- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
class SamlSignEncrypt < ActiveRecord::Migration[7.0]
  # Extends the 'auth_saml_credentials' setting of an existing installation
  # with the signing/encryption and SSL-verification options: marks the core
  # form fields as required, adds a deprecation hint to the fingerprint field,
  # stores the SAML validator names in the setting preferences, inserts the
  # new form fields and, for an already configured and enabled SAML
  # integration, explicitly persists ssl_verify: false.
  #
  # Nothing is changed on a fresh setup (no 'system_init_done' setting yet)
  # or when the SAML credentials setting does not exist.
  def change
    # Fresh installation: presumably the seed data already contains the new
    # form definition, so there is nothing to migrate.
    return unless Setting.exists?(name: 'system_init_done')

    saml_setting = Setting.find_by(name: 'auth_saml_credentials')
    return unless saml_setting

    required_attributes(saml_setting)
    fingerprint_help(saml_setting)
    add_validations(saml_setting)
    sign_and_encrypt_attributes(saml_setting)
    check_ssl_verify(saml_setting)

    # Saved without validations, presumably so the validators registered above
    # do not run against the not yet migrated stored value.
    saml_setting.save!(validate: false)
  end

  private

  # Marks the form fields at positions 1, 2, 3 and 5 as required. The
  # positions are fixed by the form definition of 'auth_saml_credentials'.
  def required_attributes(saml_setting)
    form = saml_setting.options[:form]
    [1, 2, 3, 5].each { |position| form[position][:required] = true }
    true
  end

  # Adds a deprecation hint to the fingerprint field (form position 4),
  # pointing admins to the IDP certificate instead.
  def fingerprint_help(saml_setting)
    form = saml_setting.options[:form]
    form[4][:help] = 'Please note that this attribute is deprecated within one of the next versions of Zammad. Use the IDP certificate instead.'
    true
  end

  # Stores the names of the Setting::Validation classes for required
  # attributes, TLS and the signing/encryption configuration in the
  # setting's preferences.
  def add_validations(saml_setting)
    saml_setting.preferences[:validations] = %w[
      Setting::Validation::Saml::RequiredAttributes
      Setting::Validation::Saml::TLS
      Setting::Validation::Saml::Security
    ]
    true
  end

  # Inserts the new form fields in front of the last existing field: the
  # SSL-verification toggle, the signing/encryption mode, and the
  # certificate, private key and key secret used for it.
  def sign_and_encrypt_attributes(saml_setting)
    ssl_verify_field = {
      display: 'SSL verification',
      null:    true,
      name:    'ssl_verify',
      tag:     'boolean',
      options: {
        true  => 'yes',
        false => 'no',
      },
      # Secure default for new configurations; check_ssl_verify overrides it
      # for setups that already had SAML enabled before this migration.
      default: true,
      help:    'Turning off SSL verification is a security risk and should be used only temporary. Use this option at your own risk!',
    }

    security_field = {
      display: 'Signing & Encrypting',
      null:    true,
      name:    'security',
      tag:     'select',
      options: {
        'off'     => 'None',
        'on'      => 'Signing & Encrypting',
        'sign'    => 'Only Signing',
        'encrypt' => 'Only Encrypting',
      },
    }

    certificate_field = {
      display:     'Certificate (PEM)',
      null:        true,
      name:        'certificate',
      tag:         'textarea',
      placeholder: '-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----',
    }

    private_key_field = {
      display:     'Private key (PEM)',
      null:        true,
      name:        'private_key',
      tag:         'textarea',
      placeholder: '-----BEGIN RSA PRIVATE KEY-----\n...-----END RSA PRIVATE KEY-----', # gitleaks:allow
    }

    # Rendered as a password input so the secret is not echoed in the UI.
    private_key_secret_field = {
      display:     'Private key secret',
      null:        true,
      name:        'private_key_secret',
      tag:         'input',
      type:        'password',
      single:      true,
      placeholder: '',
    }

    saml_setting.options[:form].insert(
      -2,
      ssl_verify_field,
      security_field,
      certificate_field,
      private_key_field,
      private_key_secret_field
    )
    true
  end

  # Explicitly stores ssl_verify: false for an installation that already has
  # SAML credentials configured and SAML authentication enabled. Such setups
  # presumably ran without certificate verification before this option
  # existed; persisting the value keeps them working unchanged (and still
  # unverified) until an admin turns verification on. Fresh or disabled
  # setups keep the form default of true.
  #
  # The parameter is unused: the value is read and written through
  # Setting.get / Setting.set rather than the passed record.
  def check_ssl_verify(_saml_setting)
    credentials = Setting.get('auth_saml_credentials')
    return true unless credentials.present? && Setting.get('auth_saml')

    Setting.set('auth_saml_credentials', credentials.merge(ssl_verify: false))
    true
  end
end