Initial support for SAML authentication

2025-06-05 09:14:02 -04:00 · 2017-11-28 12:46:58 +09:00 · 2017-11-28 12:46:58 +09:00 · 4a4ae9d332
commit 4a4ae9d332
parent 9c002ce29b
12 changed files with 157 additions and 4 deletions
--- a/lib/config/default.js
+++ b/lib/config/default.js
@ -98,6 +98,22 @@ module.exports = {
    searchAttributes: undefined,
    tlsca: undefined
  },
+  saml: {
+    idpSsoUrl: undefined,
+    idpCert: undefined,
+    issuer: undefined,
+    callbackUrl: undefined,
+    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    groupAttribute: undefined,
+    externalGroups: [],
+    requiredGroups: [],
+    attribute: {
+      id: undefined,
+      username: undefined,
+      displayName: undefined,
+      email: undefined
+    }
+  },
  email: true,
  allowemailregister: true,
  allowpdfexport: true
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@ -73,6 +73,10 @@ module.exports = {
    searchAttributes: process.env.HMD_LDAP_SEARCHATTRIBUTES,
    tlsca: process.env.HMD_LDAP_TLS_CA
  },
+  saml: {
+    idpSsoUrl: process.env.HMD_SAML_IDPSSOURL,
+    idpCert: process.env.HMD_SAML_IDPCERT
+  },
  email: toBooleanConfig(process.env.HMD_EMAIL),
  allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER),
  allowpdfexport: toBooleanConfig(process.env.HMD_ALLOW_PDF_EXPORT)
--- a/lib/config/index.js
+++ b/lib/config/index.js
@ -92,6 +92,7 @@ config.isGitHubEnable = config.github.clientID && config.github.clientSecret
 config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret
 config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret
 config.isLDAPEnable = config.ldap.url
+config.isSAMLEnable = config.saml.idpSsoUrl
 config.isPDFExportEnable = config.allowpdfexport

 // generate correct path
--- a/lib/models/user.js
+++ b/lib/models/user.js
@ -143,6 +143,15 @@ module.exports = function (sequelize, DataTypes) {
              photo = letterAvatars(profile.username)
            }
            break
+          case 'saml':
+            if (profile.emails[0]) {
+              photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0])
+              if (bigger) photo += '?s=400'
+              else photo += '?s=96'
+            } else {
+              photo = letterAvatars(profile.username)
+            }
+            break
        }
        return photo
      },
--- a/lib/response.js
+++ b/lib/response.js
@ -68,6 +68,7 @@ function showIndex (req, res, next) {
    dropbox: config.isDropboxEnable,
    google: config.isGoogleEnable,
    ldap: config.isLDAPEnable,
+    saml: config.isSAMLEnable,
    email: config.isEmailEnable,
    allowemailregister: config.allowemailregister,
    allowpdfexport: config.allowpdfexport,
@ -100,6 +101,7 @@ function responseHackMD (res, note) {
    dropbox: config.isDropboxEnable,
    google: config.isGoogleEnable,
    ldap: config.isLDAPEnable,
+    saml: config.isSAMLEnable,
    email: config.isEmailEnable,
    allowemailregister: config.allowemailregister,
    allowpdfexport: config.allowpdfexport
--- a/lib/web/auth/index.js
+++ b/lib/web/auth/index.js
@ -37,6 +37,7 @@ if (config.isMattermostEnable) authRouter.use(require('./mattermost'))
 if (config.isDropboxEnable) authRouter.use(require('./dropbox'))
 if (config.isGoogleEnable) authRouter.use(require('./google'))
 if (config.isLDAPEnable) authRouter.use(require('./ldap'))
+if (config.isSAMLEnable) authRouter.use(require('./saml'))
 if (config.isEmailEnable) authRouter.use(require('./email'))

 // logout
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@ -0,0 +1,96 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const SamlStrategy = require('passport-saml').Strategy
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {urlencodedParser} = require('../../utils')
+const fs = require('fs')
+const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) }
+
+let samlAuth = module.exports = Router()
+
+passport.use(new SamlStrategy({
+  callbackUrl: config.saml.callbackUrl || config.serverurl + '/auth/saml/callback',
+  entryPoint: config.saml.idpSsoUrl,
+  issuer: config.saml.issuer || config.serverurl,
+  cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
+  identifierFormat: config.saml.identifierFormat
+}, function (user, done) {
+  // check authorization if needed
+  if (config.saml.externalGroups && config.saml.grouptAttribute) {
+    var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute])
+    if (externalGroups.length > 0) {
+      logger.error('saml permission denied: ' + externalGroups.join(', '))
+      return done('Permission denied', null)
+    }
+  }
+  if (config.saml.requiredGroups && config.saml.grouptAttribute) {
+    if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) {
+      logger.error('saml permission denied')
+      return done('Permission denied', null)
+    }
+  }
+  // user creation
+  var uuid = user[config.saml.attribute.id] || user.nameID
+  var profile = {
+    provider: 'saml',
+    id: 'SAML-' + uuid,
+    username: user[config.saml.attribute.username] || user.nameID,
+    displayName: user[config.saml.attribute.displayName] || user.nameID,
+    emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : []
+  }
+  if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
+    profile.emails.push(user.nameID)
+  }
+  var stringifiedProfile = JSON.stringify(profile)
+  models.User.findOrCreate({
+    where: {
+      profileid: profile.id.toString()
+    },
+    defaults: {
+      profile: stringifiedProfile
+    }
+  }).spread(function (user, created) {
+    if (user) {
+      var needSave = false
+      if (user.profile !== stringifiedProfile) {
+        user.profile = stringifiedProfile
+        needSave = true
+      }
+      if (needSave) {
+        user.save().then(function () {
+          if (config.debug) { logger.debug('user login: ' + user.id) }
+          return done(null, user)
+        })
+      } else {
+        if (config.debug) { logger.debug('user login: ' + user.id) }
+        return done(null, user)
+      }
+    }
+  }).catch(function (err) {
+    logger.error('saml auth failed: ' + err)
+    return done(err, null)
+  })
+}))
+
+samlAuth.get('/auth/saml',
+  passport.authenticate('saml', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
+
+samlAuth.post('/auth/saml/callback', urlencodedParser,
+  passport.authenticate('saml', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
+
+samlAuth.get('/auth/saml/metadata', function (req, res) {
+  res.type('application/xml')
+  res.send(passport._strategy('saml').generateServiceProviderMetadata())
+})