Never cache metadata when protect.metadata is set to true

tvdijen · tvdijen · commit 79ce63763bff · 2024-02-02T22:22:20.000+01:00
diff --git a/modules/saml/src/Controller/Metadata.php b/modules/saml/src/Controller/Metadata.php
@@ -73,7 +73,8 @@ public function metadata(Request $request): Response
         }
 
         // check if valid local session exists
-        if ($this->config->getOptionalBoolean('admin.protectmetadata', false)) {
+        $protectedMetadata = $this->config->getOptionalBoolean('admin.protectmetadata', false);
+        if ($protectedMetadata) {
             $response = $this->authUtils->requireAdmin();
             if ($response instanceof Response) {
                 return $response;
@@ -99,7 +100,12 @@ public function metadata(Request $request): Response
 
             $response = new Response();
             $response->setEtag(hash('sha256', $metaxml));
-            $response->setPublic();
+            $response->setCache([
+                'no_cache' => $protectedMetadata === true,
+                'public' => $protectedMetadata === false,
+                'private' => $protectedMetadata === true,
+            ]);
+
             if ($response->isNotModified($request)) {
                 return $response;
             }
diff --git a/modules/saml/src/Controller/ServiceProvider.php b/modules/saml/src/Controller/ServiceProvider.php
@@ -601,7 +601,8 @@ public function singleLogoutService(Request $request, string $sourceId): Respons
      */
     public function metadata(Request $request, string $sourceId): Response
     {
-        if ($this->config->getOptionalBoolean('admin.protectmetadata', false)) {
+        $protectedMetadata = $this->config->getOptionalBoolean('admin.protectmetadata', false);
+        if ($protectedMetadata) {
             $response = $this->authUtils->requireAdmin();
             if ($response instanceof Response) {
                 return $response;
@@ -643,7 +644,12 @@ public function metadata(Request $request, string $sourceId): Response
 
         $response = new Response();
         $response->setEtag(hash('sha256', $metaxml));
-        $response->setPublic();
+        $response->setCache([
+            'no_cache' => $protectedMetadata === true,
+            'public' => $protectedMetadata === false,
+            'private' => $protectedMetadata === true,
+        ]);
+
         if ($response->isNotModified($request)) {
             return $response;
         }
diff --git a/tests/modules/saml/src/Controller/MetadataTest.php b/tests/modules/saml/src/Controller/MetadataTest.php
@@ -161,6 +161,12 @@ public function testMetadataAccess(bool $authenticated, bool $protected): void
         $result = $c->metadata($request);
 
         $this->assertInstanceOf(Response::class, $result);
+
+        if ($protected === true) {
+            $this->assertEquals('no-cache, private', $result->headers->get('cache-control'));
+        } else {
+            $this->assertEquals('public', $result->headers->get('cache-control'));
+        }
     }
 
     public static function provideMetadataAccess(): array
diff --git a/tests/modules/saml/src/Controller/ServiceProviderTest.php b/tests/modules/saml/src/Controller/ServiceProviderTest.php
@@ -526,6 +526,12 @@ public function testMetadataAccess(bool $authenticated, bool $protected): void
 
         $result = $c->metadata($request, 'phpunit');
         $this->assertInstanceOf(Response::class, $result);
+
+        if ($protected === true) {
+            $this->assertEquals('no-cache, private', $result->headers->get('cache-control'));
+        } else {
+            $this->assertEquals('public', $result->headers->get('cache-control'));
+        }
     }
 
     public static function provideMetadataAccess(): array
