feat(core): Improve ldap/saml toggle and tests (#5771)

* improve ldap/saml toggle and tests * import cleanup * reject regular login users when saml is enabled * lint fix
2025-12-23 12:49:09 +00:00 · 2023-03-24 17:46:06 +01:00
parent 30aeeb70b4
commit 47ee357059
9 changed files with 186 additions and 43 deletions
--- a/packages/cli/test/integration/ldap/ldap.api.test.ts
+++ b/packages/cli/test/integration/ldap/ldap.api.test.ts
@@ -16,6 +16,7 @@ import { randomEmail, randomName, uniqueId } from './../shared/random';
 import * as testDb from './../shared/testDb';
 import type { AuthAgent } from '../shared/types';
 import * as utils from '../shared/utils';
+import { getCurrentAuthenticationMethod, setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';

 jest.mock('@/telemetry');
 jest.mock('@/UserManagement/email/NodeMailer');
@@ -55,6 +56,8 @@ beforeAll(async () => {
 	);

 	utils.initConfigFile();
+
+	await setCurrentAuthenticationMethod('email');
 });

 beforeEach(async () => {
@@ -174,6 +177,7 @@ describe('PUT /ldap/config', () => {
 		const emailUser = await Db.collections.User.findOneByOrFail({ id: member.id });
 		const localLdapIdentities = await testDb.getLdapIdentities();

+		expect(getCurrentAuthenticationMethod()).toBe('email');
 		expect(emailUser.email).toBe(member.email);
 		expect(emailUser.lastName).toBe(member.lastName);
 		expect(emailUser.firstName).toBe(member.firstName);
@@ -190,6 +194,7 @@ test('GET /ldap/config route should retrieve current configuration', async () =>

 	let response = await authAgent(owner).put('/ldap/config').send(validPayload);
 	expect(response.statusCode).toBe(200);
+	expect(getCurrentAuthenticationMethod()).toBe('ldap');

 	response = await authAgent(owner).get('/ldap/config');

--- a/packages/cli/test/integration/saml/saml.api.test.ts
+++ b/packages/cli/test/integration/saml/saml.api.test.ts
@@ -2,10 +2,11 @@ import type { SuperAgentTest } from 'supertest';
 import config from '@/config';
 import type { User } from '@db/entities/User';
 import { setSamlLoginEnabled } from '@/sso/saml/samlHelpers';
-import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
+import { getCurrentAuthenticationMethod, setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 import { randomEmail, randomName, randomValidPassword } from '../shared/random';
 import * as testDb from '../shared/testDb';
 import * as utils from '../shared/utils';
+import { sampleConfig } from './sampleMetadata';

 let owner: User;
 let authOwnerAgent: SuperAgentTest;
@@ -16,7 +17,7 @@ async function enableSaml(enable: boolean) {
 }

 beforeAll(async () => {
-	const app = await utils.initTestServer({ endpointGroups: ['me'] });
+	const app = await utils.initTestServer({ endpointGroups: ['me', 'saml'] });
 	owner = await testDb.createOwner();
 	authOwnerAgent = utils.createAuthAgent(app)(owner);
 });
@@ -67,4 +68,66 @@ describe('Instance owner', () => {
 				});
 		});
 	});
+
+	describe('POST /sso/saml/config', () => {
+		test('should post saml config', async () => {
+			await authOwnerAgent
+				.post('/sso/saml/config')
+				.send({
+					...sampleConfig,
+					loginEnabled: true,
+				})
+				.expect(200);
+			expect(getCurrentAuthenticationMethod()).toBe('saml');
+		});
+	});
+
+	describe('POST /sso/saml/config/toggle', () => {
+		test('should toggle saml as default authentication method', async () => {
+			await enableSaml(true);
+			expect(getCurrentAuthenticationMethod()).toBe('saml');
+
+			await authOwnerAgent
+				.post('/sso/saml/config/toggle')
+				.send({
+					loginEnabled: false,
+				})
+				.expect(200);
+			expect(getCurrentAuthenticationMethod()).toBe('email');
+
+			await authOwnerAgent
+				.post('/sso/saml/config/toggle')
+				.send({
+					loginEnabled: true,
+				})
+				.expect(200);
+			expect(getCurrentAuthenticationMethod()).toBe('saml');
+		});
+	});
+
+	describe('POST /sso/saml/config/toggle', () => {
+		test('should fail enable saml if default authentication is not email', async () => {
+			await enableSaml(true);
+
+			await authOwnerAgent
+				.post('/sso/saml/config/toggle')
+				.send({
+					loginEnabled: false,
+				})
+				.expect(200);
+			expect(getCurrentAuthenticationMethod()).toBe('email');
+
+			await setCurrentAuthenticationMethod('ldap');
+			expect(getCurrentAuthenticationMethod()).toBe('ldap');
+
+			await authOwnerAgent
+				.post('/sso/saml/config/toggle')
+				.send({
+					loginEnabled: true,
+				})
+				.expect(200);
+
+			expect(getCurrentAuthenticationMethod()).toBe('ldap');
+		});
+	});
 });
--- a/packages/cli/test/integration/saml/sampleMetadata.ts
+++ b/packages/cli/test/integration/saml/sampleMetadata.ts
--- a/packages/cli/test/integration/shared/types.d.ts
+++ b/packages/cli/test/integration/shared/types.d.ts
@@ -22,6 +22,7 @@ type EndpointGroup =
 	| 'publicApi'
 	| 'nodes'
 	| 'ldap'
+	| 'saml'
 	| 'eventBus'
 	| 'license';

--- a/packages/cli/test/integration/shared/utils.ts
+++ b/packages/cli/test/integration/shared/utils.ts
@@ -78,6 +78,9 @@ import { LdapManager } from '@/Ldap/LdapManager.ee';
 import { LDAP_ENABLED } from '@/Ldap/constants';
 import { handleLdapInit } from '@/Ldap/helpers';
 import { Push } from '@/push';
+import { setSamlLoginEnabled } from '@/sso/saml/samlHelpers';
+import { SamlService } from '@/sso/saml/saml.service.ee';
+import { SamlController } from '@/sso/saml/routes/saml.controller.ee';

 export const mockInstance = <T>(
 	ctor: new (...args: any[]) => T,
@@ -190,6 +193,11 @@ export async function initTestServer({
 						new LdapController(service, sync, internalHooks),
 					);
 					break;
+				case 'saml':
+					await setSamlLoginEnabled(true);
+					const samlService = Container.get(SamlService);
+					registerController(testServer.app, config, new SamlController(samlService));
+					break;
 				case 'nodes':
 					registerController(
 						testServer.app,