sso: add sso app handler

Author: greenpau

Makefile

@@ -88,7 +88,7 @@ clean:
 
 qtest: covdir
 	@echo "Perform quick tests ..."
-	@time richgo test -v -coverprofile=.coverage/coverage.out internal/tag/*.go
+	@#time richgo test -v -coverprofile=.coverage/coverage.out internal/tag/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/util/data/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewConfig ./*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewServer ./*.go
@@ -105,7 +105,8 @@ qtest: covdir
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestServeHTTP ./pkg/authn/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestFactory ./pkg/authn/cookie/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProviderConfig ./pkg/sso/*.go
-	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProvider ./pkg/sso/*.go
+	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProvider ./pkg/sso/*.go
+	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestParseRequestURL ./pkg/sso/request*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestValidateJwksKey ./pkg/authn/backends/oauth2/jwks*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestTransformData ./pkg/authn/transformer/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/icons/...

assets/portal/templates/basic/apps_sso.template

@@ -34,7 +34,7 @@
 
           {{ if gt .Data.role_count 0 }}
             <div class="pb-4 pt-4">
-              <p class="app-inp-lbl">Assume the following roles on the associated AWS accounts.</p>
+              <p class="app-inp-lbl">Assume any of the following roles on the associated AWS accounts by clicking the name of the role.</p>
             </div>
 
             <div class="flex flex-col">
@@ -51,7 +51,7 @@
                       {{ range .Data.roles }}
                         <tr>
                           <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-primary-700 sm:pl-6 md:pl-0 leading-none">
-                            <span>{{ brsplitline .Name }}</span>
+                            <a href="{{ pathjoin $.ActionEndpoint "/apps/sso" .ProviderName "assume" .AccountID .Name }}">{{ brsplitline .Name }}</a>
                           </td>
                           <td class="whitespace-nowrap py-4 px-3 text-sm text-primary-500">{{ .AccountID }}</td>
                         </tr>

internal/tag/tag_test.go

@@ -77,6 +77,11 @@ func TestTagCompliance(t *testing.T) {
 			entry: &sso.SingleSignOnProviderConfig{},
 			opts:  &Options{},
 		},
+		{
+			name:  "test sso.Request struct",
+			entry: &sso.Request{},
+			opts:  &Options{},
+		},
 		{
 			name:  "test ui.NavigationItem struct",
 			entry: &ui.NavigationItem{},

pkg/authn/handle_http_apps_sso.go

@@ -17,17 +17,22 @@ package authn
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
+
 	"github.com/greenpau/go-authcrunch/pkg/requests"
+	"github.com/greenpau/go-authcrunch/pkg/sso"
 	"github.com/greenpau/go-authcrunch/pkg/user"
 	"go.uber.org/zap"
-	"net/http"
-	"strings"
 )
 
-func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, parsedUser *user.User) error {
-	var assumedRole, authorizedRole bool
-	var accountID, roleName string
+type assumeRoleEntry struct {
+	Name         string
+	AccountID    string
+	ProviderName string
+}
 
+func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, parsedUser *user.User) error {
 	p.disableClientCache(w)
 	p.injectRedirectURL(ctx, w, r, rr)
 
@@ -54,55 +59,69 @@ func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.Response
 		return p.handleHTTPRedirect(ctx, w, r, rr, "/login")
 	}
 
-	resp := p.ui.GetArgs()
-	resp.PageTitle = "AWS SSO"
-	resp.BaseURL(rr.Upstream.BasePath)
-
-	if strings.Contains(r.URL.Path, "/apps/sso") && strings.Contains(r.URL.Path, "metadata.xml") {
-		// TODO(greenpau): add metadata for realm.
+	// Parse SSO provider name from URL.
+	req, err := sso.ParseRequestURL(r)
+	if err != nil {
+		return p.handleHTTPRenderError(ctx, w, r, rr, err)
 	}
 
-	if strings.Contains(r.URL.Path, "/apps/sso/assume") {
-		accountRole, err := getEndpoint(r.URL.Path, "/apps/sso/assume/")
-		if err != nil {
-			p.logger.Warn(
-				"SSO request failed",
-				zap.String("session_id", rr.Upstream.SessionID),
-				zap.String("request_id", rr.ID),
-				zap.String("error", "malformed SSO request"),
-			)
-		} else {
-			assumedRole = true
-			arr := strings.SplitN(accountRole, "/", 2)
-			if len(arr) != 2 {
-				return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Malformed SSO request"))
-			}
-			accountID = arr[0]
-			roleName = arr[1]
-		}
+	// Check whether the requested SSO provider exists.
+	provider, err := p.fetchSingleSignOnProvider(req.ProviderName)
+	if err != nil {
+		return p.handleHTTPRenderError(ctx, w, r, rr, err)
 	}
 
-	type roleEntry struct {
-		Name      string
-		AccountID string
+	roles := fetchSingleSignOnRoles(provider.GetName(), usr)
+
+	switch req.Kind {
+	case sso.MetadataRequest:
+		return p.handleHTTPAppsSingleSignOnMetadata(ctx, w, r, rr, provider, roles)
+	case sso.AssumeRoleRequest:
+		return p.handleHTTPAppsSingleSignOnAssumeRole(ctx, w, r, rr, provider, roles, usr)
+	case sso.MenuRequest:
+		return p.handleHTTPAppsSingleSignOnMenu(ctx, w, r, rr, provider, roles, usr)
 	}
+	return p.handleHTTPAppsSingleSignOnMenu(ctx, w, r, rr, provider, roles, usr)
+}
 
-	roles := []*roleEntry{}
-	for _, entry := range usr.Claims.Roles {
-		arr := strings.Split(entry, "/")
-		if len(arr) != 3 {
-			continue
-		}
-		if arr[0] != "aws" {
-			continue
-		}
-		role := &roleEntry{
-			Name:      arr[2],
-			AccountID: arr[1],
+// handleHTTPAppsSingleSignOnMetadata renders metadata.xml content. It is only available to admin users.
+func (p *Portal) handleHTTPAppsSingleSignOnMetadata(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request,
+	provider sso.SingleSignOnProvider, roles []*assumeRoleEntry) error {
+	// body := []byte("METADATA")
+	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(http.StatusOK)
+	// w.Write(body)
+	w.Write(provider.GetMetadata())
+	return nil
+}
+
+func (p *Portal) handleHTTPAppsSingleSignOnAssumeRole(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request,
+	provider sso.SingleSignOnProvider, roles []*assumeRoleEntry, usr *user.User) error {
+
+	/*
+		if strings.Contains(r.URL.Path, "/apps/sso/assume") {
+			accountRole, err := getEndpoint(r.URL.Path, "/apps/sso/assume/")
+			if err != nil {
+				p.logger.Warn(
+					"SSO request failed",
+					zap.String("session_id", rr.Upstream.SessionID),
+					zap.String("request_id", rr.ID),
+					zap.String("error", "malformed SSO request"),
+				)
+			} else {
+				assumedRole = true
+				arr := strings.SplitN(accountRole, "/", 2)
+				if len(arr) != 2 {
+					return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Malformed SSO request"))
+				}
+				accountID = arr[0]
+				roleName = arr[1]
+			}
 		}
-		roles = append(roles, role)
+	*/
 
-		if assumedRole {
+	/*
+			if assumedRole {
 			if (role.Name == roleName) && (role.AccountID == accountID) {
 				authorizedRole = true
 				p.logger.Debug(
@@ -114,22 +133,39 @@ func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.Response
 				)
 			}
 		}
-	}
+	*/
 
-	if assumedRole {
-		if !authorizedRole {
-			p.logger.Debug(
-				"Unauthorized SSO assume role request",
-				zap.String("session_id", rr.Upstream.SessionID),
-				zap.String("request_id", rr.ID),
-				zap.String("role_name", roleName),
-				zap.String("account_id", accountID),
-			)
-			return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Unauthorized SSO assume role request"))
+	/*
+			if assumedRole {
+			if !authorizedRole {
+				p.logger.Debug(
+					"Unauthorized SSO assume role request",
+					zap.String("session_id", rr.Upstream.SessionID),
+					zap.String("request_id", rr.ID),
+					zap.String("role_name", roleName),
+					zap.String("account_id", accountID),
+				)
+				return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Unauthorized SSO assume role request"))
+			}
+			p.logger.Debug("Redirecting to SAML endpoint")
 		}
-		p.logger.Debug("Redirecting to SAML endpoint")
-	}
 
+	*/
+
+	body := []byte("ASSUME ROLE")
+	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(http.StatusOK)
+	w.Write(body)
+	return nil
+}
+
+// handleHTTPAppsSingleSignOnMenu renders SSO provider role selection page.
+func (p *Portal) handleHTTPAppsSingleSignOnMenu(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request,
+	provider sso.SingleSignOnProvider, roles []*assumeRoleEntry, usr *user.User) error {
+
+	resp := p.ui.GetArgs()
+	resp.PageTitle = "AWS SSO"
+	resp.BaseURL(rr.Upstream.BasePath)
 	resp.Data["role_count"] = len(roles)
 	resp.Data["roles"] = roles
 
@@ -139,3 +175,36 @@ func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.Response
 	}
 	return p.handleHTTPRenderHTML(ctx, w, http.StatusOK, content.Bytes())
 }
+
+func (p *Portal) fetchSingleSignOnProvider(providerName string) (sso.SingleSignOnProvider, error) {
+	for _, provider := range p.ssoProviders {
+		if provider.GetName() == providerName {
+			return provider, nil
+		}
+	}
+	return nil, fmt.Errorf("provider name not found")
+}
+
+func (p *Portal) parseSingleSignOnProviderName() (string, string, error) {
+	return "aws", "metadata", nil
+}
+
+func fetchSingleSignOnRoles(providerName string, usr *user.User) []*assumeRoleEntry {
+	roles := []*assumeRoleEntry{}
+	for _, entry := range usr.Claims.Roles {
+		arr := strings.Split(entry, "/")
+		if len(arr) != 3 {
+			continue
+		}
+		if arr[0] != "aws" {
+			continue
+		}
+		role := &assumeRoleEntry{
+			Name:      arr[2],
+			AccountID: arr[1],
+			ProviderName: providerName,
+		}
+		roles = append(roles, role)
+	}
+	return roles
+}

pkg/authn/portal.go

@@ -16,6 +16,8 @@ package authn
 
 import (
 	"context"
+	"sort"
+
 	"github.com/greenpau/go-authcrunch/pkg/acl"
 	"github.com/greenpau/go-authcrunch/pkg/authn/cache"
 	"github.com/greenpau/go-authcrunch/pkg/authn/cookie"
@@ -31,14 +33,14 @@ import (
 	"github.com/greenpau/go-authcrunch/pkg/registry"
 	"github.com/greenpau/go-authcrunch/pkg/sso"
 	cfgutil "github.com/greenpau/go-authcrunch/pkg/util/cfg"
-	"sort"
 
 	"fmt"
-	"github.com/google/uuid"
-	"go.uber.org/zap"
 	"path"
 	"strings"
 	"time"
+
+	"github.com/google/uuid"
+	"go.uber.org/zap"
 )
 
 const (

pkg/authn/ui/pages.go

@@ -2196,7 +2196,7 @@ function u2f_token_authenticate(formID, btnID) {
 
           {{ if gt .Data.role_count 0 }}
             <div class="pb-4 pt-4">
-              <p class="app-inp-lbl">Assume the following roles on the associated AWS accounts.</p>
+              <p class="app-inp-lbl">Assume any of the following roles on the associated AWS accounts by clicking the name of the role.</p>
             </div>
 
             <div class="flex flex-col">
@@ -2213,7 +2213,7 @@ function u2f_token_authenticate(formID, btnID) {
                       {{ range .Data.roles }}
                         <tr>
                           <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-primary-700 sm:pl-6 md:pl-0 leading-none">
-                            <span>{{ brsplitline .Name }}</span>
+                            <a href="{{ pathjoin $.ActionEndpoint "/apps/sso" .ProviderName "assume" .AccountID .Name }}">{{ brsplitline .Name }}</a>
                           </td>
                           <td class="whitespace-nowrap py-4 px-3 text-sm text-primary-500">{{ .AccountID }}</td>
                         </tr>

pkg/errors/sso.go

@@ -18,4 +18,6 @@ package errors
 const (
 	ErrSingleSignOnProviderConfigInvalid           StandardError = "invalid sso provider config: %v: %v"
 	ErrSingleSignOnProviderConfigureLoggerNotFound StandardError = "sso provider configuration has no logger"
+	ErrSingleSignOnProviderRequestMalformed        StandardError = "malformed sso provider request"
+	// ErrSingleSignOnProviderRequestInvalid          StandardError = "invalid sso provider request: %v"
 )

pkg/identity/database.go

@@ -63,7 +63,7 @@ func init() {
 	app.Documentation = "https://github.com/greenpau/go-authcrunch"
 	app.SetVersion(appVersion, "1.0.35")
 	app.SetGitBranch(gitBranch, "main")
-	app.SetGitCommit(gitCommit, "v1.0.35")
+	app.SetGitCommit(gitCommit, "v1.0.35-6-g39f4bc2")
 	app.SetBuildUser(buildUser, "")
 	app.SetBuildDate(buildDate, "")
 }

pkg/sso/provider.go

@@ -16,6 +16,7 @@ package sso
 
 import (
 	"encoding/json"
+
 	"github.com/greenpau/go-authcrunch/pkg/errors"
 	"go.uber.org/zap"
 )
@@ -27,11 +28,12 @@ type SingleSignOnProvider interface {
 	GetConfig() map[string]interface{}
 	Configure() error
 	Configured() bool
+	GetMetadata() []byte
 }
 
 // Provider represents sso provider.
 type Provider struct {
-	config     *SingleSignOnProviderConfig `json:"config,omitempty" xml:"config,omitempty" yaml:"config,omitempty"`
+	config     *SingleSignOnProviderConfig
 	configured bool
 	logger     *zap.Logger
 }
@@ -86,3 +88,8 @@ func NewSingleSignOnProvider(cfg *SingleSignOnProviderConfig, logger *zap.Logger
 
 	return p, nil
 }
+
+// GetDriver returns the name of the driver associated with the provider.
+func (p *Provider) GetMetadata() []byte {
+	return []byte("METADATA")
+}