From 37532754534f76b3e8f817c490d325b84d2e8a27 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 20 Jun 2020 21:51:52 +0200
Subject: [PATCH] providers/saml: make metadata accessible without authentication
---
 .../migrations/0004_auto_20200620_1950.py | 22 +++++++++++++++++++
 passbook/providers/saml/models.py | 6 +++--
 passbook/providers/saml/processors/base.py | 4 +++-
 .../providers/saml/processors/salesforce.py | 4 +++-
 passbook/providers/saml/utils/xml_render.py | 4 +++-
 passbook/providers/saml/views.py | 14 +++++------
 6 files changed, 41 insertions(+), 13 deletions(-)
 create mode 100644 passbook/providers/saml/migrations/0004_auto_20200620_1950.py
diff --git a/passbook/providers/saml/migrations/0004_auto_20200620_1950.py b/passbook/providers/saml/migrations/0004_auto_20200620_1950.py
new file mode 100644
index 000000000..175baeb5d
--- /dev/null
+++ b/passbook/providers/saml/migrations/0004_auto_20200620_1950.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.0.7 on 2020-06-20 19:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("passbook_providers_saml", "0003_samlprovider_sp_binding"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="samlprovider",
+ name="sp_binding",
+ field=models.TextField(
+ choices=[("redirect", "Redirect"), ("post", "Post")],
+ default="redirect",
+ verbose_name="Service Prodier Binding",
+ ),
+ ),
+ ]
diff --git a/passbook/providers/saml/models.py b/passbook/providers/saml/models.py
index ee4fa31a5..bcb1f7f57 100644
--- a/passbook/providers/saml/models.py
+++ b/passbook/providers/saml/models.py
@@ -34,7 +34,9 @@ class SAMLProvider(Provider):
 audience = models.TextField(default="")
 issuer = models.TextField(help_text=_("Also known as EntityID"))
 sp_binding = models.TextField(
- choices=SAMLBindings.choices, default=SAMLBindings.REDIRECT
+ choices=SAMLBindings.choices,
+ default=SAMLBindings.REDIRECT,
+ verbose_name=_("Service Prodier Binding"),
 )
 
 assertion_valid_not_before = models.TextField(
@@ -142,7 +144,7 @@ class SAMLProvider(Provider):
 # pylint: disable=no-member
 metadata = DescriptorDownloadView.get_metadata(request, self)
 return render_to_string(
- "saml/idp/admin_metadata_modal.html",
+ "providers/saml/admin_metadata_modal.html",
 {"provider": self, "metadata": metadata},
 )
 except Provider.application.RelatedObjectDoesNotExist:
diff --git a/passbook/providers/saml/processors/base.py b/passbook/providers/saml/processors/base.py
index d80201510..05228a0b0 100644
--- a/passbook/providers/saml/processors/base.py
+++ b/passbook/providers/saml/processors/base.py
@@ -132,7 +132,9 @@ class Processor:
 continue
 self._assertion_params["ATTRIBUTES"] = attributes
 self._assertion_xml = get_assertion_xml(
- "providers/saml/xml/assertions/generic.xml", self._assertion_params, signed=True
+ "providers/saml/xml/assertions/generic.xml",
+ self._assertion_params,
+ signed=True,
 )
 
 def _format_response(self):
diff --git a/passbook/providers/saml/processors/salesforce.py b/passbook/providers/saml/processors/salesforce.py
index 2c43ca10d..715b93c7f 100644
--- a/passbook/providers/saml/processors/salesforce.py
+++ b/passbook/providers/saml/processors/salesforce.py
@@ -10,5 +10,7 @@ class SalesForceProcessor(GenericProcessor):
 def _format_assertion(self):
 super()._format_assertion()
 self._assertion_xml = get_assertion_xml(
- "providers/saml/xml/assertions/salesforce.xml", self._assertion_params, signed=True
+ "providers/saml/xml/assertions/salesforce.xml",
+ self._assertion_params,
+ signed=True,
 )
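Review bot: The new `verbose_name=_("Service Prodier Binding")` on `sp_binding` misspells "Provider", and the same string is frozen into the generated migration 0004 as `verbose_name="Service Prodier Binding"`, so the typo will ship both as the admin-visible field label and as a translation source string. Change it to `verbose_name=_("Service Provider Binding")` and regenerate the migration before merging; otherwise a second migration is needed just to correct the label. The enclosing `SAMLProvider` class begins and ends outside the hunk.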
diff --git a/passbook/providers/saml/utils/xml_render.py b/passbook/providers/saml/utils/xml_render.py
index 58f1d37bb..55a2dfb16 100644
--- a/passbook/providers/saml/utils/xml_render.py
+++ b/passbook/providers/saml/utils/xml_render.py
@@ -48,7 +48,9 @@ def _get_in_response_to(params):
 
 def _get_subject(params):
 """Insert Subject. Modifies the params dict."""
- params["SUBJECT_STATEMENT"] = render_to_string("providers/saml/xml/subject.xml", params)
+ params["SUBJECT_STATEMENT"] = render_to_string(
+ "providers/saml/xml/subject.xml", params
+ )
 
 
 def get_assertion_xml(template, parameters, signed=False):
diff --git a/passbook/providers/saml/views.py b/passbook/providers/saml/views.py
index 5b7ce4bd8..187a012af 100644
--- a/passbook/providers/saml/views.py
+++ b/passbook/providers/saml/views.py
@@ -229,7 +229,7 @@ class SAMLFlowFinalView(StageView):
 return bad_request_message(request, "Invalid sp_binding specified")
 
 
-class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
+class DescriptorDownloadView(View):
 """Replies with the XML Metadata IDSSODescriptor."""
 
 @staticmethod
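Review bot: Removing `LoginRequiredMixin` and `SAMLAccessMixin` from `DescriptorDownloadView` turns it into a public, unauthenticated endpoint, but the unchanged docstring still reads like any other view, so a later maintainer gets no signal that this is deliberate or that only public IdP data may ever be rendered here. Extend the docstring to `"""Replies with the XML Metadata IDSSODescriptor. Deliberately unauthenticated: service providers fetch this during setup, so nothing beyond public IdP metadata may be returned from here."""`. If `LoginRequiredMixin`, `SAMLAccessMixin` or `PermissionDenied` have no other users in views.py after this change their imports are now dead and should go too; that cannot be confirmed from the hunk. The class body continues beyond the hunk.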
@@ -263,14 +263,12 @@ class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
 def get(self, request: HttpRequest, application_slug: str) -> HttpResponse:
 """Replies with the XML Metadata IDSSODescriptor."""
- self.application = get_object_or_404(Application, slug=application_slug)
- self.provider: SAMLProvider = get_object_or_404(
- SAMLProvider, pk=self.application.provider_id
+ application = get_object_or_404(Application, slug=application_slug)
+ provider: SAMLProvider = get_object_or_404(
+ SAMLProvider, pk=application.provider_id
 )
- if not self._has_access():
- raise PermissionDenied()
 try:
- metadata = DescriptorDownloadView.get_metadata(request, self.provider)
+ metadata = DescriptorDownloadView.get_metadata(request, provider)
 except Provider.application.RelatedObjectDoesNotExist:
 # pylint: disable=no-member
 return bad_request_message(
 request, "Provider is not assigned to an application."
@@ -279,5 +277,5 @@ class DescriptorDownloadView(LoginRequiredMixin, SAMLAccessMixin, View):
 response = HttpResponse(metadata, content_type="application/xml")
 response[
 "Content-Disposition"
- ] = f'attachment; filename="{self.provider.name}_passbook_meta.xml"'
+ ] = f'attachment; filename="{provider.name}_passbook_meta.xml"'
 return response
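Review bot: With the `_has_access()` check gone, `get()` now answers any anonymous client, and `get_object_or_404(Application, slug=application_slug)` makes the endpoint an oracle for which application slugs exist and which of them are SAML providers; if some applications are meant to stay hidden from unauthenticated users this should be acknowledged in the commit message and next to the lookup, e.g. `# Unauthenticated by design: SPs need the IdP metadata; this only exposes public IdP data and the existence of the slug.`. Because `request` is now attacker-supplied, if `get_metadata` (not shown here) derives the SSO endpoint URLs from the request host, a strict `ALLOWED_HOSTS` is the only thing keeping a spoofed Host header out of the metadata an SP will store; worth confirming. As far as this hunk shows, `provider` is reached through `application.provider_id`, so the `RelatedObjectDoesNotExist` branch can no longer trigger and the `bad_request_message` fallback could be dropped.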
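Review bot: The `Content-Disposition` header is still built by interpolating `provider.name` unescaped into `filename="..."`; a provider name containing a double quote, a semicolon or non-ASCII characters yields a malformed or client-dependent header, and Django only rejects newlines. This predates the commit, but now that the response is served to unauthenticated clients it is worth sanitising the value, for example `safe_name = re.sub(r"[^\w.-]", "_", provider.name)` followed by `] = f'attachment; filename="{safe_name}_passbook_meta.xml"'`, adding `import re` at the top of views.py if it is not already imported. `get()` begins outside this hunk.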