oxidecomputer · jmpesp · Apr 29, 2022 · Apr 29, 2022 · Apr 29, 2022 · Apr 29, 2022
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/common/src/api/external/mod.rs b/common/src/api/external/mod.rs
@@ -516,6 +516,8 @@ pub enum ResourceType {
     Fleet,
     Silo,
     SiloUser,
+    SiloIdentityProvider,
+    SiloSamlIdentityProvider,
     SshKey,
     ConsoleSession,
     GlobalImage,
@@ -1743,6 +1745,36 @@ impl std::fmt::Display for Digest {
     }
 }
 
+/// A SAML configuration specifies both IDP and SP details
+#[derive(Clone, Debug, Serialize, JsonSchema, Deserialize)]
+pub struct SiloSamlIdentityProvider {
+    #[serde(flatten)]
+    pub identity: IdentityMetadata,
+
+    /// url where identity provider metadata descriptor is
+    pub idp_metadata_url: String,
+
+    /// idp's entity id
+    pub idp_entity_id: String,
+
+    /// sp's client id
+    pub sp_client_id: String,
+
+    /// service provider endpoint where the response will be sent
+    pub acs_url: String,
+
+    /// service provider endpoint where the idp should send log out requests
+    pub slo_url: String,
+
+    /// customer's technical contact for saml configuration
+    pub technical_contact_email: String,
+
+    /// optional request signing key pair (base64 encoded der files)
+    pub public_cert: Option<String>,
+    #[serde(skip_serializing)]
+    pub private_key: Option<String>,
+}
+
 #[cfg(test)]
 mod test {
     use super::RouteDestination;

diff --git a/common/src/sql/dbinit.sql b/common/src/sql/dbinit.sql
@@ -183,16 +183,14 @@ CREATE TABLE omicron.public.volume (
 CREATE TABLE omicron.public.silo (
     /* Identity metadata */
     id UUID PRIMARY KEY,
-
     name STRING(128) NOT NULL,
     description STRING(512) NOT NULL,
-
-    discoverable BOOL NOT NULL,
-
     time_created TIMESTAMPTZ NOT NULL,
     time_modified TIMESTAMPTZ NOT NULL,
     time_deleted TIMESTAMPTZ,
 
+    discoverable BOOL NOT NULL,
+
     /* child resource generation number, per RFD 192 */
     rcgen INT NOT NULL
 );
@@ -206,7 +204,6 @@ CREATE UNIQUE INDEX ON omicron.public.silo (
  * Silo users
  */
 CREATE TABLE omicron.public.silo_user (
-    /* silo user id */
     id UUID PRIMARY KEY,
 
     silo_id UUID NOT NULL,
@@ -216,6 +213,45 @@ CREATE TABLE omicron.public.silo_user (
     time_deleted TIMESTAMPTZ
 );
 
+/*
+ * Silo identity provider list
+ */
+CREATE TABLE omicron.public.silo_identity_provider (
+    silo_id UUID NOT NULL,
+    provider_type TEXT NOT NULL,
+    name TEXT NOT NULL,
+    provider_id UUID NOT NULL,
+
+    PRIMARY KEY (silo_id, provider_id)
+);
+
+/*
+ * Silo SAML identity provider
+ */
+CREATE TABLE omicron.public.silo_saml_identity_provider (
+    /* Identity metadata */
+    id UUID PRIMARY KEY,
+    name STRING(128) NOT NULL,
+    description STRING(512) NOT NULL,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    time_deleted TIMESTAMPTZ,
+
+    silo_id UUID NOT NULL,
+
+    idp_metadata_url TEXT NOT NULL,
+    idp_metadata_document_string TEXT NOT NULL,
+
+    idp_entity_id TEXT NOT NULL,
+    sp_client_id TEXT NOT NULL,
+    acs_url TEXT NOT NULL,
+    slo_url TEXT NOT NULL,
+    technical_contact_email TEXT NOT NULL,
+
+    public_cert TEXT,
+    private_key TEXT
+);
+
 /*
  * Users' public SSH keys, per RFD 44
  */

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -32,6 +32,9 @@ macaddr = { version = "1.0.1", features = [ "serde_std" ]}
 mime_guess = "2.0.4"
 newtype_derive = "0.1.6"
 num-integer = "0.1.44"
+openssl = "0.10"
+openssl-sys = "0.9"
+openssl-probe = "0.1.2"
 oso = "0.26"
 oximeter-client = { path = "../oximeter-client" }
 oximeter-db = { path = "../oximeter/db/" }
@@ -42,6 +45,7 @@ rand = "0.8.5"
 ref-cast = "1.0"
 reqwest = { version = "0.11.8", features = [ "json" ] }
 ring = "0.16"
+samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], rev = "441a244120eeb5995b2e47a52dc1beafa890d2b2" }
 serde_json = "1.0"
 serde_urlencoded = "0.7.1"
 serde_with = "1.12.1"

diff --git a/nexus/src/authn/mod.rs b/nexus/src/authn/mod.rs
@@ -26,6 +26,7 @@
 
 pub mod external;
 pub mod saga;
+pub mod silos;
 
 pub use crate::db::fixed_data::user_builtin::USER_DB_INIT;
 pub use crate::db::fixed_data::user_builtin::USER_EXTERNAL_AUTHN;

diff --git a/nexus/src/authn/silos.rs b/nexus/src/authn/silos.rs
@@ -0,0 +1,156 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Silo related authentication types and functions
+
+use crate::db::model::SiloSamlIdentityProvider;
+
+use anyhow::{anyhow, bail, Result};
+use samael::metadata::ContactPerson;
+use samael::metadata::ContactType;
+use samael::metadata::EntityDescriptor;
+use samael::metadata::NameIdFormat;
+use samael::metadata::HTTP_REDIRECT_BINDING;
+use samael::service_provider::ServiceProvider;
+use samael::service_provider::ServiceProviderBuilder;
+
+pub enum SiloIdentityProviderType {
+    Local,
+    Ldap,
+    Saml(Box<SiloSamlIdentityProvider>),
+}
+
+impl SiloSamlIdentityProvider {
+    /// return an error if this SiloSamlIdentityProvider is invalid
+    pub fn validate(&self) -> Result<()> {
+        // check that the idp metadata document string parses into an EntityDescriptor
+        let _idp_metadata: EntityDescriptor =
+            self.idp_metadata_document_string.parse()?;
+
+        // check that there is a valid sign in url
+        let _sign_in_url = self.sign_in_url(None)?;
+
+        // if keys were supplied, check that both public and private are here
+        if self.get_public_cert_bytes()?.is_some()
+            && self.get_private_key_bytes()?.is_none()
+        {
+            bail!("public and private key must be supplied together");
+        }
+        if self.get_public_cert_bytes()?.is_none()
+            && self.get_private_key_bytes()?.is_some()
+        {
+            bail!("public and private key must be supplied together");
+        }
+
+        // TODO validate DER keys
+
+        Ok(())
+    }
+
+    pub fn sign_in_url(&self, relay_state: Option<String>) -> Result<String> {
+        let idp_metadata: EntityDescriptor =
+            self.idp_metadata_document_string.parse()?;
+
+        // return the *first* SSO HTTP-Redirect binding URL in the IDP metadata:
+        //
+        //   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://..."/>
+        let sso_descriptors = idp_metadata
+            .idp_sso_descriptors
+            .as_ref()
+            .ok_or_else(|| anyhow!("no IDPSSODescriptor"))?;
+
+        if sso_descriptors.is_empty() {
+            return Err(anyhow!("zero SSO descriptors"));
+        }
+
+        // Currently, we only support redirect binding
+        let redirect_binding_locations = sso_descriptors[0]
+            .single_sign_on_services
+            .iter()
+            .filter(|x| x.binding == HTTP_REDIRECT_BINDING)
+            .map(|x| x.location.clone())
+            .collect::<Vec<String>>();
+
+        if redirect_binding_locations.is_empty() {
+            return Err(anyhow!("zero redirect binding locations"));
+        }
+
+        let redirect_url = redirect_binding_locations[0].clone();
+
+        // Create the authn request
+        let provider = self.make_service_provider(idp_metadata)?;
+        let authn_request = provider
+            .make_authentication_request(&redirect_url)
+            .map_err(|e| anyhow!(e.to_string()))?;
+
+        let encoded_relay_state = if let Some(relay_state) = relay_state {
+            relay_state
+        } else {
+            "".to_string()
+        };
+
+        let authn_request_url =
+            if let Some(key) = self.get_private_key_bytes()? {
+                // sign authn request if keys were supplied
+                authn_request.signed_redirect(&encoded_relay_state, &key)
+            } else {
+                authn_request.redirect(&encoded_relay_state)
+            }
+            .map_err(|e| anyhow!(e.to_string()))?
+            .ok_or_else(|| anyhow!("request url was none!".to_string()))?;
+
+        Ok(authn_request_url.to_string())
+    }
+
+    fn make_service_provider(
+        &self,
+        idp_metadata: EntityDescriptor,
+    ) -> Result<ServiceProvider> {
+        let mut sp_builder = ServiceProviderBuilder::default();
+        sp_builder.entity_id(self.sp_client_id.clone());
+        sp_builder.allow_idp_initiated(true);
+        sp_builder.contact_person(ContactPerson {
+            email_addresses: Some(vec![self.technical_contact_email.clone()]),
+            contact_type: Some(ContactType::Technical.value().to_string()),
+            ..ContactPerson::default()
+        });
+        sp_builder.idp_metadata(idp_metadata);
+
+        // 3.4.1.1 Element <NameIDPolicy>: If the Format value is omitted or set
+        // to urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified, then the
+        // identity provider is free to return any kind of identifier
+        sp_builder.authn_name_id_format(Some(
+            NameIdFormat::UnspecifiedNameIDFormat.value().into(),
+        ));
+
+        sp_builder.acs_url(self.acs_url.clone());
+        sp_builder.slo_url(self.slo_url.clone());
+
+        if let Some(cert) = &self.public_cert {
+            if let Ok(decoded) = base64::decode(cert.as_bytes()) {
+                if let Ok(parsed) = openssl::x509::X509::from_der(&decoded) {
+                    sp_builder.certificate(Some(parsed));
+                }
+            }
+        }
+
+        Ok(sp_builder.build()?)
+    }
+
+    fn get_public_cert_bytes(&self) -> Result<Option<Vec<u8>>> {
+        if let Some(cert) = &self.public_cert {
+            Ok(Some(base64::decode(cert.as_bytes())?))
+        } else {
+            Ok(None)
+        }
+    }
+
+    fn get_private_key_bytes(&self) -> Result<Option<Vec<u8>>> {
+        if let Some(key) = &self.private_key {
+            Ok(Some(base64::decode(key.as_bytes())?))
+        } else {
+            Ok(None)
+        }
+    }
+}
diff --git a/nexus/src/authz/api_resources.rs b/nexus/src/authz/api_resources.rs
@@ -435,6 +435,22 @@ authz_resource! {
     polar_snippet = Custom,
 }
 
+authz_resource! {
+    name = "SiloIdentityProvider",
+    parent = "Silo",
+    primary_key = Uuid,
+    roles_allowed = false,
+    polar_snippet = Custom,
+}
+
+authz_resource! {
+    name = "SiloSamlIdentityProvider",
+    parent = "Silo",
+    primary_key = Uuid,
+    roles_allowed = false,
+    polar_snippet = Custom,
+}
+
 authz_resource! {
     name = "SshKey",
     parent = "SiloUser",

diff --git a/nexus/src/authz/omicron.polar b/nexus/src/authz/omicron.polar
@@ -151,9 +151,13 @@ resource Silo {
 }
 has_relation(fleet: Fleet, "parent_fleet", silo: Silo)
 	if silo.fleet = fleet;
+# Users can see their own silo! This includes USER_TEST_UNPRIVILEGED
 has_role(actor: AuthenticatedActor, "viewer", silo: Silo)
 	if actor.silo = silo;
 
+has_permission(actor: AuthenticatedActor, "read", silo: Silo)
+	if has_role(actor, "external-authenticator", silo.fleet);
+
 resource Organization {
 	permissions = [
 	    "list_children",
@@ -279,3 +283,51 @@ resource SshKey {
 }
 has_relation(user: SiloUser, "silo_user", ssh_key: SshKey)
 	if ssh_key.silo_user = user;
+
+resource SiloIdentityProvider {
+	permissions = [
+	    "read",
+	    "modify",
+	    "create_child",
+	    "list_children",
+	];
+	relations = { parent_silo: Silo };
+
+	"read" if "viewer" on "parent_silo";
+	"list_children" if "viewer" on "parent_silo";
+
+	# Only silo admins can create silo identity providers
+	"modify" if "admin" on "parent_silo";
+	"create_child" if "admin" on "parent_silo";
+}
+has_relation(silo: Silo, "parent_silo", silo_identity_provider: SiloIdentityProvider)
+	if silo_identity_provider.silo = silo;
+
+has_permission(actor: AuthenticatedActor, "read", silo_identity_provider: SiloIdentityProvider)
+	if has_role(actor, "external-authenticator", silo_identity_provider.silo.fleet);
+has_permission(actor: AuthenticatedActor, "list_children", silo_identity_provider: SiloIdentityProvider)
+	if has_role(actor, "external-authenticator", silo_identity_provider.silo.fleet);
+
+resource SiloSamlIdentityProvider {
+	permissions = [
+	    "read",
+	    "modify",
+	    "create_child",
+	    "list_children",
+	];
+	relations = { parent_silo: Silo };
+
+	# Only silo admins have permissions for specific identity provider details
+	"read" if "admin" on "parent_silo";
+	"list_children" if "admin" on "parent_silo";
+
+	"modify" if "admin" on "parent_silo";
+	"create_child" if "admin" on "parent_silo";
+}
+has_relation(silo: Silo, "parent_silo", silo_saml_identity_provider: SiloSamlIdentityProvider)
+	if silo_saml_identity_provider.silo = silo;
+
+has_permission(actor: AuthenticatedActor, "read", silo_saml_identity_provider: SiloSamlIdentityProvider)
+	if has_role(actor, "external-authenticator", silo_saml_identity_provider.silo.fleet);
+has_permission(actor: AuthenticatedActor, "list_children", silo_saml_identity_provider: SiloSamlIdentityProvider)
+	if has_role(actor, "external-authenticator", silo_saml_identity_provider.silo.fleet);
diff --git a/nexus/src/authz/oso_generic.rs b/nexus/src/authz/oso_generic.rs
@@ -69,6 +69,8 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<Oso, anyhow::Error> {
         SshKey::init(),
         Silo::init(),
         SiloUser::init(),
+        SiloIdentityProvider::init(),
+        SiloSamlIdentityProvider::init(),
         Sled::init(),
         UpdateAvailableArtifact::init(),
         UserBuiltin::init(),