groot/automatisch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(sso): introduce authentication with SAML

Browse Source
This commit is contained in:
Ali BARIN
2023-07-06 11:05:28 +00:00
parent 5176b8c322
commit a7104c41a2
28 changed files with 720 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/backend/package.json
View File

@@ -27,10 +27,12 @@
"@casl/ability": "^6.5.0",
"@graphql-tools/graphql-file-loader": "^7.3.4",
"@graphql-tools/load": "^7.5.2",
"@node-saml/passport-saml": "^4.0.4",
"@rudderstack/rudder-sdk-node": "^1.1.2",
"@sentry/node": "^7.42.0",
"@sentry/tracing": "^7.42.0",
"@types/luxon": "^2.3.1",
"@types/passport": "^1.0.12",
"@types/xmlrpc": "^1.3.7",
"ajv-formats": "^2.1.1",
"axios": "0.24.0",
@@ -63,6 +65,7 @@
"nodemailer": "6.7.0",
"oauth-1.0a": "^2.2.6",
"objection": "^3.0.0",
"passport": "^0.6.0",
"pg": "^8.7.1",
"php-serialize": "^4.0.2",
"stripe": "^11.13.0",

4
packages/backend/src/app.ts
View File

@@ -17,6 +17,7 @@ import {
} from './helpers/create-bull-board-handler';
import injectBullBoardHandler from './helpers/inject-bull-board-handler';
import router from './routes';
import configurePassport from './helpers/passport';
createBullBoardHandler(serverAdapter);
@@ -50,6 +51,9 @@ app.use(
})
);
app.use(cors(corsOptions));
configurePassport(app);
app.use('/', router);
webUIHandler(app);

23
packages/backend/src/db/migrations/20230702210636_create_saml_auth_providers.ts Normal file
View File

@@ -0,0 +1,23 @@
import { Knex } from 'knex';
export async function up(knex: Knex): Promise<void> {
return knex.schema.createTable('saml_auth_providers', (table) => {
table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
table.string('name').notNullable();
table.text('certificate').notNullable();
table.string('signature_algorithm').notNullable();
table.string('issuer').notNullable();
table.text('entry_point').notNullable();
table.text('firstname_attribute_name').notNullable();
table.text('surname_attribute_name').notNullable();
table.text('email_attribute_name').notNullable();
table.text('role_attribute_name').notNullable();
table.uuid('default_role_id').references('id').inTable('roles');
table.timestamps(true, true);
});
}
export async function down(knex: Knex): Promise<void> {
return knex.schema.dropTable('saml_auth_providers');
}

17
packages/backend/src/db/migrations/20230707094923_create_identities.ts Normal file
View File

@@ -0,0 +1,17 @@
import { Knex } from 'knex';
export async function up(knex: Knex): Promise<void> {
return knex.schema.createTable('identities', (table) => {
table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
table.uuid('user_id').references('id').inTable('users');
table.string('remote_id').notNullable();
table.string('provider_id').notNullable();
table.string('provider_type').notNullable();
table.timestamps(true, true);
});
}
export async function down(knex: Knex): Promise<void> {
return knex.schema.dropTable('identities');
}

14
packages/backend/src/db/migrations/20230715214424_make_user_password_nullable.ts Normal file
View File

@@ -0,0 +1,14 @@
import { Knex } from 'knex';
export async function up(knex: Knex): Promise<void> {
return await knex.schema.alterTable('users', (table) => {
table.string('password').nullable().alter();
});
}
export async function down(knex: Knex): Promise<void> {
return await knex.schema.alterTable('users', table => {
// what do we do? passwords cannot be left empty
// table.string('password').notNullable().alter();
});
}

9
packages/backend/src/graphql/queries/get-saml-auth-providers.ee.ts Normal file
View File

@@ -0,0 +1,9 @@
import SamlAuthProvider from '../../models/saml-auth-provider.ee';
const getSamlAuthProviders = async () => {
const providers = await SamlAuthProvider.query();
return providers;
};
export default getSamlAuthProviders;

2
packages/backend/src/graphql/query-resolvers.ts
View File

@@ -18,6 +18,7 @@ import getInvoices from './queries/get-invoices.ee';
import getAutomatischInfo from './queries/get-automatisch-info';
import getTrialStatus from './queries/get-trial-status.ee';
import getSubscriptionStatus from './queries/get-subscription-status.ee';
import getSamlAuthProviders from './queries/get-saml-auth-providers.ee';
import healthcheck from './queries/healthcheck';
const queryResolvers = {
@@ -41,6 +42,7 @@ const queryResolvers = {
getAutomatischInfo,
getTrialStatus,
getSubscriptionStatus,
getSamlAuthProviders,
healthcheck,
};

7
packages/backend/src/graphql/schema.graphql
View File

@@ -41,6 +41,7 @@ type Query {
getAutomatischInfo: GetAutomatischInfo
getTrialStatus: GetTrialStatus
getSubscriptionStatus: GetSubscriptionStatus
getSamlAuthProviders: [GetSamlAuthProviders]
healthcheck: AppHealth
}
@@ -554,6 +555,12 @@ type PaymentPlan {
productId: String
}
type GetSamlAuthProviders {
id: String
name: String
issuer: String
}
schema {
query: Query
mutation: Mutation

1
packages/backend/src/helpers/authentication.ts
View File

@@ -33,6 +33,7 @@ const authentication = shield(
Query: {
'*': isAuthenticated,
getAutomatischInfo: allow,
getSamlAuthProviders: allow,
healthcheck: allow,
},
Mutation: {

14
packages/backend/src/helpers/create-auth-token-by-user-id.ts Normal file
View File

@@ -0,0 +1,14 @@
import jwt from 'jsonwebtoken';
import appConfig from '../config/app';
const TOKEN_EXPIRES_IN = '14d';
const createAuthTokenByUserId = (userId: string) => {
const token = jwt.sign({ userId }, appConfig.appSecretKey, {
expiresIn: TOKEN_EXPIRES_IN,
});
return token;
};
export default createAuthTokenByUserId;

48
packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts Normal file
View File

@@ -0,0 +1,48 @@
import SamlAuthProvider from '../models/saml-auth-provider.ee';
import User from '../models/user';
import Identity from '../models/identity.ee';
const getUser = (user: Record<string, unknown>, providerConfig: SamlAuthProvider) => ({
name: user[providerConfig.firstnameAttributeName],
surname: user[providerConfig.surnameAttributeName],
id: user.nameID,
email: user[providerConfig.emailAttributeName],
role: user[providerConfig.roleAttributeName],
})
const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unknown>, samlAuthProvider: SamlAuthProvider) => {
const mappedUser = getUser(userIdentity, samlAuthProvider);
const identity = await Identity.query().findOne({
remote_id: mappedUser.id,
});
if (identity) {
const user = await identity.$relatedQuery('user');
return user;
}
const createdUser = await User.query().insertGraphAndFetch({
fullName: [
mappedUser.name,
mappedUser.surname
]
.filter(Boolean)
.join(' '),
email: mappedUser.email as string,
roleId: samlAuthProvider.defaultRoleId,
identities: [
{
remoteId: mappedUser.id as string,
providerId: samlAuthProvider.id,
providerType: 'saml'
}
]
}, {
relate: ['identities']
});
return createdUser;
};
export default findOrCreateUserBySamlIdentity;

84
packages/backend/src/helpers/passport.ts Normal file
View File

@@ -0,0 +1,84 @@
import { URL } from 'node:url';
import { IRequest } from '@automatisch/types';
import { MultiSamlStrategy } from '@node-saml/passport-saml';
import { Express } from 'express';
import passport from 'passport';
import appConfig from '../config/app';
import createAuthTokenByUserId from '../helpers/create-auth-token-by-user-id';
import SamlAuthProvider from '../models/saml-auth-provider.ee';
import findOrCreateUserBySamlIdentity from './find-or-create-user-by-saml-identity.ee'
export default function configurePassport(app: Express) {
app.use(passport.initialize({
userProperty: 'currentUser',
}));
passport.use(new MultiSamlStrategy(
{
passReqToCallback: true,
getSamlOptions: async function (request, done) {
const { issuer } = request.params;
const notFoundIssuer = new Error('Issuer cannot be found!');
if (!issuer) return done(notFoundIssuer);
const authProvider = await SamlAuthProvider.query().findOne({
issuer: request.params.issuer as string,
});
if (!authProvider) {
return done(notFoundIssuer);
}
return done(null, authProvider.config);
},
},
async function (request, user: Record<string, unknown>, done) {
const { issuer } = request.params;
const notFoundIssuer = new Error('Issuer cannot be found!');
if (!issuer) return done(notFoundIssuer);
const authProvider = await SamlAuthProvider.query().findOne({
issuer: request.params.issuer as string,
});
if (!authProvider) {
return done(notFoundIssuer);
}
const foundUserWithIdentity = await findOrCreateUserBySamlIdentity(user, authProvider);
return done(null, foundUserWithIdentity as unknown as Record<string, unknown>);
},
function (request, user: Record<string, unknown>, done: (error: any, user: Record<string, unknown>) => void) {
return done(null, null);
}
));
app.get('/login/saml/:issuer',
passport.authenticate('saml',
{
session: false,
successRedirect: '/',
})
);
app.post(
'/login/saml/:issuer/callback',
passport.authenticate('saml', {
session: false,
failureRedirect: '/',
failureFlash: true,
}),
(req: IRequest, res) => {
const token = createAuthTokenByUserId(req.currentUser.id);
const redirectUrl = new URL(
`/login/callback?token=${token}`,
appConfig.webAppUrl,
).toString();
res.redirect(redirectUrl);
}
);
};

53
packages/backend/src/models/identity.ee.ts Normal file
View File

@@ -0,0 +1,53 @@
import Base from './base';
import SamlAuthProvider from './saml-auth-provider.ee';
import User from './user';
class Identity extends Base {
id!: string;
remoteId!: string;
userId!: string;
providerId!: string;
providerType!: 'saml';
static tableName = 'identities';
static jsonSchema = {
type: 'object',
required: [
'providerId',
'remoteId',
'userId',
'providerType',
],
properties: {
id: { type: 'string', format: 'uuid' },
userId: { type: 'string', format: 'uuid' },
remoteId: { type: 'string', minLength: 1 },
providerId: { type: 'string', format: 'uuid' },
providerType: { type: 'string', enum: ['saml'] },
},
};
static relationMappings = () => ({
user: {
relation: Base.BelongsToOneRelation,
modelClass: User,
join: {
from: 'users.id',
to: 'identities.user_id',
},
},
samlAuthProvider: {
relation: Base.BelongsToOneRelation,
modelClass: SamlAuthProvider,
join: {
from: 'saml_auth_providers.id',
to: 'identities.provider_id'
},
},
});
}
export default Identity;

79
packages/backend/src/models/saml-auth-provider.ee.ts Normal file
View File

@@ -0,0 +1,79 @@
import { URL } from 'node:url';
import type { SamlConfig } from '@node-saml/passport-saml';
import appConfig from '../config/app';
import Base from './base';
import Identity from './identity.ee';
class SamlAuthProvider extends Base {
id!: string;
name: string;
certificate: string;
signatureAlgorithm: SamlConfig["signatureAlgorithm"];
issuer: string;
entryPoint: string;
firstnameAttributeName: string;
surnameAttributeName: string;
emailAttributeName: string;
roleAttributeName: string;
defaultRoleId: string;
static tableName = 'saml_auth_providers';
static jsonSchema = {
type: 'object',
required: [
'name',
'certificate',
'signatureAlgorithm',
'entryPoint',
'issuer',
'firstnameAttributeName',
'surnameAttributeName',
'emailAttributeName',
'roleAttributeName',
'defaultRoleId',
],
properties: {
id: { type: 'string', format: 'uuid' },
name: { type: 'string', minLength: 1 },
certificate: { type: 'string', minLength: 1 },
signatureAlgorithm: { type: 'string', enum: ['sha1', 'sha256', 'sha512'] },
issuer: { type: 'string', minLength: 1 },
entryPoint: { type: 'string', minLength: 1 },
firstnameAttributeName: { type: 'string', minLength: 1 },
surnameAttributeName: { type: 'string', minLength: 1 },
emailAttributeName: { type: 'string', minLength: 1 },
roleAttributeName: { type: 'string', minLength: 1 },
defaultRoleId: { type: 'string', format: 'uuid' }
},
};
static relationMappings = () => ({
identities: {
relation: Base.HasOneRelation,
modelClass: Identity,
join: {
from: 'identities.provider_id',
to: 'saml_auth_providers.id',
},
},
});
get config(): SamlConfig {
const callbackUrl = new URL(
`/login/saml/${this.issuer}/callback`,
appConfig.baseUrl
).toString();
return {
callbackUrl,
cert: this.certificate,
entryPoint: this.entryPoint,
issuer: this.issuer,
signatureAlgorithm: this.signatureAlgorithm,
}
}
}
export default SamlAuthProvider;

22
packages/backend/src/models/user.ts
View File

@@ -14,6 +14,7 @@ import Step from './step';
import Role from './role';
import Permission from './permission';
import Execution from './execution';
import Identity from './identity.ee';
import UsageData from './usage-data.ee';
import Subscription from './subscription.ee';
@@ -36,18 +37,19 @@ class User extends Base {
currentSubscription?: Subscription;
role: Role;
permissions: Permission[];
identities: Identity[];
static tableName = 'users';
static jsonSchema = {
type: 'object',
required: ['fullName', 'email', 'password'],
required: ['fullName', 'email'],
properties: {
id: { type: 'string', format: 'uuid' },
fullName: { type: 'string', minLength: 1 },
email: { type: 'string', format: 'email', minLength: 1, maxLength: 255 },
password: { type: 'string', minLength: 1, maxLength: 255 },
password: { type: 'string' },
resetPasswordToken: { type: 'string' },
resetPasswordTokenSentAt: { type: 'string' },
trialExpiryDate: { type: 'string' },
@@ -157,6 +159,14 @@ class User extends Base {
to: 'permissions.id',
},
},
identities: {
relation: Base.HasManyRelation,
modelClass: Identity,
join: {
from: 'identities.user_id',
to: 'users.id',
}
}
});
login(password: string) {
@@ -191,7 +201,9 @@ class User extends Base {
}
async generateHash() {
this.password = await bcrypt.hash(this.password, 10);
if (this.password) {
this.password = await bcrypt.hash(this.password, 10);
}
}
async startTrialPeriod() {
@@ -265,9 +277,7 @@ class User extends Base {
async $beforeUpdate(opt: ModelOptions, queryContext: QueryContext) {
await super.$beforeUpdate(opt, queryContext);
if (this.password) {
await this.generateHash();
}
await this.generateHash();
}
async $afterInsert(queryContext: QueryContext) {