Allow no certs if block_encryption is set to 'none' (#11616)

* changelog: Bug Fixes, SAML Integration, Adding condition to allow no certs if integration has block_encryption set to none
18F · Dec 10, 2024 · 6759e64 · 6759e64
1 parent 9b8cf52
commit 6759e64
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 16 deletions.
diff --git a/app/services/saml_request_validator.rb b/app/services/saml_request_validator.rb
@@ -77,6 +77,7 @@ def registered_cert_exists
     # if there is no service provider, this error has already been added
     return if service_provider.blank?
     return if service_provider.certs.present?
+    return unless service_provider.encrypt_responses?
 
     errors.add(
       :service_provider, :no_cert_registered,

diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
@@ -1365,6 +1365,27 @@ def name_id_version(format_urn)
           ),
         )
       end
+
+      context 'when service provider has block_encryption set to none' do
+        before do
+          service_provider.update!(block_encryption: 'none')
+        end
+
+        it 'is succesful' do
+          user = create(:user, :fully_registered)
+          stub_analytics
+
+          generate_saml_response(user, settings)
+
+          expect(response.body).to_not include(t('errors.messages.no_cert_registered'))
+          expect(@analytics).to have_logged_event(
+            'SAML Auth',
+            hash_including(
+              success: true,
+            ),
+          )
+        end
+      end
     end
 
     context 'service provider has multiple certs' do

diff --git a/spec/services/saml_request_validator_spec.rb b/spec/services/saml_request_validator_spec.rb
@@ -51,24 +51,38 @@
 
       context 'when the sp has no certs registered' do
         before { sp.update!(certs: nil) }
-        let(:errors) do
-          {
-            service_provider: [t('errors.messages.no_cert_registered')],
-          }
-        end
-        let(:error_details) do
-          {
-            service_provider: {
-              no_cert_registered: true,
-            },
-          }
+
+        context 'when it has block_encryption turned on' do
+          before { sp.update!(block_encryption: 'aes256-cbc') }
+          let(:errors) do
+            {
+              service_provider: [t('errors.messages.no_cert_registered')],
+            }
+          end
+          let(:error_details) do
+            {
+              service_provider: {
+                no_cert_registered: true,
+              },
+            }
+          end
+
+          it 'returns an error' do
+            expect(response.to_h).to include(
+              errors:,
+              error_details:,
+            )
+          end
         end
 
-        it 'returns an error' do
-          expect(response.to_h).to include(
-            errors:,
-            error_details:,
-          )
+        context 'when block encryption is not turned on' do
+          it 'is valid' do
+            expect(response.to_h).to include(
+              success: true,
+              errors: {},
+              **extra,
+            )
+          end
         end
       end