samlidp

package
v0.15.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 16, 2024 License: Apache-2.0 Imports: 41 Imported by: 0

README

SAML IDP Module

This module allows a service to act as IDP (allow others to SSO with the service).

This module registers a feature configurer which does the following:

  1. add metadata refresh middleware to the sso endpoint
  2. add sso endpoint
  3. add metadata endpoint
  4. add error handling

Example Usage

samlidp.Use()

func (c *ExampleConfigurer) Configure(ws security.WebSecurity) {
    ws.Route(matcher.RouteWithPattern(c.config.Endpoints.SamlSso.Location.Path)).
		With(saml_auth.NewEndpoint().
			Issuer(c.config.Issuer).
			SsoCondition(c.config.Endpoints.SamlSso.Condition).
			SsoLocation(c.config.Endpoints.SamlSso.Location).
			MetadataPath(c.config.Endpoints.SamlMetadata))
	
	//Add more configuration to WS to finish the rest of the configuration for your app (i.e. what idp to use, etc)
}

Documentation

Index

Constants

View Source 
const (
	TenantRestrictionTypeAny = "any"
	TenantRestrictionTypeAll = "all"
)
View Source 
const (

	// ErrorSubTypeCodeSamlSso non-programming error that can occur during SAML web sso flow. These errors will be returned to the requester
	// as a status code when possible
	ErrorSubTypeCodeSamlSso = security.ErrorTypeCodeSaml + iota<<errorutils.ErrorSubTypeOffset
	// ErrorSubTypeCodeSamlSlo non-programming error that can occur during SAML SLO flow
	ErrorSubTypeCodeSamlSlo
	// ErrorSubTypeCodeSamlInternal programming error, these will be displayed on an error page
	// so that we can fix the error on our end.
	ErrorSubTypeCodeSamlInternal
)
View Source 
const (
	ErrorCodeSamlSsoRequester
	ErrorCodeSamlSsoResponder
	ErrorCodeSamlSsoRequestVersionMismatch
)

ErrorSubTypeCodeSamlSso

View Source 
const (
	ErrorCodeSamlSloRequester
	ErrorCodeSamlSloResponder
)

ErrorSubTypeCodeSamlSlo

View Source 
const CtxKeySamlAuthnRequest = "kSamlAuthnRequest"
View Source 
const (
	ErrorCodeSamlInternalGeneral
)

ErrorSubTypeCodeSamlInternal

Variables

View Source 
var (
	ErrorSubTypeSamlSso      = security.NewErrorSubType(ErrorSubTypeCodeSamlSso, errors.New("error sub-type: sso"))
	ErrorSubTypeSamlSlo      = security.NewErrorSubType(ErrorSubTypeCodeSamlSlo, errors.New("error sub-type: slo"))
	ErrorSubTypeSamlInternal = security.NewErrorSubType(ErrorSubTypeCodeSamlInternal, errors.New("error sub-type: internal"))

	// ErrorSamlSloRequester requester errors are displayed as a HTML page
	ErrorSamlSloRequester = security.NewCodedError(ErrorCodeSamlSloRequester, "SLO requester error")
	// ErrorSamlSloResponder responder errors are communicated back to SP via bindings
	ErrorSamlSloResponder = security.NewCodedError(ErrorCodeSamlSloResponder, "SLO responder error")
)
View Source 
var (
	FeatureId    = security.FeatureId("SamlAuthorizeEndpoint", security.FeatureOrderSamlAuthorizeEndpoint)
	SloFeatureId = security.FeatureId("SamlSLOEndpoint", security.FeatureOrderSamlLogout)
)
View Source 
var Module = &bootstrap.Module{
	Name:       "saml auth - authorize",
	Precedence: security.MinSecurityPrecedence + 20,
	Options: []fx.Option{
		fx.Invoke(register),
	},
}

Functions

func DetermineACSEndpoint 

func DetermineACSEndpoint(req *saml.IdpAuthnRequest) error

func MakeAssertion 

func MakeAssertion(ctx context.Context, req *saml.IdpAuthnRequest, authentication security.Authentication, generator AttributeGenerator) error

MakeAssertion This is similar to the method in saml.IdpAuthnRequest but we have our own logic for generating attributes.

func MakeAssertionEl 

func MakeAssertionEl(req *saml.IdpAuthnRequest, skipEncryption bool) error

MakeAssertionEl This is similar to the implementation in saml.IdpAuthnRequest we re-implement it here because we need to optionally skip encryption

func MakeErrorResponse 

func MakeErrorResponse(req *saml.IdpAuthnRequest, code string, message string) error

func MakeLogoutResponse 

func MakeLogoutResponse(req *SamlLogoutRequest, code string, message string) (*saml.LogoutResponse, error)

func NewSamlInternalError 

func NewSamlInternalError(text string, causes ...interface{}) error

func NewSamlRequestVersionMismatch 

func NewSamlRequestVersionMismatch(text string, causes ...interface{}) error

func NewSamlRequesterError 

func NewSamlRequesterError(text string, causes ...interface{}) error

func NewSamlResponderError 

func NewSamlResponderError(text string, causes ...interface{}) error

func SignLogoutResponse 

func SignLogoutResponse(idp *saml.IdentityProvider, resp *saml.LogoutResponse) error

SignLogoutResponse is similar to saml.ServiceProvider.SignLogoutResponse, but for IDP

func UnmarshalRequest 

func UnmarshalRequest(req *saml.IdpAuthnRequest) error

func Use 

func Use()

func ValidateAuthnRequest 

func ValidateAuthnRequest(req *saml.IdpAuthnRequest, spDetails SamlSpDetails, spMetadata *saml.EntityDescriptor) error

ValidateAuthnRequest This method is similar to the method in saml.IdpAuthnRequest, Because the original implementation doesn't support signature check and destination check, we reimplement it here to add support for them

Types

type AttributeGenerator 

type AttributeGenerator func(account security.Account) []saml.Attribute

type DefaultSamlClient 

type DefaultSamlClient struct {
	SamlSpDetails
	TenantRestrictions    utils.StringSet
	TenantRestrictionType string
}

func (DefaultSamlClient) GetEntityId 

func (c DefaultSamlClient) GetEntityId() string

func (DefaultSamlClient) GetMetadataSource 

func (c DefaultSamlClient) GetMetadataSource() string

func (DefaultSamlClient) GetMetadataTrustedKeys 

func (c DefaultSamlClient) GetMetadataTrustedKeys() []string

func (DefaultSamlClient) GetTenantRestrictionType 

func (c DefaultSamlClient) GetTenantRestrictionType() string

func (DefaultSamlClient) GetTenantRestrictions 

func (c DefaultSamlClient) GetTenantRestrictions() utils.StringSet

func (DefaultSamlClient) ShouldMetadataRequireSignature 

func (c DefaultSamlClient) ShouldMetadataRequireSignature() bool

func (DefaultSamlClient) ShouldMetadataTrustCheck 

func (c DefaultSamlClient) ShouldMetadataTrustCheck() bool

func (DefaultSamlClient) ShouldSkipAssertionEncryption 

func (c DefaultSamlClient) ShouldSkipAssertionEncryption() bool

func (DefaultSamlClient) ShouldSkipAuthRequestSignatureVerification 

func (c DefaultSamlClient) ShouldSkipAuthRequestSignatureVerification() bool

type Feature 

type Feature struct {
	// contains filtered or unexported fields
}

func Configure 

func Configure(ws security.WebSecurity) *Feature

func ConfigureLogout 

func ConfigureLogout(ws security.WebSecurity) *Feature

func New 

func New() *Feature

New Standard security.Feature entrypoint for authorization, DSL style. Used with security.WebSecurity

func NewLogout 

func NewLogout() *Feature

NewLogout Standard security.Feature entrypoint for single-logout, DSL style. Used with security.WebSecurity

func (*Feature) EnableSLO 

func (f *Feature) EnableSLO(logoutUrl string) *Feature

EnableSLO when logoutUrl is set, SLO Request handling is added to logout.Feature. SLO feature cannot work properly if this value mismatches the logout URL

func (*Feature) Identifier 

func (f *Feature) Identifier() security.FeatureIdentifier

func (*Feature) Issuer 

func (f *Feature) Issuer(issuer security.Issuer) *Feature

func (*Feature) MetadataPath 

func (f *Feature) MetadataPath(path string) *Feature

func (*Feature) SigningMethod 

func (f *Feature) SigningMethod(signatureMethod string) *Feature

func (*Feature) SsoCondition 

func (f *Feature) SsoCondition(condition web.RequestMatcher) *Feature

func (*Feature) SsoLocation 

func (f *Feature) SsoLocation(location *url.URL) *Feature

type MetadataMiddleware 

type MetadataMiddleware struct {
	// contains filtered or unexported fields
}

func NewMetadataMiddleware 

func NewMetadataMiddleware(opts *Options, samlClientStore samlctx.SamlClientStore) *MetadataMiddleware

func (*MetadataMiddleware) MetadataHandlerFunc 

func (mw *MetadataMiddleware) MetadataHandlerFunc() gin.HandlerFunc

func (*MetadataMiddleware) RefreshMetadataHandler 

func (mw *MetadataMiddleware) RefreshMetadataHandler(condition web.RequestMatcher) gin.HandlerFunc

type Options 

type Options struct {
	Key           crypto.PrivateKey
	Cert          *x509.Certificate
	EntityIdUrl   url.URL
	SsoUrl        url.URL
	SloUrl        url.URL
	SigningMethod string
	// contains filtered or unexported fields
}

type SamlAuthorizeEndpointConfigurer 

type SamlAuthorizeEndpointConfigurer struct {
	// contains filtered or unexported fields
}

func (*SamlAuthorizeEndpointConfigurer) Apply 

func (c *SamlAuthorizeEndpointConfigurer) Apply(feature security.Feature, ws security.WebSecurity) (err error)

type SamlAuthorizeEndpointMiddleware 

type SamlAuthorizeEndpointMiddleware struct {
	*MetadataMiddleware
	// contains filtered or unexported fields
}

func NewSamlAuthorizeEndpointMiddleware 

func NewSamlAuthorizeEndpointMiddleware(metaMw *MetadataMiddleware,
	accountStore security.AccountStore,
	attributeGenerator AttributeGenerator) *SamlAuthorizeEndpointMiddleware

func (*SamlAuthorizeEndpointMiddleware) AuthorizeHandlerFunc 

func (mw *SamlAuthorizeEndpointMiddleware) AuthorizeHandlerFunc(condition web.RequestMatcher) gin.HandlerFunc

type SamlError 

type SamlError struct {
	security.CodedError
	EC string // saml error code
	SC int    // status code
}

func NewSamlError 

func NewSamlError(code int64, e interface{}, samlErrorCode string, httpStatusCode int, causes ...interface{}) *SamlError

func (*SamlError) TranslateErrorCode 

func (s *SamlError) TranslateErrorCode() string

func (*SamlError) TranslateErrorMessage 

func (s *SamlError) TranslateErrorMessage() string

func (*SamlError) TranslateHttpStatusCode 

func (s *SamlError) TranslateHttpStatusCode() int

type SamlErrorHandler 

type SamlErrorHandler struct{}

func NewSamlErrorHandler 

func NewSamlErrorHandler() *SamlErrorHandler

func (*SamlErrorHandler) HandleError 

func (h *SamlErrorHandler) HandleError(c context.Context, r *http.Request, rw http.ResponseWriter, err error)

HandleError * Handles error as saml response when possible. Otherwise let the error handling handle it

See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf 4.1.3.5

type SamlLogoutEndpointConfigurer 

type SamlLogoutEndpointConfigurer struct {
	// contains filtered or unexported fields
}

func (*SamlLogoutEndpointConfigurer) Apply 

func (c *SamlLogoutEndpointConfigurer) Apply(feature security.Feature, ws security.WebSecurity) (err error)

type SamlLogoutRequest 

type SamlLogoutRequest struct {
	HTTPRequest     *http.Request
	Binding         string
	Request         *saml.LogoutRequest
	RequestBuffer   []byte
	RelayState      string
	IDP             *saml.IdentityProvider
	SPMeta          *saml.EntityDescriptor // the requester
	SPSSODescriptor *saml.SPSSODescriptor
	Callback        *saml.Endpoint
	Response        *saml.LogoutResponse
}

func (SamlLogoutRequest) Validate 

func (r SamlLogoutRequest) Validate() error

func (SamlLogoutRequest) VerifySignature 

func (r SamlLogoutRequest) VerifySignature() error

func (SamlLogoutRequest) WriteResponse 

func (r SamlLogoutRequest) WriteResponse(rw http.ResponseWriter) error

type SamlSingleLogoutMiddleware 

type SamlSingleLogoutMiddleware struct {
	*MetadataMiddleware
	SamlErrorHandler
}

SamlSingleLogoutMiddleware is a 1. logout.LogoutHandler 2. logout.ConditionalLogoutHandler 3. security.AuthenticationSuccessHandler 4. security.AuthenticationErrorHandler 5. security.AuthenticationEntryPoint focusing on validate SAML logout request and send back SAML LogoutResponse

func NewSamlSingleLogoutMiddleware 

func NewSamlSingleLogoutMiddleware(metaMw *MetadataMiddleware) *SamlSingleLogoutMiddleware

func (*SamlSingleLogoutMiddleware) Commence 

func (mw *SamlSingleLogoutMiddleware) Commence(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)

func (*SamlSingleLogoutMiddleware) HandleAuthenticationError 

func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationError(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)

func (*SamlSingleLogoutMiddleware) HandleAuthenticationSuccess 

func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationSuccess(ctx context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)

func (*SamlSingleLogoutMiddleware) HandleLogout 

func (mw *SamlSingleLogoutMiddleware) HandleLogout(ctx context.Context, _ *http.Request, _ http.ResponseWriter, auth security.Authentication) error

func (*SamlSingleLogoutMiddleware) Order 

func (mw *SamlSingleLogoutMiddleware) Order() int

func (*SamlSingleLogoutMiddleware) SLOCondition 

func (mw *SamlSingleLogoutMiddleware) SLOCondition() web.RequestMatcher

func (*SamlSingleLogoutMiddleware) ShouldLogout 

func (mw *SamlSingleLogoutMiddleware) ShouldLogout(ctx context.Context, r *http.Request, _ http.ResponseWriter, _ security.Authentication) error

ShouldLogout is a logout.ConditionalLogoutHandler method that intercept SP initiated SAML request. Possible outcomes are: - no error returned if the logout is not SAML single logout (no SAMLRequest found) - no error returned if the logout is a valid SAMLLogoutRequest - ErrorSubTypeSamlSlo if SAMLLogoutRequest is found but invalid

type SamlSpDetails 

type SamlSpDetails struct {
	EntityId                             string
	MetadataSource                       string
	SkipAssertionEncryption              bool
	SkipAuthRequestSignatureVerification bool

	MetadataRequireSignature bool
	MetadataTrustCheck       bool
	MetadataTrustedKeys      []string

	//currently the implementation is metaiop profile. this field is reserved for future use
	// https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-security-profiles-pkix
	SecurityProfile string
}

type SamlSsoErrorTranslator 

type SamlSsoErrorTranslator interface {
	error
	TranslateErrorCode() string
	TranslateErrorMessage() string
	TranslateHttpStatusCode() int
}

type SpMetadataManager 

type SpMetadataManager struct {
	// contains filtered or unexported fields
}

func (*SpMetadataManager) GetServiceProvider 

func (m *SpMetadataManager) GetServiceProvider(serviceProviderID string) (SamlSpDetails, *saml.EntityDescriptor, error)

func (*SpMetadataManager) RefreshCache 

func (m *SpMetadataManager) RefreshCache(ctx context.Context, clients []samlctx.SamlClient)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.