[pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2
Julien BLAIS
webmaster at jbsky.fr
Thu May 27 23:55:11 CEST 2021
Added a new endpoint usable by api2/html/access/saml?realm=$DOM
which allows to initiate a redirection to an IdP.
During initialization, the /etc/pve/tmp/saml file is filled with the format REALM:SAML_REQUEST_ID:TIME
Modification of the endpoint /access/ticket to support SAMLResponse.
The information is extracted from the SAMLResponse variable in order to check
if the SAML_REQUEST_ID exists in /etc/pve/tmp/saml, we extract from this file the REALM used to initiate the SSO connection.
For the initialization and authentication part, I rely on the work available in the github repository by trying to apply the best recommendations.
The TIME part of each record is tested with the time() function to ensure that each record does not exceed $timeout
Signed-off-by: Julien BLAIS <webmaster at jbsky.fr>
---
src/PVE/API2/AccessControl.pm | 73 +++++++++-
src/PVE/AccessControl.pm | 2 +
src/PVE/Auth/Makefile | 1 +
src/PVE/Auth/SAML.pm | 248 ++++++++++++++++++++++++++++++++++
4 files changed, 322 insertions(+), 2 deletions(-)
create mode 100644 src/PVE/Auth/SAML.pm
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index a77694b..bd660c3 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -20,6 +20,7 @@ use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::Auth::Plugin;
+use PVE::Auth::SAML;
use PVE::OTP;
use PVE::Tools;
@@ -243,6 +244,7 @@ __PACKAGE__->register_method ({
username => {
description => "User name",
type => 'string',
+ optional => 1,
maxLength => 64,
completion => \&PVE::AccessControl::complete_username,
},
@@ -254,6 +256,7 @@ __PACKAGE__->register_method ({
password => {
description => "The secret password. This can also be a valid ticket.",
type => 'string',
+ optional => 1,
},
otp => {
description => "One-time password for Two-factor authentication.",
@@ -274,6 +277,11 @@ __PACKAGE__->register_method ({
optional => 1,
maxLength => 64,
},
+ SAMLResponse => {
+ description => "SAMLResponse.",
+ type => 'string',
+ optional => 1,
+ },
}
},
returns => {
@@ -289,8 +297,21 @@ __PACKAGE__->register_method ({
code => sub {
my ($param) = @_;
- my $username = $param->{username};
- $username .= "\@$param->{realm}" if $param->{realm};
+ my $username;
+ if(defined($param->{username})){
+ $username = $param->{username};
+ $username .= "\@$param->{realm}" if $param->{realm};
+ }
+ elsif(defined($param->{SAMLResponse})) {
+ my $realm = PVE::Auth::SAML->get_realm($param->{SAMLResponse});
+ $username = PVE::Auth::SAML->get_username($param->{SAMLResponse})."\@$realm" if $realm;
+
+ # Prepare for PVE::Auth::SAML->authenticate_user()
+ $param->{password}=$param->{SAMLResponse};
+ }
+ else {
+ die PVE::Exception->new("authentication failure\n", code => 401);
+ }
$username = PVE::AccessControl::lookup_username($username);
my $rpcenv = PVE::RPCEnvironment::get();
@@ -719,4 +740,52 @@ __PACKAGE__->register_method({
return $res;
}});
+__PACKAGE__->register_method ({
+ name => 'get_saml',
+ path => 'saml',
+ method => 'GET',
+ permissions => { user => 'world' },
+ protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to create tickets
+ description => "Init saml redirect to a login page.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ realm => {
+ type => 'string',
+ description => "You must pass the realm using in this parameter.",
+ }
+ }
+ },
+ returns => {
+ type => "object",
+ properties => {
+ url => { type => 'string' },
+ realm => { type => 'string'}
+ }
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $domain_cfg = cfs_read_file('domains.cfg');
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $url = "";
+
+ eval {
+ $url = PVE::Auth::SAML->init_redirect($domain_cfg->{ids}->{$param->{realm}},$param->{realm});
+ };
+
+ if (my $err = $@) {
+ my $clientip = $rpcenv->get_client_ip() || '';
+ syslog('err', "Init saml redirect to a login page; rhost=$clientip msg=$err");
+ die PVE::Exception->new("authentication failure\n", code => 401);
+ }
+
+ die PVE::Exception->new("authentication failure '$url'\n", code => 401) if ( $url eq "" );
+
+ return { realm => $param->{realm}, url => $url };
+ }});
+
1;
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..61bc680 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -22,6 +22,7 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Auth::Plugin;
use PVE::Auth::AD;
use PVE::Auth::LDAP;
+use PVE::Auth::SAML;
use PVE::Auth::PVE;
use PVE::Auth::PAM;
@@ -29,6 +30,7 @@ use PVE::Auth::PAM;
PVE::Auth::AD->register();
PVE::Auth::LDAP->register();
+PVE::Auth::SAML->register();
PVE::Auth::PVE->register();
PVE::Auth::PAM->register();
PVE::Auth::Plugin->init();
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..8a4688e 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -3,6 +3,7 @@ AUTH_SOURCES= \
Plugin.pm \
PVE.pm \
PAM.pm \
+ SAML.pm \
AD.pm \
LDAP.pm
diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
new file mode 100644
index 0000000..4653cb7
--- /dev/null
+++ b/src/PVE/Auth/SAML.pm
@@ -0,0 +1,248 @@
+# Instructions for installation :
+# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
+# cpanm Net::SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
+# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2
+
+package PVE::Auth::SAML;
+use POSIX;
+
+# base64 decode
+use MIME::Base64;
+
+use strict;
+use warnings;
+
+use Net::SAML2::IdP;
+use Net::SAML2::Protocol::Assertion;
+use Net::SAML2::Protocol::AuthnRequest;
+use Net::SAML2::Binding::Redirect;
+use PVE::JSONSchema;
+use PVE::Tools;
+use PVE::Auth::Plugin;
+
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+my $samlrequestfile = 'tmp/saml';
+my $timeout = 60;
+
+cfs_register_file(
+ $samlrequestfile,
+ \&parse_saml_request,
+ \&write_saml_request);
+
+sub parse_saml_request {
+ my ($filename, $raw) = @_;
+
+ my $requests = {};
+
+ return $requests if !defined($raw);
+
+ while ($raw =~ /^\s*(.+?)\s*$/gm) {
+ my $line = $1;
+
+ if ($line !~ m/^\S+:\S+:\S+:$/) {
+ warn "saml request: ignore invalid line $.\n";
+ next;
+ }
+
+ my ($realm, $request, $time) = split (/:/, $line);
+ $requests->{realm}->{$realm}->{request}->{$request}->{time} = $time;
+ }
+
+ return $requests;
+}
+
+sub write_saml_request{
+ my ($filename, $saml_requests) = @_;
+
+ my $data='';
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+ $data .= "$realm:$saml_request:".$saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time}.":\n";
+ }
+ }
+ }
+ return $data;
+}
+
+sub lock_saml_request {
+ my ($code, $errmsg) = @_;
+
+ cfs_lock_file($samlrequestfile, undef, $code);
+ my $err = $@;
+ if ($err) {
+ $errmsg ? die "$errmsg: $err" : die $err;
+ }
+}
+
+sub type {
+ return 'saml';
+}
+
+sub check_saml_request {
+ my ($request_id) = @_;
+
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ my $found;
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if (time() - $saml_requests->{realm}->{$realm}->{request}->{$saml_request}->{time} < $timeout) {
+ if ($request_id eq $saml_request){
+ $found = $saml_request;
+ delete_request($realm, $saml_request);
+ }
+ }
+ else {
+ delete_request($realm, $saml_request);
+ }
+ }
+ }
+ return $found;
+}
+
+sub properties {
+ return {
+ Identity_Provider_Entity_ID => {
+ description => "Set the entity ID of the upstream identity provider."
+ . "This will be provided by your IdP.",
+ type => 'string',
+ },
+ Identity_Provider_Url_Metadata => {
+ description => "Set the metadata Url of the identity provider.",
+ type => 'string',
+ },
+ # TODO how to add a CAcert content instead of path?
+ Identity_Provider_x509_CA_Certificate => {
+ description => "Paste the x509 CA certificate data from the"
+ . "upstream identity provider. In most cases,"
+ . "this will be provided by your IdP.",
+ type => 'string',
+ },
+ # TODO how to add a private key content instead of path?
+ Service_Provider_Private_Key => {
+ description => "Paste the Private key.",
+ type => 'string',
+ },
+ Service_Provider_Entity_ID => {
+ description => "Displays the service provider's entity ID."
+ . "This is the entity ID you will need to provide to your IdP.",
+ type => 'string',
+ }
+ };
+}
+
+sub options {
+ return {
+ Identity_Provider_Url_Metadata => {},
+ Identity_Provider_x509_CA_Certificate => {},
+ Identity_Provider_Entity_ID => {},
+ Service_Provider_Entity_ID => {},
+ Service_Provider_Private_Key => {},
+ comment => { optional => 1 },
+ default => { optional => 1 },
+ };
+}
+
+# used by GET SAML
+# Init a redirect and return Url
+sub init_redirect {
+ my ($class, $config, $realm) = @_;
+
+ my $url = $config->{Identity_Provider_Url_Metadata};
+ my $cacert = $config->{Identity_Provider_x509_CA_Certificate};
+ my $samlkey = $config->{Service_Provider_Private_Key};
+
+ my $idp = Net::SAML2::IdP->new_from_url(
+ url => $url,
+ cacert => $cacert
+ );
+ my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
+ issuer => $config->{Service_Provider_Entity_ID},
+ destination => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+ provider_name => $config->{Identity_Provider_Entity_ID},
+ );
+
+ # Here, we need to store saml request id and check it on return from the IdP POST
+ # Is there a way to associate this saml request id with the session?
+ # If yes => TODO
+ lock_saml_request(sub {
+ my $requestfile = cfs_read_file($samlrequestfile);
+ $requestfile->{realm}->{$realm}->{request}->{$authnreq->id}->{time} = time();
+ cfs_write_file($samlrequestfile, $requestfile);
+ });
+
+ my $redirect = Net::SAML2::Binding::Redirect->new(
+ key => $samlkey,
+ cert => $idp->cert('signing'),
+ param => 'SAMLRequest',
+ # The ssl_url destination for redirect
+ url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+ );
+
+ return $redirect->sign($authnreq->as_xml);
+}
+
+sub get_username {
+ my ($class, $SAMLResponse) = @_;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ return $assertion->{nameid};
+}
+
+# TODO get saml_request_id from cookie instead of $SAMLResponse
+sub get_realm {
+ my ($class, $SAMLResponse) = @_;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ foreach my $realm (keys %{$saml_requests->{realm}}) {
+ foreach my $saml_request (keys %{$saml_requests->{realm}->{$realm}->{request}}) {
+ if ($assertion->{in_response_to} eq $saml_request) {
+ return $realm;
+ }
+ }
+ }
+ return undef;
+}
+
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $SAMLResponse) = @_;
+
+ my $valid = 0;
+
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => decode_base64($SAMLResponse)
+ );
+
+ my $issuer = $config->{Service_Provider_Entity_ID};
+
+ if (check_saml_request($assertion->{in_response_to})) {
+ $valid = $assertion->valid($issuer, $assertion->{in_response_to});
+ }
+
+ die 'saml login failed!' if ($valid != '1');
+
+ return 1;
+}
+
+sub delete_request {
+ my ($realm, $request) = @_;
+
+ lock_saml_request(sub {
+ my $saml_requests = cfs_read_file($samlrequestfile);
+ delete $saml_requests->{realm}->{$realm}->{request}->{$request};
+ cfs_write_file($samlrequestfile, $saml_requests);
+ });
+}
+
+1;
--
2.20.1
More information about the pve-devel
mailing list