Support for SAML as a Silo IdP, part 1 #994
Add the db schemas, models, and some endpoints to support configuring a SAML IdP for a Silo. Enough functionality is here to support the first step of SP-initiated SAML login flow. More work is required to support receiving the SAML IdP's response, and actually creating and logging in the user. Two tables were added here: one that relates a silo to a list of typed identity providers, and one for saml configuration. Future work will add "local" and "ldap" identity provider support. Table column order was corrected - I didn't see any bugs from this but am aware that the bug potential exists. Currently, the external-authenticator role only applies to the default silo, not any new ones. Making that opctx work with any silo will unlock some more testing. This commit also moves the unauthorized_coverage code into the unauthorized function, and sets up both hardcoded and new non-hardcoded data. When global images support was added, a hardcoded port was used for the httptest server and it was a problem to find an unused port, but allowing for non-hardcoded data means any port can be used.
Looks like everything's failing because
nexus/src/db/model.rs
👌
Is xmlsec1 something that's now expected to be installed on the build/deployment machine and we depend on it at build and run time (similar to libpq, etc.)? In that case, I think you want to update the install_prerequisites script and not add new steps to the GitHub/buildomat workflows. I say that because those workflows won't be run on individuals' machines, whereas the install_prerequisites script is intended to be run by devs and it's also run in CI so it should cover all cases and actually gets tested regularly.
We couldn't confirm that
Dang, I had thought #870 already landed. I think maybe we want to land that?
Unfortunately, there are also no xmlsec1 packages for helios. EDIT: or OmniOS
xmlsec1 does build on helios. The following completes ok:
Paging @jclulow - how do packages get built for helios? Is this something I can do?
It's still a bit manual, so I've gone ahead and written the recipe and published the package for now. In the future, yes, I want things to be more self-service! I took version 1.2.33 (latest stable) and built it into this package:
You should be able to install that to get the libraries and the
Remove silo_id from params; it was not used.
Add DerEncodedKeyPair type to add a bit of API safety
Remove get prefix from functions
Validate DER keys
Use serde's deserialize_with to validate public cert and private keys, causing failure if the DerEncodedKeyPair isn't valid. The visitor used here is a fn from `String -> Result<String>` which allows for early validation, and afterwards any code operating on DerEncodedKeyPair can be sure it contains valid data. Unfortunately, the deserialize_with could not be a fn from `String -> an openssl::type` because the openssl types do not derive JsonSchema. Previously some of this validation was in SiloSamlIdentityProvider's validate, and that has been removed in this commit.
Instead of putting an impl for the model::SiloSamlIdentityProvider type into the authn subsystem, make a new authn type, and convert the model type into that. Move the logic that looks up SiloIdentityProviderType from nexus.rs to authn silo subsystem. Move validate function logic into a new TryFrom impl for the authn SiloSamlIdentityProvider type. This way it's part of the conversion and cannot be forgotten about.
Ran find */ -type f -exec sed -i -e 's/SiloIdentityProvider/IdentityProvider/g' {} + ; find */ -type f -exec sed -i -e 's/SILO_IDENTITY_PROVIDER/IDENTITY_PROVIDER/g' {} + ; find */ -type f -exec sed -i -e 's/silo_identity_provider/identity_provider/g' {} + ; find */ -type f -exec sed -i -e 's/SiloSamlIdentityProvider/SamlIdentityProvider/g' {} + ; find */ -type f -exec sed -i -e 's/SILO_SAML_IDENTITY_PROVIDER/SAML_IDENTITY_PROVIDER/g' {} + ; find */ -type f -exec sed -i -e 's/silo_saml_identity_provider/saml_identity_provider/g' {} + ; and git mv ./nexus/src/db/model/silo_identity_provider.rs ./nexus/src/db/model/identity_provider.rs
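The two commits above describe the pattern: validate the DER-encoded cert and key at the point of deserialization with a `String -> Result<String>` function, so anything holding a `DerEncodedKeyPair` can trust it, and make the model-to-authn conversion a `TryFrom` so the validation cannot be skipped. The following is an added example illustrating that pattern, not omicron's code. It uses only the Rust standard library: `RawSamlConfig`, `SamlIdentityProvider` and `DerEncodedKeyPair` are illustrative stand-ins for the PR's model and authn types, and a hand-rolled base64 decoder plus a DER SEQUENCE framing check stand in for the openssl-based validation (a real implementation would parse the certificate and key fully). The error returned from the conversion carries the "deserializing SAML IdP from database" context that the review thread below asks for.

```rust
// Added example, not omicron's code: validate DER-encoded key material once, at
// the model -> authn boundary, so code holding a DerEncodedKeyPair can assume it
// is well-formed. RawSamlConfig, SamlIdentityProvider and DerEncodedKeyPair are
// illustrative stand-ins; the std-only base64 decoder and DER framing check
// stand in for the openssl-based validation used by the real project.
use std::convert::TryFrom;

/// Minimal standard-alphabet base64 decoder; padding and line breaks are skipped.
pub fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b'\r' | b'\n' => continue,
            _ => return Err(format!("invalid base64: unexpected byte {:#04x}", c)),
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8); // exactly the 8 bits above `bits`
            buf &= (1u32 << bits) - 1;
        }
    }
    Ok(out)
}

/// Accept exactly one DER SEQUENCE whose definite length matches the data.
/// X.509 certificates and PKCS#8/PKCS#1 keys all start with a SEQUENCE, so this
/// catches truncation and mis-encoding without a full ASN.1 parser.
pub fn check_der_sequence(der: &[u8]) -> Result<(), String> {
    if der.len() < 2 {
        return Err("invalid DER: too short".into());
    }
    if der[0] != 0x30 {
        return Err(format!("invalid DER: expected SEQUENCE tag 0x30, got {:#04x}", der[0]));
    }
    let (len, hdr) = match der[1] {
        n if n < 0x80 => (n as usize, 2usize),
        n => {
            // Long form: low 7 bits give the number of length bytes (0 = indefinite, not DER).
            let nbytes = (n & 0x7f) as usize;
            if nbytes == 0 || nbytes > 4 || der.len() < 2 + nbytes {
                return Err("invalid DER: bad long-form length".into());
            }
            (der[2..2 + nbytes].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + nbytes)
        }
    };
    if hdr + len != der.len() {
        return Err(format!("invalid DER: length {} does not match {} content bytes", len, der.len() - hdr));
    }
    Ok(())
}

/// Newtype whose only constructor validates: holding one proves both strings
/// decode and frame as DER (the "API safety" the commit message mentions).
#[derive(Debug, Clone, PartialEq)]
pub struct DerEncodedKeyPair { pub public_cert: String, pub private_key: String }

impl DerEncodedKeyPair {
    /// Plays the role of the `String -> Result<String>` deserialize_with fn.
    pub fn new(public_cert: String, private_key: String) -> Result<Self, String> {
        check_der_sequence(&base64_decode(&public_cert)?)?;
        check_der_sequence(&base64_decode(&private_key)?)?;
        Ok(Self { public_cert, private_key })
    }
}

/// Stand-in for the database model row: plain strings exactly as stored.
pub struct RawSamlConfig { pub idp_entity_id: String, pub public_cert: String, pub private_key: String }

/// Stand-in for the authn type; reachable only via TryFrom, so validation is
/// part of the conversion and cannot be forgotten.
#[derive(Debug, PartialEq)]
pub struct SamlIdentityProvider { pub idp_entity_id: String, pub keypair: DerEncodedKeyPair }

impl TryFrom<RawSamlConfig> for SamlIdentityProvider {
    type Error = String;
    fn try_from(raw: RawSamlConfig) -> Result<Self, String> {
        let keypair = DerEncodedKeyPair::new(raw.public_cert, raw.private_key)
            // Context in the error, as the review thread asked: say what was being parsed.
            .map_err(|e| format!("deserializing SAML IdP from database: {}", e))?;
        Ok(Self { idp_entity_id: raw.idp_entity_id, keypair })
    }
}

// Constructed samples: base64 of the DER bytes 30 06 02 01 01 02 01 02 (a
// SEQUENCE of two INTEGERs), and the same encoding cut one group short.
pub const VALID_B64: &str = "MAYCAQECAQI=";
pub const TRUNCATED_B64: &str = "MAYCAQEC";

/// Build a row with the given cert/key strings and run it through the conversion.
pub fn load_idp(cert: &str, key: &str) -> Result<SamlIdentityProvider, String> {
    SamlIdentityProvider::try_from(RawSamlConfig {
        idp_entity_id: "https://idp.example.test/metadata".into(), // constructed value
        public_cert: cert.into(),
        private_key: key.into(),
    })
}
```

`load_idp(VALID_B64, VALID_B64)` succeeds, while `load_idp(VALID_B64, TRUNCATED_B64)` fails with a message naming both what was being parsed and why it failed; PEM-armoured input (`-----BEGIN ...`) is rejected at the base64 step, which is the kind of mismatch the serde-level validation in the commit is meant to surface early.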
nexus/src/authn/silos.rs
// model to the authn type here, this is a server
// error: it was validated before it went into the
// DB.
omicron_common::api::external::Error::internal_error(&e.to_string())
Can you add a tiny bit of context here (like maybe make that argument &format!("deserializing SAML IdP from database: {:#}", e))? I'm afraid if we ever hit this case it'll be very hard to tell what we were even trying to parse.
Definitely, context added in 46de770
nexus/src/db/lookup.rs
@@ -397,7 +397,7 @@ impl<'a> Root<'a> { | |||
lookup_resource! { | |||
name = "Silo", | |||
ancestors = [], | |||
children = [ "Organization" ], | |||
children = [ "Organization", "SiloIdentityProvider", "SiloSamlIdentityProvider" ], |
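Review bot: the two children added to the Silo lookup_resource! here, "SiloIdentityProvider" and "SiloSamlIdentityProvider", are the pre-rename names; the later commit in this PR strips the Silo prefix (SiloIdentityProvider becomes IdentityProvider, SiloSamlIdentityProvider becomes SamlIdentityProvider), so this line needs to carry the renamed types when the branch is rebased, otherwise the lookup children and the model types diverge.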
Okay. I think "backend" is consistent with its use in other distributed systems contexts (e.g., "backend task" in this SRE book chapter), but I'm definitely not attached to it!
There's too much going on in this PR, plus a lot has changed in main, PLUS even if I do rebase the whole thing it will remain blocked on Josh's PR upstreaming the "dynamic" branch of our samael fork. I'm going to close this, and break it up into several smaller PRs so the parts unrelated to the main SAML functionality can go in.