Alternative to support multiple x509 Certificates via procs (#211)

pelted · web-flow · commit 6f832aff456b · 2024-11-01T17:23:06.000+01:00
* Adds support for multiple multiple x509 certificates, secret keys, and passwords by providing procs in the idp configuration.

* Call the proc in the tests

* Add documentation in the form of a comment in the README.md

* fix extra space

* remove additional change

* Fix metadata x509 certificate
diff --git a/README.md b/README.md
@@ -78,6 +78,11 @@ KEY DATA
 -----END RSA PRIVATE KEY-----
 CERT
 
+  # x509_certificate, secret_key, and password may also be set from within a proc, for example:
+  # config.x509_certificate = -> { File.read("cert.pem") }
+  # config.secret_key = -> { SecretKeyFinder.key_for(id: 1) }
+  # config.password = -> { "password" }
+
   # config.password = "secret_key_password"
   # config.algorithm = :sha256                                    # Default: sha1 only for development.
   # config.organization_name = "Your Organization"
diff --git a/lib/saml_idp/configurator.rb b/lib/saml_idp/configurator.rb
@@ -25,8 +25,8 @@ class Configurator
     attr_accessor :logger
 
     def initialize
-      self.x509_certificate = Default::X509_CERTIFICATE
-      self.secret_key = Default::SECRET_KEY
+      self.x509_certificate = -> { Default::X509_CERTIFICATE }
+      self.secret_key = -> { Default::SECRET_KEY }
       self.algorithm = :sha1
       self.reference_id_generator = ->() { SecureRandom.uuid }
       self.service_provider = OpenStruct.new
diff --git a/lib/saml_idp/metadata_builder.rb b/lib/saml_idp/metadata_builder.rb
@@ -152,7 +152,8 @@ def raw_algorithm
     private :raw_algorithm
 
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      certificate = SamlIdp.config.x509_certificate.is_a?(Proc) ? SamlIdp.config.x509_certificate.call : SamlIdp.config.x509_certificate
+      certificate
       .to_s
       .gsub(/-----BEGIN CERTIFICATE-----/,"")
       .gsub(/-----END CERTIFICATE-----/,"")
diff --git a/lib/saml_idp/signature_builder.rb b/lib/saml_idp/signature_builder.rb
@@ -21,7 +21,8 @@ def raw
     end
 
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      certificate = SamlIdp.config.x509_certificate.is_a?(Proc) ? SamlIdp.config.x509_certificate.call : SamlIdp.config.x509_certificate
+      certificate
       .to_s
       .gsub(/-----BEGIN CERTIFICATE-----/,"")
       .gsub(/-----END CERTIFICATE-----/,"")
diff --git a/lib/saml_idp/signed_info_builder.rb b/lib/saml_idp/signed_info_builder.rb
@@ -65,12 +65,12 @@ def clean_algorithm_name
     private :clean_algorithm_name
 
     def secret_key
-      SamlIdp.config.secret_key
+      SamlIdp.config.secret_key.is_a?(Proc) ? SamlIdp.config.secret_key.call : SamlIdp.config.secret_key
     end
     private :secret_key
 
     def password
-      SamlIdp.config.password
+      SamlIdp.config.password.is_a?(Proc) ? SamlIdp.config.password.call : SamlIdp.config.password
     end
     private :password
 
diff --git a/spec/lib/saml_idp/configurator_spec.rb b/spec/lib/saml_idp/configurator_spec.rb
@@ -20,11 +20,11 @@ module SamlIdp
     it { should respond_to :logger }
 
     it "has a valid x509_certificate" do
-      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
+      expect(subject.x509_certificate.call).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      expect(subject.secret_key).to eq(Default::SECRET_KEY)
+      expect(subject.secret_key.call).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
