advertise in SAML metadata if we'll sign auth requests

This reverts commit b55c6a341b, and slightly changes the logic to only advertise if _all_ auth providers will sign. it also sets the value explicitly to false if all auth providers will not sign. it leaves it unspecified if there are mixed providers Change-Id: If7ee606ef14876bb6e3e3d69c197fa014b6ca8fa Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/344843 Reviewed-by: Jacob Burroughs <jburroughs@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2024-04-09 08:34:20 -06:00 · 2024-04-09 08:34:20 -06:00 · a67659472a
parent 963193c99b
commit a67659472a
2 changed files with 39 additions and 0 deletions
--- a/app/models/authentication_provider/saml.rb
+++ b/app/models/authentication_provider/saml.rb
@ -433,6 +433,12 @@ class AuthenticationProvider::SAML < AuthenticationProvider::Delegated
                         HostUrl.context_hosts(account, current_host),
                         include_all_encryption_certificates:)
    prior_configs = Set.new
+
+    sp = entity.roles.last
+    unless aps.empty?
+      sp.authn_requests_signed = true if aps.all?(&:sig_alg)
+      sp.authn_requests_signed = false if aps.none?(&:sig_alg)
+    end
    aps.each do |ap|
      federated_attributes = ap.federated_attributes
      next if federated_attributes.empty?
--- a/spec/models/authentication_provider/saml_spec.rb
+++ b/spec/models/authentication_provider/saml_spec.rb
@ -213,5 +213,38 @@ describe AuthenticationProvider::SAML do
      expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.length).to eq 1
      expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.first.name).to eq "name"
    end
+
+    it "signals if requests will be signed" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = "rsa-sha1"
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be true
+    end
+
+    it "signals if requests will not be signed" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = nil
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be false
+    end
+
+    it "does not signals if requests will be signed with mixed providers" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = "rsa-sha1"
+      ap.save!
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = nil
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be_nil
+    end
  end
 end