providers/saml: fix metadata rendering when no singing keypair is selected

closes PASSBOOK-44
This commit is contained in:
Jens Langhammer 2020-04-10 21:54:23 +02:00
parent 9a1270c693
commit 5f4452470b
2 changed files with 6 additions and 11 deletions

View file

@ -1,6 +1,7 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{{ entity_id }}"> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{{ entity_id }}">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
{% if cert_public_key %}
<md:KeyDescriptor use="signing"> <md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> <ds:X509Data>
@ -8,13 +9,7 @@
</ds:X509Data> </ds:X509Data>
</ds:KeyInfo> </ds:KeyInfo>
</md:KeyDescriptor> </md:KeyDescriptor>
<md:KeyDescriptor use="encryption"> {% endif %}
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>{{ cert_public_key }}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>{{ subject_format }}</md:NameIDFormat> <md:NameIDFormat>{{ subject_format }}</md:NameIDFormat>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ slo_url }}"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ slo_url }}"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ sso_post_url }}"/> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ sso_post_url }}"/>

View file

@ -274,19 +274,19 @@ class DescriptorDownloadView(AccessRequiredView):
kwargs={"application": provider.application.slug}, kwargs={"application": provider.application.slug},
) )
) )
pubkey = strip_pem_header(
provider.signing_kp.certificate_data.replace("\r", "")
).replace("\n", "")
subject_format = provider.processor.subject_format subject_format = provider.processor.subject_format
ctx = { ctx = {
"entity_id": entity_id, "entity_id": entity_id,
"cert_public_key": pubkey,
"slo_url": slo_url, "slo_url": slo_url,
# Currently, the same endpoint accepts POST and REDIRECT # Currently, the same endpoint accepts POST and REDIRECT
"sso_post_url": sso_post_url, "sso_post_url": sso_post_url,
"sso_redirect_url": sso_post_url, "sso_redirect_url": sso_post_url,
"subject_format": subject_format, "subject_format": subject_format,
} }
if provider.signing_kp:
ctx["cert_public_key"] = strip_pem_header(
provider.signing_kp.certificate_data.replace("\r", "")
).replace("\n", "")
return render_to_string("saml/xml/metadata.xml", ctx) return render_to_string("saml/xml/metadata.xml", ctx)
# pylint: disable=unused-argument # pylint: disable=unused-argument