From 2297db97eb2644fbb1a1c83cdbc43bcef5ef2057 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Wed, 11 May 2016 14:29:41 -0400
Subject: [PATCH] SSPCPP-608 - Allow AuthnRequests to be signed at the
 SessionInitiator level

https://issues.shibboleth.net/jira/browse/SSPCPP-608
---
 schemas/shibboleth-2.0-native-sp-config.xsd  | 16 ++++++++++++++++
 shibsp/handler/impl/AbstractHandler.cpp      |  5 ++++-
 shibsp/handler/impl/SAML2LogoutInitiator.cpp |  4 +++-
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index 582ed12..7095253 100644
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -563,6 +563,18 @@
       <documentation>Used to ignore NoPassive errors in AssertionConsumerService endpoints</documentation>
     </annotation>
   </attribute>
+
+  <attribute name="signing" type="conf:bindingBoolean">
+    <annotation>
+      <documentation>Used to override signing property in SingleLogoutService/etc endpoints</documentation>
+    </annotation>
+  </attribute>
+
+  <attribute name="encryption" type="conf:bindingBoolean">
+    <annotation>
+      <documentation>Used to override encryption property in SingleLogoutService/etc endpoints</documentation>
+    </annotation>
+  </attribute>
   
   <attributeGroup name="SessionInitiatorGroup">
     <annotation>
@@ -586,6 +598,8 @@
     <attribute name="requestDelegation" type="boolean"/>
     <attribute name="target" type="anyURI"/>
     <attribute name="discoveryPolicy" type="conf:string"/>
+    <attribute name="signing" type="conf:bindingBoolean"/>
+    <attribute name="encryption" type="conf:bindingBoolean"/>    
     <anyAttribute namespace="##any" processContents="lax"/>
   </attributeGroup>
 
@@ -619,6 +633,8 @@
     <attribute name="outgoingBindings" type="conf:listOfURIs"/>
     <attribute name="template" type="anyURI"/>
     <attribute name="postArtifact" type="boolean"/>
+    <attribute name="signing" type="conf:bindingBoolean"/>
+    <attribute name="encryption" type="conf:bindingBoolean"/>    
     <anyAttribute namespace="##any" processContents="lax"/>
   </attributeGroup>
 
diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 9b1c410..f364221 100644
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -517,7 +517,10 @@ long AbstractHandler::sendMessage(
 {
     const EntityDescriptor* entity = role ? dynamic_cast<const EntityDescriptor*>(role->getParent()) : nullptr;
     const PropertySet* relyingParty = application.getRelyingParty(entity);
-    pair<bool,const char*> flag = relyingParty->getString("signing");
+    pair<bool,const char*> flag = getString("signing",
+        !getElement() || XMLString::equals(getElement()->getNamespaceURI(), shibspconstants::SHIB2SPCONFIG_NS) ? nullptr : m_configNS.get());
+    if (!flag.first)
+        flag = relyingParty->getString("signing");
     if (SPConfig::shouldSignOrEncrypt(flag.first ? flag.second : defaultSigningProperty, destination, encoder.isUserAgentPresent())) {
         CredentialResolver* credResolver = application.getCredentialResolver();
         if (credResolver) {
diff --git a/shibsp/handler/impl/SAML2LogoutInitiator.cpp b/shibsp/handler/impl/SAML2LogoutInitiator.cpp
index 37c150b..d70a991 100644
--- a/shibsp/handler/impl/SAML2LogoutInitiator.cpp
+++ b/shibsp/handler/impl/SAML2LogoutInitiator.cpp
@@ -518,7 +518,9 @@ auto_ptr<LogoutRequest> SAML2LogoutInitiator::buildRequest(
     }
 
     const NameID* nameid = session.getNameID();
-    pair<bool,const char*> flag = relyingParty->getString("encryption");
+    pair<bool, const char*> flag = getString("encryption");
+    if (!flag.first)
+        flag = relyingParty->getString("encryption");
     auto_ptr_char dest(endpoint);
     if (SPConfig::shouldSignOrEncrypt(flag.first ? flag.second : "conditional", dest.get(), encoder != nullptr)) {
         try {
-- 
2.1.4