sso: implement metadata.xml handler

Author: greenpau

Makefile

@@ -106,7 +106,8 @@ qtest: covdir
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestFactory ./pkg/authn/cookie/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProviderConfig ./pkg/sso/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProvider ./pkg/sso/*.go
-	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestParseRequestURL ./pkg/sso/request*.go
+	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestParseRequestURL ./pkg/sso/request*.go
+	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestGetMetadata ./pkg/sso/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestValidateJwksKey ./pkg/authn/backends/oauth2/jwks*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestTransformData ./pkg/authn/transformer/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/icons/...

internal/tag/tag_test.go

@@ -67,6 +67,62 @@ func TestTagCompliance(t *testing.T) {
 		shouldErr bool
 		err       error
 	}{
+		{
+			name:  "test sso.KeyInfo struct",
+			entry: &sso.KeyInfo{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.SingleSignOnService struct",
+			entry: &sso.SingleSignOnService{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.EntityDescriptor struct",
+			entry: &sso.EntityDescriptor{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.X509Data struct",
+			entry: &sso.X509Data{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.IDPEntityDescriptor struct",
+			entry: &sso.IDPEntityDescriptor{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.Service struct",
+			entry: &sso.Service{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.IDPSSODescriptor struct",
+			entry: &sso.IDPSSODescriptor{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
+		{
+			name:  "test sso.KeyDescriptor struct",
+			entry: &sso.KeyDescriptor{},
+			opts: &Options{
+				Disabled: true,
+			},
+		},
 		{
 			name:  "test sso.Provider struct",
 			entry: &sso.Provider{},

pkg/authn/handle_http_apps_sso.go

@@ -87,11 +87,13 @@ func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.Response
 // handleHTTPAppsSingleSignOnMetadata renders metadata.xml content. It is only available to admin users.
 func (p *Portal) handleHTTPAppsSingleSignOnMetadata(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request,
 	provider sso.SingleSignOnProvider, roles []*assumeRoleEntry) error {
-	// body := []byte("METADATA")
-	w.Header().Set("Content-Type", "text/html")
+	metadata, err := provider.GetMetadata()
+	if err != nil {
+		return p.handleHTTPRenderError(ctx, w, r, rr, err)
+	}
+	w.Header().Set("Content-Type", "application/xml")
 	w.WriteHeader(http.StatusOK)
-	// w.Write(body)
-	w.Write(provider.GetMetadata())
+	w.Write(metadata)
 	return nil
 }
 
@@ -200,8 +202,8 @@ func fetchSingleSignOnRoles(providerName string, usr *user.User) []*assumeRoleEn
 			continue
 		}
 		role := &assumeRoleEntry{
-			Name:      arr[2],
-			AccountID: arr[1],
+			Name:         arr[2],
+			AccountID:    arr[1],
 			ProviderName: providerName,
 		}
 		roles = append(roles, role)

pkg/sso/metadata.go

@@ -0,0 +1,149 @@
+// Copyright 2022 Paul Greenberg [email protected]
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sso
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/xml"
+)
+
+// EntityDescriptor TODO.
+type EntityDescriptor struct {
+	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
+	ID       string   `xml:",attr,omitempty"`
+	EntityID string   `xml:"entityID,attr"`
+}
+
+// X509Data TODO.
+type X509Data struct {
+	XMLName         xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# X509Data"`
+	X509Certificate string   `xml:"http://www.w3.org/2000/09/xmldsig# X509Certificate"`
+}
+
+// KeyInfo TODO.
+type KeyInfo struct {
+	XMLName  xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
+	X509Data *X509Data
+}
+
+// KeyDescriptor TODO.
+type KeyDescriptor struct {
+	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata KeyDescriptor"`
+	Use     string   `xml:"use,attr,omitempty"`
+	KeyInfo KeyInfo
+}
+
+// Service TODO.
+type Service struct {
+	Binding  string `xml:",attr"`
+	Location string `xml:",attr"`
+}
+
+// SingleSignOnService TODO.
+type SingleSignOnService struct {
+	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SingleSignOnService"`
+	Service
+}
+
+// IDPSSODescriptor TODO.
+type IDPSSODescriptor struct {
+	XMLName                    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
+	WantAuthnRequestsSigned    bool     `xml:",attr"`
+	ProtocolSupportEnumeration string   `xml:"protocolSupportEnumeration,attr"`
+	KeyDescriptor              KeyDescriptor
+	NameIDFormat               string `xml:"NameIDFormat"`
+	SingleSignOnService        []SingleSignOnService
+}
+
+// IDPEntityDescriptor TODO.
+type IDPEntityDescriptor struct {
+	*EntityDescriptor
+	IDPSSODescriptor *IDPSSODescriptor
+}
+
+// GetMetadata returns the contents of metadata.xml.
+func (p *Provider) GetMetadata() ([]byte, error) {
+	if len(p.metadata) > 0 {
+		return p.metadata, nil
+	}
+	entity := &IDPEntityDescriptor{
+		EntityDescriptor: &EntityDescriptor{
+			EntityID: p.config.EntityID,
+		},
+		IDPSSODescriptor: &IDPSSODescriptor{
+			ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
+			KeyDescriptor: KeyDescriptor{
+				Use: "signing",
+				KeyInfo: KeyInfo{
+					X509Data: &X509Data{
+						X509Certificate: base64.StdEncoding.EncodeToString(p.cert.Raw),
+					},
+				},
+			},
+			WantAuthnRequestsSigned: false,
+			NameIDFormat:            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+		},
+	}
+
+	for _, location := range p.config.Locations {
+		svc := SingleSignOnService{
+			Service: Service{
+				Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location: location,
+			},
+		}
+		entity.IDPSSODescriptor.SingleSignOnService = append(entity.IDPSSODescriptor.SingleSignOnService, svc)
+	}
+
+	var b bytes.Buffer
+	b.Write([]byte(xml.Header))
+	encoder := xml.NewEncoder(&b)
+	encoder.Indent("", "  ")
+	if err := encoder.Encode(entity); err != nil {
+		return nil, err
+	}
+	output := bytes.ReplaceAll(b.Bytes(), []byte("></SingleSignOnService>"), []byte("/>"))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"`),
+		[]byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"`),
+		[]byte(`<md:IDPSSODescriptor`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<KeyDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"`),
+		[]byte(`<md:KeyDescriptor`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">`),
+		[]byte(`<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">`),
+		[]byte(`<ds:X509Data>`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">`),
+		[]byte(`<ds:X509Certificate>`))
+	output = bytes.ReplaceAll(output,
+		[]byte(`SingleSignOnService xmlns="urn:oasis:names:tc:SAML:2.0:metadata"`),
+		[]byte(`md:SingleSignOnService`))
+	output = bytes.ReplaceAll(output, []byte(`</IDPSSODescriptor>`), []byte(`</md:IDPSSODescriptor>`))
+	output = bytes.ReplaceAll(output, []byte(`</EntityDescriptor>`), []byte(`</md:EntityDescriptor>`))
+	output = bytes.ReplaceAll(output, []byte(`</X509Data>`), []byte(`</ds:X509Data>`))
+	output = bytes.ReplaceAll(output, []byte(`</KeyInfo>`), []byte(`</ds:KeyInfo>`))
+	output = bytes.ReplaceAll(output, []byte(`</KeyDescriptor>`), []byte(`</md:KeyDescriptor>`))
+	output = bytes.ReplaceAll(output, []byte(`</X509Certificate>`), []byte(`</ds:X509Certificate>`))
+	output = bytes.ReplaceAll(output, []byte(`NameIDFormat>`), []byte(`md:NameIDFormat>`))
+	p.metadata = output
+	return p.metadata, nil
+}

pkg/sso/metadata_test.go

@@ -0,0 +1,106 @@
+// Copyright 2022 Paul Greenberg [email protected]
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sso
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	fileutil "github.com/greenpau/go-authcrunch/pkg/util/file"
+	logutil "github.com/greenpau/go-authcrunch/pkg/util/log"
+	"go.uber.org/zap"
+)
+
+func TestGetMetadata(t *testing.T) {
+	testcases := []struct {
+		name             string
+		config           *SingleSignOnProviderConfig
+		metadataFilePath string
+		disableLogger    bool
+		want             string
+		shouldErr        bool
+		err              error
+	}{
+		{
+			name:             "test valid sso provider metadata",
+			metadataFilePath: "../../testdata/sso/authp_saml_metadata.xml",
+			config: &SingleSignOnProviderConfig{
+				Name:           "aws",
+				Driver:         "aws",
+				EntityID:       "caddy-authp-idp",
+				PrivateKeyPath: "../../testdata/sso/authp_saml.key",
+				CertPath:       "../../testdata/sso/authp_saml.crt",
+				Locations: []string{
+					"https://localhost/apps/sso/aws",
+					"https://127.0.0.1/apps/sso/aws",
+				},
+			},
+			want: `{
+				"name": "aws",
+				"driver": "aws",
+			    "config": {
+	                "name":             "aws",
+		            "driver":           "aws",
+			        "entity_id":        "caddy-authp-idp",
+				    "private_key_path": "../../testdata/sso/authp_saml.key",
+					"cert_path": "../../testdata/sso/authp_saml.crt",
+					"locations": [
+						"https://localhost/apps/sso/aws",
+	                    "https://127.0.0.1/apps/sso/aws"
+		            ]
+				}
+            }`,
+		},
+	}
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			var logger *zap.Logger
+			msgs := []string{fmt.Sprintf("test name: %s", tc.name)}
+			msgs = append(msgs, fmt.Sprintf("config:\n%v", tc.config))
+			logger = logutil.NewLogger()
+			provider, err := NewSingleSignOnProvider(tc.config, logger)
+			if err != nil {
+				t.Fatalf("failed initializing sso provider: %v", err)
+			}
+
+			want, err := fileutil.ReadFileBytes(tc.metadataFilePath)
+			if err != nil {
+				t.Fatalf("failed reading %q file: %v", tc.metadataFilePath, err)
+			}
+			want = bytes.TrimSpace(want)
+
+			got, err := provider.GetMetadata()
+
+			if err != nil {
+				if !tc.shouldErr {
+					t.Fatalf("expected success, got: %v", err)
+				}
+				if diff := cmp.Diff(err.Error(), tc.err.Error()); diff != "" {
+					t.Fatalf("unexpected error: %v, want: %v", err, tc.err)
+				}
+				return
+			}
+			if tc.shouldErr {
+				t.Fatalf("unexpected success, want: %v", tc.err)
+			}
+
+			if diff := cmp.Diff(want, got); diff != "" {
+				t.Errorf("provider.GetMetadata() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}