Support CAS in UI Auth flows. (#7186)
This commit is contained in:
parent
b0db928c63
commit
694d8bed0e
|
@ -0,0 +1 @@
|
||||||
|
Support SSO in the user interactive authentication workflow.
|
|
@ -116,7 +116,7 @@ class AuthHandler(BaseHandler):
|
||||||
self.hs = hs # FIXME better possibility to access registrationHandler later?
|
self.hs = hs # FIXME better possibility to access registrationHandler later?
|
||||||
self.macaroon_gen = hs.get_macaroon_generator()
|
self.macaroon_gen = hs.get_macaroon_generator()
|
||||||
self._password_enabled = hs.config.password_enabled
|
self._password_enabled = hs.config.password_enabled
|
||||||
self._saml2_enabled = hs.config.saml2_enabled
|
self._sso_enabled = hs.config.saml2_enabled or hs.config.cas_enabled
|
||||||
|
|
||||||
# we keep this as a list despite the O(N^2) implication so that we can
|
# we keep this as a list despite the O(N^2) implication so that we can
|
||||||
# keep PASSWORD first and avoid confusing clients which pick the first
|
# keep PASSWORD first and avoid confusing clients which pick the first
|
||||||
|
@ -136,7 +136,7 @@ class AuthHandler(BaseHandler):
|
||||||
# necessarily identical. Login types have SSO (and other login types)
|
# necessarily identical. Login types have SSO (and other login types)
|
||||||
# added in the rest layer, see synapse.rest.client.v1.login.LoginRestServerlet.on_GET.
|
# added in the rest layer, see synapse.rest.client.v1.login.LoginRestServerlet.on_GET.
|
||||||
ui_auth_types = login_types.copy()
|
ui_auth_types = login_types.copy()
|
||||||
if self._saml2_enabled:
|
if self._sso_enabled:
|
||||||
ui_auth_types.append(LoginType.SSO)
|
ui_auth_types.append(LoginType.SSO)
|
||||||
self._supported_ui_auth_types = ui_auth_types
|
self._supported_ui_auth_types = ui_auth_types
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
import xml.etree.ElementTree as ET
|
import xml.etree.ElementTree as ET
|
||||||
from typing import AnyStr, Dict, Optional, Tuple
|
from typing import Dict, Optional, Tuple
|
||||||
|
|
||||||
from six.moves import urllib
|
from six.moves import urllib
|
||||||
|
|
||||||
|
@ -48,26 +48,47 @@ class CasHandler:
|
||||||
|
|
||||||
self._http_client = hs.get_proxied_http_client()
|
self._http_client = hs.get_proxied_http_client()
|
||||||
|
|
||||||
def _build_service_param(self, client_redirect_url: AnyStr) -> str:
|
def _build_service_param(self, args: Dict[str, str]) -> str:
|
||||||
|
"""
|
||||||
|
Generates a value to use as the "service" parameter when redirecting or
|
||||||
|
querying the CAS service.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
args: Additional arguments to include in the final redirect URL.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
The URL to use as a "service" parameter.
|
||||||
|
"""
|
||||||
return "%s%s?%s" % (
|
return "%s%s?%s" % (
|
||||||
self._cas_service_url,
|
self._cas_service_url,
|
||||||
"/_matrix/client/r0/login/cas/ticket",
|
"/_matrix/client/r0/login/cas/ticket",
|
||||||
urllib.parse.urlencode({"redirectUrl": client_redirect_url}),
|
urllib.parse.urlencode(args),
|
||||||
)
|
)
|
||||||
|
|
||||||
async def _handle_cas_response(
|
async def _validate_ticket(
|
||||||
self, request: SynapseRequest, cas_response_body: str, client_redirect_url: str
|
self, ticket: str, service_args: Dict[str, str]
|
||||||
) -> None:
|
) -> Tuple[str, Optional[str]]:
|
||||||
"""
|
"""
|
||||||
Retrieves the user and display name from the CAS response and continues with the authentication.
|
Validate a CAS ticket with the server, parse the response, and return the user and display name.
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
request: The original client request.
|
ticket: The CAS ticket from the client.
|
||||||
cas_response_body: The response from the CAS server.
|
service_args: Additional arguments to include in the service URL.
|
||||||
client_redirect_url: The URl to redirect the client to when
|
Should be the same as those passed to `get_redirect_url`.
|
||||||
everything is done.
|
|
||||||
"""
|
"""
|
||||||
user, attributes = self._parse_cas_response(cas_response_body)
|
uri = self._cas_server_url + "/proxyValidate"
|
||||||
|
args = {
|
||||||
|
"ticket": ticket,
|
||||||
|
"service": self._build_service_param(service_args),
|
||||||
|
}
|
||||||
|
try:
|
||||||
|
body = await self._http_client.get_raw(uri, args)
|
||||||
|
except PartialDownloadError as pde:
|
||||||
|
# Twisted raises this error if the connection is closed,
|
||||||
|
# even if that's being used old-http style to signal end-of-data
|
||||||
|
body = pde.response
|
||||||
|
|
||||||
|
user, attributes = self._parse_cas_response(body)
|
||||||
displayname = attributes.pop(self._cas_displayname_attribute, None)
|
displayname = attributes.pop(self._cas_displayname_attribute, None)
|
||||||
|
|
||||||
for required_attribute, required_value in self._cas_required_attributes.items():
|
for required_attribute, required_value in self._cas_required_attributes.items():
|
||||||
|
@ -82,7 +103,7 @@ class CasHandler:
|
||||||
if required_value != actual_value:
|
if required_value != actual_value:
|
||||||
raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED)
|
raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED)
|
||||||
|
|
||||||
await self._on_successful_auth(user, request, client_redirect_url, displayname)
|
return user, displayname
|
||||||
|
|
||||||
def _parse_cas_response(
|
def _parse_cas_response(
|
||||||
self, cas_response_body: str
|
self, cas_response_body: str
|
||||||
|
@ -127,34 +148,69 @@ class CasHandler:
|
||||||
)
|
)
|
||||||
return user, attributes
|
return user, attributes
|
||||||
|
|
||||||
async def _on_successful_auth(
|
def get_redirect_url(self, service_args: Dict[str, str]) -> str:
|
||||||
self,
|
"""
|
||||||
username: str,
|
Generates a URL for the CAS server where the client should be redirected.
|
||||||
request: SynapseRequest,
|
|
||||||
client_redirect_url: str,
|
|
||||||
user_display_name: Optional[str] = None,
|
|
||||||
) -> None:
|
|
||||||
"""Called once the user has successfully authenticated with the SSO.
|
|
||||||
|
|
||||||
Registers the user if necessary, and then returns a redirect (with
|
|
||||||
a login token) to the client.
|
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
username: the remote user id. We'll map this onto
|
service_args: Additional arguments to include in the final redirect URL.
|
||||||
something sane for a MXID localpath.
|
|
||||||
|
|
||||||
request: the incoming request from the browser. We'll
|
Returns:
|
||||||
respond to it with a redirect.
|
The URL to redirect the client to.
|
||||||
|
|
||||||
client_redirect_url: the redirect_url the client gave us when
|
|
||||||
it first started the process.
|
|
||||||
|
|
||||||
user_display_name: if set, and we have to register a new user,
|
|
||||||
we will set their displayname to this.
|
|
||||||
"""
|
"""
|
||||||
|
args = urllib.parse.urlencode(
|
||||||
|
{"service": self._build_service_param(service_args)}
|
||||||
|
)
|
||||||
|
|
||||||
|
return "%s/login?%s" % (self._cas_server_url, args)
|
||||||
|
|
||||||
|
async def handle_ticket(
|
||||||
|
self,
|
||||||
|
request: SynapseRequest,
|
||||||
|
ticket: str,
|
||||||
|
client_redirect_url: Optional[str],
|
||||||
|
session: Optional[str],
|
||||||
|
) -> None:
|
||||||
|
"""
|
||||||
|
Called once the user has successfully authenticated with the SSO.
|
||||||
|
Validates a CAS ticket sent by the client and completes the auth process.
|
||||||
|
|
||||||
|
If the user interactive authentication session is provided, marks the
|
||||||
|
UI Auth session as complete, then returns an HTML page notifying the
|
||||||
|
user they are done.
|
||||||
|
|
||||||
|
Otherwise, this registers the user if necessary, and then returns a
|
||||||
|
redirect (with a login token) to the client.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
request: the incoming request from the browser. We'll
|
||||||
|
respond to it with a redirect or an HTML page.
|
||||||
|
|
||||||
|
ticket: The CAS ticket provided by the client.
|
||||||
|
|
||||||
|
client_redirect_url: the redirectUrl parameter from the `/cas/ticket` HTTP request, if given.
|
||||||
|
This should be the same as the redirectUrl from the original `/login/sso/redirect` request.
|
||||||
|
|
||||||
|
session: The session parameter from the `/cas/ticket` HTTP request, if given.
|
||||||
|
This should be the UI Auth session id.
|
||||||
|
"""
|
||||||
|
args = {}
|
||||||
|
if client_redirect_url:
|
||||||
|
args["redirectUrl"] = client_redirect_url
|
||||||
|
if session:
|
||||||
|
args["session"] = session
|
||||||
|
username, user_display_name = await self._validate_ticket(ticket, args)
|
||||||
|
|
||||||
localpart = map_username_to_mxid_localpart(username)
|
localpart = map_username_to_mxid_localpart(username)
|
||||||
user_id = UserID(localpart, self._hostname).to_string()
|
user_id = UserID(localpart, self._hostname).to_string()
|
||||||
registered_user_id = await self._auth_handler.check_user_exists(user_id)
|
registered_user_id = await self._auth_handler.check_user_exists(user_id)
|
||||||
|
|
||||||
|
if session:
|
||||||
|
self._auth_handler.complete_sso_ui_auth(
|
||||||
|
registered_user_id, session, request,
|
||||||
|
)
|
||||||
|
|
||||||
|
else:
|
||||||
if not registered_user_id:
|
if not registered_user_id:
|
||||||
registered_user_id = await self._registration_handler.register_user(
|
registered_user_id = await self._registration_handler.register_user(
|
||||||
localpart=localpart, default_display_name=user_display_name
|
localpart=localpart, default_display_name=user_display_name
|
||||||
|
@ -163,42 +219,3 @@ class CasHandler:
|
||||||
self._auth_handler.complete_sso_login(
|
self._auth_handler.complete_sso_login(
|
||||||
registered_user_id, request, client_redirect_url
|
registered_user_id, request, client_redirect_url
|
||||||
)
|
)
|
||||||
|
|
||||||
def handle_redirect_request(self, client_redirect_url: bytes) -> bytes:
|
|
||||||
"""
|
|
||||||
Generates a URL to the CAS server where the client should be redirected.
|
|
||||||
|
|
||||||
Args:
|
|
||||||
client_redirect_url: The final URL the client should go to after the
|
|
||||||
user has negotiated SSO.
|
|
||||||
|
|
||||||
Returns:
|
|
||||||
The URL to redirect to.
|
|
||||||
"""
|
|
||||||
args = urllib.parse.urlencode(
|
|
||||||
{"service": self._build_service_param(client_redirect_url)}
|
|
||||||
)
|
|
||||||
|
|
||||||
return ("%s/login?%s" % (self._cas_server_url, args)).encode("ascii")
|
|
||||||
|
|
||||||
async def handle_ticket_request(
|
|
||||||
self, request: SynapseRequest, client_redirect_url: str, ticket: str
|
|
||||||
) -> None:
|
|
||||||
"""
|
|
||||||
Validates a CAS ticket sent by the client for login/registration.
|
|
||||||
|
|
||||||
On a successful request, writes a redirect to the request.
|
|
||||||
"""
|
|
||||||
uri = self._cas_server_url + "/proxyValidate"
|
|
||||||
args = {
|
|
||||||
"ticket": ticket,
|
|
||||||
"service": self._build_service_param(client_redirect_url),
|
|
||||||
}
|
|
||||||
try:
|
|
||||||
body = await self._http_client.get_raw(uri, args)
|
|
||||||
except PartialDownloadError as pde:
|
|
||||||
# Twisted raises this error if the connection is closed,
|
|
||||||
# even if that's being used old-http style to signal end-of-data
|
|
||||||
body = pde.response
|
|
||||||
|
|
||||||
await self._handle_cas_response(request, body, client_redirect_url)
|
|
||||||
|
|
|
@ -425,7 +425,9 @@ class CasRedirectServlet(BaseSSORedirectServlet):
|
||||||
self._cas_handler = hs.get_cas_handler()
|
self._cas_handler = hs.get_cas_handler()
|
||||||
|
|
||||||
def get_sso_url(self, client_redirect_url: bytes) -> bytes:
|
def get_sso_url(self, client_redirect_url: bytes) -> bytes:
|
||||||
return self._cas_handler.handle_redirect_request(client_redirect_url)
|
return self._cas_handler.get_redirect_url(
|
||||||
|
{"redirectUrl": client_redirect_url}
|
||||||
|
).encode("ascii")
|
||||||
|
|
||||||
|
|
||||||
class CasTicketServlet(RestServlet):
|
class CasTicketServlet(RestServlet):
|
||||||
|
@ -436,10 +438,20 @@ class CasTicketServlet(RestServlet):
|
||||||
self._cas_handler = hs.get_cas_handler()
|
self._cas_handler = hs.get_cas_handler()
|
||||||
|
|
||||||
async def on_GET(self, request: SynapseRequest) -> None:
|
async def on_GET(self, request: SynapseRequest) -> None:
|
||||||
client_redirect_url = parse_string(request, "redirectUrl", required=True)
|
client_redirect_url = parse_string(request, "redirectUrl")
|
||||||
ticket = parse_string(request, "ticket", required=True)
|
ticket = parse_string(request, "ticket", required=True)
|
||||||
await self._cas_handler.handle_ticket_request(
|
|
||||||
request, client_redirect_url, ticket
|
# Maybe get a session ID (if this ticket is from user interactive
|
||||||
|
# authentication).
|
||||||
|
session = parse_string(request, "session")
|
||||||
|
|
||||||
|
# Either client_redirect_url or session must be provided.
|
||||||
|
if not client_redirect_url and not session:
|
||||||
|
message = "Missing string query parameter redirectUrl or session"
|
||||||
|
raise SynapseError(400, message, errcode=Codes.MISSING_PARAM)
|
||||||
|
|
||||||
|
await self._cas_handler.handle_ticket(
|
||||||
|
request, ticket, client_redirect_url, session
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -111,6 +111,11 @@ class AuthRestServlet(RestServlet):
|
||||||
self._saml_enabled = hs.config.saml2_enabled
|
self._saml_enabled = hs.config.saml2_enabled
|
||||||
if self._saml_enabled:
|
if self._saml_enabled:
|
||||||
self._saml_handler = hs.get_saml_handler()
|
self._saml_handler = hs.get_saml_handler()
|
||||||
|
self._cas_enabled = hs.config.cas_enabled
|
||||||
|
if self._cas_enabled:
|
||||||
|
self._cas_handler = hs.get_cas_handler()
|
||||||
|
self._cas_server_url = hs.config.cas_server_url
|
||||||
|
self._cas_service_url = hs.config.cas_service_url
|
||||||
|
|
||||||
def on_GET(self, request, stagetype):
|
def on_GET(self, request, stagetype):
|
||||||
session = parse_string(request, "session")
|
session = parse_string(request, "session")
|
||||||
|
@ -133,14 +138,27 @@ class AuthRestServlet(RestServlet):
|
||||||
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
||||||
}
|
}
|
||||||
|
|
||||||
elif stagetype == LoginType.SSO and self._saml_enabled:
|
elif stagetype == LoginType.SSO:
|
||||||
# Display a confirmation page which prompts the user to
|
# Display a confirmation page which prompts the user to
|
||||||
# re-authenticate with their SSO provider.
|
# re-authenticate with their SSO provider.
|
||||||
|
if self._cas_enabled:
|
||||||
|
# Generate a request to CAS that redirects back to an endpoint
|
||||||
|
# to verify the successful authentication.
|
||||||
|
sso_redirect_url = self._cas_handler.get_redirect_url(
|
||||||
|
{"session": session},
|
||||||
|
)
|
||||||
|
|
||||||
|
elif self._saml_enabled:
|
||||||
client_redirect_url = ""
|
client_redirect_url = ""
|
||||||
sso_redirect_url = self._saml_handler.handle_redirect_request(
|
sso_redirect_url = self._saml_handler.handle_redirect_request(
|
||||||
client_redirect_url, session
|
client_redirect_url, session
|
||||||
)
|
)
|
||||||
|
|
||||||
|
else:
|
||||||
|
raise SynapseError(400, "Homeserver not configured for SSO.")
|
||||||
|
|
||||||
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
|
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
raise SynapseError(404, "Unknown auth stage type")
|
raise SynapseError(404, "Unknown auth stage type")
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue