feat: add saml metadata force update every 24 hours (#1020)

If the SAML Metadata defined via a URL does not publish validity or cache duration information, forcefully try to update it every 24 hours.
supabase · May 8, 2023 · 965feb9 · 965feb9
1 parent 9c3ba87
commit 965feb9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/internal/api/samlacs.go b/internal/api/samlacs.go
@@ -31,10 +31,16 @@ func (a *API) samlDestroyRelayState(ctx context.Context, relayState *models.SAML
 	})
 }
 
-func IsMetadataStale(idpMetadata *saml.EntityDescriptor, samlProvider models.SAMLProvider) bool {
-	hasIDPMetadataExpired := !idpMetadata.ValidUntil.IsZero() && idpMetadata.ValidUntil.Before(time.Now())
-	hasCacheDurationExceeded := idpMetadata.CacheDuration != 0 && samlProvider.UpdatedAt.Add(idpMetadata.CacheDuration).Before(time.Now())
-	return hasIDPMetadataExpired || hasCacheDurationExceeded
+func IsSAMLMetadataStale(idpMetadata *saml.EntityDescriptor, samlProvider models.SAMLProvider) bool {
+	now := time.Now()
+
+	hasValidityExpired := !idpMetadata.ValidUntil.IsZero() && now.After(idpMetadata.ValidUntil)
+	hasCacheDurationExceeded := idpMetadata.CacheDuration != 0 && now.After(samlProvider.UpdatedAt.Add(idpMetadata.CacheDuration))
+
+	// if metadata XML does not publish validity or caching information, update once in 24 hours
+	needsForceUpdate := idpMetadata.ValidUntil.IsZero() && idpMetadata.CacheDuration == 0 && now.After(samlProvider.UpdatedAt.Add(24*time.Hour))
+
+	return hasValidityExpired || hasCacheDurationExceeded || needsForceUpdate
 }
 
 // SAMLACS implements the main Assertion Consumer Service endpoint behavior.
@@ -154,7 +160,7 @@ func (a *API) SAMLACS(w http.ResponseWriter, r *http.Request) error {
 
 			logentry.Warn("SAML Metadata for identity provider will expire soon! Update its metadata_xml!")
 		}
-	} else if *ssoProvider.SAMLProvider.MetadataURL != "" && IsMetadataStale(idpMetadata, ssoProvider.SAMLProvider) {
+	} else if *ssoProvider.SAMLProvider.MetadataURL != "" && IsSAMLMetadataStale(idpMetadata, ssoProvider.SAMLProvider) {
 		rawMetadata, err := fetchSAMLMetadata(ctx, *ssoProvider.SAMLProvider.MetadataURL)
 		if err != nil {
 			// Fail silently but raise warning and continue with existing metadata

diff --git a/internal/api/sso_test.go b/internal/api/sso_test.go
@@ -183,7 +183,7 @@ func (ts *SSOTestSuite) TestIsStaleSAMLMetadata() {
 			provider.UpdatedAt = currentTime.Add(-time.Minute * 59)
 		}
 
-		require.Equal(ts.T(), example.IsStale, IsMetadataStale(metadata, provider))
+		require.Equal(ts.T(), example.IsStale, IsSAMLMetadataStale(metadata, provider))
 	}
 
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -183,7 +183,7 @@ func (ts *SSOTestSuite) TestIsStaleSAMLMetadata() { @@
     			provider.UpdatedAt = currentTime.Add(-time.Minute * 59)
     		}
-    		require.Equal(ts.T(), example.IsStale, IsMetadataStale(metadata, provider))
+    		require.Equal(ts.T(), example.IsStale, IsSAMLMetadataStale(metadata, provider))
     	}
     }
@@ Expand Down @@