

#194 Publish KeyDescriptor[use=encryption] only when required
pitbulk committed May 18, 2017
1 parent a2fb87e commit 3d9245a
Showing 3 changed files with 41 additions and 14 deletions.
21 changes: 12 additions & 9 deletions src/onelogin/saml2/metadata.py
Expand Up @@ -227,7 +227,7 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R
return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)

@staticmethod
def add_x509_key_descriptors(metadata, cert=None):
def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
"""
Adds the x509 descriptors (sign/encryption) to the metadata
The same cert will be used for sign/encrypt
Expand All @@ -238,6 +238,9 @@ def add_x509_key_descriptors(metadata, cert=None):
:param cert: x509 cert
:type cert: string
:param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
:type add_encryption: boolean
:returns: Metadata with KeyDescriptors
:rtype: string
"""
Expand Down Expand Up @@ -265,18 +268,18 @@ def add_x509_key_descriptors(metadata, cert=None):

sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0]
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
if add_encryption:
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)

signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
signing.setAttribute('use', 'signing')

encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
encryption.setAttribute('use', 'encryption')

signing.appendChild(key_info)
encryption.appendChild(key_info.cloneNode(True))

signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)

if add_encryption:
encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
encryption.setAttribute('use', 'encryption')
encryption.appendChild(key_info.cloneNode(True))
encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)

return xml.toxml()
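Review bot: The docstring line `The same cert will be used for sign/encrypt` is now only conditionally true, because the encryption descriptor is emitted only when add_encryption is set; suggest `The same cert is used for signing and, when add_encryption is True, is also published with use="encryption".` The `[0]`/`[1]` lookups on `xml.getElementsByTagName('md:KeyDescriptor')` are correct only because the clones were inserted before firstChild and therefore sit at the front of the document-wide list even when this function is called a second time with another cert; a one-line comment stating that invariant would protect the indexing from a later switch to appendChild, e.g. `# fresh clones sit at index 0/1 because they were inserted before firstChild`. The middle of add_x509_key_descriptors, between the two hunks, is not shown here.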
6 changes: 4 additions & 2 deletions src/onelogin/saml2/settings.py
Expand Up @@ -619,11 +619,13 @@ def get_sp_metadata(self):
self.get_contacts(), self.get_organization()
)

add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']

cert_new = self.get_sp_cert_new()
metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new)
metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)

cert = self.get_sp_cert()
metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)

# Sign metadata
if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
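Review bot: `self.__security['wantNameIdEncrypted']` and `self.__security['wantAssertionsEncrypted']` are indexed directly on the new line, while `signMetadata` two lines below is guarded with `in`; unless the settings loader is known to fill defaults for both keys (not visible here), a settings dict without them raises KeyError while building metadata, so `add_encryption = self.__security.get('wantNameIdEncrypted', False) or self.__security.get('wantAssertionsEncrypted', False)` is safer and consistent with the existing guard. Passing the flag by keyword at both call sites, `add_x509_key_descriptors(metadata, cert, add_encryption=add_encryption)`, would also make the trailing boolean readable. get_sp_metadata starts before and ends after this hunk.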
28 changes: 25 additions & 3 deletions tests/src/OneLogin/saml2_tests/settings_test.py
Expand Up @@ -341,7 +341,10 @@ def testGetSPMetadata(self):
Tests the getSPMetadata method of the OneLogin_Saml2_Settings
Case unsigned metadata
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
settings_info = self.loadSettingsJSON()
settings_info['security']['wantNameIdEncrypted'] = False
settings_info['security']['wantAssertionsEncrypted'] = False
settings = OneLogin_Saml2_Settings(settings_info)
metadata = settings.get_sp_metadata()

self.assertNotEqual(len(metadata), 0)
Expand All @@ -352,20 +355,39 @@ def testGetSPMetadata(self):
self.assertIn('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>', metadata)
self.assertIn('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>', metadata)
self.assertIn('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', metadata)
self.assertEquals(1, metadata.count('<md:KeyDescriptor'))
self.assertEquals(1, metadata.count('<md:KeyDescriptor use="signing"'))
self.assertEquals(0, metadata.count('<md:KeyDescriptor use="encryption"'))

settings_info['security']['wantNameIdEncrypted'] = False
settings_info['security']['wantAssertionsEncrypted'] = True
settings = OneLogin_Saml2_Settings(settings_info)
metadata = settings.get_sp_metadata()
self.assertEquals(2, metadata.count('<md:KeyDescriptor'))
self.assertEquals(1, metadata.count('<md:KeyDescriptor use="signing"'))
self.assertEquals(1, metadata.count('<md:KeyDescriptor use="encryption"'))
self.assertEquals(1, metadata.count('<md:KeyDescriptor use="encryption"'))

def testGetSPMetadataWithx509certNew(self):
"""
Tests the getSPMetadata method of the OneLogin_Saml2_Settings
Case with x509certNew
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings7.json'))
settings_info = self.loadSettingsJSON('settings7.json')
settings_info['security']['wantNameIdEncrypted'] = False
settings_info['security']['wantAssertionsEncrypted'] = False
settings = OneLogin_Saml2_Settings(settings_info)
metadata = settings.get_sp_metadata()

self.assertNotEqual(len(metadata), 0)
self.assertIn('<md:SPSSODescriptor', metadata)
self.assertEquals(2, metadata.count('<md:KeyDescriptor'))
self.assertEquals(2, metadata.count('<md:KeyDescriptor use="signing"'))
self.assertEquals(0, metadata.count('<md:KeyDescriptor use="encryption"'))

settings_info['security']['wantNameIdEncrypted'] = True
settings_info['security']['wantAssertionsEncrypted'] = False
settings = OneLogin_Saml2_Settings(settings_info)
metadata = settings.get_sp_metadata()
self.assertEquals(4, metadata.count('<md:KeyDescriptor'))
self.assertEquals(2, metadata.count('<md:KeyDescriptor use="signing"'))
self.assertEquals(2, metadata.count('<md:KeyDescriptor use="encryption"'))
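Review bot: The assertion `self.assertEquals(1, metadata.count('<md:KeyDescriptor use="encryption"'))` appears twice in a row at the end of testGetSPMetadata; drop the duplicate. The variants exercised (only wantAssertionsEncrypted true in one test, only wantNameIdEncrypted true in the other) leave the both-flags-true case unpinned, so one more variant with both set to True asserting a single `use="encryption"` descriptor would cover the `or` in get_sp_metadata. testGetSPMetadataWithx509certNew may continue past the end of this hunk.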
