providers/saml: fix metadata rendering when no singing keypair is selected

closes PASSBOOK-44
2020-04-10 21:54:23 +02:00 · 2020-04-10 21:54:23 +02:00 · 5f4452470b
parent 9a1270c693
commit 5f4452470b
2 changed files with 6 additions and 11 deletions
--- a/passbook/providers/saml/templates/saml/xml/metadata.xml
+++ b/passbook/providers/saml/templates/saml/xml/metadata.xml
@ -1,6 +1,7 @@
 <?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{{ entity_id }}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    {% if cert_public_key %}
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
@ -8,13 +9,7 @@
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
-    <md:KeyDescriptor use="encryption">
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:X509Data>
-          <ds:X509Certificate>{{ cert_public_key }}</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
+    {% endif %}
    <md:NameIDFormat>{{ subject_format }}</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ slo_url }}"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ sso_post_url }}"/>
--- a/passbook/providers/saml/views.py
+++ b/passbook/providers/saml/views.py
@ -274,19 +274,19 @@ class DescriptorDownloadView(AccessRequiredView):
                kwargs={"application": provider.application.slug},
            )
        )
-        pubkey = strip_pem_header(
-            provider.signing_kp.certificate_data.replace("\r", "")
-        ).replace("\n", "")
        subject_format = provider.processor.subject_format
        ctx = {
            "entity_id": entity_id,
-            "cert_public_key": pubkey,
            "slo_url": slo_url,
            # Currently, the same endpoint accepts POST and REDIRECT
            "sso_post_url": sso_post_url,
            "sso_redirect_url": sso_post_url,
            "subject_format": subject_format,
        }
+        if provider.signing_kp:
+            ctx["cert_public_key"] = strip_pem_header(
+                provider.signing_kp.certificate_data.replace("\r", "")
+            ).replace("\n", "")
        return render_to_string("saml/xml/metadata.xml", ctx)

    # pylint: disable=unused-argument