update saml controller and views

because of using another gem (saml_idp)
2022-08-18 11:39:43 +02:00 · 2022-08-18 11:39:43 +02:00 · efbec80af8
commit efbec80af8
parent 0ccb85b139
5 changed files with 91 additions and 27 deletions
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@ -1,28 +1,38 @@
 class SamlIdpController < ActionController::Base
  include SamlIdp::Controller

-  before_action :validate_saml_request
-
  def new
-    if super_admin_signed_in?
-      @saml_response = encode_SAMLResponse(current_super_admin.email, saml_attributes)
-      render :template => "saml_idp/idp/saml_post", :layout => false
+    if validate_saml_request
+      render template: 'saml_idp/new'
    else
-      redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      head :forbidden
    end
  end

-  def metadata
-    render layout: false, content_type: "application/xml", formats: :xml
+  def show
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    if validate_saml_request
+      if super_admin_signed_in?
+        @saml_response = idp_make_saml_response(current_super_admin)
+        render template: 'saml_idp/saml_post', layout: false
+      else
+        redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      end
+    else
+      head :forbidden
+    end
  end

  private

-  def saml_attributes
-    admin_attributes = %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{current_super_admin.email}</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>ds|#{current_super_admin.id}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
-    {
-      issuer_uri: saml_auth_url,
-      attributes_provider: admin_attributes
+  def idp_make_saml_response(super_admin)
+    encode_response super_admin, encryption: {
+      cert: saml_request.service_provider.cert,
+      block_encryption: 'aes256-cbc',
+      key_transport: 'rsa-oaep-mgf1p'
    }
  end
 end
--- a/app/views/saml_idp/new.html.erb
+++ b/app/views/saml_idp/new.html.erb
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag do %>
+      <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+    <% end %>
+  </body>
+</html>
--- a/app/views/saml_idp/saml_post.html.erb
+++ b/app/views/saml_idp/saml_post.html.erb
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>
--- a/config/routes.rb
+++ b/config/routes.rb
@ -3,7 +3,7 @@ Rails.application.routes.draw do

  get '/saml/auth' => 'saml_idp#new'
  post '/saml/auth' => 'saml_idp#create'
-  get '/saml/metadata' => 'saml_idp#metadata'
+  get '/saml/metadata' => 'saml_idp#show'

  #
  # Manager
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@ -1,23 +1,50 @@
 describe SamlIdpController do
+  before do
+    allow_any_instance_of(SamlIdpController).to receive(:validate_saml_request).and_return(valid_saml_request)
+  end
+
  describe '#new' do
    let(:action) { get :new }

-    context 'without superadmin connected' do
-      it { expect(action).to redirect_to root_path }
-
-      it "display alert" do
-        action
-        expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
-      end
+    context 'with invalid saml request' do
+      let(:valid_saml_request) { false }
+      it { expect(action).to have_http_status(:forbidden) }
    end

-    context 'with superadmin connected' do
-      let(:superadmin) { create(:super_admin) }
-      before { sign_in superadmin }
+    context 'with valid saml request' do
+      let(:valid_saml_request) { true }

-      it 'encode saml response' do
-        expect(subject).to receive(:encode_SAMLResponse).with(superadmin.email, anything())
-        action
+      it { expect(action).to have_http_status(:ok) }
+    end
+  end
+  describe '#create' do
+    let(:action) { post :create }
+
+    context 'with invalid saml request' do
+      let(:valid_saml_request) { false }
+      it { expect(action).to have_http_status(:forbidden) }
+    end
+
+    context 'with valid saml request' do
+      let(:valid_saml_request) { true }
+
+      context 'without superadmin connected' do
+        it { expect(action).to redirect_to root_path }
+
+        it "display alert" do
+          action
+          expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
+        end
+      end
+
+      context 'with superadmin connected' do
+        let(:superadmin) { create(:super_admin) }
+        before { sign_in superadmin }
+
+        it 'encode saml response' do
+          expect(subject).to receive(:idp_make_saml_response).with(superadmin)
+          action
+        end
      end
    end
  end