Merge pull request #367 from PagerDuty/IMS-141-separate-signing-encryption

Add separate :want_assertions_encrypted flag to settings.security

Author: pitbulk

lib/onelogin/ruby-saml/metadata.rb

@@ -42,11 +42,13 @@ def generate(settings, pretty_print=false)
           xc = xd.add_element "ds:X509Certificate"
           xc.text = cert_text
 
-          kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-          ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd2 = ki2.add_element "ds:X509Data"
-          xc2 = xd2.add_element "ds:X509Certificate"
-          xc2.text = cert_text
+          if settings.security[:want_assertions_encrypted]
+            kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+            ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd2 = ki2.add_element "ds:X509Data"
+            xc2 = xd2.add_element "ds:X509Certificate"
+            xc2.text = cert_text
+          end
         end
 
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid

test/metadata_test.rb

@@ -89,7 +89,7 @@ class MetadataTest < Minitest::Test
       end
     end
 
-    describe "when auth requests are signed" do
+    describe "with a sign/encrypt certificate" do
       let(:key_descriptors) do
         REXML::XPath.match(
           xml_doc,
@@ -111,24 +111,42 @@ class MetadataTest < Minitest::Test
         settings.certificate = ruby_saml_cert_text
       end
 
-      it "generates Service Provider Metadata with AuthnRequestsSigned" do
-        settings.security[:authn_requests_signed] = true
-        assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      it "generates Service Provider Metadata with X509Certificate for sign" do
+        assert_equal 1, key_descriptors.length
+        assert_equal "signing", key_descriptors[0].attribute("use").value
+
+        assert_equal 1, cert_nodes.length
         assert_equal ruby_saml_cert.to_der, cert.to_der
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
 
-      it "generates Service Provider Metadata with X509Certificate for sign and encrypt" do
-        assert_equal 2, key_descriptors.length
-        assert_equal "signing", key_descriptors[0].attribute("use").value
-        assert_equal "encryption", key_descriptors[1].attribute("use").value
+      describe "and signed authentication requests" do
+        before do
+          settings.security[:authn_requests_signed] = true
+        end
 
-        assert_equal 2, cert_nodes.length
-        assert_equal ruby_saml_cert.to_der, cert.to_der
-        assert_equal cert_nodes[0].text, cert_nodes[1].text
+        it "generates Service Provider Metadata with AuthnRequestsSigned" do
+          assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+          assert_equal ruby_saml_cert.to_der, cert.to_der
 
-        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+
+      describe "and encrypted assertions" do
+        before do
+          settings.security[:want_assertions_encrypted] = true
+        end
+
+        it "generates Service Provider Metadata with X509Certificate for encrypt" do
+          assert_equal 2, key_descriptors.length
+          assert_equal "encryption", key_descriptors[1].attribute("use").value
+
+          assert_equal 2, cert_nodes.length
+          assert_equal cert_nodes[0].text, cert_nodes[1].text
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
       end
     end