auth_saml: warn if mellon key settings are not set (#68935)

2022-09-14 17:30:18 +02:00 · 2022-09-14 17:30:18 +02:00 · b568ead741
parent 770a1b14b4
commit b568ead741
3 changed files with 29 additions and 0 deletions
--- a/src/authentic2_auth_saml/models.py
+++ b/src/authentic2_auth_saml/models.py
@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

+from django.conf import settings
 from django.contrib.postgres.fields import JSONField
 from django.core.exceptions import ValidationError
 from django.db import models
@ -182,6 +183,11 @@ class SAMLAuthenticator(BaseAuthenticator):
            request, login_url='mellon_login', params={'entityID': settings['ENTITY_ID']}
        )

+    def has_signing_key(self):
+        return bool(
+            getattr(settings, 'MELLON_PRIVATE_KEY', '') and getattr(settings, 'MELLON_PUBLIC_KEYS', '')
+        )
+
    def login(self, request, *args, **kwargs):
        from . import views

--- a/src/authentic2_auth_saml/templates/authentic2_auth_saml/authenticator_detail.html
+++ b/src/authentic2_auth_saml/templates/authentic2_auth_saml/authenticator_detail.html
@ -1,6 +1,16 @@
 {% extends 'authentic2/authenticators/authenticator_detail.html' %}
 {% load i18n %}

+{% block content %}
+{% if not object.has_signing_key %}
+<div class="warningnotice">
+  {% trans "Signing key is missing. You need to set MELLON_PUBLIC_KEYS and MELLON_PRIVATE_KEY settings, otherwise assertions will not be signed." %}
+</div>
+{% endif %}
+
+{{ block.super }}
+{% endblock %}
+
 {% block extra-tab-buttons %}
  <button aria-controls="panel-samlattributelookup" aria-selected="false" id="tab-samlattributelookup" role="tab" tabindex="-1">{% trans "Lookup by attributes" %}</button>
  <button aria-controls="panel-renameattributeaction" aria-selected="false" id="tab-renameattributeaction" role="tab" tabindex="-1">{% trans "Rename attributes" %}</button>
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
@ -334,6 +334,19 @@ def test_authenticators_saml_hide_metadata_url_advanced_fields(app, superuser, o
    assert 'Metadata HTTP timeout' in resp.text


+def test_authenticators_saml_missing_signing_key(app, superuser, settings):
+    authenticator = SAMLAuthenticator.objects.create(slug='idp1')
+
+    resp = login(app, superuser)
+    resp = app.get(authenticator.get_absolute_url())
+    assert 'Signing key is missing' in resp.text
+
+    settings.MELLON_PRIVATE_KEY = 'xxx'
+    settings.MELLON_PUBLIC_KEYS = ['yyy']
+    resp = app.get(authenticator.get_absolute_url())
+    assert 'Signing key is missing' not in resp.text
+
+
 def test_authenticators_saml_attribute_lookup(app, superuser):
    authenticator = SAMLAuthenticator.objects.create(metadata='meta1.xml', slug='idp1')
    resp = login(app, superuser, path=authenticator.get_absolute_url())