Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-06 06:48:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/server/sso/authorization_request.go
Lucas Manuel Rodriguez 3e2c72dfed
Fix ProtocolBinding attribute in SAML AuthnRequests (#30751) 
Fix for #30750.

Using the proper values defined in:
346540312f/metadata.go (L12-L16)
2025-07-10 17:55:09 -03:00

99 lines
3 KiB
Go
Raw Blame History

package sso
import (
"bytes"
"context"
"encoding/xml"
"errors"
"fmt"
"github.com/crewjam/saml"
"github.com/fleetdm/fleet/v4/server"
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
)
const cacheLifetimeSeconds = uint(300) // in seconds (5 minutes)
func getDestinationURL(idpMetadata *saml.EntityDescriptor) (string, error) {
for _, ssoDescriptor := range idpMetadata.IDPSSODescriptors {
for _, ssos := range ssoDescriptor.SingleSignOnServices {
if ssos.Binding == saml.HTTPRedirectBinding {
return ssos.Location, nil
}
}
}
return "", errors.New("IDP does not support redirect binding")
}
// CreateAuthorizationRequest creates a new SAML AuthnRequest and creates a new session in sessionStore.
// It will generate and return the session identifier.
// (the IdP will send it again to Fleet in the callback, and that's how Fleet will authenticate the session).
// If sessionTTLSeconds is 0 then a default of 5 minutes of TTL is used.
func CreateAuthorizationRequest(
ctx context.Context,
samlProvider *saml.ServiceProvider,
sessionStore SessionStore,
originalURL string,
sessionTTLSeconds uint,
) (sessionID string, idpURL string, err error) {
idpURL, err = getDestinationURL(samlProvider.IDPMetadata)
if err != nil {
return "", "", fmt.Errorf("get idp url: %w", err)
}
samlAuthRequest, err := samlProvider.MakeAuthenticationRequest(
idpURL,
saml.HTTPRedirectBinding,
saml.HTTPPostBinding,
)
if err != nil {
return "", "", ctxerr.Wrap(ctx, err, "make auth request")
}
// We can modify the samlAuthRequest because it's not signed
// (not a requirement when using "HTTPRedirectBinding" binding for the request)
samlAuthRequest.ProviderName = "Fleet"
var metadataWriter bytes.Buffer
err = xml.NewEncoder(&metadataWriter).Encode(samlProvider.IDPMetadata)
if err != nil {
return "", "", fmt.Errorf("encoding metadata creating auth request: %w", err)
}
sessionID, err = generateSessionID()
if err != nil {
return "", "", ctxerr.Wrap(ctx, err, "generate session ID")
}
sessionLifetimeSeconds := cacheLifetimeSeconds
if sessionTTLSeconds > 0 {
sessionLifetimeSeconds = sessionTTLSeconds
}
// Store the session with the generated ID.
// We cache the metadata so we can check the signatures on the response we get from the IdP.
err = sessionStore.create(
sessionID,
samlAuthRequest.ID,
originalURL,
metadataWriter.String(),
sessionLifetimeSeconds,
)
if err != nil {
return "", "", fmt.Errorf("caching SSO session while creating auth request: %w", err)
}
relayState := "" // Fleet currently doesn't use/set RelayState
idpRedirectURL, err := samlAuthRequest.Redirect(relayState, samlProvider)
if err != nil {
return "", "", ctxerr.Wrap(ctx, err, "generating redirect")
}
return sessionID, idpRedirectURL.String(), nil
}
func generateSessionID() (string, error) {
const sessionIDLength = 24
sessionID, err := server.GenerateRandomText(sessionIDLength)
if err != nil {
return "", fmt.Errorf("create random session ID: %w", err)
}
return sessionID, nil
}
Reference in a new issue View git blame Copy permalink