From 40a2a2690451d108c7c78cf0d875d6ac705ecbaa Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 Feb 2020 17:05:11 +0100
Subject: [PATCH] sources/saml: fix Metadata cert including PEM header

---
 .../templates/saml/sp/xml/spssodescriptor.xml | 58 ++-----------------
 passbook/sources/saml/views.py                |  6 +-
 2 files changed, 10 insertions(+), 54 deletions(-)

diff --git a/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml b/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml
index e990f5a91..23e8e6090 100644
--- a/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml
+++ b/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml
@@ -1,10 +1,7 @@
-<md:EntityDescriptor
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-  entityID="{{ entity_id }}">
-  <md:SPSSODescriptor
-    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{{ entity_id }}">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
@@ -19,52 +16,7 @@
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>
-    <md:NameIDFormat>
-      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-    </md:NameIDFormat>
-    <md:AssertionConsumerService isDefault="true" index="0"
-      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-      Location="{{ acs_url }}"/>
-{% comment %}
-<!-- Other bits that we might need. -->
-<!-- Ref: saml-metadata-2.0-os.pdf, pg 10, section 2.3... -->
-    <md:NameIDFormat>
-      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
-    </md:NameIDFormat>
-    <md:ArtifactResolutionService isDefault="true" index="0"
-      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-      Location="https://sp.example.com/SAML2/ArtifactResolution"/>
-    <md:AssertionConsumerService index="1"
-      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-      Location="https://sp.example.com/SAML2/Artifact"/>
-    <md:AttributeConsumingService isDefault="true" index="1">
-      <md:ServiceName xml:lang="en">
-        Service Provider Portal
-      </md:ServiceName>
-      <md:RequestedAttribute
-        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
-        FriendlyName="eduPersonAffiliation">
-      </md:RequestedAttribute>
-    </md:AttributeConsumingService>
-{% endcomment %}
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ acs_url }}"/>
   </md:SPSSODescriptor>
-{% comment %}
-<!-- #TODO: Add support for optional Organization section -->
-{# if org #}
-  <md:Organization>
-    <md:OrganizationName xml:lang="en">{{ org.name }}</md:OrganizationName>
-    <md:OrganizationDisplayName xml:lang="en">{{ org.display_name }}</md:OrganizationDisplayName>
-    <md:OrganizationURL xml:lang="en">{{ org.url }}</md:OrganizationURL>
-  </md:Organization>
-{# endif #}
-<!-- #TODO: Add support for optional ContactPerson section(s) -->
-{# for contact in contacts #}
-  <md:ContactPerson contactType="{{ contact.type }}">
-    <md:GivenName>{{ contact.given_name }}</md:GivenName>
-    <md:SurName>{{ contact.sur_name }}</md:SurName>
-    <md:EmailAddress>{{ contact.email }}</md:EmailAddress>
-  </md:ContactPerson>
-{# endfor #}
-{% endcomment %}
 </md:EntityDescriptor>
diff --git a/passbook/sources/saml/views.py b/passbook/sources/saml/views.py
index 18a07f5ba..eb5bacae4 100644
--- a/passbook/sources/saml/views.py
+++ b/passbook/sources/saml/views.py
@@ -8,6 +8,7 @@ from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
+from signxml.util import strip_pem_header
 
 from passbook.providers.saml.utils import get_random_id, render_xml
 from passbook.providers.saml.utils.encoding import nice64
@@ -97,12 +98,15 @@ class MetadataView(View):
         """Replies with the XML Metadata SPSSODescriptor."""
         source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
         entity_id = get_entity_id(request, source)
+        cert_stripped = strip_pem_header(source.signing_cert.replace("\r", "")).replace(
+            "\n", ""
+        )
         return render_xml(
             request,
             "saml/sp/xml/spssodescriptor.xml",
             {
                 "acs_url": build_full_url("acs", request, source),
                 "entity_id": entity_id,
-                "cert_public_key": source.signing_cert,
+                "cert_public_key": cert_stripped,
             },
         )