providers/saml: fix metadata being inaccessible without authentication

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-08-01 14:50:17 +02:00
parent d70b81fe43
commit f875149983
2 changed files with 14 additions and 2 deletions


@ -2,7 +2,8 @@
from xml.etree.ElementTree import ParseError # nosec from xml.etree.ElementTree import ParseError # nosec
from defusedxml.ElementTree import fromstring from defusedxml.ElementTree import fromstring
from django.http.response import HttpResponse from django.http.response import Http404, HttpResponse
from django.shortcuts import get_object_or_404
from django.urls import reverse from django.urls import reverse
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from drf_spectacular.types import OpenApiTypes from drf_spectacular.types import OpenApiTypes
@ -114,7 +115,11 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
# pylint: disable=invalid-name, unused-argument # pylint: disable=invalid-name, unused-argument
def metadata(self, request: Request, pk: int) -> Response: def metadata(self, request: Request, pk: int) -> Response:
"""Return metadata as XML string""" """Return metadata as XML string"""
provider = self.get_object() # We don't use self.get_object() on purpose as this view is un-authenticated
try:
provider = get_object_or_404(SAMLProvider, pk=pk)
except ValueError:
raise Http404
try: try:
metadata = MetadataProcessor(provider, request).build_entity_descriptor() metadata = MetadataProcessor(provider, request).build_entity_descriptor()
if "download" in request._request.GET: if "download" in request._request.GET:
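Review bot: The replacement lookup on the `provider = get_object_or_404(SAMLProvider, pk=pk)` line skips the viewset's `get_queryset()`/`filter_queryset()`, so any scoping the inherited `get_object()` applied for authenticated callers no longer applies on this now-unauthenticated action; if exposing every provider's metadata to anonymous clients is the intent (SAML metadata is normally published openly), the comment above it should say so rather than only noting that `get_object()` is not used, e.g. `# Intentionally not self.get_object(): this action is unauthenticated and SAML metadata is meant to be public, so no viewset queryset filtering is applied`. The permission declaration that makes the action unauthenticated is outside this hunk, so I cannot confirm it here. The `raise Http404` in the `except ValueError:` branch could be `raise Http404 from None`, since a non-numeric pk is expected input and the ORM's ValueError adds nothing to the traceback. The `pk: int` annotation is now misleading as well, because the `except ValueError` exists precisely because `pk` arrives as a URL string; `pk: str` would match. The body of `metadata` continues past the end of the hunk.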


@ -20,6 +20,7 @@ class TestSAMLProviderAPI(APITestCase):
def test_metadata(self): def test_metadata(self):
"""Test metadata export (normal)""" """Test metadata export (normal)"""
self.client.logout()
provider = SAMLProvider.objects.create( provider = SAMLProvider.objects.create(
name="test", name="test",
authorization_flow=Flow.objects.get( authorization_flow=Flow.objects.get(
@ -34,6 +35,7 @@ class TestSAMLProviderAPI(APITestCase):
def test_metadata_download(self): def test_metadata_download(self):
"""Test metadata export (download)""" """Test metadata export (download)"""
self.client.logout()
provider = SAMLProvider.objects.create( provider = SAMLProvider.objects.create(
name="test", name="test",
authorization_flow=Flow.objects.get( authorization_flow=Flow.objects.get(
@ -50,6 +52,7 @@ class TestSAMLProviderAPI(APITestCase):
def test_metadata_invalid(self): def test_metadata_invalid(self):
"""Test metadata export (invalid)""" """Test metadata export (invalid)"""
self.client.logout()
# Provider without application # Provider without application
provider = SAMLProvider.objects.create( provider = SAMLProvider.objects.create(
name="test", name="test",
@ -61,6 +64,10 @@ class TestSAMLProviderAPI(APITestCase):
reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}), reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}),
) )
self.assertEqual(200, response.status_code) self.assertEqual(200, response.status_code)
response = self.client.get(
reverse("authentik_api:samlprovider-metadata", kwargs={"pk": "abc"}),
)
self.assertEqual(404, response.status_code)
def test_import_success(self): def test_import_success(self):
"""Test metadata import (success case)""" """Test metadata import (success case)"""
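Review bot: The new assertions at the end of `test_metadata_invalid` cover only the non-numeric pk (`"abc"`), which exercises the `except ValueError` branch of the view; the other new branch, `get_object_or_404` on a well-formed pk that does not exist, has no anonymous test, so a regression that re-introduces authentication or breaks the 404 there would still pass. A request for an integer pk no provider has, e.g. `response = self.client.get(reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk + 1}))` followed by `self.assertEqual(404, response.status_code)`, would pin it (`provider.pk + 1` is a constructed value; any pk known to be absent in the test database works). The added `self.client.logout()` calls only prove anonymity if the class setUp logs the client in, which is outside the hunk, so it is worth confirming that the client is otherwise authenticated. The enclosing test method starts before this hunk.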