From 407c0173aba63732038fc0d5d1f53a1555f4adb1 Mon Sep 17 00:00:00 2001 From: Du Peng Date: Wed, 27 Mar 2024 14:41:30 +0100 Subject: [PATCH] (feat) add sp certificate for saml provider --- CHANGELOG.md | 1 + .../api/auth_providers_controller.rb | 3 +- .../authentication-provider/provider-form.tsx | 2 +- .../authentication-provider/saml-form.tsx | 30 ++++++++++++++----- .../models/authentication-provider.ts | 4 +++ .../api/auth_providers/show.json.jbuilder | 6 ++-- .../auth_provider/provider.json.jbuilder | 3 +- config/initializers/devise.rb | 6 ++++ config/locales/app.admin.de.yml | 4 +++ config/locales/app.admin.en.yml | 4 +++ config/locales/app.admin.es-MX.yml | 4 +++ config/locales/app.admin.es.yml | 4 +++ config/locales/app.admin.fr.yml | 4 +++ config/locales/app.admin.it.yml | 4 +++ config/locales/app.admin.no.yml | 4 +++ config/locales/app.admin.pt.yml | 4 +++ config/locales/app.admin.sv.yml | 4 +++ config/locales/app.admin.zu.yml | 4 +++ ...614_add_sp_certificate_to_saml_provider.rb | 10 +++++++ db/structure.sql | 9 ++++-- 20 files changed, 100 insertions(+), 14 deletions(-) create mode 100644 db/migrate/20240327095614_add_sp_certificate_to_saml_provider.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index d08c05844..79d13df4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ - improvement: add loader for create/delete availability slot - improvement: allow admin configure memeber's profile gender/birthday as required +- improvement: add sp certificate for saml provider - Fix a bug: unable to update a space with a deleted machine - Fix a bug: unable to get invoice payment details if the account code is same for card/transfer payment method - updates translations diff --git a/app/controllers/api/auth_providers_controller.rb b/app/controllers/api/auth_providers_controller.rb index 642236355..907e41e8b 100644 --- a/app/controllers/api/auth_providers_controller.rb +++ b/app/controllers/api/auth_providers_controller.rb 
@@ -108,7 +108,8 @@ class API::AuthProvidersController < API::APIController elsif params['auth_provider']['providable_type'] == SamlProvider.name params.require(:auth_provider) .permit(:id, :name, :providable_type, - providable_attributes: [:id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url], + providable_attributes: %i[id sp_entity_id idp_sso_service_url profile_url idp_cert_fingerprint idp_cert + idp_slo_service_url authn_requests_signed want_assertions_signed sp_certificate sp_private_key], auth_provider_mappings_attributes: [:id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type, :_destroy, { transformation: [:type, :format, :true_value, :false_value, { mapping: %i[from to] }] }]) diff --git a/app/frontend/src/javascript/components/authentication-provider/provider-form.tsx b/app/frontend/src/javascript/components/authentication-provider/provider-form.tsx index 5eb8227b6..8ae761d6f 100644 --- a/app/frontend/src/javascript/components/authentication-provider/provider-form.tsx +++ b/app/frontend/src/javascript/components/authentication-provider/provider-form.tsx @@ -118,7 +118,7 @@ export const ProviderForm: React.FC = ({ action, provider, on currentFormValues={output.providable_attributes as OpenIdConnectProvider} formState={formState} setValue={setValue} />} - {providableType === 'SamlProvider' && } + {providableType === 'SamlProvider' && } {providableType && providableType !== 'DatabaseProvider' && { +interface SamlFormProps { register: UseFormRegister, + control: Control, formState: FormState, strategyName?: string, } @@ -14,7 +15,7 @@ interface SamlFormProps { /** * Partial form to fill the OAuth2 settings for a new/existing authentication provider. */ -export const SamlForm = ({ register, strategyName, formState }: SamlFormProps) => { +export const SamlForm = ({ register, strategyName, formState, control }: SamlFormProps) => { const { t } = useTranslation('admin'); /** 
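Review bot: The new `authn_requests_signed` and `want_assertions_signed` flags are permitted here together with `sp_certificate` and `sp_private_key`, but nothing in this commit checks that a signing certificate and key are actually present when request signing is switched on, so a misconfiguration would only surface at the first SSO login instead of on save. A model-level guard on SamlProvider (the model is not in the diff, so confirm it does not already exist) would catch it at configuration time: `validates :sp_certificate, :sp_private_key, presence: true, if: :authn_requests_signed`. The enclosing method starts and ends outside the hunk.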
@@ -39,7 +40,7 @@ export const SamlForm = ({ register, strategyN placeholder="https://sso.example.net..." label={t('app.admin.authentication.saml_form.idp_sso_service_url')} tooltip={t('app.admin.authentication.saml_form.idp_sso_service_url_help')} - rules={{ required: true, pattern: ValidationLib.urlRegex }} + rules={{ required: true }} formState={formState} /> ({ register, strategyN placeholder="https://exemple.net/user..." label={t('app.admin.authentication.saml_form.profile_edition_url')} tooltip={t('app.admin.authentication.saml_form.profile_edition_url_help')} - rules={{ required: true, pattern: ValidationLib.urlRegex }} + rules={{ required: true }} formState={formState} /> + + + + ); diff --git a/app/frontend/src/javascript/models/authentication-provider.ts b/app/frontend/src/javascript/models/authentication-provider.ts index f56c94bf8..3e406185c 100644 --- a/app/frontend/src/javascript/models/authentication-provider.ts +++ b/app/frontend/src/javascript/models/authentication-provider.ts @@ -73,6 +73,10 @@ export interface SamlProvider { idp_cert: string, profile_url: string, idp_slo_service_url: string, + sp_certificate: string, + sp_private_key: string, + authn_requests_signed: boolean, + want_assertions_signed: boolean } export interface MappingFields { diff --git a/app/views/api/auth_providers/show.json.jbuilder b/app/views/api/auth_providers/show.json.jbuilder index 18a2ab3e0..9a5f48295 100644 --- a/app/views/api/auth_providers/show.json.jbuilder +++ b/app/views/api/auth_providers/show.json.jbuilder 
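Review bot: The `pattern: ValidationLib.urlRegex` rule is dropped from `idp_sso_service_url` here and from `profile_url` in the next hunk on this line, leaving only `required: true`, and neither the commit message nor the changelog entry explains why. The SSO service URL is the address the browser is sent to for login, so keeping at least a client-side format check is worthwhile; if the regex rejected legitimate IdP URLs, loosening the pattern is preferable to removing it, i.e. keep `rules={{ required: true, pattern: ValidationLib.urlRegex }}` with an adjusted regex. The closing hunk on this line adds the new certificate and key fields, but its JSX did not survive this rendering, so the new inputs could not be reviewed here. The SamlForm component starts outside these hunks.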
@@ -6,7 +6,8 @@ json.partial! 'api/auth_providers/auth_provider', auth_provider: @provider if @provider.providable_type == OAuth2Provider.name json.providable_attributes do - json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret, :scopes + json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret, + :scopes end end @@ -22,6 +23,7 @@ end if @provider.providable_type == SamlProvider.name json.providable_attributes do - json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url + json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url, + :authn_requests_signed, :want_assertions_signed, :sp_certificate, :sp_private_key end end diff --git a/app/views/auth_provider/provider.json.jbuilder b/app/views/auth_provider/provider.json.jbuilder index dda5a9a72..149f91f89 100644 --- a/app/views/auth_provider/provider.json.jbuilder +++ b/app/views/auth_provider/provider.json.jbuilder @@ -23,6 +23,7 @@ end if provider.providable_type == 'SamlProvider' json.providable_attributes do - json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url + json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url, + :authn_requests_signed, :want_assertions_signed, :sp_certificate, :sp_private_key end end diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 716ff45ca..4b334e06c 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb 
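Review bot: `:sp_private_key` is appended to the `json.extract!` list in the second hunk of `show.json.jbuilder` and again in `provider.json.jbuilder`, so the SP signing key is returned in clear text by every response rendering these views, although the key is only ever consumed server-side by the SAML strategy. Remove it from both `extract!` calls and, if the admin form needs to know whether a key is configured, expose a derived flag such as `json.sp_private_key_set @provider.providable.sp_private_key.present?` instead. `client_secret` in the OAuth2 branch has the same exposure and would benefit from the same treatment, though that predates this change. `app/views/auth_provider/provider.json.jbuilder` sits outside the `api/` views, so confirm which callers can reach it before relying on admin-only access.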
@@ -253,6 +253,12 @@ Devise.setup do |config| idp_slo_service_url: active_provider.providable.idp_slo_service_url, idp_cert: active_provider.providable.idp_cert, idp_cert_fingerprint: active_provider.providable.idp_cert_fingerprint, + certificate: active_provider.providable.sp_certificate, + private_key: active_provider.providable.sp_private_key, + security: OneLogin::RubySaml::Settings::DEFAULTS[:security].merge({ + authn_requests_signed: active_provider.providable.authn_requests_signed, + want_assertions_signed: active_provider.providable.want_assertions_signed + }), strategy_class: OmniAuth::Strategies::SsoSamlProvider end end diff --git a/config/locales/app.admin.de.yml b/config/locales/app.admin.de.yml index 4dbe34465..1ff86dfe4 100644 --- a/config/locales/app.admin.de.yml +++ b/config/locales/app.admin.de.yml @@ -1571,6 +1571,10 @@ de: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Name" authentication_type: "Authentifizierungsart" diff --git a/config/locales/app.admin.en.yml b/config/locales/app.admin.en.yml index f9b091480..638870a94 100644 --- a/config/locales/app.admin.en.yml +++ b/config/locales/app.admin.en.yml 
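Review bot: `private_key: active_provider.providable.sp_private_key` feeds the SP signing key into the SAML settings straight from a column that the migration in this same commit creates as a plain `:string`, so the key sits unencrypted in the database and in every dump of it; since the migration targets `Migration[7.0]`, the model can declare `encrypts :sp_private_key` to store it encrypted at rest without touching this initializer. If `authn_requests_signed` is true while `sp_private_key` is blank, signing will presumably fail at the first login rather than at configuration time, so a presence validation on the model tied to that flag is worth adding. The `Devise.setup` block starts and ends outside the hunk.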
@@ -1571,6 +1571,10 @@ en: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Name" authentication_type: "Authentication type" diff --git a/config/locales/app.admin.es-MX.yml b/config/locales/app.admin.es-MX.yml index 2e772a303..c65a77ac8 100644 --- a/config/locales/app.admin.es-MX.yml +++ b/config/locales/app.admin.es-MX.yml @@ -1571,6 +1571,10 @@ es-MX: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Nombre" authentication_type: "Tipo de autenticación" diff --git a/config/locales/app.admin.es.yml b/config/locales/app.admin.es.yml index d0cd55b50..e92699ac9 100644 --- a/config/locales/app.admin.es.yml +++ b/config/locales/app.admin.es.yml 
@@ -1571,6 +1571,10 @@ es: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Nombre" authentication_type: "Tipo de autenticación" diff --git a/config/locales/app.admin.fr.yml b/config/locales/app.admin.fr.yml index e0a1f6f4e..a702c40f9 100644 --- a/config/locales/app.admin.fr.yml +++ b/config/locales/app.admin.fr.yml @@ -1571,6 +1571,10 @@ fr: profile_edition_url_help: "L'URL de la page où l'utilisateur peut modifier son profil." idp_slo_service_url: "URL de demande de déconnexion" idp_slo_service_url_help: "L'URL à laquelle la requête d'authentification doit être envoyée. Cela serait sur le fournisseur d'identité." + authn_requests_signed: "Demandes d'authentification signées" + want_assertions_signed: "Exiger des Assertions signées" + sp_certificate: "Certificat du SP" + sp_private_key: "Clé privée du SP" provider_form: name: "Nom" authentication_type: "Type d'authentification" diff --git a/config/locales/app.admin.it.yml b/config/locales/app.admin.it.yml index 76b9d7feb..3ed8cb14b 100644 --- a/config/locales/app.admin.it.yml +++ b/config/locales/app.admin.it.yml 
@@ -1571,6 +1571,10 @@ it: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Nome" authentication_type: "Tipo di autenticazione" diff --git a/config/locales/app.admin.no.yml b/config/locales/app.admin.no.yml index dab311ed5..82b568749 100644 --- a/config/locales/app.admin.no.yml +++ b/config/locales/app.admin.no.yml @@ -1571,6 +1571,10 @@ profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Name" authentication_type: "Authentication type" diff --git a/config/locales/app.admin.pt.yml b/config/locales/app.admin.pt.yml index 390135ae7..815fa3f8c 100644 --- a/config/locales/app.admin.pt.yml +++ b/config/locales/app.admin.pt.yml 
@@ -1571,6 +1571,10 @@ pt: profile_edition_url_help: "The URL of the page where the user can edit his profile." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Nome" authentication_type: "Tipo de autenticação" diff --git a/config/locales/app.admin.sv.yml b/config/locales/app.admin.sv.yml index 9e906aedc..5387a3d0d 100644 --- a/config/locales/app.admin.sv.yml +++ b/config/locales/app.admin.sv.yml @@ -1571,6 +1571,10 @@ sv: profile_edition_url_help: "URL till sidan där användaren kan redigera sin profil." idp_slo_service_url: "Single logout request URL" idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider." + authn_requests_signed: "Authentification requests signed" + want_assertions_signed: "Want assertions signed" + sp_certificate: "Service provider certificate" + sp_private_key: "Service provider private key" provider_form: name: "Namn" authentication_type: "Autentiseringstyp" diff --git a/config/locales/app.admin.zu.yml b/config/locales/app.admin.zu.yml index 54b7b2132..bd8568d13 100644 --- a/config/locales/app.admin.zu.yml +++ b/config/locales/app.admin.zu.yml 
@@ -1571,6 +1571,10 @@ zu: profile_edition_url_help: "crwdns38162:0crwdne38162:0" idp_slo_service_url: "crwdns38176:0crwdne38176:0" idp_slo_service_url_help: "crwdns38178:0crwdne38178:0" + authn_requests_signed: "crwdns38200:0crwdne38200:0" + want_assertions_signed: "crwdns38202:0crwdne38202:0" + sp_certificate: "crwdns38204:0crwdne38204:0" + sp_private_key: "crwdns38206:0crwdne38206:0" provider_form: name: "crwdns26204:0crwdne26204:0" authentication_type: "crwdns26206:0crwdne26206:0" diff --git a/db/migrate/20240327095614_add_sp_certificate_to_saml_provider.rb b/db/migrate/20240327095614_add_sp_certificate_to_saml_provider.rb new file mode 100644 index 000000000..a77330de5 --- /dev/null +++ b/db/migrate/20240327095614_add_sp_certificate_to_saml_provider.rb @@ -0,0 +1,10 @@ +# frozen_string_literal: true + +class AddSpCertificateToSamlProvider < ActiveRecord::Migration[7.0] + def change + add_column :saml_providers, :sp_certificate, :string + add_column :saml_providers, :sp_private_key, :string + add_column :saml_providers, :authn_requests_signed, :boolean, default: false + add_column :saml_providers, :want_assertions_signed, :boolean, default: false + end +end diff --git a/db/structure.sql b/db/structure.sql index edf633649..0caddd176 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -3279,7 +3279,11 @@ CREATE TABLE public.saml_providers ( profile_url character varying, idp_cert character varying, idp_cert_fingerprint character varying, - idp_slo_service_url character varying + idp_slo_service_url character varying, + sp_certificate character varying, + sp_private_key character varying, + authn_requests_signed boolean DEFAULT false, + want_assertions_signed boolean DEFAULT false ); @@ -9326,6 +9330,7 @@ INSERT INTO "schema_migrations" (version) VALUES ('20240116163703'), ('20240126145351'), ('20240126192110'), -('20240220140225'); +('20240220140225'), +('20240327095614');
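Review bot: In the migration `add_sp_certificate_to_saml_provider.rb` the two boolean columns get `default: false` but not `null: false`, so `authn_requests_signed` and `want_assertions_signed` can still be NULL (an explicit null in the permitted params is enough), and that nil then flows into the ruby-saml `security` hash in `config/initializers/devise.rb` as a third state. Declaring them as `add_column :saml_providers, :authn_requests_signed, :boolean, default: false, null: false` (and likewise for `want_assertions_signed`) keeps them strictly two-valued; the `db/structure.sql` hunk in this commit would need regenerating to match. `sp_certificate` and `sp_private_key` become unbounded `character varying` per the structure.sql hunk, so PEM length is not a concern, but the private key is stored in clear text as written.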