feat(saml): implementation of saml for ZITADEL v2 (#3618)

internal/api/saml/auth_request_converter.go

@@ -0,0 +1,99 @@
+package saml
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/saml/pkg/provider/models"
+	"github.com/zitadel/saml/pkg/provider/xml/samlp"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+)
+
+var _ models.AuthRequestInt = &AuthRequest{}
+
+type AuthRequest struct {
+	*domain.AuthRequest
+}
+
+func (a *AuthRequest) GetApplicationID() string {
+	return a.ApplicationID
+}
+
+func (a *AuthRequest) GetID() string {
+	return a.ID
+}
+func (a *AuthRequest) GetRelayState() string {
+	return a.TransferState
+}
+func (a *AuthRequest) GetAccessConsumerServiceURL() string {
+	return a.CallbackURI
+}
+
+func (a *AuthRequest) GetNameID() string {
+	return a.UserName
+}
+
+func (a *AuthRequest) saml() *domain.AuthRequestSAML {
+	return a.Request.(*domain.AuthRequestSAML)
+}
+func (a *AuthRequest) GetAuthRequestID() string {
+	return a.saml().ID
+}
+func (a *AuthRequest) GetBindingType() string {
+	return a.saml().BindingType
+}
+func (a *AuthRequest) GetIssuer() string {
+	return a.saml().Issuer
+}
+func (a *AuthRequest) GetIssuerName() string {
+	return a.saml().IssuerName
+}
+func (a *AuthRequest) GetDestination() string {
+	return a.saml().Destination
+}
+func (a *AuthRequest) GetCode() string {
+	return a.saml().Code
+}
+func (a *AuthRequest) GetUserID() string {
+	return a.UserID
+}
+func (a *AuthRequest) GetUserName() string {
+	return a.UserName
+}
+func (a *AuthRequest) Done() bool {
+	for _, step := range a.PossibleSteps {
+		if step.Type() == domain.NextStepRedirectToCallback {
+			return true
+		}
+	}
+	return false
+}
+
+func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ models.AuthRequestInt, err error) {
+	if _, ok := authReq.Request.(*domain.AuthRequestSAML); !ok {
+		return nil, errors.ThrowInvalidArgument(nil, "SAML-Hbz7A", "auth request is not of type saml")
+	}
+	return &AuthRequest{authReq}, nil
+}
+
+func CreateAuthRequestToBusiness(ctx context.Context, authReq *samlp.AuthnRequestType, acsUrl, protocolBinding, applicationID, relayState, userAgentID string) *domain.AuthRequest {
+	return &domain.AuthRequest{
+		CreationDate:  time.Now(),
+		AgentID:       userAgentID,
+		ApplicationID: applicationID,
+		CallbackURI:   acsUrl,
+		TransferState: relayState,
+		InstanceID:    authz.GetInstance(ctx).InstanceID(),
+		Request: &domain.AuthRequestSAML{
+			ID:          authReq.Id,
+			BindingType: protocolBinding,
+			Code:        "",
+			Issuer:      authReq.Issuer.Text,
+			IssuerName:  authReq.Issuer.SPProvidedID,
+			Destination: authReq.Destination,
+		},
+	}
+}

internal/api/saml/certificate.go

@@ -0,0 +1,202 @@
+package saml
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/zitadel/logging"
+	"github.com/zitadel/saml/pkg/provider/key"
+	"gopkg.in/square/go-jose.v2"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/repository/keypair"
+)
+
+const (
+	locksTable = "projections.locks"
+	signingKey = "signing_key"
+	samlUser   = "SAML"
+
+	retryBackoff   = 500 * time.Millisecond
+	retryCount     = 3
+	lockDuration   = retryCount * retryBackoff * 5
+	gracefulPeriod = 10 * time.Minute
+)
+
+type CertificateAndKey struct {
+	algorithm   jose.SignatureAlgorithm
+	id          string
+	key         interface{}
+	certificate interface{}
+}
+
+func (c *CertificateAndKey) SignatureAlgorithm() jose.SignatureAlgorithm {
+	return c.algorithm
+}
+
+func (c *CertificateAndKey) Key() interface{} {
+	return c.key
+}
+
+func (c *CertificateAndKey) Certificate() interface{} {
+	return c.certificate
+}
+
+func (c *CertificateAndKey) ID() string {
+	return c.id
+}
+
+func (p *Storage) GetCertificateAndKey(ctx context.Context, usage domain.KeyUsage) (certAndKey *key.CertificateAndKey, err error) {
+	err = retry(func() error {
+		certAndKey, err = p.getCertificateAndKey(ctx, usage)
+		if err != nil {
+			return err
+		}
+		if certAndKey == nil {
+			return errors.ThrowInternal(err, "SAML-8u01nks", "no certificate found")
+		}
+		return nil
+	})
+	return certAndKey, err
+}
+
+func (p *Storage) getCertificateAndKey(ctx context.Context, usage domain.KeyUsage) (*key.CertificateAndKey, error) {
+	certs, err := p.query.ActiveCertificates(ctx, time.Now().Add(gracefulPeriod), usage)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(certs.Certificates) > 0 {
+		return p.certificateToCertificateAndKey(selectCertificate(certs.Certificates))
+	}
+
+	var sequence uint64
+	if certs.LatestSequence != nil {
+		sequence = certs.LatestSequence.Sequence
+	}
+
+	return nil, p.refreshCertificate(ctx, usage, sequence)
+}
+
+func (p *Storage) refreshCertificate(
+	ctx context.Context,
+	usage domain.KeyUsage,
+	sequence uint64,
+) error {
+	ok, err := p.ensureIsLatestCertificate(ctx, sequence)
+	if err != nil {
+		logging.WithError(err).Error("could not ensure latest key")
+		return err
+	}
+	if !ok {
+		logging.Warn("view not up to date, retrying later")
+		return err
+	}
+	err = p.lockAndGenerateCertificateAndKey(ctx, usage, sequence)
+	logging.OnError(err).Warn("could not create signing key")
+	return nil
+}
+
+func (p *Storage) ensureIsLatestCertificate(ctx context.Context, sequence uint64) (bool, error) {
+	maxSequence, err := p.getMaxKeySequence(ctx)
+	if err != nil {
+		return false, fmt.Errorf("error retrieving new events: %w", err)
+	}
+	return sequence == maxSequence, nil
+}
+
+func (p *Storage) lockAndGenerateCertificateAndKey(ctx context.Context, usage domain.KeyUsage, sequence uint64) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	ctx = setSAMLCtx(ctx)
+
+	errs := p.locker.Lock(ctx, lockDuration, authz.GetInstance(ctx).InstanceID())
+	err, ok := <-errs
+	if err != nil || !ok {
+		if errors.IsErrorAlreadyExists(err) {
+			return nil
+		}
+		logging.OnError(err).Warn("initial lock failed")
+		return err
+	}
+
+	switch usage {
+	case domain.KeyUsageSAMLMetadataSigning, domain.KeyUsageSAMLResponseSinging:
+		certAndKey, err := p.GetCertificateAndKey(ctx, domain.KeyUsageSAMLCA)
+		if err != nil {
+			return fmt.Errorf("error while reading ca certificate: %w", err)
+		}
+		if certAndKey.Key == nil || certAndKey.Certificate == nil {
+			return fmt.Errorf("has no ca certificate")
+		}
+
+		switch usage {
+		case domain.KeyUsageSAMLMetadataSigning:
+			return p.command.GenerateSAMLMetadataCertificate(setSAMLCtx(ctx), p.certificateAlgorithm, certAndKey.Key, certAndKey.Certificate)
+		case domain.KeyUsageSAMLResponseSinging:
+			return p.command.GenerateSAMLResponseCertificate(setSAMLCtx(ctx), p.certificateAlgorithm, certAndKey.Key, certAndKey.Certificate)
+		default:
+			return fmt.Errorf("unknown usage")
+		}
+	case domain.KeyUsageSAMLCA:
+		return p.command.GenerateSAMLCACertificate(setSAMLCtx(ctx), p.certificateAlgorithm)
+	default:
+		return fmt.Errorf("unknown certificate usage")
+	}
+}
+
+func (p *Storage) getMaxKeySequence(ctx context.Context) (uint64, error) {
+	return p.eventstore.LatestSequence(ctx,
+		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
+			ResourceOwner(authz.GetInstance(ctx).InstanceID()).
+			AddQuery().
+			AggregateTypes(keypair.AggregateType).
+			Builder(),
+	)
+}
+
+func (p *Storage) certificateToCertificateAndKey(certificate query.Certificate) (_ *key.CertificateAndKey, err error) {
+	keyData, err := crypto.Decrypt(certificate.Key(), p.encAlg)
+	if err != nil {
+		return nil, err
+	}
+	privateKey, err := crypto.BytesToPrivateKey(keyData)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := crypto.BytesToCertificate(certificate.Certificate())
+	if err != nil {
+		return nil, err
+	}
+
+	return &key.CertificateAndKey{
+		Key:         privateKey,
+		Certificate: cert,
+	}, nil
+}
+
+func selectCertificate(certs []query.Certificate) query.Certificate {
+	return certs[len(certs)-1]
+}
+
+func setSAMLCtx(ctx context.Context) context.Context {
+	return authz.SetCtxData(ctx, authz.CtxData{UserID: samlUser, OrgID: authz.GetInstance(ctx).InstanceID()})
+}
+
+func retry(retryable func() error) (err error) {
+	for i := 0; i < retryCount; i++ {
+		err = retryable()
+		if err == nil {
+			return nil
+		}
+		time.Sleep(retryBackoff)
+	}
+	return err
+}

internal/api/saml/provider.go

@@ -0,0 +1,102 @@
+package saml
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"net/http"
+
+	"github.com/zitadel/saml/pkg/provider"
+
+	http_utils "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/api/ui/login"
+	"github.com/zitadel/zitadel/internal/auth/repository"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/metrics"
+)
+
+const (
+	HandlerPrefix = "/saml/v2"
+)
+
+type Config struct {
+	ProviderConfig *provider.Config
+}
+
+func NewProvider(
+	ctx context.Context,
+	conf Config,
+	externalSecure bool,
+	command *command.Commands,
+	query *query.Queries,
+	repo repository.Repository,
+	encAlg crypto.EncryptionAlgorithm,
+	certEncAlg crypto.EncryptionAlgorithm,
+	es *eventstore.Eventstore,
+	projections *sql.DB,
+	instanceHandler,
+	userAgentCookie func(http.Handler) http.Handler,
+) (*provider.Provider, error) {
+	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
+
+	provStorage, err := newStorage(
+		command,
+		query,
+		repo,
+		encAlg,
+		certEncAlg,
+		es,
+		projections,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	options := []provider.Option{
+		provider.WithHttpInterceptors(
+			middleware.MetricsHandler(metricTypes),
+			middleware.TelemetryHandler(),
+			middleware.NoCacheInterceptor().Handler,
+			instanceHandler,
+			userAgentCookie,
+			http_utils.CopyHeadersToContext,
+		),
+	}
+	if !externalSecure {
+		options = append(options, provider.WithAllowInsecure())
+	}
+
+	return provider.NewProvider(
+		ctx,
+		provStorage,
+		HandlerPrefix,
+		conf.ProviderConfig,
+		options...,
+	)
+}
+
+func newStorage(
+	command *command.Commands,
+	query *query.Queries,
+	repo repository.Repository,
+	encAlg crypto.EncryptionAlgorithm,
+	certEncAlg crypto.EncryptionAlgorithm,
+	es *eventstore.Eventstore,
+	projections *sql.DB,
+) (*Storage, error) {
+	return &Storage{
+		encAlg:          encAlg,
+		certEncAlg:      certEncAlg,
+		locker:          crdb.NewLocker(projections, locksTable, signingKey),
+		eventstore:      es,
+		repo:            repo,
+		command:         command,
+		query:           query,
+		defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
+	}, nil
+}

internal/api/saml/storage.go

@@ -0,0 +1,187 @@
+package saml
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/saml/pkg/provider"
+	"github.com/zitadel/saml/pkg/provider/key"
+	"github.com/zitadel/saml/pkg/provider/models"
+	"github.com/zitadel/saml/pkg/provider/serviceprovider"
+	"github.com/zitadel/saml/pkg/provider/xml/samlp"
+
+	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/auth/repository"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+var _ provider.EntityStorage = &Storage{}
+var _ provider.IdentityProviderStorage = &Storage{}
+var _ provider.AuthStorage = &Storage{}
+var _ provider.UserStorage = &Storage{}
+
+type Storage struct {
+	certChan                   <-chan interface{}
+	defaultCertificateLifetime time.Duration
+
+	currentCACertificate       query.Certificate
+	currentMetadataCertificate query.Certificate
+	currentResponseCertificate query.Certificate
+
+	locker               crdb.Locker
+	certificateAlgorithm string
+	encAlg               crypto.EncryptionAlgorithm
+	certEncAlg           crypto.EncryptionAlgorithm
+
+	eventstore *eventstore.Eventstore
+	repo       repository.Repository
+	command    *command.Commands
+	query      *query.Queries
+
+	defaultLoginURL string
+}
+
+func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*serviceprovider.ServiceProvider, error) {
+	app, err := p.query.AppBySAMLEntityID(ctx, entityID)
+	if err != nil {
+		return nil, err
+	}
+	return serviceprovider.NewServiceProvider(
+		app.ID,
+		&serviceprovider.Config{
+			Metadata: app.SAMLConfig.Metadata,
+		},
+		p.defaultLoginURL,
+	)
+}
+
+func (p *Storage) GetEntityIDByAppID(ctx context.Context, appID string) (string, error) {
+	app, err := p.query.AppByID(ctx, appID)
+	if err != nil {
+		return "", err
+	}
+	return app.SAMLConfig.EntityID, nil
+}
+
+func (p *Storage) Health(context.Context) error {
+	return nil
+}
+
+func (p *Storage) GetCA(ctx context.Context) (*key.CertificateAndKey, error) {
+	return p.GetCertificateAndKey(ctx, domain.KeyUsageSAMLCA)
+}
+
+func (p *Storage) GetMetadataSigningKey(ctx context.Context) (*key.CertificateAndKey, error) {
+	return p.GetCertificateAndKey(ctx, domain.KeyUsageSAMLMetadataSigning)
+}
+
+func (p *Storage) GetResponseSigningKey(ctx context.Context) (*key.CertificateAndKey, error) {
+	return p.GetCertificateAndKey(ctx, domain.KeyUsageSAMLResponseSinging)
+}
+
+func (p *Storage) CreateAuthRequest(ctx context.Context, req *samlp.AuthnRequestType, acsUrl, protocolBinding, relayState, applicationID string) (_ models.AuthRequestInt, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
+	if !ok {
+		return nil, errors.ThrowPreconditionFailed(nil, "SAML-sd436", "no user agent id")
+	}
+
+	authRequest := CreateAuthRequestToBusiness(ctx, req, acsUrl, protocolBinding, applicationID, relayState, userAgentID)
+
+	resp, err := p.repo.CreateAuthRequest(ctx, authRequest)
+	if err != nil {
+		return nil, err
+	}
+
+	return AuthRequestFromBusiness(resp)
+}
+
+func (p *Storage) AuthRequestByID(ctx context.Context, id string) (_ models.AuthRequestInt, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
+	if !ok {
+		return nil, errors.ThrowPreconditionFailed(nil, "SAML-D3g21", "no user agent id")
+	}
+	resp, err := p.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID)
+	if err != nil {
+		return nil, err
+	}
+	return AuthRequestFromBusiness(resp)
+}
+
+func (p *Storage) SetUserinfoWithUserID(ctx context.Context, userinfo models.AttributeSetter, userID string, attributes []int) (err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	user, err := p.query.GetUserByID(ctx, true, userID)
+	if err != nil {
+		return err
+	}
+
+	setUserinfo(user, userinfo, attributes)
+	return nil
+}
+
+func (p *Storage) SetUserinfoWithLoginName(ctx context.Context, userinfo models.AttributeSetter, loginName string, attributes []int) (err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	loginNameSQ, err := query.NewUserLoginNamesSearchQuery(loginName)
+	if err != nil {
+		return err
+	}
+	user, err := p.query.GetUser(ctx, true, loginNameSQ)
+	if err != nil {
+		return err
+	}
+
+	setUserinfo(user, userinfo, attributes)
+	return nil
+}
+
+func setUserinfo(user *query.User, userinfo models.AttributeSetter, attributes []int) {
+	if len(attributes) == 0 {
+		userinfo.SetUsername(user.PreferredLoginName)
+		userinfo.SetUserID(user.ID)
+		if user.Human == nil {
+			return
+		}
+		userinfo.SetEmail(user.Human.Email)
+		userinfo.SetSurname(user.Human.LastName)
+		userinfo.SetGivenName(user.Human.FirstName)
+		userinfo.SetFullName(user.Human.DisplayName)
+		return
+	}
+	for _, attribute := range attributes {
+		switch attribute {
+		case provider.AttributeEmail:
+			if user.Human != nil {
+				userinfo.SetEmail(user.Human.Email)
+			}
+		case provider.AttributeSurname:
+			if user.Human != nil {
+				userinfo.SetSurname(user.Human.LastName)
+			}
+		case provider.AttributeFullName:
+			if user.Human != nil {
+				userinfo.SetFullName(user.Human.DisplayName)
+			}
+		case provider.AttributeGivenName:
+			if user.Human != nil {
+				userinfo.SetGivenName(user.Human.FirstName)
+			}
+		case provider.AttributeUsername:
+			userinfo.SetUsername(user.PreferredLoginName)
+		case provider.AttributeUserID:
+			userinfo.SetUserID(user.ID)
+		}
+	}
+}