Check for x509Cert of the IdP when loading settings, even if the security index was not provided

pitbulk · pitbulk · commit c12a61a58b4d · 2020-11-25T18:40:08.000+01:00
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
@@ -564,19 +564,19 @@ public function checkIdPSettings($settings)
                 $errors[] = 'idp_slo_response_url_invalid';
             }
 
-            if (isset($settings['security'])) {
-                $security = $settings['security'];
+            $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']);
+            $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']);
+            $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']);
+
+            if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign)
+            ) {
+                $errors[] = 'idp_cert_or_fingerprint_not_found_and_required';
+            }
 
-                $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']);
-                $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']);
+            if (isset($settings['security'])) {
                 $existsMultiX509Enc = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['encryption']) && !empty($idp['x509certMulti']['encryption']);
 
-                $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']);
-                if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign)
-                ) {
-                    $errors[] = 'idp_cert_or_fingerprint_not_found_and_required';
-                }
-                if ((isset($security['nameIdEncrypted']) && $security['nameIdEncrypted'] == true)
+                if ((isset($settings['security']['nameIdEncrypted']) && $settings['security']['nameIdEncrypted'] == true)
                     && !($existsX509 || $existsMultiX509Enc)
                 ) {
                     $errors[] = 'idp_cert_not_found_and_required';
diff --git a/tests/src/OneLogin/Saml/AuthRequestTest.php b/tests/src/OneLogin/Saml/AuthRequestTest.php
@@ -15,6 +15,8 @@ public function setUp()
         $settings = new OneLogin_Saml_Settings;
         $settings->idpSingleSignOnUrl = 'http://stuff.com/';
         $settings->spReturnUrl = 'http://sp.stuff.com/';
+        $cert = file_get_contents(TEST_ROOT . '/data/customPath/certs/sp.crt');
+        $settings->idpPublicCertificate = $cert;
         $this->_settings = $settings;
     }
 
diff --git a/tests/src/OneLogin/Saml2/SettingsTest.php b/tests/src/OneLogin/Saml2/SettingsTest.php
@@ -53,6 +53,8 @@ public function testLoadSettingsFromObject()
         $settingsObj = new OneLogin_Saml_Settings;
         $settingsObj->idpSingleSignOnUrl = 'http://stuff.com/';
         $settingsObj->spReturnUrl = 'http://sp.stuff.com/';
+        $cert = file_get_contents(TEST_ROOT . '/data/customPath/certs/sp.crt');
+        $settingsObj->idpPublicCertificate = $cert;
 
         $settings = new OneLogin_Saml2_Settings($settingsObj);
 

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ public function setUp()`
`15`	`15`	`$settings = new OneLogin_Saml_Settings;`
`16`	`16`	`$settings->idpSingleSignOnUrl = 'http://stuff.com';`
`17`	`17`	`$settings->spReturnUrl = 'http://sp.stuff.com';`
	`18`	`+ $cert = file_get_contents(TEST_ROOT . '/data/customPath/certs/sp.crt');`
	`19`	`+ $settings->idpPublicCertificate = $cert;`
`18`	`20`	`$this->_settings = $settings;`
`19`	`21`	`}`
`20`	`22`