Add separate :want_assertions_encrypted flag to settings.security

irvingreid · irvingreid · commit 0a25d2740fb0 · 2017-01-04T10:28:51.000-05:00
diff --git a/lib/onelogin/ruby-saml/metadata.rb b/lib/onelogin/ruby-saml/metadata.rb
@@ -36,17 +36,23 @@ def generate(settings, pretty_print=false)
         cert = settings.get_sp_cert
         if cert
           cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
-          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
-          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd = ki.add_element "ds:X509Data"
-          xc = xd.add_element "ds:X509Certificate"
-          xc.text = cert_text
 
-          kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-          ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd2 = ki2.add_element "ds:X509Data"
-          xc2 = xd2.add_element "ds:X509Certificate"
-          xc2.text = cert_text
+          if settings.security[:authn_requests_signed]
+            cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+            kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+            ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd = ki.add_element "ds:X509Data"
+            xc = xd.add_element "ds:X509Certificate"
+            xc.text = cert_text
+          end
+
+          if settings.security[:want_assertions_encrypted]
+            kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+            ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd2 = ki2.add_element "ds:X509Data"
+            xc2 = xd2.add_element "ds:X509Certificate"
+            xc2.text = cert_text
+          end
         end
 
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
diff --git a/test/metadata_test.rb b/test/metadata_test.rb
@@ -89,7 +89,7 @@ class MetadataTest < Minitest::Test
       end
     end
 
-    describe "when auth requests are signed" do
+    describe "with a sign/encrypt certificate" do
       let(:key_descriptors) do
         REXML::XPath.match(
           xml_doc,
@@ -111,24 +111,43 @@ class MetadataTest < Minitest::Test
         settings.certificate = ruby_saml_cert_text
       end
 
-      it "generates Service Provider Metadata with AuthnRequestsSigned" do
-        settings.security[:authn_requests_signed] = true
-        assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
-        assert_equal ruby_saml_cert.to_der, cert.to_der
+      describe "and signed authentication requests" do
+        before do
+          settings.security[:authn_requests_signed] = true
+        end
 
-        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        it "generates Service Provider Metadata with AuthnRequestsSigned" do
+          assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+          assert_equal ruby_saml_cert.to_der, cert.to_der
+
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+
+        it "generates Service Provider Metadata with X509Certificate for sign" do
+          assert_equal 1, key_descriptors.length
+          assert_equal "signing", key_descriptors[0].attribute("use").value
+
+          assert_equal 1, cert_nodes.length
+          assert_equal ruby_saml_cert.to_der, cert.to_der
+
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
       end
 
-      it "generates Service Provider Metadata with X509Certificate for sign and encrypt" do
-        assert_equal 2, key_descriptors.length
-        assert_equal "signing", key_descriptors[0].attribute("use").value
-        assert_equal "encryption", key_descriptors[1].attribute("use").value
+      describe "and encrypted assertions" do
+        before do
+          settings.security[:want_assertions_encrypted] = true
+        end
+
+        it "generates Service Provider Metadata with X509Certificate for encrypt" do
+          assert_equal 1, key_descriptors.length
+          assert_equal "encryption", key_descriptors[0].attribute("use").value
 
-        assert_equal 2, cert_nodes.length
-        assert_equal ruby_saml_cert.to_der, cert.to_der
-        assert_equal cert_nodes[0].text, cert_nodes[1].text
+          assert_equal 1, cert_nodes.length
+          assert_equal ruby_saml_cert.to_der, cert.to_der
 
-        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
       end
     end
 
