Merge pull request #7016 from FlowFuse/housekeeping-sso-cert-expiry

knolleary · web-flow · commit 6f6343080e7a · 2026-04-08T14:24:53.000+01:00
Add Housekeeping task to check SSO certificate expiry
diff --git a/forge/ee/lib/sso/emailTemplates/SSOCertsExpiring.js b/forge/ee/lib/sso/emailTemplates/SSOCertsExpiring.js
@@ -0,0 +1,32 @@
+// Sent when a SSO Cert will expire in under 2 weeks
+
+// Inserts:
+// - name: SSO profile name
+// - data: Date of cert Expiry
+
+module.exports = {
+    subject: 'FlowFuse SSO Certificate expiring soon',
+    text:
+`Hello {{{user.name}}},
+
+The certificate for the SSO Profile "{{name}}" will expire
+at {{{date}}}.
+
+Please talk to your SSO administrator about issuing a new
+certificate for this provider.
+
+Your friendly FlowFuse Team
+`,
+    html:
+`
+<p>Hello {{{user.name}}},</p>
+
+<p>The certificate for the SSO Profile "{{name}}" will expire
+at {{{date}}}.</p
+
+<p>Please talk to your SSO administrator about issuing a new
+certificate for this provider.</p>
+
+<p>Your friendly FlowFuse Team</p>
+`
+}
diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js
@@ -7,6 +7,9 @@ module.exports.init = async function (app) {
     // Set the SSO feature flag
     app.config.features.register('sso', true, true)
 
+    app.postoffice.registerTemplate('SSOCertsExpiring', require('./emailTemplates/SSOCertsExpiring'))
+    app.housekeeper.registerTask(require('./tasks/saml-cert-check'))
+
     async function getProviderOptions (id) {
         const provider = await app.db.models.SAMLProvider.byId(id)
         if (provider) {
diff --git a/forge/ee/lib/sso/tasks/saml-cert-check.js b/forge/ee/lib/sso/tasks/saml-cert-check.js
@@ -0,0 +1,49 @@
+/**
+ * Check when SSO certs expire
+ */
+const crypto = require('crypto')
+
+const TWO_WEEKS = (60 * 60 * 24 * 14 * 1000)
+
+module.exports = {
+    name: 'checkSAMLCertificateExpiry',
+    startup: false,
+    delay: 5000,
+    schedule: '@weekly',
+    run: async function (app) {
+        app.log.info('Checking SSO Cert life')
+        try {
+            const ssoConfigs = await app.db.models.SAMLProvider.getAll()
+            for (const sso of ssoConfigs.providers) {
+                if (sso.active && sso.type === 'saml') {
+                    if (sso.options.cert) {
+                        try {
+                            let pem = sso.options.cert
+                            if (!pem.startsWith('-----BEGIN CERTIFICATE-----\n')) {
+                                pem = `-----BEGIN CERTIFICATE-----\n${pem}\n-----END CERTIFICATE-----\n`
+                            }
+                            const cert = new crypto.X509Certificate(pem)
+                            const expiry = Date.parse(cert.validTo)
+                            const life = expiry - Date.now()
+                            if (life < TWO_WEEKS) {
+                                app.log.info(`SSO Certificate expires soon ${sso.name} ${cert.validTo}`)
+                                await emailAdmins(app, 'SSOCertsExpiring', { name: sso.name, date: cert.validTo })
+                            }
+                        } catch (err) {
+                            app.log.debug(`Problem checking ${sso.name}'s SSO certificate ${err.toString()}`)
+                        }
+                    }
+                }
+            }
+        } catch (err) {
+            app.log.debug(`Problem checking SSO certificate ${err.toString()}`)
+        }
+    }
+}
+
+async function emailAdmins (app, template, context) {
+    const admins = await app.db.models.User.admins()
+    for (const admin of admins) {
+        await app.postoffice.send(admin, template, context)
+    }
+}
diff --git a/test/unit/forge/ee/lib/sso/index_spec.js b/test/unit/forge/ee/lib/sso/index_spec.js
@@ -57,6 +57,25 @@ d
     e`
             }
         })
+        app.samlProviders.provider5 = await app.db.models.SAMLProvider.create({
+            name: 'expired SAML Cert',
+            domainFilter: 'certtest3.com',
+            active: true,
+            options: {
+                cert: `-----BEGIN CERTIFICATE-----
+MIIBlTCCAT+gAwIBAgIUbplhRkxz5Bi/PNX0XVoDXweALacwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUZXhwaXJlZCBGRiBTQU1MIGNlcnQwHhcNMjYwNDA2MTUz
+NzMyWhcNMjYwNDA3MTUzNzMyWjAfMR0wGwYDVQQDDBRleHBpcmVkIEZGIFNBTUwg
+Y2VydDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC8C1+SXu71Bfg/QDgYkdVlk4lG
+yB2R6TAuQcRmXhKpjSTFx8UZinwDIJsSvIHF7ogFwZxveOzeExIFw702Tm2LAgMB
+AAGjUzBRMB0GA1UdDgQWBBTWj9s9V3qdJGtSapocX7r3YhG86TAfBgNVHSMEGDAW
+gBTWj9s9V3qdJGtSapocX7r3YhG86TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA0EADtdIpFInwMnjjhv4AMaeFsAUnKJzGmd9Gg/ugd13Adto6ReEC7+s
+NOY6Z1oJnpttQ9gwyV8euQ3C0Wcjf3+OVQ==
+-----END CERTIFICATE-----
+`
+            }
+        })
     })
 
     after(async function () {
@@ -444,4 +463,14 @@ d
             ;(await app.db.models.TeamMember.getTeamMembership(app.user.id, teams.BTeam.id)).should.have.property('role', Roles.Owner)
         })
     })
+    describe('find expired SSO SAML Certs', async function () {
+        it('send email for active SSO profile with cert with less than 2 weeks life', async function () {
+            const task = require('../../../../../../forge/ee/lib/sso/tasks/saml-cert-check')
+            await task.run(app)
+            app.config.email.transport.messages.should.have.length(1)
+            const email = app.config.email.transport.messages[0]
+            email.subject.should.equal('FlowFuse SSO Certificate expiring soon')
+            email.text.should.match(/"expired SAML Cert" will expire/)
+        })
+    })
 })
