chore(core): Synchronize SAML settings in multi-main (#19588)

2025-12-16 17:46:45 +00:00 · 2025-09-16 16:31:20 +02:00
parent a7f4e3e323
commit 0c0188fe40
5 changed files with 281 additions and 14 deletions
--- a/packages/@n8n/decorators/src/pubsub/pubsub-metadata.ts
+++ b/packages/@n8n/decorators/src/pubsub/pubsub-metadata.ts
@@ -17,6 +17,7 @@ export type PubSubEventName =
 	| 'reload-external-secrets-providers'
 	| 'reload-license'
 	| 'reload-oidc-config'
 	| 'reload-saml-config'
 	| 'response-to-get-worker-status'
 	| 'restart-event-bus'
 	| 'relay-execution-lifecycle-event';
--- a/packages/cli/src/scaling/pubsub/pubsub.event-map.ts
+++ b/packages/cli/src/scaling/pubsub/pubsub.event-map.ts
@@ -15,6 +15,7 @@ export type PubSubCommandMap = {
 	// # region SSO
 	'reload-oidc-config': never;
 	'reload-saml-config': never;
 	// #endregion
--- a/packages/cli/src/scaling/pubsub/pubsub.types.ts
+++ b/packages/cli/src/scaling/pubsub/pubsub.types.ts
@@ -41,6 +41,7 @@ export namespace PubSub {
 	namespace Commands {
 		export type ReloadLicense = ToCommand<'reload-license'>;
 		export type ReloadOIDCConfiguration = ToCommand<'reload-oidc-config'>;
 		export type ReloadSamlConfiguration = ToCommand<'reload-saml-config'>;
 		export type RestartEventBus = ToCommand<'restart-event-bus'>;
 		export type ReloadExternalSecretsProviders = ToCommand<'reload-external-secrets-providers'>;
 		export type CommunityPackageInstall = ToCommand<'community-package-install'>;
@@ -74,7 +75,8 @@ export namespace PubSub {
 		| Commands.DisplayWorkflowActivationError
 		| Commands.RelayExecutionLifecycleEvent
 		| Commands.ClearTestWebhooks
-		| Commands.ReloadOIDCConfiguration;
+		| Commands.ReloadOIDCConfiguration
 		| Commands.ReloadSamlConfiguration;
 	// ----------------------------------
 	//         worker responses
--- a/packages/cli/src/sso.ee/saml/tests/saml.service.ee.test.ts
+++ b/packages/cli/src/sso.ee/saml/tests/saml.service.ee.test.ts
@@ -1,14 +1,22 @@
-import { mockInstance } from '@n8n/backend-test-utils';
+import type { SamlPreferences } from '@n8n/api-types';
 import { mockInstance, mockLogger } from '@n8n/backend-test-utils';
 import type { GlobalConfig } from '@n8n/config';
 import { SettingsRepository } from '@n8n/db';
 import type { UserRepository } from '@n8n/db';
 import type { Settings } from '@n8n/db';
 import { Container } from '@n8n/di';
 import axios from 'axios';
 import type express from 'express';
 import { mock } from 'jest-mock-extended';
 import type { InstanceSettings } from 'n8n-core';
 import type { IdentityProviderInstance, ServiceProviderInstance } from 'samlify';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { Publisher } from '@/scaling/pubsub/publisher.service';
 import type { UrlService } from '@/services/url.service';
 import * as samlHelpers from '@/sso.ee/saml/saml-helpers';
 import { SamlService } from '@/sso.ee/saml/saml.service.ee';
 import * as ssoHelpers from '@/sso.ee/sso-helpers';
 import { SAML_PREFERENCES_DB_KEY } from '../constants';
 import { InvalidSamlMetadataUrlError } from '../errors/invalid-saml-metadata-url.error';
@@ -137,16 +145,68 @@ const SamlSettingWithValidUrl: Settings = {
 };
 describe('SamlService', () => {
 	let samlService: SamlService;
 	let settingsRepository: SettingsRepository;
 	let instanceSettings: InstanceSettings;
 	let globalConfig: GlobalConfig;
 	const validator = new SamlValidator(mock());
-	const settingsRepository = mockInstance(SettingsRepository);
+	const logger = mockLogger();
-	const samlService = new SamlService(mock(), mock(), validator, mock(), settingsRepository);
+
 	const mockSamlConfig = {
 		mapping: {
 			email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 			firstName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname',
 			lastName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname',
 			userPrincipalName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
 		},
 		metadata:
 			'<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2035-05-07T13:33:47.181Z">\n  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n    <md:KeyDescriptor use="signing">\n      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV\nSzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4\nMjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK\nDAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0\nRuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd\n4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V\npwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b\n2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ\nNfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF\nAAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW\n5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4\nkhuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX\nUjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L\nr/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M\nm0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>\n    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>\n    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>\n  </md:IDPSSODescriptor>\n</md:EntityDescriptor>',
 		metadataUrl: '',
 		ignoreSSL: false,
 		loginBinding: 'redirect',
 		acsBinding: 'post',
 		authnRequestsSigned: false,
 		loginEnabled: false,
 		loginLabel: 'SAML',
 	};
 	const mockConfigFromDB = {
 		key: SAML_PREFERENCES_DB_KEY,
 		value: JSON.stringify(mockSamlConfig),
 		loadOnStartup: true,
 	};
 	beforeAll(async () => {
 		await validator.init();
 	});
-	beforeEach(() => {
+	beforeEach(async () => {
-		jest.restoreAllMocks();
+		jest.resetAllMocks();
 		Container.reset();
 		settingsRepository = mockInstance(SettingsRepository);
 		instanceSettings = mock<InstanceSettings>({
 			isMultiMain: true,
 		});
 		globalConfig = mock<GlobalConfig>({
 			sso: { saml: { loginEnabled: false } },
 		});
 		jest
 			.spyOn(ssoHelpers, 'reloadAuthenticationMethod')
 			.mockImplementation(async () => await Promise.resolve());
 		jest.spyOn(samlHelpers, 'isSamlLoginEnabled').mockReturnValue(true);
 		samlService = new SamlService(
 			logger,
 			mock<UrlService>(),
 			validator,
 			mock<UserRepository>(),
 			settingsRepository,
 			instanceSettings,
 		);
 		// Mock GlobalConfig container access
 		Container.set(require('@n8n/config').GlobalConfig, globalConfig);
 	});
 	describe('getAttributesFromLoginResponse', () => {
@@ -257,7 +317,7 @@ describe('SamlService', () => {
 			jest.spyOn(settingsRepository, 'findOne').mockResolvedValue(InvalidSamlSetting);
 			// ACT && ASSERT
-			await expect(samlService.loadFromDbAndApplySamlPreferences(true)).rejects.toThrowError(
+			await expect(samlService.loadFromDbAndApplySamlPreferences(true, false)).rejects.toThrowError(
 				InvalidSamlMetadataError,
 			);
 		});
@@ -269,7 +329,7 @@ describe('SamlService', () => {
 				.mockResolvedValue(SamlSettingWithInvalidUrlAndInvalidMetadataXML);
 			// ACT && ASSERT
-			await expect(samlService.loadFromDbAndApplySamlPreferences(true)).rejects.toThrowError(
+			await expect(samlService.loadFromDbAndApplySamlPreferences(true, false)).rejects.toThrowError(
 				InvalidSamlMetadataError,
 			);
 		});
@@ -279,7 +339,7 @@ describe('SamlService', () => {
 			jest.spyOn(settingsRepository, 'findOne').mockResolvedValue(SamlSettingWithInvalidUrl);
 			// ACT && ASSERT
-			await samlService.loadFromDbAndApplySamlPreferences(true);
+			await samlService.loadFromDbAndApplySamlPreferences(true, false);
 		});
 		test('does not throw an error when the metadata url is valid', async () => {
@@ -292,7 +352,7 @@ describe('SamlService', () => {
 				);
 			// ACT && ASSERT
-			await samlService.loadFromDbAndApplySamlPreferences(true);
+			await samlService.loadFromDbAndApplySamlPreferences(true, false);
 		});
 	});
@@ -412,12 +472,167 @@ describe('SamlService', () => {
 			await samlService.loadPreferencesWithoutValidation({
 				metadata: SamlMetadataWithoutRedirectBinding,
 			});
 			await samlService.loadSamlify();
 			expect(() => samlService.getIdentityProviderInstance(true)).toThrowError(
 				InvalidSamlMetadataError,
 			);
 		});
 	});
 	describe('broadcastReloadSAMLConfigurationCommand', () => {
 		const mockPublisher = { publishCommand: jest.fn() };
 		beforeEach(() => {
 			mockInstance(Publisher, mockPublisher);
 			// Mock all the validation and setup methods that setSamlPreferences calls
 			jest.spyOn(samlService, 'loadSamlify').mockResolvedValue(undefined);
 			jest.spyOn(validator, 'validateMetadata').mockResolvedValue(true);
 			jest.spyOn(samlService, 'getIdentityProviderInstance').mockReturnValue({} as any);
 			jest
 				.spyOn(samlService, 'saveSamlPreferencesToDb')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			// Mock SAML login as disabled to avoid metadata validation
 			jest.spyOn(samlHelpers, 'isSamlLoginEnabled').mockReturnValue(false);
 		});
 		test('should publish reload command in multi-main setup', async () => {
 			(instanceSettings as any).isMultiMain = true;
 			await samlService.setSamlPreferences(
 				{ loginEnabled: false, metadata: mockSamlConfig.metadata },
 				false,
 				true,
 			);
 			expect(mockPublisher.publishCommand).toHaveBeenCalledWith({
 				command: 'reload-saml-config',
 			});
 		});
 		test('should not publish in single main setup', async () => {
 			(instanceSettings as any).isMultiMain = false;
 			await samlService.setSamlPreferences(
 				{ loginEnabled: false, metadata: mockSamlConfig.metadata },
 				false,
 				true,
 			);
 			expect(mockPublisher.publishCommand).not.toHaveBeenCalled();
 		});
 		test('should not publish when broadcastReload is false', async () => {
 			(instanceSettings as any).isMultiMain = true;
 			await samlService.setSamlPreferences(
 				{ loginEnabled: false, metadata: mockSamlConfig.metadata },
 				false,
 				false,
 			);
 			expect(mockPublisher.publishCommand).not.toHaveBeenCalled();
 		});
 	});
 	describe('reload', () => {
 		test('should reload SAML configuration from database', async () => {
 			settingsRepository.findOne = jest.fn().mockResolvedValue(mockConfigFromDB);
 			jest
 				.spyOn(samlService, 'loadFromDbAndApplySamlPreferences')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			await samlService.reload();
 			expect(samlService.loadFromDbAndApplySamlPreferences).toHaveBeenCalledWith(true, false);
 			expect(ssoHelpers.reloadAuthenticationMethod).toHaveBeenCalled();
 			expect(globalConfig.sso.saml.loginEnabled).toBe(true);
 			expect(logger.debug).toHaveBeenCalledWith(
 				'SAML configuration changed, starting to load it from the database',
 			);
 		});
 		test('should prevent concurrent reloads with isReloading flag', async () => {
 			jest
 				.spyOn(samlService, 'loadFromDbAndApplySamlPreferences')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			// Start first reload without awaiting
 			const firstReload = samlService.reload();
 			// Start second reload immediately
 			const secondReload = samlService.reload();
 			await Promise.all([firstReload, secondReload]);
 			// Should have called loadFromDbAndApplySamlPreferences only once due to isReloading flag
 			expect(samlService.loadFromDbAndApplySamlPreferences).toHaveBeenCalledTimes(1);
 			expect(logger.warn).toHaveBeenCalledWith('SAML configuration reload already in progress');
 		});
 		test('should handle errors during reload gracefully', async () => {
 			const error = new Error('Database connection failed');
 			jest.spyOn(samlService, 'loadFromDbAndApplySamlPreferences').mockRejectedValue(error);
 			await samlService.reload();
 			expect(logger.error).toHaveBeenCalledWith(
 				'SAML configuration changed, failed to reload SAML configuration',
 				{ error },
 			);
 			// Should reset isReloading flag even on error
 			// Test by calling reload again - should not be blocked
 			jest
 				.spyOn(samlService, 'loadFromDbAndApplySamlPreferences')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			await samlService.reload();
 			expect(samlService.loadFromDbAndApplySamlPreferences).toHaveBeenCalledTimes(2);
 		});
 		test('should update GlobalConfig with login status', async () => {
 			jest
 				.spyOn(samlService, 'loadFromDbAndApplySamlPreferences')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			// Mock SAML as disabled
 			jest.spyOn(samlHelpers, 'isSamlLoginEnabled').mockReturnValue(false);
 			await samlService.reload();
 			expect(globalConfig.sso.saml.loginEnabled).toBe(false);
 			expect(logger.debug).toHaveBeenCalledWith('SAML login is now disabled.');
 		});
 	});
 	describe('loadFromDbAndApplySamlPreferences with broadcastReload parameter', () => {
 		beforeEach(() => {
 			// Mock required methods to avoid complex initialization
 			jest.spyOn(samlService, 'loadSamlify').mockResolvedValue(undefined);
 			jest.spyOn(samlService, 'getIdentityProviderInstance').mockReturnValue({} as any);
 			jest
 				.spyOn(samlService, 'saveSamlPreferencesToDb')
 				.mockResolvedValue(mockSamlConfig as SamlPreferences);
 			jest
 				.spyOn(samlService as any, 'broadcastReloadSAMLConfigurationCommand')
 				.mockResolvedValue(undefined);
 		});
 		test('should call setSamlPreferences with broadcastReload=true by default', async () => {
 			settingsRepository.findOne = jest.fn().mockResolvedValue(mockConfigFromDB);
 			jest.spyOn(samlService, 'setSamlPreferences');
 			await samlService.loadFromDbAndApplySamlPreferences(true);
 			expect(samlService.setSamlPreferences).toHaveBeenCalledWith(mockSamlConfig, true, true);
 		});
 		test('should call setSamlPreferences with broadcastReload=false when specified', async () => {
 			settingsRepository.findOne = jest.fn().mockResolvedValue(mockConfigFromDB);
 			jest.spyOn(samlService, 'setSamlPreferences');
 			await samlService.loadFromDbAndApplySamlPreferences(true, false);
 			expect(samlService.setSamlPreferences).toHaveBeenCalledWith(mockSamlConfig, true, false);
 		});
 	});
 	describe('reset', () => {
 		test('disables saml login and deletes the saml `features.saml` key in the db', async () => {
 			// ARRANGE
--- a/packages/cli/src/sso.ee/saml/saml.service.ee.ts
+++ b/packages/cli/src/sso.ee/saml/saml.service.ee.ts
@@ -1,11 +1,14 @@
 import type { SamlPreferences } from '@n8n/api-types';
 import { Logger } from '@n8n/backend-common';
 import { GlobalConfig } from '@n8n/config';
 import type { Settings, User } from '@n8n/db';
 import { isValidEmail, SettingsRepository, UserRepository } from '@n8n/db';
-import { Service } from '@n8n/di';
+import { OnPubSubEvent } from '@n8n/decorators';
 import { Container, Service } from '@n8n/di';
 import axios from 'axios';
 import type express from 'express';
 import https from 'https';
 import { InstanceSettings } from 'n8n-core';
 import { jsonParse, UnexpectedError } from 'n8n-workflow';
 import { type IdentityProviderInstance, type ServiceProviderInstance } from 'samlify';
 import type { BindingContext, PostBindingContext } from 'samlify/types/src/entity';
@@ -30,7 +33,7 @@ import {
 import { SamlValidator } from './saml-validator';
 import { getServiceProviderInstance } from './service-provider.ee';
 import type { SamlLoginBinding, SamlUserAttributes } from './types';
-import { isSsoJustInTimeProvisioningEnabled } from '../sso-helpers';
+import { isSsoJustInTimeProvisioningEnabled, reloadAuthenticationMethod } from '../sso-helpers';
@Service()
 export class SamlService {
@@ -80,6 +83,7 @@ export class SamlService {
 		private readonly validator: SamlValidator,
 		private readonly userRepository: UserRepository,
 		private readonly settingsRepository: SettingsRepository,
 		private readonly instanceSettings: InstanceSettings,
 	) {}
 	async init(): Promise<void> {
@@ -247,9 +251,46 @@ export class SamlService {
 		};
 	}
 	private async broadcastReloadSAMLConfigurationCommand(): Promise<void> {
 		if (this.instanceSettings.isMultiMain) {
 			const { Publisher } = await import('@/scaling/pubsub/publisher.service');
 			await Container.get(Publisher).publishCommand({ command: 'reload-saml-config' });
 		}
 	}
 	private isReloading = false;
 	@OnPubSubEvent('reload-saml-config')
 	async reload(): Promise<void> {
 		if (this.isReloading) {
 			this.logger.warn('SAML configuration reload already in progress');
 			return;
 		}
 		this.isReloading = true;
 		try {
 			this.logger.debug('SAML configuration changed, starting to load it from the database');
 			await this.loadFromDbAndApplySamlPreferences(true, false);
 			await reloadAuthenticationMethod();
 			const samlLoginEnabled = isSamlLoginEnabled();
 			this.logger.debug(`SAML login is now ${samlLoginEnabled ? 'enabled' : 'disabled'}.`);
 			Container.get(GlobalConfig).sso.saml.loginEnabled = samlLoginEnabled;
 		} catch (error) {
 			this.logger.error('SAML configuration changed, failed to reload SAML configuration', {
 				error,
 			});
 		} finally {
 			this.isReloading = false;
 		}
 	}
 	async setSamlPreferences(
 		prefs: Partial<SamlPreferences>,
 		tryFallback: boolean = false,
 		broadcastReload: boolean = true,
 	): Promise<SamlPreferences | undefined> {
 		await this.loadSamlify();
 		const previousMetadataUrl = this._samlPreferences.metadataUrl;
@@ -304,6 +345,10 @@ export class SamlService {
 		}
 		this.getIdentityProviderInstance(true);
 		const result = await this.saveSamlPreferencesToDb();
 		if (broadcastReload) {
 			await this.broadcastReloadSAMLConfigurationCommand();
 		}
 		return result;
 	}
@@ -332,7 +377,10 @@ export class SamlService {
 		setSamlLoginLabel(prefs.loginLabel ?? getSamlLoginLabel());
 	}
-	async loadFromDbAndApplySamlPreferences(apply = true): Promise<SamlPreferences | undefined> {
+	async loadFromDbAndApplySamlPreferences(
 		apply = true,
 		broadcastReload: boolean = true,
 	): Promise<SamlPreferences | undefined> {
 		const samlPreferences = await this.settingsRepository.findOne({
 			where: { key: SAML_PREFERENCES_DB_KEY },
 		});
@@ -340,7 +388,7 @@ export class SamlService {
 			const prefs = jsonParse<SamlPreferences>(samlPreferences.value);
 			if (prefs) {
 				if (apply) {
-					await this.setSamlPreferences(prefs, true);
+					await this.setSamlPreferences(prefs, true, broadcastReload);
 				} else {
 					await this.loadPreferencesWithoutValidation(prefs);
 				}