Support anonymous access prior to login request (#63)
Showing
14 changed files
with
321 additions
and
73 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
/*metadata.xml | ||
/*.cert | ||
/*.key | ||
*.cert | ||
*.key | ||
|
||
/dist/ | ||
/saml-auth-proxy | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
FROM golang:1.18-alpine3.16 AS builder | ||
FROM golang:1.20-alpine3.16 AS builder | ||
|
||
WORKDIR /app | ||
COPY . /app | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
package server | ||
|
||
import ( | ||
"errors" | ||
"github.com/crewjam/saml" | ||
"github.com/crewjam/saml/samlsp" | ||
"go.uber.org/zap" | ||
"net/http" | ||
) | ||
|
||
type AnonymousSession struct { | ||
} | ||
|
||
func IsAnonymousSession(session samlsp.Session) bool { | ||
_, isAnonymous := session.(AnonymousSession) | ||
return isAnonymous | ||
} | ||
|
||
// InitAnonymousSessionProvider will initially provide AnonymousSession instances when requested; however, | ||
// once the given initiateSessionPath is intercepted, then remaining session access is delegated to the | ||
// given delegateSessionProvider. | ||
type InitAnonymousSessionProvider struct { | ||
delegateSessionProvider samlsp.SessionProvider | ||
initiateSessionPath string | ||
logger *zap.Logger | ||
} | ||
|
||
func NewInitAnonymousSessionProvider(logger *zap.Logger, initiateSessionPath string, delegateSessionProvider samlsp.SessionProvider) *InitAnonymousSessionProvider { | ||
return &InitAnonymousSessionProvider{ | ||
delegateSessionProvider: delegateSessionProvider, | ||
initiateSessionPath: initiateSessionPath, | ||
logger: logger.With(zap.String("scope", "InitAnonymousSessionProvider")), | ||
} | ||
} | ||
|
||
func (p *InitAnonymousSessionProvider) CreateSession(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) error { | ||
return p.delegateSessionProvider.CreateSession(w, r, assertion) | ||
} | ||
|
||
func (p *InitAnonymousSessionProvider) DeleteSession(w http.ResponseWriter, r *http.Request) error { | ||
return p.delegateSessionProvider.DeleteSession(w, r) | ||
} | ||
|
||
func (p *InitAnonymousSessionProvider) GetSession(r *http.Request) (samlsp.Session, error) { | ||
session, err := p.delegateSessionProvider.GetSession(r) | ||
if err != nil { | ||
if errors.Is(err, samlsp.ErrNoSession) { | ||
if r.URL.Path == p.initiateSessionPath { | ||
p.logger.Debug("Intercepted initiate session path", zap.String("path", r.URL.Path)) | ||
return nil, samlsp.ErrNoSession | ||
} | ||
p.logger.Debug("Auth has not been initiated, returning anonymous session", zap.String("path", r.URL.Path)) | ||
return AnonymousSession{}, nil | ||
} else { | ||
return nil, err | ||
} | ||
} else { | ||
return session, nil | ||
} | ||
} |
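Review bot: The doc comment on InitAnonymousSessionProvider describes a one-way transition ("once the given initiateSessionPath is intercepted, then remaining session access is delegated"), but GetSession keeps no state: every request for which the delegate reports samlsp.ErrNoSession receives an AnonymousSession unless r.URL.Path equals initiateSessionPath exactly. The practical effect is that authentication becomes optional on every other path, and a user whose cookie has expired or fails validation is silently downgraded to anonymous instead of being sent back through the SAML flow (assuming the delegate maps those cases to ErrNoSession, as samlsp's cookie provider appears to). Suggested rewording: `// InitAnonymousSessionProvider returns an AnonymousSession for any request without a valid delegate session, except on initiateSessionPath, where ErrNoSession is returned so the SAML auth flow starts. All other paths are therefore reachable unauthenticated; the upstream service must enforce its own authorization, and the proxy handler must not forward identity headers for anonymous requests.` The exact string comparison also means a trailing-slash or percent-encoded variant of the login path is served anonymously rather than starting auth; consider comparing `path.Clean(r.URL.Path)` against a cleaned initiateSessionPath. The code that consumes IsAnonymousSession is outside this hunk, so the header-handling claim above should be confirmed there.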
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
|
||
## Setup | ||
|
||
Create the proxy's cert and key files [like in the README](../../README.md#trying-it-out) | ||
|
||
Bring up the services setting the `BASE_URL` to the publicly resolvable URL of your service: | ||
|
||
```shell | ||
BASE_URL=... docker compose up -d --build | ||
``` | ||
|
||
Export and upload the IDP metadata [like in the README](../../README.md#trying-it-out) | ||
|
||
Access Grafana via the proxy at <http://localhost:8080> | ||
|
||
Login as Rick via `samltest.idp` since the test configures that user as admin. | ||
|
||
Go to the pre-provisioned dashboard at the path `/d/c6f2205a-a683-417f-b177-b916085d5519/public?orgId=1`, [make it public](https://grafana.com/docs/grafana/latest/dashboards/dashboard-public/#make-a-dashboard-public), and copy the public dashboard link. | ||
|
||
Open an incognito tab (or equivalent) and confirm access to the public dashboard without login. Go to some other path like `/` and confirm that you are redirected to login via SAML auth. |