Use github.com/rancher/saml and also change option handling

Author: andrewheberle

go.mod

@@ -2,6 +2,8 @@ module github.com/andrewheberle/go-http-auth-server
 
 go 1.21.4
 
+replace github.com/crewjam/saml v0.4.14 => github.com/rancher/saml v0.4.14-rancher3
+
 require (
 	github.com/cloudflare/certinel v0.4.1
 	github.com/crewjam/saml v0.4.14
@@ -15,7 +17,7 @@ require (
 )
 
 require (
-	github.com/beevik/etree v1.1.0 // indirect
+	github.com/beevik/etree v1.2.0 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect

go.sum

@@ -1,13 +1,12 @@
-github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
+github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
+github.com/beevik/etree v1.2.0/go.mod h1:aiPf89g/1k3AShMVAzriilpcE4R/Vuor90y83zVZWFc=
 github.com/cloudflare/certinel v0.4.1 h1:b0nGqKxEjCe6aS3SoZf0HwjkzfCCAqGzZj8iB9ZJGW0=
 github.com/cloudflare/certinel v0.4.1/go.mod h1:hcx0SA3fmeMzo6egeOzN/29/xfA4+bhZttHvR20a4YA=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
-github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
-github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -53,6 +52,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rancher/saml v0.4.14-rancher3 h1:2NN6cPqm9FJeiT25x8+gLHWGdulsEak33cHRkGaJ5v0=
+github.com/rancher/saml v0.4.14-rancher3/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=

internal/cmd/root.go

@@ -44,7 +44,7 @@ func init() {
 	rootCmd.Flags().String("sp-cert", "", "Service Provider Certificate")
 	rootCmd.Flags().String("sp-key", "", "Service Provider Key")
 	rootCmd.Flags().String("sp-url", "http://localhost:9091", "Service Provider URL")
-	rootCmd.Flags().StringToString("sp-claim-mapping", map[string]string{"remote-user": "urn:oasis:names:tc:SAML:attribute:subject-id", "remote-email": "mail", "remote-name": "displayName", "remote-groups": "role"}, "Mapping of claims to headers")
+	rootCmd.Flags().StringToString("sp-claim-mapping", sp.DefaultClaimMapping, "Mapping of claims to headers")
 	rootCmd.Flags().String("idp-metadata", "", "IdP Metadata URL")
 	rootCmd.Flags().String("idp-issuer", "", "IdP Issuer/Entity ID")
 	rootCmd.Flags().String("idp-sso-endpoint", "", "IdP SSO/login Endpoint")
@@ -94,32 +94,32 @@ func runRootCmd() error {
 		return fmt.Errorf("problem with SP URL: %w", err)
 	}
 
-	// set up metadata
-	metadata, err := func() (interface{}, error) {
-		if m := viper.GetString("idp-metadata"); m != "" {
-			// from url
-			return url.Parse(m)
-		}
+	// set up service provider options
+	opts := []sp.ServiceProviderOption{
+		sp.WithClaimMapping(viper.GetStringMapString("sp-claim-mapping")),
+	}
 
-		// error if the options for custom metadata are not set
-		if viper.GetString("idp-issuer") == "" {
-			return nil, fmt.Errorf("no metadata url or IdP information provided")
+	// handle metadata
+	if m := viper.GetString("idp-metadata"); m != "" {
+		metadata, err := url.Parse(m)
+		if err != nil {
+			return fmt.Errorf("problem parsing IdP metadata url: %w", err)
 		}
 
-		// or custom made
-		return sp.ServiceProviderMetadata{
+		opts = append(opts, sp.WithMetadataURL(metadata))
+	} else {
+		metadata := sp.ServiceProviderMetadata{
 			Issuer:      viper.GetString("idp-issuer"),
 			Endpoint:    viper.GetString("idp-sso-endpoint"),
 			NameId:      "persistent",
 			Certificate: viper.GetString("idp-certificate"),
-		}, nil
-	}()
-	if err != nil {
-		return fmt.Errorf("problem with settign up IdP metadata: %w", err)
+		}
+
+		opts = append(opts, sp.WithCustomMetadata(metadata))
 	}
 
 	// set up auth provider
-	provider, err := sp.NewServiceProvider(viper.GetString("sp-cert"), viper.GetString("sp-key"), metadata, root, viper.GetStringMapString("sp-claim-mapping"))
+	provider, err := sp.NewServiceProvider(viper.GetString("sp-cert"), viper.GetString("sp-key"), root, opts...)
 	if err != nil {
 		return fmt.Errorf("problem setting up SP: %w", err)
 	}
@@ -211,8 +211,20 @@ func runRootCmd() error {
 				default:
 					time.Sleep(time.Hour * 24)
 
+					// parse url
+					metadata, _ := url.Parse(viper.GetString("idp-metadata"))
+					if err != nil {
+						return fmt.Errorf("problem parsing IdP metadata url: %w", err)
+					}
+
+					// set up service provider options
+					opts := []sp.ServiceProviderOption{
+						sp.WithClaimMapping(viper.GetStringMapString("sp-claim-mapping")),
+						sp.WithMetadataURL(metadata),
+					}
+
 					// set up provider
-					provider, err := sp.NewServiceProvider(viper.GetString("sp-cert"), viper.GetString("sp-key"), metadata, root, viper.GetStringMapString("sp-claim-mapping"))
+					provider, err := sp.NewServiceProvider(viper.GetString("sp-cert"), viper.GetString("sp-key"), root, opts...)
 					if err != nil {
 						// not a fatal error
 						slog.Error("saml service provider reload", "error", err)

pkg/sp/codec.go

@@ -4,15 +4,14 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
-	"sync"
 
 	"github.com/crewjam/saml/samlsp"
 	"github.com/golang-jwt/jwt/v4"
 )
 
 type JWTSessionCodec struct {
 	samlsp.JWTSessionCodec
-	store *AttributeStore
+	store AttributeStore
 }
 
 func (c JWTSessionCodec) Encode(s samlsp.Session) (string, error) {
@@ -64,52 +63,8 @@ func (c JWTSessionCodec) Decode(signed string) (samlsp.Session, error) {
 	return claims, nil
 }
 
-type AttributeStore struct {
-	store map[string]samlsp.Attributes
-	mu    sync.RWMutex
-}
-
-func NewAttributeStore() *AttributeStore {
-	return &AttributeStore{
-		store: make(map[string]samlsp.Attributes),
-	}
-}
-
-func (s *AttributeStore) Get(id string) (samlsp.Attributes, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	if attrs, found := s.store[id]; found {
-		slog.Debug("getting attributes from store", "id", id, "attrs", attrs)
-
-		return attrs, nil
-	}
-
-	return nil, fmt.Errorf("not found")
-}
-
-func (s *AttributeStore) Set(id string, attrs samlsp.Attributes) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if s.store == nil {
-		s.store = make(map[string]samlsp.Attributes)
-	}
-
-	slog.Debug("setting attributes in store", "id", id, "attrs", attrs)
-
-	s.store[id] = attrs
-}
-
-func (s *AttributeStore) Delete(id string) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if s.store == nil {
-		return
-	}
-
-	slog.Debug("deleting attributes in store", "id", id)
-
-	delete(s.store, id)
+type AttributeStore interface {
+	Get(id string) (samlsp.Attributes, error)
+	Set(id string, attrs samlsp.Attributes)
+	Delete(id string)
 }

pkg/sp/memorystore.go

@@ -0,0 +1,59 @@
+package sp
+
+import (
+	"fmt"
+	"log/slog"
+	"sync"
+
+	"github.com/crewjam/saml/samlsp"
+)
+
+type MemoryAttributeStore struct {
+	store map[string]samlsp.Attributes
+	mu    sync.RWMutex
+}
+
+func NewMemoryAttributeStore() *MemoryAttributeStore {
+	return &MemoryAttributeStore{
+		store: make(map[string]samlsp.Attributes),
+	}
+}
+
+func (s *MemoryAttributeStore) Get(id string) (samlsp.Attributes, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	if attrs, found := s.store[id]; found {
+		slog.Debug("getting attributes from store", "id", id, "attrs", attrs)
+
+		return attrs, nil
+	}
+
+	return nil, fmt.Errorf("not found")
+}
+
+func (s *MemoryAttributeStore) Set(id string, attrs samlsp.Attributes) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.store == nil {
+		s.store = make(map[string]samlsp.Attributes)
+	}
+
+	slog.Debug("setting attributes in store", "id", id, "attrs", attrs)
+
+	s.store[id] = attrs
+}
+
+func (s *MemoryAttributeStore) Delete(id string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.store == nil {
+		return
+	}
+
+	slog.Debug("deleting attributes in store", "id", id)
+
+	delete(s.store, id)
+}

pkg/sp/options.go

@@ -0,0 +1,61 @@
+package sp
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/crewjam/saml/samlsp"
+)
+
+type ServiceProviderOption func(*ServiceProvider)
+
+func WithMetadataURL(metadata *url.URL) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		// populate metadata either from a metadata URL or from custom values
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+		defer cancel()
+
+		// fetch metadata from URL
+		idpMetadata, err := samlsp.FetchMetadata(ctx, http.DefaultClient, *metadata)
+		if err != nil {
+			slog.Error("error fetching metadata", "error", err)
+			return
+		}
+
+		s.idpMetadata = idpMetadata
+	}
+}
+
+func WithCustomMetadata(metadata ServiceProviderMetadata) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		// build metadata from provided values
+		b, err := buildMetadata(metadata.Issuer, metadata.Endpoint, metadata.NameId, metadata.Certificate)
+		if err != nil {
+			slog.Error("metadata build error", "error", err)
+			return
+		}
+
+		idpMetadata, err := samlsp.ParseMetadata(b)
+		if err != nil {
+			slog.Error("custom metadata error", "error", err)
+			return
+		}
+
+		s.idpMetadata = idpMetadata
+	}
+}
+
+func WithClaimMapping(mapping map[string]string) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		s.mapping = mapping
+	}
+}
+
+func WithAttributeStore(store AttributeStore) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		s.store = store
+	}
+}