Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2

Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2

[Dietmar Maurer]

I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
to store that on the local file system?

> On 05/27/2021 11:55 PM Julien BLAIS <webmaster@jbsky.fr> wrote:
> 
>  
> Added a new endpoint usable by api2/html/access/saml?realm=$DOM
>   which allows to initiate a redirection to an IdP.
>   During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME
> Modification of the endpoint /access/ticket to support SAMLResponse.
>   The information is extracted from the SAMLResponse variable in order to check
>   if the SAML_REQUEST_ID exists in /etc/pve/tmp/saml, we extract from this file the REALM used to initiate the SSO connection.

Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[Victor Hooi]

Hi,

I'm super excited to see this SSO support come to Proxmox. This is really
awesome stuff!

One question - I wonder if it would be possible to use Google
Workspace/Google Auth as the SAMLv2 IDP?

I'm definitely not an auth expert, but from casual reading, I think it
might be possible via setting up a custom SAML application, per this guide:

https://support.google.com/a/answer/6087519

What do you think?

I went into one of my Google Workspace domains, and tried adding a new
custom SAML app. It then gives you a confirmation page, where you can
download an IdP metadata file (.xml) - excerpted below:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://accounts.google.com/o/saml2?idpid=C02hq58w2" validUntil=
"2026-01-18T05:49:17.000Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDdDCCAlygAwIBAgIGAXcZMLKUMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwMTE5
MDU0OTE3WhcNMjYwMTE4MDU0OTE3WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqXFeh4hdnVNM0NbmrU7DhyZr5fb9l/2s2kohFJgfT2b6nI+3uqLf6eKoQSMfO9Fc
WZaWVIXDD9bFncaGMxeqcNjcSo5TS4jc3x3k5es0Phjf/nJZxCLXWsFFpvLY5LT37aX88sJoAYc6
vPZCOo7t+DO/c/H2Kmx26selDVKHMhQWP3k2UJiPAIF4xT3hglkSgiCkvZBjDNqfTVAkuwt1hNIy
DH7vqriwn+XHgA/kwlTb78IxU55hVC31V6LlnqPGoilsze4ueGFw3MF00RMSZd+sQpXZQ6751OVH
hazyHXS0Rscd4/GTfkKXEHh3/uJlTxlzIkq+76E4m0J6X1U1yQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQAkp4W796dK5r7cYan0MeEYaa9qEquxleiviB4J9s5iM45WUChJNF7pYaML+gdWfLasYb9B
mJqnG1ZsuH7DsDyr2hkVgGZPav23ZX9S4jAW5w+OsMmVm92MOsNocl4P9uM86WcMJy7eiGe2KIre
cSxVfIAsO0hGM7ZZHkH+knjYc6Sq5BnHVtxSGX4a6OlxI56XBpAA22H3egBNGknrglmrVUD2VOCT
z9ePxsPnW+CCzD4gPJJHBdliB2GhN/gYUKwyvXesvd8/TlsntzEpdBctnc83rnfCUF6Rx67Kn54c
FCaLUeQtqtUjHUK5eRCFU9XNc74oR8AvCHqB9owP3Zvs</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</
md:NameIDFormat>
<md:SingleSignOnService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="
https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
<md:SingleSignOnService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

SSO URL - https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2
Entity ID - https://accounts.google.com/o/saml2?idpid=C02hq58w2
Certificate - <ETC>

What do you think - would this work with your integration?

I'm willing to set up a Google Workspace domain for testing, and grant
access to anybody for testing?

Thanks,
Victor

On Wed, Jun 2, 2021 at 8:48 PM Dietmar Maurer <dietmar@proxmox.com> wrote:

>
> > On 06/02/2021 12:16 PM wb <webmaster@jbsky.fr> wrote:
> >
> >
> > > I also wonder why SAML? Would it be an option to use OpenId connect
> instead?
> > As I was able to use SAML, I know the functional part and therefore, if
> I used SAML, it is only by ease.
> >
> > Switch to OpenID, why not. The time I set up a functional POC.
> >
> > On the other hand, I would like to know your constraints.
>
> Sorry, what do you want to know exactly?
>
> > Do you still want to use Rust?
>
> Yes. But I am still searching for usable crates:
>
> openidconnect: https://github.com/ramosbugs/openidconnect-rs
>
> Seems promising, but I have not done any testing so far...
>
> > If yes, I am curious to know how to bind perl to Rust? Do you have an
> example?
>
> https://git.proxmox.com/?p=perlmod.git;a=summary
>
> Hope the inline docs and examples are good enough to start...
>
> > I noticed from our exchange :
> > During an API call, if the user is not authenticated, do not pass in
> private and privileged the writing on /tmp/.
>
> yes, unprivileged users should not be able to write anything.
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>

Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2

[Dietmar Maurer]

Unfortunately, your code depends on code not packaged for Debian. Any idea 
how to replace that (cpanm Net::SAML2)?

Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
for that and reuse the code with Proxmox Backup Server.

Other ideas?

> diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
> new file mode 100644
> index 0000000..4653cb7
> --- /dev/null
> +++ b/src/PVE/Auth/SAML.pm
> @@ -0,0 +1,248 @@
> +# Instructions for installation :
> +# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
> +# cpanm Net::SAML2
> +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
> +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2

Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2

[Thomas Lamprecht]

Hi!

Thanks for sending this as patch series, looks much nicer to review now!

It seems that a signed CLA from you is still missing though, please check out:
https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright

Would be great if you could send one to office@proxmox.com so we can look into this.

Thank you!

- Thomas

[pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2

[Julien BLAIS]

Added a new endpoint usable by api2/html/access/saml?realm=$DOM
  which allows to initiate a redirection to an IdP.
  During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME
Modification of the endpoint /access/ticket to support SAMLResponse.
  The information is extracted from the SAMLResponse variable in order to check
  if the SAML_REQUEST_ID exists in /etc/pve/tmp/saml, we extract from this file the REALM used to initiate the SSO connection.
For the initialization and authentication part, I rely on the work available in the github repository by trying to apply the best recommendations.
  The TIME part of each record is tested with the time() function to ensure that each record does not exceed $timeout

Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
 src/PVE/API2/AccessControl.pm |  73 +++++++++-
 src/PVE/AccessControl.pm      |   2 +
 src/PVE/Auth/Makefile         |   1 +
 src/PVE/Auth/SAML.pm          | 248 ++++++++++++++++++++++++++++++++++
 4 files changed, 322 insertions(+), 2 deletions(-)
 create mode 100644 src/PVE/Auth/SAML.pm

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index a77694b..bd660c3 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -20,6 +20,7 @@ use PVE::API2::Group;
 use PVE::API2::Role;
 use PVE::API2::ACL;
 use PVE::Auth::Plugin;
+use PVE::Auth::SAML;
 use PVE::OTP;
 use PVE::Tools;
 
@@ -243,6 +244,7 @@ __PACKAGE__->register_method ({
 	    username => {
 	        description => "User name",
 	        type => 'string',
+	        optional => 1,
 	        maxLength => 64,
 	        completion => \&PVE::AccessControl::complete_username,
 	    },
@@ -254,6 +256,7 @@ __PACKAGE__->register_method ({
 	    password => {
 		description => "The secret password. This can also be a valid ticket.",
 		type => 'string',
+		optional => 1,
 	    },
 	    otp => {
 		description => "One-time password for Two-factor authentication.",
@@ -274,6 +277,11 @@ __PACKAGE__->register_method ({
 		optional => 1,
 		maxLength => 64,
 	    },
+	    SAMLResponse => {
+		description => "SAMLResponse.",
+		type => 'string',
+		optional => 1,
+	    },
 	}
     },
     returns => {
@@ -289,8 +297,21 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 
-	my $username = $param->{username};
-	$username .= "\@$param->{realm}" if $param->{realm};
+	my $username;
+	if(defined($param->{username})){
+	    $username = $param->{username};
+	    $username .= "\@$param->{realm}" if $param->{realm};
+	}
+	elsif(defined($param->{SAMLResponse})) {
+	    my $realm = PVE::Auth::SAML->get_realm($param->{SAMLResponse});
+	    $username = PVE::Auth::SAML->get_username($param->{SAMLResponse})."\@$realm" if $realm;
+
+	    # Prepare for PVE::Auth::SAML->authenticate_user()
+	    $param->{password}=$param->{SAMLResponse};
+	}
+	else {
+	    die PVE::Exception->new("authentication failure\n", code => 401);
+	}
 
 	$username = PVE::AccessControl::lookup_username($username);
 	my $rpcenv = PVE::RPCEnvironment::get();
@@ -719,4 +740,52 @@ __PACKAGE__->register_method({
 	return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'get_saml',
+    path => 'saml',
+    method => 'GET',
+    permissions => { user => 'world' },
+    protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to create tickets
+    description => "Init saml redirect to a login page.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    realm => {
+		type => 'string',
+		description => "You must pass the realm using in this parameter.",
+	    }
+	}
+    },
+    returns => {
+	type => "object",
+	properties => {
+	    url => { type => 'string' },
+	    realm => { type => 'string'}
+	}
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $domain_cfg = cfs_read_file('domains.cfg');
+
+	my $rpcenv = PVE::RPCEnvironment::get();
+
+	my $url = "";
+
+	eval {
+	    $url = PVE::Auth::SAML->init_redirect($domain_cfg->{ids}->{$param->{realm}},$param->{realm});
+	};
+
+	if (my $err = $@) {
+	    my $clientip = $rpcenv->get_client_ip() || '';
+	    syslog('err', "Init saml redirect to a login page; rhost=$clientip msg=$err");
+	    die PVE::Exception->new("authentication failure\n", code => 401);
+	}
+
+	die PVE::Exception->new("authentication failure '$url'\n", code => 401) if ( $url eq "" );
+
+	return { realm => $param->{realm}, url => $url };
+    }});
+
 1;
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..61bc680 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -22,6 +22,7 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option);
 use PVE::Auth::Plugin;
 use PVE::Auth::AD;
 use PVE::Auth::LDAP;
+use PVE::Auth::SAML;
 use PVE::Auth::PVE;
 use PVE::Auth::PAM;
 
@@ -29,6 +30,7 @@ use PVE::Auth::PAM;
 
 PVE::Auth::AD->register();
 PVE::Auth::LDAP->register();
+PVE::Auth::SAML->register();
 PVE::Auth::PVE->register();
 PVE::Auth::PAM->register();
 PVE::Auth::Plugin->init();
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..8a4688e 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -3,6 +3,7 @@ AUTH_SOURCES= 		 	\
 	Plugin.pm 		\
 	PVE.pm		 	\
 	PAM.pm		 	\
+	SAML.pm		 	\
 	AD.pm		 	\
 	LDAP.pm
 
diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
new file mode 100644
index 0000000..4653cb7
--- /dev/null
+++ b/src/PVE/Auth/SAML.pm
@@ -0,0 +1,248 @@
+# Instructions for installation :
+# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
+# cpanm Net::SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2
+
+package PVE::Auth::SAML;
+use POSIX;
+
+# base64 decode
+use MIME::Base64;
+
+use strict;
+use warnings;
+
+use Net::SAML2::IdP;
+use Net::SAML2::Protocol::Assertion;
+use Net::SAML2::Protocol::AuthnRequest;
+use Net::SAML2::Binding::Redirect;
+use PVE::JSONSchema;
+use PVE::Tools;
+use PVE::Auth::Plugin;
+
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+my $samlrequestfile = 'tmp/saml';
+my $timeout = 60;
+
+cfs_register_file(
+    $samlrequestfile,
+    \&parse_saml_request,
+    \&write_saml_request);
+
+sub parse_saml_request {
+    my ($filename, $raw) = @_;
+
+    my $requests = {};
+
+    return $requests if !defined($raw);
+
+    while ($raw =~ /^\s*(.+?)\s*$/gm) {
+	my $line = $1;
+
+	if ($line !~ m/^\S+:\S+:\S+:$/) {
+	    warn "saml request: ignore invalid line $.\n";
+	    next;
+	}
+
+	my ($realm, $request, $time) = split (/:/, $line);
+	$requests->{realm}->{$realm}->{request}->{$request}->{time} = $time;
+    }
+
+    return $requests;
+}
+
+sub write_saml_request{
+    my ($filename, $saml_requests) = @_;
+
+    my $data='';
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+		$data .= "$realm:$saml_request:".$saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time}.":\n";
+	    }
+	}
+    }
+    return $data;
+}
+
+sub lock_saml_request {
+    my ($code, $errmsg) = @_;
+
+    cfs_lock_file($samlrequestfile, undef, $code);
+    my $err = $@;
+    if ($err) {
+	$errmsg ? die "$errmsg: $err" : die $err;
+    }
+}
+
+sub type {
+    return 'saml';
+}
+
+sub check_saml_request {
+    my ($request_id) = @_;
+
+    my $saml_requests = cfs_read_file($samlrequestfile);
+    my $found;
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+		if ($request_id eq $saml_request){
+		    $found = $saml_request;
+		    delete_request($realm, $saml_request);
+		}
+	    }
+	    else {
+		delete_request($realm, $saml_request);
+	    }
+	}
+    }
+    return $found;
+}
+
+sub properties {
+    return {
+	Identity_Provider_Entity_ID => {
+	    description => "Set the entity ID of the upstream identity provider."
+	    . "This will be provided by your IdP.",
+	    type => 'string',
+	},
+	Identity_Provider_Url_Metadata => {
+	    description => "Set the metadata Url of the identity provider.",
+	    type => 'string',
+	},
+	# TODO how to add a CAcert content instead of path?
+	Identity_Provider_x509_CA_Certificate => {
+	    description => "Paste the x509 CA certificate data from the"
+	    . "upstream identity provider. In most cases,"
+	    . "this will be provided by your IdP.",
+	    type => 'string',
+	},
+	# TODO how to add a private key content instead of path?
+	Service_Provider_Private_Key => {
+	    description => "Paste the Private key.",
+	    type => 'string',
+	},
+	Service_Provider_Entity_ID => {
+	    description => "Displays the service provider's entity ID."
+	    . "This is the entity ID you will need to provide to your IdP.",
+	    type => 'string',
+	}
+    };
+}
+
+sub options {
+    return {
+	Identity_Provider_Url_Metadata => {},
+	Identity_Provider_x509_CA_Certificate => {},
+	Identity_Provider_Entity_ID => {},
+	Service_Provider_Entity_ID => {},
+	Service_Provider_Private_Key => {},
+	comment => { optional => 1 },
+	default => { optional => 1 },
+    };
+}
+
+# used by GET SAML
+# Init a redirect and return Url
+sub init_redirect {
+    my ($class, $config, $realm) = @_;
+
+    my $url = $config->{Identity_Provider_Url_Metadata};
+    my $cacert = $config->{Identity_Provider_x509_CA_Certificate};
+    my $samlkey = $config->{Service_Provider_Private_Key};
+
+    my $idp = Net::SAML2::IdP->new_from_url(
+	url => $url,
+	cacert => $cacert
+    );
+    my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
+	issuer		=> $config->{Service_Provider_Entity_ID},
+	destination   => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+	provider_name => $config->{Identity_Provider_Entity_ID},
+    );
+
+    # Here, we need to store saml request id and check it on return from the IdP POST
+    # Is there a way to associate this saml request id with the session?
+    # If yes => TODO
+    lock_saml_request(sub {
+	my $requestfile = cfs_read_file($samlrequestfile);
+	$requestfile->{realm}->{$realm}->{request}->{$authnreq->id}->{time} = time();
+	cfs_write_file($samlrequestfile, $requestfile);
+    });
+
+    my $redirect = Net::SAML2::Binding::Redirect->new(
+	key => $samlkey,
+	cert => $idp->cert('signing'),
+	param => 'SAMLRequest',
+	# The ssl_url destination for redirect
+	url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+    );
+
+    return $redirect->sign($authnreq->as_xml);
+}
+
+sub get_username {
+    my ($class, $SAMLResponse) = @_;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    return $assertion->{nameid};
+}
+
+# TODO get saml_request_id from cookie instead of $SAMLResponse
+sub get_realm {
+    my ($class, $SAMLResponse) = @_;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    my $saml_requests = cfs_read_file($samlrequestfile);
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if ($assertion->{in_response_to} eq $saml_request) {
+		return $realm;
+	    }
+	}
+    }
+    return undef;
+}
+
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $SAMLResponse) = @_;
+
+    my $valid = 0;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    my $issuer = $config->{Service_Provider_Entity_ID};
+
+    if (check_saml_request($assertion->{in_response_to})) {
+	$valid = $assertion->valid($issuer, $assertion->{in_response_to});
+    }
+
+    die 'saml login failed!' if ($valid != '1');
+
+    return 1;
+}
+
+sub delete_request {
+    my ($realm, $request) = @_;
+
+    lock_saml_request(sub {
+	my $saml_requests = cfs_read_file($samlrequestfile);
+	delete $saml_requests->{realm}->{$realm}->{request}->{$request};
+	cfs_write_file($samlrequestfile, $saml_requests);
+    });
+}
+
+1;
-- 
2.20.1