(feat) add sp certificate for saml provider

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - improvement: add loader for create/delete availability slot
 - improvement: allow admin configure memeber's profile gender/birthday as required
+- improvement: add sp certificate for saml provider
 - Fix a bug: unable to update a space with a deleted machine
 - Fix a bug: unable to get invoice payment details if the account code is same for card/transfer payment method
 - updates translations

app/controllers/api/auth_providers_controller.rb

@@ -108,7 +108,8 @@ class API::AuthProvidersController < API::APIController
     elsif params['auth_provider']['providable_type'] == SamlProvider.name
       params.require(:auth_provider)
             .permit(:id, :name, :providable_type,
-                    providable_attributes: [:id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url],
+                    providable_attributes: %i[id sp_entity_id idp_sso_service_url profile_url idp_cert_fingerprint idp_cert
+                                              idp_slo_service_url authn_requests_signed want_assertions_signed sp_certificate sp_private_key],
                     auth_provider_mappings_attributes: [:id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type,
                                                         :_destroy, { transformation: [:type, :format, :true_value, :false_value,
                                                                                       { mapping: %i[from to] }] }])

app/frontend/src/javascript/components/authentication-provider/provider-form.tsx

@@ -118,7 +118,7 @@ export const ProviderForm: React.FC<ProviderFormProps> = ({ action, provider, on
                                                                         currentFormValues={output.providable_attributes as OpenIdConnectProvider}
                                                                         formState={formState}
                                                                         setValue={setValue} />}
-      {providableType === 'SamlProvider' && <SamlForm register={register} strategyName={strategyName} formState={formState} />}
+      {providableType === 'SamlProvider' && <SamlForm register={register} control={control} strategyName={strategyName} formState={formState} />}
       {providableType && providableType !== 'DatabaseProvider' && <DataMappingForm register={register}
                                                                                    control={control}
                                                                                    formState={formState}

app/frontend/src/javascript/components/authentication-provider/saml-form.tsx

@@ -1,12 +1,13 @@
 import { FormInput } from '../form/form-input';
-import { UseFormRegister, FormState } from 'react-hook-form';
+import { FormSwitch } from '../form/form-switch';
+import { UseFormRegister, FormState, Control } from 'react-hook-form';
 import { FieldValues } from 'react-hook-form/dist/types/fields';
 import { useTranslation } from 'react-i18next';
 import { FabOutputCopy } from '../base/fab-output-copy';
-import ValidationLib from '../../lib/validation';
 
-interface SamlFormProps<TFieldValues> {
+interface SamlFormProps<TFieldValues, TContext extends object> {
   register: UseFormRegister<TFieldValues>,
+  control: Control<TFieldValues, TContext>,
   formState: FormState<TFieldValues>,
   strategyName?: string,
 }
@@ -14,7 +15,7 @@ interface SamlFormProps<TFieldValues> {
 /**
  * Partial form to fill the OAuth2 settings for a new/existing authentication provider.
  */
-export const SamlForm = <TFieldValues extends FieldValues>({ register, strategyName, formState }: SamlFormProps<TFieldValues>) => {
+export const SamlForm = <TFieldValues extends FieldValues, TContext extends object>({ register, strategyName, formState, control }: SamlFormProps<TFieldValues, TContext>) => {
   const { t } = useTranslation('admin');
 
   /**
@@ -39,7 +40,7 @@ export const SamlForm = <TFieldValues extends FieldValues>({ register, strategyN
                  placeholder="https://sso.example.net..."
                  label={t('app.admin.authentication.saml_form.idp_sso_service_url')}
                  tooltip={t('app.admin.authentication.saml_form.idp_sso_service_url_help')}
-                 rules={{ required: true, pattern: ValidationLib.urlRegex }}
+                 rules={{ required: true }}
                  formState={formState} />
       <FormInput id="providable_attributes.idp_cert_fingerprint"
                  register={register}
@@ -56,14 +57,29 @@ export const SamlForm = <TFieldValues extends FieldValues>({ register, strategyN
                  placeholder="https://exemple.net/user..."
                  label={t('app.admin.authentication.saml_form.profile_edition_url')}
                  tooltip={t('app.admin.authentication.saml_form.profile_edition_url_help')}
-                 rules={{ required: true, pattern: ValidationLib.urlRegex }}
+                 rules={{ required: true }}
                  formState={formState} />
       <FormInput id="providable_attributes.idp_slo_service_url"
                  register={register}
                  placeholder="https://sso.exemple.net..."
                  label={t('app.admin.authentication.saml_form.idp_slo_service_url')}
                  tooltip={t('app.admin.authentication.saml_form.idp_slo_service_url_help')}
-                 rules={{ pattern: ValidationLib.urlRegex }}
+                 formState={formState} />
+      <FormSwitch id="providable_attributes.authn_requests_signed" control={control}
+                  formState={formState}
+                  label={t('app.admin.authentication.saml_form.authn_requests_signed')} />
+      <FormSwitch id="providable_attributes.want_assertions_signed" control={control}
+                  formState={formState}
+                  label={t('app.admin.authentication.saml_form.want_assertions_signed')} />
+      <FormInput id="providable_attributes.sp_certificate"
+                 register={register}
+                 placeholder="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
+                 label={t('app.admin.authentication.saml_form.sp_certificate')}
+                 formState={formState} />
+      <FormInput id="providable_attributes.sp_private_key"
+                 register={register}
+                 placeholder="-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----"
+                 label={t('app.admin.authentication.saml_form.sp_private_key')}
                  formState={formState} />
     </div>
   );

app/frontend/src/javascript/models/authentication-provider.ts

@@ -73,6 +73,10 @@ export interface SamlProvider {
   idp_cert: string,
   profile_url: string,
   idp_slo_service_url: string,
+  sp_certificate: string,
+  sp_private_key: string,
+  authn_requests_signed: boolean,
+  want_assertions_signed: boolean
 }
 
 export interface MappingFields {

app/views/api/auth_providers/show.json.jbuilder

@@ -6,7 +6,8 @@ json.partial! 'api/auth_providers/auth_provider', auth_provider: @provider
 
 if @provider.providable_type == OAuth2Provider.name
   json.providable_attributes do
-    json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret, :scopes
+    json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret,
+                  :scopes
   end
 end
 
@@ -22,6 +23,7 @@ end
 
 if @provider.providable_type == SamlProvider.name
   json.providable_attributes do
-    json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url
+    json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url,
+                  :authn_requests_signed, :want_assertions_signed, :sp_certificate, :sp_private_key
   end
 end

app/views/auth_provider/provider.json.jbuilder

@@ -23,6 +23,7 @@ end
 
 if provider.providable_type == 'SamlProvider'
   json.providable_attributes do
-    json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url
+    json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url,
+                  :authn_requests_signed, :want_assertions_signed, :sp_certificate, :sp_private_key
   end
 end

config/initializers/devise.rb

@@ -253,6 +253,12 @@ Devise.setup do |config|
                       idp_slo_service_url: active_provider.providable.idp_slo_service_url,
                       idp_cert: active_provider.providable.idp_cert,
                       idp_cert_fingerprint: active_provider.providable.idp_cert_fingerprint,
+                      certificate: active_provider.providable.sp_certificate,
+                      private_key: active_provider.providable.sp_private_key,
+                      security: OneLogin::RubySaml::Settings::DEFAULTS[:security].merge({
+                        authn_requests_signed: active_provider.providable.authn_requests_signed,
+                        want_assertions_signed: active_provider.providable.want_assertions_signed
+                      }),
                       strategy_class: OmniAuth::Strategies::SsoSamlProvider
     end
   end

config/locales/app.admin.de.yml

@@ -1571,6 +1571,10 @@ de:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Name"
           authentication_type: "Authentifizierungsart"

config/locales/app.admin.en.yml

@@ -1571,6 +1571,10 @@ en:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Name"
           authentication_type: "Authentication type"

config/locales/app.admin.es-MX.yml

@@ -1571,6 +1571,10 @@ es-MX:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Nombre"
           authentication_type: "Tipo de autenticación"

config/locales/app.admin.es.yml

@@ -1571,6 +1571,10 @@ es:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Nombre"
           authentication_type: "Tipo de autenticación"

config/locales/app.admin.fr.yml

@@ -1571,6 +1571,10 @@ fr:
           profile_edition_url_help: "L'URL de la page où l'utilisateur peut modifier son profil."
           idp_slo_service_url: "URL de demande de déconnexion"
           idp_slo_service_url_help: "L'URL à laquelle la requête d'authentification doit être envoyée. Cela serait sur le fournisseur d'identité."
+          authn_requests_signed: "Demandes d'authentification signées"
+          want_assertions_signed: "Exiger des Assertions signées"
+          sp_certificate: "Certificat du SP"
+          sp_private_key: "Clé privée du SP"
         provider_form:
           name: "Nom"
           authentication_type: "Type d'authentification"

config/locales/app.admin.it.yml

@@ -1571,6 +1571,10 @@ it:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Nome"
           authentication_type: "Tipo di autenticazione"

config/locales/app.admin.no.yml

@@ -1571,6 +1571,10 @@
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Name"
           authentication_type: "Authentication type"

config/locales/app.admin.pt.yml

@@ -1571,6 +1571,10 @@ pt:
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Nome"
           authentication_type: "Tipo de autenticação"

config/locales/app.admin.sv.yml

@@ -1571,6 +1571,10 @@ sv:
           profile_edition_url_help: "URL till sidan där användaren kan redigera sin profil."
           idp_slo_service_url: "Single logout request URL"
           idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
+          authn_requests_signed: "Authentification requests signed"
+          want_assertions_signed: "Want assertions signed"
+          sp_certificate: "Service provider certificate"
+          sp_private_key: "Service provider private key"
         provider_form:
           name: "Namn"
           authentication_type: "Autentiseringstyp"

config/locales/app.admin.zu.yml

@@ -1571,6 +1571,10 @@ zu:
           profile_edition_url_help: "crwdns38162:0crwdne38162:0"
           idp_slo_service_url: "crwdns38176:0crwdne38176:0"
           idp_slo_service_url_help: "crwdns38178:0crwdne38178:0"
+          authn_requests_signed: "crwdns38200:0crwdne38200:0"
+          want_assertions_signed: "crwdns38202:0crwdne38202:0"
+          sp_certificate: "crwdns38204:0crwdne38204:0"
+          sp_private_key: "crwdns38206:0crwdne38206:0"
         provider_form:
           name: "crwdns26204:0crwdne26204:0"
           authentication_type: "crwdns26206:0crwdne26206:0"

db/migrate/20240327095614_add_sp_certificate_to_saml_provider.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class AddSpCertificateToSamlProvider < ActiveRecord::Migration[7.0]
+  def change
+    add_column :saml_providers, :sp_certificate, :string
+    add_column :saml_providers, :sp_private_key, :string
+    add_column :saml_providers, :authn_requests_signed, :boolean, default: false
+    add_column :saml_providers, :want_assertions_signed, :boolean, default: false
+  end
+end

db/structure.sql

@@ -3279,7 +3279,11 @@ CREATE TABLE public.saml_providers (
     profile_url character varying,
     idp_cert character varying,
     idp_cert_fingerprint character varying,
-    idp_slo_service_url character varying
+    idp_slo_service_url character varying,
+    sp_certificate character varying,
+    sp_private_key character varying,
+    authn_requests_signed boolean DEFAULT false,
+    want_assertions_signed boolean DEFAULT false
 );
 
 
@@ -9326,6 +9330,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20240116163703'),
 ('20240126145351'),
 ('20240126192110'),
-('20240220140225');
+('20240220140225'),
+('20240327095614');