diff options
| author | mo khan <mo@mokhan.ca> | 2025-03-05 11:43:07 -0700 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-05 11:43:07 -0700 |
| commit | 20e152182f7137ae2c7f512d0cab1b3c846a4677 (patch) | |
| tree | 9c7a0ca1e52abc1d9fd2a77ec0c3b3b6166c4dd0 | |
| parent | 502228f90f6e3e7b03d2c3165a9b8b8f00e29dce (diff) | |
refactor: extract scheme and provide the appropriate nameid for saml transaction
| -rw-r--r-- | README.md | 20 | ||||
| -rwxr-xr-x | bin/api (renamed from bin/rest-api) | 32 | ||||
| -rwxr-xr-x | bin/idp | 79 | ||||
| -rwxr-xr-x | bin/ui (renamed from bin/sp) | 38 |
4 files changed, 86 insertions, 83 deletions
@@ -13,26 +13,6 @@ Below is a recording of a SAML based service provider initiated login, displayin  -## Identity Provider (SAML IdP) - -A minimal SAML Identity Provider for testing interactions with a SAML Service Provider. - -1. Start the server: - ```sh - ruby ./bin/idp - ``` -2. Use `http://localhost:8282/metadata.xml` as your SAML IdP metadata URL. - -## Service Provider (SAML SP) - -A minimal SAML Service Provider for testing interactions with a SAML Identity Provider. - -1. Start the server: - ```sh - ruby ./bin/sp - ``` -2. Use `http://localhost:8283/metadata.xml` as your SAML SP metadata URL. - ## Experiments ### Twirp + gRPC (AuthZ) @@ -13,6 +13,10 @@ gemfile do gem "webrick", "~> 1.0" end +$scheme = ENV.fetch('SCHEME', 'http') +$port = ENV.fetch('PORT', 8284).to_i +$host = ENV.fetch('HOST', "localhost:#{$port}") + class Project class << self def all @@ -35,11 +39,7 @@ class Project end end -class RESTAPI - def initialize - @storage = {} - end - +class API def call(env) request = Rack::Request.new(env) path = env['PATH_INFO'] @@ -75,32 +75,40 @@ class RESTAPI end def json_not_found - [404, { 'X-Backend-Server' => 'REST', 'Content-Type' => 'application/json' }, []] + http_response(code: 404) end def json_ok(body) - [200, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body)]] + http_response(code: 200, body: JSON.pretty_generate(body)) end def json_created(body) - [201, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body.to_h)]] + http_response(code: 201, body: JSON.pretty_generate(body.to_h)) end def json_unauthorized(permission) - [401, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate({ + http_response(code: 401, body: JSON.pretty_generate({ error: { code: 401, message: "`#{permission}` is required", } - })]] + })) + end + + def http_response(code:, headers: { 'Content-Type' => 'application/json' }, body: nil) + [ + code, + headers.merge({ 'X-Backend-Server' => 'REST' }), + [body].compact + ] end end if __FILE__ == $0 app = Rack::Builder.new do use Rack::Reloader - run RESTAPI.new + run API.new end.to_app - Rackup::Server.start(app: app, Port: ENV.fetch('PORT', 8284).to_i) + Rackup::Server.start(app: app, Port: $port) end @@ -13,18 +13,44 @@ gemfile do gem "webrick", "~> 1.0" end +$scheme = ENV.fetch('SCHEME', 'http') +$port = ENV.fetch('PORT', 8282).to_i +$host = ENV.fetch('HOST', "localhost:#{$port}") + +class JWT + attr_reader :claims + + def initialize(claims) + @claims = claims + end + + def to_jwt + [ + Base64.strict_encode64(JSON.generate({alg: "RS256", typ: "JWT"})), + Base64.strict_encode64(JSON.generate(claims)), + Base64.strict_encode64(JSON.generate({})), + ].join(".") + end +end + class User def initialize(attributes) @attributes = attributes end def name_id_for(name_id_format) - @attributes[:email] + if name_id_format == Saml::Kit::Namespaces::EMAIL_ADDRESS + @attributes[:email] + else + @attributes[:id] + end end def assertion_attributes_for(request) { - custom: 'custom attribute' + custom: 'custom attribute', + email: @attributes[:email], + access_token: JWT.new(sub: SecureRandom.uuid, iat: Time.now.to_i).to_jwt, } end end @@ -40,16 +66,12 @@ class OnDemandRegistry < Saml::Kit::DefaultRegistry end Saml::Kit.configure do |x| - x.entity_id = "http://localhost:8282/metadata.xml" + x.entity_id = "#{$scheme}://#{$host}/metadata.xml" x.registry = OnDemandRegistry.new x.logger = Logger.new("/dev/stderr") end class IdentityProvider - def initialize - @storage = {} - end - def call(env) path = env['PATH_INFO'] case env['REQUEST_METHOD'] @@ -63,7 +85,8 @@ class IdentityProvider return not_found when "/metadata.xml" return saml_metadata - when "/sessions/new" + when "/saml/new" + # TODO:: render a login page return saml_post_back(Rack::Request.new(env)) when "/oauth/authorize" # RFC-6749 return get_authorize(Rack::Request.new(env)) @@ -72,13 +95,13 @@ class IdentityProvider end when 'POST' case path - when "/sessions/new" + when "/saml/new" return saml_post_back(Rack::Request.new(env)) when "/oauth/authorize" # RFC-6749 return post_authorize(Rack::Request.new(env)) when "/oauth/token" # RFC-6749 return [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({ - access_token: to_jwt(sub: SecureRandom.uuid, iat: Time.now.to_i), + access_token: JWT.new(sub: SecureRandom.uuid, iat: Time.now.to_i).to_jwt, token_type: "Bearer", expires_in: 3600, refresh_token: SecureRandom.hex(32) @@ -94,14 +117,6 @@ class IdentityProvider private - def to_jwt(claims) - [ - Base64.strict_encode64(JSON.generate({alg: "RS256", typ: "JWT"})), - Base64.strict_encode64(JSON.generate(claims)), - Base64.strict_encode64(JSON.generate({})), - ].join(".") - end - # Download IDP Metadata # # GET /metadata.xml @@ -111,7 +126,7 @@ class IdentityProvider builder.organization_name = "Acme, Inc" builder.organization_url = "https://example.com" builder.build_identity_provider do |x| - x.add_single_sign_on_service("http://localhost:8282/sessions/new", binding: :http_post) + x.add_single_sign_on_service("#{$scheme}://#{$host}/saml/new", binding: :http_post) x.name_id_formats = [Saml::Kit::Namespaces::EMAIL_ADDRESS] x.attributes << :Username end @@ -123,9 +138,9 @@ class IdentityProvider # GET /.well-known/oauth-authorization-server def oauth_metadata [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({ - issuer: "http://localhost:8282/.well-known/oauth-authorization-server", - authorization_endpoint: "http://localhost:8282/oauth/authorize", - token_endpoint: "http://localhost:8282/oauth/token", + issuer: "#{$scheme}://#{$host}/.well-known/oauth-authorization-server", + authorization_endpoint: "#{$scheme}://#{$host}/oauth/authorize", + token_endpoint: "#{$scheme}://#{$host}/oauth/token", jwks_uri: "", # RFC-7517 registration_endpoint: "", # RFC-7591 scopes_supported: ["openid", "profile", "email"], @@ -138,10 +153,10 @@ class IdentityProvider ui_locales_supported: ["en-US"], op_policy_uri: "", op_tos_uri: "", - revocation_endpoint: "http://localhost:8282/oauth/revoke", # RFC-7009 + revocation_endpoint: "#{$scheme}://#{$host}/oauth/revoke", # RFC-7009 revocation_endpoint_auth_methods_supported: ["client_secret_basic"], revocation_endpoint_auth_signing_alg_values_supported: ["RS256"], - introspection_endpoint: "http://localhost:8282/oauth/introspect", # RFC-7662 + introspection_endpoint: "#{$scheme}://#{$host}/oauth/introspect", # RFC-7662 introspection_endpoint_auth_methods_supported: ["client_secret_basic"], introspection_endpoint_auth_signing_alg_values_supported: ["RS256"], code_challenge_methods_supported: [], # RFC-7636 @@ -196,10 +211,10 @@ class IdentityProvider # GET /.well-known/openid-configuration def openid_metadata [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({ - issuer: "http://localhost:8282/.well-known/oauth-authorization-server", - authorization_endpoint: "http://localhost:8282/oauth/authorize", - token_endpoint: "http://localhost:8282/oauth/token", - userinfo_endpoint: "http://localhost:8282/oidc/user/", + issuer: "#{$scheme}://#{$host}/.well-known/oauth-authorization-server", + authorization_endpoint: "#{$scheme}://#{$host}/oauth/authorize", + token_endpoint: "#{$scheme}://#{$host}/oauth/token", + userinfo_endpoint: "#{$scheme}://#{$host}/oidc/user/", jwks_uri: "", # RFC-7517 registration_endpoint: nil, scopes_supported: ["openid", "profile", "email"], @@ -254,7 +269,7 @@ class IdentityProvider saml_request = binding_for(request).deserialize(params) @builder = nil url, saml_params = saml_request.response_for( - User.new({ email: "example@example.com" }), + User.new({ id: SecureRandom.uuid, email: "example@example.com" }), binding: :http_post, relay_state: params[:RelayState] ) do |builder| @@ -270,7 +285,7 @@ class IdentityProvider <textarea readonly="readonly" disabled="disabled" cols=225 rows=6><%=- saml_request.to_xml(pretty: true) -%></textarea> <h2>Sending SAML Response (IdP -> SP)</h2> - <textarea readonly="readonly" disabled="disabled" cols=225 rows=30><%=- @builder.build.to_xml(pretty: true) -%></textarea> + <textarea readonly="readonly" disabled="disabled" cols=225 rows=40><%=- @builder.build.to_xml(pretty: true) -%></textarea> <form action="<%= url %>" method="post"> <%- saml_params.each do |(key, value)| -%> <input type="hidden" name="<%= key %>" value="<%= value %>" /> @@ -303,7 +318,7 @@ class IdentityProvider end def binding_for(request) - location = "http://localhost:8282/sessions/new" + location = "#{$scheme}://#{$host}/saml/new" if request.post? Saml::Kit::Bindings::HttpPost .new(location: location) @@ -320,5 +335,5 @@ if __FILE__ == $0 run IdentityProvider.new end.to_app - Rackup::Server.start(app: app, Port: ENV.fetch('PORT', 8282).to_i) + Rackup::Server.start(app: app, Port: $port) end @@ -14,6 +14,10 @@ gemfile do gem "webrick", "~> 1.0" end +$scheme = ENV.fetch('SCHEME', 'http') +$port = ENV.fetch('PORT', 8283).to_i +$host = ENV.fetch('HOST', "localhost:#{$port}") + class OnDemandRegistry < Saml::Kit::DefaultRegistry def metadata_for(entity_id) found = super(entity_id) @@ -25,28 +29,21 @@ class OnDemandRegistry < Saml::Kit::DefaultRegistry end Saml::Kit.configure do |x| - x.entity_id = "http://localhost:8283/metadata.xml" + x.entity_id = "#{$scheme}://#{$host}/metadata.xml" x.registry = OnDemandRegistry.new x.logger = Logger.new("/dev/stderr") end -class ServiceProvider - def initialize - @storage = {} - end - - # Download IDP Metadata - # - # GET /metadata.xml +class UI def metadata xml = Saml::Kit::Metadata.build_xml do |builder| builder.embed_signature = false - builder.contact_email = 'hi@example.com' + builder.contact_email = 'ui@example.com' builder.organization_name = "Acme, Inc" builder.organization_url = "https://example.com" builder.build_service_provider do |x| x.name_id_formats = [Saml::Kit::Namespaces::EMAIL_ADDRESS] - x.add_assertion_consumer_service("http://localhost:8283/assertions", binding: :http_post) + x.add_assertion_consumer_service("#{$scheme}://#{$host}/saml/assertions", binding: :http_post) end end @@ -60,16 +57,19 @@ class ServiceProvider case path when "/metadata.xml" return metadata - when "/openid/new" - return redirect_to("http://localhost:8282/oauth/authorize?client_id=service-provider&state=example&redirect_uri=http://localhost:8283/oauth/callback&response_type=code&response_mode=query&scope=openid") + when "/oidc/new" + return redirect_to("http://localhost:8282/oauth/authorize?client_id=service-provider&state=example&redirect_uri=#{$scheme}://#{$host}/oauth/callback&response_type=code&response_mode=query&scope=openid") + when "/saml/new" + return saml_post_to_idp(Rack::Request.new(env)) when "/oauth/callback" return oauth_callback(Rack::Request.new(env)) else - return saml_post_to_idp(Rack::Request.new(env)) + # return saml_post_to_idp(Rack::Request.new(env)) + return redirect_to("/saml/new") end when 'POST' case path - when "/assertions" + when "/saml/assertions" return saml_assertions(Rack::Request.new(env)) else return not_found @@ -81,7 +81,7 @@ class ServiceProvider private def not_found - [404, { 'X-Backend-Server' => 'SP' }, []] + [404, { 'X-Backend-Server' => 'UI' }, []] end def redirect_to(location) @@ -132,7 +132,7 @@ class ServiceProvider end def saml_assertions(request) - sp = Saml::Kit.registry.metadata_for('http://localhost:8283/metadata.xml') + sp = Saml::Kit.registry.metadata_for("#{$scheme}://#{$host}/metadata.xml") saml_binding = sp.assertion_consumer_service_for(binding: :http_post) saml_response = saml_binding.deserialize(request.params) raise saml_response.errors unless saml_response.valid? @@ -156,8 +156,8 @@ end if __FILE__ == $0 app = Rack::Builder.new do use Rack::Reloader - run ServiceProvider.new + run UI.new end.to_app - Rackup::Server.start(app: app, Port: ENV.fetch('PORT', 8283).to_i) + Rackup::Server.start(app: app, Port: $port) end |