fleet/server/sso/validate.go

package sso

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"strings"
	"time"

	"github.com/beevik/etree"
	"github.com/kolide/fleet/server/kolide"
	"github.com/pkg/errors"
	gosamltypes "github.com/russellhaering/gosaml2/types"
	dsig "github.com/russellhaering/goxmldsig"
	"github.com/russellhaering/goxmldsig/etreeutils"
)

type Validator interface {
	ValidateSignature(auth kolide.Auth) (kolide.Auth, error)
	ValidateResponse(auth kolide.Auth) error
}

type validator struct {
	context  *dsig.ValidationContext
	clock    *dsig.Clock
	metadata gosamltypes.EntityDescriptor
}

func Clock(clock *dsig.Clock) func(v *validator) {
	return func(v *validator) {
		v.clock = clock
	}
}

// NewValidator is used to validate the response to an auth request.
// metadata is from the IDP.
func NewValidator(metadata string, opts ...func(v *validator)) (Validator, error) {
	var v validator

	err := xml.Unmarshal([]byte(metadata), &v.metadata)
	if err != nil {
		return nil, errors.Wrap(err, "unmarshalling metadata")
	}
	var idpCertStore dsig.MemoryX509CertificateStore
	for _, key := range v.metadata.IDPSSODescriptor.KeyDescriptors {
		if len(key.KeyInfo.X509Data.X509Certificates) == 0 {
			return nil, errors.New("missing x509 cert")
		}
		certData, err := base64.StdEncoding.DecodeString(strings.TrimSpace(key.KeyInfo.X509Data.X509Certificates[0].Data))
		if err != nil {
			return nil, errors.Wrap(err, "decoding idp x509 cert")
		}
		cert, err := x509.ParseCertificate(certData)
		if err != nil {
			return nil, errors.Wrap(err, "parsing idp x509 cert")
		}
		idpCertStore.Roots = append(idpCertStore.Roots, cert)
	}
	for _, opt := range opts {
		opt(&v)
	}
	if v.clock == nil {
		v.clock = dsig.NewRealClock()
	}
	v.context = dsig.NewDefaultValidationContext(&idpCertStore)
	v.context.Clock = v.clock
	return &v, nil
}

func (v *validator) ValidateResponse(auth kolide.Auth) error {
	info := auth.(*resp)
	// make sure response is current
	onOrAfter, err := time.Parse(time.RFC3339, info.response.Assertion.Conditions.NotOnOrAfter)
	if err != nil {
		return errors.Wrap(err, "missing timestamp from condition")
	}
	notBefore, err := time.Parse(time.RFC3339, info.response.Assertion.Conditions.NotBefore)
	if err != nil {
		return errors.Wrap(err, "missing timestamp from condition")
	}
	currentTime := v.clock.Now()
	if currentTime.After(onOrAfter) {
		return errors.New("response expired")
	}
	if currentTime.Before(notBefore) {
		return errors.New("response too early")
	}
	if auth.UserID() == "" {
		return errors.New("missing user id")
	}
	return nil
}

func (v *validator) ValidateSignature(auth kolide.Auth) (kolide.Auth, error) {
	info := auth.(*resp)
	status, err := info.status()
	if err != nil {
		return nil, errors.New("missing or malformed response")
	}
	if status != Success {
		return nil, errors.Errorf("response status %s", info.statusDescription())
	}
	decoded, err := base64.StdEncoding.DecodeString(info.rawResponse())
	if err != nil {
		return nil, errors.Wrap(err, "based64 decoding response")
	}
	doc := etree.NewDocument()
	err = doc.ReadFromBytes(decoded)
	if err != nil || doc.Root() == nil {
		return nil, errors.Wrap(err, "parsing xml response")
	}
	elt := doc.Root()
	signed, err := v.validateSignature(elt)
	if err != nil {
		return nil, errors.Wrap(err, "signing verification failed")
	}
	// We've verified that the response hasn't been tampered with at this point
	signedDoc := etree.NewDocument()
	signedDoc.SetRoot(signed)
	buffer, err := signedDoc.WriteToBytes()
	if err != nil {
		return nil, errors.Wrap(err, "creating signed doc buffer")
	}
	var response Response
	err = xml.Unmarshal(buffer, &response)
	if err != nil {
		return nil, errors.Wrap(err, "unmarshalling signed doc")
	}
	info.setResponse(&response)
	return info, nil
}

func (v *validator) validateSignature(elt *etree.Element) (*etree.Element, error) {
	validated, err := v.context.Validate(elt)
	if err == nil {
		// If entire doc is signed, success, we're done.
		return validated, nil
	}
	if err == dsig.ErrMissingSignature {
		// If entire document is not signed find signed assertions, remove assertions
		// that are not signed.
		err = v.validateAssertionSignature(elt)
		if err != nil {
			return nil, err
		}
		return elt, nil
	}

	return nil, err
}

func (v *validator) validateAssertionSignature(elt *etree.Element) error {
	validateAssertion := func(ctx etreeutils.NSContext, unverified *etree.Element) error {
		if unverified.Parent() != elt {
			return errors.Errorf("assertion with unexpected parent: %s", unverified.Parent().Tag)
		}
		// Remove assertions that are not signed.
		detached, err := etreeutils.NSDetatch(ctx, unverified)
		if err != nil {
			return err
		}
		signed, err := v.context.Validate(detached)
		if err != nil {
			return err
		}
		elt.RemoveChild(unverified)
		elt.AddChild(signed)
		return nil
	}
	return etreeutils.NSFindIterate(elt, "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion", validateAssertion)
}

const (
	idPrefix   = "id"
	idSize     = 16
	idAlphabet = `1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`
)

// There isn't anything in the SAML spec that tells us what is valid inside an
// ID other than expecting that it has to be unique and valid XML. ADFS blows
// up on '=' in the ID, so we are using an alphabet that we know works.
//
// Azure IdP requires that the ID begin with a character so we use the constant
// prefix.
func generateSAMLValidID() (string, error) {
	randomBytes := make([]byte, idSize)
	_, err := rand.Read(randomBytes)
	if err != nil {
		return "", err
	}
	for i := 0; i < idSize; i++ {
		randomBytes[i] = idAlphabet[randomBytes[i]%byte(len(idAlphabet))]
	}
	return idPrefix + string(randomBytes), nil
}
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`package sso`

			`import (`
Fix SSO for ADFS (#1535) Closes #1533 Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works. Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding. 2017-08-01 02:48:42 +00:00			`"crypto/rand"`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`"crypto/x509"`
			`"encoding/base64"`
			`"encoding/xml"`
Trim whitespace from X509 certificate (#1900) 2018-08-10 19:42:35 +00:00			`"strings"`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`"time"`

			`"github.com/beevik/etree"`
Rename project to Kolide Fleet (#1529) 2017-06-22 19:50:45 +00:00			`"github.com/kolide/fleet/server/kolide"`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`"github.com/pkg/errors"`
			`gosamltypes "github.com/russellhaering/gosaml2/types"`
			`dsig "github.com/russellhaering/goxmldsig"`
			`"github.com/russellhaering/goxmldsig/etreeutils"`
			`)`

			`type Validator interface {`
			`ValidateSignature(auth kolide.Auth) (kolide.Auth, error)`
			`ValidateResponse(auth kolide.Auth) error`
			`}`

			`type validator struct {`
			`context *dsig.ValidationContext`
			`clock *dsig.Clock`
			`metadata gosamltypes.EntityDescriptor`
			`}`

			`func Clock(clock dsig.Clock) func(v validator) {`
			`return func(v *validator) {`
			`v.clock = clock`
			`}`
			`}`

			`// NewValidator is used to validate the response to an auth request.`
			`// metadata is from the IDP.`
			`func NewValidator(metadata string, opts ...func(v *validator)) (Validator, error) {`
			`var v validator`

			`err := xml.Unmarshal([]byte(metadata), &v.metadata)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "unmarshalling metadata")`
			`}`
			`var idpCertStore dsig.MemoryX509CertificateStore`
			`for _, key := range v.metadata.IDPSSODescriptor.KeyDescriptors {`
Update goxmldsig dependency (#2177) Update the github.com/russellhaering/goxmldsig dependency and apply the appropriate fixes for the API changes. This is a preparation for integration with github.com/AbGuthrie/goquery, which uses a newer version of the dependency. 2020-01-14 00:15:14 +00:00			`if len(key.KeyInfo.X509Data.X509Certificates) == 0 {`
			`return nil, errors.New("missing x509 cert")`
			`}`
			`certData, err := base64.StdEncoding.DecodeString(strings.TrimSpace(key.KeyInfo.X509Data.X509Certificates[0].Data))`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`if err != nil {`
			`return nil, errors.Wrap(err, "decoding idp x509 cert")`
			`}`
			`cert, err := x509.ParseCertificate(certData)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "parsing idp x509 cert")`
			`}`
			`idpCertStore.Roots = append(idpCertStore.Roots, cert)`
			`}`
			`for _, opt := range opts {`
			`opt(&v)`
			`}`
			`if v.clock == nil {`
			`v.clock = dsig.NewRealClock()`
			`}`
			`v.context = dsig.NewDefaultValidationContext(&idpCertStore)`
			`v.context.Clock = v.clock`
			`return &v, nil`
			`}`

			`func (v *validator) ValidateResponse(auth kolide.Auth) error {`
			`info := auth.(*resp)`
			`// make sure response is current`
			`onOrAfter, err := time.Parse(time.RFC3339, info.response.Assertion.Conditions.NotOnOrAfter)`
			`if err != nil {`
			`return errors.Wrap(err, "missing timestamp from condition")`
			`}`
			`notBefore, err := time.Parse(time.RFC3339, info.response.Assertion.Conditions.NotBefore)`
			`if err != nil {`
			`return errors.Wrap(err, "missing timestamp from condition")`
			`}`
			`currentTime := v.clock.Now()`
			`if currentTime.After(onOrAfter) {`
			`return errors.New("response expired")`
			`}`
			`if currentTime.Before(notBefore) {`
			`return errors.New("response too early")`
			`}`
			`if auth.UserID() == "" {`
			`return errors.New("missing user id")`
			`}`
			`return nil`
			`}`

			`func (v *validator) ValidateSignature(auth kolide.Auth) (kolide.Auth, error) {`
			`info := auth.(*resp)`
			`status, err := info.status()`
			`if err != nil {`
			`return nil, errors.New("missing or malformed response")`
			`}`
			`if status != Success {`
			`return nil, errors.Errorf("response status %s", info.statusDescription())`
			`}`
			`decoded, err := base64.StdEncoding.DecodeString(info.rawResponse())`
			`if err != nil {`
			`return nil, errors.Wrap(err, "based64 decoding response")`
			`}`
			`doc := etree.NewDocument()`
			`err = doc.ReadFromBytes(decoded)`
			`if err != nil \|\| doc.Root() == nil {`
			`return nil, errors.Wrap(err, "parsing xml response")`
			`}`
			`elt := doc.Root()`
			`signed, err := v.validateSignature(elt)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "signing verification failed")`
			`}`
			`// We've verified that the response hasn't been tampered with at this point`
			`signedDoc := etree.NewDocument()`
			`signedDoc.SetRoot(signed)`
Added ability to handle nested signed assertions in SAML response Closes #1532 Fixes error that was caused because there was a bug in processing nested assertions in a successful SAML response. This was not caught in the initial push of this code because the IDP's we tested against all sign the entire response document as opposed to parts of it. Thus the existing test cases didn't cover the code that dealt with nested assertions. 2017-07-18 20:28:35 +00:00			`buffer, err := signedDoc.WriteToBytes()`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`if err != nil {`
			`return nil, errors.Wrap(err, "creating signed doc buffer")`
			`}`
			`var response Response`
			`err = xml.Unmarshal(buffer, &response)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "unmarshalling signed doc")`
			`}`
			`info.setResponse(&response)`
			`return info, nil`
			`}`

			`func (v validator) validateSignature(elt etree.Element) (*etree.Element, error) {`
			`validated, err := v.context.Validate(elt)`
			`if err == nil {`
			`// If entire doc is signed, success, we're done.`
			`return validated, nil`
			`}`
			`if err == dsig.ErrMissingSignature {`
			`// If entire document is not signed find signed assertions, remove assertions`
			`// that are not signed.`
			`err = v.validateAssertionSignature(elt)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return elt, nil`
			`}`

			`return nil, err`
			`}`

			`func (v validator) validateAssertionSignature(elt etree.Element) error {`
			`validateAssertion := func(ctx etreeutils.NSContext, unverified *etree.Element) error {`
			`if unverified.Parent() != elt {`
			`return errors.Errorf("assertion with unexpected parent: %s", unverified.Parent().Tag)`
			`}`
			`// Remove assertions that are not signed.`
			`detached, err := etreeutils.NSDetatch(ctx, unverified)`
			`if err != nil {`
			`return err`
			`}`
			`signed, err := v.context.Validate(detached)`
			`if err != nil {`
			`return err`
			`}`
			`elt.RemoveChild(unverified)`
			`elt.AddChild(signed)`
			`return nil`
			`}`
			`return etreeutils.NSFindIterate(elt, "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion", validateAssertion)`
			`}`
Fix SSO for ADFS (#1535) Closes #1533 Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works. Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding. 2017-08-01 02:48:42 +00:00
			`const (`
Add 'id' prefix to generated SAML IDs (#2046) Though the SAML spec does not specify what the contents of the ID must be, the Azure IdP implementation prohibits it beginning with a number. We follow their suggestion to prefix with 'id'. See https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol. Fixes #2044. 2019-05-16 20:51:42 +00:00			`idPrefix = "id"`
Fix SSO for ADFS (#1535) Closes #1533 Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works. Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding. 2017-08-01 02:48:42 +00:00			`idSize = 16`
			idAlphabet = `1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`
			`)`

Add 'id' prefix to generated SAML IDs (#2046) Though the SAML spec does not specify what the contents of the ID must be, the Azure IdP implementation prohibits it beginning with a number. We follow their suggestion to prefix with 'id'. See https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol. Fixes #2044. 2019-05-16 20:51:42 +00:00			`// There isn't anything in the SAML spec that tells us what is valid inside an`
			`// ID other than expecting that it has to be unique and valid XML. ADFS blows`
			`// up on '=' in the ID, so we are using an alphabet that we know works.`
			`//`
			`// Azure IdP requires that the ID begin with a character so we use the constant`
			`// prefix.`
Fix SSO for ADFS (#1535) Closes #1533 Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works. Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding. 2017-08-01 02:48:42 +00:00			`func generateSAMLValidID() (string, error) {`
			`randomBytes := make([]byte, idSize)`
			`_, err := rand.Read(randomBytes)`
			`if err != nil {`
			`return "", err`
			`}`
			`for i := 0; i < idSize; i++ {`
			`randomBytes[i] = idAlphabet[randomBytes[i]%byte(len(idAlphabet))]`
			`}`
Add 'id' prefix to generated SAML IDs (#2046) Though the SAML spec does not specify what the contents of the ID must be, the Azure IdP implementation prohibits it beginning with a number. We follow their suggestion to prefix with 'id'. See https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol. Fixes #2044. 2019-05-16 20:51:42 +00:00			`return idPrefix + string(randomBytes), nil`
Fix SSO for ADFS (#1535) Closes #1533 Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works. Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding. 2017-08-01 02:48:42 +00:00			`}`