Commit 5f04dc4f authored by enahum's avatar enahum Committed by GitHub
Browse files

SAML support (#3494)

* PLT-3073: Implement SAML/Okta Server side (EE) (#3422)

* PLT-3137 Support for SAML configuration

* PLT-3410 SAML Database Store

* PLT-3411 CLI to add Identity Provider Certificate and Service Provider Private Key

* PLT-3409 SAML Interface for EE

* PLT-3139 Handle SAML authentication server side

* Add localization messages

* PLT-3443 SAML Obtain SP metadata

* PLT-3142 Login & Switch to/from SAML

* Remove Certs for Database & Clean SAML Request

* Make required Username, FirstName and LastName

* PLT-3140 Add SAML to System Console (#3476)

* PLT-3140 Add SAML to System Console

* Move web_client functions to client.jsx

* Fix issues found by PM

* update package.json mattermost driver

* Fix text messages for SAML
parent f91b9d4a
......@@ -5,6 +5,7 @@ package api
import (
"bufio"
"io"
"io/ioutil"
"net/http"
"os"
......@@ -41,6 +42,9 @@ func InitAdmin() {
BaseRoutes.Admin.Handle("/reset_mfa", ApiAdminSystemRequired(adminResetMfa)).Methods("POST")
BaseRoutes.Admin.Handle("/reset_password", ApiAdminSystemRequired(adminResetPassword)).Methods("POST")
BaseRoutes.Admin.Handle("/ldap_sync_now", ApiAdminSystemRequired(ldapSyncNow)).Methods("POST")
BaseRoutes.Admin.Handle("/saml_metadata", ApiAppHandler(samlMetadata)).Methods("GET")
BaseRoutes.Admin.Handle("/add_certificate", ApiAdminSystemRequired(addCertificate)).Methods("POST")
BaseRoutes.Admin.Handle("/remove_certificate", ApiAdminSystemRequired(removeCertificate)).Methods("POST")
}
func getLogs(c *Context, w http.ResponseWriter, r *http.Request) {
......@@ -582,3 +586,76 @@ func ldapSyncNow(c *Context, w http.ResponseWriter, r *http.Request) {
rdata["status"] = "ok"
w.Write([]byte(model.MapToJson(rdata)))
}
func samlMetadata(c *Context, w http.ResponseWriter, r *http.Request) {
samlInterface := einterfaces.GetSamlInterface()
if samlInterface == nil {
c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.not_available.app_error", nil, "")
c.Err.StatusCode = http.StatusFound
return
}
if result, err := samlInterface.GetMetadata(); err != nil {
c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.metadata.app_error", nil, "err="+err.Message)
return
} else {
w.Header().Set("Content-Type", "application/xml")
w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"")
w.Write([]byte(result))
}
}
func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
m := r.MultipartForm
fileArray, ok := m.File["certificate"]
if !ok {
c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.no_file.app_error", nil, "")
c.Err.StatusCode = http.StatusBadRequest
return
}
if len(fileArray) <= 0 {
c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.array.app_error", nil, "")
c.Err.StatusCode = http.StatusBadRequest
return
}
fileData := fileArray[0]
file, err := fileData.Open()
defer file.Close()
if err != nil {
c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.open.app_error", nil, err.Error())
return
}
out, err := os.Create(utils.FindDir("config") + fileData.Filename)
if err != nil {
c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.saving.app_error", nil, err.Error())
return
}
defer out.Close()
io.Copy(out, file)
ReturnStatusOK(w)
}
func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
filename := props["filename"]
if err := os.Remove(utils.FindConfigFile(filename)); err != nil {
c.Err = model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error",
map[string]interface{}{"Filename": filename}, err.Error())
return
}
ReturnStatusOK(w)
}
......@@ -9,6 +9,7 @@ import (
"github.com/mattermost/platform/utils"
"net/http"
"strings"
)
func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
......@@ -145,7 +146,11 @@ func authenticateUser(user *model.User, password, mfaToken string) (*model.User,
return ldapUser, nil
}
} else if user.AuthService != "" {
err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "")
authService := user.AuthService
if authService == model.USER_AUTH_SERVICE_SAML || authService == model.USER_AUTH_SERVICE_LDAP {
authService = strings.ToUpper(authService)
}
err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": authService}, "")
err.StatusCode = http.StatusBadRequest
return user, err
} else {
......
......@@ -477,6 +477,11 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request)
link := "/"
linkMessage := T("api.templates.error.link")
status := http.StatusTemporaryRedirect
if err.StatusCode != http.StatusInternalServerError {
status = err.StatusCode
}
http.Redirect(
w,
r,
......@@ -485,7 +490,7 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request)
"&details="+url.QueryEscape(details)+
"&link="+url.QueryEscape(link)+
"&linkmessage="+url.QueryEscape(linkMessage),
http.StatusTemporaryRedirect)
status)
}
func Handle404(w http.ResponseWriter, r *http.Request) {
......
......@@ -5,6 +5,7 @@ package api
import (
"bytes"
b64 "encoding/base64"
"fmt"
"hash/fnv"
"html/template"
......@@ -71,6 +72,9 @@ func InitUser() {
BaseRoutes.NeedUser.Handle("/sessions", ApiUserRequired(getSessions)).Methods("GET")
BaseRoutes.NeedUser.Handle("/audits", ApiUserRequired(getAudits)).Methods("GET")
BaseRoutes.NeedUser.Handle("/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(loginWithSaml)).Methods("GET")
BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(completeSaml)).Methods("POST")
}
func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
......@@ -2005,12 +2009,16 @@ func emailToOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
stateProps["email"] = email
m := map[string]string{}
if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil {
c.LogAuditWithUserId(user.Id, "fail - oauth issue")
c.Err = err
return
if service == model.USER_AUTH_SERVICE_SAML {
m["follow_link"] = c.GetSiteURL() + "/login/sso/saml?action=" + model.OAUTH_ACTION_EMAIL_TO_SSO + "&email=" + email
} else {
m["follow_link"] = authUrl
if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil {
c.LogAuditWithUserId(user.Id, "fail - oauth issue")
c.Err = err
return
} else {
m["follow_link"] = authUrl
}
}
c.LogAuditWithUserId(user.Id, "success")
......@@ -2419,3 +2427,91 @@ func checkMfa(c *Context, w http.ResponseWriter, r *http.Request) {
}
w.Write([]byte(model.MapToJson(rdata)))
}
func loginWithSaml(c *Context, w http.ResponseWriter, r *http.Request) {
samlInterface := einterfaces.GetSamlInterface()
if samlInterface == nil {
c.Err = model.NewLocAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "")
c.Err.StatusCode = http.StatusFound
return
}
teamId, err := getTeamIdFromQuery(r.URL.Query())
if err != nil {
c.Err = err
return
}
action := r.URL.Query().Get("action")
relayState := ""
if len(action) != 0 {
relayProps := map[string]string{}
relayProps["team_id"] = teamId
relayProps["action"] = action
if action == model.OAUTH_ACTION_EMAIL_TO_SSO {
relayProps["email"] = r.URL.Query().Get("email")
}
relayState = b64.StdEncoding.EncodeToString([]byte(model.MapToJson(relayProps)))
}
if data, err := samlInterface.BuildRequest(relayState); err != nil {
c.Err = err
return
} else {
w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
http.Redirect(w, r, data.URL, http.StatusFound)
}
}
func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) {
samlInterface := einterfaces.GetSamlInterface()
if samlInterface == nil {
c.Err = model.NewLocAppError("completeSaml", "api.user.saml.not_available.app_error", nil, "")
c.Err.StatusCode = http.StatusFound
return
}
//Validate that the user is with SAML and all that
encodedXML := r.FormValue("SAMLResponse")
relayState := r.FormValue("RelayState")
relayProps := make(map[string]string)
if len(relayState) > 0 {
stateStr := ""
if b, err := b64.StdEncoding.DecodeString(relayState); err != nil {
c.Err = model.NewLocAppError("completeSaml", "api.user.authorize_oauth_user.invalid_state.app_error", nil, err.Error())
c.Err.StatusCode = http.StatusFound
return
} else {
stateStr = string(b)
}
relayProps = model.MapFromJson(strings.NewReader(stateStr))
}
if user, err := samlInterface.DoLogin(encodedXML, relayProps); err != nil {
c.Err = err
c.Err.StatusCode = http.StatusFound
return
} else {
if err := checkUserAdditionalAuthenticationCriteria(user, ""); err != nil {
c.Err = err
c.Err.StatusCode = http.StatusFound
return
}
action := relayProps["action"]
switch action {
case model.OAUTH_ACTION_SIGNUP:
teamId := relayProps["team_id"]
go addDirectChannels(teamId, user)
break
case model.OAUTH_ACTION_EMAIL_TO_SSO:
RevokeAllSession(c, user.Id)
go sendSignInChangeEmail(c, user.Email, c.GetSiteURL(), strings.Title(model.USER_AUTH_SERVICE_SAML)+" SSO")
break
}
doLogin(c, w, r, user, "")
http.Redirect(w, r, GetProtocol(r)+"://"+r.Host, http.StatusFound)
}
}
......@@ -166,5 +166,23 @@
"DefaultServerLocale": "en",
"DefaultClientLocale": "en",
"AvailableLocales": ""
},
"SamlSettings": {
"Enable": false,
"Verify": false,
"Encrypt": false,
"IdpUrl": "",
"IdpDescriptorUrl": "",
"AssertionConsumerServiceURL": "",
"IdpCertificateFile": "",
"PublicCertificateFile": "",
"PrivateKeyFile": "",
"FirstNameAttribute": "",
"LastNameAttribute": "",
"EmailAttribute": "",
"UsernameAttribute": "",
"NicknameAttribute": "",
"LocaleAttribute": "",
"LoginButtonText": ""
}
}
\ No newline at end of file
// Copyright (c) 2015 Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package einterfaces
import (
"github.com/mattermost/platform/model"
)
type SamlInterface interface {
ConfigureSP() *model.AppError
BuildRequest(relayState string) (*model.SamlAuthRequest, *model.AppError)
DoLogin(encodedXML string, relayState map[string]string) (*model.User, *model.AppError)
GetMetadata() (string, *model.AppError)
}
var theSamlInterface SamlInterface
func RegisterSamlInterface(newInterface SamlInterface) {
theSamlInterface = newInterface
}
func GetSamlInterface() SamlInterface {
return theSamlInterface
}
......@@ -42,6 +42,8 @@ imports:
version: 9c19ed558d5df4da88e2ade9c8940d742aef0e7e
- name: github.com/gorilla/websocket
version: 1f512fc3f05332ba7117626cdfb4e07474e58e60
- name: github.com/kardianos/osext
version: 29ae4ffbc9a6fe9fb2bc5029050ce6996ea1d3bc
- name: github.com/lib/pq
version: ee1442bda7bd1b6a84e913bdb421cb1874ec629d
subpackages:
......
......@@ -39,3 +39,4 @@ import:
- package: gopkg.in/throttled/throttled.v1
subpackages:
- store
- package: github.com/kardianos/osext
......@@ -47,6 +47,22 @@
"id": "September",
"translation": "September"
},
{
"id": "api.admin.add_certificate.array.app_error",
"translation": "Empty array under 'certificate' in request"
},
{
"id": "api.admin.add_certificate.no_file.app_error",
"translation": "No file under 'certificate' in request"
},
{
"id": "api.admin.add_certificate.open.app_error",
"translation": "Could not open certificate file"
},
{
"id": "api.admin.add_certificate.saving.app_error",
"translation": "Could not save certificate file"
},
{
"id": "api.admin.file_read_error",
"translation": "Error reading log file"
......@@ -71,6 +87,14 @@
"id": "api.admin.recycle_db_start.warn",
"translation": "Attempting to recycle the database connection"
},
{
"id": "api.admin.remove_certificate.delete.app_error",
"translation": "An error occurred while deleting the certificate. Make sure the file config/{{.Filename}} exists."
},
{
"id": "api.admin.saml.metadata.app_error",
"translation": "An error occurred while building Service Provider Metadata"
},
{
"id": "api.admin.test_email.body",
"translation": "<br/><br/><br/>It appears your Mattermost email is setup correctly!"
......@@ -1099,6 +1123,10 @@
"id": "api.preference.save_preferences.set_details.app_error",
"translation": "session.user_id={{.SessionUserId}}, preference.user_id={{.PreferenceUserId}}"
},
{
"id": "api.saml.save_certificate.app_error",
"translation": "Certificate did not save properly."
},
{
"id": "api.server.new_server.init.info",
"translation": "Server is initializing..."
......@@ -1803,6 +1831,10 @@
"id": "api.user.reset_password.wrong_team.app_error",
"translation": "Trying to reset password for user on wrong team."
},
{
"id": "api.user.saml.not_available.app_error",
"translation": "SAML is not configured or supported on this server."
},
{
"id": "api.user.send_email_change_email_and_forget.error",
"translation": "Failed to send email change notification email successfully err=%v"
......@@ -2171,6 +2203,74 @@
"id": "ent.mfa.validate_token.authenticate.app_error",
"translation": "Error trying to authenticate MFA token"
},
{
"id": "ent.saml.build_request.app_error",
"translation": "An error occurred while initiating the request to the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.build_request.encoding.app_error",
"translation": "An error occurred while encoding the request for the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.build_request.encoding_signed.app_error",
"translation": "An error occurred while encoding the signed request for the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.configure.app_error",
"translation": "An error occurred while configuring SAML Service Provider, err=%v"
},
{
"id": "ent.saml.configure.encryption_not_enabled.app_error",
"translation": "SAML login was unsuccessful because encryption is not enabled. Please contact your System Administrator."
},
{
"id": "ent.saml.configure.load_idp_cert.app_error",
"translation": "Identity Provider Public Certificate File was not found. Please contact your System Administrator."
},
{
"id": "ent.saml.configure.load_private_key.app_error",
"translation": "SAML login was unsuccessful because the Service Provider Private Key was not found. Please contact your System Administrator."
},
{
"id": "ent.saml.configure.load_public_cert.app_error",
"translation": "Service Provider Public Certificate File was not found. Please contact your System Administrator."
},
{
"id": "ent.saml.configure.not_encrypted_response.app_error",
"translation": "SAML login was unsuccessful as the Identity Provider response is not encrypted. Please contact your System Administrator."
},
{
"id": "ent.saml.do_login.decrypt.app_error",
"translation": "SAML login was unsuccessful because an error occurred while decrypting the response from the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.do_login.empty_response.app_error",
"translation": "We received an empty response from the Identity Provider"
},
{
"id": "ent.saml.do_login.parse.app_error",
"translation": "An error occurred while parsing the response from the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.do_login.validate.app_error",
"translation": "An error occurred while validating the response from the Identity Provider. Please contact your System Administrator."
},
{
"id": "ent.saml.license_disable.app_error",
"translation": "Your license does not support SAML authentication."
},
{
"id": "ent.saml.metadata.app_error",
"translation": "An error occurred while building Service Provider Metadata."
},
{
"id": "ent.saml.service_disable.app_error",
"translation": "SAML is not configured or supported on this server."
},
{
"id": "ent.saml.update_saml_user.unable_error",
"translation": "Unable to update existing SAML user. Allowing login anyway. err=%v"
},
{
"id": "error.generic.link_message",
"translation": "Back to Mattermost"
......@@ -2571,6 +2671,46 @@
"id": "model.config.is_valid.restrict_direct_message.app_error",
"translation": "Invalid direct message restriction. Must be 'any', or 'team'"
},
{
"id": "model.config.is_valid.saml_assertion_consumer_service_url.app_error",
"translation": "Service Provider Login URL must be a valid URL and start with http:// or https://."
},
{
"id": "model.config.is_valid.saml_email_attribute.app_error",
"translation": "Invalid Email attribute. Must be set."
},
{
"id": "model.config.is_valid.saml_first_name_attribute.app_error",
"translation": "Invalid First Name attribute. Must be set."
},
{
"id": "model.config.is_valid.saml_idp_cert.app_error",
"translation": "Identity Provider Public Certificate missing. Did you forget to upload it?"
},
{
"id": "model.config.is_valid.saml_idp_descriptor_url.app_error",
"translation": "Identity Provider Issuer URL must be a valid URL and start with http:// or https://."
},
{
"id": "model.config.is_valid.saml_idp_url.app_error",
"translation": "SAML SSO URL must be a valid URL and start with http:// or https://."
},
{
"id": "model.config.is_valid.saml_last_name_attribute.app_error",
"translation": "Invalid Last Name attribute. Must be set."
},
{
"id": "model.config.is_valid.saml_private_key.app_error",
"translation": "Service Provider Private Key missing. Did you forget to upload it?"
},
{
"id": "model.config.is_valid.saml_public_cert.app_error",
"translation": "Service Provider Public Certificate missing. Did you forget to upload it?"
},
{
"id": "model.config.is_valid.saml_username_attribute.app_error",
"translation": "Invalid Username attribute. Must be set."
},
{
"id": "model.config.is_valid.sql_data_src.app_error",
"translation": "Invalid data source for SQL settings. Must be set."
......@@ -3795,6 +3935,10 @@
"id": "store.sql_user.save.email_exists.ldap_app_error",
"translation": "This account does not use LDAP authentication. Please sign in using email and password."
},
{
"id": "store.sql_user.save.email_exists.saml_app_error",
"translation": "This account does not use SAML authentication. Please sign in using email and password."
},
{
"id": "store.sql_user.save.existing.app_error",
"translation": "Must call update for exisiting user"
......@@ -3815,6 +3959,10 @@
"id": "store.sql_user.save.username_exists.ldap_app_error",
"translation": "An account with that username already exists. Please contact your Administrator."
},
{
"id": "store.sql_user.save.username_exists.saml_app_error",
"translation": "An account with that username already exists. Please contact your Administrator."
},
{
"id": "store.sql_user.update.app_error",
"translation": "We couldn't update the account"
......
......@@ -227,6 +227,31 @@ type LocalizationSettings struct {
AvailableLocales *string
}
type SamlSettings struct {
// Basic
Enable *bool
Verify *bool
Encrypt *bool
IdpUrl *string
IdpDescriptorUrl *string
AssertionConsumerServiceURL *string
IdpCertificateFile *string
PublicCertificateFile *string
PrivateKeyFile *string
// User Mapping
FirstNameAttribute *string
LastNameAttribute *string
EmailAttribute *string
UsernameAttribute *string
NicknameAttribute *string
LocaleAttribute *string
LoginButtonText *string
}
type Config struct {
ServiceSettings ServiceSettings
TeamSettings TeamSettings
......@@ -242,6 +267,7 @@ type Config struct {
LdapSettings LdapSettings
ComplianceSettings ComplianceSettings
LocalizationSettings LocalizationSettings
SamlSettings SamlSettings
}
func (o *Config) ToJson() string {
......@@ -627,6 +653,86 @@ func (o *Config) SetDefaults() {
o.LocalizationSettings.AvailableLocales = new(string)
*o.LocalizationSettings.AvailableLocales = ""
}
if o.SamlSettings.Enable == nil {
o.SamlSettings.Enable = new(bool)
*o.SamlSettings.Enable = false
}
if o.SamlSettings.Verify == nil {
o.SamlSettings.Verify = new(bool)
*o.SamlSettings.Verify = false
}
if o.SamlSettings.Encrypt == nil {
o.SamlSettings.Encrypt = new(bool)
*o.SamlSettings.Encrypt = false
}
if o.SamlSettings.IdpUrl == nil {
o.SamlSettings.IdpUrl = new(string)
*o.SamlSettings.IdpUrl = ""
}
if o.SamlSettings.IdpDescriptorUrl == nil {
o.SamlSettings.IdpDescriptorUrl = new(string)
*o.SamlSettings.IdpDescriptorUrl = ""
}
if o.SamlSettings.IdpCertificateFile == nil {
o.SamlSettings.IdpCertificateFile = new(string)
*o.SamlSettings.IdpCertificateFile = ""
}
if o.SamlSettings.PublicCertificateFile == nil {
o.SamlSettings.PublicCertificateFile = new(string)
*o.SamlSettings.PublicCertificateFile = ""
}
if o.SamlSettings.PrivateKeyFile == nil {
o.SamlSettings.PrivateKeyFile = new(string)
*o.SamlSettings.PrivateKeyFile = ""
}