feat(core): Refactor and add SAML preferences for service provider instance (#5637)

* create SP through parameters instead of metadata * refactor SAML prefs and add SP configurations
2023-03-09 09:08:23 +01:00
parent 89d25995c3
commit 6f27b445ca
5 changed files with 105 additions and 76 deletions
--- a/packages/cli/src/sso/saml/saml.service.ee.ts
+++ b/packages/cli/src/sso/saml/saml.service.ee.ts
@@ -5,11 +5,10 @@ import { jsonParse, LoggerProxy } from 'n8n-workflow';
 import { AuthError, BadRequestError } from '@/ResponseHelper';
 import { getServiceProviderInstance } from './serviceProvider.ee';
 import type { SamlUserAttributes } from './types/samlUserAttributes';
-import type { SamlAttributeMapping } from './types/samlAttributeMapping';
 import { isSsoJustInTimeProvisioningEnabled } from '../ssoHelpers';
 import type { SamlPreferences } from './types/samlPreferences';
 import { SAML_PREFERENCES_DB_KEY } from './constants';
-import type { IdentityProviderInstance } from 'samlify';
+import type { IdentityProviderInstance, ServiceProviderInstance } from 'samlify';
 import { IdentityProvider, setSchemaValidator } from 'samlify';
 import {
 	createUserFromSamlAttributes,
@@ -32,30 +31,33 @@ export class SamlService {

 	private identityProviderInstance: IdentityProviderInstance | undefined;

-	private _attributeMapping: SamlAttributeMapping = {
-		email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
-		firstName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname',
-		lastName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname',
-		userPrincipalName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
+	private _samlPreferences: SamlPreferences = {
+		mapping: {
+			email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+			firstName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname',
+			lastName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname',
+			userPrincipalName: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
+		},
+		metadata: '',
+		metadataUrl: '',
+		ignoreSSL: false,
+		loginBinding: 'redirect',
+		acsBinding: 'post',
+		authnRequestsSigned: false,
+		loginEnabled: false,
+		loginLabel: 'SAML',
+		wantAssertionsSigned: true,
+		wantMessageSigned: true,
 	};

-	public get attributeMapping(): SamlAttributeMapping {
-		return this._attributeMapping;
+	public get samlPreferences(): SamlPreferences {
+		return {
+			...this._samlPreferences,
+			loginEnabled: isSamlLoginEnabled(),
+			loginLabel: getSamlLoginLabel(),
+		};
 	}

-	public set attributeMapping(mapping: SamlAttributeMapping) {
-		// TODO:SAML: add validation
-		this._attributeMapping = mapping;
-	}
-
-	private metadata = '';
-
-	private metadataUrl = '';
-
-	private ignoreSSL = false;
-
-	private loginBinding: SamlLoginBinding = 'post';
-
 	static getInstance(): SamlService {
 		if (!SamlService.instance) {
 			SamlService.instance = new SamlService();
@@ -79,18 +81,22 @@ export class SamlService {
 	getIdentityProviderInstance(forceRecreate = false): IdentityProviderInstance {
 		if (this.identityProviderInstance === undefined || forceRecreate) {
 			this.identityProviderInstance = IdentityProvider({
-				metadata: this.metadata,
+				metadata: this._samlPreferences.metadata,
 			});
 		}

 		return this.identityProviderInstance;
 	}

+	getServiceProviderInstance(): ServiceProviderInstance {
+		return getServiceProviderInstance(this._samlPreferences);
+	}
+
 	getLoginRequestUrl(binding?: SamlLoginBinding): {
 		binding: SamlLoginBinding;
 		context: BindingContext | PostBindingContext;
 	} {
-		if (binding === undefined) binding = this.loginBinding;
+		if (binding === undefined) binding = this._samlPreferences.loginBinding ?? 'redirect';
 		if (binding === 'post') {
 			return {
 				binding,
@@ -105,7 +111,7 @@ export class SamlService {
 	}

 	private getRedirectLoginRequestUrl(): BindingContext {
-		const loginRequest = getServiceProviderInstance().createLoginRequest(
+		const loginRequest = this.getServiceProviderInstance().createLoginRequest(
 			this.getIdentityProviderInstance(),
 			'redirect',
 		);
@@ -115,7 +121,7 @@ export class SamlService {
 	}

 	private getPostLoginRequestUrl(): PostBindingContext {
-		const loginRequest = getServiceProviderInstance().createLoginRequest(
+		const loginRequest = this.getServiceProviderInstance().createLoginRequest(
 			this.getIdentityProviderInstance(),
 			'post',
 		) as PostBindingContext;
@@ -177,35 +183,30 @@ export class SamlService {
 		return undefined;
 	}

-	getSamlPreferences(): SamlPreferences {
-		return {
-			mapping: this.attributeMapping,
-			metadata: this.metadata,
-			metadataUrl: this.metadataUrl,
-			ignoreSSL: this.ignoreSSL,
-			loginBinding: this.loginBinding,
-			loginEnabled: isSamlLoginEnabled(),
-			loginLabel: getSamlLoginLabel(),
-		};
-	}
-
 	async setSamlPreferences(prefs: SamlPreferences): Promise<SamlPreferences | undefined> {
-		this.loginBinding = prefs.loginBinding ?? this.loginBinding;
-		this.metadata = prefs.metadata ?? this.metadata;
-		this.attributeMapping = prefs.mapping ?? this.attributeMapping;
-		this.ignoreSSL = prefs.ignoreSSL ?? this.ignoreSSL;
+		this._samlPreferences.loginBinding = prefs.loginBinding ?? this._samlPreferences.loginBinding;
+		this._samlPreferences.metadata = prefs.metadata ?? this._samlPreferences.metadata;
+		this._samlPreferences.mapping = prefs.mapping ?? this._samlPreferences.mapping;
+		this._samlPreferences.ignoreSSL = prefs.ignoreSSL ?? this._samlPreferences.ignoreSSL;
+		this._samlPreferences.acsBinding = prefs.acsBinding ?? this._samlPreferences.acsBinding;
+		this._samlPreferences.authnRequestsSigned =
+			prefs.authnRequestsSigned ?? this._samlPreferences.authnRequestsSigned;
+		this._samlPreferences.wantAssertionsSigned =
+			prefs.wantAssertionsSigned ?? this._samlPreferences.wantAssertionsSigned;
+		this._samlPreferences.wantMessageSigned =
+			prefs.wantMessageSigned ?? this._samlPreferences.wantMessageSigned;
 		if (prefs.metadataUrl) {
-			this.metadataUrl = prefs.metadataUrl;
+			this._samlPreferences.metadataUrl = prefs.metadataUrl;
 			const fetchedMetadata = await this.fetchMetadataFromUrl();
 			if (fetchedMetadata) {
-				this.metadata = fetchedMetadata;
+				this._samlPreferences.metadata = fetchedMetadata;
 			}
 		} else if (prefs.metadata) {
 			const validationResult = await validateMetadata(prefs.metadata);
 			if (!validationResult) {
 				throw new Error('Invalid SAML metadata');
 			}
-			this.metadata = prefs.metadata;
+			this._samlPreferences.metadata = prefs.metadata;
 		}
 		setSamlLoginEnabled(prefs.loginEnabled ?? isSamlLoginEnabled());
 		setSamlLoginLabel(prefs.loginLabel ?? getSamlLoginLabel());
@@ -232,7 +233,7 @@ export class SamlService {
 		const samlPreferences = await Db.collections.Settings.findOne({
 			where: { key: SAML_PREFERENCES_DB_KEY },
 		});
-		const settingsValue = JSON.stringify(this.getSamlPreferences());
+		const settingsValue = JSON.stringify(this.samlPreferences);
 		let result: Settings;
 		if (samlPreferences) {
 			samlPreferences.value = settingsValue;
@@ -249,25 +250,29 @@ export class SamlService {
 	}

 	async fetchMetadataFromUrl(): Promise<string | undefined> {
+		if (!this._samlPreferences.metadataUrl)
+			throw new BadRequestError('Error fetching SAML Metadata, no Metadata URL set');
 		try {
 			// TODO:SAML: this will not work once axios is upgraded to > 1.2.0 (see checkServerIdentity)
 			const agent = new https.Agent({
-				rejectUnauthorized: !this.ignoreSSL,
+				rejectUnauthorized: !this._samlPreferences.ignoreSSL,
 			});
-			const response = await axios.get(this.metadataUrl, { httpsAgent: agent });
+			const response = await axios.get(this._samlPreferences.metadataUrl, { httpsAgent: agent });
 			if (response.status === 200 && response.data) {
 				const xml = (await response.data) as string;
 				const validationResult = await validateMetadata(xml);
 				if (!validationResult) {
 					throw new BadRequestError(
-						`Data received from ${this.metadataUrl} is not valid SAML metadata.`,
+						`Data received from ${this._samlPreferences.metadataUrl} is not valid SAML metadata.`,
 					);
 				}
 				return xml;
 			}
 		} catch (error) {
-			// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-			throw new BadRequestError(`Error fetching SAML Metadata from ${this.metadataUrl}: ${error}`);
+			throw new BadRequestError(
+				// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+				`Error fetching SAML Metadata from ${this._samlPreferences.metadataUrl}: ${error}`,
+			);
 		}
 		return;
 	}
@@ -277,19 +282,21 @@ export class SamlService {
 		binding: SamlLoginBinding,
 	): Promise<SamlUserAttributes> {
 		let parsedSamlResponse;
+		if (!this._samlPreferences.mapping)
+			throw new BadRequestError('Error fetching SAML Attributes, no Attribute mapping set');
 		try {
-			parsedSamlResponse = await getServiceProviderInstance().parseLoginResponse(
+			parsedSamlResponse = await this.getServiceProviderInstance().parseLoginResponse(
 				this.getIdentityProviderInstance(),
 				binding,
 				req,
 			);
 		} catch (error) {
-			throw error;
-			// throw new AuthError('SAML Authentication failed. Could not parse SAML response.');
+			// throw error;
+			throw new AuthError('SAML Authentication failed. Could not parse SAML response.');
 		}
 		const { attributes, missingAttributes } = getMappedSamlAttributesFromFlowResult(
 			parsedSamlResponse,
-			this.attributeMapping,
+			this._samlPreferences.mapping,
 		);
 		if (!attributes) {
 			throw new AuthError('SAML Authentication failed. Invalid SAML response.');
@@ -308,7 +315,7 @@ export class SamlService {
 		try {
 			// TODO:SAML: this will not work once axios is upgraded to > 1.2.0 (see checkServerIdentity)
 			const agent = new https.Agent({
-				rejectUnauthorized: !this.ignoreSSL,
+				rejectUnauthorized: !this._samlPreferences.ignoreSSL,
 			});
 			const requestContext = this.getLoginRequestUrl();
 			if (!requestContext) return false;