providers/saml: make metadata accessible without authentication

passbook/providers/saml/migrations/0004_auto_20200620_1950.py

@@ -0,0 +1,22 @@
+# Generated by Django 3.0.7 on 2020-06-20 19:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_providers_saml", "0003_samlprovider_sp_binding"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="samlprovider",
+            name="sp_binding",
+            field=models.TextField(
+                choices=[("redirect", "Redirect"), ("post", "Post")],
+                default="redirect",
+                verbose_name="Service Prodier Binding",
+            ),
+        ),
+    ]

passbook/providers/saml/models.py

@@ -34,7 +34,9 @@ class SAMLProvider(Provider):
     audience = models.TextField(default="")
     issuer = models.TextField(help_text=_("Also known as EntityID"))
     sp_binding = models.TextField(
-        choices=SAMLBindings.choices, default=SAMLBindings.REDIRECT
+        choices=SAMLBindings.choices,
+        default=SAMLBindings.REDIRECT,
+        verbose_name=_("Service Prodier Binding"),
     )
 
     assertion_valid_not_before = models.TextField(
@@ -142,7 +144,7 @@ class SAMLProvider(Provider):
             # pylint: disable=no-member
             metadata = DescriptorDownloadView.get_metadata(request, self)
             return render_to_string(
-                "saml/idp/admin_metadata_modal.html",
+                "providers/saml/admin_metadata_modal.html",
                 {"provider": self, "metadata": metadata},
             )
         except Provider.application.RelatedObjectDoesNotExist:

passbook/providers/saml/processors/base.py

@@ -132,7 +132,9 @@ class Processor:
                 continue
         self._assertion_params["ATTRIBUTES"] = attributes
         self._assertion_xml = get_assertion_xml(
-            "providers/saml/xml/assertions/generic.xml", self._assertion_params, signed=True
+            "providers/saml/xml/assertions/generic.xml",
+            self._assertion_params,
+            signed=True,
         )
 
     def _format_response(self):

passbook/providers/saml/processors/salesforce.py

@@ -10,5 +10,7 @@ class SalesForceProcessor(GenericProcessor):
     def _format_assertion(self):
         super()._format_assertion()
         self._assertion_xml = get_assertion_xml(
-            "providers/saml/xml/assertions/salesforce.xml", self._assertion_params, signed=True
+            "providers/saml/xml/assertions/salesforce.xml",
+            self._assertion_params,
+            signed=True,
         )

passbook/providers/saml/utils/xml_render.py

@@ -48,7 +48,9 @@ def _get_in_response_to(params):
 
 def _get_subject(params):
     """Insert Subject. Modifies the params dict."""
-    params["SUBJECT_STATEMENT"] = render_to_string("providers/saml/xml/subject.xml", params)
+    params["SUBJECT_STATEMENT"] = render_to_string(
+        "providers/saml/xml/subject.xml", params
+    )
 
 
 def get_assertion_xml(template, parameters, signed=False):

passbook/providers/saml/views.py

@@ -229,7 +229,7 @@ class SAMLFlowFinalView(StageView):
         return bad_request_message(request, "Invalid sp_binding specified")
 
 
-class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
+class DescriptorDownloadView(View):
     """Replies with the XML Metadata IDSSODescriptor."""
 
     @staticmethod
@@ -263,14 +263,12 @@ class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
 
     def get(self, request: HttpRequest, application_slug: str) -> HttpResponse:
         """Replies with the XML Metadata IDSSODescriptor."""
-        self.application = get_object_or_404(Application, slug=application_slug)
-        self.provider: SAMLProvider = get_object_or_404(
-            SAMLProvider, pk=self.application.provider_id
+        application = get_object_or_404(Application, slug=application_slug)
+        provider: SAMLProvider = get_object_or_404(
+            SAMLProvider, pk=application.provider_id
         )
-        if not self._has_access():
-            raise PermissionDenied()
         try:
-            metadata = DescriptorDownloadView.get_metadata(request, self.provider)
+            metadata = DescriptorDownloadView.get_metadata(request, provider)
         except Provider.application.RelatedObjectDoesNotExist:  # pylint: disable=no-member
             return bad_request_message(
                 request, "Provider is not assigned to an application."
@@ -279,5 +277,5 @@ class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
             response = HttpResponse(metadata, content_type="application/xml")
             response[
                 "Content-Disposition"
-            ] = f'attachment; filename="{self.provider.name}_passbook_meta.xml"'
+            ] = f'attachment; filename="{provider.name}_passbook_meta.xml"'
             return response