Merge pull request #7680 from betagouv/saml-with-metadata
update saml idp. Utilise une gem permettant l'intégration saml avec Dolist
This commit is contained in:
commit
9c27128c8b
11 changed files with 143 additions and 35 deletions
2
Gemfile
2
Gemfile
|
@ -72,7 +72,7 @@ gem 'rake-progressbar', require: false
|
|||
gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
|
||||
gem 'rgeo-geojson'
|
||||
gem 'rqrcode'
|
||||
gem 'ruby-saml-idp'
|
||||
gem 'saml_idp'
|
||||
gem 'sanitize-url'
|
||||
gem 'sassc-rails' # Use SCSS for stylesheets
|
||||
gem 'sentry-delayed_job'
|
||||
|
|
16
Gemfile.lock
16
Gemfile.lock
|
@ -633,13 +633,18 @@ GEM
|
|||
ruby-graphviz (1.2.5)
|
||||
rexml
|
||||
ruby-progressbar (1.11.0)
|
||||
ruby-saml-idp (0.3.5)
|
||||
ruby-vips (2.1.4)
|
||||
ffi (~> 1.12)
|
||||
ruby2_keywords (0.0.5)
|
||||
ruby_parser (3.15.1)
|
||||
sexp_processor (~> 4.9)
|
||||
rubyzip (2.3.0)
|
||||
saml_idp (0.14.0)
|
||||
activesupport (>= 5.2)
|
||||
builder (>= 3.0)
|
||||
nokogiri (>= 1.6.2)
|
||||
rexml
|
||||
xmlenc (>= 0.7.1)
|
||||
sanitize (6.0.0)
|
||||
crass (~> 1.0.2)
|
||||
nokogiri (>= 1.12.0)
|
||||
|
@ -780,6 +785,13 @@ GEM
|
|||
websocket-driver (0.7.5)
|
||||
websocket-extensions (>= 0.1.0)
|
||||
websocket-extensions (0.1.5)
|
||||
xmlenc (0.8.0)
|
||||
activemodel (>= 3.0.0)
|
||||
activesupport (>= 3.0.0)
|
||||
nokogiri (>= 1.6.0, < 2.0.0)
|
||||
xmlmapper (>= 0.7.3)
|
||||
xmlmapper (0.8.1)
|
||||
nokogiri (~> 1.11)
|
||||
xpath (3.2.0)
|
||||
nokogiri (~> 1.8)
|
||||
zeitwerk (2.6.0)
|
||||
|
@ -889,7 +901,7 @@ DEPENDENCIES
|
|||
rubocop-performance
|
||||
rubocop-rails
|
||||
rubocop-rspec
|
||||
ruby-saml-idp
|
||||
saml_idp
|
||||
sanitize-url
|
||||
sassc-rails
|
||||
scss_lint
|
||||
|
|
|
@ -1,28 +1,38 @@
|
|||
class SamlIdpController < ActionController::Base
|
||||
include SamlIdp::Controller
|
||||
|
||||
before_action :validate_saml_request
|
||||
|
||||
def new
|
||||
if super_admin_signed_in?
|
||||
@saml_response = encode_SAMLResponse(current_super_admin.email, saml_attributes)
|
||||
render :template => "saml_idp/idp/saml_post", :layout => false
|
||||
if validate_saml_request
|
||||
render template: 'saml_idp/new'
|
||||
else
|
||||
redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
|
||||
head :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
def metadata
|
||||
render layout: false, content_type: "application/xml", formats: :xml
|
||||
def show
|
||||
render xml: SamlIdp.metadata.signed
|
||||
end
|
||||
|
||||
def create
|
||||
if validate_saml_request
|
||||
if super_admin_signed_in?
|
||||
@saml_response = idp_make_saml_response(current_super_admin)
|
||||
render template: 'saml_idp/saml_post', layout: false
|
||||
else
|
||||
redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
|
||||
end
|
||||
else
|
||||
head :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def saml_attributes
|
||||
admin_attributes = %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{current_super_admin.email}</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>ds|#{current_super_admin.id}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
|
||||
{
|
||||
issuer_uri: saml_auth_url,
|
||||
attributes_provider: admin_attributes
|
||||
def idp_make_saml_response(super_admin)
|
||||
encode_response super_admin, encryption: {
|
||||
cert: saml_request.service_provider.cert,
|
||||
block_encryption: 'aes256-cbc',
|
||||
key_transport: 'rsa-oaep-mgf1p'
|
||||
}
|
||||
end
|
||||
end
|
||||
|
|
|
@ -28,4 +28,7 @@ as defined by the routes in the `admin/` namespace
|
|||
<% if Rails.application.secrets.sendinblue[:enabled] && ENV["SAML_IDP_ENABLED"] == "enabled" %>
|
||||
<%= link_to "Sendinblue", ENV.fetch("SENDINBLUE_LOGIN_URL"), class: "navigation__link", target: '_blank' %>
|
||||
<% end %>
|
||||
<% if ENV.fetch("SAML_IDP_ENABLED") == "enabled" && ENV["DOLIST_LOGIN_URL"].present? %>
|
||||
<%= link_to "Dolist", ENV.fetch("DOLIST_LOGIN_URL"), class: "navigation__link", target: '_blank' %>
|
||||
<% end %>
|
||||
</nav>
|
||||
|
|
13
app/views/saml_idp/new.html.erb
Normal file
13
app/views/saml_idp/new.html.erb
Normal file
|
@ -0,0 +1,13 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|
||||
</head>
|
||||
<body onload="document.forms[0].submit();" style="visibility:hidden;">
|
||||
<%= form_tag do %>
|
||||
<%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
|
||||
<%= hidden_field_tag("RelayState", params[:RelayState]) %>
|
||||
<% end %>
|
||||
</body>
|
||||
</html>
|
14
app/views/saml_idp/saml_post.html.erb
Normal file
14
app/views/saml_idp/saml_post.html.erb
Normal file
|
@ -0,0 +1,14 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|
||||
</head>
|
||||
<body onload="document.forms[0].submit();" style="visibility:hidden;">
|
||||
<%= form_tag(saml_acs_url) do %>
|
||||
<%= hidden_field_tag("SAMLResponse", @saml_response) %>
|
||||
<%= hidden_field_tag("RelayState", params[:RelayState]) %>
|
||||
<%= submit_tag "Submit" %>
|
||||
<% end %>
|
||||
</body>
|
||||
</html>
|
|
@ -44,10 +44,8 @@ FOG_OPENSTACK_URL=""
|
|||
FOG_OPENSTACK_REGION=""
|
||||
DS_PROXY_URL=""
|
||||
|
||||
# SAML Identity provider
|
||||
# SAML
|
||||
SAML_IDP_ENABLED="disabled"
|
||||
SAML_IDP_CERTIFICATE=""
|
||||
SAML_IDP_SECRET_KEY="-----BEGIN RSA PRIVATE KEY-----\nblabla+blabla\n-----END RSA PRIVATE KEY-----\n"
|
||||
|
||||
# External service: authentication through France Connect
|
||||
FC_PARTICULIER_ID=""
|
||||
|
|
|
@ -148,3 +148,10 @@ DATAGOUV_API_KEY="thisisasecret"
|
|||
DATAGOUV_API_URL="https://www.data.gouv.fr/api/1"
|
||||
DATAGOUV_DESCRIPTIF_DEMARCHES_DATASET="datasetid"
|
||||
DATAGOUV_DESCRIPTIF_DEMARCHES_RESOURCE="resourceid"
|
||||
|
||||
# SAML
|
||||
SAML_IDP_CERTIFICATE="idpcertificate"
|
||||
SAML_IDP_SECRET_KEY="-----BEGIN RSA PRIVATE KEY-----\nblabla+blabla\n-----END RSA PRIVATE KEY-----\n"
|
||||
SAML_DOLIST_CERTIFICATE="spcertificate"
|
||||
SAML_DOLIST_HOST="dolisthoname"
|
||||
DOLIST_LOGIN_URL="https://clientpreprod.dolist.net"
|
||||
|
|
|
@ -2,6 +2,30 @@
|
|||
# So we fetch env var directly here
|
||||
|
||||
if ENV['SAML_IDP_ENABLED'] == 'enabled'
|
||||
SamlIdp.config.x509_certificate = ENV.fetch("SAML_IDP_CERTIFICATE")
|
||||
SamlIdp.config.secret_key = ENV.fetch("SAML_IDP_SECRET_KEY")
|
||||
SamlIdp.configure do |config|
|
||||
config.base_saml_location = "https://#{ENV['APP_HOST']}/saml/metadata"
|
||||
config.x509_certificate = ENV.fetch("SAML_IDP_CERTIFICATE")
|
||||
config.secret_key = ENV.fetch("SAML_IDP_SECRET_KEY")
|
||||
|
||||
config.name_id.formats = {
|
||||
"1.1" => {
|
||||
email_address: -> (principal) { principal.email }
|
||||
},
|
||||
"2.0" => {
|
||||
transient: -> (principal) { principal.email },
|
||||
persistent: -> (p) { p.id }
|
||||
}
|
||||
}
|
||||
|
||||
service_providers = {
|
||||
"https://#{ENV.fetch('SAML_DOLIST_HOST')}" => {
|
||||
response_hosts: [ENV.fetch('SAML_DOLIST_HOST')],
|
||||
cert: ENV.fetch("SAML_DOLIST_CERTIFICATE")
|
||||
}
|
||||
}
|
||||
|
||||
config.service_provider.finder = -> (entity_id) do
|
||||
service_providers[entity_id]
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,7 +3,7 @@ Rails.application.routes.draw do
|
|||
|
||||
get '/saml/auth' => 'saml_idp#new'
|
||||
post '/saml/auth' => 'saml_idp#create'
|
||||
get '/saml/metadata' => 'saml_idp#metadata'
|
||||
get '/saml/metadata' => 'saml_idp#show'
|
||||
|
||||
#
|
||||
# Manager
|
||||
|
|
|
@ -1,23 +1,50 @@
|
|||
describe SamlIdpController do
|
||||
before do
|
||||
allow_any_instance_of(SamlIdpController).to receive(:validate_saml_request).and_return(valid_saml_request)
|
||||
end
|
||||
|
||||
describe '#new' do
|
||||
let(:action) { get :new }
|
||||
|
||||
context 'without superadmin connected' do
|
||||
it { expect(action).to redirect_to root_path }
|
||||
|
||||
it "display alert" do
|
||||
action
|
||||
expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
|
||||
end
|
||||
context 'with invalid saml request' do
|
||||
let(:valid_saml_request) { false }
|
||||
it { expect(action).to have_http_status(:forbidden) }
|
||||
end
|
||||
|
||||
context 'with superadmin connected' do
|
||||
let(:superadmin) { create(:super_admin) }
|
||||
before { sign_in superadmin }
|
||||
context 'with valid saml request' do
|
||||
let(:valid_saml_request) { true }
|
||||
|
||||
it 'encode saml response' do
|
||||
expect(subject).to receive(:encode_SAMLResponse).with(superadmin.email, anything())
|
||||
action
|
||||
it { expect(action).to have_http_status(:ok) }
|
||||
end
|
||||
end
|
||||
describe '#create' do
|
||||
let(:action) { post :create }
|
||||
|
||||
context 'with invalid saml request' do
|
||||
let(:valid_saml_request) { false }
|
||||
it { expect(action).to have_http_status(:forbidden) }
|
||||
end
|
||||
|
||||
context 'with valid saml request' do
|
||||
let(:valid_saml_request) { true }
|
||||
|
||||
context 'without superadmin connected' do
|
||||
it { expect(action).to redirect_to root_path }
|
||||
|
||||
it "display alert" do
|
||||
action
|
||||
expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
|
||||
end
|
||||
end
|
||||
|
||||
context 'with superadmin connected' do
|
||||
let(:superadmin) { create(:super_admin) }
|
||||
before { sign_in superadmin }
|
||||
|
||||
it 'encode saml response' do
|
||||
expect(subject).to receive(:idp_make_saml_response).with(superadmin)
|
||||
action
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue