mirror of
https://github.com/fleetdm/fleet
synced 2026-05-14 20:48:35 +00:00
c69d56ed64
For https://github.com/fleetdm/confidential/issues/9931.
[Here](ec3e8edbdc/docs/Contributing/Testing-and-local-development.md (L339))'s
how to test SAML locally with SimpleSAML.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SSO and SAML integration with enhanced session management
using secure cookies.
* Added support for IdP-initiated login flows.
* Introduced new tests covering SSO login flows, metadata handling, and
error scenarios.
* **Bug Fixes**
* Enhanced validation and error handling for invalid or tampered SAML
responses.
* Fixed session cookie handling during SSO and Apple MDM SSO flows.
* **Refactor**
* Replaced custom SAML implementation with the crewjam/saml library for
improved reliability.
* Simplified SAML metadata parsing and session store management.
* Streamlined SSO authorization request and response processing.
* Removed deprecated fields and redundant code related to SSO.
* **Documentation**
* Updated testing and local development docs with clearer instructions
for SSO and IdP-initiated login.
* **Chores**
* Upgraded dependencies including crewjam/saml and related packages.
* Cleaned up tests and configuration by removing deprecated fields and
unused imports.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
108 lines
3.2 KiB
Go
108 lines
3.2 KiB
Go
package sso
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/datastore/redis"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
redigo "github.com/gomodule/redigo/redis"
|
|
)
|
|
|
|
// Session stores state for the lifetime of a single sign on session.
|
|
type Session struct {
|
|
// RequestID is the SAMLRequest ID that must match "InResponseTo" in the SAMLResponse.
|
|
RequestID string `json:"request_id"`
|
|
// Metadata is the IdP's Metadata used to validate the response.
|
|
Metadata string `json:"metadata"`
|
|
// OriginalURL is the resource being accessed when login request was triggered
|
|
OriginalURL string `json:"original_url"`
|
|
}
|
|
|
|
// SessionStore persists state of a sso session across process boundries and
|
|
// method calls by associating the state of the sign on session with a unique
|
|
// token created by the user agent (browser SPA). The lifetime of the state object
|
|
// is constrained in the backing store (Redis) so if the sso process is not completed in
|
|
// a reasonable amount of time, it automatically expires and is removed.
|
|
type SessionStore interface {
|
|
create(sessionID, requestID, originalURL, metadata string, lifetimeSecs uint) error
|
|
get(sessionID string) (*Session, error)
|
|
expire(sessionID string) error
|
|
// Fullfill loads a session with the given session ID, deletes it and returns it.
|
|
Fullfill(sessionID string) (*Session, error)
|
|
}
|
|
|
|
// NewSessionStore creates a SessionStore
|
|
func NewSessionStore(pool fleet.RedisPool) SessionStore {
|
|
return &store{pool}
|
|
}
|
|
|
|
type store struct {
|
|
pool fleet.RedisPool
|
|
}
|
|
|
|
func (s *store) create(sessionID, requestID, originalURL, metadata string, lifetimeSecs uint) error {
|
|
if len(sessionID) < 8 {
|
|
return errors.New("request id must be 8 or more characters in length")
|
|
}
|
|
conn := redis.ConfigureDoer(s.pool, s.pool.Get())
|
|
defer conn.Close()
|
|
|
|
session := Session{
|
|
RequestID: requestID,
|
|
Metadata: metadata,
|
|
OriginalURL: originalURL,
|
|
}
|
|
var writer bytes.Buffer
|
|
err := json.NewEncoder(&writer).Encode(session)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = conn.Do("SETEX", sessionID, lifetimeSecs, writer.String())
|
|
return err
|
|
}
|
|
|
|
func (s *store) get(sessionID string) (*Session, error) {
|
|
// not reading from a replica here as this gets called in close succession
|
|
// in the auth flow, with initiate SSO writing and callback SSO having to
|
|
// read that write.
|
|
conn := redis.ConfigureDoer(s.pool, s.pool.Get())
|
|
defer conn.Close()
|
|
val, err := redigo.String(conn.Do("GET", sessionID))
|
|
if err != nil {
|
|
if err == redigo.ErrNil {
|
|
return nil, fleet.NewAuthRequiredError("session not found")
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
var sess Session
|
|
reader := bytes.NewBufferString(val)
|
|
err = json.NewDecoder(reader).Decode(&sess)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &sess, nil
|
|
}
|
|
|
|
func (s *store) expire(sessionID string) error {
|
|
conn := redis.ConfigureDoer(s.pool, s.pool.Get())
|
|
defer conn.Close()
|
|
_, err := conn.Do("DEL", sessionID)
|
|
return err
|
|
}
|
|
|
|
func (s *store) Fullfill(sessionID string) (*Session, error) {
|
|
session, err := s.get(sessionID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("sso request invalid: %w", err)
|
|
}
|
|
// Remove session so that it can't be reused before it expires.
|
|
err = s.expire(sessionID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("remove sso request: %w", err)
|
|
}
|
|
return session, nil
|
|
}
|