Implementing SSO/SAML login :)

.gitignore

@@ -28,6 +28,9 @@ virtualenv-components
 virtualenv-components-osx
 .venv-st2devbox
 
+# st2client build files
+st2client/build/*
+
 # generated travis conf
 conf/st2.travis.conf
 # generated GitHub Actions conf

CHANGELOG.rst

@@ -6,6 +6,15 @@ in development
 
 Added
 ~~~~~
+
+* Revised support for SSO backends + SAML2 included by default #5664
+
+  SAML backend on a separate repository, included as a dependecy , https://github.com/StackStorm/st2-auth-backend-sso-saml2
+
+  RBAC support also baked into SSO backends
+
+  Contributed by @pimguilherme
+
 * Move `git clone` to `user_home/.st2packs` #5845
 
 * Error on `st2ctl status` when running in Kubernetes. #5851

requirements.txt

@@ -19,6 +19,7 @@ decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
+git+https://github.com/pimguilherme/st2-auth-backend-sso-saml2.git@feat/saml#egg=st2-auth-backend-sso-saml2
 gitdb==4.0.2
 gitpython==3.1.15
 greenlet==1.0.0

st2auth/in-requirements.txt

@@ -6,6 +6,8 @@ passlib
 pymongo
 six
 stevedore
+# for SAML sso
+git+https://github.com/pimguilherme/st2-auth-backend-sso-saml2.git@feat/saml#egg=st2-auth-backend-sso-saml2
 # For backward compatibility reasons, flat file backend is installed by default
 st2-auth-backend-flat-file@ git+https://github.com/StackStorm/st2-auth-backend-flat-file.git@master
 st2-auth-ldap@ git+https://github.com/StackStorm/st2-auth-ldap.git@master

st2auth/requirements.txt

@@ -7,6 +7,7 @@
 # update the component requirements.txt
 bcrypt==3.2.0
 eventlet==0.30.2
+git+https://github.com/pimguilherme/st2-auth-backend-sso-saml2.git@feat/saml#egg=st2-auth-backend-sso-saml2
 gunicorn==20.1.0
 oslo.config>=1.12.1,<1.13
 passlib==1.7.4

st2auth/st2auth/controllers/v1/sso.py

@@ -14,18 +14,30 @@
 
 import datetime
 import json
+from uuid import uuid4
 
 from oslo_config import cfg
 from six.moves import http_client
 from six.moves import urllib
+from st2common.router import GenericRequestParam
 
 import st2auth.handlers as handlers
 
 from st2auth import sso as st2auth_sso
+from st2auth.sso.base import BaseSingleSignOnBackendResponse
 from st2common.exceptions import auth as auth_exc
 from st2common import log as logging
 from st2common import router
-
+from st2common.models.db.auth import SSORequestDB
+from st2common.services.access import (
+    create_cli_sso_request,
+    create_web_sso_request,
+    get_sso_request_by_request_id,
+)
+from st2common.exceptions.auth import SSORequestNotFoundError
+from st2common.util.crypto import read_crypto_key_from_dict, symmetric_encrypt
+from st2common.util.date import get_datetime_utc_now
+from st2common.util.jsonify import json_decode
 
 LOG = logging.getLogger(__name__)
 SSO_BACKEND = st2auth_sso.get_sso_backend()
@@ -35,25 +47,96 @@ class IdentityProviderCallbackController(object):
     def __init__(self):
         self.st2_auth_handler = handlers.ProxyAuthHandler()
 
+    # Validates the incoming SSO response by getting its ID, checking against
+    # the database for outstanding SSO requests and checking to see if they have already expired
+    def _validate_and_delete_sso_request(self, response):
+
+        # Grabs the ID from the SSO response based on the backend
+        request_id = SSO_BACKEND.get_request_id_from_response(response)
+        if request_id is None:
+            raise ValueError("Invalid request id coming from SAML response")
+
+        LOG.debug("Validating SSO request %s from received response!", request_id)
+
+        # Grabs the original SSO request based on the ID
+        original_sso_request = None
+        try:
+            original_sso_request = get_sso_request_by_request_id(request_id)
+        except SSORequestNotFoundError:
+            pass
+
+        if original_sso_request is None:
+            raise ValueError(
+                "This SSO request is invalid (it may have already been used)"
+            )
+
+        # Verifies if the request has expired already
+        LOG.info(
+            "Incoming SSO response matching request: %s, with expiry: %s",
+            original_sso_request.request_id,
+            original_sso_request.expiry,
+        )
+        if original_sso_request.expiry <= get_datetime_utc_now():
+            raise ValueError(
+                "The SSO request associated with this response has already expired!"
+            )
+
+        # All done, we should not need to use this again :)
+        LOG.debug(
+            "Deleting original SSO request from database with ID %s",
+            original_sso_request.id,
+        )
+        original_sso_request.delete()
+
+        return original_sso_request
+
     def post(self, response, **kwargs):
         try:
+
+            original_sso_request = self._validate_and_delete_sso_request(response)
+
+            # Obtain user details from the SSO response from the backend
             verified_user = SSO_BACKEND.verify_response(response)
+            if not isinstance(verified_user, BaseSingleSignOnBackendResponse):
+                return process_failure_response(
+                    http_client.INTERNAL_SERVER_ERROR,
+                    "Unexpected SSO backend response type. Expected "
+                    "BaseSingleSignOnBackendResponse instance!",
+                )
+
+            LOG.info(
+                "Authenticating SSO user [%s] with groups [%s]",
+                verified_user.username,
+                verified_user.groups,
+            )
 
-            st2_auth_token_create_request = {
-                "user": verified_user["username"],
-                "ttl": None,
-            }
+            st2_auth_token_create_request = GenericRequestParam(
+                ttl=None,
+                groups=verified_user.groups,
+            )
 
             st2_auth_token = self.st2_auth_handler.handle_auth(
                 request=st2_auth_token_create_request,
-                remote_addr=verified_user["referer"],
-                remote_user=verified_user["username"],
+                remote_addr=verified_user.referer,
+                remote_user=verified_user.username,
                 headers={},
             )
 
-            return process_successful_authn_response(
-                verified_user["referer"], st2_auth_token
-            )
+            # Depending on the type of SSO request we should handle the response differently
+            # ie WEB gets redirected and CLI gets an encrypted callback
+            if original_sso_request.type == SSORequestDB.Type.WEB:
+                return process_successful_sso_web_response(
+                    verified_user.referer, st2_auth_token
+                )
+            elif original_sso_request.type == SSORequestDB.Type.CLI:
+                return process_successful_sso_cli_response(
+                    verified_user.referer, original_sso_request.key, st2_auth_token
+                )
+            else:
+                raise NotImplementedError(
+                    "Unexpected SSO request type [%s] -- I can deal with web and cli"
+                    % original_sso_request.type
+                )
         except NotImplementedError as e:
             return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
         except auth_exc.SSOVerificationError as e:
@@ -63,14 +146,76 @@ def post(self, response, **kwargs):
 
 
 class SingleSignOnRequestController(object):
-    def get(self, referer):
+    def _create_sso_request(self, handler, **kwargs):
+
+        request_id = "id_%s" % str(uuid4())
+        sso_request = handler(request_id=request_id, **kwargs)
+        LOG.debug(
+            "Created SSO request with request id %s and expiry %s and type %s",
+            request_id,
+            sso_request.expiry,
+            sso_request.type,
+        )
+        return sso_request
+
+    # web-intended SSO
+    def get_web(self, referer):
         try:
+            sso_request = self._create_sso_request(create_web_sso_request)
+
             response = router.Response(status=http_client.TEMPORARY_REDIRECT)
-            response.location = SSO_BACKEND.get_request_redirect_url(referer)
+            response.location = SSO_BACKEND.get_request_redirect_url(
+                sso_request.request_id, referer
+            )
             return response
         except NotImplementedError as e:
+            if sso_request:
+                sso_request.delete()
             return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
         except Exception as e:
+            if sso_request:
+                sso_request.delete()
+            raise e
+
+    # cli-intended SSO
+    def post_cli(self, response):
+        sso_request = None
+        try:
+            key = getattr(response, "key", None)
+            callback_url = getattr(response, "callback_url", None)
+            # This is already checked at the API level, but aanyway..
+            if not key or not callback_url:
+                raise ValueError("Missing either key and/or callback_url!")
+
+            try:
+                read_crypto_key_from_dict(json_decode(key))
+            except Exception:
+                LOG.warn("Could not decode incoming SSO CLI request key")
+                raise ValueError(
+                    "The provided key is invalid! It should be stackstorm-compatible AES key"
+                )
+
+            sso_request = self._create_sso_request(create_cli_sso_request, key=key)
+            response = router.Response(status=http_client.OK)
+            response.content_type = "application/json"
+            response.json = {
+                "sso_url": SSO_BACKEND.get_request_redirect_url(
+                    sso_request.request_id, callback_url
+                ),
+                # this is needed because the db doesnt save microseconds
+                # pylint: disable=E1101
+                "expiry": sso_request.expiry.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
+                + "000+00:00",
+            }
+
+            return response
+        except NotImplementedError as e:
+            if sso_request:
+                sso_request.delete()
+            return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
+        except Exception as e:
+            if sso_request:
+                sso_request.delete()
             raise e
 
 
@@ -94,22 +239,52 @@ def get(self):
 CALLBACK_SUCCESS_RESPONSE_BODY = """
 <html>
     <script>
+        function setCookie(name, value, days) {
+            var expires = "";
+            if (days) {
+                var date = new Date();
+                date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
+                expires = "; expires=" + date.toUTCString();
+            }
+            document.cookie = name + "=" + (value || "") + expires + "; path=/";
+        }
         function getCookie(name) {
             var v = document.cookie.match('(^|;) ?' + name + '=([^;]*)(;|$)');
             return v ? v[2] : null;
         }
 
-        data = JSON.parse(window.localStorage.getItem('st2Session'));
-        data['token'] = JSON.parse(decodeURIComponent(getCookie('st2-auth-token')));
+        // This cookie should've been set by the sso module
+        tokenDetails = JSON.parse(decodeURIComponent(getCookie('st2-auth-token')));
+
+        // Defining what to be set
+        data = JSON.parse(window.localStorage.getItem('st2Session') || "{}");
+        data['token'] = tokenDetails
+
+        if (!data['server']) {
+            serverPrefix = location.protocol + '//' + location.host;
+            data['server'] = {
+                "api": `${serverPrefix}/api`,
+                "auth": `${serverPrefix}/auth`,
+                "stream": `${serverPrefix}/stream`,
+                "token": null
+            }
+            console.log("Configured default server endpoints to [%%s]", data['server'])
+        }
+
+        // Persising data
+        console.log("Setting credentials to persistent stores")
         window.localStorage.setItem('st2Session', JSON.stringify(data));
+        window.localStorage.setItem('logged_in', { "loggedIn": true })
+        setCookie("auth-token", tokenDetails.token)
+
         window.location.replace("%s");
     </script>
 </html>
 """
 
 
-def process_successful_authn_response(referer, token):
-    token_json = {
+def token_to_json(token):
+    return {
         "id": str(token.id),
         "user": token.user,
         "token": token.token,
@@ -118,6 +293,29 @@ def process_successful_authn_response(referer, token):
         "metadata": {},
     }
 
+
+def process_successful_sso_cli_response(callback_url, key, token):
+    token_json = token_to_json(token)
+
+    aes_key = read_crypto_key_from_dict(json_decode(key))
+    encrypted_token = symmetric_encrypt(aes_key, json.dumps(token_json))
+
+    LOG.debug(
+        "Redirecting successfuly SSO CLI login to url [%s] "
+        "with extra parameters for the encrypted token",
+        callback_url,
+    )
+
+    # Response back to the browser has all the data in the query string, in an encrypted formta :)
+    resp = router.Response(status=http_client.FOUND)
+    resp.location = "%s?response=%s" % (callback_url, encrypted_token.decode("utf-8"))
+
+    return resp
+
+
+def process_successful_sso_web_response(referer, token):
+    token_json = token_to_json(token)
+
     body = CALLBACK_SUCCESS_RESPONSE_BODY % referer
     resp = router.Response(body=body)
     resp.headers["Content-Type"] = "text/html"