mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 23:07:32 +00:00
64a03fba28
<!-- Please inform yourself about the contribution guidelines on submitting a PR here: https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr. Take note of how PR/commit titles should be written and replace the template texts in the sections below. Don't remove any of the sections. It is important that the commit history clearly shows what is changed and why. Important: By submitting a contribution you agree to the terms from our Licensing Policy as described here: https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions. --> # Which Problems Are Solved The current user V2 API returns a `[]byte` containing a whole HTML document including the form on `StartIdentifyProviderIntent` for intents based on form post (e.g. SAML POST bindings). This is not usable for most clients as they cannot handle that and render a whole page inside their app. For redirect based intents, the url to which the client needs to redirect is returned. # How the Problems Are Solved - Changed the returned type to a new `FormData` message containing the url and a `fields` map. - internal changes: - Session.GetAuth now returns an `Auth` interfacce and error instead of (content string, redirect bool) - Auth interface has two implementations: `RedirectAuth` and `FormAuth` - All use of the GetAuth function now type switch on the returned auth object - A template has been added to the login UI to execute the form post automatically (as is). # Additional Changes - Some intent integration test did not check the redirect url and were wrongly configured. # Additional Context - relates to zitadel/typescript#410
181 lines
5.7 KiB
Go
181 lines
5.7 KiB
Go
package saml
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"errors"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/beevik/etree"
|
|
"github.com/crewjam/saml"
|
|
"github.com/crewjam/saml/samlsp"
|
|
|
|
"github.com/zitadel/zitadel/internal/idp"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
var _ idp.Session = (*Session)(nil)
|
|
|
|
// Session is the [idp.Session] implementation for the SAML provider.
|
|
type Session struct {
|
|
ServiceProvider *samlsp.Middleware
|
|
state string
|
|
TransientMappingAttributeName string
|
|
|
|
RequestID string
|
|
Request *http.Request
|
|
|
|
Assertion *saml.Assertion
|
|
}
|
|
|
|
func NewSession(provider *Provider, requestID string, request *http.Request) (*Session, error) {
|
|
sp, err := provider.GetSP()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Session{
|
|
ServiceProvider: sp,
|
|
TransientMappingAttributeName: provider.TransientMappingAttributeName(),
|
|
RequestID: requestID,
|
|
Request: request,
|
|
}, nil
|
|
}
|
|
|
|
// GetAuth implements the [idp.Session] interface.
|
|
func (s *Session) GetAuth(ctx context.Context) (idp.Auth, error) {
|
|
url, err := url.Parse(s.state)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
request := &http.Request{
|
|
URL: url,
|
|
}
|
|
return s.auth(request.WithContext(ctx))
|
|
}
|
|
|
|
// PersistentParameters implements the [idp.Session] interface.
|
|
func (s *Session) PersistentParameters() map[string]any {
|
|
return nil
|
|
}
|
|
|
|
// FetchUser implements the [idp.Session] interface.
|
|
func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
|
|
if s.RequestID == "" || s.Request == nil {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "SAML-d09hy0wkex", "Errors.Intent.ResponseInvalid")
|
|
}
|
|
|
|
s.Assertion, err = s.ServiceProvider.ServiceProvider.ParseResponse(s.Request, []string{s.RequestID})
|
|
if err != nil {
|
|
invalidRespErr := new(saml.InvalidResponseError)
|
|
if errors.As(err, &invalidRespErr) {
|
|
return nil, zerrors.ThrowInvalidArgument(invalidRespErr.PrivateErr, "SAML-ajl3irfs", "Errors.Intent.ResponseInvalid")
|
|
}
|
|
return nil, zerrors.ThrowInvalidArgument(err, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid")
|
|
}
|
|
|
|
// nameID is required, but at least in ADFS it will not be sent unless explicitly configured
|
|
if s.Assertion.Subject == nil || s.Assertion.Subject.NameID == nil {
|
|
return nil, zerrors.ThrowInvalidArgument(err, "SAML-EFG32", "Errors.Intent.ResponseInvalid")
|
|
}
|
|
nameID := s.Assertion.Subject.NameID
|
|
userMapper := NewUser()
|
|
// use the nameID as default mapping id
|
|
userMapper.SetID(nameID.Value)
|
|
if nameID.Format == string(saml.TransientNameIDFormat) {
|
|
mappingID, err := s.transientMappingID()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userMapper.SetID(mappingID)
|
|
}
|
|
for _, statement := range s.Assertion.AttributeStatements {
|
|
for _, attribute := range statement.Attributes {
|
|
values := make([]string, len(attribute.Values))
|
|
for i := range attribute.Values {
|
|
values[i] = attribute.Values[i].Value
|
|
}
|
|
userMapper.Attributes[attribute.Name] = values
|
|
}
|
|
}
|
|
return userMapper, nil
|
|
}
|
|
|
|
func (s *Session) ExpiresAt() time.Time {
|
|
if s.Assertion == nil || s.Assertion.Conditions == nil {
|
|
return time.Time{}
|
|
}
|
|
return s.Assertion.Conditions.NotOnOrAfter
|
|
}
|
|
|
|
func (s *Session) transientMappingID() (string, error) {
|
|
for _, statement := range s.Assertion.AttributeStatements {
|
|
for _, attribute := range statement.Attributes {
|
|
if attribute.Name != s.TransientMappingAttributeName {
|
|
continue
|
|
}
|
|
if len(attribute.Values) != 1 {
|
|
return "", zerrors.ThrowInvalidArgument(nil, "SAML-Soij4", "Errors.Intent.MissingSingleMappingAttribute")
|
|
}
|
|
return attribute.Values[0].Value, nil
|
|
}
|
|
}
|
|
return "", zerrors.ThrowInvalidArgument(nil, "SAML-swwg2", "Errors.Intent.MissingSingleMappingAttribute")
|
|
}
|
|
|
|
// auth is a modified copy of the [samlsp.Middleware.HandleStartAuthFlow] method.
|
|
// Instead of writing the response to the http.ResponseWriter, it returns the auth request as an [idp.Auth].
|
|
// In case of an error, it returns the error directly and does not write to the response.
|
|
func (s *Session) auth(r *http.Request) (idp.Auth, error) {
|
|
if r.URL.Path == s.ServiceProvider.ServiceProvider.AcsURL.Path {
|
|
// should never occur, but was handled in the original method, so we keep it here
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "SAML-Eoi24", "don't wrap Middleware with RequireAccount")
|
|
}
|
|
|
|
var binding, bindingLocation string
|
|
if s.ServiceProvider.Binding != "" {
|
|
binding = s.ServiceProvider.Binding
|
|
bindingLocation = s.ServiceProvider.ServiceProvider.GetSSOBindingLocation(binding)
|
|
} else {
|
|
binding = saml.HTTPRedirectBinding
|
|
bindingLocation = s.ServiceProvider.ServiceProvider.GetSSOBindingLocation(binding)
|
|
if bindingLocation == "" {
|
|
binding = saml.HTTPPostBinding
|
|
bindingLocation = s.ServiceProvider.ServiceProvider.GetSSOBindingLocation(binding)
|
|
}
|
|
}
|
|
|
|
authReq, err := s.ServiceProvider.ServiceProvider.MakeAuthenticationRequest(bindingLocation, binding, s.ServiceProvider.ResponseBinding)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
relayState, err := s.ServiceProvider.RequestTracker.TrackRequest(nil, r, authReq.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if binding == saml.HTTPRedirectBinding {
|
|
redirectURL, err := authReq.Redirect(relayState, &s.ServiceProvider.ServiceProvider)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return idp.Redirect(redirectURL.String())
|
|
}
|
|
if binding == saml.HTTPPostBinding {
|
|
doc := etree.NewDocument()
|
|
doc.SetRoot(authReq.Element())
|
|
reqBuf, err := doc.WriteToBytes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
encodedReqBuf := base64.StdEncoding.EncodeToString(reqBuf)
|
|
return idp.Form(authReq.Destination,
|
|
map[string]string{
|
|
"SAMLRequest": encodedReqBuf,
|
|
"RelayState": relayState,
|
|
})
|
|
}
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "SAML-Eoi24", "Errors.Intent.Invalid")
|
|
}
|