From 906343147166e30842f34b01726f7494702570ae Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Fri, 31 Jan 2025 21:42:05 +0100
Subject: [PATCH 1/4] Allow POST requests when auth is SAML
---
 admin/main.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/admin/main.go b/admin/main.go
index 6b23b019..a234100d 100644
--- a/admin/main.go
+++ b/admin/main.go
@@ -918,6 +918,7 @@ func osctrlAdminService() {
 // SAML ACS
 if adminConfig.Auth == settings.AuthSAML {
 adminMux.Handle("GET /saml/", samlMiddleware)
+ adminMux.Handle("POST /saml/", samlMiddleware)
 adminMux.HandleFunc("GET "+loginPath, func(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 })
From 227f6acc6e5c37d1b81e2e5c2ed19bc2d8613cb4 Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Fri, 31 Jan 2025 21:48:19 +0100
Subject: [PATCH 2/4] Catch prefix and all requests
---
 admin/main.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/admin/main.go b/admin/main.go
index a234100d..4214ffb7 100644
--- a/admin/main.go
+++ b/admin/main.go
@@ -917,8 +917,7 @@ func osctrlAdminService() {
 adminMux.Handle("POST "+logoutPath, handlerAuthCheck(http.HandlerFunc(handlersAdmin.LogoutPOSTHandler)))
 // SAML ACS
 if adminConfig.Auth == settings.AuthSAML {
- adminMux.Handle("GET /saml/", samlMiddleware)
- adminMux.Handle("POST /saml/", samlMiddleware)
+ adminMux.Handle("/saml/", samlMiddleware)
 adminMux.HandleFunc("GET "+loginPath, func(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 })
From bec32536a8bc730c93b6a61b4286581627be885e Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Fri, 31 Jan 2025 21:55:42 +0100
Subject: [PATCH 3/4] Testing catching SAML URLs
---
 admin/main.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/admin/main.go b/admin/main.go
index 4214ffb7..704c7677 100644
--- a/admin/main.go
+++ b/admin/main.go
@@ -917,7 +917,10 @@ func osctrlAdminService() {
 adminMux.Handle("POST "+logoutPath, handlerAuthCheck(http.HandlerFunc(handlersAdmin.LogoutPOSTHandler)))
 // SAML ACS
 if adminConfig.Auth == settings.AuthSAML {
- adminMux.Handle("/saml/", samlMiddleware)
+ adminMux.Handle("GET /saml/metadata", samlMiddleware)
+ adminMux.Handle("POST /saml/metadata", samlMiddleware)
+ adminMux.Handle("GET /saml/acs", samlMiddleware)
+ adminMux.Handle("POST /saml/acs", samlMiddleware)
 adminMux.HandleFunc("GET "+loginPath, func(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 })
From d3f859b434511f5adec757bcc36bdd20c076428b Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Sat, 1 Feb 2025 13:51:57 +0100
Subject: [PATCH 4/4] Handle GET/POST if SAML is enabled
---
 admin/auth.go | 4 ----
 admin/main.go | 4 ++--
 admin/saml.go | 27 +++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/admin/auth.go b/admin/auth.go
index 447fe460..acc095f9 100644
--- a/admin/auth.go
+++ b/admin/auth.go
@@ -47,23 +47,19 @@ func handlerAuthCheck(h http.Handler) http.Handler {
 case settings.AuthSAML:
 samlSession, err := samlMiddleware.Session.GetSession(r)
 if err != nil {
- log.Err(err).Msg("GetSession")
 http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 return
 }
 if samlSession == nil {
- log.Error().Msg("No SAML session")
 http.Redirect(w, r, samlConfig.LogoutURL, http.StatusFound)
 return
 }
 jwtSessionClaims, ok := samlSession.(samlsp.JWTSessionClaims)
 if !ok {
- log.Error().Msg("JWTSessionClaims")
 return
 }
 samlUser := jwtSessionClaims.Subject
 if samlUser == "" {
- log.Error().Msg("SAML user is empty")
 return
 }
 // Check if user is already authenticated
diff --git a/admin/main.go b/admin/main.go
index 704c7677..cdc0d5be 100644
--- a/admin/main.go
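Review bot: The four added patterns hard-code `/saml/metadata` and `/saml/acs`, while the samlsp middleware itself dispatches on the paths of its own ServiceProvider MetadataURL/AcsURL (and SloURL), which it derives from the root URL it was built with; if `samlConfig.RootURL` carries a path prefix, or the IdP is configured with an ACS URL that differs from these literals, the request either falls through the mux or reaches the middleware and gets its not-found response. Registering from the middleware's own values removes the coupling, e.g. `adminMux.Handle("POST "+samlMiddleware.ServiceProvider.AcsURL.Path, samlMiddleware)` and `adminMux.Handle("GET "+samlMiddleware.ServiceProvider.MetadataURL.Path, samlMiddleware)`; this assumes samlMiddleware is a *samlsp.Middleware, which the `samlMiddleware.Session` use in auth.go indicates but this hunk does not show. No route is registered for the SLO path, so IdP-initiated logout, if it is in use, would never reach the middleware. The same literals persist in the main.go hunk of PATCH 4/4, which only reorders them. osctrlAdminService continues outside the hunk.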
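Review bot: Removing the four log calls leaves every SAML session-validation failure in handlerAuthCheck untraceable: a session the middleware cannot read, a session of a type other than samlsp.JWTSessionClaims, and an empty Subject now all fail silently, which removes the only signal an operator has to tell a misconfigured IdP from unexpected traffic on the ACS. If the motivation is log noise on the routine redirect paths, keep the two claim checks at least at debug level, e.g. `log.Debug().Msg("SAML session is not JWTSessionClaims")` and `log.Debug().Msg("SAML subject is empty")`. Note also that those two `if !ok` / `samlUser == ""` branches (unchanged here) return without writing anything, so the client gets an empty 200; an explicit `http.Error(w, "invalid SAML session", http.StatusUnauthorized)` would make the outcome visible to both client and logs. handlerAuthCheck begins and ends outside the hunk.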
+++ b/admin/main.go
@@ -917,10 +917,10 @@ func osctrlAdminService() {
 adminMux.Handle("POST "+logoutPath, handlerAuthCheck(http.HandlerFunc(handlersAdmin.LogoutPOSTHandler)))
 // SAML ACS
 if adminConfig.Auth == settings.AuthSAML {
- adminMux.Handle("GET /saml/metadata", samlMiddleware)
- adminMux.Handle("POST /saml/metadata", samlMiddleware)
 adminMux.Handle("GET /saml/acs", samlMiddleware)
 adminMux.Handle("POST /saml/acs", samlMiddleware)
+ adminMux.Handle("GET /saml/metadata", samlMiddleware)
+ adminMux.Handle("POST /saml/metadata", samlMiddleware)
 adminMux.HandleFunc("GET "+loginPath, func(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 })
diff --git a/admin/saml.go b/admin/saml.go
index 9ce6aa77..a94e1ad2 100644
--- a/admin/saml.go
+++ b/admin/saml.go
@@ -51,10 +51,37 @@ func loadSAML(file string) (JSONConfigurationSAML, error) {
 if err := samlRaw.Unmarshal(&cfg); err != nil {
 return cfg, err
 }
+ // Verify SAML configuration
+ if err := verifySAML(cfg); err != nil {
+ return cfg, err
+ }
 // No errors!
 return cfg, nil
 }
 
+// Function to verify SAML configuration
+func verifySAML(cfg JSONConfigurationSAML) error {
+ if cfg.CertPath == "" {
+ return fmt.Errorf("Missing CertPath")
+ }
+ if cfg.KeyPath == "" {
+ return fmt.Errorf("Missing KeyPath")
+ }
+ if cfg.MetaDataURL == "" {
+ return fmt.Errorf("Missing MetaDataURL")
+ }
+ if cfg.RootURL == "" {
+ return fmt.Errorf("Missing RootURL")
+ }
+ if cfg.LoginURL == "" {
+ return fmt.Errorf("Missing LoginURL")
+ }
+ if cfg.LogoutURL == "" {
+ return fmt.Errorf("Missing LogoutURL")
+ }
+ return nil
+}
+
 // Function to initialize variables when using SAML for authentication
 func keypairSAML(config JSONConfigurationSAML) (samlThings, error) {
 var data samlThings
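Review bot: verifySAML only checks that the six fields are non-empty, yet RootURL and MetaDataURL are consumed as URLs and LoginURL/LogoutURL are passed straight to http.Redirect in auth.go, so a value with a typo or a missing scheme is accepted at load and only surfaces at request time as a bad redirect or a failed metadata fetch. Parsing the four URL fields with net/url, and requiring an absolute http(s) URL for RootURL and MetaDataURL, catches that when the config is read; whether LoginURL/LogoutURL may legitimately be relative paths here is not visible, so the rewrite below only requires those two to parse. The error strings should also follow Go convention — lowercase, and either `errors.New("missing CertPath")` or fmt.Errorf with a verb, not fmt.Errorf with a constant — and the doc comment should start with the name, `// verifySAML reports ...`. Whether saml.go already imports net/url is not visible in the hunk (fmt is). loadSAML begins and keypairSAML continues outside the hunk.
```go
// verifySAML reports an error for the first required SAML field that is
// empty, or for a URL field that does not parse. RootURL and MetaDataURL
// must additionally be absolute http(s) URLs.
func verifySAML(cfg JSONConfigurationSAML) error {
	fields := []struct {
		name, value string
		isURL       bool
		absolute    bool
	}{
		{"CertPath", cfg.CertPath, false, false},
		{"KeyPath", cfg.KeyPath, false, false},
		{"MetaDataURL", cfg.MetaDataURL, true, true},
		{"RootURL", cfg.RootURL, true, true},
		{"LoginURL", cfg.LoginURL, true, false},
		{"LogoutURL", cfg.LogoutURL, true, false},
	}
	for _, f := range fields {
		if f.value == "" {
			return fmt.Errorf("missing %s", f.name)
		}
		if !f.isURL {
			continue
		}
		u, err := url.Parse(f.value)
		if err != nil {
			return fmt.Errorf("parsing %s: %w", f.name, err)
		}
		if f.absolute && ((u.Scheme != "http" && u.Scheme != "https") || u.Host == "") {
			return fmt.Errorf("%s must be an absolute http(s) URL, got %q", f.name, f.value)
		}
	}
	return nil
}
```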