From: Julien BLAIS <webmaster@jbsky.fr>
To: pve-devel@lists.proxmox.com
Cc: Julien BLAIS <webmaster@jbsky.fr>
Subject: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2
Date: Thu, 27 May 2021 23:55:11 +0200 [thread overview]
Message-ID: <20210527215511.28243-1-webmaster@jbsky.fr> (raw)
Added a new endpoint usable by api2/html/access/saml?realm=$DOM
which allows to initiate a redirection to an IdP.
During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME
Modification of the endpoint /access/ticket to support SAMLResponse.
The information is extracted from the SAMLResponse variable in order to check
if the SAML_REQUEST_ID exists in /etc/pve/tmp/saml, we extract from this file the REALM used to initiate the SSO connection.
For the initialization and authentication part, I rely on the work available in the github repository by trying to apply the best recommendations.
The TIME part of each record is tested with the time() function to ensure that each record does not exceed $timeout
Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
src/PVE/API2/AccessControl.pm | 73 +++++++++-
src/PVE/AccessControl.pm | 2 +
src/PVE/Auth/Makefile | 1 +
src/PVE/Auth/SAML.pm | 248 ++++++++++++++++++++++++++++++++++
4 files changed, 322 insertions(+), 2 deletions(-)
create mode 100644 src/PVE/Auth/SAML.pm
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index a77694b..bd660c3 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -20,6 +20,7 @@ use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::Auth::Plugin;
+use PVE::Auth::SAML;
use PVE::OTP;
use PVE::Tools;
@@ -243,6 +244,7 @@ __PACKAGE__->register_method ({
username => {
description => "User name",
type => 'string',
+ optional => 1,
maxLength => 64,
completion => \&PVE::AccessControl::complete_username,
},
@@ -254,6 +256,7 @@ __PACKAGE__->register_method ({
password => {
description => "The secret password. This can also be a valid ticket.",
type => 'string',
+ optional => 1,
},
otp => {
description => "One-time password for Two-factor authentication.",
@@ -274,6 +277,11 @@ __PACKAGE__->register_method ({
optional => 1,
maxLength => 64,
},
+ SAMLResponse => {
+ description => "SAMLResponse.",
+ type => 'string',
+ optional => 1,
+ },
}
},
returns => {
@@ -289,8 +297,21 @@ __PACKAGE__->register_method ({
code => sub {
my ($param) = @_;
- my $username = $param->{username};
- $username .= "\@$param->{realm}" if $param->{realm};
+ my $username;
+ if(defined($param->{username})){
+ $username = $param->{username};
+ $username .= "\@$param->{realm}" if $param->{realm};
+ }
+ elsif(defined($param->{SAMLResponse})) {
+ my $realm = PVE::Auth::SAML->get_realm($param->{SAMLResponse});
+ $username = PVE::Auth::SAML->get_username($param->{SAMLResponse})."\@$realm" if $realm;
+
+ # Prepare for PVE::Auth::SAML->authenticate_user()
+ $param->{password}=$param->{SAMLResponse};
+ }
+ else {
+ die PVE::Exception->new("authentication failure\n", code => 401);
+ }
$username = PVE::AccessControl::lookup_username($username);
my $rpcenv = PVE::RPCEnvironment::get();
@@ -719,4 +740,52 @@ __PACKAGE__->register_method({
return $res;
}});
+__PACKAGE__->register_method ({
+ name => 'get_saml',
+ path => 'saml',
+ method => 'GET',
+ permissions => { user => 'world' },
+ protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to create tickets
+ description => "Init saml redirect to a login page.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ realm => {
+ type => 'string',
+ description => "You must pass the realm using in this parameter.",
+ }
+ }
+ },
+ returns => {
+ type => "object",
+ properties => {
+ url => { type => 'string' },
+ realm => { type => 'string'}
+ }
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $domain_cfg = cfs_read_file('domains.cfg');
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $url = "";
+
+ eval {
+ $url = PVE::Auth::SAML->init_redirect($domain_cfg->{ids}->{$param->{realm}},$param->{realm});
+ };
+
+ if (my $err = $@) {
+ my $clientip = $rpcenv->get_client_ip() || '';
+ syslog('err', "Init saml redirect to a login page; rhost=$clientip msg=$err");
+ die PVE::Exception->new("authentication failure\n", code => 401);
+ }
+
+ die PVE::Exception->new("authentication failure '$url'\n", code => 401) if ( $url eq "" );
+
+ return { realm => $param->{realm}, url => $url };
+ }});
+
1;
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..61bc680 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -22,6 +22,7 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Auth::Plugin;
use PVE::Auth::AD;
use PVE::Auth::LDAP;
+use PVE::Auth::SAML;
use PVE::Auth::PVE;
use PVE::Auth::PAM;
@@ -29,6 +30,7 @@ use PVE::Auth::PAM;
PVE::Auth::AD->register();
PVE::Auth::LDAP->register();
+PVE::Auth::SAML->register();
PVE::Auth::PVE->register();
PVE::Auth::PAM->register();
PVE::Auth::Plugin->init();
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..8a4688e 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -3,6 +3,7 @@ AUTH_SOURCES= \
Plugin.pm \
PVE.pm \
PAM.pm \
+ SAML.pm \
AD.pm \
LDAP.pm
diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
new file mode 100644
index 0000000..4653cb7
--- /dev/null
+++ b/src/PVE/Auth/SAML.pm
@@ -0,0 +1,248 @@
+# Instructions for installation :
+# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
+# cpanm Net::SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2
+
+package PVE::Auth::SAML;
+use POSIX;
+
+# base64 decode
+use MIME::Base64;
+
+use strict;
+use warnings;
+
+use Net::SAML2::IdP;
+use Net::SAML2::Protocol::Assertion;
+use Net::SAML2::Protocol::AuthnRequest;
+use Net::SAML2::Binding::Redirect;
+use PVE::JSONSchema;
+use PVE::Tools;
+use PVE::Auth::Plugin;
+
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+my $samlrequestfile = 'tmp/saml';
+my $timeout = 60;
+
+cfs_register_file(
+ $samlrequestfile,
+ \&parse_saml_request,
+ \&write_saml_request);
+
+sub parse_saml_request {
+ my ($filename, $raw) = @_;
+
+ my $requests = {};
+
+ return $requests if !defined($raw);
+
+ while ($raw =~ /^\s*(.+?)\s*$/gm) {
+ my $line = $1;
+
+ if ($line !~ m/^\S+:\S+:\S+:$/) {
+ warn "saml request: ignore invalid line $.\n";
+ next;
+ }
+
+ my ($realm, $request, $time) = split (/:/, $line);
+ $requests->{realm}->{$realm}->{request}->{$request}->{time} = $time;
+ }
+
+ return $requests;
+}
+
+sub write_saml_request{
+ my ($filename, $saml_requests) = @_;
+
+ my $data='';
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+ $data .= "$realm:$saml_request:".$saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time}.":\n";
+ }
+ }
+ }
+ return $data;
+}
+
+sub lock_saml_request {
+ my ($code, $errmsg) = @_;
+
+ cfs_lock_file($samlrequestfile, undef, $code);
+ my $err = $@;
+ if ($err) {
+ $errmsg ? die "$errmsg: $err" : die $err;
+ }
+}
+
+sub type {
+ return 'saml';
+}
+
+sub check_saml_request {
+ my ($request_id) = @_;
+
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ my $found;
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+ if ($request_id eq $saml_request){
+ $found = $saml_request;
+ delete_request($realm, $saml_request);
+ }
+ }
+ else {
+ delete_request($realm, $saml_request);
+ }
+ }
+ }
+ return $found;
+}
+
+sub properties {
+ return {
+ Identity_Provider_Entity_ID => {
+ description => "Set the entity ID of the upstream identity provider."
+ . "This will be provided by your IdP.",
+ type => 'string',
+ },
+ Identity_Provider_Url_Metadata => {
+ description => "Set the metadata Url of the identity provider.",
+ type => 'string',
+ },
+ # TODO how to add a CAcert content instead of path?
+ Identity_Provider_x509_CA_Certificate => {
+ description => "Paste the x509 CA certificate data from the"
+ . "upstream identity provider. In most cases,"
+ . "this will be provided by your IdP.",
+ type => 'string',
+ },
+ # TODO how to add a private key content instead of path?
+ Service_Provider_Private_Key => {
+ description => "Paste the Private key.",
+ type => 'string',
+ },
+ Service_Provider_Entity_ID => {
+ description => "Displays the service provider's entity ID."
+ . "This is the entity ID you will need to provide to your IdP.",
+ type => 'string',
+ }
+ };
+}
+
+sub options {
+ return {
+ Identity_Provider_Url_Metadata => {},
+ Identity_Provider_x509_CA_Certificate => {},
+ Identity_Provider_Entity_ID => {},
+ Service_Provider_Entity_ID => {},
+ Service_Provider_Private_Key => {},
+ comment => { optional => 1 },
+ default => { optional => 1 },
+ };
+}
+
+# used by GET SAML
+# Init a redirect and return Url
+sub init_redirect {
+ my ($class, $config, $realm) = @_;
+
+ my $url = $config->{Identity_Provider_Url_Metadata};
+ my $cacert = $config->{Identity_Provider_x509_CA_Certificate};
+ my $samlkey = $config->{Service_Provider_Private_Key};
+
+ my $idp = Net::SAML2::IdP->new_from_url(
+ url => $url,
+ cacert => $cacert
+ );
+ my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
+ issuer => $config->{Service_Provider_Entity_ID},
+ destination => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+ provider_name => $config->{Identity_Provider_Entity_ID},
+ );
+
+ # Here, we need to store saml request id and check it on return from the IdP POST
+ # Is there a way to associate this saml request id with the session?
+ # If yes => TODO
+ lock_saml_request(sub {
+ my $requestfile = cfs_read_file($samlrequestfile);
+ $requestfile->{realm}->{$realm}->{request}->{$authnreq->id}->{time} = time();
+ cfs_write_file($samlrequestfile, $requestfile);
+ });
+
+ my $redirect = Net::SAML2::Binding::Redirect->new(
+ key => $samlkey,
+ cert => $idp->cert('signing'),
+ param => 'SAMLRequest',
+ # The ssl_url destination for redirect
+ url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+ );
+
+ return $redirect->sign($authnreq->as_xml);
+}
+
+sub get_username {
+ my ($class, $SAMLResponse) = @_;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ return $assertion->{nameid};
+}
+
+# TODO get saml_request_id from cookie instead of $SAMLResponse
+sub get_realm {
+ my ($class, $SAMLResponse) = @_;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if ($assertion->{in_response_to} eq $saml_request) {
+ return $realm;
+ }
+ }
+ }
+ return undef;
+}
+
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $SAMLResponse) = @_;
+
+ my $valid = 0;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ my $issuer = $config->{Service_Provider_Entity_ID};
+
+ if (check_saml_request($assertion->{in_response_to})) {
+ $valid = $assertion->valid($issuer, $assertion->{in_response_to});
+ }
+
+ die 'saml login failed!' if ($valid != '1');
+
+ return 1;
+}
+
+sub delete_request {
+ my ($realm, $request) = @_;
+
+ lock_saml_request(sub {
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ delete $saml_requests->{realm}->{$realm}->{request}->{$request};
+ cfs_write_file($samlrequestfile, $saml_requests);
+ });
+}
+
+1;
--
2.20.1
next reply other threads:[~2021-05-27 21:57 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-27 21:55 Julien BLAIS [this message]
2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-cluster] " Julien BLAIS
2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-http-server] " Julien BLAIS
2021-05-27 21:55 ` [pve-devel] [PATCH container] [PATCH pve-manager] " Julien BLAIS
2021-05-28 7:38 ` [pve-devel] [PATCH] [PATCH pve-access-control] " Thomas Lamprecht
2021-05-28 12:11 ` [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature: loginwith SAMLv2 wb
2021-06-01 8:12 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Dietmar Maurer
2021-06-01 9:04 Dietmar Maurer
2021-06-02 10:48 [pve-devel] RE : RE : [PATCH] [PATCH pve-access-control] SSO feature:login " Dietmar Maurer
2021-06-03 8:24 ` [pve-devel] " Victor Hooi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210527215511.28243-1-webmaster@jbsky.fr \
--to=webmaster@jbsky.fr \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal