adding SAML2024 example certs + references, updating tests to use them

config/application.yml.default

@@ -409,7 +409,7 @@ development:
   risc_notifications_local_enabled: true
   s3_report_bucket_prefix: ''
   s3_report_public_bucket_prefix: ''
-  saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"}]'
+  saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"},{"suffix":"2024","secret_key_passphrase":"trust-but-verify"}]'
   scrypt_cost: 10000$8$1$
   secret_key_base: development_secret_key_base
   session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
@@ -566,7 +566,7 @@ test:
   reset_password_email_window_in_minutes: 80
   s3_report_bucket_prefix: ''
   s3_report_public_bucket_prefix: ''
-  saml_endpoint_configs: '[{"suffix":"2023","secret_key_passphrase":"trust-but-verify"},{"suffix":"2022","secret_key_passphrase":"trust-but-verify","comment":"this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb"}]'
+  saml_endpoint_configs: '[{"suffix":"2024","secret_key_passphrase":"trust-but-verify"},{"suffix":"2023","secret_key_passphrase":"trust-but-verify","comment":"this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb"}]'
   scrypt_cost: 800$8$1$
   secret_key_base: test_secret_key_base
   session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120

config/artifacts.example/local/saml2024.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID+TCCAuGgAwIBAgIUUS6s9Rb+KY0fT0qKKgqPPJij/HMwDQYJKoZIhvcNAQEL
+BQAwgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJp
+YTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlM
+b2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292
+MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1owgYsxCzAJBgNVBAYTAlVT
+MR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGlu
+Z3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMM
+HWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAhmcFFn4b56vHlGBQ1Lx6AXz17sqKnCc6sJ+9csP1RtQB
+I0NpPHB2z9Di1PNk/ElK7V7yh3uMu4FJYw30GZFUl2f/ttsDkNHrwfh/jzbMNjrO
+Sc0P25oem4uOUfeGH9jtMhKa+HZLOaOmcyWFKkYR2mwacEbQJ1CWviHtP8AzHUPS
+bHklAmusRLuygTjq0+QRJZgSezGqwU1L3ixPq+gMzPtMS+fxsMOVo2eosip440gz
+4rcqUUogtD2hV8EQi3+GIkGYuMTS81ug/385TCPEhzWMnNmDi3HykOZeRNb4GfCY
+w0Yx+v+cb7BPD5EdxUHNwliHvSiRAeYqLjBjuNUfKQIDAQABo1MwUTAdBgNVHQ4E
+FgQUusictYnNM2TbIt5STz2lkYN1sI8wHwYDVR0jBBgwFoAUusictYnNM2TbIt5S
+Tz2lkYN1sI8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATuLF
+4kHeP7FY9Wzm3DfF+m/5wUhJEtbsF8J9Wq8duhQ4/gtZVJgMDUKLsnSDLCtWiRls
+FXquI8tlo32JsVo5NfZI9WYsub7192iCYpqE+x5G+94tt5vAayoF7GKGPxatyldx
+AQUz7RUzwqas7NCYXQ0p7wZrMqF8z2yvaUgL55v8TJIb7RP+D8b47Cmzx7IYmx3C
+o30vZWysQe61Bv880hG11YJsBAc0hmyWlokJYZZVm+xcjKkm6aFyyAbeCe0Kh68Q
+U7f9YkpFv/sW2RIvZ/Z0gvxjJE+YJBwOwPDDHdkb0ZmKOJvlaabi5lkTZvUtTHXb
+5Hu7DxRRt91dm77MlQ==
+-----END CERTIFICATE-----

config/artifacts.example/local/saml2024.key.enc

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQvoM9ufOajK6ZqU1g
+ECKI4AICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIsXGfRQ2OkcUEggTI
+aC8OvHbA1vvBJNmci+1P6m8vqNwip+J4Xq0jQsam2YLwr+YTCQck/FcxG6LUGtqD
+cGjGtf4e4DIY8qF6pRgysf8nUsmR5RfKYENybjPITPV1IG6aGt1QrdRZYgKRJOwq
+9z2BSu3oUEMOVqStG4bLG7dPoKx4ufXF4iTunA5jESWeduME9j0ey2m3EwqJv84Y
+/QeHJK5ruSoQJUJ8OZWlpc4Oz+V6j5l+8iPTO4DX3b8LVVQsl5kcv53gKFP7n4xo
+ys0xICBA1QuXoUV3MUhO+EIUpNP0oegTE7Xn8dR+wnUxr8r3u2SU+tjCBCNGwhiA
+unIXS9qAJsSy+VljG3ukGN1we/QzjckiwUZohEUuYqNWOyVFcW8ahBcSSpzYg0CZ
+djK9jfdkHbv6r0gPVhwJjeostOY73uej8ts9Gy0mE+JD4Zfgi5ZyYzxOOu42ELgt
+RcPn8CKctGRdkGh9EaTomtnapm2dN2XX7XPlm0691+ZKLDcV8ZJZfY9dKLbCak4T
+6IsmTdtlMhXJHXfuFU0+qykHy214C6BfmKzZob0Xdz8VD1XzdgilRZ05TOah6reY
+Amyc2n9wsT+T+o6AlwqMXcC/IPFI/XFO5IHKp5hJSe9yz2dfPofxdFPLQTK4bcx8
+isAZZeZp1MuvR5AoDK/ppsQp+7XiwWo1pg8FSCehKwuEZlEKTU7kU6bXd99aSZEq
+F/DOTPlHi7oNAz54tDPh+nV/VSr7Gao2EELVfy6g4p09+ErRhGNfo0xuVGFXkZ3h
+aW9yq3IaJbJGQU0zMSfR5vDwUuIXR8LlHdB0qUfVP6yJtlYhHblcXzCiKIJRyKZA
+5HR2bde+xPPDAf5RF0lrKjM7OH3wUPO/3j1cUYv6TGT2L1HeCfMsf8gVIN9wcYqf
+VCfsqmVH/0tv1ff8QgByNOFck80lVUKQcPumE957fPAfagChDlKlOu2uSWeiFLJZ
+XnPpValoN4TVB1cul/ol3WX478HHl/Nq/ki/wSvu3GOwq0BQE6B8PyeerCWjGskR
+9aoxXLkkZuTdVfDxg9EJGzhekNj7yRSfzykHJofoPl4BrhZlhRUySQUq7CZzbk8W
+QeEyMxDayEGRn3na4x9gLNml8x06nn9BWZP7PYAvM8OvGjvRX+OaEB+4sR4ZwYAx
+fPpuc/FMHJp4A/vOyuzM7BT1ks1YTQUl8f5/+qi5BThVW3ywd0yB9oQjb2JtYN/G
+SmGXHPgozDisaED6uAQJm21ht+GYKkff+bC8h+6IKuqCytXZbFhSHkTbVedhoYfH
+lHyt0XAJLwVXIIkfCHPrTlveujnYyGkjAVeghxYis2J0cantAP2Y585j8gXo9jiW
++fxuNEJ0ioRW6UIZ6N01pc4peLCpesBIFn8SQOg/xIhA19epW1JVtfGwYzHn6zVN
+tE3AnX3l0iqry7gchRuCcAsUN7e3PxphNPVhKzqr2azjunPKpKf7/sM8J61+t/oi
+iyWcAxQ0nohAjcIBFohJxv+qNQdMwa/9KaOgGHMKyvtguAukVNGDF9iqCLQ6SQwB
+Higw8ryEN5/7zDDDISAmfLzIKTiXOUM3/abF86C1Zuf3YsiYd18hY4tnSp5aKOTJ
+zeTbvfC3w3vU8XVuZexpCEYyWe/aSjE1
+-----END ENCRYPTED PRIVATE KEY-----

config/initializers/app_artifacts.rb

@@ -4,6 +4,8 @@
   # When adding or removing certs, make sure to update the 'saml_endpoint_configs' config
   store.add_artifact(:saml_2023_cert, '/%<env>s/saml2023.crt')
   store.add_artifact(:saml_2023_key, '/%<env>s/saml2023.key.enc')
+  store.add_artifact(:saml_2024_cert, '/%<env>s/saml2024.crt')
+  store.add_artifact(:saml_2024_key, '/%<env>s/saml2024.key.enc')
 
   store.add_artifact(:oidc_private_key, '/%<env>s/oidc.key') { |k| OpenSSL::PKey::RSA.new(k) }
   store.add_artifact(:oidc_public_key, '/%<env>s/oidc.pub') { |k| OpenSSL::PKey::RSA.new(k) }

spec/controllers/application_controller_spec.rb

@@ -481,7 +481,7 @@ def index
     end
 
     context 'with a SAML request' do
-      let(:sp_session_request_url) { '/api/saml/auth2023' }
+      let(:sp_session_request_url) { '/api/saml/auth2024' }
       it 'returns the saml completion url' do
         expect(url_with_updated_params).to eq complete_saml_url
       end

spec/controllers/saml_idp_controller_spec.rb

@@ -135,7 +135,7 @@
       let(:blank_cert_element_req) do
         <<-XML.gsub(/^[\s\t]*|[\s\t]*\n/, '')
           <?xml version="1.0"?>
-          <samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://www.example.com/api/saml/logout2023" ID="_223d186c-35a0-4d1f-b81a-c473ad496415" IssueInstant="2024-01-11T18:22:03Z" Version="2.0">
+          <samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://www.example.com/api/saml/logout2024" ID="_223d186c-35a0-4d1f-b81a-c473ad496415" IssueInstant="2024-01-11T18:22:03Z" Version="2.0">
             <saml:Issuer>http://localhost:3000</saml:Issuer>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
@@ -1368,7 +1368,7 @@ def name_id_version(format_urn)
       let(:blank_cert_element_req) do
         <<-XML.gsub(/^[\s\t]*|[\s\t]*\n/, '')
           <?xml version="1.0"?>
-          <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:3000/test/saml/decode_assertion" Destination="http://www.example.com/api/saml/auth2023" ID="_6b15011e-abfe-4c55-925f-6a5b3872a64c" IssueInstant="2024-01-11T18:03:38Z" Version="2.0">
+          <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:3000/test/saml/decode_assertion" Destination="http://www.example.com/api/saml/auth2024" ID="_6b15011e-abfe-4c55-925f-6a5b3872a64c" IssueInstant="2024-01-11T18:03:38Z" Version="2.0">
             <saml:Issuer>http://localhost:3000</saml:Issuer>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
@@ -1670,7 +1670,7 @@ def name_id_version(format_urn)
 
     describe 'HEAD /api/saml/auth', type: :request do
       it 'responds with "403 Forbidden"' do
-        head '/api/saml/auth2023?SAMLRequest=bang!'
+        head '/api/saml/auth2024?SAMLRequest=bang!'
 
         expect(response.status).to eq(403)
       end
@@ -1846,7 +1846,7 @@ def name_id_version(format_urn)
             ds: Saml::XML::Namespaces::SIGNATURE,
           )
 
-          crt = AppArtifacts.store.saml_2023_cert
+          crt = AppArtifacts.store.saml_2024_cert
           expect(element.text).to eq(crt.split("\n")[1...-1].join("\n").delete("\n"))
         end
 

spec/features/saml/multiple_endpoints_spec.rb

@@ -4,7 +4,7 @@
   include SamlAuthHelper
   include IdvHelper
 
-  let(:endpoint_suffix) { '2023' }
+  let(:endpoint_suffix) { '2024' }
   let(:user) { create(:user, :fully_registered) }
 
   let(:endpoint_saml_settings) do

spec/lib/app_artifacts_spec.rb

@@ -43,10 +43,10 @@
     context 'when running locally' do
       it 'reads the artifact from the example folder' do
         store = instance.build do |store|
-          store.add_artifact(:test_artifact, '/%<env>s/saml2023.crt')
+          store.add_artifact(:test_artifact, '/%<env>s/saml2024.crt')
         end
 
-        file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2023.crt')
+        file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2024.crt')
         contents = File.read(file_path)
         expect(store.test_artifact).to eq(contents)
         expect(store['test_artifact']).to eq(contents)
@@ -65,12 +65,12 @@
 
     it 'allows a block to be used to transform values' do
       store = instance.build do |store|
-        store.add_artifact(:test_artifact, '/%<env>s/saml2023.crt') do |cert|
+        store.add_artifact(:test_artifact, '/%<env>s/saml2024.crt') do |cert|
           OpenSSL::X509::Certificate.new(cert)
         end
       end
 
-      file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2023.crt')
+      file_path = Rails.root.join('config', 'artifacts.example', 'local', 'saml2024.crt')
       contents = File.read(file_path)
       expect(store.test_artifact).to be_a(OpenSSL::X509::Certificate)
       expect(store.test_artifact.to_pem).to eq(contents)
@@ -80,7 +80,7 @@
   describe '#method_missing' do
     it 'runs methods based on the configd artifact keys' do
       store = instance.build do |store|
-        store.add_artifact(:test_artifact, '/%<env>s/saml2023.crt')
+        store.add_artifact(:test_artifact, '/%<env>s/saml2024.crt')
       end
 
       expect { store.test_artifact }.to_not raise_error

spec/requests/saml_requests_spec.rb

@@ -28,7 +28,7 @@
     let(:cookie_regex) { /\A(?<cookie>\w+)=/ }
 
     it 'renders a form for the SAML year that was requested' do
-      path_year = '2022'
+      path_year = '2023'
 
       overridden_saml_settings = saml_settings(
         overrides: {

spec/services/saml_endpoint_spec.rb

@@ -1,15 +1,15 @@
 require 'rails_helper'
 
 RSpec.describe SamlEndpoint do
-  let(:year) { '2023' }
+  let(:year) { '2024' }
 
   subject { described_class.new(year) }
 
   describe '.suffixes' do
     it 'should list the suffixes that are configured' do
       result = described_class.suffixes
 
-      expect(result).to eq(%w[2023 2022])
+      expect(result).to eq(%w[2024 2023])
     end
   end
 
@@ -19,13 +19,13 @@
 
       expect(result).to eq(
         [
-          { suffix: '2023', secret_key_passphrase: 'trust-but-verify' },
+          { suffix: '2024', secret_key_passphrase: 'trust-but-verify' },
           {
             # rubocop:disable Layout/LineLength
             comment: 'this extra year is needed to demonstrate how handling multiple live years works in spec/requests/saml_requests_spec.rb',
             # rubocop:enable Layout/LineLength
             secret_key_passphrase: 'trust-but-verify',
-            suffix: '2022',
+            suffix: '2023',
           },
         ],
       )
@@ -38,7 +38,7 @@
         subject.secret_key.to_pem,
       ).to eq(
         OpenSSL::PKey::RSA.new(
-          AppArtifacts.store.saml_2023_key,
+          AppArtifacts.store.saml_2024_key,
           'trust-but-verify',
         ).to_pem,
       )
@@ -68,7 +68,7 @@
       expect(
         subject.x509_certificate,
       ).to eq(
-        AppArtifacts.store.saml_2023_cert,
+        AppArtifacts.store.saml_2024_cert,
       )
     end
   end
@@ -77,7 +77,7 @@
     it 'returns the saml metadata with the suffix added to the urls' do
       result = subject.saml_metadata
 
-      expect(result.configurator.single_service_post_location).to match(%r{api/saml/auth2023\Z})
+      expect(result.configurator.single_service_post_location).to match(%r{api/saml/auth2024\Z})
     end
 
     it 'does not include the SingLogoutService endpoints when configured' do
@@ -95,10 +95,10 @@
       result = subject.saml_metadata
 
       expect(result.configurator.single_logout_service_post_location).to match(
-        %r{api/saml/logout2023\Z},
+        %r{api/saml/logout2024\Z},
       )
       expect(result.configurator.remote_logout_service_post_location).to match(
-        %r{api/saml/remotelogout2023\Z},
+        %r{api/saml/remotelogout2024\Z},
       )
     end
   end

spec/support/saml_auth_helper.rb

@@ -2,7 +2,7 @@
 
 ## GET /api/saml/auth helper methods
 module SamlAuthHelper
-  PATH_YEAR = '2023'
+  PATH_YEAR = '2024'
   SP_ISSUER = 'http://localhost:3000'
 
   def saml_settings(overrides: {})
@@ -136,7 +136,7 @@ def saml_test_sp_key
   end
 
   def saml_test_idp_cert
-    AppArtifacts.store.saml_2023_cert
+    AppArtifacts.store.saml_2024_cert
   end
 
   public