Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support SAML authentication #29403

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

Support SAML authentication #29403

wants to merge 20 commits into from

Conversation

6543
Copy link
Member

@6543 6543 commented Feb 25, 2024

Resubmit #25165 for review

Closes #5512

This PR adds basic SAML support

  • Adds SAML 2.0 as an auth source
  • Adds SAML configuration documentation
  • Adds integration test:
    • Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default)
    • Adds documentation for configuring and running SAML integration test locally

Future PRs:

  • Support group mapping
  • Support auto-registration (account linking)
  • Convert helper classes in this PR to tailwind
  • Test if github.com/crewjam/saml is more suited

Co-Authored-By: @jackHay22

Closes go-gitea#5512

This PR adds basic SAML support
- Adds SAML 2.0 as an auth source
- Adds SAML configuration documentation
- Adds integration test:
- Use bare-bones SAML IdP to test protocol flow and test account is
linked successfully (only runs on Postgres by default)
- Adds documentation for configuring and running SAML integration test
locally

Future PRs:
- Support group mapping
- Support auto-registration (account linking)

Co-Authored-By: @jackHay22

---------

Co-authored-by: jackHay22 <jack@allspice.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: morphelinho <morphelinho@users.noreply.github.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: silverwind <me@silverwind.io>
@6543 6543 added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Feb 25, 2024
@6543 6543 added this to the 1.22.0 milestone Feb 25, 2024
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Feb 25, 2024
@pull-request-size pull-request-size bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Feb 25, 2024
@6543
Copy link
Member Author

6543 commented Feb 25, 2024

as per #29358 and #25165 (comment)

the pull is resubmitted for review

@6543 6543 requested a review from a team February 25, 2024 19:59
templates/user/auth/signin_inner.tmpl Outdated Show resolved Hide resolved
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 25, 2024
@6543 6543 added type/changelog Adds the changelog for a new Gitea version topic/authentication labels Feb 25, 2024
@techknowlogick

This comment was marked as resolved.

@6543

This comment was marked as resolved.

@@ -90,6 +90,8 @@ require (
github.com/quasoft/websspi v1.1.2
github.com/redis/go-redis/v9 v9.4.0
github.com/robfig/cron/v3 v3.0.1
github.com/russellhaering/gosaml2 v0.9.1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found a more popular package(crewjam/saml) that we can use. It looks like russellhaering/gosaml2 only supports HTTP POST binding, but crewjam/saml supports both HTTP Redirect binding and HTTP POST binding.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you make a pull against my feature branch we can test that lib :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PS: it's no simple drop-in replacement :/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Zettat123 the pull is not originally from me but was just resubmited for review.

so @techknowlogick or @jackHay22 might know more about why thy have choosen the lib?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Zettat123 I'll added it to the followups is that ok or should we wait for the others to respond?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a strong opinion here; if the additional features are useful this would be a good time to make the switch.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Zettat123 It looks like gosaml2 supports HTTP redirect binding. Let me know if I'm missing something.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found an issue related to the Redirect binding. I haven't looked into this issue, but it looks like there is a workaround. But I think this issue not being solved for a long time means that the project is not very active.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't disagree but I think the crewjam/saml repo also has signs of inactivity.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think at some point a saml lib is just completed and only needs version bumps if it has dependencys?

so in this regards if there are no issues open anymore I'm fine with a inactive lib.

here both repos still have open issues :/

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 27, 2024
IdentityProviderMetadataURL: fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL),
InsecureSkipAssertionSignatureValidation: false,
NameIDFormat: 4,
ServiceProviderCertificate: "", // SimpleSAMLPhp requires that the SP certificate be specified in the server configuration rather than SP metadata
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is true? I've been using SimpleSAMLphp and it does accept SP certificates in the XML-format metadata directly.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would make sense; I just wasn't able to get it to work. Perhaps the version we use doesn't support it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@grawity could you provide an example of your config for this so we can adjust the tests?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to find the sources of the Docker image being used, so I don't know what it does with the SP metadata, but given the separate settings to specify ACS/SLO endpoints, I suspect it doesn't look at the XML metadata at all and just builds its own version like this?

But on a full SimpleSAMLphp 2.x installation (and I believe 1.19.x as well), you can list the whole XML file in config.php and it will happily accept signed requests. (Although plain sign-on requests don't use the SP certificate at all; it's just a) encrypted assertions or b) signed single-logout requests that need it; but I re-tested the latter to verify that SimpleSAMLphp pays attention to the certificate in the SP's XML file and it does.)

$config = [
    ...
    "metadata.sources" => [
        ["type" => "flatfile"],                             // the PHP-format saml20-sp-remote.php
        ["type" => "xml", "file" => "metadata/gitea.xml"],  // an XML-format metadata file
    ],
];

Even if you're using the PHP-format SP metadata file (saml20-sp-remote.php), where it might look like the certificate has to be in a separate file:

$metadata["https://SOME_ENTITY_ID"] = [
    "AssertionConsumerService" => "https://SOME_URL",
    "certificate" => "exlibris-alma.crt",
    ...
];

it is still possible to specify it inline, and the XML-to-PHP metadata converter that comes with SimpleSAMLphp (Admin > Federation) will include any found certificates inline as part of the PHP-format metadata:

$metadata["https://SOME_ENTITY_ID"] = [
    "AssertionConsumerService" => "https://SOME_URL",
    "keys" => [
        ["type" => "X509Certificate", "encryption" => true, "signing" => true, "X509Certificate" => "MII…"]
    ]
    ...
];

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the repository with the configuration: https://github.com/AllSpiceIO/docker-test-saml-idp/tree/master

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not certain on how thorough Gitea's requirements for test cases are, so take this with a grain of salt. But I don't think it's important to test SAML request signing because Gitea isn't making any claims that the IdP will rely on for the request. Also, (I sure hope) IdPs will be using HTTPS so there's no concern of tampering or confidentiality leaks anyways (not that there's any confidential data being sent by Gitea to begin with).

@6543
Copy link
Member Author

6543 commented Mar 1, 2024

We need to know soon, if switching the library is a breaking change !
cc @jackHay22

if it its, we should move it into the next release else merge it early and build upon it

@denyskon
Copy link
Member

denyskon commented Mar 3, 2024

@techknowlogick @jackHay22 @Zettat123 We need a decision soon, otherwise this PR won't be part of Gitea 1.22

@lunny lunny modified the milestones: 1.22.0, 1.23.0 Mar 4, 2024
@silverwind
Copy link
Member

Tailwind migration done.

@6543
Copy link
Member Author

6543 commented Mar 26, 2024

Thanks :)

@ldomesjo
Copy link

Will this make it into the 1.23 release? I've been looking forward for this feature :)

@techknowlogick
Copy link
Member

Even though @6543 pinged me when we last saw each other, I'm sorry for letting this one drop off my radar. I think we should seriously consider switching to the other SAML lib as reading more into the spec it seems that the missing option from the existing library in use in this PR is a somewhat common option to use. I have access to push to this branch so I can resolve existing conflicts and start to work on that (I don't want to ask others to do the work, as they have already done so much, and to ask to do even more would be too much to ask).

@6543
Copy link
Member Author

6543 commented Sep 1, 2024

If you want you can also fetch this branch and create your own pull, as this would indicate you as the main author again 😅 ... anyway good to hear you had time to read the actual spec. can you suggest an library or is it to early? @techknowlogick

@lunny lunny modified the milestones: 1.23.0, 1.24.0 Oct 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/dependencies modifies/docs modifies/go Pull requests that update Go code modifies/internal modifies/js modifies/templates This PR modifies the template files modifies/translation size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. topic/authentication type/changelog Adds the changelog for a new Gitea version type/feature Completely new functionality. Can only be merged if feature freeze is not active.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support SAML 2.0 as Login-Source (Service Provider)