diff --git a/Gemfile b/Gemfile
index 7fa7f177668..1d6e7ba2769 100644
--- a/Gemfile
+++ b/Gemfile
@@ -14,7 +14,7 @@ gem 'rails', '~> 6.1.3'
 @proofer_gem ||= { github: '18F/identity-proofer-gem', ref: 'v2.8.0' }
 @saml_gem ||= { github: '18F/saml_idp', tag: 'v0.13.0-18f' }
 @telephony_gem ||= { github: '18f/identity-telephony', tag: 'v0.2.0' }
-@validations_gem ||= { github: '18F/identity-validations', branch: 'main' }
+@validations_gem ||= { github: '18F/identity-validations', tag: 'v0.4.0' }
 gem 'aamva', @aamva_api_gem
 gem 'identity-doc-auth', @doc_auth_gem
diff --git a/Gemfile.lock b/Gemfile.lock
index 68ac2de7492..aaf92f5bacc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -59,10 +59,10 @@ GIT
 GIT
 remote: https://github.com/18F/identity-validations.git
- revision: 26253af02f472d3023062efd5c7a3920b0db5f9c
- branch: main
+ revision: fc8bfdd3903b737ee218a0ab515a244031536b4d
+ tag: v0.4.0
 specs:
- identity_validations (0.3.2)
+ identity_validations (0.4.0)
 GIT
 remote: https://github.com/18F/saml_idp.git
diff --git a/app/models/null_service_provider.rb b/app/models/null_service_provider.rb
index 6549be57bc5..b3c0228029a 100644
--- a/app/models/null_service_provider.rb
+++ b/app/models/null_service_provider.rb
@@ -14,7 +14,6 @@ class NullServiceProvider
 assertion_consumer_logout_service_url
 attribute_bundle
 block_encryption
- cert
 certs
 created_at
 default_aal
diff --git a/app/models/service_provider.rb b/app/models/service_provider.rb
index b555a62ce0c..7ddfa67c9a5 100644
--- a/app/models/service_provider.rb
+++ b/app/models/service_provider.rb
@@ -2,7 +2,7 @@
 require 'identity_validations'
 class ServiceProvider < ApplicationRecord
- self.ignored_columns = %w[deal_id agency aal fingerprint]
+ self.ignored_columns = %w[deal_id agency aal fingerprint cert]
 belongs_to :agency
@@ -34,7 +34,7 @@ def metadata
 # @return [Array]
 def ssl_certs
- @ssl_certs ||= (certs.presence || Array(cert)).select(&:present?).map do |cert|
+ @ssl_certs ||= Array(certs).select(&:present?).map do |cert|
 OpenSSL::X509::Certificate.new(load_cert(cert))
 end
 end
diff --git a/app/services/service_provider_updater.rb b/app/services/service_provider_updater.rb
index c9f5e15a96f..bf4f155caa2 100644
--- a/app/services/service_provider_updater.rb
+++ b/app/services/service_provider_updater.rb
@@ -7,6 +7,10 @@ class ServiceProviderUpdater
 updated_at
 ].to_set.freeze
+ SP_IGNORED_ATTRIBUTES = %i[
+ cert
+ ]
+
 def run
 dashboard_service_providers.each do |service_provider|
 update_local_caches(HashWithIndifferentAccess.new(service_provider))
@@ -43,7 +47,7 @@ def sync_model(sp, cleaned_attributes)
 end
 def cleaned_service_provider(service_provider)
- service_provider.except(*SP_PROTECTED_ATTRIBUTES)
+ service_provider.except(*SP_PROTECTED_ATTRIBUTES, *SP_IGNORED_ATTRIBUTES)
 end
 def url
diff --git a/config/service_providers.localdev.yml b/config/service_providers.localdev.yml
index a79c56b33e6..0f54b5e3727 100644
--- a/config/service_providers.localdev.yml
+++ b/config/service_providers.localdev.yml
@@ -32,7 +32,8 @@ test:
 - 'http://example.com/auth/result'
 - 'http://example.com/logout'
 friendly_name: 'Test SP'
- cert: 'saml_test_sp'
+ certs:
+ - 'saml_test_sp'
 logo: 'generic.svg'
 ial: 2
 attribute_bundle:
@@ -54,7 +55,8 @@ test:
 - 'http://example.com/auth/result'
 - 'http://example.com/logout'
 friendly_name: 'Test SP'
- cert: 'saml_test_sp'
+ certs:
+ - 'saml_test_sp'
 logo: 'generic.svg'
 ial: 2
 default_aal: 3
@@ -76,7 +78,8 @@ test:
 - 'http://example.com/auth/result'
 - 'http://example.com/logout'
 friendly_name: 'Test SP requesting signed response message'
- cert: 'saml_test_sp'
+ certs:
+ - 'saml_test_sp'
 logo: 'generic.svg'
 ial: 1
 attribute_bundle:
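Review bot: Dropping the `Array(cert)` fallback in `ssl_certs` means any `service_providers` row whose public key was only ever stored in the singular `cert` column now yields an empty `ssl_certs`, and the diff contains neither a data migration copying `cert` into `certs` nor a migration dropping the column — the `ignored_columns` entry in the earlier hunk only hides it from ActiveRecord. For a SAML or OIDC SP that is a silent loss of its registered verification key rather than an error, so a backfill (or at least a one-off check that no row has a present `cert` and a blank `certs`) should land before this deploys; whether one already ran is not visible here. The comment above the method still reads `# @return [Array]`; `# @return [Array<OpenSSL::X509::Certificate>]` would document the actual element type. The `ssl_certs` hunk shows the whole method, but the class continues outside the hunk.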
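Review bot: `SP_IGNORED_ATTRIBUTES` is an unfrozen `%i[]` literal placed directly under `SP_PROTECTED_ATTRIBUTES`, which is `.to_set.freeze`; for consistency and to keep the constant immutable write `SP_IGNORED_ATTRIBUTES = %i[cert].freeze`. The name does not say why these keys are dropped, so a comment such as `# Keys the dashboard may still send that are no longer ServiceProvider columns (see ServiceProvider.ignored_columns).` would help the next reader; that assigning them would otherwise raise is inferred from the `'ignores the old column'` spec, not shown in this file. This is also a denylist, so every future column removal needs a matching entry here — an allowlist built from `ServiceProvider.column_names` in `cleaned_service_provider` (the second hunk) would be more robust if the rest of the class permits it. Both hunks are cut from the middle of `ServiceProviderUpdater`.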
@@ -96,7 +99,8 @@ test: - 'http://example.com/auth/result' - 'http://example.com/logout' friendly_name: 'Test SP requesting signed response message' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' logo: 'generic.svg' ial: 1 attribute_bundle: @@ -109,7 +113,8 @@ test: acs_url: 'http://example.com/test/saml/decode_assertion' assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' block_encryption: 'aes256-cbc' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP' allow_prompt_login: true @@ -117,7 +122,8 @@ test: acs_url: 'http://example.com/test/saml/decode_assertion' assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' block_encryption: 'aes256-cbc' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' ial: 2 friendly_name: 'Test SP' allow_prompt_login: true @@ -138,7 +144,8 @@ test: redirect_uris: - 'gov.gsa.openidconnect.test://result' - 'gov.gsa.openidconnect.test://result/signout' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Example iOS App' agency: '18F' agency_id: 1 @@ -152,7 +159,8 @@ test: redirect_uris: - 'gov.gsa.openidconnect.test://result' - 'gov.gsa.openidconnect.test://result/signout' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Example app that disallows prompt=login' agency: '18F' agency_id: 1 @@ -165,7 +173,8 @@ test: redirect_uris: - 'gov.gsa.openidconnect.test://result' - 'gov.gsa.openidconnect.test://result/logout' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Example iOS App' agency: '18F' agency_id: 1 @@ -179,7 +188,8 @@ test: - 'http://localhost:7654/auth/result' - 'https://example.com' - 'http://www.example.com/test/oidc' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP' assertion_consumer_logout_service_url: '' ial: 2 
@@ -191,7 +201,8 @@ test: - 'http://localhost:7654/auth/result' - 'https://example.com' - 'http://www.example.com/test/oidc' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP' assertion_consumer_logout_service_url: '' ial: 2 @@ -202,7 +213,8 @@ test: redirect_uris: - 'http://localhost:7654/auth/result' - 'https://example.com' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP' assertion_consumer_logout_service_url: '' ial: 2 @@ -211,7 +223,8 @@ test: 'test_sp_with_default_help_text': agency_id: 2 - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP with default help text' ial: 2 help_text: @@ -255,7 +268,8 @@ test: 'test_sp_with_custom_help_text': agency_id: 2 - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Test SP with custom help text' ial: 2 help_text: @@ -278,7 +292,8 @@ test: assertion_consumer_logout_service_url: 'http://localhost:3000/test/saml/decode_slo_request' sp_initiated_login_url: 'http://localhost:3000/test/saml' block_encryption: 'none' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' agency: 'Test Government Agency' agency_id: 1 uuid_priority: 10 @@ -297,7 +312,8 @@ test: redirect_uris: - 'gov.gsa.openidconnect.test://result' - 'gov.gsa.openidconnect.test://result/signout' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' friendly_name: 'Example iOS App (inactive)' agency: '18F' agency_id: 1 @@ -316,7 +332,8 @@ development: assertion_consumer_logout_service_url: 'http://localhost:3000/test/saml/decode_slo_request' block_encryption: 'aes256-cbc' sp_initiated_login_url: 'http://localhost:3000/test/saml' - cert: 'saml_test_sp' + certs: + - 'saml_test_sp' logo: 'generic.svg' agency: 'GSA' friendly_name: 'Awesome test SP' 
@@ -327,7 +344,8 @@ development: sp_initiated_login_url: 'http://localhost:4567/test/saml' assertion_consumer_logout_service_url: 'http://localhost:4567/slo_logout' block_encryption: 'aes256-cbc' - cert: 'sp_sinatra_demo' + certs: + - 'sp_sinatra_demo' ial: 2 attribute_bundle: - email @@ -337,7 +355,8 @@ development: assertion_consumer_logout_service_url: 'http://localhost:3000/auth/saml/logout' sp_initiated_login_url: 'http://localhost:3000/admin/sign_in' block_encryption: 'aes256-cbc' - cert: 'sp_micropurchase' + certs: + - 'sp_micropurchase' agency: 'TTS Acquisition' logo: '18f.svg' friendly_name: 'Micro-purchase Dev' @@ -350,7 +369,8 @@ development: assertion_consumer_logout_service_url: 'http://localhost:3003/auth/saml/logout' sp_initiated_login_url: 'http://localhost:3003/login' block_encryption: 'aes256-cbc' - cert: 'sp_rails_demo' + certs: + - 'sp_rails_demo' agency: '18F' agency_id: 1 uuid_priority: 10 @@ -367,7 +387,8 @@ development: agency_id: 2 uuid_priority: 30 logo: '18f.svg' - cert: 'identity_dashboard_cert' + certs: + - 'identity_dashboard_cert' return_to_sp_url: 'http://localhost:3001' redirect_uris: - 'http://localhost:3001/auth/logindotgov/callback' @@ -390,12 +411,14 @@ development: - 'http://localhost:9292/' - 'http://localhost:9292/auth/result' - 'http://localhost:9292/logout' - cert: 'sp_sinatra_demo' + certs: + - 'sp_sinatra_demo' friendly_name: 'Example Sinatra App' 'urn:gov:gsa:openidconnect:sp:expressjs': agency: 'GSA' - cert: 'sp_expressjs_demo' + certs: + - 'sp_expressjs_demo' friendly_name: 'Example OIDC Client (Express.js)' logo: '18f.svg' redirect_uris: @@ -404,7 +427,8 @@ development: 'urn:gov:gsa:openidconnect:sp:gin': agency: 'GSA' - cert: 'sp_gin_demo' + certs: + - 'sp_gin_demo' friendly_name: 'Example OIDC Client (Gin)' logo: '18f.svg' redirect_uris: 
@@ -413,7 +437,8 @@ development: 'urn:gov:gsa:openidconnect:sp:phoenix': agency: 'GSA' - cert: 'sp_phoenix_demo' + certs: + - 'sp_phoenix_demo' friendly_name: 'Example OIDC Client (Phoenix)' logo: '18f.svg' redirect_uris: diff --git a/config/service_providers.yml.old b/config/service_providers.yml.old deleted file mode 100644 index 97d483fac12..00000000000 --- a/config/service_providers.yml.old +++ /dev/null 
@@ -1,395 +0,0 @@ -test: - 'http://localhost:3000': - acs_url: 'http://localhost:3000/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://localhost:3000/test/saml/decode_slo_request' - sp_initiated_login_url: 'http://localhost:3000/test/saml' - block_encryption: 'none' - cert: 'saml_test_sp' - agency: 'Test Government Agency' - agency_id: 1 - uuid_priority: 10 - friendly_name: 'Your friendly Government Agency' - logo: 'generic.svg' - return_to_sp_url: 'http://localhost:3000' - redirect_uris: - - 'x-example-app://idp_return' - attribute_bundle: - - email - - phone - allow_prompt_login: true - - 'https://rp1.serviceprovider.com/auth/saml/metadata': - agency_id: 2 - acs_url: 'http://example.com/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' - block_encryption: 'aes256-cbc' - sp_initiated_login_url: 'https://example.com/auth/saml/login' - failure_to_proof_url: 'https://example.com/' - redirect_uris: - - 'http://example.com/' - - 'http://example.com/auth/result' - - 'http://example.com/logout' - friendly_name: 'Test SP' - cert: 'saml_test_sp' - logo: 'generic.svg' - ial: 2 - attribute_bundle: - - first_name - - last_name - - ssn - - zipcode - allow_prompt_login: true - - 'https://aal3.serviceprovider.com/auth/saml/metadata': - agency_id: 2 - acs_url: 'http://example.com/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' - block_encryption: 'aes256-cbc' - sp_initiated_login_url: 'https://example.com/auth/saml/login' - failure_to_proof_url: 'https://example.com/' - redirect_uris: - - 'http://example.com/' - - 'http://example.com/auth/result' - - 'http://example.com/logout' - friendly_name: 'Test SP' - cert: 'saml_test_sp' - logo: 'generic.svg' - ial: 2 - aal: 3 - attribute_bundle: - - first_name - - last_name - - ssn - - zipcode - allow_prompt_login: true - - 
'test_saml_sp_not_requesting_signed_response_message': - agency_id: 2 - acs_url: 'http://example.com/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' - sp_initiated_login_url: 'https://example.com/auth/saml/login' - failure_to_proof_url: 'https://example.com/' - redirect_uris: - - 'http://example.com/' - - 'http://example.com/auth/result' - - 'http://example.com/logout' - friendly_name: 'Test SP requesting signed response message' - cert: 'saml_test_sp' - logo: 'generic.svg' - ial: 1 - attribute_bundle: - - email - allow_prompt_login: true - block_encryption: 'none' - signed_response_message_requested: false - - 'test_saml_sp_requesting_signed_response_message': - agency_id: 2 - acs_url: 'http://example.com/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' - sp_initiated_login_url: 'https://example.com/auth/saml/login' - failure_to_proof_url: 'https://example.com/' - redirect_uris: - - 'http://example.com/' - - 'http://example.com/auth/result' - - 'http://example.com/logout' - friendly_name: 'Test SP requesting signed response message' - cert: 'saml_test_sp' - logo: 'generic.svg' - ial: 1 - attribute_bundle: - - email - allow_prompt_login: true - block_encryption: 'none' - signed_response_message_requested: true - - 'https://rp2.serviceprovider.com/auth/saml/metadata': - acs_url: 'http://example.com/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request' - block_encryption: 'aes256-cbc' - cert: 'saml_test_sp' - friendly_name: 'Test SP' - allow_prompt_login: true - - 'http://test.host': - acs_url: 'http://test.host/test/saml/decode_assertion' - block_encryption: 'aes256-cbc' - metadata_url: 'http://test.host/test/saml/metadata' - sp_initiated_login_url: 'http://test.host/test/saml' - friendly_name: 'Test SP' - allow_prompt_login: true - launch_date: '2020-03-01' - 
iaa: 'ABC123-2020' - iaa_start_date: '2020-01-01' - iaa_end_date: '2020-12-31' - - 'urn:gov:gsa:openidconnect:test': - redirect_uris: - - 'gov.gsa.openidconnect.test://result' - - 'gov.gsa.openidconnect.test://result/signout' - cert: 'saml_test_sp' - friendly_name: 'Example iOS App' - agency: '18F' - agency_id: 1 - uuid_priority: 20 - logo: 'generic.svg' - ial: 2 - push_notification_url: http://localhost/push_notifications - allow_prompt_login: true - - 'urn:gov:gsa:openidconnect:test_prompt_login_banned': - redirect_uris: - - 'gov.gsa.openidconnect.test://result' - - 'gov.gsa.openidconnect.test://result/signout' - cert: 'saml_test_sp' - friendly_name: 'Example app that disallows prompt=login' - agency: '18F' - agency_id: 1 - uuid_priority: 20 - logo: 'generic.svg' - ial: 1 - allow_prompt_login: false - - 'urn:gov:gsa:openidconnect:test:loa1': - redirect_uris: - - 'gov.gsa.openidconnect.test://result' - - 'gov.gsa.openidconnect.test://result/logout' - cert: 'saml_test_sp' - friendly_name: 'Example iOS App' - agency: '18F' - agency_id: 1 - uuid_priority: 20 - logo: 'generic.svg' - allow_prompt_login: true - - 'urn:gov:gsa:openidconnect:sp:server': - agency_id: 2 - redirect_uris: - - 'http://localhost:7654/auth/result' - - 'https://example.com' - - 'http://www.example.com/test/oidc' - cert: 'saml_test_sp' - friendly_name: 'Test SP' - assertion_consumer_logout_service_url: '' - ial: 2 - allow_prompt_login: true - - 'urn:gov:gsa:openidconnect:sp:server_requiring_aal3': - agency_id: 2 - redirect_uris: - - 'http://localhost:7654/auth/result' - - 'https://example.com' - cert: 'saml_test_sp' - friendly_name: 'Test SP' - assertion_consumer_logout_service_url: '' - ial: 2 - aal: 3 - allow_prompt_login: true - - 'test_sp_with_default_help_text': - agency_id: 2 - cert: 'saml_test_sp' - friendly_name: 'Test SP with default help text' - ial: 2 - help_text: - sign_in: - en: First time here from %{sp_name}?

Your old %{sp_name} username - and password won’t work. Please create a login.gov - account using the same email address you use for %{sp_name}.

Learn - more - es: ¿Ha venido de %{sp_name}?

Si tiene un perfil de %{sp_name} - existente, favor de usar la dirección de correo electrónico primaria o secundaria - que usó para %{sp_name} para crear un nueva cuenta - de login.gov

Obtenga más información. - fr: Êtes-vous venu(e) de %{sp_name}?

Si vous avez déjà un profil - %{sp_name}, veuillez utiliser l'adresse e-mail principale ou secondaire - que vous avez utilisée pour %{sp_name} pour créer - votre nouveau compte login.gov

En - savoir plus. - sign_up: - en: Please create a login.gov account using the same email address you - use for %{sp_name}

Learn more - es: Por favor crea un login.gov cuenta usando la misma dirección de correo - electrónico que utiliza para %{sp_name}.

Obtenga - más información. - fr: Veuillez créer un compte login.gov avec la même adresse e-mail que - vous avez utilisée pour %{sp_name}.

En - savoir plus. - forgot_password: - en: Your old %{sp_name} username and password won’t work. Please - create a login.gov account using the same - email address you use for %{sp_name}.

Learn - more - es: Si tiene un perfil de %{sp_name} existente, favor de usar - la dirección de correo electrónico primaria o secundaria que usó para %{sp_name} - para crear su nueva cuenta de login.gov.

Obtenga más información. - fr: Si vous avez déjà un profil %{sp_name}, veuillez utiliser - l'adresse e-mail principale ou secondaire que vous avez utilisée pour %{sp_name} - pour créer votre nouveau compte login.gov -

En savoir plus. - allow_prompt_login: true - - 'test_sp_with_custom_help_text': - agency_id: 2 - cert: 'saml_test_sp' - friendly_name: 'Test SP with custom help text' - ial: 2 - help_text: - sign_in: - en: "custom sign in help text for %{sp_name}" - es: "" - fr: "" - sign_up: - en: "" - es: "" - fr: "" - forgot_password: - en: "" - es: "" - fr: "" - allow_prompt_login: true - -development: - 'https://rp1.serviceprovider.com/auth/saml/metadata': - agency_id: 2 - metadata_url: 'http://localhost:3000/test/saml/metadata' - acs_url: 'http://localhost:3000/test/saml/decode_assertion' - assertion_consumer_logout_service_url: 'http://localhost:3000/test/saml/decode_slo_request' - block_encryption: 'aes256-cbc' - sp_initiated_login_url: 'http://localhost:3000/test/saml' - cert: 'saml_test_sp' - fingerprint: '08:79:F5:B1:B8:CC:EC:8F:5C:2A:58:03:30:14:C9:E6:F1:67:78:F1:97:E8:3A:88:EB:8E:70:92:25:D2:2F:32' - logo: 'generic.svg' - agency: 'GSA' - friendly_name: 'Awesome test SP' - - 'urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost': - friendly_name: 'Test SAML SP' - acs_url: 'http://localhost:4567/consume' - sp_initiated_login_url: 'http://localhost:4567/test/saml' - assertion_consumer_logout_service_url: 'http://localhost:4567/slo_logout' - block_encryption: 'aes256-cbc' - cert: 'sp_sinatra_demo' - ial: 2 - attribute_bundle: - - email - - 'urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost-micropurchase': - acs_url: 'http://localhost:3000/auth/saml/callback' - assertion_consumer_logout_service_url: 'http://localhost:3000/auth/saml/logout' - sp_initiated_login_url: 'http://localhost:3000/admin/sign_in' - block_encryption: 'aes256-cbc' - cert: 'sp_micropurchase' - agency: 'TTS Acquisition' - logo: '18f.svg' - friendly_name: 'Micro-purchase Dev' - return_to_sp_url: 'http://localhost:3000' - attribute_bundle: - - email - - 'urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost-rails': - acs_url: 'http://localhost:3003/auth/saml/callback' - assertion_consumer_logout_service_url: 
'http://localhost:3003/auth/saml/logout' - sp_initiated_login_url: 'http://localhost:3003/login' - block_encryption: 'aes256-cbc' - cert: 'sp_rails_demo' - agency: '18F' - agency_id: 1 - uuid_priority: 10 - friendly_name: '18F Test Service Provider' - logo: 'generic.svg' - return_to_sp_url: 'http://localhost:3003' - attribute_bundle: - - email - ial: 2 - - 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:dashboard': - friendly_name: 'Dashboard' - agency: 'GSA' - agency_id: 2 - uuid_priority: 30 - logo: '18f.svg' - cert: 'identity_dashboard_cert' - return_to_sp_url: 'http://localhost:3001' - redirect_uris: - - 'http://localhost:3001/auth/logindotgov/callback' - - 'http://localhost:3001' - - 'urn:gov:gsa:openidconnect:development': - redirect_uris: - - 'gov.gsa.openidconnect.development://result' - friendly_name: 'Example iOS App' - agency: '18F' - agency_id: 1 - uuid_priority: 20 - logo: 'generic.svg' - - 'urn:gov:gsa:openidconnect:sp:sinatra': - agency_id: 1 - ial: 2 - push_notification_url: http://localhost:9292/api/push_notifications - redirect_uris: - - 'http://localhost:9292/' - - 'http://localhost:9292/auth/result' - - 'http://localhost:9292/logout' - cert: 'sp_sinatra_demo' - friendly_name: 'Example Sinatra App' - - 'urn:gov:gsa:openidconnect:sp:expressjs': - agency: 'GSA' - cert: 'sp_expressjs_demo' - friendly_name: 'Example OIDC Client (Express.js)' - logo: '18f.svg' - redirect_uris: - - 'http://localhost:9393/' - - 'http://localhost:9393/auth/login-gov/callback' - - 'urn:gov:gsa:openidconnect:sp:gin': - agency: 'GSA' - cert: 'sp_gin_demo' - friendly_name: 'Example OIDC Client (Gin)' - logo: '18f.svg' - redirect_uris: - - 'http://localhost:8080/' - - 'http://localhost:8080/auth/login-gov/callback' - - 'urn:gov:gsa:openidconnect:sp:phoenix': - agency: 'GSA' - cert: 'sp_phoenix_demo' - friendly_name: 'Example OIDC Client (Phoenix)' - logo: '18f.svg' - redirect_uris: - - 'http://localhost:4000/' - - 'http://localhost:4000/auth/result' - - 
'urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:oyk_sml': - agency: 'GSA' - friendly_name: 'Ruby client test app' - cert: 'ruby_client' - logo: '18f.sv' - redirect_uris: - - 'http://localhost:4567/' - ial: 1 - attribute_bundle: - - email - acs_url: 'http://localhost:4567/auth/saml/sso' - -# These are fake production service providers needed for the -# ServiceProviderSeeder tests. They are not actually used in production. -# -# Production service providers come from identity-idp-config and shouldn't be -# added here. -# -production: - - 'urn:gov:login:test-providers:fake-prod-sp': - friendly_name: 'Fake/Test stub SP for prod' - restrict_to_deploy_env: 'prod' - - 'urn:gov:login:test-providers:fake-staging-sp': - friendly_name: 'Fake/Test stub SP for staging' - restrict_to_deploy_env: 'staging' - - 'urn:gov:login:test-providers:fake-unrestricted-sp': - friendly_name: 'Fake/Test stub SP, env unrestricted' diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb index 3a88987af24..c37a807d916 100644 --- a/spec/controllers/saml_idp_controller_spec.rb +++ b/spec/controllers/saml_idp_controller_spec.rb @@ -48,7 +48,6 @@ let(:service_provider) do create( :service_provider, - cert: nil, # override singular cert certs: ['sp_sinatra_demo', 'saml_test_sp'], active: true, assertion_consumer_logout_service_url: 'https://example.com', @@ -481,7 +480,6 @@ def name_id_version(format_urn) let(:service_provider) do create( :service_provider, - cert: nil, # override singular cert certs: ['saml_test_sp2', 'saml_test_sp'], active: true, ) diff --git a/spec/controllers/service_provider_controller_spec.rb b/spec/controllers/service_provider_controller_spec.rb index cb72cf9ae8d..ca4a0c174bc 100644 --- a/spec/controllers/service_provider_controller_spec.rb +++ b/spec/controllers/service_provider_controller_spec.rb 
@@ -16,7 +16,7 @@
 acs_url: 'http://sp.example.org/saml/login',
 assertion_consumer_logout_service_url: 'http://sp.example.org/saml/logout',
 block_encryption: 'aes256-cbc',
- cert: saml_test_sp_cert,
+ certs: [saml_test_sp_cert],
 active: true,
 },
 ]
diff --git a/spec/factories/service_providers.rb b/spec/factories/service_providers.rb
index e53e46c4a04..e9fc5665b84 100644
--- a/spec/factories/service_providers.rb
+++ b/spec/factories/service_providers.rb
@@ -2,7 +2,7 @@
 Faker::Config.locale = :en
 factory :service_provider do
- cert { 'saml_test_sp' }
+ certs { ['saml_test_sp'] }
 friendly_name { 'Test Service Provider' }
 issuer { SecureRandom.uuid }
 return_to_sp_url { '/' }
diff --git a/spec/features/saml/saml_spec.rb b/spec/features/saml/saml_spec.rb
index 1d4e921cc95..f4a9885184e 100644
--- a/spec/features/saml/saml_spec.rb
+++ b/spec/features/saml/saml_spec.rb
@@ -185,7 +185,7 @@ class MockSession; end
 issuer: dashboard_sp_issuer,
 friendly_name: 'Sample Dashboard ServiceProvider',
 acs_url: 'http://sp.example.org/saml/login',
- cert: saml_test_sp_cert,
+ certs: [saml_test_sp_cert],
 active: true,
 },
 ]
diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb
index 9ac738f4892..401620cb42f 100644
--- a/spec/forms/openid_connect_token_form_spec.rb
+++ b/spec/forms/openid_connect_token_form_spec.rb
@@ -26,7 +26,6 @@
 let(:service_provider) do
 create(
 :service_provider,
- cert: nil,
 certs: ['saml_test_sp2', 'saml_test_sp'],
 )
 end
diff --git a/spec/forms/security_event_form_spec.rb b/spec/forms/security_event_form_spec.rb
index 36dd4e35b23..396243d1039 100644
--- a/spec/forms/security_event_form_spec.rb
+++ b/spec/forms/security_event_form_spec.rb
@@ -199,7 +199,7 @@
 end
 context 'when the issuer does not have a public key registered' do
- before { service_provider.update(cert: nil) }
+ before { service_provider.update(certs: []) }
 it 'is invalid' do
 expect(valid?).to eq(false)
diff --git a/spec/models/service_provider_spec.rb b/spec/models/service_provider_spec.rb
index a8fca23bb06..042000f55b3 100644
--- a/spec/models/service_provider_spec.rb
+++ b/spec/models/service_provider_spec.rb
@@ -72,19 +72,19 @@
 end
 it 'accepts a blank certificate' do
- sp = build(:service_provider, redirect_uris: [], cert: '')
+ sp = build(:service_provider, redirect_uris: [], certs: [''])
 expect(sp).to be_valid
 end
 it 'fails if certificate is present but not x509' do
- sp = build(:service_provider, redirect_uris: [], cert: 'saml_test_invalid_sp')
+ sp = build(:service_provider, redirect_uris: [], certs: ['saml_test_invalid_sp'])
 expect(sp).to_not be_valid
 end
 it 'accepts a valid x509 certificate' do
- sp = build(:service_provider, redirect_uris: [], cert: 'saml_test_sp')
+ sp = build(:service_provider, redirect_uris: [], certs: ['saml_test_sp'])
 expect(sp).to be_valid
 end
@@ -203,16 +203,8 @@
 end
 describe '#ssl_certs' do
- context 'with an empty string singular cert' do
- let(:service_provider) { build(:service_provider, cert: '', certs: nil) }
-
- it 'is the empty array' do
- expect(service_provider.ssl_certs).to eq([])
- end
- end
-
 context 'with an empty string plural cert' do
- let(:service_provider) { build(:service_provider, cert: nil, certs: ['']) }
+ let(:service_provider) { build(:service_provider, certs: ['']) }
 it 'is the empty array' do
 expect(service_provider.ssl_certs).to eq([])
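Review bot: With the singular-column contexts deleted, `describe '#ssl_certs'` no longer has an example for `certs: nil`; the new implementation only survives that input through `Array(certs)`, and since the factory now always sets `certs`, nothing pins that a record with a NULL `certs` column (if the column is nullable) returns `[]` instead of raising. A small context along the lines of `context 'with nil certs' do`, `let(:service_provider) { build(:service_provider, certs: nil) }`, `it 'is the empty array' do expect(service_provider.ssl_certs).to eq([]) end` would restore that coverage; the same gap applies to the `#ssl_certs` hunks in the next chunk of this file. The `describe '#ssl_certs'` block continues past the end of the hunk.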
@@ -221,28 +213,8 @@
 let(:pem) { Rails.root.join('certs', 'sp', 'saml_test_sp.crt').read }
- context 'with the PEM of a cert in the singular column' do
- let(:service_provider) { build(:service_provider, cert: pem, certs: nil) }
-
- it 'is an array of the X509 cert' do
- expect(service_provider.ssl_certs.length).to eq(1)
- expect(service_provider.ssl_certs.first).to be_kind_of(OpenSSL::X509::Certificate)
- expect(service_provider.ssl_certs.first.to_pem).to eq(pem)
- end
- end
-
 context 'with the PEM of a cert in the plural column' do
- let(:service_provider) { build(:service_provider, cert: nil, certs: [pem]) }
-
- it 'is an array of the X509 cert' do
- expect(service_provider.ssl_certs.length).to eq(1)
- expect(service_provider.ssl_certs.first).to be_kind_of(OpenSSL::X509::Certificate)
- expect(service_provider.ssl_certs.first.to_pem).to eq(pem)
- end
- end
-
- context 'with the name of a cert in the singular column' do
- let(:service_provider) { build(:service_provider, cert: 'saml_test_sp', certs: nil) }
+ let(:service_provider) { build(:service_provider, certs: [pem]) }
 it 'is an array of the X509 cert' do
 expect(service_provider.ssl_certs.length).to eq(1)
@@ -252,7 +224,7 @@
 end
 context 'with the name of a cert in the plural column' do
- let(:service_provider) { build(:service_provider, cert: nil, certs: ['saml_test_sp']) }
+ let(:service_provider) { build(:service_provider, certs: ['saml_test_sp']) }
 it 'is an array of the X509 cert' do
 expect(service_provider.ssl_certs.length).to eq(1)
diff --git a/spec/services/service_provider_seeder_spec.rb b/spec/services/service_provider_seeder_spec.rb
index 4fa4127f28b..3c05e4ab77b 100644
--- a/spec/services/service_provider_seeder_spec.rb
+++ b/spec/services/service_provider_seeder_spec.rb
@@ -150,7 +150,7 @@
 acs_url: 'http://example.com/test/saml/decode_assertion',
 assertion_consumer_logout_service_url: 'http://example.com/test/saml/decode_slo_request',
 block_encryption: 'aes256-cbc',
- cert: 'saml_test_sp',
+ certs: ['saml_test_sp'],
 redirect_uris: [''],
 },
 }
diff --git a/spec/services/service_provider_updater_spec.rb b/spec/services/service_provider_updater_spec.rb
index 072dd935f61..1961e9b9a0b 100644
--- a/spec/services/service_provider_updater_spec.rb
+++ b/spec/services/service_provider_updater_spec.rb
@@ -25,7 +25,7 @@
 acs_url: 'http://sp.example.org/saml/login',
 assertion_consumer_logout_service_url: 'http://sp.example.org/saml/logout',
 block_encryption: 'aes256-cbc',
- cert: saml_test_sp_cert,
+ certs: [saml_test_sp_cert],
 active: true,
 native: true,
 approved: true,
@@ -48,7 +48,7 @@
 acs_url: 'http://oldsp.example.org/saml/login',
 assertion_consumer_logout_service_url: 'http://oldsp.example.org/saml/logout',
 block_encryption: 'aes256-cbc',
- cert: saml_test_sp_cert,
+ certs: [saml_test_sp_cert],
 active: false,
 }
 end
@@ -201,7 +201,7 @@
 acs_url: 'http://sp.example.org/saml/login',
 assertion_consumer_logout_service_url: 'http://sp.example.org/saml/logout',
 block_encryption: 'aes256-cbc',
- cert: saml_test_sp_cert,
+ certs: [saml_test_sp_cert],
 active: true,
 native: false,
 approved: true,
@@ -219,6 +219,28 @@
 end
 end
+ context 'dashboard has the old singular cert attribute' do
+ let(:dashboard_service_providers) do
+ [
+ {
+ issuer: 'aaaaaa',
+ friendly_name: 'a service provider',
+ agency_id: agency_1.id,
+ redirect_uris: openid_connect_redirect_uris,
+ active: true,
+ cert: 'aaaa',
+ },
+ ]
+ end
+
+ it 'ignores the old column' do
+ stub_request(:get, fake_dashboard_url).to_return(
+ status: 200,
+ body: dashboard_service_providers.to_json,
+ )
+ expect { subject.run }.to_not raise_error
+ end
+ end
 context 'GET request to dashboard raises an error' do
 it 'logs error and does not affect registry' do
 allow(Rails.logger).to receive(:error)
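Review bot: The new `'ignores the old column'` example in the last hunk only asserts `to_not raise_error`, so it would still pass if `run` started rescuing or skipping the record entirely; asserting the outcome the context name promises, e.g. `subject.run` followed by `expect(ServiceProvider.find_by(issuer: 'aaaaaa')).to be_present`, pins that the provider is synced with the stray key dropped. Stylistically, the added closing `end` is immediately followed by `context 'GET request to dashboard raises an error'` with no blank line between the two contexts, unlike the surrounding examples. `agency_1`, `openid_connect_redirect_uris`, `fake_dashboard_url` and `subject` are defined outside the hunk, so their shapes are assumed here.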