Added initial support for SAML based authentication

Author: akclace

go.mod

@@ -19,10 +19,13 @@ require (
 	github.com/gorilla/sessions v1.4.0
 	github.com/hashicorp/vault/api v1.15.0
 	github.com/jackc/pgx/v5 v5.7.5
+	github.com/jackc/pgxlisten v0.0.0-20241106001234-1d6f6656415c
 	github.com/markbates/goth v1.80.0
 	github.com/moby/buildkit v0.18.1
 	github.com/pkg/profile v1.7.0
 	github.com/rs/zerolog v1.33.0
+	github.com/russellhaering/gosaml2 v0.10.0
+	github.com/russellhaering/goxmldsig v1.5.0
 	github.com/segmentio/ksuid v1.0.4
 	github.com/urfave/cli/v2 v2.27.5
 	go.starlark.net v0.0.0-20241125201518-c05ff208a98f
@@ -51,6 +54,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect
 	github.com/aws/smithy-go v1.22.1 // indirect
+	github.com/beevik/etree v1.5.0 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
@@ -81,13 +85,14 @@ require (
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgxlisten v0.0.0-20241106001234-1d6f6656415c // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/markbates/going v1.0.3 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mholt/acmez/v2 v2.0.3 // indirect
 	github.com/miekg/dns v1.1.62 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect

go.sum

@@ -51,6 +51,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 h1:s4074ZO1Hk8qv65GqNXqDjmkf4HS
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.2/go.mod h1:mVggCnIWoM09jP71Wh+ea7+5gAp53q+49wDFs1SW5z8=
 github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
 github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/beevik/etree v1.5.0 h1:iaQZFSDS+3kYZiGoc9uKeOkUY3nYMXOKLl6KIJxiJWs=
+github.com/beevik/etree v1.5.0/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
 github.com/benbjohnson/hashfs v0.2.2 h1:vFZtksphM5LcnMRFctj49jCUkCc7wp3NP6INyfjkse4=
 github.com/benbjohnson/hashfs v0.2.2/go.mod h1:7OMXaMVo1YkfiIPxKrl7OXkUTUgWjmsAKyR+E6xDIRM=
 github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q=
@@ -185,6 +187,8 @@ github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da h1:FjHUJJ7oBW4G/9
 github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
@@ -207,6 +211,8 @@ github.com/markbates/going v1.0.3 h1:mY45T5TvW+Xz5A6jY7lf4+NLg9D8+iuStIHyR7M8qsE
 github.com/markbates/going v1.0.3/go.mod h1:fQiT6v6yQar9UD6bd/D4Z5Afbk9J6BBVBtLiyY4gp2o=
 github.com/markbates/goth v1.80.0 h1:NnvatczZDzOs1hn9Ug+dVYf2Viwwkp/ZDX5K+GLjan8=
 github.com/markbates/goth v1.80.0/go.mod h1:4/GYHo+W6NWisrMPZnq0Yr2Q70UntNLn7KXEFhrIdAY=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -252,6 +258,10 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/russellhaering/gosaml2 v0.10.0 h1:z7JTpKmC4JVG94tvSQz4lszUdKLt+uy5c6lEkhdEz3Y=
+github.com/russellhaering/gosaml2 v0.10.0/go.mod h1:XLwI/5aWV4E2X9p+qj6LgRwiYGv2nh4YS6pQBGlQ0Cc=
+github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
+github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
@@ -273,6 +283,7 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

internal/server/app_apis.go

@@ -132,8 +132,8 @@ func (s *Server) CreateAppTx(ctx context.Context, currentTx types.Transaction, a
 	appEntry.SourceUrl = sourceUrl
 	appEntry.IsDev = appRequest.IsDev
 	if appRequest.AppAuthn != "" {
-		if !s.ssoAuth.ValidateAuthType(string(appRequest.AppAuthn)) {
-			return nil, fmt.Errorf("invalid authentication type %s", appRequest.AppAuthn)
+		if err := s.validateAppAuthnType(string(appRequest.AppAuthn)); err != nil {
+			return nil, err
 		}
 		appEntry.Settings.AuthnType = appRequest.AppAuthn
 	} else {
@@ -163,6 +163,18 @@ func (s *Server) CreateAppTx(ctx context.Context, currentTx types.Transaction, a
 	return auditResult, nil
 }
 
+func (s *Server) validateAppAuthnType(authStr string) error {
+	if strings.HasPrefix(authStr, SAML_AUTH_PREFIX) || strings.HasPrefix(authStr, RBAC_AUTH_PREFIX+SAML_AUTH_PREFIX) {
+		// saml auth, with or without rbac
+		if !s.samlManager.ValidateSAMLProvider(authStr) {
+			return fmt.Errorf("invalid saml auth type %s", authStr)
+		}
+	} else if !s.oAuthManager.ValidateAuthType(authStr) {
+		return fmt.Errorf("invalid authentication type %s", authStr)
+	}
+	return nil
+}
+
 func (s *Server) createApp(ctx context.Context, tx types.Transaction,
 	appEntry *types.AppEntry, approve, dryRun bool, branch, commit, gitAuth string, applyInfo *types.CreateAppRequest, repoCache *RepoCache) (*types.AppCreateResponse, error) {
 	if !system.IsGit(appEntry.SourceUrl) {
@@ -495,15 +507,28 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 			return
 		}
 		userId = strippedAuthStr
+	} else if strings.HasPrefix(strippedAuthStr, SAML_AUTH_PREFIX) {
+		// Use SAML auth
+		if !s.samlManager.ValidateSAMLProvider(strippedAuthStr) {
+			http.Error(w, "Unsupported saml provider: "+strippedAuthStr, http.StatusInternalServerError)
+			return
+		}
+		userId, groups, err = s.samlManager.CheckSAMLAuth(w, r, strippedAuthStr)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+		if userId == "" {
+			return // Already redirected to auth provider
+		}
 	} else {
 		// Use SSO auth
-		if !s.ssoAuth.ValidateProviderName(strippedAuthStr) {
+		if !s.oAuthManager.ValidateProviderName(strippedAuthStr) {
 			http.Error(w, "Unsupported authentication provider: "+strippedAuthStr, http.StatusInternalServerError)
 			return
 		}
 
 		// Redirect to the auth provider if not logged in
-		userId, groups, err = s.ssoAuth.CheckAuth(w, r, strippedAuthStr, true)
+		userId, groups, err = s.oAuthManager.CheckAuth(w, r, strippedAuthStr, true)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 		}

internal/server/app_updates.go

@@ -484,8 +484,8 @@ func (s *Server) updateAppSettings(ctx context.Context, tx types.Transaction, ap
 		}
 
 		if updateAppRequest.AuthnType != types.StringValueUndefined {
-			if !s.ssoAuth.ValidateAuthType(string(updateAppRequest.AuthnType)) {
-				return nil, fmt.Errorf("invalid authentication type %s", updateAppRequest.AuthnType)
+			if err := s.validateAppAuthnType(string(updateAppRequest.AuthnType)); err != nil {
+				return nil, err
 			}
 			linkedApp.Settings.AuthnType = types.AppAuthnType(updateAppRequest.AuthnType)
 		}

internal/server/sso_auth.go renamed to internal/server/oauth.go

@@ -14,6 +14,7 @@ import (
 	"github.com/gorilla/sessions"
 	"github.com/markbates/goth"
 	"github.com/markbates/goth/gothic"
+	"github.com/openrundev/openrun/internal/system"
 	"github.com/openrundev/openrun/internal/types"
 
 	"github.com/markbates/goth/providers/amazon"
@@ -42,15 +43,16 @@ const (
 	REDIRECT_URL            = "redirect"
 )
 
-type SSOAuth struct {
+// OAuthManager manages the OAuth providers and their configurations (also OIDC)
+type OAuthManager struct {
 	*types.Logger
 	config          *types.ServerConfig
 	cookieStore     *sessions.CookieStore
 	providerConfigs map[string]*types.AuthConfig
 }
 
-func NewSSOAuth(logger *types.Logger, config *types.ServerConfig) *SSOAuth {
-	return &SSOAuth{
+func NewOAuthManager(logger *types.Logger, config *types.ServerConfig) *OAuthManager {
+	return &OAuthManager{
 		Logger: logger,
 		config: config,
 	}
@@ -77,7 +79,7 @@ func generateRandomKey(length int) (string, error) {
 	return string(key), nil
 }
 
-func (s *SSOAuth) Setup() error {
+func (s *OAuthManager) Setup() error {
 	var err error
 	sessionKey := s.config.Security.SessionSecret
 	if sessionKey == "" {
@@ -167,14 +169,14 @@ func (s *SSOAuth) Setup() error {
 	}
 
 	if len(providers) != 0 && s.config.Security.CallbackUrl == "" {
-		return fmt.Errorf("security.callback_url must be set for enabling SSO auth")
+		return fmt.Errorf("security.callback_url must be set for enabling OAuth")
 	}
 
 	goth.UseProviders(providers...) // Register the providers with goth
 	return nil
 }
 
-func (s *SSOAuth) RegisterRoutes(mux *chi.Mux) {
+func (s *OAuthManager) RegisterRoutes(mux *chi.Mux) {
 	mux.Get(types.INTERNAL_URL_PREFIX+"/auth/{provider}/callback", func(w http.ResponseWriter, r *http.Request) {
 		user, err := gothic.CompleteUserAuth(w, r)
 		if err != nil {
@@ -308,7 +310,7 @@ func (s *SSOAuth) RegisterRoutes(mux *chi.Mux) {
 	})
 }
 
-func (s *SSOAuth) validateResponse(providerName string, user goth.User) error {
+func (s *OAuthManager) validateResponse(providerName string, user goth.User) error {
 	providerConfig := s.providerConfigs[providerName]
 	if providerConfig == nil {
 		return fmt.Errorf("provider %s not configured", providerName)
@@ -326,11 +328,11 @@ func (s *SSOAuth) validateResponse(providerName string, user goth.User) error {
 	return nil
 }
 
-func (s *SSOAuth) ValidateProviderName(provider string) bool {
+func (s *OAuthManager) ValidateProviderName(provider string) bool {
 	return s.providerConfigs[provider] != nil
 }
 
-func (s *SSOAuth) ValidateAuthType(authType string) bool {
+func (s *OAuthManager) ValidateAuthType(authType string) bool {
 	authType = strings.TrimPrefix(authType, RBAC_AUTH_PREFIX)
 	switch authType {
 	case string(types.AppAuthnDefault), string(types.AppAuthnSystem), string(types.AppAuthnNone):
@@ -344,7 +346,7 @@ func (s *SSOAuth) ValidateAuthType(authType string) bool {
 	}
 }
 
-func (s *SSOAuth) CheckAuth(w http.ResponseWriter, r *http.Request, appProvider string, updateRedirect bool) (string, []string, error) {
+func (s *OAuthManager) CheckAuth(w http.ResponseWriter, r *http.Request, appProvider string, updateRedirect bool) (string, []string, error) {
 	cookieName := genCookieName(appProvider)
 	session, err := s.cookieStore.Get(r, cookieName)
 	if err != nil {
@@ -355,16 +357,16 @@ func (s *SSOAuth) CheckAuth(w http.ResponseWriter, r *http.Request, appProvider
 			s.cookieStore.Save(r, w, session) //nolint:errcheck
 		}
 		if r.Header.Get("HX-Request") == "true" {
-			w.Header().Set("HX-Redirect", r.RequestURI)
+			w.Header().Set("HX-Redirect", system.GetRequestUrl(r))
 		} else {
-			http.Redirect(w, r, r.RequestURI, http.StatusTemporaryRedirect)
+			http.Redirect(w, r, system.GetRequestUrl(r), http.StatusTemporaryRedirect)
 		}
 		return "", nil, err
 	}
 	if auth, ok := session.Values[AUTH_KEY].(bool); !ok || !auth {
 		// Store the target URL before redirecting to login
 		if updateRedirect {
-			session.Values[REDIRECT_URL] = r.RequestURI
+			session.Values[REDIRECT_URL] = system.GetRequestUrl(r)
 			err = session.Save(r, w)
 			if err != nil {
 				s.Warn().Err(err).Msg("failed to save session")
@@ -373,25 +375,25 @@ func (s *SSOAuth) CheckAuth(w http.ResponseWriter, r *http.Request, appProvider
 		}
 		s.Warn().Err(err).Msg("no auth, redirecting to login")
 		if r.Header.Get("HX-Request") == "true" {
-			w.Header().Set("HX-Redirect", types.INTERNAL_URL_PREFIX+"/auth/"+appProvider)
+			w.Header().Set("HX-Redirect", s.config.Security.CallbackUrl+types.INTERNAL_URL_PREFIX+"/auth/"+appProvider)
 		} else {
-			http.Redirect(w, r, types.INTERNAL_URL_PREFIX+"/auth/"+appProvider, http.StatusTemporaryRedirect)
+			http.Redirect(w, r, s.config.Security.CallbackUrl+types.INTERNAL_URL_PREFIX+"/auth/"+appProvider, http.StatusTemporaryRedirect)
 		}
 		return "", nil, nil
 	}
 
 	// Check if provider name matches the one in the session
 	if providerName, ok := session.Values[PROVIDER_NAME_KEY].(string); !ok || providerName != appProvider {
 		if updateRedirect {
-			session.Values[REDIRECT_URL] = r.RequestURI
+			session.Values[REDIRECT_URL] = system.GetRequestUrl(r)
 			err = session.Save(r, w)
 			if err != nil {
 				s.Warn().Err(err).Msg("failed to save session")
 				return "", nil, err
 			}
 		}
 		s.Warn().Err(err).Msg("provider mismatch, redirecting to login")
-		http.Redirect(w, r, types.INTERNAL_URL_PREFIX+"/auth/"+appProvider, http.StatusTemporaryRedirect)
+		http.Redirect(w, r, s.config.Security.CallbackUrl+types.INTERNAL_URL_PREFIX+"/auth/"+appProvider, http.StatusTemporaryRedirect)
 		return "", nil, nil
 	}
 

internal/server/router.go

@@ -144,7 +144,8 @@ func NewTCPHandler(logger *types.Logger, config *types.ServerConfig, server *Ser
 	// Webhooks are always mounted, they are disabled at the app level by default
 	router.Mount(types.WEBHOOK_URL_PREFIX, handler.serveWebhooks())
 
-	server.ssoAuth.RegisterRoutes(router) // register SSO routes
+	server.oAuthManager.RegisterRoutes(router) // register OAuth routes
+	server.samlManager.RegisterRoutes(router)  // register SAML routes
 
 	router.HandleFunc("/*", handler.callApp)
 	router.HandleFunc("/testperf", func(w http.ResponseWriter, r *http.Request) {