forked from Shiloh/githaven
5bb8d1924d
Closes https://github.com/go-gitea/gitea/issues/5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
90 lines
2.6 KiB
Go
90 lines
2.6 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package saml
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/markbates/goth"
|
|
)
|
|
|
|
// Callout redirects request/response pair to authenticate against the provider
|
|
func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {
|
|
samlRWMutex.RLock()
|
|
defer samlRWMutex.RUnlock()
|
|
if _, ok := providers[source.authSource.Name]; !ok {
|
|
return fmt.Errorf("no provider for this saml")
|
|
}
|
|
|
|
authURL, err := providers[source.authSource.Name].samlSP.BuildAuthURL("")
|
|
if err == nil {
|
|
http.Redirect(response, request, authURL, http.StatusTemporaryRedirect)
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Callback handles SAML callback, resolve to a goth user and send back to original url
|
|
// this will trigger a new authentication request, but because we save it in the session we can use that
|
|
func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {
|
|
samlRWMutex.RLock()
|
|
defer samlRWMutex.RUnlock()
|
|
|
|
user := goth.User{
|
|
Provider: source.authSource.Name,
|
|
}
|
|
samlResponse := request.FormValue("SAMLResponse")
|
|
assertions, err := source.samlSP.RetrieveAssertionInfo(samlResponse)
|
|
if err != nil {
|
|
return user, err
|
|
}
|
|
|
|
if assertions.WarningInfo.OneTimeUse {
|
|
return user, fmt.Errorf("SAML response contains one time use warning")
|
|
}
|
|
|
|
if assertions.WarningInfo.ProxyRestriction != nil {
|
|
return user, fmt.Errorf("SAML response contains proxy restriction warning: %v", assertions.WarningInfo.ProxyRestriction)
|
|
}
|
|
|
|
if assertions.WarningInfo.NotInAudience {
|
|
return user, fmt.Errorf("SAML response contains audience warning")
|
|
}
|
|
|
|
if assertions.WarningInfo.InvalidTime {
|
|
return user, fmt.Errorf("SAML response contains invalid time warning")
|
|
}
|
|
|
|
samlMap := make(map[string]string)
|
|
for key, value := range assertions.Values {
|
|
keyParsed := strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.
|
|
valueParsed := value.Values[0].Value
|
|
samlMap[keyParsed] = valueParsed
|
|
|
|
}
|
|
|
|
user.UserID = assertions.NameID
|
|
if user.UserID == "" {
|
|
return user, fmt.Errorf("no nameID found in SAML response")
|
|
}
|
|
|
|
// email
|
|
if _, ok := samlMap[source.EmailAssertionKey]; !ok {
|
|
user.Email = samlMap[source.EmailAssertionKey]
|
|
}
|
|
// name
|
|
if _, ok := samlMap[source.NameAssertionKey]; !ok {
|
|
user.NickName = samlMap[source.NameAssertionKey]
|
|
}
|
|
// username
|
|
if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
|
|
user.Name = samlMap[source.UsernameAssertionKey]
|
|
}
|
|
|
|
// TODO: utilize groups once mapping is supported
|
|
|
|
return user, nil
|
|
}
|