wip

Author: heiytor

api/pkg/responses/system.go

@@ -9,6 +9,7 @@ type SystemInfo struct {
 
 type SystemAuthenticationInfo struct {
 	Local bool `json:"local"`
+	SAML  bool `json:"saml"`
 }
 
 type SystemEndpointsInfo struct {

api/services/system.go

@@ -36,6 +36,7 @@ func (s *service) GetSystemInfo(ctx context.Context, req *requests.GetSystemInfo
 		},
 		Authentication: &responses.SystemAuthenticationInfo{
 			Local: system.Authentication.Local.Enabled,
+			SAML:  system.Authentication.SAML.Enabled,
 		},
 	}
 

api/store/mongo/migrations/main.go

@@ -98,6 +98,7 @@ func GenerateMigrations() []migrate.Migration {
 		migration86,
 		migration87,
 		migration88,
+		migration89,
 	}
 }
 

api/store/mongo/migrations/migration_89.go

@@ -0,0 +1,73 @@
+package migrations
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+	migrate "github.com/xakep666/mongo-migrate"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+)
+
+var migration89 = migrate.Migration{
+	Version:     89,
+	Description: "Adding an 'authentication.saml' attributes to system collection",
+	Up: migrate.MigrationFunc(func(ctx context.Context, db *mongo.Database) error {
+		logrus.WithFields(logrus.Fields{
+			"component": "migration",
+			"version":   89,
+			"action":    "Up",
+		}).Info("Applying migration")
+
+		filter := bson.M{
+			"authentication.saml": bson.M{"$exists": false},
+		}
+
+		update := bson.M{
+			"$set": bson.M{
+				"authentication.saml": bson.M{
+					"enabled": false,
+					"idp": bson.M{
+						"entity_id":    "",
+						"signon_url":   "",
+						"certificates": []string{},
+					},
+					"sp": bson.M{
+						"sign_auth_requests": false,
+						"certificate":        "",
+						"private_key":        "",
+					},
+				},
+			},
+		}
+
+		_, err := db.
+			Collection("system").
+			UpdateMany(ctx, filter, update)
+
+		return err
+	}),
+	Down: migrate.MigrationFunc(func(ctx context.Context, db *mongo.Database) error {
+		logrus.WithFields(logrus.Fields{
+			"component": "migration",
+			"version":   89,
+			"action":    "Down",
+		}).Info("Reverting migration")
+
+		filter := bson.M{
+			"authentication.saml": bson.M{"$exists": true},
+		}
+
+		update := bson.M{
+			"$unset": bson.M{
+				"authentication.saml": "",
+			},
+		}
+
+		_, err := db.
+			Collection("system").
+			UpdateMany(ctx, filter, update)
+
+		return err
+	}),
+}

api/store/mongo/migrations/migration_89_test.go

@@ -0,0 +1,136 @@
+package migrations
+
+import (
+	"context"
+	"testing"
+
+	"github.com/shellhub-io/shellhub/pkg/envs"
+	envmock "github.com/shellhub-io/shellhub/pkg/envs/mocks"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	migrate "github.com/xakep666/mongo-migrate"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+func TestMigration89Up(t *testing.T) {
+	ctx := context.Background()
+
+	mock := &envmock.Backend{}
+	envs.DefaultBackend = mock
+
+	tests := []struct {
+		description string
+		setup       func() error
+	}{
+		{
+			description: "Apply up on migration 89",
+			setup: func() error {
+				_, err := c.
+					Database("test").
+					Collection("system").
+					InsertOne(ctx, map[string]interface{}{
+						"authentication": map[string]interface{}{
+							"local": map[string]interface{}{
+								"enabled": true,
+							},
+						},
+					})
+
+				return err
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.description, func(tt *testing.T) {
+			tt.Cleanup(func() {
+				assert.NoError(tt, srv.Reset())
+			})
+
+			assert.NoError(tt, tc.setup())
+
+			migrates := migrate.NewMigrate(c.Database("test"), GenerateMigrations()[88])
+			require.NoError(tt, migrates.Up(context.Background(), migrate.AllAvailable))
+
+			query := c.
+				Database("test").
+				Collection("system").
+				FindOne(context.TODO(), bson.M{})
+
+			system := make(map[string]interface{})
+			require.NoError(tt, query.Decode(&system))
+
+			saml, ok := system["authentication"].(map[string]interface{})["saml"].(map[string]interface{})
+			require.Equal(tt, true, ok)
+
+			enabled, ok := saml["enabled"]
+			require.Equal(tt, true, ok)
+			require.Equal(tt, false, enabled)
+
+			idp, ok := saml["idp"].(map[string]interface{})
+			require.Equal(tt, true, ok)
+			require.Equal(tt, map[string]interface{}{"entity_id": "", "signon_url": "", "certificates": primitive.A{}}, idp)
+
+			sp, ok := saml["sp"].(map[string]interface{})
+			require.Equal(tt, true, ok)
+			require.Equal(tt, map[string]interface{}{"sign_auth_requests": false, "certificate": "", "private_key": ""}, sp)
+		})
+	}
+}
+
+func TestMigration89Down(t *testing.T) {
+	ctx := context.Background()
+
+	mock := &envmock.Backend{}
+	envs.DefaultBackend = mock
+
+	mock.On("Get", "SHELLHUB_CLOUD").Return("false")
+	mock.On("Get", "SHELLHUB_ENTERPRISE").Return("false")
+
+	tests := []struct {
+		description string
+		setup       func() error
+	}{
+		{
+			description: "Apply up on migration 89",
+			setup: func() error {
+				_, err := c.
+					Database("test").
+					Collection("system").
+					InsertOne(ctx, map[string]interface{}{
+						"authentication": map[string]interface{}{
+							"local": true,
+						},
+					})
+
+				return err
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.description, func(tt *testing.T) {
+			tt.Cleanup(func() {
+				assert.NoError(tt, srv.Reset())
+			})
+
+			assert.NoError(tt, tc.setup())
+
+			migrates := migrate.NewMigrate(c.Database("test"), GenerateMigrations()[88])
+			require.NoError(tt, migrates.Up(context.Background(), migrate.AllAvailable))
+			require.NoError(tt, migrates.Down(context.Background(), migrate.AllAvailable))
+
+			query := c.
+				Database("test").
+				Collection("system").
+				FindOne(context.TODO(), bson.M{})
+
+			system := make(map[string]interface{})
+			require.NoError(tt, query.Decode(&system))
+
+			_, ok := system["authentication"].(map[string]interface{})["saml"]
+			require.Equal(tt, false, ok)
+		})
+	}
+}

gateway/nginx/conf.d/shellhub.conf

@@ -452,6 +452,15 @@ server {
     {{ end -}}
 
     {{ if $cfg.EnableEnterprise -}}
+    location /api/saml/acs {
+        {{ set_upstream "cloud-api" 8080 }}
+
+        auth_request     off;
+        proxy_set_header X-Real-IP $x_real_ip;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_pass       http://upstream_router;
+    }
+
     location /api/user/mfa {
         {{ set_upstream "cloud-api" 8080 }}
 

pkg/models/system.go

@@ -9,11 +9,44 @@ type System struct {
 }
 
 type SystemAuthentication struct {
-	Local *SystemAuthenticationLocal `json:"manual" bson:"manual"`
+	Local *SystemAuthenticationLocal `json:"local" bson:"local"`
+	SAML  *SystemAuthenticationSAML  `json:"saml" bson:"saml"`
 }
 
 type SystemAuthenticationLocal struct {
 	// Enabled indicates whether manual authentication using a username and password is enabled or
 	// not.
 	Enabled bool `json:"enabled" bool:"enabled"`
 }
+
+type SystemAuthenticationSAML struct {
+	// Enabled indicates whether SAML authentication is enabled.
+	Enabled bool           `json:"enabled" bson:"enabled"`
+	Idp     *SystemIdpSAML `json:"idp" bson:"idp"`
+	Sp      *SystemSpSAML  `json:"sp" bson:"sp"`
+}
+
+type SystemIdpSAML struct {
+	EntityID  string `json:"entity_id" bson:"entity_id"`
+	SignonURL string `json:"signon_url" bson:"signon_url"`
+	// Certificates is a list of X.509 certificates provided by the IdP. These certificates are used
+	// by the SP to validate the digital signatures of SAML assertions issued by the IdP.
+	Certificates []string `json:"certificates" bson:"certificates"`
+}
+
+type SystemSpSAML struct {
+	// SignRequests indicates whether ShellHub should sign authentication requests.
+	// If enabled, an X509 certificate is used to sign the request, and the IdP must authenticate
+	// the request using the corresponding public certificate. Enabling this option disables
+	// the "IdP-initiated" authentication pipeline.
+	SignAuthRequests bool `json:"sign_auth_requests" bson:"sign_auth_requests"`
+	// Certificate is an X509 certificate that the IdP uses to verify the authenticity of the
+	// authentication request signed by ShellHub. This certificate corresponds to the private key
+	// in the [SystemSpSAML.PrivateKey] and it is only populated when [SystemSpSAML.SignAuthRequests]
+	// is true.
+	Certificate string `json:"certificate" bson:"certificate"`
+	// PrivateKey is an encrypted private key used by ShellHub to sign authentication requests.
+	// The IdP verifies the signature using the [SystemSpSAML.Certificate]. It is only populated
+	// when [SystemSpSAML.SignAuthRequests] is true.
+	PrivateKey string `json:"-" bson:"private_key"`
+}

pkg/models/user.go

@@ -33,6 +33,8 @@ const (
 	// UserOriginLocal indicates that the user was created through the standard signup process, without
 	// using third-party integrations like SSO IdPs.
 	UserOriginLocal UserOrigin = "local"
+	// UserOriginSAML indicates that the user was created using a SAML authentication method.
+	UserOriginSAML UserOrigin = "SSO"
 )
 
 func (o UserOrigin) String() string {
@@ -44,6 +46,8 @@ type UserAuthMethod string
 const (
 	// UserAuthMethodLocal indicates that the user can authenticate using an email and password.
 	UserAuthMethodLocal UserAuthMethod = "local"
+	// UserAuthMethodManual indicates that the user can authenticate using a third-party SAML application.
+	UserAuthMethodSAML UserAuthMethod = "saml"
 )
 
 func (a UserAuthMethod) String() string {