SAML support (#3494)

* PLT-3073: Implement SAML/Okta Server side (EE) (#3422) * PLT-3137 Support for SAML configuration * PLT-3410 SAML Database Store * PLT-3411 CLI to add Identity Provider Certificate and Service Provider Private Key * PLT-3409 SAML Interface for EE * PLT-3139 Handle SAML authentication server side * Add localization messages * PLT-3443 SAML Obtain SP metadata * PLT-3142 Login & Switch to/from SAML * Remove Certs for Database & Clean SAML Request * Make required Username, FirstName and LastName * PLT-3140 Add SAML to System Console (#3476) * PLT-3140 Add SAML to System Console * Move web_client functions to client.jsx * Fix issues found by PM * update package.json mattermost driver * Fix text messages for SAML
author: enahum <nahumhbl@gmail.com> 2016-07-05 15:49:00 -0400
committer: GitHub <noreply@github.com> 2016-07-05 15:49:00 -0400
commit: 5f04dc4f45b9657d46380499f92ae6e5c1bf5506 (patch)
tree: 86670cb20e038f9716eca3ab9dcb7f2f71263286 /api
parent: f91b9d4a654ff27777580651d853b6372a425af6 (diff)
download: chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.tar.gz
chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.tar.bz2
chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.zip
4 files changed, 190 insertions, 7 deletions
diff --git a/api/admin.go b/api/admin.go
index f0db5a4af..4d1528104 100644
--- a/api/admin.go
+++ b/api/admin.go
@@ -5,6 +5,7 @@ package api
 
 import (
 	"bufio"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"os"
@@ -41,6 +42,9 @@ func InitAdmin() {
 	BaseRoutes.Admin.Handle("/reset_mfa", ApiAdminSystemRequired(adminResetMfa)).Methods("POST")
 	BaseRoutes.Admin.Handle("/reset_password", ApiAdminSystemRequired(adminResetPassword)).Methods("POST")
 	BaseRoutes.Admin.Handle("/ldap_sync_now", ApiAdminSystemRequired(ldapSyncNow)).Methods("POST")
+	BaseRoutes.Admin.Handle("/saml_metadata", ApiAppHandler(samlMetadata)).Methods("GET")
+	BaseRoutes.Admin.Handle("/add_certificate", ApiAdminSystemRequired(addCertificate)).Methods("POST")
+	BaseRoutes.Admin.Handle("/remove_certificate", ApiAdminSystemRequired(removeCertificate)).Methods("POST")
 }
 
 func getLogs(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -582,3 +586,76 @@ func ldapSyncNow(c *Context, w http.ResponseWriter, r *http.Request) {
 	rdata["status"] = "ok"
 	w.Write([]byte(model.MapToJson(rdata)))
 }
+
+func samlMetadata(c *Context, w http.ResponseWriter, r *http.Request) {
+	samlInterface := einterfaces.GetSamlInterface()
+
+	if samlInterface == nil {
+		c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.not_available.app_error", nil, "")
+		c.Err.StatusCode = http.StatusFound
+		return
+	}
+
+	if result, err := samlInterface.GetMetadata(); err != nil {
+		c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.metadata.app_error", nil, "err="+err.Message)
+		return
+	} else {
+		w.Header().Set("Content-Type", "application/xml")
+		w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"")
+		w.Write([]byte(result))
+	}
+}
+
+func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	m := r.MultipartForm
+
+	fileArray, ok := m.File["certificate"]
+	if !ok {
+		c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.no_file.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	if len(fileArray) <= 0 {
+		c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.array.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	fileData := fileArray[0]
+
+	file, err := fileData.Open()
+	defer file.Close()
+	if err != nil {
+		c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.open.app_error", nil, err.Error())
+		return
+	}
+
+	out, err := os.Create(utils.FindDir("config") + fileData.Filename)
+	if err != nil {
+		c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.saving.app_error", nil, err.Error())
+		return
+	}
+	defer out.Close()
+
+	io.Copy(out, file)
+	ReturnStatusOK(w)
+}
+
+func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	props := model.MapFromJson(r.Body)
+
+	filename := props["filename"]
+	if err := os.Remove(utils.FindConfigFile(filename)); err != nil {
+		c.Err = model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error",
+			map[string]interface{}{"Filename": filename}, err.Error())
+		return
+	}
+	ReturnStatusOK(w)
+}
diff --git a/api/authentication.go b/api/authentication.go
index 42a395253..8170f0a8e 100644
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -9,6 +9,7 @@ import (
 	"github.com/mattermost/platform/utils"
 
 	"net/http"
+	"strings"
 )
 
 func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
@@ -145,7 +146,11 @@ func authenticateUser(user *model.User, password, mfaToken string) (*model.User,
 			return ldapUser, nil
 		}
 	} else if user.AuthService != "" {
-		err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "")
+		authService := user.AuthService
+		if authService == model.USER_AUTH_SERVICE_SAML || authService == model.USER_AUTH_SERVICE_LDAP {
+			authService = strings.ToUpper(authService)
+		}
+		err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": authService}, "")
 		err.StatusCode = http.StatusBadRequest
 		return user, err
 	} else {
diff --git a/api/context.go b/api/context.go
index 1c0dae299..93ff83247 100644
--- a/api/context.go
+++ b/api/context.go
@@ -477,6 +477,11 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request)
 	link := "/"
 	linkMessage := T("api.templates.error.link")
 
+	status := http.StatusTemporaryRedirect
+	if err.StatusCode != http.StatusInternalServerError {
+		status = err.StatusCode
+	}
+
 	http.Redirect(
 		w,
 		r,
@@ -485,7 +490,7 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request)
 			"&details="+url.QueryEscape(details)+
 			"&link="+url.QueryEscape(link)+
 			"&linkmessage="+url.QueryEscape(linkMessage),
-		http.StatusTemporaryRedirect)
+		status)
 }
 
 func Handle404(w http.ResponseWriter, r *http.Request) {
diff --git a/api/user.go b/api/user.go
index 2ffda1bc5..47f20f6bf 100644
--- a/api/user.go
+++ b/api/user.go
@@ -5,6 +5,7 @@ package api
 
 import (
 	"bytes"
+	b64 "encoding/base64"
 	"fmt"
 	"hash/fnv"
 	"html/template"
@@ -71,6 +72,9 @@ func InitUser() {
 	BaseRoutes.NeedUser.Handle("/sessions", ApiUserRequired(getSessions)).Methods("GET")
 	BaseRoutes.NeedUser.Handle("/audits", ApiUserRequired(getAudits)).Methods("GET")
 	BaseRoutes.NeedUser.Handle("/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
+
+	BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(loginWithSaml)).Methods("GET")
+	BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(completeSaml)).Methods("POST")
 }
 
 func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -2005,12 +2009,16 @@ func emailToOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 	stateProps["email"] = email
 
 	m := map[string]string{}
-	if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil {
-		c.LogAuditWithUserId(user.Id, "fail - oauth issue")
-		c.Err = err
-		return
+	if service == model.USER_AUTH_SERVICE_SAML {
+		m["follow_link"] = c.GetSiteURL() + "/login/sso/saml?action=" + model.OAUTH_ACTION_EMAIL_TO_SSO + "&email=" + email
 	} else {
-		m["follow_link"] = authUrl
+		if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil {
+			c.LogAuditWithUserId(user.Id, "fail - oauth issue")
+			c.Err = err
+			return
+		} else {
+			m["follow_link"] = authUrl
+		}
 	}
 
 	c.LogAuditWithUserId(user.Id, "success")
@@ -2419,3 +2427,91 @@ func checkMfa(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 	w.Write([]byte(model.MapToJson(rdata)))
 }
+
+func loginWithSaml(c *Context, w http.ResponseWriter, r *http.Request) {
+	samlInterface := einterfaces.GetSamlInterface()
+
+	if samlInterface == nil {
+		c.Err = model.NewLocAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "")
+		c.Err.StatusCode = http.StatusFound
+		return
+	}
+
+	teamId, err := getTeamIdFromQuery(r.URL.Query())
+	if err != nil {
+		c.Err = err
+		return
+	}
+	action := r.URL.Query().Get("action")
+	relayState := ""
+
+	if len(action) != 0 {
+		relayProps := map[string]string{}
+		relayProps["team_id"] = teamId
+		relayProps["action"] = action
+		if action == model.OAUTH_ACTION_EMAIL_TO_SSO {
+			relayProps["email"] = r.URL.Query().Get("email")
+		}
+		relayState = b64.StdEncoding.EncodeToString([]byte(model.MapToJson(relayProps)))
+	}
+
+	if data, err := samlInterface.BuildRequest(relayState); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
+		http.Redirect(w, r, data.URL, http.StatusFound)
+	}
+}
+
+func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) {
+	samlInterface := einterfaces.GetSamlInterface()
+
+	if samlInterface == nil {
+		c.Err = model.NewLocAppError("completeSaml", "api.user.saml.not_available.app_error", nil, "")
+		c.Err.StatusCode = http.StatusFound
+		return
+	}
+
+	//Validate that the user is with SAML and all that
+	encodedXML := r.FormValue("SAMLResponse")
+	relayState := r.FormValue("RelayState")
+
+	relayProps := make(map[string]string)
+	if len(relayState) > 0 {
+		stateStr := ""
+		if b, err := b64.StdEncoding.DecodeString(relayState); err != nil {
+			c.Err = model.NewLocAppError("completeSaml", "api.user.authorize_oauth_user.invalid_state.app_error", nil, err.Error())
+			c.Err.StatusCode = http.StatusFound
+			return
+		} else {
+			stateStr = string(b)
+		}
+		relayProps = model.MapFromJson(strings.NewReader(stateStr))
+	}
+
+	if user, err := samlInterface.DoLogin(encodedXML, relayProps); err != nil {
+		c.Err = err
+		c.Err.StatusCode = http.StatusFound
+		return
+	} else {
+		if err := checkUserAdditionalAuthenticationCriteria(user, ""); err != nil {
+			c.Err = err
+			c.Err.StatusCode = http.StatusFound
+			return
+		}
+		action := relayProps["action"]
+		switch action {
+		case model.OAUTH_ACTION_SIGNUP:
+			teamId := relayProps["team_id"]
+			go addDirectChannels(teamId, user)
+			break
+		case model.OAUTH_ACTION_EMAIL_TO_SSO:
+			RevokeAllSession(c, user.Id)
+			go sendSignInChangeEmail(c, user.Email, c.GetSiteURL(), strings.Title(model.USER_AUTH_SERVICE_SAML)+" SSO")
+			break
+		}
+		doLogin(c, w, r, user, "")
+		http.Redirect(w, r, GetProtocol(r)+"://"+r.Host, http.StatusFound)
+	}
+}
author	enahum <nahumhbl@gmail.com>	2016-07-05 15:49:00 -0400
committer	GitHub <noreply@github.com>	2016-07-05 15:49:00 -0400
commit	5f04dc4f45b9657d46380499f92ae6e5c1bf5506 (patch)
tree	86670cb20e038f9716eca3ab9dcb7f2f71263286 /api
parent	f91b9d4a654ff27777580651d853b6372a425af6 (diff)
download	chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.tar.gz chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.tar.bz2 chat-5f04dc4f45b9657d46380499f92ae6e5c1bf5506.zip