Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes for SAML authentication for osctrl-admin #279

Merged
merged 6 commits into from
Jun 17, 2022
Merged

Fixes for SAML authentication for osctrl-admin #279

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
00ffa2f
Fixes for SAML authentication
javuto Jun 16, 2022
c6282ea
Specifying entity ID
javuto Jun 16, 2022
994ecfc
Entity ID is within metadata
javuto Jun 16, 2022
871524e
Session retrieval
javuto Jun 17, 2022
727944c
JWT parsing
javuto Jun 17, 2022
dfa7f70
Using JWT parsing key properly
javuto Jun 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 46 additions & 47 deletions admin/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,62 +47,61 @@ func handlerAuthCheck(h http.Handler) http.Handler {
case settings.AuthSAML:
_, err := samlMiddleware.Session.GetSession(r)
if err != nil {
cookiev, err := r.Cookie(samlConfig.TokenName)
if err != nil {
log.Printf("error extracting JWT data: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
log.Printf("GetSession %v", err)
}
cookiev, err := r.Cookie(samlConfig.TokenName)
if err != nil {
log.Printf("error extracting JWT data: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
return
}
jwtdata, err := parseJWTFromCookie(samlData.KeyPair, cookiev.Value)
if err != nil {
log.Printf("error parsing JWT: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
return
}
// Check if user is already authenticated
authenticated, session := sessionsmgr.CheckAuth(r)
if !authenticated {
// Create user if it does not exist
if !adminUsers.Exists(jwtdata.Username) {
log.Printf("user not found: %s", jwtdata.Username)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
jwtdata, err := parseJWTFromCookie(samlData.KeyPair, cookiev.Value)
u, err := adminUsers.Get(jwtdata.Username)
if err != nil {
log.Printf("error parsing JWT: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
log.Printf("error getting user %s: %v", jwtdata.Username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
// Check if user is already authenticated
authenticated, session := sessionsmgr.CheckAuth(r)
if !authenticated {
// Create user if it does not exist
if !adminUsers.Exists(jwtdata.Username) {
log.Printf("user not found: %s", jwtdata.Username)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
u, err := adminUsers.Get(jwtdata.Username)
if err != nil {
log.Printf("error getting user %s: %v", jwtdata.Username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
access, err := adminUsers.GetEnvAccess(u.Username, u.DefaultEnv)
if err != nil {
log.Printf("error getting access for %s: %v", jwtdata.Username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
// Create new session
session, err = sessionsmgr.Save(r, w, u, access)
if err != nil {
log.Printf("session error: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
return
}
access, err := adminUsers.GetEnvAccess(u.Username, u.DefaultEnv)
if err != nil {
log.Printf("error getting access for %s: %v", jwtdata.Username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
// Set middleware values
s := make(sessions.ContextValue)
s[ctxUser] = session.Username
s[ctxCSRF] = session.Values[ctxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey("session"), s)
// Update metadata for the user
err = adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s["csrftoken"])
// Create new session
session, err = sessionsmgr.Save(r, w, u, access)
if err != nil {
log.Printf("error updating metadata for user %s: %v", session.Username, err)
log.Printf("session error: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
return
}
// Access granted
samlMiddleware.RequireAccount(h).ServeHTTP(w, r.WithContext(ctx))
} else {
samlMiddleware.RequireAccount(h).ServeHTTP(w, r)
}
// Set middleware values
s := make(sessions.ContextValue)
s[ctxUser] = session.Username
s[ctxCSRF] = session.Values[ctxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey("session"), s)
// Update metadata for the user
err = adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s["csrftoken"])
if err != nil {
log.Printf("error updating metadata for user %s: %v", session.Username, err)
}
// Access granted
samlMiddleware.RequireAccount(h).ServeHTTP(w, r.WithContext(ctx))
}
})
}
10 changes: 4 additions & 6 deletions admin/jwt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package main
import (
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"log"

"github.com/golang-jwt/jwt/v4"
Expand Down Expand Up @@ -38,16 +37,15 @@ func parseJWTFromCookie(keypair tls.Certificate, cookie string) (JWTData, error)
}
tokenClaims := TokenClaims{}
token, err := jwt.ParseWithClaims(cookie, &tokenClaims, func(t *jwt.Token) (interface{}, error) {
secretBlock := x509.MarshalPKCS1PrivateKey(keypair.PrivateKey.(*rsa.PrivateKey))
return secretBlock, nil
return keypair.PrivateKey.(*rsa.PrivateKey).Public(), nil
})

if err != nil || !token.Valid {
return JWTData{}, err
}
return JWTData{
Subject: tokenClaims.Subject,
Email: tokenClaims.Attributes["mail"][0],
Display: tokenClaims.Attributes["displayName"][0],
Username: tokenClaims.Attributes["sAMAccountName"][0],
Email: tokenClaims.Subject,
Username: tokenClaims.Subject,
}, nil
}
1 change: 1 addition & 0 deletions admin/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -574,6 +574,7 @@ func osctrlAdminService() {
URL: *samlData.RootURL,
Key: samlData.KeyPair.PrivateKey.(*rsa.PrivateKey),
Certificate: samlData.KeyPair.Leaf,
IDPMetadata: samlData.IdpMetadata,
AllowIDPInitiated: true,
})
if err != nil {
Expand Down
9 changes: 9 additions & 0 deletions admin/saml.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,16 @@
package main

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"log"
"net/http"
"net/url"

"github.com/crewjam/saml"
"github.com/crewjam/saml/samlsp"
"github.com/jmpsec/osctrl/settings"
"github.com/spf13/viper"
)
Expand All @@ -28,6 +32,7 @@ type JSONConfigurationSAML struct {
type samlThings struct {
RootURL *url.URL
IdpMetadataURL *url.URL
IdpMetadata *saml.EntityDescriptor
KeyPair tls.Certificate
}

Expand Down Expand Up @@ -65,6 +70,10 @@ func keypairSAML(config JSONConfigurationSAML) (samlThings, error) {
if err != nil {
return data, fmt.Errorf("Parse MetadataURL %v", err)
}
data.IdpMetadata, err = samlsp.FetchMetadata(context.Background(), http.DefaultClient, *data.IdpMetadataURL)
if err != nil {
return data, fmt.Errorf("Fetch Metadata %v", err)
}
data.RootURL, err = url.Parse(config.RootURL)
if err != nil {
return data, fmt.Errorf("Parse RootURL %v", err)
Expand Down