Merge branch 'cloudPWR-enhancement/issue102_encryption_is_enabled_in_…

…the_metadata_even_though_its_disabled'

docs/Saml2/classes/OneLogin_Saml2_Metadata.html

@@ -260,7 +260,7 @@ <h3>Response</h3>
                         <div class="element clickable method public  method_addX509KeyDescriptors" data-toggle="collapse" data-target=".method_addX509KeyDescriptors .collapse">
                             <h2>Adds the x509 descriptors (sign/encriptation) to the metadata
 The same cert will be used for sign/encrypt</h2>
-                            <pre>addX509KeyDescriptors(string $metadata, string $cert) : string</pre>
+                            <pre>addX509KeyDescriptors(string $metadata, string $cert, boolean $wantsEncrypted) : string</pre>
                             <div class="labels">
                                                                 <span class="label">static</span>                                                                                                                            </div>
                             <div class="row collapse">
@@ -286,6 +286,10 @@ <h4>$metadata</h4>
                                                 <h4>$cert</h4>
                                                 <code>string</code><p><p>x509 cert</p></p>
                                             </div>
+                                            <div class="subelement argument">
+                                                <h4>$wantsEncrypted</h4>
+                                                <code>boolean</code><p><p>Whether to include the KeyDescriptor for encryption</p></p>
+                                            </div>
 
                                                                             <h3>Response</h3>
                                         <code>string</code><p><p>Metadata with KeyDescriptors</p></p>

lib/Saml2/Metadata.php

@@ -133,10 +133,11 @@ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XML
      *
      * @param string $metadata SAML Metadata XML
      * @param string $cert     x509 cert
+     * @param boolean $wantsEncrypted Whether to include the KeyDescriptor for encryption
      *
      * @return string Metadata with KeyDescriptors
      */
-    public static function addX509KeyDescriptors($metadata, $cert)
+    public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted = true)
     {
         $xml = new DOMDocument();
         $xml->preserveWhiteSpace = false;
@@ -163,16 +164,20 @@ public static function addX509KeyDescriptors($metadata, $cert)
 
         $SPSSODescriptor = $xml->getElementsByTagName('SPSSODescriptor')->item(0);
         $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild);
-        $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild);
+        if ($wantsEncrypted === true) {
+            $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild);
+        }
 
         $signing = $xml->getElementsByTagName('KeyDescriptor')->item(0);
         $signing->setAttribute('use', 'signing');
+        $signing->appendChild($keyInfo);
 
-        $encryption = $xml->getElementsByTagName('KeyDescriptor')->item(1);
-        $encryption->setAttribute('use', 'encryption');
+        if ($wantsEncrypted === true) {
+            $encryption = $xml->getElementsByTagName('KeyDescriptor')->item(1);
+            $encryption->setAttribute('use', 'encryption');
 
-        $signing->appendChild($keyInfo);
-        $encryption->appendChild($keyInfo->cloneNode(true));
+            $encryption->appendChild($keyInfo->cloneNode(true));
+        }
 
         return $xml->saveXML();
     }

lib/Saml2/Settings.php

@@ -671,7 +671,11 @@ public function getSPMetadata()
         $cert = $this->getSPcert();
 
         if (!empty($cert)) {
-            $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert);
+            $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors(
+                $metadata,
+                $cert,
+                $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']
+            );
         }
 
         //Sign Metadata

tests/src/OneLogin/Saml2/MetadataTest.php

@@ -132,6 +132,16 @@ public function testAddX509KeyDescriptors()
         $this->assertContains('<md:KeyDescriptor use="signing"', $metadataWithDescriptors);
         $this->assertContains('<md:KeyDescriptor use="encryption"', $metadataWithDescriptors);
 
+        $metadataWithDescriptors = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, false);
+
+        $this->assertContains('<md:KeyDescriptor use="signing"', $metadataWithDescriptors);
+        $this->assertNotContains('<md:KeyDescriptor use="encryption"', $metadataWithDescriptors);
+
+        $metadataWithDescriptors = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, 'foobar');
+
+        $this->assertContains('<md:KeyDescriptor use="signing"', $metadataWithDescriptors);
+        $this->assertNotContains('<md:KeyDescriptor use="encryption"', $metadataWithDescriptors);
+
         try {
             $signedMetadata2 = OneLogin_Saml2_Metadata::addX509KeyDescriptors('', $cert);
             $this->assertFalse(true);