Configure SAML with env vars and remove useless settings.yml

AjuntamentdeBarcelona · Jan 29, 2024 · 2b21757 · 2b21757
1 parent 0b8a727
commit 2b21757
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 55 deletions.
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
@@ -18,17 +18,11 @@ module Strategies
                     idp_cert: Rails.application.secrets.dig(:omniauth, :saml, :idp_cert),
                     idp_sso_target_url: Rails.application.secrets.dig(:omniauth, :saml, :idp_sso_target_url),
                     sp_entity_id: Rails.application.secrets.dig(:omniauth, :saml, :sp_entity_id),
-                    strategy_class: ::OmniAuth::Strategies::SAML,
-                    attribute_statements: {
-                      email: ["mail"],
-                      name: %w(givenName nom)
-                    },
+                    strategy_class: Rails.application.secrets.dig(:omniauth, :saml, :strategy_class).constantize,
+                    attribute_statements: Rails.application.secrets.dig(:omniauth, :saml, :attribute_statements),
                     certificate: Rails.application.secrets.dig(:omniauth, :saml, :certificate),
                     private_key: Rails.application.secrets.dig(:omniauth, :saml, :private_key),
-                    security: {
-                      authn_requests_signed: true,
-                      signature_method: XMLSecurity::Document::RSA_SHA256
-                    }
+                    security: Rails.application.secrets.dig(:omniauth, :saml, :security)
   end
 
   Devise::OmniauthCallbacksController.class_eval do

diff --git a/config/secrets.yml b/config/secrets.yml
@@ -40,7 +40,7 @@ default: &default
       idp_cert: <%= ENV["SAML_IDP_CERT"] %>
       idp_sso_target_url: <%= ENV["SAML_IDP_SSO_TARGET_URL"] %>
       sp_entity_id: <%= ENV["SAML_SP_ENTITY_ID"] %>
-      strategy_class: <%= ::OmniAuth::Strategies::SAML %>
+      strategy_class: <%= ENV["SAML_STRATEGY_CLASS"] || OmniAuth::Strategies::SAML %>
       attribute_statements:
         email:
           - mail
@@ -49,17 +49,17 @@ default: &default
           - nom
       certificate: <%= ENV["SAML_CERTIFICATE"] %>
       private_key: <%= ENV["SAML_PRIVATE_KEY"] %>
-      user_types: [ 'T1', 'T2', 'T3', 'T11' ]
-      cn: 'ACCES'
+      user_types: <%= ENV["SAML_USER_TYPES"] || %w[T1 T2 T3 T11] %>
+      cn: <%= ENV["SAML_CN"] || "ACCES" %>
       security:
-        authn_requests_signed: true
-        signature_method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+        authn_requests_signed: <%= ENV["SAML_SECURITY_AUTHN_REQUESTS_SIGNED"] || true %>
+        signature_method: <%= ENV["SAML_SECURITY_SIGNATURE_METHOD"] || XMLSecurity::Document::RSA_SHA256 %>
   maps:
     api_key: <%= ENV["MAPS_API_KEY"] %>
 
 development:
   <<: *default
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] || "b909b44627fbb3d4a30323d3bfce412ee5f4c69777276e041da0ab00d68431d6177905e7c1bf337daeee51fb528fb0cc47fc20e3c0a7957237a3c5d6710d79ce"%>
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] || "b909b44627fbb3d4a30323d3bfce412ee5f4c69777276e041da0ab00d68431d6177905e7c1bf337daeee51fb528fb0cc47fc20e3c0a7957237a3c5d6710d79ce" %>
   omniauth:
     imipre:
       enabled: false

diff --git a/config/settings.yml b/config/settings.yml