* [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2
@ 2021-05-27 21:55 Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-cluster] " Julien BLAIS
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Julien BLAIS @ 2021-05-27 21:55 UTC (permalink / raw)
  To: pve-devel; +Cc: Julien BLAIS

Added a new endpoint usable by api2/html/access/saml?realm=$DOM
  which allows initiating a redirection to an IdP.
  During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME.
Modification of the endpoint /access/ticket to support SAMLResponse.
  The information is extracted from the SAMLResponse variable in order to check
  whether the SAML_REQUEST_ID exists in /etc/pve/tmp/saml; we extract from this file the REALM used to initiate the SSO connection.
For the initialization and authentication part, I rely on the work available in the GitHub repository, trying to apply the best recommendations.
  The TIME part of each record is tested with the time() function to ensure that each record does not exceed $timeout.

Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
 src/PVE/API2/AccessControl.pm |  73 +++++++++-
 src/PVE/AccessControl.pm      |   2 +
 src/PVE/Auth/Makefile         |   1 +
 src/PVE/Auth/SAML.pm          | 248 ++++++++++++++++++++++++++++++++++
 4 files changed, 322 insertions(+), 2 deletions(-)
 create mode 100644 src/PVE/Auth/SAML.pm

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index a77694b..bd660c3 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -20,6 +20,7 @@ use PVE::API2::Group;
 use PVE::API2::Role;
 use PVE::API2::ACL;
 use PVE::Auth::Plugin;
+use PVE::Auth::SAML;
 use PVE::OTP;
 use PVE::Tools;
 
@@ -243,6 +244,7 @@ __PACKAGE__->register_method ({
 	    username => {
 	        description => "User name",
 	        type => 'string',
+	        optional => 1,
 	        maxLength => 64,
 	        completion => \&PVE::AccessControl::complete_username,
 	    },
@@ -254,6 +256,7 @@ __PACKAGE__->register_method ({
 	    password => {
 		description => "The secret password. This can also be a valid ticket.",
 		type => 'string',
+		optional => 1,
 	    },
 	    otp => {
 		description => "One-time password for Two-factor authentication.",
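Review bot: making `password` optional widens the accepted input for every caller of `POST /access/ticket`, but its description is unchanged; state that it is required unless `SAMLResponse` is given, since the code in this same method later substitutes the SAMLResponse for it (`$param->{password}=$param->{SAMLResponse}`), so a reader of the schema alone cannot tell which combinations are valid.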
@@ -274,6 +277,11 @@ __PACKAGE__->register_method ({
 		optional => 1,
 		maxLength => 64,
 	    },
+	    SAMLResponse => {
+		description => "SAMLResponse.",
+		type => 'string',
+		optional => 1,
+	    },
 	}
     },
     returns => {
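Review bot: the description `"SAMLResponse."` tells an API consumer nothing; say that it is the base64-encoded SAMLResponse POSTed back by the IdP and that `username` and `password` are ignored when it is set. The parameter also has no `maxLength`, unlike `username` (64), although it is the one input here that gets base64-decoded and XML-parsed before any authentication has happened; a generous upper bound keeps the schema check in front of the parser.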
@@ -289,8 +297,21 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 
-	my $username = $param->{username};
-	$username .= "\@$param->{realm}" if $param->{realm};
+	my $username;
+	if(defined($param->{username})){
+	    $username = $param->{username};
+	    $username .= "\@$param->{realm}" if $param->{realm};
+	}
+	elsif(defined($param->{SAMLResponse})) {
+	    my $realm = PVE::Auth::SAML->get_realm($param->{SAMLResponse});
+	    $username = PVE::Auth::SAML->get_username($param->{SAMLResponse})."\@$realm" if $realm;
+
+	    # Prepare for PVE::Auth::SAML->authenticate_user()
+	    $param->{password}=$param->{SAMLResponse};
+	}
+	else {
+	    die PVE::Exception->new("authentication failure\n", code => 401);
+	}
 
 	$username = PVE::AccessControl::lookup_username($username);
 	my $rpcenv = PVE::RPCEnvironment::get();
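Review bot: when `get_realm` returns undef (no request id in `tmp/saml` matches `InResponseTo`), `$username` is left undefined by the `if $realm` guard and flows on into `PVE::AccessControl::lookup_username` instead of failing fast; add `die PVE::Exception->new("authentication failure\n", code => 401) if !$realm;` inside the `elsif` branch. Note as well that `get_realm` and `get_username` each base64-decode and XML-parse the untrusted response here, before any signature check, and `authenticate_user` parses it a third time; parse once, verify, then read `nameid` and `in_response_to` from the verified assertion.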
@@ -719,4 +740,52 @@ __PACKAGE__->register_method({
 	return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'get_saml',
+    path => 'saml',
+    method => 'GET',
+    permissions => { user => 'world' },
+    protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to create tickets
+    description => "Init saml redirect to a login page.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    realm => {
+		type => 'string',
+		description => "You must pass the realm using in this parameter.",
+	    }
+	}
+    },
+    returns => {
+	type => "object",
+	properties => {
+	    url => { type => 'string' },
+	    realm => { type => 'string'}
+	}
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $domain_cfg = cfs_read_file('domains.cfg');
+
+	my $rpcenv = PVE::RPCEnvironment::get();
+
+	my $url = "";
+
+	eval {
+	    $url = PVE::Auth::SAML->init_redirect($domain_cfg->{ids}->{$param->{realm}},$param->{realm});
+	};
+
+	if (my $err = $@) {
+	    my $clientip = $rpcenv->get_client_ip() || '';
+	    syslog('err', "Init saml redirect to a login page; rhost=$clientip msg=$err");
+	    die PVE::Exception->new("authentication failure\n", code => 401);
+	}
+
+	die PVE::Exception->new("authentication failure '$url'\n", code => 401) if ( $url eq "" );
+
+	return { realm => $param->{realm}, url => $url };
+    }});
+
 1;
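Review bot: `$domain_cfg->{ids}->{$param->{realm}}` is handed to `init_redirect` without checking that the realm exists or that its `type` is `saml`; an unknown realm gives an undef config and a non-SAML realm (e.g. an LDAP one) lacks the SAML keys, and both only surface as the generic 401 after `Net::SAML2` fails. Check `$cfg && $cfg->{type} eq 'saml'` and die with a 400 before calling into the plugin, and declare the parameter with the standard option (`get_standard_option('realm')`) so the `pve-realm` format and length are enforced rather than accepting a free-form string. Smaller points: the second `die` interpolates `$url` into the message although it is always the empty string at that point, the realm description reads "using in this parameter", and the `protected`/`allowtoken` comments are copied from the ticket method and do not describe what this method needs root for (the lock and write on `tmp/saml`).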
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..61bc680 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -22,6 +22,7 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option);
 use PVE::Auth::Plugin;
 use PVE::Auth::AD;
 use PVE::Auth::LDAP;
+use PVE::Auth::SAML;
 use PVE::Auth::PVE;
 use PVE::Auth::PAM;
 
@@ -29,6 +30,7 @@ use PVE::Auth::PAM;
 
 PVE::Auth::AD->register();
 PVE::Auth::LDAP->register();
+PVE::Auth::SAML->register();
 PVE::Auth::PVE->register();
 PVE::Auth::PAM->register();
 PVE::Auth::Plugin->init();
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..8a4688e 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -3,6 +3,7 @@ AUTH_SOURCES= 		 	\
 	Plugin.pm 		\
 	PVE.pm		 	\
 	PAM.pm		 	\
+	SAML.pm		 	\
 	AD.pm		 	\
 	LDAP.pm
 
diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
new file mode 100644
index 0000000..4653cb7
--- /dev/null
+++ b/src/PVE/Auth/SAML.pm
@@ -0,0 +1,248 @@
+# Instructions for installation :
+# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
+# cpanm Net::SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2
+
+package PVE::Auth::SAML;
+use POSIX;
+
+# base64 decode
+use MIME::Base64;
+
+use strict;
+use warnings;
+
+use Net::SAML2::IdP;
+use Net::SAML2::Protocol::Assertion;
+use Net::SAML2::Protocol::AuthnRequest;
+use Net::SAML2::Binding::Redirect;
+use PVE::JSONSchema;
+use PVE::Tools;
+use PVE::Auth::Plugin;
+
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+my $samlrequestfile = 'tmp/saml';
+my $timeout = 60;
+
+cfs_register_file(
+    $samlrequestfile,
+    \&parse_saml_request,
+    \&write_saml_request);
+
+sub parse_saml_request {
+    my ($filename, $raw) = @_;
+
+    my $requests = {};
+
+    return $requests if !defined($raw);
+
+    while ($raw =~ /^\s*(.+?)\s*$/gm) {
+	my $line = $1;
+
+	if ($line !~ m/^\S+:\S+:\S+:$/) {
+	    warn "saml request: ignore invalid line $.\n";
+	    next;
+	}
+
+	my ($realm, $request, $time) = split (/:/, $line);
+	$requests->{realm}->{$realm}->{request}->{$request}->{time} = $time;
+    }
+
+    return $requests;
+}
+
+sub write_saml_request{
+    my ($filename, $saml_requests) = @_;
+
+    my $data='';
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+		$data .= "$realm:$saml_request:".$saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time}.":\n";
+	    }
+	}
+    }
+    return $data;
+}
+
+sub lock_saml_request {
+    my ($code, $errmsg) = @_;
+
+    cfs_lock_file($samlrequestfile, undef, $code);
+    my $err = $@;
+    if ($err) {
+	$errmsg ? die "$errmsg: $err" : die $err;
+    }
+}
+
+sub type {
+    return 'saml';
+}
+
+sub check_saml_request {
+    my ($request_id) = @_;
+
+    my $saml_requests = cfs_read_file($samlrequestfile);
+    my $found;
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+		if ($request_id eq $saml_request){
+		    $found = $saml_request;
+		    delete_request($realm, $saml_request);
+		}
+	    }
+	    else {
+		delete_request($realm, $saml_request);
+	    }
+	}
+    }
+    return $found;
+}
+
+sub properties {
+    return {
+	Identity_Provider_Entity_ID => {
+	    description => "Set the entity ID of the upstream identity provider."
+	    . "This will be provided by your IdP.",
+	    type => 'string',
+	},
+	Identity_Provider_Url_Metadata => {
+	    description => "Set the metadata Url of the identity provider.",
+	    type => 'string',
+	},
+	# TODO how to add a CAcert content instead of path?
+	Identity_Provider_x509_CA_Certificate => {
+	    description => "Paste the x509 CA certificate data from the"
+	    . "upstream identity provider. In most cases,"
+	    . "this will be provided by your IdP.",
+	    type => 'string',
+	},
+	# TODO how to add a private key content instead of path?
+	Service_Provider_Private_Key => {
+	    description => "Paste the Private key.",
+	    type => 'string',
+	},
+	Service_Provider_Entity_ID => {
+	    description => "Displays the service provider's entity ID."
+	    . "This is the entity ID you will need to provide to your IdP.",
+	    type => 'string',
+	}
+    };
+}
+
+sub options {
+    return {
+	Identity_Provider_Url_Metadata => {},
+	Identity_Provider_x509_CA_Certificate => {},
+	Identity_Provider_Entity_ID => {},
+	Service_Provider_Entity_ID => {},
+	Service_Provider_Private_Key => {},
+	comment => { optional => 1 },
+	default => { optional => 1 },
+    };
+}
+
+# used by GET SAML
+# Init a redirect and return Url
+sub init_redirect {
+    my ($class, $config, $realm) = @_;
+
+    my $url = $config->{Identity_Provider_Url_Metadata};
+    my $cacert = $config->{Identity_Provider_x509_CA_Certificate};
+    my $samlkey = $config->{Service_Provider_Private_Key};
+
+    my $idp = Net::SAML2::IdP->new_from_url(
+	url => $url,
+	cacert => $cacert
+    );
+    my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
+	issuer		=> $config->{Service_Provider_Entity_ID},
+	destination   => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+	provider_name => $config->{Identity_Provider_Entity_ID},
+    );
+
+    # Here, we need to store saml request id and check it on return from the IdP POST
+    # Is there a way to associate this saml request id with the session?
+    # If yes => TODO
+    lock_saml_request(sub {
+	my $requestfile = cfs_read_file($samlrequestfile);
+	$requestfile->{realm}->{$realm}->{request}->{$authnreq->id}->{time} = time();
+	cfs_write_file($samlrequestfile, $requestfile);
+    });
+
+    my $redirect = Net::SAML2::Binding::Redirect->new(
+	key => $samlkey,
+	cert => $idp->cert('signing'),
+	param => 'SAMLRequest',
+	# The ssl_url destination for redirect
+	url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+    );
+
+    return $redirect->sign($authnreq->as_xml);
+}
+
+sub get_username {
+    my ($class, $SAMLResponse) = @_;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    return $assertion->{nameid};
+}
+
+# TODO get saml_request_id from cookie instead of $SAMLResponse
+sub get_realm {
+    my ($class, $SAMLResponse) = @_;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    my $saml_requests = cfs_read_file($samlrequestfile);
+    foreach my $realm (keys %{$saml_requests->{realm}}) {
+	foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+	    if ($assertion->{in_response_to} eq $saml_request) {
+		return $realm;
+	    }
+	}
+    }
+    return undef;
+}
+
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $SAMLResponse) = @_;
+
+    my $valid = 0;
+
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+	xml => decode_base64($SAMLResponse)
+    );
+
+    my $issuer = $config->{Service_Provider_Entity_ID};
+
+    if (check_saml_request($assertion->{in_response_to})) {
+	$valid = $assertion->valid($issuer, $assertion->{in_response_to});
+    }
+
+    die 'saml login failed!' if ($valid != '1');
+
+    return 1;
+}
+
+sub delete_request {
+    my ($realm, $request) = @_;
+
+    lock_saml_request(sub {
+	my $saml_requests = cfs_read_file($samlrequestfile);
+	delete $saml_requests->{realm}->{$realm}->{request}->{$request};
+	cfs_write_file($samlrequestfile, $saml_requests);
+    });
+}
+
+1;
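Review bot: `authenticate_user` never verifies the XML signature of the response. `Net::SAML2::Protocol::Assertion->new_from_xml` only parses, and `$assertion->valid($issuer, $assertion->{in_response_to})` checks the audience, `InResponseTo` and the validity window, so the `nameid` that becomes the PVE user is taken from unverified input and the only gate is an unexpired request id in `tmp/saml`. The response must go through `Net::SAML2::Binding::POST->new(cacert => $cacert)->handle_response($SAMLResponse)`, which verifies the signature against the IdP certificate and returns the XML to parse; only then should the assertion be built. `check_saml_request` also matches the request id across all realms, while `$config` belongs to one realm, so restrict the lookup to the realm being authenticated. Smaller points: `$.` in the `warn` of `parse_saml_request` is a filehandle line counter and is meaningless when iterating a string with `//gm`; `die 'saml login failed!'` lacks the trailing newline used elsewhere; the `$valid != '1'` comparison mixes numeric and string forms; and the installation comment (`cpanm` plus symlinks into `/usr/share/perl`) is not usable for the package, `Net::SAML2` has to become a Debian dependency (`libnet-saml2-perl`, if it is available for the target release) in `debian/control`.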
-- 
2.20.1





* [pve-devel] [PATCH] [PATCH pve-cluster] SSO feature: login with SAMLv2
  2021-05-27 21:55 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Julien BLAIS
@ 2021-05-27 21:55 ` Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-http-server] " Julien BLAIS
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Julien BLAIS @ 2021-05-27 21:55 UTC (permalink / raw)
  To: pve-devel; +Cc: Julien BLAIS

Adding the file /etc/pve/tmp/saml managed by the Auth::SAML plugin.

Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
 data/PVE/Cluster.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 4d09c60..9a45b4f 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -75,6 +75,7 @@ my $observed = {
     'sdn/dns.cfg' => 1,
     'sdn/.running-config' => 1,
     'virtual-guest/cpu-models.conf' => 1,
+    'tmp/saml' => 1,
 };
 
 sub prepare_observed_file_basedirs {
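Review bot: this entry exists only because the pve-access-control patch calls `cfs_register_file('tmp/saml', ...)`, so the ordering should be recorded: pve-cluster ships first and pve-access-control gets a versioned dependency bump, otherwise the plugin registers a file pmxcfs does not observe. Also worth a sentence in the commit message: every login attempt now does a locked read-modify-write of this file on pmxcfs (once on redirect, once on return) that replicates to all nodes, and it holds security state (outstanding request ids), so a more descriptive name than `tmp/saml` would help readers.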
-- 
2.20.1





* [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: login with SAMLv2
  2021-05-27 21:55 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-cluster] " Julien BLAIS
@ 2021-05-27 21:55 ` Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH container] [PATCH pve-manager] " Julien BLAIS
  2021-05-28  7:38 ` [pve-devel] [PATCH] [PATCH pve-access-control] " Thomas Lamprecht
  3 siblings, 0 replies; 7+ messages in thread
From: Julien BLAIS @ 2021-05-27 21:55 UTC (permalink / raw)
  To: pve-devel; +Cc: Julien BLAIS

Add a formatted page that allows redirection.
For performance reasons, a raw format is used instead of a redirection initiated by the HTTP header.

/!\ Modification of the redirection URL for the /access/ticket endpoint.

Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
 src/PVE/APIServer/Formatter/HTML.pm | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm
index 743d0ad..3a90aa8 100644
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@@ -277,7 +277,7 @@ PVE::APIServer::Formatter::register_page_formatter(
 	    my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
 		$data->{ticket}, $config->{cookie_name});
 
-	    my $headers = HTTP::Headers->new(Location => $get_portal_base_url->($config),
+	    my $headers = HTTP::Headers->new(Location => '/',
 					     'Set-Cookie' => $cookie);
 	    return HTTP::Response->new(301, "Moved", $headers);
 	}
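Review bot: replacing `$get_portal_base_url->($config)` with a hard-coded `'/'` changes the existing form-login redirect for every deployment, not only SAML ones, and breaks installs that serve the portal under a non-root base URL; the commit message flags the change with `/!\` but gives no reason. Keep the computed base URL here, and if the SAML return needs a different target, carry it in `$data` rather than altering the common path.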
@@ -293,4 +293,27 @@ PVE::APIServer::Formatter::register_page_formatter(
 	return ($raw, $portal_ct);
     });
 
+PVE::APIServer::Formatter::register_page_formatter(
+    'format' => $portal_format,
+    method => 'GET',
+    path => "/access/saml",
+    code => sub {
+	my ($res, $data, $param, $path, $auth, $config) = @_;
+
+	# Get realm from cookie, see TODO part in POST /access/ticket
+	my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
+	$data->{realm}, 'realm');
+
+	my $page = qq[<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+	<html>
+	<body>
+	<script type="text/javascript">if ('$data->{url}' != '') window.location.href='$data->{url}';</script>
+	</body>
+	</html>
+	];
+	my $headers = HTTP::Headers->new('Set-Cookie' => $cookie);
+	return HTTP::Response->new(200, "Moved", $headers, $page);
+
+    });
+
 1;
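Review bot: `$data->{url}` is interpolated raw into a JavaScript string literal inside the page, so any quote or `</script>` in it would break out of the literal; emit it through a JSON encoder or HTML-escape it. A 200 response carrying a JS redirect with the status text "Moved" also sits oddly with the stated performance motivation: a `302` with a `Location` header is cheaper, works without JavaScript, and is what the `/access/ticket` formatter above already does. The `realm` cookie written via `create_auth_cookie` is never read anywhere in the series (the TODO in the ticket code says as much), so either drop it or make the ticket handler use it; the `$data->{realm}` and indentation inside `qq[...]` also ends up verbatim in the served page.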
-- 
2.20.1





* [pve-devel] [PATCH container] [PATCH pve-manager] SSO feature: login with SAMLv2
  2021-05-27 21:55 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-cluster] " Julien BLAIS
  2021-05-27 21:55 ` [pve-devel] [PATCH] [PATCH pve-http-server] " Julien BLAIS
@ 2021-05-27 21:55 ` Julien BLAIS
  2021-05-28  7:38 ` [pve-devel] [PATCH] [PATCH pve-access-control] " Thomas Lamprecht
  3 siblings, 0 replies; 7+ messages in thread
From: Julien BLAIS @ 2021-05-27 21:55 UTC (permalink / raw)
  To: pve-devel; +Cc: Julien BLAIS

Part that allows adding SAML authentication.
Adding the rule that the endpoint /access/saml does not need authentication.

Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
 PVE/HTTPServer.pm               |  3 +-
 www/manager6/Makefile           |  1 +
 www/manager6/Utils.js           |  5 +++
 www/manager6/dc/AuthEditSAML.js | 65 +++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 www/manager6/dc/AuthEditSAML.js

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 636b562b..3e64943a 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -68,7 +68,8 @@ sub auth_handler {
 
     # explicitly allow some calls without auth
     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
-	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
+	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST')) ||
+	($rel_uri eq '/access/saml' && $method eq 'GET' )) {
 	$require_auth = 0;
     }
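Review bot: exempting `GET /access/saml` from authentication is required for the flow, but the commit message should say what the handler does for an anonymous caller: a metadata fetch from the IdP URL (`Net::SAML2::IdP->new_from_url`) and a locked write to pmxcfs per request, with no rate limit. Caching the IdP metadata and keeping the request-id file bounded (the `$timeout` expiry already helps) limits the cost of unauthenticated traffic to this endpoint. Minor: the stray space in `$method eq 'GET' )` does not match the surrounding conditions.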
 
diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 506b5a4e..fc89215e 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -119,6 +119,7 @@ JSSRC= 							\
 	dc/AuthEditBase.js				\
 	dc/AuthEditAD.js				\
 	dc/AuthEditLDAP.js				\
+	dc/AuthEditSAML.js				\
 	dc/AuthView.js					\
 	dc/Backup.js					\
 	dc/Cluster.js					\
diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
index d9567979..600b81e9 100644
--- a/www/manager6/Utils.js
+++ b/www/manager6/Utils.js
@@ -740,6 +740,11 @@ Ext.define('PVE.Utils', {
 	    syncipanel: 'pveAuthLDAPSyncPanel',
 	    add: true,
 	},
+	saml: {
+	    name: gettext('SAMLv2'),
+	    ipanel: 'pveAuthSAMLPanel',
+	    add: true,
+	},
 	pam: {
 	    name: 'Linux PAM',
 	    ipanel: 'pveAuthBasePanel',
diff --git a/www/manager6/dc/AuthEditSAML.js b/www/manager6/dc/AuthEditSAML.js
new file mode 100644
index 00000000..3794bccd
--- /dev/null
+++ b/www/manager6/dc/AuthEditSAML.js
@@ -0,0 +1,65 @@
+Ext.define('PVE.panel.SAMLInputPanel', {
+    extend: 'PVE.panel.AuthBase',
+    xtype: 'pveAuthSAMLPanel',
+
+    initComponent: function() {
+	let me = this;
+
+	if (me.type !== 'saml') {
+	    throw 'invalid type';
+	}
+
+	me.column1 = [
+	    {
+		xtype: 'textfield',
+		name: 'Identity_Provider_Entity_ID',
+		fieldLabel: gettext('IdP Entity ID'),
+		emptyText: '',
+		allowBlank: false,
+	    },
+	    {
+		xtype: 'textfield',
+		name: 'Identity_Provider_Url_Metadata',
+		emptyText: '',
+		fieldLabel: gettext('IdP Url Metadata'),
+		allowBlank: true,
+	    },
+	    {
+		name: 'Identity_Provider_x509_CA_Certificate',
+		emptyText: '',
+		fieldLabel: gettext('IdP x509 CA Certificate'),
+		allowBlank: true,
+		xtype: 'textarea',
+	    },
+	];
+
+	me.column2 = [
+	    {
+		xtype: 'textfield',
+		fieldLabel: gettext('SP Entity ID'),
+		allowBlank: false,
+		name: 'Service_Provider_Entity_ID',
+	    },
+	    {
+		xtype: 'textarea',
+		fieldLabel: gettext('SP Private key'),
+		allowBlank: true,
+		name: 'Service_Provider_Private_Key',
+	    }
+	];
+
+	me.callParent();
+    },
+    onGetValues: function(values) {
+	let me = this;
+
+	if (!values.verify) {
+	    if (!me.isCreate) {
+		Proxmox.Utils.assemble_field_data(values, { 'delete': 'verify' });
+	    }
+	    delete values.verify;
+	}
+
+	return me.callParent([values]);
+    },
+});
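Review bot: `onGetValues` handles a `verify` value that no field in this panel defines (it appears copied from the LDAP/AD panel), so the block is dead code and should go. The `allowBlank: true` on `Identity_Provider_Url_Metadata`, `Identity_Provider_x509_CA_Certificate` and `Service_Provider_Private_Key` also contradicts the plugin's `options()` in the pve-access-control patch, which lists all five keys without `optional => 1`, so the form lets a user submit a realm the API will reject; set `allowBlank: false` there or mark them optional server-side. The `emptyText: ''` entries are no-ops and can be dropped.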
-- 
2.20.1





* Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2
  2021-05-27 21:55 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Julien BLAIS
                   ` (2 preceding siblings ...)
  2021-05-27 21:55 ` [pve-devel] [PATCH container] [PATCH pve-manager] " Julien BLAIS
@ 2021-05-28  7:38 ` Thomas Lamprecht
  2021-05-28 12:11   ` [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature: loginwith SAMLv2 wb
  3 siblings, 1 reply; 7+ messages in thread
From: Thomas Lamprecht @ 2021-05-28  7:38 UTC (permalink / raw)
  To: Proxmox VE development discussion, Julien BLAIS

Hi!

Thanks for sending this as patch series, looks much nicer to review now!

It seems that a signed CLA from you is still missing though, please check out:
https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright

Would be great if you could send one to office@proxmox.com so we can look into this.

Thank you!

- Thomas





* [pve-devel] RE :  [PATCH] [PATCH pve-access-control] SSO feature: loginwith SAMLv2
  2021-05-28  7:38 ` [pve-devel] [PATCH] [PATCH pve-access-control] " Thomas Lamprecht
@ 2021-05-28 12:11   ` wb
  0 siblings, 0 replies; 7+ messages in thread
From: wb @ 2021-05-28 12:11 UTC (permalink / raw)
  To: Thomas Lamprecht, Proxmox VE development discussion

Hello,

The 4th page has been signed and sent.

Sincerely,

Julien Blais

From: Thomas Lamprecht
Sent: Friday, 28 May 2021 09:38
To: Proxmox VE development discussion; Julien BLAIS
Subject: Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: loginwith SAMLv2

Hi!

Thanks for sending this as patch series, looks much nicer to review now!

It seems that a signed CLA from you is still missing though, please check out:
https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright

Would be great if you could send one to office@proxmox.com so we can look into this.

Thank you!

- Thomas






* Re: [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: login with SAMLv2
@ 2021-05-31  8:03 Dietmar Maurer
  0 siblings, 0 replies; 7+ messages in thread
From: Dietmar Maurer @ 2021-05-31  8:03 UTC (permalink / raw)
  To: Proxmox VE development discussion, Julien BLAIS

I am trying to test your code, so I need a SAML Identity provider. What is
the best OSS implementation for that?

I tried lemonldap-ng, but their example configuration is a nightmare and
I was unable to get that running. Is there anything else I can use to test?

- Dietmar




