diff --git a/config/application.yml.default b/config/application.yml.default
index 85d074759e5..3e6f8c72cfe 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -409,7 +409,7 @@ development:
 risc_notifications_local_enabled: true
 s3_report_bucket_prefix: ''
 s3_report_public_bucket_prefix: ''
- saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"}]'
+ saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"},{"suffix":"2024","secret_key_passphrase":"trust-but-verify"}]'
 scrypt_cost: 10000$8$1$
 secret_key_base: development_secret_key_base
 session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
@@ -566,7 +566,7 @@ test:
 reset_password_email_window_in_minutes: 80
 s3_report_bucket_prefix: ''
 s3_report_public_bucket_prefix: ''
- saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"},{"suffix":"2022","secret_key_passphrase":"trust-but-verify","comment":"this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb"}]'
+ saml_endpoint_configs: '[{"suffix":"2024","secret_key_passphrase":"trust-but-verify"},{"suffix":"2023","secret_key_passphrase":"trust-but-verify","comment":"this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb"}]'
 scrypt_cost: 800$8$1$
 secret_key_base: test_secret_key_base
 session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
diff --git a/config/artifacts.example/local/saml2024.crt b/config/artifacts.example/local/saml2024.crt
new file mode 100644
index 00000000000..40d05d80385
--- /dev/null
+++ b/config/artifacts.example/local/saml2024.crt
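Review bot: The development list in the first hunk appends 2024 after 2023, whereas the test list in the second hunk puts 2024 first, and the `spec/services/saml_endpoint_spec.rb` change in this same commit asserts that `described_class.suffixes` returns `%w[2024 2023]`, so entry order looks significant. If the first entry is the one the IdP signs with by default (inferred from that spec, not visible here), local development keeps using the 2023 key after this change; reordering the development value to `'[{"suffix":"2024","secret_key_passphrase":"trust-but-verify"},{"suffix":"2023","secret_key_passphrase":"trust-but-verify"}]'` would make both environments agree. Whichever order is intended, a YAML comment above the key such as `# ordered: the first suffix is the default endpoint; older suffixes stay listed only while relying parties migrate` would keep the next rotation from repeating the ambiguity — adjust the wording if the first-entry semantic does not hold.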
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID+TCCAuGgAwIBAgIUUS6s9Rb+KY0fT0qKKgqPPJij/HMwDQYJKoZIhvcNAQEL
+BQAwgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJp
+YTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlM
+b2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292
+MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1owgYsxCzAJBgNVBAYTAlVT
+MR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGlu
+Z3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMM
+HWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAhmcFFn4b56vHlGBQ1Lx6AXz17sqKnCc6sJ+9csP1RtQB
+I0NpPHB2z9Di1PNk/ElK7V7yh3uMu4FJYw30GZFUl2f/ttsDkNHrwfh/jzbMNjrO
+Sc0P25oem4uOUfeGH9jtMhKa+HZLOaOmcyWFKkYR2mwacEbQJ1CWviHtP8AzHUPS
+bHklAmusRLuygTjq0+QRJZgSezGqwU1L3ixPq+gMzPtMS+fxsMOVo2eosip440gz
+4rcqUUogtD2hV8EQi3+GIkGYuMTS81ug/385TCPEhzWMnNmDi3HykOZeRNb4GfCY
+w0Yx+v+cb7BPD5EdxUHNwliHvSiRAeYqLjBjuNUfKQIDAQABo1MwUTAdBgNVHQ4E
+FgQUusictYnNM2TbIt5STz2lkYN1sI8wHwYDVR0jBBgwFoAUusictYnNM2TbIt5S
+Tz2lkYN1sI8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATuLF
+4kHeP7FY9Wzm3DfF+m/5wUhJEtbsF8J9Wq8duhQ4/gtZVJgMDUKLsnSDLCtWiRls
+FXquI8tlo32JsVo5NfZI9WYsub7192iCYpqE+x5G+94tt5vAayoF7GKGPxatyldx
+AQUz7RUzwqas7NCYXQ0p7wZrMqF8z2yvaUgL55v8TJIb7RP+D8b47Cmzx7IYmx3C
+o30vZWysQe61Bv880hG11YJsBAc0hmyWlokJYZZVm+xcjKkm6aFyyAbeCe0Kh68Q
+U7f9YkpFv/sW2RIvZ/Z0gvxjJE+YJBwOwPDDHdkb0ZmKOJvlaabi5lkTZvUtTHXb
+5Hu7DxRRt91dm77MlQ==
+-----END CERTIFICATE-----
diff --git a/config/artifacts.example/local/saml2024.key.enc b/config/artifacts.example/local/saml2024.key.enc
new file mode 100644
index 00000000000..490aa909281
--- /dev/null
+++ b/config/artifacts.example/local/saml2024.key.enc
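Review bot: The validity period encoded in this certificate (the UTCTime pair at the start of the fifth base64 line, `MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1ow`) decodes to notBefore 2024-01-22 20:17:07Z and notAfter 2025-04-01 20:17:07Z, so the example artifact is only good for about fourteen months. The specs in this commit that compare against `AppArtifacts.store.saml_2024_cert` only check byte equality and will not notice expiry, but any local relying party that validates the IdP certificate's dates will stop trusting it after that point. A short README or comment next to `config/artifacts.example/local` recording the expiry date and how the pair is regenerated would save the next person from discovering it by failure.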
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQvoM9ufOajK6ZqU1g
+ECKI4AICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIsXGfRQ2OkcUEggTI
+aC8OvHbA1vvBJNmci+1P6m8vqNwip+J4Xq0jQsam2YLwr+YTCQck/FcxG6LUGtqD
+cGjGtf4e4DIY8qF6pRgysf8nUsmR5RfKYENybjPITPV1IG6aGt1QrdRZYgKRJOwq
+9z2BSu3oUEMOVqStG4bLG7dPoKx4ufXF4iTunA5jESWeduME9j0ey2m3EwqJv84Y
+/QeHJK5ruSoQJUJ8OZWlpc4Oz+V6j5l+8iPTO4DX3b8LVVQsl5kcv53gKFP7n4xo
+ys0xICBA1QuXoUV3MUhO+EIUpNP0oegTE7Xn8dR+wnUxr8r3u2SU+tjCBCNGwhiA
+unIXS9qAJsSy+VljG3ukGN1we/QzjckiwUZohEUuYqNWOyVFcW8ahBcSSpzYg0CZ
+djK9jfdkHbv6r0gPVhwJjeostOY73uej8ts9Gy0mE+JD4Zfgi5ZyYzxOOu42ELgt
+RcPn8CKctGRdkGh9EaTomtnapm2dN2XX7XPlm0691+ZKLDcV8ZJZfY9dKLbCak4T
+6IsmTdtlMhXJHXfuFU0+qykHy214C6BfmKzZob0Xdz8VD1XzdgilRZ05TOah6reY
+Amyc2n9wsT+T+o6AlwqMXcC/IPFI/XFO5IHKp5hJSe9yz2dfPofxdFPLQTK4bcx8
+isAZZeZp1MuvR5AoDK/ppsQp+7XiwWo1pg8FSCehKwuEZlEKTU7kU6bXd99aSZEq
+F/DOTPlHi7oNAz54tDPh+nV/VSr7Gao2EELVfy6g4p09+ErRhGNfo0xuVGFXkZ3h
+aW9yq3IaJbJGQU0zMSfR5vDwUuIXR8LlHdB0qUfVP6yJtlYhHblcXzCiKIJRyKZA
+5HR2bde+xPPDAf5RF0lrKjM7OH3wUPO/3j1cUYv6TGT2L1HeCfMsf8gVIN9wcYqf
+VCfsqmVH/0tv1ff8QgByNOFck80lVUKQcPumE957fPAfagChDlKlOu2uSWeiFLJZ
+XnPpValoN4TVB1cul/ol3WX478HHl/Nq/ki/wSvu3GOwq0BQE6B8PyeerCWjGskR
+9aoxXLkkZuTdVfDxg9EJGzhekNj7yRSfzykHJofoPl4BrhZlhRUySQUq7CZzbk8W
+QeEyMxDayEGRn3na4x9gLNml8x06nn9BWZP7PYAvM8OvGjvRX+OaEB+4sR4ZwYAx
+fPpuc/FMHJp4A/vOyuzM7BT1ks1YTQUl8f5/+qi5BThVW3ywd0yB9oQjb2JtYN/G
+SmGXHPgozDisaED6uAQJm21ht+GYKkff+bC8h+6IKuqCytXZbFhSHkTbVedhoYfH
+lHyt0XAJLwVXIIkfCHPrTlveujnYyGkjAVeghxYis2J0cantAP2Y585j8gXo9jiW
++fxuNEJ0ioRW6UIZ6N01pc4peLCpesBIFn8SQOg/xIhA19epW1JVtfGwYzHn6zVN
+tE3AnX3l0iqry7gchRuCcAsUN7e3PxphNPVhKzqr2azjunPKpKf7/sM8J61+t/oi
+iyWcAxQ0nohAjcIBFohJxv+qNQdMwa/9KaOgGHMKyvtguAukVNGDF9iqCLQ6SQwB
+Higw8ryEN5/7zDDDISAmfLzIKTiXOUM3/abF86C1Zuf3YsiYd18hY4tnSp5aKOTJ
+zeTbvfC3w3vU8XVuZexpCEYyWe/aSjE1
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/config/initializers/app_artifacts.rb b/config/initializers/app_artifacts.rb index bb084ab5e54..6d008630e68 100644 --- a/config/initializers/app_artifacts.rb +++ b/config/initializers/app_artifacts.rb @@ -4,6 +4,8 @@ # When adding or removing certs, make sure to update the 'saml_endpoint_configs' config store.add_artifact(:saml_2023_cert, '/%s/saml2023.crt') store.add_artifact(:saml_2023_key, '/%s/saml2023.key.enc') + store.add_artifact(:saml_2024_cert, '/%s/saml2024.crt') + store.add_artifact(:saml_2024_key, '/%s/saml2024.key.enc') store.add_artifact(:oidc_private_key, '/%s/oidc.key') { |k| OpenSSL::PKey::RSA.new(k) } store.add_artifact(:oidc_public_key, '/%s/oidc.pub') { |k| OpenSSL::PKey::RSA.new(k) } diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb index 4ea74a63f1d..67ec6865114 100644 --- a/spec/controllers/application_controller_spec.rb +++ b/spec/controllers/application_controller_spec.rb @@ -481,7 +481,7 @@ def index end context 'with a SAML request' do - let(:sp_session_request_url) { '/api/saml/auth2023' } + let(:sp_session_request_url) { '/api/saml/auth2024' } it 'returns the saml completion url' do expect(url_with_updated_params).to eq complete_saml_url end diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb index 8fe8842de91..95e75febd83 100644 --- a/spec/controllers/saml_idp_controller_spec.rb +++ b/spec/controllers/saml_idp_controller_spec.rb @@ -135,7 +135,7 @@ let(:blank_cert_element_req) do <<-XML.gsub(/^[\s\t]*|[\s\t]*\n/, '') - + http://localhost:3000 @@ -1368,7 +1368,7 @@ def name_id_version(format_urn) let(:blank_cert_element_req) do <<-XML.gsub(/^[\s\t]*|[\s\t]*\n/, '') - + http://localhost:3000 
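Review bot: The reminder comment at the top of the hunk (`# When adding or removing certs, make sure to update the 'saml_endpoint_configs' config`) understates what a rotation touches: this commit also had to change the year pinned in `spec/support/saml_auth_helper.rb` (`PATH_YEAR`) and literal years in several other specs. Extending it to `# When adding or removing certs, also update 'saml_endpoint_configs' and SamlAuthHelper::PATH_YEAR` records that for the next rotation. The 2023 cert and key stay registered alongside the new 2024 pair and nothing here retires them, which is presumably intended while both suffixes are live, but a one-line comment on the 2023 pair stating the condition for dropping it (e.g. once no relying party still uses the 2023 endpoint) would keep the overlap deliberate rather than forgotten. The `store` block these calls live in starts outside the hunk.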
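Review bot: The request path in `spec/controllers/application_controller_spec.rb` is hard-coded as `'/api/saml/auth2024'`, and the same literal year recurs in `spec/controllers/saml_idp_controller_spec.rb` (`head '/api/saml/auth2024?SAMLRequest=bang!'`, `AppArtifacts.store.saml_2024_cert`), `spec/features/saml/multiple_endpoints_spec.rb` (`let(:endpoint_suffix) { '2024' }`) and `spec/lib/app_artifacts_spec.rb` (`'/%s/saml2024.crt'`), which is why this rotation became a multi-file spec edit. Deriving the year from the helper the commit also updates, e.g. `let(:sp_session_request_url) { "/api/saml/auth#{SamlAuthHelper::PATH_YEAR}" }`, would confine future rotations to the helper and the config, assuming the support file is loaded for these specs as it is for the feature spec that includes it. `spec/lib/app_artifacts_spec.rb` only needs some file that exists in the example folder, so a year-independent artifact such as `oidc.pub`, already registered in this initializer, would decouple it from rotations entirely. The `context 'with a SAML request'` block continues outside that hunk.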
@@ -1670,7 +1670,7 @@ def name_id_version(format_urn) describe 'HEAD /api/saml/auth', type: :request do it 'responds with "403 Forbidden"' do - head '/api/saml/auth2023?SAMLRequest=bang!' + head '/api/saml/auth2024?SAMLRequest=bang!' expect(response.status).to eq(403) end @@ -1846,7 +1846,7 @@ def name_id_version(format_urn) ds: Saml::XML::Namespaces::SIGNATURE, ) - crt = AppArtifacts.store.saml_2023_cert + crt = AppArtifacts.store.saml_2024_cert expect(element.text).to eq(crt.split("\n")[1...-1].join("\n").delete("\n")) end diff --git a/spec/features/saml/multiple_endpoints_spec.rb b/spec/features/saml/multiple_endpoints_spec.rb index f697730c730..1cd42bcfba9 100644 --- a/spec/features/saml/multiple_endpoints_spec.rb +++ b/spec/features/saml/multiple_endpoints_spec.rb @@ -4,7 +4,7 @@ include SamlAuthHelper include IdvHelper - let(:endpoint_suffix) { '2023' } + let(:endpoint_suffix) { '2024' } let(:user) { create(:user, :fully_registered) } let(:endpoint_saml_settings) do diff --git a/spec/lib/app_artifacts_spec.rb b/spec/lib/app_artifacts_spec.rb index f6cf1c6acd0..55f305c487f 100644 --- a/spec/lib/app_artifacts_spec.rb +++ b/spec/lib/app_artifacts_spec.rb @@ -43,10 +43,10 @@ context 'when running locally' do it 'reads the artifact from the example folder' do store = instance.build do |store| - store.add_artifact(:test_artifact, '/%s/saml2023.crt') + store.add_artifact(:test_artifact, '/%s/saml2024.crt') end - file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2023.crt') + file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2024.crt') contents = File.read(file_path) expect(store.test_artifact).to eq(contents) expect(store['test_artifact']).to eq(contents) 
@@ -65,12 +65,12 @@ it 'allows a block to be used to transform values' do store = instance.build do |store| - store.add_artifact(:test_artifact, '/%s/saml2023.crt') do |cert| + store.add_artifact(:test_artifact, '/%s/saml2024.crt') do |cert| OpenSSL::X509::Certificate.new(cert) end end - file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2023.crt') + file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2024.crt') contents = File.read(file_path) expect(store.test_artifact).to be_a(OpenSSL::X509::Certificate) expect(store.test_artifact.to_pem).to eq(contents) @@ -80,7 +80,7 @@ describe '#method_missing' do it 'runs methods based on the configd artifact keys' do store = instance.build do |store| - store.add_artifact(:test_artifact, '/%s/saml2023.crt') + store.add_artifact(:test_artifact, '/%s/saml2024.crt') end expect { store.test_artifact }.to_not raise_error diff --git a/spec/requests/saml_requests_spec.rb b/spec/requests/saml_requests_spec.rb index 1603977bd4e..cc43e2db1ff 100644 --- a/spec/requests/saml_requests_spec.rb +++ b/spec/requests/saml_requests_spec.rb @@ -28,7 +28,7 @@ let(:cookie_regex) { /\A(?\w+)=/ } it 'renders a form for the SAML year that was requested' do - path_year = '2022' + path_year = '2023' overridden_saml_settings = saml_settings( overrides: { diff --git a/spec/services/saml_endpoint_spec.rb b/spec/services/saml_endpoint_spec.rb index ddbd7cb9a9b..9be00583054 100644 --- a/spec/services/saml_endpoint_spec.rb +++ b/spec/services/saml_endpoint_spec.rb @@ -1,7 +1,7 @@ require 'rails_helper' RSpec.describe SamlEndpoint do - let(:year) { '2023' } + let(:year) { '2024' } subject { described_class.new(year) } @@ -9,7 +9,7 @@ it 'should list the suffixes that are configured' do result = described_class.suffixes - expect(result).to eq(%w[2023 2022]) + expect(result).to eq(%w[2024 2023]) end end 
@@ -19,13 +19,13 @@ expect(result).to eq( [ - { suffix: '2023', secret_key_passphrase: 'trust-but-verify' }, + { suffix: '2024', secret_key_passphrase: 'trust-but-verify' }, { # rubocop:disable Layout/LineLength comment: 'this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb', # rubocop:enable Layout/LineLength secret_key_passphrase: 'trust-but-verify', - suffix: '2022', + suffix: '2023', }, ], ) @@ -38,7 +38,7 @@ subject.secret_key.to_pem, ).to eq( OpenSSL::PKey::RSA.new( - AppArtifacts.store.saml_2023_key, + AppArtifacts.store.saml_2024_key, 'trust-but-verify', ).to_pem, ) @@ -68,7 +68,7 @@ expect( subject.x509_certificate, ).to eq( - AppArtifacts.store.saml_2023_cert, + AppArtifacts.store.saml_2024_cert, ) end end @@ -77,7 +77,7 @@ it 'returns the saml metadata with the suffix added to the urls' do result = subject.saml_metadata - expect(result.configurator.single_service_post_location).to match(%r{api/saml/auth2023\Z}) + expect(result.configurator.single_service_post_location).to match(%r{api/saml/auth2024\Z}) end it 'does not include the SingLogoutService endpoints when configured' do @@ -95,10 +95,10 @@ result = subject.saml_metadata expect(result.configurator.single_logout_service_post_location).to match( - %r{api/saml/logout2023\Z}, + %r{api/saml/logout2024\Z}, ) expect(result.configurator.remote_logout_service_post_location).to match( - %r{api/saml/remotelogout2023\Z}, + %r{api/saml/remotelogout2024\Z}, ) end end diff --git a/spec/support/saml_auth_helper.rb b/spec/support/saml_auth_helper.rb index d89bc561cd4..d3512f222df 100644 --- a/spec/support/saml_auth_helper.rb +++ b/spec/support/saml_auth_helper.rb @@ -2,7 +2,7 @@ ## GET /api/saml/auth helper methods module SamlAuthHelper - PATH_YEAR = '2023' + PATH_YEAR = '2024' SP_ISSUER = 'http://localhost:3000' def saml_settings(overrides: {}) 
@@ -136,7 +136,7 @@ def saml_test_sp_key end def saml_test_idp_cert - AppArtifacts.store.saml_2023_cert + AppArtifacts.store.saml_2024_cert end public
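Review bot: `saml_test_idp_cert` still names the year directly (`AppArtifacts.store.saml_2024_cert`) even though the same module now defines `PATH_YEAR = '2024'` in the earlier hunk, so the two can drift apart at the next rotation. Since `spec/lib/app_artifacts_spec.rb` in this commit shows the store also supports string lookup (`store['test_artifact']`), the method could read `AppArtifacts.store["saml_#{PATH_YEAR}_cert"]` and follow the constant automatically. The hunk's first line is the closing `end` of `saml_test_sp_key`, whose body is outside the hunk.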