From c17301e8d60814cd82ba5210681f8a13477661c6 Mon Sep 17 00:00:00 2001
From: Oren Kanner
Date: Mon, 29 Nov 2021 09:31:53 -0500
Subject: [PATCH] Add support for ForceAuthn in AuthnRequests (#50)
---
 lib/saml_idp/request.rb | 6 ++++++
 lib/saml_idp/version.rb | 2 +-
 spec/lib/saml_idp/request_spec.rb | 20 ++++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/lib/saml_idp/request.rb b/lib/saml_idp/request.rb
index 3f08648d..7c369090 100644
--- a/lib/saml_idp/request.rb
+++ b/lib/saml_idp/request.rb
@@ -67,6 +67,12 @@ def request
 end
 end
+ def force_authn?
+ return nil unless authn_request?
+
+ request["ForceAuthn"] == 'true'
+ end
+
 def requested_authn_context
 return authn_context_node.content if authn_request? && authn_context_node
 end
diff --git a/lib/saml_idp/version.rb b/lib/saml_idp/version.rb
index 430d3ac1..6ac6705c 100644
--- a/lib/saml_idp/version.rb
+++ b/lib/saml_idp/version.rb
@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
- VERSION = '0.14.3-18f'.freeze
+ VERSION = '0.15.0-18f'.freeze
 end
diff --git a/spec/lib/saml_idp/request_spec.rb b/spec/lib/saml_idp/request_spec.rb
index 3be3a180..fc6f26b0 100644
--- a/spec/lib/saml_idp/request_spec.rb
+++ b/spec/lib/saml_idp/request_spec.rb
@@ -10,6 +10,10 @@ module SamlIdp
 let(:raw_authn_unspecified_name_id_format) { "localhost:3000urn:oasis:names:tc:SAML:2.0:ac:classes:Password" }
+ let(:raw_authn_forceauthn_present) { "localhost:3000urn:oasis:names:tc:SAML:2.0:ac:classes:Password" }
+
+ let(:raw_authn_forceauthn_false) { "localhost:3000urn:oasis:names:tc:SAML:2.0:ac:classes:Password" }
+
 describe "deflated request" do
 let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
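Review bot: In `force_authn?` (lib/saml_idp/request.rb) the comparison `request["ForceAuthn"] == 'true'` accepts only one of the two true spellings that xs:boolean allows, so a service provider sending `ForceAuthn="1"` is treated as not asking for re-authentication and an existing session could be reused. That fails open on a control the SP relies on for step-up or sensitive actions. I would compare against both lexical forms, `%w[true 1].include?(request["ForceAuthn"].to_s.strip)`, and add a one-line comment that the attribute is an xs:boolean. The early `return nil` also gives a `?` predicate three states; `return false unless authn_request?` would be more conventional, provided no caller distinguishes nil from false (callers are not visible in this patch).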
@@ -83,6 +87,22 @@ module SamlIdp
 expect(authn_request.issuer).to eq(nil)
 expect(authn_request.valid?).to eq(false)
 end
+
+ it 'defaults to force_authn = false' do
+ expect(subject.force_authn?).to be_falsey
+ end
+
+ it 'properly parses ForceAuthn="true" if passed' do
+ authn_request = described_class.new raw_authn_forceauthn_present
+
+ expect(authn_request.force_authn?).to be_truthy
+ end
+
+ it 'properly parses ForceAuthn="false" if passed' do
+ authn_request = described_class.new raw_authn_forceauthn_false
+
+ expect(authn_request.force_authn?).to be_falsey
+ end
 end
 describe "authn request with unspecified name id format" do
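Review bot: The three new examples in spec/lib/saml_idp/request_spec.rb cover an absent attribute and the literals "true" and "false", but nothing pins the behaviour for the other xs:boolean spellings (`ForceAuthn="1"` / `"0"`) or for a non-AuthnRequest, where `force_authn?` returns nil. Because a missed `ForceAuthn` means re-authentication is silently skipped, I would add a fixture carrying `ForceAuthn="1"` (say `raw_authn_forceauthn_one`, an illustrative name) with `expect(described_class.new(raw_authn_forceauthn_one).force_authn?).to be_truthy`, plus one example for a logout request. `be_truthy`/`be_falsey` also hide the nil-versus-false difference; `eq(true)`/`eq(false)` would make the contract explicit. The enclosing `describe` block starts outside the hunk.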