forked from casdoor/casdoor
181 lines
4.8 KiB
Go
181 lines
4.8 KiB
Go
// Copyright 2021 The Casdoor Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package object
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"net/url"
|
|
|
|
"github.com/casdoor/casdoor/i18n"
|
|
"github.com/casdoor/casdoor/idp"
|
|
"github.com/mitchellh/mapstructure"
|
|
saml2 "github.com/russellhaering/gosaml2"
|
|
dsig "github.com/russellhaering/goxmldsig"
|
|
)
|
|
|
|
func ParseSamlResponse(samlResponse string, provider *Provider, host string) (*idp.UserInfo, error) {
|
|
samlResponse, _ = url.QueryUnescape(samlResponse)
|
|
sp, err := buildSp(provider, samlResponse, host)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
assertionInfo, err := sp.RetrieveAssertionInfo(samlResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userInfoMap := make(map[string]string)
|
|
for spAttr, idpAttr := range provider.UserMapping {
|
|
for _, attr := range assertionInfo.Values {
|
|
if attr.Name == idpAttr {
|
|
userInfoMap[spAttr] = attr.Values[0].Value
|
|
}
|
|
}
|
|
}
|
|
userInfoMap["id"] = assertionInfo.NameID
|
|
|
|
customUserInfo := &idp.CustomUserInfo{}
|
|
err = mapstructure.Decode(userInfoMap, customUserInfo)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userInfo := &idp.UserInfo{
|
|
Id: customUserInfo.Id,
|
|
Username: customUserInfo.Username,
|
|
DisplayName: customUserInfo.DisplayName,
|
|
Email: customUserInfo.Email,
|
|
AvatarUrl: customUserInfo.AvatarUrl,
|
|
}
|
|
|
|
// Fallback: if Username is empty, use Email or NameID
|
|
if userInfo.Username == "" {
|
|
if userInfo.Email != "" {
|
|
userInfo.Username = userInfo.Email
|
|
} else if userInfo.Id != "" {
|
|
userInfo.Username = userInfo.Id
|
|
}
|
|
}
|
|
|
|
return userInfo, err
|
|
}
|
|
|
|
func GenerateSamlRequest(id, relayState, host, lang string) (auth string, method string, err error) {
|
|
provider, err := GetProvider(id)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
if provider.Category != "SAML" {
|
|
return "", "", fmt.Errorf(i18n.Translate(lang, "saml_sp:provider %s's category is not SAML"), provider.Name)
|
|
}
|
|
|
|
sp, err := buildSp(provider, "", host)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
|
|
if provider.EnableSignAuthnRequest {
|
|
post, err := sp.BuildAuthBodyPost(relayState)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
auth = string(post[:])
|
|
method = "POST"
|
|
} else {
|
|
auth, err = sp.BuildAuthURL(relayState)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
method = "GET"
|
|
}
|
|
return auth, method, nil
|
|
}
|
|
|
|
func buildSp(provider *Provider, samlResponse string, host string) (*saml2.SAMLServiceProvider, error) {
|
|
_, origin := getOriginFromHost(host)
|
|
|
|
certStore, err := buildSpCertificateStore(provider)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
sp := &saml2.SAMLServiceProvider{
|
|
ServiceProviderIssuer: fmt.Sprintf("%s/api/acs", origin),
|
|
AssertionConsumerServiceURL: fmt.Sprintf("%s/api/acs", origin),
|
|
SignAuthnRequests: false,
|
|
IDPCertificateStore: &certStore,
|
|
SPKeyStore: dsig.RandomKeyStoreForTest(),
|
|
}
|
|
|
|
if provider.Endpoint != "" {
|
|
sp.IdentityProviderSSOURL = provider.Endpoint
|
|
sp.IdentityProviderIssuer = provider.IssuerUrl
|
|
}
|
|
if provider.EnableSignAuthnRequest {
|
|
sp.SignAuthnRequests = true
|
|
sp.SPKeyStore, err = buildSpKeyStore()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return sp, nil
|
|
}
|
|
|
|
func buildSpKeyStore() (dsig.X509KeyStore, error) {
|
|
keyPair, err := tls.LoadX509KeyPair("object/token_jwt_key.pem", "object/token_jwt_key.key")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &dsig.TLSCertKeyStore{
|
|
PrivateKey: keyPair.PrivateKey,
|
|
Certificate: keyPair.Certificate,
|
|
}, nil
|
|
}
|
|
|
|
func buildSpCertificateStore(provider *Provider) (certStore dsig.MemoryX509CertificateStore, err error) {
|
|
certEncodedData := provider.IdP
|
|
if certEncodedData == "" {
|
|
return dsig.MemoryX509CertificateStore{}, fmt.Errorf("the IdP certificate of provider: %s is empty", provider.Name)
|
|
}
|
|
|
|
var certData []byte
|
|
block, _ := pem.Decode([]byte(certEncodedData))
|
|
if block != nil {
|
|
// this was a PEM file
|
|
// block.Bytes are DER encoded so the following code block should happily accept it
|
|
certData = block.Bytes
|
|
} else {
|
|
certData, err = base64.StdEncoding.DecodeString(certEncodedData)
|
|
if err != nil {
|
|
return dsig.MemoryX509CertificateStore{}, err
|
|
}
|
|
}
|
|
|
|
idpCert, err := x509.ParseCertificate(certData)
|
|
if err != nil {
|
|
return dsig.MemoryX509CertificateStore{}, err
|
|
}
|
|
|
|
certStore = dsig.MemoryX509CertificateStore{
|
|
Roots: []*x509.Certificate{idpCert},
|
|
}
|
|
return certStore, nil
|
|
}
|