登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > 服务器应用 > 容器/虚拟机 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
36 Star 395 Fork 71

GVPrancher / rancher

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
saml_provider.go 8.99 KB
一键复制 编辑 原始数据 按行查看 历史
rajashree 提交于 2019-02-06 16:29 . Change SAML redirect and error code based on action
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309
package saml



import (

	"context"

	"fmt"

	"net/http"

	"strings"



	"github.com/crewjam/saml"

	"github.com/crewjam/saml/samlsp"

	"github.com/mitchellh/mapstructure"

	"github.com/pkg/errors"

	"github.com/rancher/norman/types"

	"github.com/rancher/rancher/pkg/api/store/auth"

	"github.com/rancher/rancher/pkg/auth/providers/common"

	"github.com/rancher/rancher/pkg/auth/tokens"

	corev1 "github.com/rancher/types/apis/core/v1"

	"github.com/rancher/types/apis/management.cattle.io/v3"

	"github.com/rancher/types/apis/management.cattle.io/v3public"

	"github.com/rancher/types/client/management/v3"

	publicclient "github.com/rancher/types/client/management/v3public"

	"github.com/rancher/types/config"

	"github.com/rancher/types/user"

	"github.com/sirupsen/logrus"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"k8s.io/apimachinery/pkg/runtime"

)



const (

	PingName            = "ping"

	ADFSName            = "adfs"

	KeyCloakName        = "keycloak"

	OKTAName            = "okta"

	loginAction         = "login"

	testAndEnableAction = "testAndEnable"

)



type Provider struct {

	ctx             context.Context

	authConfigs     v3.AuthConfigInterface

	secrets         corev1.SecretInterface

	userMGR         user.Manager

	tokenMGR        *tokens.Manager

	serviceProvider *saml.ServiceProvider

	name            string

	userType        string

	groupType       string

	clientState     samlsp.ClientState

}



var SamlProviders = make(map[string]*Provider)



func Configure(ctx context.Context, mgmtCtx *config.ScaledContext, userMGR user.Manager, tokenMGR *tokens.Manager, name string) common.AuthProvider {

	samlp := &Provider{

		ctx:         ctx,

		authConfigs: mgmtCtx.Management.AuthConfigs(""),

		secrets:     mgmtCtx.Core.Secrets(""),

		userMGR:     userMGR,

		tokenMGR:    tokenMGR,

		name:        name,

		userType:    name + "_user",

		groupType:   name + "_group",

	}

	SamlProviders[name] = samlp

	return samlp

}



func (s *Provider) GetName() string {

	return s.name

}



func (s *Provider) CustomizeSchema(schema *types.Schema) {

	schema.ActionHandler = s.actionHandler

	schema.Formatter = s.formatter

}



func (s *Provider) TransformToAuthProvider(authConfig map[string]interface{}) map[string]interface{} {

	p := common.TransformToAuthProvider(authConfig)

	switch s.name {

	case PingName:

		p[publicclient.PingProviderFieldRedirectURL] = formSamlRedirectURLFromMap(authConfig, s.name)

	case ADFSName:

		p[publicclient.ADFSProviderFieldRedirectURL] = formSamlRedirectURLFromMap(authConfig, s.name)

	case KeyCloakName:

		p[publicclient.KeyCloakProviderFieldRedirectURL] = formSamlRedirectURLFromMap(authConfig, s.name)

	case OKTAName:

		p[publicclient.OKTAProviderFieldRedirectURL] = formSamlRedirectURLFromMap(authConfig, s.name)

	}

	return p

}



func (s *Provider) AuthenticateUser(input interface{}) (v3.Principal, []v3.Principal, string, error) {

	return v3.Principal{}, nil, "", fmt.Errorf("SAML providers do not implement Authenticate User API")

}



func PerformSamlLogin(name string, apiContext *types.APIContext, input interface{}) error {

	//input will contain the FINAL redirect URL

	login, ok := input.(*v3public.SamlLoginInput)

	if !ok {

		return errors.New("unexpected input type")

	}

	finalRedirectURL := login.FinalRedirectURL



	if provider, ok := SamlProviders[name]; ok {

		provider.clientState.SetState(apiContext.Response, apiContext.Request, "Rancher_FinalRedirectURL", finalRedirectURL)

		provider.clientState.SetState(apiContext.Response, apiContext.Request, "Rancher_Action", loginAction)

		idpRedirectURL, err := provider.HandleSamlLogin(apiContext.Response, apiContext.Request)

		if err != nil {

			return err

		}

		data := map[string]interface{}{

			"idpRedirectUrl": idpRedirectURL,

			"type":           "samlLoginOutput",

		}



		apiContext.WriteResponse(http.StatusOK, data)

		return nil

	}



	return nil

}



func (s *Provider) getSamlConfig() (*v3.SamlConfig, error) {

	authConfigObj, err := s.authConfigs.ObjectClient().UnstructuredClient().Get(s.name, metav1.GetOptions{})

	if err != nil {

		return nil, fmt.Errorf("SAML: failed to retrieve SamlConfig, error: %v", err)

	}



	u, ok := authConfigObj.(runtime.Unstructured)

	if !ok {

		return nil, fmt.Errorf("SAML: failed to retrieve SamlConfig, cannot read k8s Unstructured data")

	}

	storedSamlConfigMap := u.UnstructuredContent()



	storedSamlConfig := &v3.SamlConfig{}

	mapstructure.Decode(storedSamlConfigMap, storedSamlConfig)



	if enabled, ok := storedSamlConfigMap["enabled"].(bool); ok {

		storedSamlConfig.Enabled = enabled

	}



	metadataMap, ok := storedSamlConfigMap["metadata"].(map[string]interface{})

	if !ok {

		return nil, fmt.Errorf("SAML: failed to retrieve SamlConfig metadata, cannot read k8s Unstructured data")

	}



	objectMeta := &metav1.ObjectMeta{}

	mapstructure.Decode(metadataMap, objectMeta)

	storedSamlConfig.ObjectMeta = *objectMeta



	if storedSamlConfig.SpKey != "" {

		value, err := common.ReadFromSecret(s.secrets, storedSamlConfig.SpKey,

			strings.ToLower(auth.TypeToField[client.PingConfigType]))

		if err != nil {

			return nil, err

		}

		storedSamlConfig.SpKey = value

	}



	return storedSamlConfig, nil

}



func (s *Provider) saveSamlConfig(config *v3.SamlConfig) error {

	var configType string



	storedSamlConfig, err := s.getSamlConfig()

	if err != nil {

		return err

	}



	switch s.name {

	case PingName:

		configType = client.PingConfigType

	case ADFSName:

		configType = client.ADFSConfigType

	case KeyCloakName:

		configType = client.KeyCloakConfigType

	case OKTAName:

		configType = client.OKTAConfigType

	}



	config.APIVersion = "management.cattle.io/v3"

	config.Kind = v3.AuthConfigGroupVersionKind.Kind

	config.Type = configType

	storedSamlConfig.Annotations = config.Annotations

	config.ObjectMeta = storedSamlConfig.ObjectMeta



	field := strings.ToLower(auth.TypeToField[configType])

	if err := common.CreateOrUpdateSecrets(s.secrets, config.SpKey,

		field, strings.ToLower(config.Type)); err != nil {

		return err

	}



	config.SpKey = common.GetName(config.Type, field)



	logrus.Debugf("updating samlConfig %s", s.name)

	_, err = s.authConfigs.ObjectClient().Update(config.ObjectMeta.Name, config)

	if err != nil {

		return err

	}

	return nil



}



func (s *Provider) toPrincipal(principalType string, princ v3.Principal, token *v3.Token) v3.Principal {

	if principalType == s.userType {

		princ.PrincipalType = "user"

		if token != nil {

			princ.Me = s.isThisUserMe(token.UserPrincipal, princ)

			if princ.Me {

				princ.LoginName = token.UserPrincipal.LoginName

				princ.DisplayName = token.UserPrincipal.DisplayName

			}

		}

	} else {

		princ.PrincipalType = "group"

		if token != nil {

			princ.MemberOf = s.tokenMGR.IsMemberOf(*token, princ)

		}

	}



	return princ

}



func (s *Provider) RefetchGroupPrincipals(principalID string, secret string) ([]v3.Principal, error) {

	// This should never be called

	return nil, errors.New("Not implemented")

}



func (s *Provider) SearchPrincipals(searchKey, principalType string, token v3.Token) ([]v3.Principal, error) {

	var principals []v3.Principal



	if principalType == "" {

		principalType = "user"

	}



	p := v3.Principal{

		ObjectMeta:    metav1.ObjectMeta{Name: s.userType + "://" + searchKey},

		DisplayName:   searchKey,

		LoginName:     searchKey,

		PrincipalType: principalType,

		Provider:      s.name,

	}



	principals = append(principals, p)



	return principals, nil

}



func (s *Provider) GetPrincipal(principalID string, token v3.Token) (v3.Principal, error) {

	parts := strings.SplitN(principalID, ":", 2)

	if len(parts) != 2 {

		return v3.Principal{}, fmt.Errorf("SAML: invalid id %v", principalID)

	}

	principalType := parts[0]

	externalID := strings.TrimPrefix(parts[1], "//")



	if principalType != s.userType && principalType != s.groupType {

		return v3.Principal{}, fmt.Errorf("SAML: Invalid principal type")

	}



	p := v3.Principal{

		ObjectMeta:  metav1.ObjectMeta{Name: principalType + "://" + externalID},

		DisplayName: externalID,

		LoginName:   externalID,

		Provider:    s.name,

	}



	p = s.toPrincipal(principalType, p, &token)



	return p, nil

}



func (s *Provider) isThisUserMe(me v3.Principal, other v3.Principal) bool {

	if me.ObjectMeta.Name == other.ObjectMeta.Name && me.PrincipalType == other.PrincipalType {

		return true

	}

	return false

}



func formSamlRedirectURLFromMap(config map[string]interface{}, name string) string {

	var hostname string

	switch name {

	case PingName:

		hostname, _ = config[client.PingConfigFieldRancherAPIHost].(string)

	case ADFSName:

		hostname, _ = config[client.ADFSConfigFieldRancherAPIHost].(string)

	case KeyCloakName:

		hostname, _ = config[client.KeyCloakConfigFieldRancherAPIHost].(string)

	case OKTAName:

		hostname, _ = config[client.OKTAConfigFieldRancherAPIHost].(string)

	}



	path := hostname + "/v1-saml/" + name + "/login"

	return path

}



func (s *Provider) CanAccessWithGroupProviders(userPrincipalID string, groupPrincipals []v3.Principal) (bool, error) {

	config, err := s.getSamlConfig()

	if err != nil {

		logrus.Errorf("Error fetching saml config: %v", err)

		return false, err

	}

	allowed, err := s.userMGR.CheckAccess(config.AccessMode, config.AllowedPrincipalIDs, userPrincipalID, groupPrincipals)

	if err != nil {

		return false, err

	}

	return allowed, nil

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.2.0-rc6
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部