From 68954623ed227ec2e72650eeca70a47c01097fe1 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Tue, 26 Nov 2024 08:18:18 -0600
Subject: [PATCH] Log requesting signing and certificate serial in SAML Auth Request event

changelog: Internal, Logging, Log requesting signing and certificate serial in SAML Auth Request event
---
 app/controllers/saml_idp_controller.rb | 2 ++
 app/services/analytics_events.rb | 6 ++++++
 spec/controllers/saml_idp_controller_spec.rb | 13 +++++++++++++
 spec/features/saml/saml_spec.rb | 6 ++++++
 4 files changed, 27 insertions(+)

diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
index 764f0e22fe8..55083feb324 100644
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@@ -180,6 +180,8 @@ def log_external_saml_auth_request
 force_authn: saml_request&.force_authn?,
 final_auth_request: sp_session[:final_auth_request],
 service_provider: saml_request&.issuer,
+ request_signed: saml_request.signed?,
+ matching_cert_serial:,
 unknown_authn_contexts:,
 user_fully_authenticated: user_fully_authenticated?,
 )
diff --git a/app/services/analytics_events.rb b/app/services/analytics_events.rb
index 2bcf7b14be0..2bc84a7d2cb 100644
--- a/app/services/analytics_events.rb
+++ b/app/services/analytics_events.rb
@@ -6505,6 +6505,8 @@ def saml_auth(
 # @param [Boolean] force_authn
 # @param [Boolean] final_auth_request
 # @param [String] service_provider
+ # @param [Boolean] request_signed
+ # @param [String] matching_cert_serial
 # @param [String] unknown_authn_contexts space separated list of unknown contexts
 # @param [Boolean] user_fully_authenticated
 # An external request for SAML Authentication was received
@@ -6516,6 +6518,8 @@ def saml_auth_request(
 force_authn:,
 final_auth_request:,
 service_provider:,
+ request_signed:,
+ matching_cert_serial:,
 unknown_authn_contexts:,
 user_fully_authenticated:,
 **extra
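Review bot: `request_signed: saml_request.signed?` dereferences `saml_request` without the safe navigation that the neighbouring `saml_request&.force_authn?` and `saml_request&.issuer` lines use, so if this event is ever built with a nil request (which the surrounding `&.` suggests the author considered possible) the new line raises NoMethodError and the whole event is dropped, exactly when a record of the request would matter most for an investigation. Suggest `request_signed: saml_request&.signed?,` to keep the three lines consistent. Separately, if `signed?` only reports that a Signature element is present rather than that it verified, the field name slightly overstates what is logged; a short comment such as `# presence of a signature, not its validity; see matching_cert_serial for what verified` on that line would keep analysts from treating `request_signed: true` as proof of origin (I can't confirm the semantics of `signed?` from this hunk). `matching_cert_serial` is resolved from a helper outside the hunk, and the enclosing `log_external_saml_auth_request` starts and ends outside it.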
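Review bot: `# @param [String] matching_cert_serial` documents a type the field does not always carry: the controller spec hunk for an unsigned request expects `request_signed: false` with no `matching_cert_serial` at all, so on that path the value is nil and consumers of the event should be told so. Suggest `# @param [Boolean] request_signed whether the AuthnRequest carried a signature` and `# @param [String, nil] matching_cert_serial serial of the registered SP certificate that matched the request signature, nil when the request is unsigned or nothing matched`. The second half of that description is inferred from the field name and the spec expectations and should be checked against the controller helper that supplies it. The `saml_auth_request` method these params document begins below the hunk.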
@@ -6529,6 +6533,8 @@ def saml_auth_request(
 force_authn:,
 final_auth_request:,
 service_provider:,
+ request_signed:,
+ matching_cert_serial:,
 unknown_authn_contexts:,
 user_fully_authenticated:,
 **extra,
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index 40b9f4fd4cf..c2f6cacea8d 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@@ -779,6 +779,8 @@ def name_id_version(format_urn)
 requested_ial: Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF,
 service_provider: sp1_issuer,
 force_authn: false,
+ request_signed: true,
+ matching_cert_serial: saml_test_sp_cert_serial,
 user_fully_authenticated: true,
 }
 )
@@ -930,6 +932,8 @@ def name_id_version(format_urn)
 requested_ial: 'ialmax',
 service_provider: sp1_issuer,
 force_authn: false,
+ request_signed: true,
+ matching_cert_serial: saml_test_sp_cert_serial,
 user_fully_authenticated: true,
 }
 )
@@ -1221,6 +1225,8 @@ def name_id_version(format_urn)
 requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
 service_provider: 'http://localhost:3000',
 requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF,
+ request_signed: true,
+ matching_cert_serial: saml_test_sp_cert_serial,
 force_authn: true,
 user_fully_authenticated: false,
 }
@@ -2030,6 +2036,8 @@ def name_id_version(format_urn)
 requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
 service_provider: 'http://localhost:3000',
 requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF,
+ request_signed: true,
+ matching_cert_serial: saml_test_sp_cert_serial,
 force_authn: false,
 user_fully_authenticated: false,
 }
@@ -2464,6 +2472,7 @@ def name_id_version(format_urn)
 service_provider: 'http://localhost:3000',
 requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF,
 force_authn: false,
+ request_signed: false,
 user_fully_authenticated: true,
 }
 )
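Review bot: The unsigned case in the `-2464` hunk pins `request_signed: false` with no `matching_cert_serial` key, but no spec exercises the combination a defender actually wants to see in the logs: a request that is signed yet matches no registered certificate, where `matching_cert_serial` would presumably be nil while `request_signed` is true. If the IdP still reaches the logging call for such a request (I can't tell from these hunks whether signature validation rejects it earlier), one example signed with an unregistered key, asserting `request_signed: true` and the absence of `matching_cert_serial`, would pin the two new fields together instead of only in their agreeing states. The `it` block these expectations belong to starts outside the hunk.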
@@ -2515,6 +2524,8 @@ def stub_requested_attributes service_provider: 'http://localhost:3000', requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, + request_signed: true, + matching_cert_serial: saml_test_sp_cert_serial, user_fully_authenticated: true, } ) @@ -2565,6 +2576,8 @@ def stub_requested_attributes service_provider: 'http://localhost:3000', requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, + request_signed: true, + matching_cert_serial: saml_test_sp_cert_serial, user_fully_authenticated: true, } ) diff --git a/spec/features/saml/saml_spec.rb b/spec/features/saml/saml_spec.rb index 73cb1f469d3..d0bee87d559 100644 --- a/spec/features/saml/saml_spec.rb +++ b/spec/features/saml/saml_spec.rb @@ -508,6 +508,8 @@ service_provider: 'http://localhost:3000', requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, + matching_cert_serial: saml_test_sp_cert_serial, + request_signed: true, user_fully_authenticated: false }], ) expect(fake_analytics.events['SAML Auth'].count).to eq 2 @@ -551,6 +553,8 @@ requested_ial: 'http://idmanagement.gov/ns/assurance/ial/2', service_provider: 'saml_sp_ial2', force_authn: false, + matching_cert_serial: saml_test_sp_cert_serial, + request_signed: true, user_fully_authenticated: false, }, ], @@ -581,6 +585,8 @@ service_provider: 'http://localhost:3000', requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, + matching_cert_serial: saml_test_sp_cert_serial, + request_signed: true, user_fully_authenticated: false }], ) expect(fake_analytics.events['SAML Auth'].count).to eq 2