From 28cb402a049ab7ab09afb655e4adabeb91814fe6 Mon Sep 17 00:00:00 2001
From: Omar Khan
Date: Fri, 5 Feb 2016 13:46:12 +0700
Subject: [PATCH] Return 404 response from third party auth login when SAML disabled

---
 common/djangoapps/third_party_auth/saml.py          | 12 +++++++-----
 .../djangoapps/third_party_auth/tests/test_views.py |  6 ++++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/common/djangoapps/third_party_auth/saml.py b/common/djangoapps/third_party_auth/saml.py
index 61f7e0d8f5..68898434e4 100644
--- a/common/djangoapps/third_party_auth/saml.py
+++ b/common/djangoapps/third_party_auth/saml.py
@@ -2,6 +2,7 @@
 Slightly customized python-social-auth backend for SAML 2.0 support
 """
 import logging
+from django.http import Http404
 from social.backends.saml import SAMLAuth, OID_EDU_PERSON_ENTITLEMENT
 from social.exceptions import AuthForbidden, AuthMissingParameter
 
@@ -25,9 +26,6 @@ class SAMLAuthBackend(SAMLAuth):  # pylint: disable=abstract-method
         if not hasattr(self, '_config'):
             from .models import SAMLConfiguration
             self._config = SAMLConfiguration.current()  # pylint: disable=attribute-defined-outside-init
-        if not self._config.enabled:
-            from django.core.exceptions import ImproperlyConfigured
-            raise ImproperlyConfigured("SAML Authentication is not enabled.")
         try:
             return self._config.get_setting(name)
         except KeyError:
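Review bot: Removing the `enabled` check from this settings accessor leaves no gate on any backend entry point other than `auth_url`; after this hunk a `SAMLConfiguration` with `enabled=False` still hands out its settings to whatever else reads them through here — presumably the parent backend's completion step that consumes an inbound SAML response — so disabling SAML now stops only the outbound login redirect, not acceptance of assertions. The method this body belongs to starts above the hunk, so I cannot see whether another guard exists there. If the accessor was deliberately opened up (e.g. so admin or metadata code can read a disabled config without a 500), put the same 404 guard on the completion path and add a test next to `test_login_disabled` that posts to the completion URL with SAML disabled, along these lines:
```python
    def auth_complete(self, *args, **kwargs):
        """Refuse to consume a SAML response while SAML is disabled."""
        if not self._config.enabled:
            raise Http404
        return super(SAMLAuthBackend, self).auth_complete(*args, **kwargs)
```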
@@ -35,14 +33,18 @@ class SAMLAuthBackend(SAMLAuth):  # pylint: disable=abstract-method
 
     def auth_url(self):
         """
-        Check that the request includes an 'idp' parameter before getting the
-        URL to which we must redirect in order to authenticate the user.
+        Check that SAML is enabled and that the request includes an 'idp'
+        parameter before getting the URL to which we must redirect in order to
+        authenticate the user.
 
+        raise Http404 if SAML is disabled
         raise AuthMissingParameter if the 'idp' parameter is missing.
 
         TODO: remove this method once the fix is merged upstream:
         https://github.com/omab/python-social-auth/pull/821
         """
+        if not self._config.enabled:
+            raise Http404
         if 'idp' not in self.strategy.request_data():
             raise AuthMissingParameter(self, 'idp')
         return super(SAMLAuthBackend, self).auth_url()
diff --git a/common/djangoapps/third_party_auth/tests/test_views.py b/common/djangoapps/third_party_auth/tests/test_views.py
index 538c82eb46..29d14b065b 100644
--- a/common/djangoapps/third_party_auth/tests/test_views.py
+++ b/common/djangoapps/third_party_auth/tests/test_views.py
@@ -143,3 +143,9 @@ class SAMLAuthTest(SAMLTestCase):
         self.enable_saml()
         response = self.client.get(self.LOGIN_URL)
         self.assertEqual(response.status_code, 302)
+
+    def test_login_disabled(self):
+        """ When SAML is not enabled, the login view should return 404 """
+        self.enable_saml(enabled=False)
+        response = self.client.get(self.LOGIN_URL)
+        self.assertEqual(response.status_code, 404)
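Review bot: `auth_url` reads `self._config` as a plain attribute, but the only assignment this diff shows is the lazy, `hasattr`-guarded one in the settings accessor of the previous hunk; if nothing on the instance has gone through that accessor before `auth_url` runs (I cannot see `__init__` or the parent class from here), `self._config.enabled` raises AttributeError and the request ends in a 500 rather than the 404 this change intends. The existing 302 test visible in the test hunk exercises the same line when enabled, which suggests something does populate it first, but that is not established by anything in the patch. A safer shape is to move the `hasattr`/`SAMLConfiguration.current()` load into a small `_get_config()` helper that both the accessor and this method call, so the attribute is never read before it is set. The enclosing class continues outside the hunk.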