From bd172b35d419995207c31649da21ddc8f566ed32 Mon Sep 17 00:00:00 2001
From: Guru Khalsa
Date: Thu, 28 Jun 2018 15:12:19 -0700
Subject: [PATCH 1/3] Revert "#194 Publish KeyDescriptor[use=encryption] only when required"
This reverts commit 3d9245ab21477a7d1b5a6013ba7f1e6bfb295b3f.
Conflicts: src/onelogin/saml2/metadata.py
---
 src/onelogin/saml2/metadata.py | 20 ++++++--------
 src/onelogin/saml2/settings.py | 6 ++---
 .../src/OneLogin/saml2_tests/settings_test.py | 26 ++-----------------
 3 files changed, 12 insertions(+), 40 deletions(-)
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 212c0e95..11adbf49 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -227,7 +227,7 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R
 return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)
 @staticmethod
- def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
+ def add_x509_key_descriptors(metadata, cert=None):
 """
 Adds the x509 descriptors (sign/encryption) to the metadata
 The same cert will be used for sign/encrypt
@@ -238,9 +238,6 @@ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
 :param cert: x509 cert
 :type cert: string
- :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
- :type add_encryption: boolean
-
 :returns: Metadata with KeyDescriptors
 :rtype: string
 """
@@ -268,18 +265,17 @@ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
 sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0]
 sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
- if add_encryption:
- sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
 signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
 signing.setAttribute('use', 'signing')
+
+ encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
+ encryption.setAttribute('use', 'encryption')
+
 signing.appendChild(key_info)
- signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ encryption.appendChild(key_info.cloneNode(True))
- if add_encryption:
- encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
- encryption.setAttribute('use', 'encryption')
- encryption.appendChild(key_info.cloneNode(True))
- encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
 return xml.toxml()
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index f3c53be1..de3200c9 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
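Review bot: The conflict resolution in this revert leaves only one `sp_sso_descriptor.insertBefore(...)` on the new side (the second call vanishes together with the removed `if add_encryption:` block), yet the new code still reads `xml.getElementsByTagName('md:KeyDescriptor')[1]`, so the first call that adds descriptors to a document with no prior KeyDescriptor elements raises IndexError. The unconditional second clone insertion has to come back alongside the unconditional encryption handling, i.e. a second `sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)` directly after the first. Patch 3/3 of this series reverts this commit and restores both insertions, so the end state of the series is fine, but this commit leaves a broken intermediate revision; squashing patches 1 and 3 out of the series would keep the history bisectable. The settings.py and settings_test.py hunks of this commit are undone by patch 3/3 in the same way. add_x509_key_descriptors starts before this hunk.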
@@ -622,13 +622,11 @@ def get_sp_metadata(self):
 self.get_contacts(),
 self.get_organization()
 )
- add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
-
 cert_new = self.get_sp_cert_new()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new)
 cert = self.get_sp_cert()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
 # Sign metadata
 if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 4b79715d..bca6de7a 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -341,10 +341,7 @@ def testGetSPMetadata(self):
 Tests the getSPMetadata method of the OneLogin_Saml2_Settings
 Case unsigned metadata
 """
- settings_info = self.loadSettingsJSON()
- settings_info['security']['wantNameIdEncrypted'] = False
- settings_info['security']['wantAssertionsEncrypted'] = False
- settings = OneLogin_Saml2_Settings(settings_info)
+ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 metadata = settings.get_sp_metadata()
 self.assertNotEqual(len(metadata), 0)
@@ -355,14 +352,6 @@ def testGetSPMetadata(self):
 self.assertIn('', metadata)
 self.assertIn('', metadata)
 self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata)
- self.assertEquals(1, metadata.count('
Date: Thu, 28 Jun 2018 15:25:00 -0700
Subject: [PATCH 2/3] add setup info
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 setup.py
diff --git a/setup.py b/setup.py
old mode 100644
new mode 100755
index e5598ec3..1d76876b
--- a/setup.py
+++ b/setup.py
@@ -10,7 +10,7 @@ setup(
 name='python-saml',
 version='2.4.1',
- description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
+ description='Modified by Zoomforth. Onelogin Python Toolkit. Add SAML support to your Python software using this library',
 classifiers=[
 'Development Status :: 5 - Production/Stable',
 'Intended Audience :: Developers',
From ec4160c3db9dbdda00fa62ce66bf09bc1deda8aa Mon Sep 17 00:00:00 2001
From: Guru Khalsa
Date: Thu, 28 Jun 2018 16:28:43 -0700
Subject: [PATCH 3/3] Revert "Revert "#194 Publish KeyDescriptor[use=encryption] only when required""
This reverts commit bd172b35d419995207c31649da21ddc8f566ed32.
---
 src/onelogin/saml2/metadata.py | 20 ++++++------
 src/onelogin/saml2/settings.py | 6 +++--
 .../src/OneLogin/saml2_tests/settings_test.py | 26 +++++++++++++++++--
 3 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 11adbf49..212c0e95 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -227,7 +227,7 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R
 return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)
 @staticmethod
- def add_x509_key_descriptors(metadata, cert=None):
+ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
 """
 Adds the x509 descriptors (sign/encryption) to the metadata
 The same cert will be used for sign/encrypt
@@ -238,6 +238,9 @@ def add_x509_key_descriptors(metadata, cert=None):
 :param cert: x509 cert
 :type cert: string
+ :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
+ :type add_encryption: boolean
+
 :returns: Metadata with KeyDescriptors
 :rtype: string
 """
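Review bot: The new description announces the package as `Modified by Zoomforth.` while the surrounding context keeps `name='python-saml'` and `version='2.4.1'`, so a build of this fork is indistinguishable from upstream python-saml 2.4.1 by name and version, and a resolver, lockfile or vulnerability scanner will treat it as the upstream release. If the fork is ever installed from an index or a built wheel rather than from a pinned git URL, give it a distinct distribution name or at least a PEP 440 local version label, e.g. `version='2.4.1+zoomforth'` (example value), so the modified code can be told apart from upstream. The mode change to 100755 in the same commit looks unrelated to the description edit and is not needed for a setup.py that is run via the interpreter.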
@@ -265,17 +268,18 @@ def add_x509_key_descriptors(metadata, cert=None):
 sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0]
 sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
+ if add_encryption:
+ sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
 signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
 signing.setAttribute('use', 'signing')
-
- encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
- encryption.setAttribute('use', 'encryption')
-
 signing.appendChild(key_info)
- encryption.appendChild(key_info.cloneNode(True))
-
 signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
- encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+
+ if add_encryption:
+ encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
+ encryption.setAttribute('use', 'encryption')
+ encryption.appendChild(key_info.cloneNode(True))
+ encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
 return xml.toxml()
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index de3200c9..f3c53be1 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -622,11 +622,13 @@ def get_sp_metadata(self):
 self.get_contacts(),
 self.get_organization()
 )
+ add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
+
 cert_new = self.get_sp_cert_new()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)
 cert = self.get_sp_cert()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)
 # Sign metadata
 if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
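Review bot: The positional lookups `xml.getElementsByTagName('md:KeyDescriptor')[0]` and `[1]` only pick the descriptors this call created because both clones are inserted before `sp_sso_descriptor.firstChild`, which places them ahead of any KeyDescriptor already in the document (settings.py calls this method twice, for cert_new and then cert); nothing in the restored code states that invariant. A comment above the `signing =` line such as `# Both clones were inserted before firstChild, so the descriptors added by this call are always at index 0 (and 1 when add_encryption) even if the metadata already carries KeyDescriptors from an earlier call.` would make the coupling between the insertion order and the index lookups explicit. Keeping a reference to each inserted clone instead of re-querying by index would remove the coupling and let the two `if add_encryption:` blocks merge, but that is a restructuring beyond this revert. add_x509_key_descriptors starts before this hunk.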
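Review bot: `self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']` indexes the security dict directly, whereas the `signMetadata` check a few lines below first guards with `'signMetadata' in self.__security`; if the constructor does not guarantee defaults for both keys, a settings dict that omits either one makes get_sp_metadata raise KeyError instead of producing metadata. `add_encryption = self.__security.get('wantNameIdEncrypted', False) or self.__security.get('wantAssertionsEncrypted', False)` would follow the defensive style of the neighbouring check and, consistent with the flag's meaning, omit the encryption KeyDescriptor when neither setting asks for encryption. get_sp_metadata continues outside the hunk.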
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index bca6de7a..4b79715d 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -341,7 +341,10 @@ def testGetSPMetadata(self):
 Tests the getSPMetadata method of the OneLogin_Saml2_Settings
 Case unsigned metadata
 """
- settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+ settings_info = self.loadSettingsJSON()
+ settings_info['security']['wantNameIdEncrypted'] = False
+ settings_info['security']['wantAssertionsEncrypted'] = False
+ settings = OneLogin_Saml2_Settings(settings_info)
 metadata = settings.get_sp_metadata()
 self.assertNotEqual(len(metadata), 0)
@@ -352,6 +355,14 @@ def testGetSPMetadata(self):
 self.assertIn('', metadata)
 self.assertIn('', metadata)
 self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata)
+ self.assertEquals(1, metadata.count('
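Review bot: The first hunk forces both `wantNameIdEncrypted` and `wantAssertionsEncrypted` to False, so testGetSPMetadata now exercises only the path in which the encryption KeyDescriptor is omitted; unless the second hunk (cut off at the end of this excerpt) adds it, a companion case that leaves one of the two flags True and asserts that two KeyDescriptor elements are emitted would keep the `add_encryption=True` branch of add_x509_key_descriptors covered. A short comment above the two assignments, e.g. `# Disable both encryption settings so only the signing KeyDescriptor is published.`, would tell a reader why the loaded settings are being overridden. testGetSPMetadata continues outside the hunk.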