providers/saml: fix signing and verification kp not being set correctly

2020-12-30 22:07:30 +01:00 · 2020-12-30 22:07:30 +01:00 · 412f5b9210
parent a9e53cd52a
commit 412f5b9210
3 changed files with 10 additions and 5 deletions
--- a/authentik/providers/saml/processors/metadata_parser.py
+++ b/authentik/providers/saml/processors/metadata_parser.py
@ -10,7 +10,6 @@ from lxml import etree  # nosec
 from structlog import get_logger

 from authentik.crypto.models import CertificateKeyPair
-from authentik.flows.models import Flow, FlowDesignation
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.utils.encoding import PEM_FOOTER, PEM_HEADER
 from authentik.sources.saml.processors.constants import (
@ -56,10 +55,14 @@ class ServiceProviderMetadata:
        provider.issuer = self.entity_id
        provider.sp_binding = self.acs_binding
        provider.acs_url = self.acs_location
-        if self.signing_keypair:
+        if self.signing_keypair and self.auth_n_request_signed:
            self.signing_keypair.name = f"Provider {name} - SAML Signing Certificate"
            self.signing_keypair.save()
-            provider.signing_kp = self.signing_keypair
+            provider.verification_kp = self.signing_keypair
+        if self.assertion_signed:
+            provider.signing_kp = CertificateKeyPair.objects.exclude(
+                key_data__iexact=""
+            ).first()
        return provider


--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@ -84,7 +84,9 @@ class TestServiceProviderMetadataParser(TestCase):
            provider.issuer, "http://localhost:8080/apps/user_saml/saml/metadata"
        )
        self.assertEqual(provider.sp_binding, SAMLBindings.POST)
-        self.assertEqual(provider.signing_kp.certificate_data, CERT)
+        self.assertEqual(provider.verification_kp.certificate_data, CERT)
+        self.assertIsNotNone(provider.signing_kp)
+        self.assertEqual(provider.audience, "")

    def test_with_signing_cert_invalid_signature(self):
        """Test Metadata with signing cert (invalid signature)"""
--- a/authentik/providers/saml/views.py
+++ b/authentik/providers/saml/views.py
@ -277,7 +277,7 @@ class MetadataImportView(LoginRequiredMixin, FormView):
            LOGGER.warning(exc)
            messages.error(
                self.request,
-                _("Failed to import Metadata: %(message)s", {"message": str(exc)}),
+                _("Failed to import Metadata: %(message)s" % {"message": str(exc)}),
            )
            return super().form_invalid(form)
        return super().form_valid(form)