From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id E8D9773506 for ; Thu, 27 May 2021 23:57:47 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DEB3C2293D for ; Thu, 27 May 2021 23:57:17 +0200 (CEST) Received: from smtp.smtpout.orange.fr (smtp04.smtpout.orange.fr [80.12.242.126]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 96FD12292B for ; Thu, 27 May 2021 23:57:16 +0200 (CEST) Received: from dovecot.localdomain ([90.118.15.232]) by mwinf5d51 with ME id 9xx92500950Qfqq03xxAuS; Thu, 27 May 2021 23:57:10 +0200 X-ME-Helo: dovecot.localdomain X-ME-Auth: anVsaWVuLmJsYWlzNUBvcmFuZ2UuZnI= X-ME-Date: Thu, 27 May 2021 23:57:10 +0200 X-ME-IP: 90.118.15.232 From: Julien BLAIS To: pve-devel@lists.proxmox.com Cc: Julien BLAIS Date: Thu, 27 May 2021 23:55:11 +0200 Message-Id: <20210527215511.28243-1-webmaster@jbsky.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -0.145 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 May 2021 21:57:48 -0000 Added a new endpoint usable by api2/html/access/saml?realm=$DOM which allows to initiate a redirection to an IdP. During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME Modification of the endpoint /access/ticket to support SAMLResponse. The information is extracted from the SAMLResponse variable in order to check if the SAML_REQUEST_ID exists in /etc/pve/tmp/saml, we extract from this file the REALM used to initiate the SSO connection. For the initialization and authentication part, I rely on the work available in the github repository by trying to apply the best recommendations. The TIME part of each record is tested with the time() function to ensure that each record does not exceed $timeout Signed-off-by: Julien BLAIS --- src/PVE/API2/AccessControl.pm | 73 +++++++++- src/PVE/AccessControl.pm | 2 + src/PVE/Auth/Makefile | 1 + src/PVE/Auth/SAML.pm | 248 ++++++++++++++++++++++++++++++++++ 4 files changed, 322 insertions(+), 2 deletions(-) create mode 100644 src/PVE/Auth/SAML.pm diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm index a77694b..bd660c3 100644 --- a/src/PVE/API2/AccessControl.pm +++ b/src/PVE/API2/AccessControl.pm @@ -20,6 +20,7 @@ use PVE::API2::Group; use PVE::API2::Role; use PVE::API2::ACL; use PVE::Auth::Plugin; +use PVE::Auth::SAML; use PVE::OTP; use PVE::Tools; @@ -243,6 +244,7 @@ __PACKAGE__->register_method ({ username => { description => "User name", type => 'string', + optional => 1, maxLength => 64, completion => \&PVE::AccessControl::complete_username, }, @@ -254,6 +256,7 @@ __PACKAGE__->register_method ({ password => { description => "The secret password. This can also be a valid ticket.", type => 'string', + optional => 1, }, otp => { description => "One-time password for Two-factor authentication.", @@ -274,6 +277,11 @@ __PACKAGE__->register_method ({ optional => 1, maxLength => 64, }, + SAMLResponse => { + description => "SAMLResponse.", + type => 'string', + optional => 1, + }, } }, returns => { @@ -289,8 +297,21 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - my $username = $param->{username}; - $username .= "\@$param->{realm}" if $param->{realm}; + my $username; + if(defined($param->{username})){ + $username = $param->{username}; + $username .= "\@$param->{realm}" if $param->{realm}; + } + elsif(defined($param->{SAMLResponse})) { + my $realm = PVE::Auth::SAML->get_realm($param->{SAMLResponse}); + $username = PVE::Auth::SAML->get_username($param->{SAMLResponse})."\@$realm" if $realm; + + # Prepare for PVE::Auth::SAML->authenticate_user() + $param->{password}=$param->{SAMLResponse}; + } + else { + die PVE::Exception->new("authentication failure\n", code => 401); + } $username = PVE::AccessControl::lookup_username($username); my $rpcenv = PVE::RPCEnvironment::get(); @@ -719,4 +740,52 @@ __PACKAGE__->register_method({ return $res; }}); +__PACKAGE__->register_method ({ + name => 'get_saml', + path => 'saml', + method => 'GET', + permissions => { user => 'world' }, + protected => 1, # else we can't access shadow files + allowtoken => 0, # we don't want tokens to create tickets + description => "Init saml redirect to a login page.", + parameters => { + additionalProperties => 0, + properties => { + realm => { + type => 'string', + description => "You must pass the realm using in this parameter.", + } + } + }, + returns => { + type => "object", + properties => { + url => { type => 'string' }, + realm => { type => 'string'} + } + }, + code => sub { + my ($param) = @_; + + my $domain_cfg = cfs_read_file('domains.cfg'); + + my $rpcenv = PVE::RPCEnvironment::get(); + + my $url = ""; + + eval { + $url = PVE::Auth::SAML->init_redirect($domain_cfg->{ids}->{$param->{realm}},$param->{realm}); + }; + + if (my $err = $@) { + my $clientip = $rpcenv->get_client_ip() || ''; + syslog('err', "Init saml redirect to a login page; rhost=$clientip msg=$err"); + die PVE::Exception->new("authentication failure\n", code => 401); + } + + die PVE::Exception->new("authentication failure '$url'\n", code => 401) if ( $url eq "" ); + + return { realm => $param->{realm}, url => $url }; + }}); + 1; diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index f7d4e78..61bc680 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -22,6 +22,7 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option); use PVE::Auth::Plugin; use PVE::Auth::AD; use PVE::Auth::LDAP; +use PVE::Auth::SAML; use PVE::Auth::PVE; use PVE::Auth::PAM; @@ -29,6 +30,7 @@ use PVE::Auth::PAM; PVE::Auth::AD->register(); PVE::Auth::LDAP->register(); +PVE::Auth::SAML->register(); PVE::Auth::PVE->register(); PVE::Auth::PAM->register(); PVE::Auth::Plugin->init(); diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile index 58ae362..8a4688e 100644 --- a/src/PVE/Auth/Makefile +++ b/src/PVE/Auth/Makefile @@ -3,6 +3,7 @@ AUTH_SOURCES= \ Plugin.pm \ PVE.pm \ PAM.pm \ + SAML.pm \ AD.pm \ LDAP.pm diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm new file mode 100644 index 0000000..4653cb7 --- /dev/null +++ b/src/PVE/Auth/SAML.pm @@ -0,0 +1,248 @@ +# Instructions for installation : +# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus +# cpanm Net::SAML2 +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2 +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2 + +package PVE::Auth::SAML; +use POSIX; + +# base64 decode +use MIME::Base64; + +use strict; +use warnings; + +use Net::SAML2::IdP; +use Net::SAML2::Protocol::Assertion; +use Net::SAML2::Protocol::AuthnRequest; +use Net::SAML2::Binding::Redirect; +use PVE::JSONSchema; +use PVE::Tools; +use PVE::Auth::Plugin; + +use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); + +use base qw(PVE::Auth::Plugin); + +my $samlrequestfile = 'tmp/saml'; +my $timeout = 60; + +cfs_register_file( + $samlrequestfile, + \&parse_saml_request, + \&write_saml_request); + +sub parse_saml_request { + my ($filename, $raw) = @_; + + my $requests = {}; + + return $requests if !defined($raw); + + while ($raw =~ /^\s*(.+?)\s*$/gm) { + my $line = $1; + + if ($line !~ m/^\S+:\S+:\S+:$/) { + warn "saml request: ignore invalid line $.\n"; + next; + } + + my ($realm, $request, $time) = split (/:/, $line); + $requests->{realm}->{$realm}->{request}->{$request}->{time} = $time; + } + + return $requests; +} + +sub write_saml_request{ + my ($filename, $saml_requests) = @_; + + my $data=''; + foreach my $realm (keys %{$saml_requests->{realm}}) { + foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) { + if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) { + $data .= "$realm:$saml_request:".$saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time}.":\n"; + } + } + } + return $data; +} + +sub lock_saml_request { + my ($code, $errmsg) = @_; + + cfs_lock_file($samlrequestfile, undef, $code); + my $err = $@; + if ($err) { + $errmsg ? die "$errmsg: $err" : die $err; + } +} + +sub type { + return 'saml'; +} + +sub check_saml_request { + my ($request_id) = @_; + + my $saml_requests = cfs_read_file($samlrequestfile); + my $found; + foreach my $realm (keys %{$saml_requests->{realm}}) { + foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) { + if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) { + if ($request_id eq $saml_request){ + $found = $saml_request; + delete_request($realm, $saml_request); + } + } + else { + delete_request($realm, $saml_request); + } + } + } + return $found; +} + +sub properties { + return { + Identity_Provider_Entity_ID => { + description => "Set the entity ID of the upstream identity provider." + . "This will be provided by your IdP.", + type => 'string', + }, + Identity_Provider_Url_Metadata => { + description => "Set the metadata Url of the identity provider.", + type => 'string', + }, + # TODO how to add a CAcert content instead of path? + Identity_Provider_x509_CA_Certificate => { + description => "Paste the x509 CA certificate data from the" + . "upstream identity provider. In most cases," + . "this will be provided by your IdP.", + type => 'string', + }, + # TODO how to add a private key content instead of path? + Service_Provider_Private_Key => { + description => "Paste the Private key.", + type => 'string', + }, + Service_Provider_Entity_ID => { + description => "Displays the service provider's entity ID." + . "This is the entity ID you will need to provide to your IdP.", + type => 'string', + } + }; +} + +sub options { + return { + Identity_Provider_Url_Metadata => {}, + Identity_Provider_x509_CA_Certificate => {}, + Identity_Provider_Entity_ID => {}, + Service_Provider_Entity_ID => {}, + Service_Provider_Private_Key => {}, + comment => { optional => 1 }, + default => { optional => 1 }, + }; +} + +# used by GET SAML +# Init a redirect and return Url +sub init_redirect { + my ($class, $config, $realm) = @_; + + my $url = $config->{Identity_Provider_Url_Metadata}; + my $cacert = $config->{Identity_Provider_x509_CA_Certificate}; + my $samlkey = $config->{Service_Provider_Private_Key}; + + my $idp = Net::SAML2::IdP->new_from_url( + url => $url, + cacert => $cacert + ); + my $authnreq = Net::SAML2::Protocol::AuthnRequest->new( + issuer => $config->{Service_Provider_Entity_ID}, + destination => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'), + provider_name => $config->{Identity_Provider_Entity_ID}, + ); + + # Here, we need to store saml request id and check it on return from the IdP POST + # Is there a way to associate this saml request id with the session? + # If yes => TODO + lock_saml_request(sub { + my $requestfile = cfs_read_file($samlrequestfile); + $requestfile->{realm}->{$realm}->{request}->{$authnreq->id}->{time} = time(); + cfs_write_file($samlrequestfile, $requestfile); + }); + + my $redirect = Net::SAML2::Binding::Redirect->new( + key => $samlkey, + cert => $idp->cert('signing'), + param => 'SAMLRequest', + # The ssl_url destination for redirect + url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'), + ); + + return $redirect->sign($authnreq->as_xml); +} + +sub get_username { + my ($class, $SAMLResponse) = @_; + + my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( + xml => decode_base64($SAMLResponse) + ); + + return $assertion->{nameid}; +} + +# TODO get saml_request_id from cookie instead of $SAMLResponse +sub get_realm { + my ($class, $SAMLResponse) = @_; + + my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( + xml => decode_base64($SAMLResponse) + ); + + my $saml_requests = cfs_read_file($samlrequestfile); + foreach my $realm (keys %{$saml_requests->{realm}}) { + foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) { + if ($assertion->{in_response_to} eq $saml_request) { + return $realm; + } + } + } + return undef; +} + +sub authenticate_user { + my ($class, $config, $realm, $username, $SAMLResponse) = @_; + + my $valid = 0; + + my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( + xml => decode_base64($SAMLResponse) + ); + + my $issuer = $config->{Service_Provider_Entity_ID}; + + if (check_saml_request($assertion->{in_response_to})) { + $valid = $assertion->valid($issuer, $assertion->{in_response_to}); + } + + die 'saml login failed!' if ($valid != '1'); + + return 1; +} + +sub delete_request { + my ($realm, $request) = @_; + + lock_saml_request(sub { + my $saml_requests = cfs_read_file($samlrequestfile); + delete $saml_requests->{realm}->{$realm}->{request}->{$request}; + cfs_write_file($samlrequestfile, $saml_requests); + }); +} + +1; -- 2.20.1