Adds SAML SP

.github/workflows/ci.yml

@@ -14,6 +14,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: 3.12
+      - name: apt update
+        run: sudo apt update
+      - name: Install libxmlsec1
+        run: sudo apt-get install -y libxmlsec1-dev
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip pipenv

Aptfile

@@ -0,0 +1 @@
+libxmlsec1-dev

Dockerfile

@@ -0,0 +1,17 @@
+# syntax=docker/dockerfile:1
+FROM python:3.12
+
+RUN pip install --no-cache-dir --upgrade pip pipenv
+
+RUN apt-get update && apt-get upgrade -y && apt-get install -y git libxmlsec1-dev
+
+ENV FLASK_RUN_HOST=0.0.0.0
+ENV FLASK_ENV="development"
+
+WORKDIR /app
+COPY . .
+RUN pipenv install --dev --system --clear --deploy
+
+CMD ["make", "run-dev"]
+
+EXPOSE 5000

Makefile

@@ -16,26 +16,30 @@ update: install ## update all Python dependencies
 ## ---- Unit test commands ---- ##
 
 test: ## run tests and print a coverage report
-	pipenv run coverage run --source=cdnauth -m pytest -vv
+	FLASK_ENV=testing pipenv run coverage run --source=cdnauth -m pytest -vv
 	pipenv run coverage report -m
+	pipenv run coverage html
 
 coveralls: test
 	pipenv run coverage lcov -o ./coverage/lcov.info
 
 ## ---- Code quality and safety commands ---- ##
 
 # linting commands
-lint: black mypy ruff safety ## run all linters
+lint: black ruff safety ## run all linters
 
 black:
 	pipenv run black --check --diff .
 
-mypy:
-	pipenv run mypy .
+black-apply: # apply changes with 'black'
+	pipenv run black .
 
 ruff:
 	pipenv run ruff check .
 
+ruff-apply: # resolve 'fixable errors' with 'ruff'
+	pipenv run ruff check --fix .
+
 safety:
 	pipenv check
 	pipenv verify
@@ -45,6 +49,22 @@ safety:
 
 run-dev: ## run the flask app in dev
 	FLASK_ENV=development pipenv run flask --app cdnauth run --debug
+	# example of how to use SSL in dev. Very useful if you override /etc/hosts to have localhost
+	# act as touchstone registered SP
+	# FLASK_ENV=development pipenv run flask --app cdnauth run --debug --cert=adhoc
+
 
 run-prod: ## run the flask app in a prod-like mode
-	FLASK_ENV=production pipenv run gunicorn cdnauth:app --log-file -
+	FLASK_ENV=production pipenv run gunicorn --bind 0.0.0.0 cdnauth:app  --log-level debug --log-file -
+
+
+## ---- Useful commands for managing the app when using a container for dev ---- ##
+
+build: ## build local container
+	docker build -t cdnauth-local .
+
+app-bash: build ## bash shell in app container with linked file system to local directory
+	docker run -it -v.:/app -p 5000:5000 -p 8000:8000 --env-file .env cdnauth-local bash
+	# example of how to use SSL in dev. Very useful if you override /etc/hosts to have localhost
+	# act as touchstone registered SP
+	# docker run -it -v.:/app -p 443:5000 --env-file .env cdnauth-local bash

Pipfile

@@ -6,10 +6,12 @@ name = "pypi"
 [packages]
 flask = "*"
 gunicorn = "*"
+python3-saml = "*"
+lxml = "==4.9.4"
+pyjwt = "*"
 
 [dev-packages]
 black = "*"
-mypy = "*"
 ruff = "*"
 safety = "*"
 pytest = "*"

README.md

@@ -40,17 +40,115 @@ Not all links are publicly accessible.
 
 ## How to run this app locally
 
-- Pre-requisite: python 3.12 (if you use `asdf`, `asdf install python 3.12.1`)
-- switch to python 3.12 (`asdf shell python 3.12.1` or equivalent)
-- confirm you are using python 3.12 (`python --version`)
-- pipenv in your python 3.12 install: `pip install pipenv`
-  - note: failing to do this may not result in a noticeable problem, but this is still good practice as it will ensure you are using a `pipenv` within the correct version of python instead of one from your default version. Do this every time you install a new python version.
-- note: a python virtual environment will be created via `pipenv` when following the next steps if one does not yet exist. If you run into issues at any point, you can remove that virtualenv with `pipenv --rm` from the project root and start over.
+This application expects to be developed in docker. [There are dependency issues with libxmlxec1 on macos](https://github.com/SAML-Toolkits/python3-saml/issues/356) at this time and rather than each of us fighting with that, we will develop inside the docker container so it can be solved programatically and repeatably.
+
+Additionally, `lxml` versions newer than 4.9.4 [crash python3-saml](https://github.com/SAML-Toolkits/python3-saml/issues/389)
+
+### General development workflow
+
+- Pre-requisite: docker
+
+- `make app-bash` will build a new container and drop you into a shell. This will be your main interaction point from which you will run other commands. Code is automatically synced between your local environment and the container, so this only needs to be done once per session (or when changing settings in `local.env`).
+
+Within the docker container:
+
 - `make` to see useful commands for this application
-- Install local dependencies: `make install`
+- Install local dependencies: `make install` (this is done automatically when starting the bash shell, but if you make changes you can run this again without rebuilding and it should be fine)
 - Run tests: `make test`
 - Run linters: `make lint`
 - Run dev server: `make run-dev`
   - access localhost:5000 and localhost:5000/ping
 - (optional) run prod-mode server locally: `make run-prod`
   - access localhost:8000 and localhost:8000/ping
+
+## Required ENV
+
+These values should be set in a `.env` file in the project root for development, and in Heroku config when deployed.
+
+### Application settings
+
+`FLASK_APP` = cdnauth
+`FLASK_ENV` = production/development/testing as appropriate
+
+See [Flask docs](https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY) for information on how to properly generate a secret key. Should be unique for each deployment (stage/prod/local).
+`SECRET_KEY` = generate a long random string. Used for session security.
+
+`COOKIE_NAME` = This needs to be the same value in this app and the lambda
+`COOKIE_DOMAIN` = This needs to match the domain the app and cdn are running in. The app and lambda _must_ run in the same domain. NOTE: in development we set this to `False` due to how cookies work with localhost. Setting the domain to `localhost` is rejected by most browsers. Not setting a value works as expected with localhost.
+
+`JWT_SECRET`  = This must be a long random string and be set to the same value for this app and our lambda
+
+
+### Identity Provider (IdP) Settings
+
+See [our dev docs](https://mitlibraries.github.io/guides/authentication/touchstone_saml.html#configuring-the-application) for how to obtain the IDP settings
+`IDP_CERT` = standard IST IDP setting
+`IDP_ENTITY_ID` = standard IST IDP setting
+`IDP_SSO_URL` = standard IST IDP setting
+
+### Service Provider (SP) settings
+
+Note: See [our dev docs](https://mitlibraries.github.io/guides/authentication/touchstone_saml.html#generating-a-self-signed-certificate-for-touchstone) for information on how to generate SP key/cert. They should be unique for each deployment and backed up to our shared LastPass.
+
+`SP_ACS_URL` = route in this app that handles the response from IDP. domain name of app + /saml/?acs
+`SP_CERT` = obtained from self signed cert generated for this app. Note: remove all spaces/linebreaks as well as the "BEGIN" and "END" lines from file for ENV setting.
+`SP_ENTITY_ID` = domain name of app + /saml
+`SP_KEY` = obtained from self signed key generated for this app
+`SP_SECURITY_ASSERTIONS_ENCRYPTED` (optional) = Boolean. Defaults to `True` in production and `False` in development.
+`URN_UID` (optional) = where in the SAML response to get the user info from. Default values are set to work with Touchstone in production and our test IdP in development.
+
+### Running a local Identity Provider (IdP)
+
+Touchstone is our production IdP, but cannot be used for development work.
+
+If you are working on a feature and you want to test the full authentication process, using a local IdP can help. It won't be exactly the same as Touchstone so you'll want to test closely in staging, but it often is helpful enough to be worth using.
+
+#### Using Simple SAML IdP in a Container
+
+The docker composer file `idp-compose.yaml` is configured to allow an SP (this app!) to connect.
+
+To start the IdP
+
+```bash
+docker compose -f idp-compose.yaml up
+```
+
+The IdP comes pre-configured with test users:
+
+```text
+name: user1
+password: password
+
+name: user2
+password: password
+```
+
+If you need to access the IdP admin interface, the credentials are:
+
+```text
+name: admin
+password: secret
+```
+
+Your `.env` file will need to be updated to have the following values for IdP related settings:
+
+```yaml
+IDP_CERT=MIICmjCCAYICCQDX5sKPsYV3+jANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTE5MTIyMzA5MDI1MVoXDTIwMDEyMjA5MDI1MVowDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdtDJ278DQTp84O5Nq5F8s5YOR34GFOGI2Swb/3pU7X7918lVljiKv7WVM65S59nJSyXV+fa15qoXLfsdRnq3yw0hTSTs2YDX+jl98kK3ksk3rROfYh1LIgByj4/4NeNpExgeB6rQk5Ay7YS+ARmMzEjXa0favHxu5BOdB2y6WvRQyjPS2lirT/PKWBZc04QZepsZ56+W7bd557tdedcYdY/nKI1qmSQClG2qgslzgqFOv1KCOw43a3mcK/TiiD8IXyLMJNC6OFW3xTL/BG6SOZ3dQ9rjQOBga+6GIaQsDjC4Xp7Kx+FkSvgaw0sJV8gt1mlZy+27Sza6d+hHD2pWECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAm2fk1+gd08FQxK7TL04O8EK1f0bzaGGUxWzlh98a3Dm8+OPhVQRi/KLsFHliLC86lsZQKunYdDB+qd0KUk2oqDG6tstG/htmRYD/S/jNmt8gyPAVi11dHUqW3IvQgJLwxZtoAv6PNs188hvT1WK3VWJ4YgFKYi5XQYnR5sv69Vsr91lYAxyrIlMKahjSW1jTD3ByRfAQghsSLk6fV0OyJHyhuF1TxOVBVf8XOdaqfmvD90JGIPGtfMLPUX4m35qaGAU48PwCL7L3cRHYs9wZWc0ifXZcBENLtHYCLi5txR8c5lyHB9d3AQHzKHMFNjLswn5HsckKg83RH7+eVqHqGw==
+IDP_ENTITY_ID=http://localhost:8080/simplesaml/saml2/idp/metadata.php
+IDP_SSO_URL=http://localhost:8080/simplesaml/saml2/idp/SSOService.php
+```
+
+Note: It's unclear if that IdP cert is fully stable, but so far it has survived a few container rebuilds. If it stops working, remove it from this README and you can get the proper value after the IdP is running from the metadata at:
+
+<http://localhost:8080/simplesaml/saml2/idp/metadata.php?output=xhtml>
+
+Remember while these are the IdP settings to change in `.env`, you will still need to configure the rest of this application appropriately including the SP related config.
+
+If using `make app-bash` followed by `make run-dev`, these values are likely what you want to use.
+
+```yaml
+SP_ACS_URL=http://localhost:5000/saml/?acs
+SP_ENTITY_ID=http://localhost:5000/saml
+```
+
+You should generate a cert/key combo to populate `SP_CERT` and `SP_KEY`. See `Service Provider (SP) settings` above for details.

cdnauth/__init__.py

@@ -3,26 +3,27 @@
 
 from flask import Flask
 
+from cdnauth import auth, cdn, debug
+
 app = Flask(__name__, instance_relative_config=True)
+app.register_blueprint(auth.bp)
+app.register_blueprint(debug.bp)
+app.register_blueprint(cdn.bp)
+
 
 flask_env = os.getenv("FLASK_ENV")
 
 if flask_env == "development":
     app.config.from_object("cdnauth.config.DevelopmentConfig")
-elif flask_env == "production":
-    app.config.from_object("cdnauth.config.Config")
-else:
+elif flask_env == "testing":
     app.config.from_object("cdnauth.config.TestingConfig")
+else:
+    app.config.from_object("cdnauth.config.Config")
 
 
 logging.basicConfig(level=logging.INFO)
 
 
-@app.route("/")
-def root():
-    return "Hallo!"
-
-
 @app.route("/ping")
 def ping():
     return "pong"

cdnauth/auth.py

@@ -0,0 +1,119 @@
+import json
+from functools import wraps
+from urllib.parse import urljoin, urlparse
+
+from flask import (
+    Blueprint,
+    current_app,
+    make_response,
+    redirect,
+    request,
+    session,
+    url_for,
+)
+
+from onelogin.saml2.auth import OneLogin_Saml2_Auth
+
+
+def is_safe_url(target):
+    ref_url = urlparse(request.host_url)
+    test_url = urlparse(urljoin(request.host_url, target))
+    return test_url.scheme in ("http", "https") and ref_url.netloc == test_url.netloc
+
+
+def login_required(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if "samlNameId" not in session:
+            return redirect(url_for("auth.saml", sso=True, next=request.url))
+
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+
+def load_saml_settings():
+    json_settings = {}
+    with open("saml/settings.json", "r") as json_file:
+        json_settings = json.load(json_file)
+        json_settings["debug"] = current_app.config["DEBUG"]
+        json_settings["sp"]["entityId"] = current_app.config["SP_ENTITY_ID"]
+        json_settings["sp"]["assertionConsumerService"]["url"] = current_app.config[
+            "SP_ACS_URL"
+        ]
+        json_settings["sp"]["x509cert"] = current_app.config["SP_CERT"]
+        json_settings["sp"]["privateKey"] = current_app.config["SP_KEY"]
+        json_settings["idp"]["entityId"] = current_app.config["IDP_ENTITY_ID"]
+        json_settings["idp"]["singleSignOnService"]["url"] = current_app.config[
+            "IDP_SSO_URL"
+        ]
+        json_settings["idp"]["x509cert"] = current_app.config["IDP_CERT"]
+        json_settings["security"]["wantAssertionsEncrypted"] = current_app.config[
+            "SP_SECURITY_ASSERTIONS_ENCRYPTED"
+        ]
+
+    return json_settings
+
+
+def prepare_flask_request(request):
+    url_data = urlparse(request.url)
+    return {
+        "https": "on" if request.scheme == "https" else "off",
+        "http_host": request.host,
+        "server_port": url_data.port,
+        "script_name": request.path,
+        "get_data": request.args.copy(),
+        "post_data": request.form.copy(),
+    }
+
+
+bp = Blueprint("auth", __name__, url_prefix="/saml")
+
+
+@bp.route("/", methods=("GET", "POST"))
+def saml():
+    saml_settings = load_saml_settings()
+    req = prepare_flask_request(request)
+    auth = OneLogin_Saml2_Auth(req, saml_settings)
+    errors = []
+    next_page = request.args.get("next")
+    if not next_page or is_safe_url(next_page) is False:
+        next_page = ""
+
+    if "sso" in request.args:
+        return redirect(auth.login(return_to=next_page))
+
+    elif "acs" in request.args:
+        auth.process_response()
+        errors = auth.get_errors()
+        if not auth.is_authenticated():
+            # TODO: return something helpful to the user.
+            # That said, this should never happen.
+            pass
+        if len(errors) == 0:
+            session["samlUserdata"] = auth.get_attributes()
+            session["samlNameId"] = session["samlUserdata"][
+                current_app.config["URN_UID"]
+            ][0]
+            session["samlSessionIndex"] = auth.get_session_index()
+            return redirect(request.form["RelayState"])
+        else:
+            print("Errors: %s", errors)
+            print("Last error reason: %s", auth.get_last_error_reason())
+
+
+@bp.route("/metadata/")
+def metadata():
+    saml_settings = load_saml_settings()
+    req = prepare_flask_request(request)
+    auth = OneLogin_Saml2_Auth(req, saml_settings)
+    settings = auth.get_settings()
+    metadata = settings.get_sp_metadata()
+    errors = settings.validate_metadata(metadata)
+
+    if len(errors) == 0:
+        resp = make_response(metadata, 200)
+        resp.headers["Content-Type"] = "text/xml"
+    else:
+        resp = make_response(", ".join(errors), 500)
+    return resp