From e8f3b87b176abfe0a60da7cd0d8cb2d27ac65ddf Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Fri, 5 Nov 2021 12:17:54 +0100
Subject: [PATCH] saml: Sign LogoutRequests and LogoutResponses if certs are set up.

---
 zproject/computed_settings.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/zproject/computed_settings.py b/zproject/computed_settings.py
index 54e91428b7..45949c06dc 100644
--- a/zproject/computed_settings.py
+++ b/zproject/computed_settings.py
@@ -1109,6 +1109,15 @@ if PRODUCTION:
             "/etc/zulip/saml/zulip-private-key.key"
         )
 
+    if SOCIAL_AUTH_SAML_SP_PUBLIC_CERT and SOCIAL_AUTH_SAML_SP_PRIVATE_KEY:
+        # If the certificates are set up, it's certainly desirable to sign
+        # LogoutRequests and LogoutResponses unless explicitly specified otherwise
+        # in the configuration.
+        if "logoutRequestSigned" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
+            SOCIAL_AUTH_SAML_SECURITY_CONFIG["logoutRequestSigned"] = True
+        if "logoutResponseSigned" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
+            SOCIAL_AUTH_SAML_SECURITY_CONFIG["logoutResponseSigned"] = True
+
     if "signatureAlgorithm" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
         # If the configuration doesn't explicitly specify the algorithm,
         # we set RSA1 with SHA256 to override the python3-saml default, which uses
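Review bot: The new defaults only govern the logout messages Zulip signs; whether signatures on incoming LogoutRequests/LogoutResponses from the IdP are required is python3-saml's `wantMessagesSigned`, which nothing in this hunk defaults, so if it is not set elsewhere an unsigned IdP-initiated LogoutRequest would presumably still be accepted. Worth either defaulting it under the same certificate condition or extending the comment, e.g. `# Note: this only signs outgoing logout messages; verification of IdP-signed ones is controlled by wantMessagesSigned.` Existing production deployments whose IdP has no SP certificate on file will start sending signed logout messages after upgrade, so the settings documentation/changelog should call that out. As a style point, each `not in` check plus assignment is just `SOCIAL_AUTH_SAML_SECURITY_CONFIG.setdefault("logoutRequestSigned", True)` (and likewise for `logoutResponseSigned`). The enclosing `if PRODUCTION:` block begins before the hunk.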