From 9e9982ab5d4f761560ebef18c9b01a06286ca2c1 Mon Sep 17 00:00:00 2001
From: Dryusdan
Date: Fri, 16 May 2025 19:01:34 +0200
Subject: [PATCH] feat(apps): Make SASL login work on bookstack with Anubis (#502)
* Make SASL login work on bookstack with Anubis
* chore: spelling
Signed-off-by: Xe Iaso
---------
Signed-off-by: Xe Iaso
Co-authored-by: Xe Iaso
---
 .github/actions/spelling/expect.txt | 3 +++
 data/apps/bookstack-saml.yaml | 20 ++++++++++++++++++++
 docs/docs/CHANGELOG.md | 1 +
 3 files changed, 24 insertions(+)
 create mode 100644 data/apps/bookstack-saml.yaml
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index b6345d4..d25e048 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -1,3 +1,4 @@
+acs
 aeacus
 Aibrew
 alrest
@@ -165,6 +166,7 @@ risc
 ruleset
 RUnlock
 sas
+sasl
 Scumm
 searx
 sebest
@@ -172,6 +174,7 @@ secretplans
 selfsigned
 setsebool
 sitemap
+sls
 Sourceware
 Spambot
 sparkline
diff --git a/data/apps/bookstack-saml.yaml b/data/apps/bookstack-saml.yaml
new file mode 100644
index 0000000..ebeb3f7
--- /dev/null
+++ b/data/apps/bookstack-saml.yaml
@@ -0,0 +1,20 @@
+# Make SASL login work on bookstack with Anubis
+# https://www.bookstackapp.com/docs/admin/saml2-auth/
+- name: allow-bookstack-sasl-login-routes
+ action: ALLOW
+ expression:
+ all:
+ - 'method == "POST"'
+ - path.startsWith("/saml2/acs")
+- name: allow-bookstack-sasl-metadata-routes
+ action: ALLOW
+ expression:
+ all:
+ - 'method == "GET"'
+ - path.startsWith("/saml2/metadata")
+- name: allow-bookstack-sasl-logout-routes
+ action: ALLOW
+ expression:
+ all:
+ - 'method == "GET"'
+ - path.startsWith("/saml2/sls")
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index fe327b7..4f923d6 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
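Review bot: In data/apps/bookstack-saml.yaml all three ALLOW rules match with `path.startsWith(...)`, so any request whose path merely begins with `/saml2/acs`, `/saml2/metadata` or `/saml2/sls` skips the challenge, not only the three BookStack endpoints. If these routes take no trailing segments (they look like fixed URLs, but confirm against the BookStack router), an exact comparison such as `- 'path == "/saml2/acs"'` keeps the unchallenged surface to what the identity provider actually needs. The header comment and the rule names also say SASL, while the file name, the linked doc and the paths are all SAML2, which is an unrelated protocol. `# Make SAML2 login work on BookStack with Anubis` and `allow-bookstack-saml-login-routes` (likewise for the metadata and logout rules) would remove the confusion and make the `sasl` entry added to expect.txt unnecessary.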
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Updated the nonce value in the challenge JWT cookie to be a string instead of a number
 - Rename cookies in response to user feedback
 - Ensure cookie renaming is consistent across configuration options
+- Add Bookstack app in data
 - Add `--target-host` flag/envvar to allow changing the value of the Host header in requests forwarded to the target service.
 - Bump AI-robots.txt to version 1.30 (add QualifiedBot)
 - Add `RuntimeDirectory` to systemd unit settings so native packages can listen over unix sockets