add/lock in saml_2023 references, remove saml_2021 ones

config/application.yml.default

@@ -398,7 +398,7 @@ development:
   recurring_jobs_disabled_names: "[]"
   s3_report_bucket_prefix: ''
   s3_report_public_bucket_prefix: ''
-  saml_endpoint_configs: '[{"suffix":"2021","secret_key_passphrase":"trust-but-verify"},{"suffix":"2022","secret_key_passphrase":"trust-but-verify"}]'
+  saml_endpoint_configs: '[{"suffix":"2022","secret_key_passphrase":"trust-but-verify"},{"suffix":"2023","secret_key_passphrase":"trust-but-verify"}]'
   scrypt_cost: 10000$8$1$
   secret_key_base: development_secret_key_base
   session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
@@ -567,7 +567,7 @@ test:
   reset_password_email_window_in_minutes: 80
   s3_report_bucket_prefix: ''
   s3_report_public_bucket_prefix: ''
-  saml_endpoint_configs: '[{"suffix":"2022","secret_key_passphrase":"trust-but-verify"}]'
+  saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"}]'
   saml_internal_post: true
   scrypt_cost: 800$8$1$
   secret_key_base: test_secret_key_base

config/artifacts.example/local/saml2023.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDajCCAlICCQCbZpJCM572hTANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
+UzEdMBsGA1UECAwURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNVBAcMCldhc2hp
+bmd0b24xDDAKBgNVBAoMA0dTQTESMBAGA1UECwwJTG9naW4uZ292MRIwEAYDVQQD
+DAlsb2dpbi5nb3YwHhcNMjMwNDA0MTYwNzIxWhcNMjQwNDAyMTYwNzIxWjB3MQsw
+CQYDVQQGEwJVUzEdMBsGA1UECAwURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV
+BAcMCldhc2hpbmd0b24xDDAKBgNVBAoMA0dTQTESMBAGA1UECwwJTG9naW4uZ292
+MRIwEAYDVQQDDAlsb2dpbi5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCdToDm3/j0j0PMjca8bc7H0H3FNSTW4l6hpUSywkC/kg2fZ5W6f0hIYYID
+TbDYAkpeIiKKE/FDI3TlaQT9+LLe6AbkelLmteS+wMehCPtaBPeRfHKaRNQKsSTk
+c5JAf4OWaZKj+F3Fu0e5+dJ2nuYcT2VV7DLoG3KKTw+pcHuXCQZfrPbquyyNbKvo
+K4ELVIueQQ5F3EiahP3XchGw+H5FCH5QJPVl57WaCB2gLM8kueELKIzta7roIYHf
+GEhdaC71ZYCjGRvsKtAqomNdL2Je67E56dEwJ1fWS242PkSvQTH5vtkYzelE2H9m
+V+sPf5lLfc599iLZoTemEe5p6NydAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH88
+Yl+KbT3NPjrXH7SITWr1wOIemJ8b2/vukz7aS9TiTJnlw6IzsLnD+tiJa1q5CO23
+3/NCaa6piocbD1fC/H7PB6lXu+0ypMwpaStTThpxbpQ6bMUklxKKFyuaX5RpNZn4
+YicYGEnCr7h70+R/01ztgYNOzNdgM6MjHMvEnb8KVkuckuCE1JUoX+LxaE9cxkxX
+Auwdct14efBFuyB2HgvWUvqvjN9NDhfS6BG5FgTZWpWJnn7xmjUNUfq1VC4XHQsv
+mqoPiDhR1GwB191ZVz7Rq00yysfr7tSUJeWp//5GPZRjSZsrs1wtO6x/tFjngELl
+d0/LPNS3OWvaMvvGzgc=
+-----END CERTIFICATE-----

config/artifacts.example/local/saml2023.key.enc

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIfgN2KJrydvECAggA
+MB0GCWCGSAFlAwQBKgQQEF8wtPY1ps4bJfQ4sV0xeQSCBND598BOsn9cAgqBGUEE
+yQgCp+DIpDKFmgwXOiFjjuY1H3vsAFh0lhOoWN2z2UsAWUq8RwWs41UNSajgUllq
+wPP3dm+U2BG661AmZEj5+fJ6ckCLX+BZHcv2bjx7cRF8oMv3Z1wlmTvxyARcFlct
+b5Rxjl+moDwuBGFUaCg80hL2NZmUSuf/GZ5bj5yHZqGdc/KAXRts6knqLfsBxhrh
+uECYUaz11NRN+JCNg8TcQSUJs01QVrhS7MrNhr1WGIwdIYg0AsqHqluzKr4nzjqG
+u8vfRV7oraUhNDKrfXfxjGcyy/o4zYnuJO3zBRWPV4Ueesf3efGY3bNyZzoY2BrD
+ZlpQwHf7NmANZqHnCAH9dDrk3mcNkfPEnSs/oguhIk05ZHMaZeGR+bIJd1LjxjLY
+KOhgw9u+I4WR35GsZRFArwUnHfvAcLTwBbsChMk7ykj16F/rdIknMWiyZX3p31Cm
+ZW/tB5j4lm9caA9iPn/d3S/H7O3zG3SSuwQvrwQguImqEegMq2FA6MLT+66R+DU/
+AB/M8WgwIhaLWr136GhGBjJO4Tm21DrNjHzS8NYWcXL8PWdDgagwbTGAL6jLLulr
+iCrkEsQoNzX11WiwYgmhrPLKVqophHK4v3dzuY+naMV5GekqhPA+8IfWZfvmizb7
+LVoxb6TKBI0U3p31lhRI9car+Yxa7z5ZSAl0n03TCeZOYvUmKAwj81E23g1XC3Fx
++xB+nrDWQQjvD+ZRXQxqUg58o0qitM9tKsIkh2Qj4IRpATTyTyNO40seGni8AWsU
+ftsll8OVWEdHlnOGLNjSPC/uVMYSa8YOcv+xIqErty2Q40yrOsXufX0ompzONNZH
+rUbifoY3T8En88m7wCDBQAw38pUdgPniL0VyADdvkc4To5pjkK7B4g7fD+WbjdrD
+V7UhU+4wxZkSK9ijaq/4Cj/ZIg5m29qOoCtI/vn2A/DnhLJmomQ8B21xgtUsa/pM
+Pi1Z4rz2OLEND1EPuJSm/xijxVGUgYpkOYHoRQmvbpPst9FvXPIXcBdpahbVvqOq
+Iv8LcKatTKqTjxyXoOxxUWQ16MYXaOSk8sEbDYqp/YK2N9ItIPiHiYio/Wt+uQM8
+/VbyZGY+e0O9mAGtoWLDuqCziH5HHXjH7sX0mJmrVCc8V7eKewEEYT6jCjvOMG+V
+tABCJQXoaOV8Tk5f3rMDVYg+DQaqFfuvOEahj0CLm4xLuEK9mGvNz7HjxgPjRfS1
+CFn93oBKnhJbzeEkNEHWw2sG1/twiOjhSkMs5CbdcpAjm6wNoKE3/e23HbUuFGos
+yOb/2mm5oAr/EjBCUSilyNSkIuUTzIKnootLJ4bxHmTHFlpJlYvFBKWT7RIRT21g
+LErRAgUHF/f93yNjgEbdzf8lzKfYWBnZK1E2RGbVay3W1OtQQ7Om01CbKd0THt9y
+4bwD/rS29+xa4NVImMXmq/aftLLoedaY9TWHz2FOInXhms9vw0wsehmc1aoQ1yrl
+DVx+T7raO6YJ8MK385ryjupsZd4J5dYcvHjlkpnZOyvVyzfdNqHvVhtfd765d5rw
+GyX2UKPByjECQskxKjeqadjZ8zaAecW/4ujg0wcmdX7l4lfXcdy6+0WiPr3qBwQE
+hrcBC92oNEzyorgjdcMEz2RATw==
+-----END ENCRYPTED PRIVATE KEY-----

config/initializers/app_artifacts.rb

@@ -2,8 +2,6 @@
 
 AppArtifacts.setup do |store|
   # When adding or removing certs, make sure to update the 'saml_endpoint_configs' config
-  store.add_artifact(:saml_2021_cert, '/%<env>s/saml2021.crt')
-  store.add_artifact(:saml_2021_key, '/%<env>s/saml2021.key.enc')
   store.add_artifact(:saml_2022_cert, '/%<env>s/saml2022.crt')
   store.add_artifact(:saml_2022_key, '/%<env>s/saml2022.key.enc')
   store.add_artifact(:saml_2023_cert, '/%<env>s/saml2023.crt')

spec/controllers/application_controller_spec.rb

@@ -402,7 +402,7 @@ def index
     end
 
     context 'with a SAML request' do
-      let(:sp_session_request_url) { '/api/saml/auth2022' }
+      let(:sp_session_request_url) { '/api/saml/auth2023' }
       it 'returns the saml completion url' do
         expect(url_with_updated_params).to eq complete_saml_url
       end
@@ -440,9 +440,9 @@ def index
     context 'with saml_internal_post feature flag set to false' do
       before { allow(IdentityConfig.store).to receive(:saml_internal_post).and_return false }
       context 'with a SAML request' do
-        let(:sp_session_request_url) { '/api/saml/auth2022?SAMLRequest=blah' }
+        let(:sp_session_request_url) { '/api/saml/auth2023?SAMLRequest=blah' }
         it 'returns the original request url' do
-          expect(url_with_updated_params).to eq '/api/saml/auth2022?SAMLRequest=blah'
+          expect(url_with_updated_params).to eq '/api/saml/auth2023?SAMLRequest=blah'
         end
       end
 

spec/controllers/saml_completion_controller_spec.rb

@@ -20,7 +20,7 @@
           Signature: signature,
         }
       end
-      let(:sp_session_request_url) { 'http://example.gov/api/saml/auth2022' }
+      let(:sp_session_request_url) { 'http://example.gov/api/saml/auth2023' }
 
       before do
         expect(controller).to receive(:sp_session).at_least(:once).and_return(

spec/controllers/saml_idp_controller_spec.rb

@@ -562,7 +562,7 @@ def name_id_version(format_urn)
             authn_context_comparison: 'exact',
             requested_ial: authn_context,
             service_provider: sp1_issuer,
-            endpoint: '/api/saml/auth2022',
+            endpoint: '/api/saml/auth2023',
             idv: false,
             finish_profile: false,
             request_signed: true,
@@ -703,7 +703,7 @@ def name_id_version(format_urn)
             authn_context_comparison: 'minimum',
             requested_ial: 'ialmax',
             service_provider: sp1_issuer,
-            endpoint: '/api/saml/auth2022',
+            endpoint: '/api/saml/auth2023',
             idv: false,
             finish_profile: false,
             request_signed: true,
@@ -1241,7 +1241,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: false,
@@ -1282,7 +1282,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: 'none',
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1319,7 +1319,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1354,7 +1354,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: auth_settings.issuer,
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1426,7 +1426,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1458,7 +1458,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: auth_settings.issuer,
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1490,7 +1490,7 @@ def name_id_version(format_urn)
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -1505,7 +1505,7 @@ def name_id_version(format_urn)
 
     describe 'HEAD /api/saml/auth', type: :request do
       it 'responds with "403 Forbidden"' do
-        head '/api/saml/auth2022?SAMLRequest=bang!'
+        head '/api/saml/auth2023?SAMLRequest=bang!'
 
         expect(response.status).to eq(403)
       end
@@ -1677,7 +1677,7 @@ def name_id_version(format_urn)
             ds: Saml::XML::Namespaces::SIGNATURE,
           )
 
-          crt = AppArtifacts.store.saml_2022_cert
+          crt = AppArtifacts.store.saml_2023_cert
           expect(element.text).to eq(crt.split("\n")[1...-1].join("\n").delete("\n"))
         end
 
@@ -1980,7 +1980,7 @@ def stub_auth
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: true,
           finish_profile: false,
           request_signed: false,
@@ -2025,7 +2025,7 @@ def stub_requested_attributes
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: false,
           request_signed: true,
@@ -2061,7 +2061,7 @@ def stub_requested_attributes
           authn_context_comparison: 'exact',
           requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
           service_provider: 'http://localhost:3000',
-          endpoint: '/api/saml/auth2022',
+          endpoint: '/api/saml/auth2023',
           idv: false,
           finish_profile: true,
           request_signed: true,

spec/features/reports/authorization_count_spec.rb

@@ -306,7 +306,7 @@ def expect_ial1_and_ial2_count(issuer)
 
   def reset_monthly_auth_count_and_login(user)
     SpReturnLog.delete_all
-    visit api_saml_logout2022_path
+    visit api_saml_logout2023_path
     sign_in_live_with_2fa(user)
   end
 end

spec/features/saml/multiple_endpoints_spec.rb

@@ -4,7 +4,7 @@
   include SamlAuthHelper
   include IdvHelper
 
-  let(:endpoint_suffix) { '2022' }
+  let(:endpoint_suffix) { '2023' }
   let(:user) { create(:user, :signed_up) }
 
   let(:endpoint_saml_settings) do

spec/features/saml/redirect_uri_validation_spec.rb

@@ -6,7 +6,7 @@
   context 'when redirect_uri param is included in SAML request' do
     it 'uses the return_to_sp_url URL and not the redirect_uri' do
       user = create(:user, :signed_up)
-      visit api_saml_auth2022_path(
+      visit api_saml_auth2023_path(
         SAMLRequest: CGI.unescape(saml_request(saml_settings)),
         redirect_uri: 'http://evil.com',
         state: '123abc',

spec/features/saml/saml_logout_spec.rb

@@ -120,7 +120,7 @@
           },
         )
 
-        expect(current_path).to eq(api_saml_logout2022_path)
+        expect(current_path).to eq(api_saml_logout2023_path)
         expect(page.driver.status_code).to eq(400)
 
         # The user should be signed in
@@ -134,7 +134,7 @@
     it 'logs the user out and redirects to the sign in page' do
       sign_in_and_2fa_user(user)
 
-      visit api_saml_logout2022_path
+      visit api_saml_logout2023_path
 
       expect(page).to have_content(t('devise.sessions.signed_out'))
       expect(page).to have_current_path(root_path)

spec/features/saml/saml_spec.rb

@@ -226,7 +226,7 @@
 
       it 'redirects to root' do
         travel(Devise.timeout_in + 1.second) do
-          visit api_saml_logout2022_url
+          visit api_saml_logout2023_url
           expect(page.current_path).to eq('/')
         end
       end

spec/lib/app_artifacts_spec.rb

@@ -43,10 +43,10 @@
     context 'when running locally' do
       it 'reads the artifact from the example folder' do
         store = instance.build do |store|
-          store.add_artifact(:test_artifact, '/%<env>s/saml2021.crt')
+          store.add_artifact(:test_artifact, '/%<env>s/saml2022.crt')
         end
 
-        file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2021.crt')
+        file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2022.crt')
         contents = File.read(file_path)
         expect(store.test_artifact).to eq(contents)
         expect(store['test_artifact']).to eq(contents)
@@ -65,12 +65,12 @@
 
     it 'allows a block to be used to transform values' do
       store = instance.build do |store|
-        store.add_artifact(:test_artifact, '/%<env>s/saml2021.crt') do |cert|
+        store.add_artifact(:test_artifact, '/%<env>s/saml2022.crt') do |cert|
           OpenSSL::X509::Certificate.new(cert)
         end
       end
 
-      file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2021.crt')
+      file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2022.crt')
       contents = File.read(file_path)
       expect(store.test_artifact).to be_a(OpenSSL::X509::Certificate)
       expect(store.test_artifact.to_pem).to eq(contents)
@@ -80,7 +80,7 @@
   describe '#method_missing' do
     it 'runs methods based on the configd artifact keys' do
       store = instance.build do |store|
-        store.add_artifact(:test_artifact, '/%<env>s/saml2021.crt')
+        store.add_artifact(:test_artifact, '/%<env>s/saml2022.crt')
       end
 
       expect { store.test_artifact }.to_not raise_error