Merge pull request #7680 from betagouv/saml-with-metadata

update saml idp. Utilise une gem permettant l'intégration saml avec Dolist
2022-08-23 15:18:35 +02:00 · 2022-08-23 15:18:35 +02:00 · 9c27128c8b
commit 9c27128c8b
parent ee499da8e8 d4cdf1fb96
11 changed files with 143 additions and 35 deletions
--- a/2
+++ b/2
@ -72,7 +72,7 @@ gem 'rake-progressbar', require: false
 gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
 gem 'rgeo-geojson'
 gem 'rqrcode'
-gem 'ruby-saml-idp'
+gem 'saml_idp'
 gem 'sanitize-url'
 gem 'sassc-rails' # Use SCSS for stylesheets
 gem 'sentry-delayed_job'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -633,13 +633,18 @@ GEM
    ruby-graphviz (1.2.5)
      rexml
    ruby-progressbar (1.11.0)
-    ruby-saml-idp (0.3.5)
    ruby-vips (2.1.4)
      ffi (~> 1.12)
    ruby2_keywords (0.0.5)
    ruby_parser (3.15.1)
      sexp_processor (~> 4.9)
    rubyzip (2.3.0)
+    saml_idp (0.14.0)
+      activesupport (>= 5.2)
+      builder (>= 3.0)
+      nokogiri (>= 1.6.2)
+      rexml
+      xmlenc (>= 0.7.1)
    sanitize (6.0.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
@ -780,6 +785,13 @@ GEM
    websocket-driver (0.7.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
+    xmlenc (0.8.0)
+      activemodel (>= 3.0.0)
+      activesupport (>= 3.0.0)
+      nokogiri (>= 1.6.0, < 2.0.0)
+      xmlmapper (>= 0.7.3)
+    xmlmapper (0.8.1)
+      nokogiri (~> 1.11)
    xpath (3.2.0)
      nokogiri (~> 1.8)
    zeitwerk (2.6.0)
@ -889,7 +901,7 @@ DEPENDENCIES
  rubocop-performance
  rubocop-rails
  rubocop-rspec
-  ruby-saml-idp
+  saml_idp
  sanitize-url
  sassc-rails
  scss_lint
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@ -1,28 +1,38 @@
 class SamlIdpController < ActionController::Base
  include SamlIdp::Controller

-  before_action :validate_saml_request
-
  def new
-    if super_admin_signed_in?
-      @saml_response = encode_SAMLResponse(current_super_admin.email, saml_attributes)
-      render :template => "saml_idp/idp/saml_post", :layout => false
+    if validate_saml_request
+      render template: 'saml_idp/new'
    else
-      redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      head :forbidden
    end
  end

-  def metadata
-    render layout: false, content_type: "application/xml", formats: :xml
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    if validate_saml_request
+      if super_admin_signed_in?
+        @saml_response = idp_make_saml_response(current_super_admin)
+        render template: 'saml_idp/saml_post', layout: false
+      else
+        redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      end
+    else
+      head :forbidden
+    end
  end

  private

-  def saml_attributes
-    admin_attributes = %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{current_super_admin.email}</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>ds|#{current_super_admin.id}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
-    {
-      issuer_uri: saml_auth_url,
-      attributes_provider: admin_attributes
+  def idp_make_saml_response(super_admin)
+    encode_response super_admin, encryption: {
+      cert: saml_request.service_provider.cert,
+      block_encryption: 'aes256-cbc',
+      key_transport: 'rsa-oaep-mgf1p'
    }
  end
 end
--- a/app/views/manager/application/_navigation.html.erb
+++ b/app/views/manager/application/_navigation.html.erb
@ -28,4 +28,7 @@ as defined by the routes in the `admin/` namespace
  <% if Rails.application.secrets.sendinblue[:enabled] && ENV["SAML_IDP_ENABLED"] == "enabled" %>
    <%= link_to "Sendinblue", ENV.fetch("SENDINBLUE_LOGIN_URL"), class: "navigation__link", target: '_blank' %>
  <% end %>
+  <% if ENV.fetch("SAML_IDP_ENABLED") == "enabled" && ENV["DOLIST_LOGIN_URL"].present? %>
+    <%= link_to "Dolist", ENV.fetch("DOLIST_LOGIN_URL"), class: "navigation__link", target: '_blank' %>
+  <% end %>
 </nav>
--- a/app/views/saml_idp/new.html.erb
+++ b/app/views/saml_idp/new.html.erb
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag do %>
+      <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+    <% end %>
+  </body>
+</html>
--- a/app/views/saml_idp/saml_post.html.erb
+++ b/app/views/saml_idp/saml_post.html.erb
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>
--- a/config/env.example
+++ b/config/env.example
@ -44,10 +44,8 @@ FOG_OPENSTACK_URL=""
 FOG_OPENSTACK_REGION=""
 DS_PROXY_URL=""

-# SAML Identity provider
+# SAML
 SAML_IDP_ENABLED="disabled"
-SAML_IDP_CERTIFICATE=""
-SAML_IDP_SECRET_KEY="-----BEGIN RSA PRIVATE KEY-----\nblabla+blabla\n-----END RSA PRIVATE KEY-----\n"

 # External service: authentication through France Connect
 FC_PARTICULIER_ID=""
--- a/config/env.example.optional
+++ b/config/env.example.optional
@ -148,3 +148,10 @@ DATAGOUV_API_KEY="thisisasecret"
 DATAGOUV_API_URL="https://www.data.gouv.fr/api/1"
 DATAGOUV_DESCRIPTIF_DEMARCHES_DATASET="datasetid"
 DATAGOUV_DESCRIPTIF_DEMARCHES_RESOURCE="resourceid"
+
+# SAML
+SAML_IDP_CERTIFICATE="idpcertificate"
+SAML_IDP_SECRET_KEY="-----BEGIN RSA PRIVATE KEY-----\nblabla+blabla\n-----END RSA PRIVATE KEY-----\n"
+SAML_DOLIST_CERTIFICATE="spcertificate"
+SAML_DOLIST_HOST="dolisthoname"
+DOLIST_LOGIN_URL="https://clientpreprod.dolist.net"
--- a/config/initializers/saml_idp.rb
+++ b/config/initializers/saml_idp.rb
@ -2,6 +2,30 @@
 # So we fetch env var directly here

 if ENV['SAML_IDP_ENABLED'] == 'enabled'
-  SamlIdp.config.x509_certificate = ENV.fetch("SAML_IDP_CERTIFICATE")
-  SamlIdp.config.secret_key = ENV.fetch("SAML_IDP_SECRET_KEY")
+  SamlIdp.configure do |config|
+    config.base_saml_location = "https://#{ENV['APP_HOST']}/saml/metadata"
+    config.x509_certificate = ENV.fetch("SAML_IDP_CERTIFICATE")
+    config.secret_key = ENV.fetch("SAML_IDP_SECRET_KEY")
+
+    config.name_id.formats = {
+      "1.1" => {
+        email_address: -> (principal) { principal.email }
+      },
+      "2.0" => {
+        transient: -> (principal) { principal.email },
+        persistent: -> (p) { p.id }
+      }
+    }
+
+    service_providers = {
+      "https://#{ENV.fetch('SAML_DOLIST_HOST')}" => {
+        response_hosts: [ENV.fetch('SAML_DOLIST_HOST')],
+        cert: ENV.fetch("SAML_DOLIST_CERTIFICATE")
+      }
+    }
+
+    config.service_provider.finder = -> (entity_id) do
+      service_providers[entity_id]
+    end
+  end
 end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -3,7 +3,7 @@ Rails.application.routes.draw do

  get '/saml/auth' => 'saml_idp#new'
  post '/saml/auth' => 'saml_idp#create'
-  get '/saml/metadata' => 'saml_idp#metadata'
+  get '/saml/metadata' => 'saml_idp#show'

  #
  # Manager
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@ -1,23 +1,50 @@
 describe SamlIdpController do
+  before do
+    allow_any_instance_of(SamlIdpController).to receive(:validate_saml_request).and_return(valid_saml_request)
+  end
+
  describe '#new' do
    let(:action) { get :new }

-    context 'without superadmin connected' do
-      it { expect(action).to redirect_to root_path }
-
-      it "display alert" do
-        action
-        expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
-      end
+    context 'with invalid saml request' do
+      let(:valid_saml_request) { false }
+      it { expect(action).to have_http_status(:forbidden) }
    end

-    context 'with superadmin connected' do
-      let(:superadmin) { create(:super_admin) }
-      before { sign_in superadmin }
+    context 'with valid saml request' do
+      let(:valid_saml_request) { true }

-      it 'encode saml response' do
-        expect(subject).to receive(:encode_SAMLResponse).with(superadmin.email, anything())
-        action
+      it { expect(action).to have_http_status(:ok) }
+    end
+  end
+  describe '#create' do
+    let(:action) { post :create }
+
+    context 'with invalid saml request' do
+      let(:valid_saml_request) { false }
+      it { expect(action).to have_http_status(:forbidden) }
+    end
+
+    context 'with valid saml request' do
+      let(:valid_saml_request) { true }
+
+      context 'without superadmin connected' do
+        it { expect(action).to redirect_to root_path }
+
+        it "display alert" do
+          action
+          expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
+        end
+      end
+
+      context 'with superadmin connected' do
+        let(:superadmin) { create(:super_admin) }
+        before { sign_in superadmin }
+
+        it 'encode saml response' do
+          expect(subject).to receive(:idp_make_saml_response).with(superadmin)
+          action
+        end
      end
    end
  end