providers/saml: fix metadata download not being unauthenticated

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-04-01 20:16:07 +02:00
parent 7e63a18d37
commit b299451cab
2 changed files with 8 additions and 4 deletions


@ -3,11 +3,13 @@ from xml.etree.ElementTree import ParseError # nosec
from defusedxml.ElementTree import fromstring from defusedxml.ElementTree import fromstring
from django.http.response import HttpResponse from django.http.response import HttpResponse
from django.shortcuts import get_object_or_404
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from drf_yasg.utils import swagger_auto_schema from drf_yasg.utils import swagger_auto_schema
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.fields import CharField, FileField, ReadOnlyField from rest_framework.fields import CharField, FileField, ReadOnlyField
from rest_framework.parsers import MultiPartParser from rest_framework.parsers import MultiPartParser
from rest_framework.permissions import AllowAny
from rest_framework.relations import SlugRelatedField from rest_framework.relations import SlugRelatedField
from rest_framework.request import Request from rest_framework.request import Request
from rest_framework.response import Response from rest_framework.response import Response
@ -78,11 +80,12 @@ class SAMLProviderViewSet(ModelViewSet):
serializer_class = SAMLProviderSerializer serializer_class = SAMLProviderSerializer
@swagger_auto_schema(responses={200: SAMLMetadataSerializer(many=False)}) @swagger_auto_schema(responses={200: SAMLMetadataSerializer(many=False)})
@action(methods=["GET"], detail=True) @action(methods=["GET"], detail=True, permission_classes=[AllowAny])
# pylint: disable=invalid-name, unused-argument # pylint: disable=invalid-name, unused-argument
def metadata(self, request: Request, pk: int) -> Response: def metadata(self, request: Request, pk: int) -> Response:
"""Return metadata as XML string""" """Return metadata as XML string"""
provider = self.get_object() # We don't use self.get_object() on purpose as this view is un-authenticated
provider = get_object_or_404(SAMLProvider, pk=pk)
try: try:
metadata = MetadataProcessor(provider, request).build_entity_descriptor() metadata = MetadataProcessor(provider, request).build_entity_descriptor()
if "download" in request._request.GET: if "download" in request._request.GET:
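Review bot: With `permission_classes=[AllowAny]` and `get_object_or_404(SAMLProvider, pk=pk)`, an anonymous caller can reach every provider row by integer pk, because the lookup no longer passes through the viewset's queryset, filter backends or object-permission check. SAML metadata is normally meant to be public, but it is worth confirming this also holds for providers not yet bound to an application, and stating the constraint in place of the current comment: `# Intentionally public: bypasses get_queryset()/filter backends and object permissions, so only non-sensitive metadata may be built here`. `AllowAny` relaxes only the permission check, so the configured authentication classes still run and a request carrying a stale or invalid credential will presumably get a 401 instead of the metadata; if service providers must always be able to fetch it, add `authentication_classes=[]` to the `@action` call. The body of `metadata` continues past the end of the hunk, so the error path is not visible here.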


@ -56,9 +56,10 @@ class TestProviderSAML(SeleniumTestCase):
"SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
"SP_METADATA_URL": ( "SP_METADATA_URL": (
self.url( self.url(
"authentik_providers_saml:metadata", "authentik_api:samlprovider-metadata",
application_slug=provider.application.slug, pk=provider.pk,
) )
+ "?download"
), ),
}, },
) )