use the current account domain in context_host saml settings lookups

Change-Id: I53729d77055e8225583e612ca81fc578f948ff5f
Reviewed-on: https://gerrit.instructure.com/5965
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>

app/controllers/accounts_controller.rb

@@ -419,7 +419,7 @@ class AccountsController < ApplicationController
     # servers need to be able to access it without being authenticated.
     # It is used to disclose our SAML configuration settings.
     if @domain_root_account.account_authorization_config and @domain_root_account.account_authorization_config.auth_type == 'saml'
-      settings = @domain_root_account.account_authorization_config.saml_settings
+      settings = @domain_root_account.account_authorization_config.saml_settings(request.env['canvas.account_domain'])
       render :xml => Onelogin::Saml::MetaData.create(settings)
     else
       render :xml => ""

app/controllers/application_controller.rb

@@ -181,7 +181,7 @@ class ApplicationController < ActionController::Base
       @files_domain = @account_domain && @account_domain.host_type == 'files'
       format.html { 
         store_location if request.get?
-        return if !@current_user && initiate_delegated_login
+        return if !@current_user && initiate_delegated_login(request.env['canvas.account_domain'])
         render :template => "shared/unauthorized", :layout => "application", :status => :unauthorized 
       }
       format.zip { redirect_to(url_for(params)) }

app/controllers/pseudonym_sessions_controller.rb

@@ -82,7 +82,7 @@ class PseudonymSessionsController < ApplicationController
 
       initiate_cas_login(cas_client)
     elsif @is_saml && !params[:no_auto]
-      initiate_saml_login
+      initiate_saml_login(request.env['canvas.account_domain'])
     else
       render :action => "new"
     end
@@ -166,7 +166,7 @@ class PseudonymSessionsController < ApplicationController
     if @domain_root_account.saml_authentication? and session[:name_id]
       # logout at the saml identity provider
       # once logged out it'll be redirected to here again
-      settings = @domain_root_account.account_authorization_config.saml_settings
+      settings = @domain_root_account.account_authorization_config.saml_settings(request.env['canvas.account_domain'])
       request = Onelogin::Saml::LogOutRequest.create(settings, session)
       reset_session
       session[:delegated_message] = message if message
@@ -204,7 +204,7 @@ class PseudonymSessionsController < ApplicationController
   
   def saml_consume
     if @domain_root_account.saml_authentication? && params[:SAMLResponse]
-      settings = @domain_root_account.account_authorization_config.saml_settings
+      settings = @domain_root_account.account_authorization_config.saml_settings(request.env['canvas.account_domain'])
       response = saml_response(params[:SAMLResponse], settings)
 
       logger.info "Attempting SAML login for #{response.name_id} in account #{@domain_root_account.id}"

app/models/account_authorization_config.rb

@@ -77,13 +77,13 @@ class AccountAuthorizationConfig < ActiveRecord::Base
     Canvas::Security.decrypt_password(self.auth_crypted_password, self.auth_password_salt, 'instructure_auth')
   end
 
-  def saml_settings
+  def saml_settings(preferred_account_domain=nil)
     return nil unless self.auth_type == 'saml'
     app_config = Setting.from_config('saml')
     raise "This Canvas instance isn't configured for SAML" unless app_config
 
     unless @saml_settings
-      domain = HostUrl.context_host(self.account)
+      domain = HostUrl.context_host(self.account, preferred_account_domain)
       @saml_settings = Onelogin::Saml::Settings.new
 
       @saml_settings.issuer = self.entity_id || app_config[:entity_id]

lib/authentication_methods.rb

@@ -225,7 +225,7 @@ module AuthenticationMethods
     reset_session_saving_keys(:return_to, :oauth2)
   end
 
-  def initiate_delegated_login
+  def initiate_delegated_login(preferred_account_domain=nil)
     is_delegated = @domain_root_account.delegated_authentication? && !params[:canvas_login]
     is_cas = @domain_root_account.cas_authentication? && is_delegated
     is_saml = @domain_root_account.saml_authentication? && is_delegated
@@ -233,7 +233,7 @@ module AuthenticationMethods
       initiate_cas_login
       return true
     elsif is_saml
-      initiate_saml_login
+      initiate_saml_login(preferred_account_domain)
       return true
     end
     false
@@ -251,9 +251,9 @@ module AuthenticationMethods
     end
   end
 
-  def initiate_saml_login
+  def initiate_saml_login(preferred_account_domain=nil)
     reset_session_for_login
-    settings = @domain_root_account.account_authorization_config.saml_settings
+    settings = @domain_root_account.account_authorization_config.saml_settings(preferred_account_domain)
     request = Onelogin::Saml::AuthRequest.create(settings)
     redirect_to(request)
   end

lib/host_url.rb

@@ -24,7 +24,7 @@ class HostUrl
     @@file_host = nil
     @@domain_config = nil
 
-    def context_host(context=nil)
+    def context_host(context=nil, preferred_account_domain=nil)
       default_host
     end