Enforce encrypt_mandatory flag (#1)

hamir-suspect · web-flow · commit 51676dd93405 · 2026-03-26T16:00:49.000+01:00
diff --git a/src/esaml_sp.erl b/src/esaml_sp.erl
@@ -259,6 +259,15 @@ validate_assertion(Xml, DuplicateFun, SP = #esaml_sp{}) ->
                 _ -> {error, bad_saml}
             end
         end,
+        fun(X) ->
+            if SP#esaml_sp.encrypt_mandatory ->
+                case xmerl_xpath:string("/samlp:Response/saml:EncryptedAssertion", X, [{namespace, Ns}]) of
+                    [_] -> X;  % Encrypted assertion found, continue
+                    _ -> {error, encryption_required}
+                end;
+            true -> X  % Not mandatory, continue
+            end
+        end,
         fun(X) ->
             case xmerl_xpath:string("/samlp:Response/saml:EncryptedAssertion", X, [{namespace, Ns}]) of
                 [A1] ->
