feat: add SAML as identity provider (#6454)

* feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:47:33 +00:00 · 2023-09-29 11:26:14 +02:00
parent 2e99d0fe1b
commit 15fd3045e0
82 changed files with 6301 additions and 245 deletions
--- a/internal/query/idp_template.go
+++ b/internal/query/idp_template.go
@@ -44,6 +44,7 @@ type IDPTemplate struct {
 	*GoogleIDPTemplate
 	*LDAPIDPTemplate
 	*AppleIDPTemplate
+	*SAMLIDPTemplate
 }

 type IDPTemplates struct {
@@ -150,6 +151,15 @@ type AppleIDPTemplate struct {
 	Scopes     database.StringArray
 }

+type SAMLIDPTemplate struct {
+	IDPID             string
+	Metadata          []byte
+	Key               *crypto.CryptoValue
+	Certificate       []byte
+	Binding           string
+	WithSignedRequest bool
+}
+
 var (
 	idpTemplateTable = table{
 		name:          projection.IDPTemplateTable,
@@ -650,6 +660,41 @@ var (
 	}
 )

+var (
+	samlIdpTemplateTable = table{
+		name:          projection.IDPTemplateSAMLTable,
+		instanceIDCol: projection.IDPTemplateInstanceIDCol,
+	}
+	SAMLIDCol = Column{
+		name:  projection.SAMLIDCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLInstanceCol = Column{
+		name:  projection.SAMLInstanceIDCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLMetadataCol = Column{
+		name:  projection.SAMLMetadataCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLKeyCol = Column{
+		name:  projection.SAMLKeyCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLCertificateCol = Column{
+		name:  projection.SAMLCertificateCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLBindingCol = Column{
+		name:  projection.SAMLBindingCol,
+		table: samlIdpTemplateTable,
+	}
+	SAMLWithSignedRequestCol = Column{
+		name:  projection.SAMLWithSignedRequestCol,
+		table: samlIdpTemplateTable,
+	}
+)
+
 // IDPTemplateByID searches for the requested id
 func (q *Queries) IDPTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (template *IDPTemplate, err error) {
 	ctx, span := tracing.NewSpan(ctx)
@@ -820,6 +865,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			GoogleClientIDCol.identifier(),
 			GoogleClientSecretCol.identifier(),
 			GoogleScopesCol.identifier(),
+			// saml
+			SAMLIDCol.identifier(),
+			SAMLMetadataCol.identifier(),
+			SAMLKeyCol.identifier(),
+			SAMLCertificateCol.identifier(),
+			SAMLBindingCol.identifier(),
+			SAMLWithSignedRequestCol.identifier(),
 			// ldap
 			LDAPIDCol.identifier(),
 			LDAPServersCol.identifier(),
@@ -861,6 +913,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
+			LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(AppleIDCol, IDPTemplateIDCol) + db.Timetravel(call.Took(ctx))).
 			PlaceholderFormat(sq.Dollar),
@@ -927,6 +980,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			googleClientSecret := new(crypto.CryptoValue)
 			googleScopes := database.StringArray{}

+			samlID := sql.NullString{}
+			var samlMetadata []byte
+			samlKey := new(crypto.CryptoValue)
+			var samlCertificate []byte
+			samlBinding := sql.NullString{}
+			samlWithSignedRequest := sql.NullBool{}
+
 			ldapID := sql.NullString{}
 			ldapServers := database.StringArray{}
 			ldapStartTls := sql.NullBool{}
@@ -1030,6 +1090,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 				&googleClientID,
 				&googleClientSecret,
 				&googleScopes,
+				// saml
+				&samlID,
+				&samlMetadata,
+				&samlKey,
+				&samlCertificate,
+				&samlBinding,
+				&samlWithSignedRequest,
 				// ldap
 				&ldapID,
 				&ldapServers,
@@ -1156,6 +1223,16 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 					Scopes:       googleScopes,
 				}
 			}
+			if samlID.Valid {
+				idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
+					IDPID:             samlID.String,
+					Metadata:          samlMetadata,
+					Key:               samlKey,
+					Certificate:       samlCertificate,
+					Binding:           samlBinding.String,
+					WithSignedRequest: samlWithSignedRequest.Bool,
+				}
+			}
 			if ldapID.Valid {
 				idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
 					IDPID:             ldapID.String,
@@ -1273,6 +1350,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			GoogleClientIDCol.identifier(),
 			GoogleClientSecretCol.identifier(),
 			GoogleScopesCol.identifier(),
+			// saml
+			SAMLIDCol.identifier(),
+			SAMLMetadataCol.identifier(),
+			SAMLKeyCol.identifier(),
+			SAMLCertificateCol.identifier(),
+			SAMLBindingCol.identifier(),
+			SAMLWithSignedRequestCol.identifier(),
 			// ldap
 			LDAPIDCol.identifier(),
 			LDAPServersCol.identifier(),
@@ -1316,6 +1400,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
+			LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
 			LeftJoin(join(AppleIDCol, IDPTemplateIDCol) + db.Timetravel(call.Took(ctx))).
 			PlaceholderFormat(sq.Dollar),
@@ -1385,6 +1470,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				googleClientSecret := new(crypto.CryptoValue)
 				googleScopes := database.StringArray{}

+				samlID := sql.NullString{}
+				var samlMetadata []byte
+				samlKey := new(crypto.CryptoValue)
+				var samlCertificate []byte
+				samlBinding := sql.NullString{}
+				samlWithSignedRequest := sql.NullBool{}
+
 				ldapID := sql.NullString{}
 				ldapServers := database.StringArray{}
 				ldapStartTls := sql.NullBool{}
@@ -1488,6 +1580,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 					&googleClientID,
 					&googleClientSecret,
 					&googleScopes,
+					// saml
+					&samlID,
+					&samlMetadata,
+					&samlKey,
+					&samlCertificate,
+					&samlBinding,
+					&samlWithSignedRequest,
 					// ldap
 					&ldapID,
 					&ldapServers,
@@ -1613,6 +1712,16 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 						Scopes:       googleScopes,
 					}
 				}
+				if samlID.Valid {
+					idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
+						IDPID:             samlID.String,
+						Metadata:          samlMetadata,
+						Key:               samlKey,
+						Certificate:       samlCertificate,
+						Binding:           samlBinding.String,
+						WithSignedRequest: samlWithSignedRequest.Bool,
+					}
+				}
 				if ldapID.Valid {
 					idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
 						IDPID:             ldapID.String,