Skip to content

[skip release notes] Allow SP to send skip_encryption for non-encrypted SAML response (LG-3859) #4503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
solipet merged 4 commits into from
Dec 11, 2020
Merged

[skip release notes] Allow SP to send skip_encryption for non-encrypted SAML response (LG-3859) #4503

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e734bd0
LG-3859: allow SP to send skip_encryption for non-encrypted SAML resp…
solipet Dec 10, 2020
973e2c4
use a guard
solipet Dec 10, 2020
3c6ba87
add #skip_encryption_allowed to NullServiceProvider
solipet Dec 10, 2020
8e9dcda
Apply suggestions from code review
solipet Dec 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion app/controllers/concerns/saml_idp_auth_concern.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,12 +148,21 @@ def saml_response
name_id_format: name_id_format,
authn_context_classref: requested_authn_context,
reference_id: active_identity.session_uuid,
encryption: current_service_provider.encryption_opts,
encryption: encryption_opts,
signature: saml_response_signature_options,
signed_response_message: current_service_provider.signed_response_message_requested,
)
end

def encryption_opts
query_params = UriService.params(request.original_url)
if query_params[:skip_encryption].present? && current_service_provider.skip_encryption_allowed
nil
else
current_service_provider.encryption_opts
end
end

def saml_response_signature_options
endpoint = SamlEndpoint.new(request)
{
Expand Down
4 changes: 4 additions & 0 deletions app/models/null_service_provider.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,10 @@ def encrypt_responses?

def encryption_opts; end

def skip_encryption_allowed
false
end

def allow_prompt_login
false
end
Expand Down
8 changes: 8 additions & 0 deletions app/models/service_provider.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,14 @@ def encryption_opts
}
end

def skip_encryption_allowed
config = AppConfig.env.skip_encryption_allowed_list
return false if config.blank?

@allowed_list ||= JSON.parse(config)
@allowed_list.include? issuer
end

def live?
active? && approved?
end
Expand Down
2 changes: 2 additions & 0 deletions config/application.yml.default
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,7 @@ development:
scrypt_cost: 10000$8$1$
secret_key_base: development_secret_key_base
session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost"]'
sps_over_quota_limit_notify_email_list: '[]'
telephony_adapter: test
use_dashboard_service_providers: 'true'
Expand Down Expand Up @@ -342,6 +343,7 @@ production:
scrypt_cost: 10000$8$1$
secret_key_base:
session_encryption_key:
skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:dev", "urn:gov:gsa:SAML:2.0.profiles:sp:sso:int"]'
sps_over_quota_limit_notify_email_list: '[]'
telephony_adapter: pinpoint
use_dashboard_service_providers: 'false'
Expand Down
19 changes: 19 additions & 0 deletions spec/models/service_provider_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,4 +174,23 @@
end
end
end

describe '#skip_encryption_allowed' do
context 'SP in allowed list' do
before do
allow(AppConfig.env).to receive(:skip_encryption_allowed_list).
and_return('["http://localhost:3000"]')
end

it 'allows the SP to optionally skip encrypting the SAML response' do
expect(service_provider.skip_encryption_allowed).to be(true)
end
end

context 'SP not in allowed list' do
it 'does not allow the SP to optionally skip encrypting the SAML response' do
expect(service_provider.skip_encryption_allowed).to be(false)
end
end
end
end