Fix validity checking of certs with idp_cert_multi

opf · Aug 21, 2024 · 97dccd2 · 97dccd2
1 parent a3337fe
commit 97dccd2
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/modules/auth_saml/app/contracts/saml/providers/base_contract.rb b/modules/auth_saml/app/contracts/saml/providers/base_contract.rb
@@ -55,7 +55,7 @@ def self.model
       attribute :idp_cert
       validates_presence_of :idp_cert,
                             if: -> { model.idp_cert_changed? }
-      validate :idp_cert_is_valid,
+      validate :idp_cert_not_expired,
                if: -> { model.idp_cert_changed? && model.idp_cert.present? }
 
       attribute :authn_requests_signed
@@ -66,12 +66,9 @@ def self.model
         validates_presence_of attr, if: -> { model.public_send(:"#{attr}_changed?") }
       end
 
-      def idp_cert_is_valid
-        model.loaded_idp_certificates.each do |cert|
-          if OneLogin::RubySaml::Utils.is_cert_expired(cert)
-            errors.add :certificate, :certificate_expired
-            break
-          end
+      def idp_cert_not_expired
+        unless model.idp_certificate_expired?
+          errors.add :certificate, :certificate_expired
         end
       rescue OpenSSL::X509::CertificateError => e
         errors.add :idp_cert, :invalid_certificate, additional_message: e.message

diff --git a/modules/auth_saml/app/models/saml/provider.rb b/modules/auth_saml/app/models/saml/provider.rb
@@ -67,7 +67,7 @@ def metadata_endpoint
     def configured?
       sp_entity_id.present? &&
         idp_sso_service_url.present? &&
-        certificate_configured?
+        idp_certificate_configured?
     end
 
     def mapping_configured?
@@ -95,10 +95,14 @@ def loaded_idp_certificates
       @loaded_idp_certificates ||= OpenSSL::X509::Certificate.load(idp_cert)
     end
 
-    def certificate_configured?
+    def idp_certificate_configured?
       idp_cert.present?
     end
 
+    def idp_certificate_expired?
+      !loaded_idp_certificates.all? { |cert| OneLogin::RubySaml::Utils.is_cert_expired(cert) }
+    end
+
     def idp_cert=(cert)
       formatted =
         if cert.include?("BEGIN CERTIFICATE")