samlidp

package

v0.2.0 Latest Latest Go to latest Published: Dec 15, 2020 License: BSD-2-Clause Imports: 21 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/rancher/saml

Links

Open Source Insights

Documentation ¶

Overview ¶

Package samlidp a rudimentary SAML identity provider suitable for testing or as a starting point for a more complex service.

Index ¶

Variables
type MemoryStore
type Options
type Server
- func New(opts Options) (*Server, error)
type Service
type Shortcut
type Store
type User

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrNotFound = errors.New("not found")

ErrNotFound is returned from Store.Get() when a stored item is not present

Functions ¶

This section is empty.

Types ¶

type MemoryStore ¶

type MemoryStore struct {
	// contains filtered or unexported fields
}

MemoryStore is an implementation of Store that resides completely in memory.

func (*MemoryStore) Delete ¶

func (s *MemoryStore) Delete(key string) error

Delete removes `key`

func (*MemoryStore) Get ¶

func (s *MemoryStore) Get(key string, value interface{}) error

Get fetches the data stored in `key` and unmarshals it into `value`.

func (*MemoryStore) List ¶

func (s *MemoryStore) List(prefix string) ([]string, error)

List returns all the keys that start with `prefix`. The prefix is stripped from each returned value. So if keys are ["aa", "ab", "cd"] then List("a") would produce []string{"a", "b"}

func (*MemoryStore) Put ¶

func (s *MemoryStore) Put(key string, value interface{}) error

Put marshals `value` and stores it in `key`.

type Options ¶

type Options struct {
	URL         url.URL
	Key         crypto.PrivateKey
	Logger      logger.Interface
	Certificate *x509.Certificate
	Store       Store
}

Options represent the parameters to New() for creating a new IDP server

type Server ¶

type Server struct {
	http.Handler

	IDP   saml.IdentityProvider // the underlying IDP
	Store Store                 // the data store
	// contains filtered or unexported fields
}

Server represents an IDP server. The server provides the following URLs:

/metadata     - the SAML metadata
/sso          - the SAML endpoint to initiate an authentication flow
/login        - prompt for a username and password if no session established
/login/:shortcut - kick off an IDP-initiated authentication flow
/services     - RESTful interface to Service objects
/users        - RESTful interface to User objects
/sessions     - RESTful interface to Session objects
/shortcuts    - RESTful interface to Shortcut objects

func New ¶

func New(opts Options) (*Server, error)

New returns a new Server

func (*Server) GetServiceProvider ¶

func (s *Server) GetServiceProvider(r *http.Request, serviceProviderID string) (*saml.EntityDescriptor, error)

GetServiceProvider returns the Service Provider metadata for the service provider ID, which is typically the service provider's metadata URL. If an appropriate service provider cannot be found then the returned error must be os.ErrNotExist.

func (*Server) GetSession ¶

func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.IdpAuthnRequest) *saml.Session

GetSession returns the *Session for this request.

If the remote user has specified a username and password in the request then it is validated against the user database. If valid it sets a cookie and returns the newly created session object.

If the remote user has specified invalid credentials then a login form is returned with an English-language toast telling the user their password was invalid.

If a session cookie already exists and represents a valid session, then the session is returned

If neither credentials nor a valid session cookie exist, this function sends a login form and returns nil.

func (*Server) HandleDeleteService ¶

func (s *Server) HandleDeleteService(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteService handles the `DELETE /services/:id` request.

func (*Server) HandleDeleteSession ¶

func (s *Server) HandleDeleteSession(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteSession handles the `DELETE /sessions/:id` request. It invalidates the specified session.

func (*Server) HandleDeleteShortcut ¶

func (s *Server) HandleDeleteShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteShortcut handles the `DELETE /shortcuts/:id` request.

func (*Server) HandleDeleteUser ¶

func (s *Server) HandleDeleteUser(c web.C, w http.ResponseWriter, r *http.Request)

HandleDeleteUser handles the `DELETE /users/:id` request.

func (*Server) HandleGetService ¶

func (s *Server) HandleGetService(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetService handles the `GET /services/:id` request and responds with the service metadata in XML format.

func (*Server) HandleGetSession ¶

func (s *Server) HandleGetSession(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetSession handles the `GET /sessions/:id` request and responds with the session object in JSON format.

func (*Server) HandleGetShortcut ¶

func (s *Server) HandleGetShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetShortcut handles the `GET /shortcuts/:id` request and responds with the shortcut object in JSON format.

func (*Server) HandleGetUser ¶

func (s *Server) HandleGetUser(c web.C, w http.ResponseWriter, r *http.Request)

HandleGetUser handles the `GET /users/:id` request and responds with the user object in JSON format. The HashedPassword field is excluded.

func (*Server) HandleIDPInitiated ¶

func (s *Server) HandleIDPInitiated(c web.C, w http.ResponseWriter, r *http.Request)

HandleIDPInitiated handles a request for an IDP initiated login flow. It looks up the specified shortcut, generates the appropriate SAML assertion and redirects the user via the HTTP-POST binding to the service providers ACS URL.

func (*Server) HandleListServices ¶

func (s *Server) HandleListServices(c web.C, w http.ResponseWriter, r *http.Request)

HandleListServices handles the `GET /services/` request and responds with a JSON formatted list of service names.

func (*Server) HandleListSessions ¶

func (s *Server) HandleListSessions(c web.C, w http.ResponseWriter, r *http.Request)

HandleListSessions handles the `GET /sessions/` request and responds with a JSON formatted list of session names.

func (*Server) HandleListShortcuts ¶

func (s *Server) HandleListShortcuts(c web.C, w http.ResponseWriter, r *http.Request)

HandleListShortcuts handles the `GET /shortcuts/` request and responds with a JSON formatted list of shortcut names.

func (*Server) HandleListUsers ¶

func (s *Server) HandleListUsers(c web.C, w http.ResponseWriter, r *http.Request)

HandleListUsers handles the `GET /users/` request and responds with a JSON formatted list of user names.

func (*Server) HandleLogin ¶

func (s *Server) HandleLogin(c web.C, w http.ResponseWriter, r *http.Request)

HandleLogin handles the `POST /login` and `GET /login` forms. If credentials are present in the request body, then they are validated. For valid credentials, the response is a 200 OK and the JSON session object. For invalid credentials, the HTML login prompt form is sent.

func (*Server) HandlePutService ¶

func (s *Server) HandlePutService(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutService handles the `PUT /shortcuts/:id` request. It accepts the XML-formatted service metadata in the request body and stores it.

func (*Server) HandlePutShortcut ¶

func (s *Server) HandlePutShortcut(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutShortcut handles the `PUT /shortcuts/:id` request. It accepts a JSON formatted shortcut object in the request body and stores it.

func (*Server) HandlePutUser ¶

func (s *Server) HandlePutUser(c web.C, w http.ResponseWriter, r *http.Request)

HandlePutUser handles the `PUT /users/:id` request. It accepts a JSON formatted user object in the request body and stores it. If the PlaintextPassword field is present then it is hashed and stored in HashedPassword. If the PlaintextPassword field is not present then HashedPassword retains it's stored value.

func (*Server) InitializeHTTP ¶

func (s *Server) InitializeHTTP()

InitializeHTTP sets up the HTTP handler for the server. (This function is called automatically for you by New, but you may need to call it yourself if you don't create the object using New.)

type Service ¶

type Service struct {
	// Name is the name of the service provider
	Name string

	// Metdata is the XML metadata of the service provider.
	Metadata saml.EntityDescriptor
}

Service represents a configured SP for whom this IDP provides authentication services.

type Shortcut ¶

type Shortcut struct {
	// The name of the shortcut.
	Name string `json:"name"`

	// The entity ID of the service provider to use for this shortcut, i.e.
	// https://someapp.example.com/saml/metadata.
	ServiceProviderID string `json:"service_provider"`

	// If specified then the relay state is the fixed string provided
	RelayState *string `json:"relay_state,omitempty"`

	// If true then the URL suffix is used as the relayState. So for example, a user
	// requesting https://idp.example.com/login/myservice/foo will get redirected
	// to the myservice endpoint with a RelayState of "foo".
	URISuffixAsRelayState bool `json:"url_suffix_as_relay_state,omitempty"`
}

Shortcut represents an IDP-initiated SAML flow. When a user navigates to /login/:shortcut it initiates the login flow to the specified service provider with the specified RelayState.

type Store ¶

type Store interface {
	// Get fetches the data stored in `key` and unmarshals it into `value`.
	Get(key string, value interface{}) error

	// Put marshals `value` and stores it in `key`.
	Put(key string, value interface{}) error

	// Delete removes `key`
	Delete(key string) error

	// List returns all the keys that start with `prefix`. The prefix is
	// stripped from each returned value. So if keys are ["aa", "ab", "cd"]
	// then List("a") would produce []string{"a", "b"}
	List(prefix string) ([]string, error)
}

Store is an interface that describes an abstract key-value store.

type User ¶

type User struct {
	Name              string   `json:"name"`
	PlaintextPassword *string  `json:"password,omitempty"` // not stored
	HashedPassword    []byte   `json:"hashed_password,omitempty"`
	Groups            []string `json:"groups,omitempty"`
	Email             string   `json:"email,omitempty"`
	CommonName        string   `json:"common_name,omitempty"`
	Surname           string   `json:"surname,omitempty"`
	GivenName         string   `json:"given_name,omitempty"`
}

User represents a stored user. The data here are used to populate user once the user has authenticated.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL