fix(core): Report missing SAML attributes early with an actionable error message (#9316)

despairblue · web-flow · commit 225fdbb379f6 · 2024-05-07T10:27:44.000+02:00
diff --git a/packages/cli/src/sso/saml/saml.service.ee.ts b/packages/cli/src/sso/saml/saml.service.ee.ts
@@ -359,7 +359,7 @@ export class SamlService {
 		if (!attributes) {
 			throw new AuthError('SAML Authentication failed. Invalid SAML response.');
 		}
-		if (!attributes.email && missingAttributes.length > 0) {
+		if (missingAttributes.length > 0) {
 			throw new AuthError(
 				`SAML Authentication failed. Invalid SAML response (missing attributes: ${missingAttributes.join(
 					', ',
diff --git a/packages/cli/test/unit/sso/saml/saml.service.ee.test.ts b/packages/cli/test/unit/sso/saml/saml.service.ee.test.ts
@@ -0,0 +1,53 @@
+import { mock } from 'jest-mock-extended';
+import type express from 'express';
+import { SamlService } from '@/sso/saml/saml.service.ee';
+import { mockInstance } from '../../../shared/mocking';
+import { UrlService } from '@/services/url.service';
+import { Logger } from '@/Logger';
+import type { IdentityProviderInstance, ServiceProviderInstance } from 'samlify';
+import * as samlHelpers from '@/sso/saml/samlHelpers';
+
+describe('SamlService', () => {
+	const logger = mockInstance(Logger);
+	const urlService = mockInstance(UrlService);
+	const samlService = new SamlService(logger, urlService);
+
+	describe('getAttributesFromLoginResponse', () => {
+		test('throws when any attribute is missing', async () => {
+			//
+			// ARRANGE
+			//
+			jest
+				.spyOn(samlService, 'getIdentityProviderInstance')
+				.mockReturnValue(mock<IdentityProviderInstance>());
+
+			const serviceProviderInstance = mock<ServiceProviderInstance>();
+			serviceProviderInstance.parseLoginResponse.mockResolvedValue({
+				samlContent: '',
+				extract: {},
+			});
+			jest
+				.spyOn(samlService, 'getServiceProviderInstance')
+				.mockReturnValue(serviceProviderInstance);
+
+			jest.spyOn(samlHelpers, 'getMappedSamlAttributesFromFlowResult').mockReturnValue({
+				attributes: {} as never,
+				missingAttributes: [
+					'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+					'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname',
+					'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname',
+					'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
+				],
+			});
+
+			//
+			// ACT & ASSERT
+			//
+			await expect(
+				samlService.getAttributesFromLoginResponse(mock<express.Request>(), 'post'),
+			).rejects.toThrowError(
+				'SAML Authentication failed. Invalid SAML response (missing attributes: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn).',
+			);
+		});
+	});
+});

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ export class SamlService {`
`359`	`359`	`if (!attributes) {`
`360`	`360`	`throw new AuthError('SAML Authentication failed. Invalid SAML response.');`
`361`	`361`	`}`
`362`		`- if (!attributes.email && missingAttributes.length > 0) {`
	`362`	`+ if (missingAttributes.length > 0) {`
`363`	`363`	`throw new AuthError(`
`364`	`364`	`SAML Authentication failed. Invalid SAML response (missing attributes: ${missingAttributes.join(
`365`	`365`	`', ',`