Publish KeyDescriptor[use=encryption] only when required

pitbulk · pitbulk · commit ec4f4ab6f8ed · 2017-05-18T12:35:22.000+02:00
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
@@ -229,7 +229,7 @@ def __add_x509_key_descriptors(root, cert, signing):
         key_descriptor.set('use', ('encryption', 'signing')[signing])
 
     @staticmethod
-    def add_x509_key_descriptors(metadata, cert=None):
+    def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
         """
         Adds the x509 descriptors (sign/encryption) to the metadata
         The same cert will be used for sign/encrypt
@@ -240,6 +240,9 @@ def add_x509_key_descriptors(metadata, cert=None):
         :param cert: x509 cert
         :type cert: string
 
+        :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
+        :type add_encryption: boolean
+
         :returns: Metadata with KeyDescriptors
         :rtype: string
         """
@@ -256,6 +259,7 @@ def add_x509_key_descriptors(metadata, cert=None):
         except StopIteration:
             raise Exception('Malformed metadata.')
 
-        OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, False)
+        if add_encryption:
+            OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, False)
         OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, True)
         return OneLogin_Saml2_XML.to_string(root)
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
@@ -617,11 +617,13 @@ def get_sp_metadata(self):
             self.get_contacts(), self.get_organization()
         )
 
+        add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
+
         cert_new = self.get_sp_cert_new()
-        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new)
+        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)
 
         cert = self.get_sp_cert()
-        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
+        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)
 
         # Sign metadata
         if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -399,7 +399,10 @@ def testGetSPMetadata(self):
         Tests the getSPMetadata method of the OneLogin_Saml2_Settings
         Case unsigned metadata
         """
-        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        settings_info = self.loadSettingsJSON()
+        settings_info['security']['wantNameIdEncrypted'] = False
+        settings_info['security']['wantAssertionsEncrypted'] = False
+        settings = OneLogin_Saml2_Settings(settings_info)
         metadata = compat.to_string(settings.get_sp_metadata())
 
         self.assertNotEqual(len(metadata), 0)
@@ -410,6 +413,14 @@ def testGetSPMetadata(self):
         self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>', metadata)
         self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>', metadata)
         self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', metadata)
+        self.assertEqual(1, metadata.count('<md:KeyDescriptor'))
+        self.assertEqual(1, metadata.count('<md:KeyDescriptor use="signing"'))
+        self.assertEqual(0, metadata.count('<md:KeyDescriptor use="encryption"'))
+
+        settings_info['security']['wantNameIdEncrypted'] = False
+        settings_info['security']['wantAssertionsEncrypted'] = True
+        settings = OneLogin_Saml2_Settings(settings_info)
+        metadata = compat.to_string(settings.get_sp_metadata())
         self.assertEqual(2, metadata.count('<md:KeyDescriptor'))
         self.assertEqual(1, metadata.count('<md:KeyDescriptor use="signing"'))
         self.assertEqual(1, metadata.count('<md:KeyDescriptor use="encryption"'))
@@ -419,11 +430,21 @@ def testGetSPMetadataWithx509certNew(self):
         Tests the getSPMetadata method of the OneLogin_Saml2_Settings
         Case with x509certNew
         """
-        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings7.json'))
+        settings_info = self.loadSettingsJSON('settings7.json')
+        settings_info['security']['wantNameIdEncrypted'] = False
+        settings_info['security']['wantAssertionsEncrypted'] = False
+        settings = OneLogin_Saml2_Settings(settings_info)
         metadata = compat.to_string(settings.get_sp_metadata())
-
         self.assertNotEqual(len(metadata), 0)
         self.assertIn('<md:SPSSODescriptor', metadata)
+        self.assertEquals(2, metadata.count('<md:KeyDescriptor'))
+        self.assertEquals(2, metadata.count('<md:KeyDescriptor use="signing"'))
+        self.assertEquals(0, metadata.count('<md:KeyDescriptor use="encryption"'))
+
+        settings_info['security']['wantNameIdEncrypted'] = True
+        settings_info['security']['wantAssertionsEncrypted'] = False
+        settings = OneLogin_Saml2_Settings(settings_info)
+        metadata = settings.get_sp_metadata()
         self.assertEqual(4, metadata.count('<md:KeyDescriptor'))
         self.assertEqual(2, metadata.count('<md:KeyDescriptor use="signing"'))
         self.assertEqual(2, metadata.count('<md:KeyDescriptor use="encryption"'))
