Support SAML authentication (#25165)

Closes https://github.com/go-gitea/gitea/issues/5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
2024-02-22 19:08:17 -05:00
parent c4b0cb4d0d
commit 5bb8d1924d
37 changed files with 1440 additions and 69 deletions
@@ -0,0 +1,89 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package saml
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/markbates/goth"
+)
+
+// Callout redirects request/response pair to authenticate against the provider
+func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {
+	samlRWMutex.RLock()
+	defer samlRWMutex.RUnlock()
+	if _, ok := providers[source.authSource.Name]; !ok {
+		return fmt.Errorf("no provider for this saml")
+	}
+
+	authURL, err := providers[source.authSource.Name].samlSP.BuildAuthURL("")
+	if err == nil {
+		http.Redirect(response, request, authURL, http.StatusTemporaryRedirect)
+	}
+	return err
+}
+
+// Callback handles SAML callback, resolve to a goth user and send back to original url
+// this will trigger a new authentication request, but because we save it in the session we can use that
+func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {
+	samlRWMutex.RLock()
+	defer samlRWMutex.RUnlock()
+
+	user := goth.User{
+		Provider: source.authSource.Name,
+	}
+	samlResponse := request.FormValue("SAMLResponse")
+	assertions, err := source.samlSP.RetrieveAssertionInfo(samlResponse)
+	if err != nil {
+		return user, err
+	}
+
+	if assertions.WarningInfo.OneTimeUse {
+		return user, fmt.Errorf("SAML response contains one time use warning")
+	}
+
+	if assertions.WarningInfo.ProxyRestriction != nil {
+		return user, fmt.Errorf("SAML response contains proxy restriction warning: %v", assertions.WarningInfo.ProxyRestriction)
+	}
+
+	if assertions.WarningInfo.NotInAudience {
+		return user, fmt.Errorf("SAML response contains audience warning")
+	}
+
+	if assertions.WarningInfo.InvalidTime {
+		return user, fmt.Errorf("SAML response contains invalid time warning")
+	}
+
+	samlMap := make(map[string]string)
+	for key, value := range assertions.Values {
+		keyParsed := strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.
+		valueParsed := value.Values[0].Value
+		samlMap[keyParsed] = valueParsed
+
+	}
+
+	user.UserID = assertions.NameID
+	if user.UserID == "" {
+		return user, fmt.Errorf("no nameID found in SAML response")
+	}
+
+	// email
+	if _, ok := samlMap[source.EmailAssertionKey]; !ok {
+		user.Email = samlMap[source.EmailAssertionKey]
+	}
+	// name
+	if _, ok := samlMap[source.NameAssertionKey]; !ok {
+		user.NickName = samlMap[source.NameAssertionKey]
+	}
+	// username
+	if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
+		user.Name = samlMap[source.UsernameAssertionKey]
+	}
+
+	// TODO: utilize groups once mapping is supported
+
+	return user, nil
+}