
 
-      spsso_descriptor = REXML::XPath.first(xml_doc, "//md:SPSSODescriptor")
       assert_equal "urn:oasis:names:tc:SAML:2.0:protocol", spsso_descriptor.attribute("protocolSupportEnumeration").value
       assert_equal "false", spsso_descriptor.attribute("AuthnRequestsSigned").value
       assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
 
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
 
-      acs = REXML::XPath.first(xml_doc, "//md:AssertionConsumerService")
       assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
       assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
     end
 
-    it "generates attribute service if configured" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.issuer = "https://example.com"
-      settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-      settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
-      settings.attribute_consuming_service.configure do
-        service_name "Test Service"
-        add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value")
+    describe "when auth requests are signed" do
+      let(:cert_node) do
+        REXML::XPath.first(
+          xml_doc,
+          "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        )
+      end
+      let(:cert)  { OpenSSL::X509::Certificate.new(Base64.decode64(cert_node.text)) }
+
+      before do
+        settings.security[:authn_requests_signed] = true
+        settings.certificate = ruby_saml_cert_text
       end
 
-      xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
-      xml_doc = REXML::Document.new(xml_text)
-      acs = REXML::XPath.first(xml_doc, "//md:AttributeConsumingService")
-      assert_equal "true", acs.attribute("isDefault").value
-      assert_equal "1", acs.attribute("index").value
-      assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
-      req_attr = REXML::XPath.first(xml_doc, "//md:RequestedAttribute")
-      assert_equal "Name", req_attr.attribute("Name").value
-      assert_equal "Name Format", req_attr.attribute("NameFormat").value
-      assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
-      assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//md:AttributeValue").text.strip
+      it "generates Service Provider Metadata with X509Certificate" do
+        assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+        assert_equal ruby_saml_cert.to_der, cert.to_der
+      end
+    end
+
+    describe "when attribute service is configured" do
+      let(:attr_svc)  { REXML::XPath.first(xml_doc, "//md:AttributeConsumingService") }
+      let(:req_attr)  { REXML::XPath.first(xml_doc, "//md:RequestedAttribute") }
+
+      before do
+        settings.attribute_consuming_service.configure do
+          service_name "Test Service"
+          add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value")
+        end
+      end
+
+      it "generates attribute service" do
+        assert_equal "true", attr_svc.attribute("isDefault").value
+        assert_equal "1", attr_svc.attribute("index").value
+        assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
+
+        assert_equal "Name", req_attr.attribute("Name").value
+        assert_equal "Name Format", req_attr.attribute("NameFormat").value
+        assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
+        assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//md:AttributeValue").text.strip
+      end
+    end
+
+    describe "when the settings indicate to sign (embedded) metadata" do
+      before do
+        settings.security[:metadata_signed] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+
+      it "creates a signed metadata" do
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
+        signed_metadata = XMLSecurity::SignedDocument.new(xml_text)
+        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)        
+      end
+
+      describe "when digest and signature methods are specified" do
+        before do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+          settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        end
+
+        it "creates a signed metadata with specified digest and signature methods" do
+          assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+          assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
+          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], xml_text
+
+          signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
+
+          assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)          
+        end
+      end
     end
   end
 end