samlidp

package
v0.4.43 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 7, 2023 License: BSD-2-Clause Imports: 24 Imported by: 0

Documentation

Overview

Package samlidp a rudimentary SAML identity provider suitable for testing or as a starting point for a more complex service.

Index

Constants

This section is empty.

Variables

View Source
var ErrNotFound = errors.New("not found")

ErrNotFound is returned from Store.Get() when a stored item is not present

Functions

This section is empty.

Types

type MemoryStore

type MemoryStore struct {
	// contains filtered or unexported fields
}

MemoryStore is an implementation of Store that resides completely in memory.

func (*MemoryStore) Delete

func (s *MemoryStore) Delete(key string) error

Delete removes `key`

func (*MemoryStore) Get

func (s *MemoryStore) Get(key string, value interface{}) error

Get fetches the data stored in `key` and unmarshals it into `value`.

func (*MemoryStore) List

func (s *MemoryStore) List(prefix string) ([]string, error)

List returns all the keys that start with `prefix`. The prefix is stripped from each returned value. So if keys are ["aa", "ab", "cd"] then List("a") would produce []string{"a", "b"}

func (*MemoryStore) Put

func (s *MemoryStore) Put(key string, value interface{}) error

Put marshals `value` and stores it in `key`.

type Options

type Options struct {
	URL         url.URL
	Key         crypto.PrivateKey
	Logger      logger.Interface
	Certificate *x509.Certificate
	Store       Store
}

Options represent the parameters to New() for creating a new IDP server

type Server

type Server struct {
	http.Handler

	IDP   saml.IdentityProvider // the underlying IDP
	Store Store                 // the data store
	// contains filtered or unexported fields
}

Server represents an IDP server. The server provides the following URLs:

/metadata     - the SAML metadata
/sso          - the SAML endpoint to initiate an authentication flow
/login        - prompt for a username and password if no session established
/login/:shortcut - kick off an IDP-initiated authentication flow
/services     - RESTful interface to Service objects
/users        - RESTful interface to User objects
/sessions     - RESTful interface to Session objects
/shortcuts    - RESTful interface to Shortcut objects

func New

func New(opts Options) (*Server, error)

New returns a new Server

func (*Server) GetServiceProvider

func (s *Server) GetServiceProvider(r *http.Request, serviceProviderID string) (*saml.EntityDescriptor, error)

GetServiceProvider returns the Service Provider metadata for the service provider ID, which is typically the service provider's metadata URL. If an appropriate service provider cannot be found then the returned error must be os.ErrNotExist.

func (*Server) GetSession

func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.IdpAuthnRequest) *saml.Session

GetSession returns the *Session for this request.

If the remote user has specified a username and password in the request then it is validated against the user database. If valid it sets a cookie and returns the newly created session object.

If the remote user has specified invalid credentials then a login form is returned with an English-language toast telling the user their password was invalid.

If a session cookie already exists and represents a valid session, then the session is returned

If neither credentials nor a valid session cookie exist, this function sends a login form and returns nil.

func (*Server) HandleDeleteService

func (s *Server) HandleDeleteService(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteService handles the `DELETE /services/:id` request.

func (*Server) HandleDeleteSession

func (s *Server) HandleDeleteSession(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteSession handles the `DELETE /sessions/:id` request. It invalidates the specified session.

func (*Server) HandleDeleteShortcut

func (s *Server) HandleDeleteShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteShortcut handles the `DELETE /shortcuts/:id` request.

func (*Server) HandleDeleteUser

func (s *Server) HandleDeleteUser(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteUser handles the `DELETE /users/:id` request.

func (*Server) HandleGetService

func (s *Server) HandleGetService(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetService handles the `GET /services/:id` request and responds with the service metadata in XML format.

func (*Server) HandleGetSession

func (s *Server) HandleGetSession(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetSession handles the `GET /sessions/:id` request and responds with the session object in JSON format.

func (*Server) HandleGetShortcut

func (s *Server) HandleGetShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetShortcut handles the `GET /shortcuts/:id` request and responds with the shortcut object in JSON format.

func (*Server) HandleGetUser

func (s *Server) HandleGetUser(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetUser handles the `GET /users/:id` request and responds with the user object in JSON format. The HashedPassword field is excluded.

func (*Server) HandleIDPInitiated

func (s *Server) HandleIDPInitiated(c web.C, w http.ResponseWriter, r *http.Request)

HandleIDPInitiated handles a request for an IDP initiated login flow. It looks up the specified shortcut, generates the appropriate SAML assertion and redirects the user via the HTTP-POST binding to the service providers ACS URL.

func (*Server) HandleListServices

func (s *Server) HandleListServices(c web.C, w http.ResponseWriter, r *http.Request)

HandleListServices handles the `GET /services/` request and responds with a JSON formatted list of service names.

func (*Server) HandleListSessions

func (s *Server) HandleListSessions(c web.C, w http.ResponseWriter, r *http.Request)

HandleListSessions handles the `GET /sessions/` request and responds with a JSON formatted list of session names.

func (*Server) HandleListShortcuts

func (s *Server) HandleListShortcuts(c web.C, w http.ResponseWriter, r *http.Request)

HandleListShortcuts handles the `GET /shortcuts/` request and responds with a JSON formatted list of shortcut names.

func (*Server) HandleListUsers

func (s *Server) HandleListUsers(c web.C, w http.ResponseWriter, r *http.Request)

HandleListUsers handles the `GET /users/` request and responds with a JSON formatted list of user names.

func (*Server) HandleLogin

func (s *Server) HandleLogin(c web.C, w http.ResponseWriter, r *http.Request)

HandleLogin handles the `POST /login` and `GET /login` forms. If credentials are present in the request body, then they are validated. For valid credentials, the response is a 200 OK and the JSON session object. For invalid credentials, the HTML login prompt form is sent.

func (*Server) HandlePutService

func (s *Server) HandlePutService(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutService handles the `PUT /shortcuts/:id` request. It accepts the XML-formatted service metadata in the request body and stores it.

func (*Server) HandlePutShortcut

func (s *Server) HandlePutShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutShortcut handles the `PUT /shortcuts/:id` request. It accepts a JSON formatted shortcut object in the request body and stores it.

func (*Server) HandlePutUser

func (s *Server) HandlePutUser(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutUser handles the `PUT /users/:id` request. It accepts a JSON formatted user object in the request body and stores it. If the PlaintextPassword field is present then it is hashed and stored in HashedPassword. If the PlaintextPassword field is not present then HashedPassword retains it's stored value.

func (*Server) InitializeHTTP

func (s *Server) InitializeHTTP()

InitializeHTTP sets up the HTTP handler for the server. (This function is called automatically for you by New, but you may need to call it yourself if you don't create the object using New.)

type Service

type Service struct {
	// Name is the name of the service provider
	Name string

	// Metdata is the XML metadata of the service provider.
	Metadata saml.EntityDescriptor
}

Service represents a configured SP for whom this IDP provides authentication services.

type Shortcut

type Shortcut struct {
	// The name of the shortcut.
	Name string `json:"name"`

	// The entity ID of the service provider to use for this shortcut, i.e.
	// https://someapp.example.com/saml/metadata.
	ServiceProviderID string `json:"service_provider"`

	// If specified then the relay state is the fixed string provided
	RelayState *string `json:"relay_state,omitempty"`

	// If true then the URL suffix is used as the relayState. So for example, a user
	// requesting https://idp.example.com/login/myservice/foo will get redirected
	// to the myservice endpoint with a RelayState of "foo".
	URISuffixAsRelayState bool `json:"url_suffix_as_relay_state,omitempty"`
}

Shortcut represents an IDP-initiated SAML flow. When a user navigates to /login/:shortcut it initiates the login flow to the specified service provider with the specified RelayState.

type Store

type Store interface {
	// Get fetches the data stored in `key` and unmarshals it into `value`.
	Get(key string, value interface{}) error

	// Put marshals `value` and stores it in `key`.
	Put(key string, value interface{}) error

	// Delete removes `key`
	Delete(key string) error

	// List returns all the keys that start with `prefix`. The prefix is
	// stripped from each returned value. So if keys are ["aa", "ab", "cd"]
	// then List("a") would produce []string{"a", "b"}
	List(prefix string) ([]string, error)
}

Store is an interface that describes an abstract key-value store.

type User

type User struct {
	Name              string   `json:"name"`
	PlaintextPassword *string  `json:"password,omitempty"` // not stored
	HashedPassword    []byte   `json:"hashed_password,omitempty"`
	Groups            []string `json:"groups,omitempty"`
	Email             string   `json:"email,omitempty"`
	CommonName        string   `json:"common_name,omitempty"`
	Surname           string   `json:"surname,omitempty"`
	GivenName         string   `json:"given_name,omitempty"`
	ScopedAffiliation string   `json:"scoped_affiliation,omitempty"`
}

User represents a stored user. The data here are used to populate user once the user has authenticated.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL