Add support for signing SAML requests

Antony1060 · Antony1060 · commit 8de43eccd551 · 2024-12-18T23:23:58.000+01:00
diff --git a/.env.example b/.env.example
@@ -12,4 +12,10 @@ SAML_IDP_METADATA_URL=https://sso.some.provider/saml/metadata.xml
 SAML_SP_ENTITY_ID=great-client-abcd
 SAML_SP_ACS_URL=http://localhost:3000/saml/acs
 SAML_SP_SLO_URL=http://localhost:3000/saml/slo
-SAML_SP_VERIFY_SIGNATURES=true
+SAML_SP_VERIFY_SIGNATURES=true
+
+# private keys should always be in PEM format, not DER
+SAML_SP_PRIVATE_KEY_LOCATION=./keys/private.der
+
+# can either be rsa or ecdsa
+SAML_SP_PRIVATE_KEY_TYPE=rsa
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
 /target
 .idea/
 .env
+
+keys/**
+!keys/.gitkeep
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -25,3 +25,4 @@ tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 url = "2.5.4"
 urlencoding = "2.1.3"
+openssl = "0.10.68"
diff --git a/keys/.gitkeep b/keys/.gitkeep
@@ -0,0 +1 @@
+keys
diff --git a/src/env.rs b/src/env.rs
@@ -1,3 +1,4 @@
+use crate::sso::saml::SamlPrivateKeyType;
 use thiserror::Error;
 use tracing::warn;
 use url::Url;
@@ -27,6 +28,8 @@ pub struct SamlConfig {
     pub acs_url: BaseUrlParts,
     pub slo_url: BaseUrlParts,
     pub verify_signatures: bool,
+    pub private_key: String,
+    pub private_key_type: SamlPrivateKeyType,
 }
 
 #[derive(Debug)]
@@ -105,6 +108,14 @@ fn init_saml_config() -> Result<SamlConfig, EnvError> {
         verify_signatures: get_env("SAML_SP_VERIFY_SIGNATURES")?
             .parse()
             .map_err(|_| EnvError::VarError("SAML_SP_VERIFY_SIGNATURES"))?,
+        private_key: get_env("SAML_SP_PRIVATE_KEY_LOCATION")?,
+        private_key_type: get_env("SAML_SP_PRIVATE_KEY_TYPE").map(|val| {
+            match val.to_ascii_lowercase().as_str() {
+                "rsa" => Ok(SamlPrivateKeyType::Rsa),
+                "ecdsa" => Ok(SamlPrivateKeyType::Ecdsa),
+                _ => Err(EnvError::VarError("SAML_SP_PRIVATE_KEY_TYPE")),
+            }
+        })??,
     })
 }
 
diff --git a/src/sso/saml.rs b/src/sso/saml.rs
@@ -3,6 +3,7 @@ use crate::models::UserAttribute;
 use base64::prelude::BASE64_STANDARD;
 use base64::Engine;
 use multimap::MultiMap;
+use openssl::pkey::PKey;
 use samael::attribute::Attribute;
 use samael::metadata::{EntityDescriptor, HTTP_REDIRECT_BINDING};
 use samael::schema::{Assertion, Subject, SubjectNameID};
@@ -37,10 +38,23 @@ pub enum SamlSetupError {
 
     #[error("Failed to build SAML service provider: {0}")]
     ServiceProviderError(#[from] samael::service_provider::ServiceProviderBuilderError),
+
+    #[error("Failed to read private key: {0}")]
+    IOError(#[from] std::io::Error),
+
+    #[error("Failed to parse private key: {0}")]
+    OpensslError(#[from] openssl::error::ErrorStack),
+}
+
+#[derive(Debug, Clone)]
+pub enum SamlPrivateKeyType {
+    Rsa,
+    Ecdsa,
 }
 
 pub struct SamlServiceProvider {
     sp: ServiceProvider,
+    private_key: PKey<openssl::pkey::Private>,
 }
 
 #[derive(Error, Debug)]
@@ -84,6 +98,18 @@ impl SamlServiceProvider {
             }
         })?;
 
+        let private_key_bytes = std::fs::read(&config.private_key)?;
+
+        let private_key = match config.private_key_type {
+            SamlPrivateKeyType::Rsa => {
+                PKey::from_rsa(openssl::rsa::Rsa::private_key_from_pem(&private_key_bytes)?)?
+            }
+            // TODO: untested
+            SamlPrivateKeyType::Ecdsa => PKey::from_ec_key(
+                openssl::ec::EcKey::private_key_from_pem(&private_key_bytes)?,
+            )?,
+        };
+
         let sp = samael::service_provider::ServiceProviderBuilder::default()
             .entity_id(config.entity_id.clone())
             .allow_idp_initiated(false)
@@ -92,7 +118,7 @@ impl SamlServiceProvider {
             .slo_url(config.slo_url.full_url.clone())
             .build()?;
 
-        Ok(Self { sp })
+        Ok(Self { sp, private_key })
     }
 
     fn remove_signing_descriptors(mut metadata: EntityDescriptor) -> EntityDescriptor {
@@ -125,7 +151,9 @@ impl SamlServiceProvider {
                 })?,
         )?;
 
-        let url = authn_request.redirect("")?.unwrap();
+        let url = authn_request
+            .signed_redirect("", self.private_key.clone())?
+            .unwrap();
 
         Ok(SamlAuthenticationRequest {
             id: authn_request.id.clone(),
@@ -182,7 +210,7 @@ impl SamlServiceProvider {
                 attribute_statement
                     .attributes
                     .into_iter()
-                    .filter_map(|attribute| Self::parse_attribute(attribute))
+                    .filter_map(Self::parse_attribute)
             })
             .collect();
 

-Original file line number
+Diff line change
 /target
 .idea/
 .env
++
 +keys/**
 +!keys/.gitkeep