SAML SLO support #45379

Open
wants to merge 33 commits into
base: release/v2.9
33 commits
7e43cbf
extended auth provider types with flags for logout all support, i.e. …
andreas-kupries May 6, 2024
61786ce
feat: global logout interceptor callback
andreas-kupries Apr 5, 2024
a6f0065
log handling in saml, compiles, untested
andreas-kupries May 6, 2024
2314c29
link saml logout handler/backend with token manager frontend, via the…
andreas-kupries Apr 5, 2024
94eced4
added guards against UI misbehaviour
andreas-kupries May 6, 2024
77e4440
lots more debug lines - most to be removed before final
andreas-kupries Jun 6, 2024
05b94da
ditto
andreas-kupries Jun 6, 2024
f615a8f
bug fix - register the new structures with the norman framework to e…
andreas-kupries Jun 6, 2024
34f88f8
fix: missing handling of SLO responses.
andreas-kupries Jun 7, 2024
6a03770
fixup, forgot to change logout error url
andreas-kupries Jun 7, 2024
f5550f4
drop unneeded traces
andreas-kupries Jun 7, 2024
dc856a8
trace finalize, and saml server
andreas-kupries Jun 7, 2024
c464549
inject slo support flag into the initial authconfigs
andreas-kupries Jun 7, 2024
a9632c8
report errors which are not `invalid response` too
andreas-kupries Jun 7, 2024
e2faec8
disable error handling preventing completion of flow for UI to be able…
andreas-kupries Jun 7, 2024
9ad4398
main fixup - translate rancher user to idp user via user attributes
andreas-kupries Jun 11, 2024
985b11c
go mod tidy
andreas-kupries Jun 12, 2024
11ba86a
tracing galore
andreas-kupries Jun 12, 2024
f00f784
eXXXperimental - set up a haering SP concurrent to crewjam sp, plan i…
andreas-kupries Jun 17, 2024
a17ac6f
fixup of hearing SP setup
andreas-kupries Jun 17, 2024
d671c96
draft step 3/4 processing
andreas-kupries Jun 17, 2024
26f2fce
rework 3/4 processing ...
andreas-kupries Jun 17, 2024
77a0e83
fix: extended flow state storage with ability to set the cookie path.
andreas-kupries Jun 18, 2024
eb895e8
continued cookie path: set proper paths wherever we have state setup
andreas-kupries Jun 18, 2024
9e06fe1
cleanup of SLO processing. it is step 5, with a GET.
andreas-kupries Jun 18, 2024
c8167fd
chore: moved use of haering from experimental to required
andreas-kupries Jun 18, 2024
84987a8
properly separate get/post for the /slo endpoint in the mux
andreas-kupries Jun 19, 2024
7cdc5fd
added request signing - applies only to logout requests
andreas-kupries Jun 19, 2024
4087d68
dropped haering/gosaml2 validation - failed to verify response signat…
andreas-kupries Jun 19, 2024
e94a252
disable haering SP setup hack.
andreas-kupries Jun 20, 2024
b27a254
facepalm - fixup
andreas-kupries Jun 20, 2024
ae6e9ce
fixup - dammit, where is my mind?
andreas-kupries Jun 20, 2024
88183bb
eliminate haering again, completely
andreas-kupries Jun 20, 2024
7 changes: 4 additions & 3 deletions go.mod
Expand Up @@ -261,6 +261,7 @@ require (
github.com/proglottis/gpgme v0.1.3 // indirect
github.com/rancher/wrangler v1.1.2 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/russellhaering/gosaml2 v0.9.1 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/sigstore/fulcio v1.4.3 // indirect
github.com/sigstore/rekor v1.2.2 // indirect
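Review bot: `github.com/russellhaering/gosaml2 v0.9.1 // indirect` is added here even though commit 88183bb ("eliminate haering again, completely") says the gosaml2 service provider was removed from the code; if nothing in the module imports it any more, `go mod tidy` should drop this line together with the matching go.sum entries, so please confirm it is still a genuine transitive dependency before merging.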
Expand Down Expand Up @@ -313,7 +314,7 @@ require (
github.com/adrg/xdg v0.4.0 // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/beevik/etree v1.1.0 // indirect
github.com/beevik/etree v1.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
Expand Down Expand Up @@ -366,7 +367,7 @@ require (
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/jonboulle/clockwork v0.2.2 // indirect
github.com/jonboulle/clockwork v0.3.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.7 // indirect
Expand Down Expand Up @@ -411,7 +412,7 @@ require (
github.com/rogpeppe/go-internal v1.12.0 // indirect
github.com/rs/xid v1.2.1 // indirect
github.com/rubenv/sql-migrate v1.5.2 // indirect
github.com/russellhaering/goxmldsig v1.3.0 // indirect
github.com/russellhaering/goxmldsig v1.4.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/spf13/cast v1.5.1 // indirect
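Review bot: the `goxmldsig` bump from v1.3.0 to v1.4.0 changes the XML-DSig implementation that checks signatures on SAML messages, which this PR now also leans on for signed logout requests (commit 7cdc5fd); the PR description should state why the bump is needed and whether any signature-validation behaviour changed between the two versions.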
11 changes: 8 additions & 3 deletions go.sum
Expand Up @@ -925,8 +925,9 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 h1:69tpbPED7jKPyzMcrwSvhWcJ9bP
github.com/aws/aws-sdk-go-v2/service/sts v1.28.10/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws=
github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
github.com/beevik/etree v1.2.0/go.mod h1:aiPf89g/1k3AShMVAzriilpcE4R/Vuor90y83zVZWFc=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
Expand Down Expand Up @@ -1507,8 +1508,9 @@ github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
Expand Down Expand Up @@ -1918,8 +1920,11 @@ github.com/rs/xid v1.2.1 h1:mhH9Nq+C1fY2l1XIpgxIiUOfNpRBYH1kKcr+qfKgjRc=
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0=
github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is=
github.com/russellhaering/goxmldsig v1.3.0 h1:DllIWUgMy0cRUMfGiASiYEa35nsieyD3cigIwLonTPM=
github.com/russellhaering/gosaml2 v0.9.1 h1:H/whrl8NuSoxyW46Ww5lKPskm+5K+qYLw9afqJ/Zef0=
github.com/russellhaering/gosaml2 v0.9.1/go.mod h1:ja+qgbayxm+0mxBRLMSUuX3COqy+sb0RRhIGun/W2kc=
github.com/russellhaering/goxmldsig v1.3.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
11 changes: 11 additions & 0 deletions pkg/apis/management.cattle.io/v3/authn_types.go
Expand Up @@ -177,6 +177,7 @@ type AuthConfig struct {
Enabled bool `json:"enabled,omitempty"`
AccessMode string `json:"accessMode,omitempty" norman:"required,notnullable,type=enum,options=required|restricted|unrestricted"`
AllowedPrincipalIDs []string `json:"allowedPrincipalIds,omitempty" norman:"type=array[reference[principal]]"`
LogoutAllSupported bool `json:"logoutAllSupported,omitempty"`
Status AuthConfigStatus `json:"status"`
}
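Review bot: `LogoutAllSupported` has no doc comment and no `norman` tag, unlike the neighbouring fields; since `addAuthConfig` in pkg/auth/data/authconfig_data.go sets it from a per-provider constant rather than from user input, document it as a server-derived capability flag and mark it read-only in the schema the way other derived fields are, so API clients cannot flip it on a provider that has no SLO implementation.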

Expand Down Expand Up @@ -404,6 +405,8 @@ type FreeIpaTestAndApplyInput struct {
type SamlConfig struct {
AuthConfig `json:",inline" mapstructure:",squash"`

LogoutAllEnabled bool `json:"logoutAllEnabled,omitempty"`
LogoutAllForced bool `json:"logoutAllForced,omitempty"`
IDPMetadataContent string `json:"idpMetadataContent" norman:"required"`
SpCert string `json:"spCert" norman:"required"`
SpKey string `json:"spKey" norman:"required,type=password"`
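Review bot: `LogoutAllEnabled` and `LogoutAllForced` need doc comments explaining how they interact (what happens when `LogoutAllForced` is set but `LogoutAllEnabled` is not, and whether "forced" means the user cannot opt out of the IdP logout); as written a reader cannot tell, and together with `AuthConfig.LogoutAllSupported` from the hunk above there are now three similarly named booleans with no stated precedence.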
Expand All @@ -423,6 +426,14 @@ type SamlConfigTestOutput struct {
IdpRedirectURL string `json:"idpRedirectUrl"`
}

type SamlConfigLogoutInput struct {
FinalRedirectURL string `json:"finalRedirectUrl"`
}

type SamlConfigLogoutOutput struct {
IdpRedirectURL string `json:"idpRedirectUrl"`
}

type PingConfig struct {
SamlConfig `json:",inline" mapstructure:",squash"`
}
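Review bot: `SamlConfigLogoutInput.FinalRedirectURL` is a caller-supplied redirect target, so it should be validated (or restricted to Rancher's own origin) before the logout action stores it in client state and later follows it, matching whatever the login action does with its own `FinalRedirectURL`; both new types also need doc comments saying which action consumes them.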
32 changes: 32 additions & 0 deletions pkg/apis/management.cattle.io/v3/zz_generated_deepcopy.go


37 changes: 19 additions & 18 deletions pkg/auth/data/authconfig_data.go
Expand Up @@ -20,66 +20,66 @@ import (
)

func AuthConfigs(management *config.ManagementContext) error {
if err := addAuthConfig(github.Name, client.GithubConfigType, false, management); err != nil {
if err := addAuthConfig(github.Name, client.GithubConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(activedirectory.Name, client.ActiveDirectoryConfigType, false, management); err != nil {
if err := addAuthConfig(activedirectory.Name, client.ActiveDirectoryConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(azure.Name, client.AzureADConfigType, false, management); err != nil {
if err := addAuthConfig(azure.Name, client.AzureADConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(ldap.OpenLdapName, client.OpenLdapConfigType, false, management); err != nil {
if err := addAuthConfig(ldap.OpenLdapName, client.OpenLdapConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(ldap.FreeIpaName, client.FreeIpaConfigType, false, management); err != nil {
if err := addAuthConfig(ldap.FreeIpaName, client.FreeIpaConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(saml.PingName, client.PingConfigType, false, management); err != nil {
if err := addAuthConfig(saml.PingName, client.PingConfigType, false, true, management); err != nil {
return err
}

if err := addAuthConfig(saml.ADFSName, client.ADFSConfigType, false, management); err != nil {
if err := addAuthConfig(saml.ADFSName, client.ADFSConfigType, false, true, management); err != nil {
return err
}

if err := addAuthConfig(saml.KeyCloakName, client.KeyCloakConfigType, false, management); err != nil {
if err := addAuthConfig(saml.KeyCloakName, client.KeyCloakConfigType, false, true, management); err != nil {
return err
}

if err := addAuthConfig(saml.OKTAName, client.OKTAConfigType, false, management); err != nil {
if err := addAuthConfig(saml.OKTAName, client.OKTAConfigType, false, true, management); err != nil {
return err
}

if err := addAuthConfig(saml.ShibbolethName, client.ShibbolethConfigType, false, management); err != nil {
if err := addAuthConfig(saml.ShibbolethName, client.ShibbolethConfigType, false, true, management); err != nil {
return err
}

if err := addAuthConfig(googleoauth.Name, client.GoogleOauthConfigType, false, management); err != nil {
if err := addAuthConfig(googleoauth.Name, client.GoogleOauthConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(oidc.Name, client.OIDCConfigType, false, management); err != nil {
if err := addAuthConfig(oidc.Name, client.OIDCConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(keycloakoidc.Name, client.KeyCloakOIDCConfigType, false, management); err != nil {
if err := addAuthConfig(keycloakoidc.Name, client.KeyCloakOIDCConfigType, false, false, management); err != nil {
return err
}

if err := addAuthConfig(genericoidc.Name, client.GenericOIDCConfigType, false, management); err != nil {
if err := addAuthConfig(genericoidc.Name, client.GenericOIDCConfigType, false, false, management); err != nil {
return err
}

return addAuthConfig(localprovider.Name, client.LocalConfigType, true, management)
return addAuthConfig(localprovider.Name, client.LocalConfigType, true, false, management)
}

func addAuthConfig(name, aType string, enabled bool, management *config.ManagementContext) error {
func addAuthConfig(name, aType string, enabled, sloSupported bool, management *config.ManagementContext) error {
annotations := make(map[string]string)
if name == azure.Name {
annotations[azure.GraphEndpointMigratedAnnotation] = "true"
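Review bot: the new `sloSupported` parameter sits next to `enabled` as a second positional bool, so call sites now read `false, true, management` and a transposed pair compiles silently; since the value is true for exactly the five SAML providers, deriving it from the provider name (for example a hypothetical `saml.SupportsLogoutAll(name)` helper) or passing an options struct would remove the repetition and the chance of a swap.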
Expand All @@ -91,8 +91,9 @@ func addAuthConfig(name, aType string, enabled bool, management *config.Manageme
Name: name,
Annotations: annotations,
},
Type: aType,
Enabled: enabled,
Type: aType,
Enabled: enabled,
LogoutAllSupported: sloSupported,
})
if err != nil && !apierrors.IsAlreadyExists(err) {
return err
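Review bot: `LogoutAllSupported: sloSupported` is only applied on the create path, and the `apierrors.IsAlreadyExists(err)` check below swallows the conflict, so on an upgraded installation where the AuthConfig objects already exist the SAML providers will keep `logoutAllSupported: false` and the UI will never offer SLO; add an update (or get-then-patch) of the existing object to set the flag, or handle it in a migration.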
3 changes: 3 additions & 0 deletions pkg/auth/providers/providers.go
Expand Up @@ -53,6 +53,9 @@ func Configure(ctx context.Context, mgmt *config.ScaledContext) {
defer confMu.Unlock()
userMGR := mgmt.UserManager
tokenMGR := tokens.NewManager(ctx, mgmt)

tokens.OnLogoutAll(saml.PerformSamlLogout)

var p common.AuthProvider

p = local.Configure(ctx, mgmt, tokenMGR)
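Review bot: `tokens.OnLogoutAll(saml.PerformSamlLogout)` registers one global callback regardless of which provider is enabled, and `Configure` runs under `confMu`, which suggests it can be invoked more than once; please confirm that `OnLogoutAll` replaces rather than appends the callback, and that `PerformSamlLogout` is a no-op when the active provider is not SAML, otherwise a non-SAML logout could be routed through SAML code.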
5 changes: 5 additions & 0 deletions pkg/auth/providers/saml/saml_actions.go
Expand Up @@ -59,10 +59,15 @@ func (s *Provider) testAndEnable(actionName string, action *types.Action, reques
}

logrus.Debugf("SAML [testAndEnable]: Setting clientState for SAML service provider %v", s.name)

finalRedirectURL := samlLogin.FinalRedirectURL
logrus.Debugf("SAML [testAndEnable]: Final redirect will be (%v)", finalRedirectURL)

provider.clientState.SetPath(provider.serviceProvider.AcsURL.Path)
provider.clientState.SetState(request.Response, request.Request, "Rancher_UserID", provider.userMGR.GetUser(request))
provider.clientState.SetState(request.Response, request.Request, "Rancher_FinalRedirectURL", finalRedirectURL)
provider.clientState.SetState(request.Response, request.Request, "Rancher_Action", testAndEnableAction)

idpRedirectURL, err := provider.HandleSamlLogin(request.Response, request.Request)
if err != nil {
return err
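Review bot: `provider.clientState.SetPath(provider.serviceProvider.AcsURL.Path)` scopes the state cookie to the ACS path, which is the right tightening for the login leg, but the SLO flow completes on the separate /slo endpoint (commit 84987a8), so its state must be set with that path or the cookie will not be presented there; also the `Final redirect will be (%v)` debug line logs a caller-supplied URL and is one of the traces commit 77e4440 flags for removal before final.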