Configure mscolab for sso

.gitignore

@@ -2,8 +2,6 @@
 .idea/
 .vscode/
 .DS_Store
-*.key
-*.crt
 *.pyc
 *.swp
 *.patch
@@ -30,5 +28,3 @@ tutorials/cursor_image.png
 __pycache__/
 instance/
 mslib/idp/modules
-mslib/idp/sp.xml
-mslib/auth_client_sp/idp.xml

docs/components.rst

@@ -11,3 +11,4 @@ Components
    gentutorials
    mssautoplot
    conf_auth_client_sp_idp
+   conf_sso_test_msscolab

docs/conf_auth_client_sp_idp.rst

@@ -1,5 +1,5 @@
-Identity Provider and Service Provider for testing the SSO process
-==================================================================
+Identity Provider and Testing Service Provider for testing the SSO process
+==========================================================================
 Both ``auth_client_sp`` and ``idp`` are designed specifically for testing the Single Sign-On (SSO) process using PySAML2. These folders encompass both the Identity Provider (IdP) and Service Provider (SP) implementations, which are utilized on a local server.
 
 The Identity Provider was set up following the official documentation of https://pysaml2.readthedocs.io/en/latest/, along with examples provided in the repository. Metadata YAML files will generate using the built-in tools of PySAML2. Actual key and certificate files can be used in when actual implementation. Please note that this both identity provider(IDP) and service provider(SP) is intended for testing purposes only.
@@ -31,7 +31,9 @@ To set up the certificates for local development, follow these steps:
 
     - Key and certificate of Service Provider: ``MSS/mslib/auth_client_sp/``
 
-    - key and certificate of Identity Provider: ``MSS/mslib/idp/``
+    - key and certificate of Identity Provider:
+        Since mscolab server's path was set as the default path for the key and certificate, you should manually update the path of `SERVER_CERT` with the path of the generated `.crt` file for IDP, and `SERVER_KEY` with the path of the generated `.key` file for the IDP in the file `MSS/mslib/idp/idp_conf.py`
+
 
     Make sure to insert the key along with its corresponding certificate.
 
@@ -43,7 +45,7 @@ First, generate the metadata file (https://pysaml2.readthedocs.io/en/latest/howt
 1. Navigate to the home directory, ``/MSS/``.
 2. Start the Flask application by running ``$ python mslib/auth_client_sp/app/app.py`` The application will listen on port : 5000.
 3. Download the metadata file by executing the command: ``curl http://localhost:5000/metadata/ -o sp.xml``.
-4. Move generated ``sp.xml`` to dir ``MSS/mslib/idp/``.
+4. Move generated ``sp.xml`` to dir ``MSS/mslib/idp/`` and update path of `["metadata"]["local"]` accordingly.
 
 After that, generate the idp.xml file, copy it over to the Service Provider (SP), and restart the SP Flask application:
 

docs/conf_sso_test_msscolab.rst

@@ -0,0 +1,77 @@
+Configuration MSS Colab Server with Testing IDP for SSO
+=======================================================
+Testing IDP (`mslib/idp`) is designed specifically for testing the Single Sign-On (SSO) process using PySAML2.
+
+Here is documentation that explains the configuration of the MSS Colab Server with the testing IDP.
+
+Getting started
+---------------
+
+To set up a local identity provider with the mscolab server, you'll first need to generate the required keys and certificates for both the Identity Provider and the mscolab server. Follow these steps to configure the system:
+
+    1. Initial Steps
+    2. Generate Keys and Certificates
+    3. Enable IDP Login
+    4. Generate Metadata Files
+    5. Start the Identity Provider
+    6. Restart the mscolab Server
+    7. Test the Single Sign-On (SSO) Process
+
+
+Initial Steps
+-------------
+Before getting started, you should correctly activate the environments, set the correct Python path, and be in the correct directory (`$ cd MSS`), as explained in the mss instructions : https://open-mss.github.io/develop/Setup-Instructions
+
+
+
+Generate Keys and Certificates
+------------------------------
+
+This involves generating both .key files and .crt files for both the Identity provider and mscolab server. You can create these simply by running
+
+`$ python mslib/mscolab/mscolab.py sso_conf --init_sso_crts`
+
+In some cases, if you set `IDP_ENABLED = True` without certificates, this will not execute. So, make sure to set `IDP_ENABLED = False` before executing this
+
+
+Enable IDP login
+----------------
+
+To enable identity provider-based login, set `IDP_ENABLED = True` in the `mslib/mscolab/conf.py` file of the MSS Colab server.
+
+After enabling the IDP, the next step is to add the `CONFIGURED_IDPS` dictionary. This dictionary should include keys for each enabled Identity Provider, represented by `idp_identity_name`, and their corresponding `idp_name`. Once this dictionary is set up, it should be used to update various functionalities of the mscolab server, such as the SAML2Client config .yml file, ensuring proper integration with the enabled IDPs.
+
+
+Generate metadata files
+-----------------------
+
+This involves generating necessary metadata files for both the identity provider and the service provider. You can generate them by simply running the appropriate command.
+
+Before executing this, you should enable IDP login as described in the third step(Enable IDP login).
+
+`$ python mslib/mscolab/mscolab.py sso_conf --init_sso_metadata`
+
+
+Start Identity provider
+-----------------------
+
+Once you setted certificates and metada files you can start mscolab server and local identity provider. To start local identity provider, simpy execute
+
+`$ python mslib/idp/idp.py idp_conf`
+
+
+Restart the mscolab Server
+--------------------------
+
+Start mscolab server
+
+`$ python mslib/mscolab/mscolab.py start`
+
+
+Testing Single Sign-On (SSO) process
+------------------------------------
+
+* Once you have successfully launched the server and identity provider, you can begin testing the Single Sign-On (SSO) process.
+* Start MSS PyQT application `$ python mslib/msui/msui.py`.
+* Login with identity provider through Qt Client application.
+* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``PASSWD`` section of the ``MSS/mslib/idp/idp.py`` file. Look for the relevant section in the file to find the necessary login credentials.

localbuild/meta.yaml

@@ -94,6 +94,7 @@ requirements:
     - dbus-python
     - flask-login
     - pysaml2
+    - libxmlsec1
 
 test:
   imports:

mslib/idp/idp.py

@@ -550,6 +550,8 @@ def do_authentication(environ, start_response, authn_context, key, redirect_uri,
     "roland": "dianakra",
     "babs": "howes",
     "upper": "crust",
+    "testuser2": "abcd1234",
+    "testuser3": "ABCD1234",
 }
 
 

mslib/idp/idp_conf.py

@@ -40,6 +40,11 @@
 
 XMLSEC_PATH = get_xmlsec_binary()
 
+# CRTs and metadata files can be generated through the mscolab server. if configured that way CRTs DIRs should be same in both IDP and mscolab server.
+BASE_DIR = os.path.expanduser("~")
+DATA_DIR = os.path.join(BASE_DIR, "colabdata")
+MSCOLAB_SSO_DIR = os.path.join(DATA_DIR, 'datasso')
+
 BASEDIR = os.path.abspath(os.path.dirname(__file__))
 
 
@@ -48,6 +53,10 @@ def full_path(local_file):
 
     return os.path.join(BASEDIR, local_file)
 
+def sso_dir_path(local_file):
+    """Return the full path by joining the MSCOLAB_SSO_DIR and local_file."""
+    return os.path.join(MSCOLAB_SSO_DIR, local_file)
+
 HOST = 'localhost'
 PORT = 8088
 
@@ -59,8 +68,8 @@ def full_path(local_file):
     BASE = f"http://{HOST}:{PORT}"
 
 # HTTPS cert information
-SERVER_CERT = "mslib/idp/crt_idp.crt"
-SERVER_KEY = "mslib/idp/key_idp.key"
+SERVER_CERT = f"{MSCOLAB_SSO_DIR}/crt_local_idp.crt"
+SERVER_KEY = f"{MSCOLAB_SSO_DIR}/key_local_idp.key"
 CERT_CHAIN = ""
 SIGN_ALG = None
 DIGEST_ALG = None
@@ -135,10 +144,10 @@ def full_path(local_file):
         },
     },
     "debug": 1,
-    "key_file": full_path("./key_idp.key"),
-    "cert_file": full_path("./crt_idp.crt"),
+    "key_file": sso_dir_path("./key_local_idp.key"),
+    "cert_file": sso_dir_path("./crt_local_idp.crt"),
     "metadata": {
-        "local": [full_path("./sp.xml")],
+        "local": [sso_dir_path("./metadata_sp.xml")],
     },
     "organization": {
         "display_name": "Organization Display Name",

mslib/idp/idp_user.py

@@ -49,6 +49,52 @@
         "postaladdress": "postaladdress",
         "cn": "cn",
     },
+    "testuser2": {
+        "sn": "Testsson2",
+        "givenName": "Test2",
+        "eduPersonAffiliation": "student",
+        "eduPersonScopedAffiliation": "[email protected]",
+        "eduPersonPrincipalName": "[email protected]",
+        "uid": "testuser2",
+        "eduPersonTargetedID": ["one!for!all"],
+        "c": "SE",
+        "o": "Example Co.",
+        "ou": "IT",
+        "initials": "P",
+        "co": "co",
+        "mail": "mail",
+        "noreduorgacronym": "noreduorgacronym",
+        "schacHomeOrganization": "example.com",
+        "email": "[email protected]",
+        "displayName": "Test Testsson",
+        "labeledURL": "http://www.example.com/test My homepage",
+        "norEduPersonNIN": "SE199012315555",
+        "postaladdress": "postaladdress",
+        "cn": "cn",
+    },
+    "testuser3": {
+        "sn": "Testsson3",
+        "givenName": "Test3",
+        "eduPersonAffiliation": "student",
+        "eduPersonScopedAffiliation": "[email protected]",
+        "eduPersonPrincipalName": "[email protected]",
+        "uid": "testuser3",
+        "eduPersonTargetedID": ["one!for!all"],
+        "c": "SE",
+        "o": "Example Co.",
+        "ou": "IT",
+        "initials": "P",
+        "co": "co",
+        "mail": "mail",
+        "noreduorgacronym": "noreduorgacronym",
+        "schacHomeOrganization": "example.com",
+        "email": "[email protected]",
+        "displayName": "Test Testsson",
+        "labeledURL": "http://www.example.com/test My homepage",
+        "norEduPersonNIN": "SE199012315555",
+        "postaladdress": "postaladdress",
+        "cn": "cn",
+    },
     "roland": {
         "sn": "Hedberg",
         "givenName": "Roland",

mslib/mscolab/app/mss_saml2_backend.yaml

@@ -0,0 +1,117 @@
+name: Saml2
+config:
+  entityid_endpoint: true
+  mirror_force_authn: no
+  memorize_idp: no
+  use_memorized_idp_when_force_authn: no
+  send_requester_id: no
+  enable_metadata_reload: no
+
+  # SP Configuration for localhost_test_idp
+  localhost_test_idp:
+    name: "MSS Colab Server - Testing IDP(localhost)"
+    description: "MSS Collaboration Server with Testing IDP(localhost)"
+    key_file: path/to/key_sp.key # Will be set from the mscolab server
+    cert_file: path/to/crt_sp.crt # Will be set from the mscolab server
+    organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+    contact_person:
+    - {contact_type: technical, email_address: [email protected], given_name: Technical}
+    - {contact_type: support, email_address: [email protected], given_name: Support}
+
+    metadata:
+      local: [path/to/idp.xml] # Will be set from the mscolab server
+
+    entityid: http://localhost:5000/proxy_saml2_backend.xml
+    accepted_time_diff: 60
+    service:
+      sp:
+        ui_info:
+          display_name:
+            - lang: en
+              text: "Open MSS"
+          description:
+            - lang: en
+              text: "Mission Support System"
+          information_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          privacy_statement_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          keywords:
+            - lang: se
+              text: ["MSS"]
+            - lang: en
+              text: ["OpenMSS"]
+          logo:
+            text: "https://open-mss.github.io/assets/logo.png"
+            width: "100"
+            height: "100"
+        authn_requests_signed: true
+        want_response_signed: true
+        want_assertion_signed: true
+        allow_unknown_attributes: true
+        allow_unsolicited: true
+        endpoints:
+          assertion_consumer_service:
+            - [http://localhost:8083/localhost_test_idp/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+            - [http://localhost:8083/localhost_test_idp/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+          discovery_response:
+          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        name_id_format_allow_create: true
+
+
+  # # SP Configuration for IDP 2
+  # sp_config_idp_2:
+  #   name: "MSS Colab Server - Testing IDP(localhost)"
+  #   description: "MSS Collaboration Server with Testing IDP(localhost)"
+  #   key_file: mslib/mscolab/app/key_sp.key
+  #   cert_file: mslib/mscolab/app/crt_sp.crt
+  #   organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+  #   contact_person:
+  #   - {contact_type: technical, email_address: [email protected], given_name: Technical}
+  #   - {contact_type: support, email_address: [email protected], given_name: Support}
+
+  #   metadata:
+  #     local: [mslib/mscolab/app/idp.xml]
+
+  #   entityid: http://localhost:5000/proxy_saml2_backend.xml
+  #   accepted_time_diff: 60
+  #   service:
+  #     sp:
+  #       ui_info:
+  #         display_name:
+  #           - lang: en
+  #             text: "Open MSS"
+  #         description:
+  #           - lang: en
+  #             text: "Mission Support System"
+  #         information_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         privacy_statement_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         keywords:
+  #           - lang: se
+  #             text: ["MSS"]
+  #           - lang: en
+  #             text: ["OpenMSS"]
+  #         logo:
+  #           text: "https://open-mss.github.io/assets/logo.png"
+  #           width: "100"
+  #           height: "100"
+  #       authn_requests_signed: true
+  #       want_response_signed: true
+  #       want_assertion_signed: true
+  #       allow_unknown_attributes: true
+  #       allow_unsolicited: true
+  #       endpoints:
+  #         assertion_consumer_service:
+  #           - [http://localhost:8083/idp2/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+  #           - [http://localhost:8083/idp2/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+  #         discovery_response:
+  #         - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+  #       name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+  #       name_id_format_allow_create: true

mslib/mscolab/conf.py

@@ -90,6 +90,18 @@ class default_mscolab_settings:
     # enable login by identity provider
     IDP_ENABLED = False
 
+    # dir where mscolab single sign process files are stored
+    MSCOLAB_SSO_DIR = os.path.join(DATA_DIR, 'datasso')
+
+    # idp settings
+    CONFIGURED_IDPS = [
+        {
+          'idp_identity_name':'localhost_test_idp',
+          'idp_name':'Testing Identity Provider'
+        },
+        # {'idp_identity_name':'idp_2','idp_name':'idp 2'},
+        # {'idp_identity_name':'idp_3','idp_name':'idp 3'},
+        ]
 
 mscolab_settings = default_mscolab_settings()
 

mslib/mscolab/models.py

@@ -48,14 +48,16 @@ class User(db.Model):
     confirmed = db.Column(db.Boolean, nullable=False, default=False)
     confirmed_on = db.Column(db.DateTime, nullable=True)
     permissions = db.relationship('Permission', cascade='all,delete,delete-orphan', backref='user')
+    authentication_backend = db.Column(db.String(255), nullable=True, default=False)
 
-    def __init__(self, emailid, username, password, confirmed=False, confirmed_on=None):
+    def __init__(self, emailid, username, password, confirmed=False, confirmed_on=None, authentication_backend='local'):
         self.username = username
         self.emailid = emailid
         self.hash_password(password)
         self.registered_on = datetime.datetime.now()
         self.confirmed = confirmed
         self.confirmed_on = confirmed_on
+        self.authentication_backend = authentication_backend
 
     def __repr__(self):
         return f'<User {self.username}>'