advertise in SAML metadata if we'll sign auth requests

This reverts commit b55c6a341b, and
slightly changes the logic to only advertise if _all_ auth providers
will sign. It also sets the value explicitly to false if none of the auth
providers will sign, and leaves it unspecified if the providers are
mixed.

Change-Id: If7ee606ef14876bb6e3e3d69c197fa014b6ca8fa
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/344843
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
This commit is contained in:
Cody Cutrer 2024-04-09 08:34:20 -06:00
parent 963193c99b
commit a67659472a
2 changed files with 39 additions and 0 deletions


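--- a/FILE_PATH_NOT_SHOWN_1
+++ b/FILE_PATH_NOT_SHOWN_1
@@ -433,6 +433,12 @@ class AuthenticationProvider::SAML < AuthenticationProvider::Delegated
 HostUrl.context_hosts(account, current_host),
 include_all_encryption_certificates:)
 prior_configs = Set.new
+sp = entity.roles.last
+unless aps.empty?
+sp.authn_requests_signed = true if aps.all?(&:sig_alg)
+sp.authn_requests_signed = false if aps.none?(&:sig_alg)
+end
 aps.each do |ap|
 federated_attributes = ap.federated_attributes
 next if federated_attributes.empty?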
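Review bot: The `sp.authn_requests_signed = true if aps.all?(&:sig_alg)` line advertises signing based only on whether a signature algorithm is configured, not on whether a signing key is actually available, so an account whose providers have `sig_alg` set but no usable private key would publish `AuthnRequestsSigned="true"` and an IdP that honours the flag would then reject the unsigned requests it receives. The spec added in this same commit stubs `private_keys` to `{}` and still expects `true`, which suggests the two are currently independent; if the key lookup is what decides whether a request gets signed, consider folding that into the predicate or at least recording the assumption. A short comment would also help readers of the tri-state: `# true only when every provider signs, false only when none do; a mixed set leaves AuthnRequestsSigned unset`. The enclosing method (and the definition of `aps`) starts and ends outside this hunk.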


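--- a/FILE_PATH_NOT_SHOWN_2
+++ b/FILE_PATH_NOT_SHOWN_2
@@ -213,5 +213,38 @@ describe AuthenticationProvider::SAML do
 expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.length).to eq 1
 expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.first.name).to eq "name"
 end
+it "signals if requests will be signed" do
+ap = @account.authentication_providers.new(auth_type: "saml")
+ap.sig_alg = "rsa-sha1"
+ap.save!
+# ignore invalid saml key configuration in specs
+allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+expect(entity.roles.last.authn_requests_signed?).to be true
+end
+it "signals if requests will not be signed" do
+ap = @account.authentication_providers.new(auth_type: "saml")
+ap.sig_alg = nil
+ap.save!
+# ignore invalid saml key configuration in specs
+allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+expect(entity.roles.last.authn_requests_signed?).to be false
+end
+it "does not signals if requests will be signed with mixed providers" do
+ap = @account.authentication_providers.new(auth_type: "saml")
+ap.sig_alg = "rsa-sha1"
+ap.save!
+ap = @account.authentication_providers.new(auth_type: "saml")
+ap.sig_alg = nil
+ap.save!
+# ignore invalid saml key configuration in specs
+allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+expect(entity.roles.last.authn_requests_signed?).to be_nil
+end
 end
 end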
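Review bot: The third example's description has a grammar slip, `it "does not signals if requests will be signed with mixed providers" do`; `it "does not signal that requests will be signed with mixed providers" do` reads as intended. The stub `allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})` and its comment are repeated verbatim in all three new examples and could move to a `before` block shared by them. In the mixed case the same local `ap` is reassigned for the second provider; distinct names such as `signing_ap` and `unsigned_ap` would make the setup easier to follow. The enclosing `describe` block starts outside this hunk.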