Initial commit

Author: itzg

.circleci/config.yml

@@ -0,0 +1,37 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: circleci/golang:1.11
+    steps:
+      - checkout
+      - run: go build
+
+  release:
+    docker:
+      - image: circleci/golang:1.11
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: docker login
+          command: docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
+      - run:
+          name: build and release
+          command: curl -sL https://git.io/goreleaser | bash
+workflows:
+  version: 2
+  build:
+    jobs:
+      - build:
+          filters:
+            tags:
+              ignore: /.*/
+  release:
+    jobs:
+      - release:
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /[0-9]+(\.[0-9]+)*(-.*)*/

.gitignore

@@ -0,0 +1,9 @@
+/*metadata.xml
+/*.cert
+/*.key
+
+/dist/
+/saml-auth-proxy
+/saml-auth-proxy.exe
+/*.iml
+/.idea

.goreleaser.yml

@@ -0,0 +1,44 @@
+project_name: saml-proxy
+before:
+  hooks:
+    - go mod download
+builds:
+- env:
+  - CGO_ENABLED=0
+  goos:
+    - linux
+    - windows
+    - darwin
+  goarch:
+    - amd64
+    - arm
+archive:
+  replacements:
+    darwin: macosx
+    386: x86_32
+    amd64: x86_64
+  format: binary
+  files:
+    - none*
+dockers:
+  - image_templates:
+      - "itzg/{{.ProjectName}}:latest"
+      - "itzg/{{.ProjectName}}:{{ .Tag }}"
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "snapshot-{{ .ShortCommit }}"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+    - '^docs:'
+    - '^misc:'
+    - '^ci:'
+    - '^test:'
+scoop:
+  bucket:
+    owner: itzg
+    name: scoop-bucket
+  license: Apache2
+  description: Provides a SAML SP authentication proxy for backend web services

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Geoff Bourne
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,70 @@
+Provides a SAML SP authentication proxy for backend web services
+
+## Usage
+
+```text
+Usage:
+  saml-auth-proxy [flags]
+
+Flags:
+      --attribute-header-mappings stringToString   Comma separated list of attribute=header pairs mapping SAML IdP response attributes to forwarded request header [SAML_PROXY_ATTRIBUTE_HEADER_MAPPINGS] (default [])
+      --backend-url string                         URL of the backend being proxied [SAML_PROXY_BACKEND_URL]
+      --base-url string                            External URL of this proxy [SAML_PROXY_BASE_URL]
+      --bind string                                host:port to bind for serving HTTP [SAML_PROXY_BIND] (default ":8080")
+  -h, --help                                       help for saml-auth-proxy
+      --idp-metadata-url string                    URL of the IdP's metadata XML [SAML_PROXY_IDP_METADATA_URL]
+      --new-auth-webhook-url string                URL of webhook that will get POST'ed when a new authentication is processed [SAML_PROXY_NEW_AUTH_WEBHOOK_URL]
+      --sp-cert-path string                        Path to the X509 public certificate PEM file for this SP [SAML_PROXY_SP_CERT_PATH] (default "saml-auth-proxy.cert")
+      --sp-key-path string                         Path to the X509 private key PEM file for this SP [SAML_PROXY_SP_KEY_PATH] (default "saml-auth-proxy.key")
+      --version                                    version for saml-auth-proxy
+```
+
+## Building
+
+With Go 1.11 or newer:
+
+```
+go build
+```
+
+## Trying it out
+
+The following procedure will enable you to try out the proxy running locally and using
+Grafana as a backend to proxy with authentication. It will use [SSOCircle](https://www.ssocircle.com)
+as a SAML IdP.
+
+Start the supplied Grafana and Web Debug Server using Docker Compose:
+
+```bash
+docker-compose up -d
+```
+
+Create a domain name that resolves to 127.0.0.1 and use that as the `BASE_FQDN` in the following
+operations;
+
+Generate the SP certificate and key material by running:
+
+```bash
+openssl req -x509 -newkey rsa:2048 -keyout saml-auth-proxy.key -out saml-auth-proxy.cert -days 365 -nodes -subj "/CN=${BASE_FQDN}"
+```
+
+Start saml-auth-proxy using:
+
+```bash
+./saml-auth-proxy \
+  --base-url http://${BASE_FQDN}:8080 \
+  --backend-url http://locahost:3000 \
+  --idp-metadata-url https://idp.ssocircle.com/
+```
+
+Generate your SP's SAML metadata by accessing the built-in metadata endpoint:
+
+```bash
+curl localhost:8000/saml/metadata > saml-sp-metadata.xml
+```
+
+You can post the content of the `saml-sp-metadata.xml` file at 
+[SSOCircle's SP metadata page](https://idp.ssocircle.com/sso/hos/ManageSPMetadata.jsp).
+
+Now you can open your browser and navigate to `http://${BASE_FQDN}:8080`. You will be redirected
+via SSOCircle's login page and then be returned with access to Grafana.

cmd/root.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/itzg/saml-auth-proxy/server"
+	"github.com/jamiealquiza/envy"
+	"github.com/spf13/cobra"
+	"log"
+	"os"
+)
+
+var serverConfig server.Config
+
+var rootCmd = &cobra.Command{
+	Use:   "saml-auth-proxy",
+	Short: "Provides a SAML SP authentication proxy for backend web services",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := server.Start(&serverConfig)
+		log.Fatal(err)
+	},
+}
+
+func init() {
+	rootCmd.Flags().StringVar(&serverConfig.Bind, "bind", ":8080", "host:port to bind for serving HTTP")
+	rootCmd.Flags().StringVar(&serverConfig.BaseUrl, "base-url", "", "External URL of this proxy")
+	rootCmd.Flags().StringVar(&serverConfig.BackendUrl, "backend-url", "", "URL of the backend being proxied")
+	rootCmd.Flags().StringVar(&serverConfig.NewAuthWebhookUrl, "new-auth-webhook-url", "", "URL of webhook that will get POST'ed when a new authentication is processed")
+	rootCmd.Flags().StringVar(&serverConfig.IdpMetadataUrl, "idp-metadata-url", "", "URL of the IdP's metadata XML")
+	rootCmd.Flags().StringVar(&serverConfig.SpKeyPath, "sp-key-path", "saml-auth-proxy.key", "Path to the X509 private key PEM file for this SP")
+	rootCmd.Flags().StringVar(&serverConfig.SpCertPath, "sp-cert-path", "saml-auth-proxy.cert", "Path to the X509 public certificate PEM file for this SP")
+	rootCmd.Flags().StringToStringVar(&serverConfig.AttributeHeaderMappings, "attribute-header-mappings", nil,
+		"Comma separated list of attribute=header pairs mapping SAML IdP response attributes to forwarded request header")
+
+	_ = rootCmd.MarkFlagRequired("base-url")
+	_ = rootCmd.MarkFlagRequired("backend-url")
+	_ = rootCmd.MarkFlagRequired("idp-metadata-url")
+}
+
+func Execute(version string) {
+
+	rootCmd.Version = version
+
+	cfg := envy.CobraConfig{
+		Prefix: "SAML_PROXY",
+	}
+
+	envy.ParseCobra(rootCmd, cfg)
+
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}

docker-compose.yml

@@ -0,0 +1,20 @@
+version: '3.4'
+
+services:
+  grafana:
+    image: grafana/grafana
+    ports:
+      - 3000:3000
+    environment:
+      GF_SECURITY_ADMIN_PASSWORD: notsecret
+      GF_AUTH_PROXY_ENABLED: "true"
+      GF_AUTH_PROXY_HEADER_NAME: X-WEBAUTH-USER
+    volumes:
+      - grafana:/var/lib/grafana
+  web-debug-server:
+    image: itzg/web-debug-server:0.0.4
+    ports:
+      - 8081:8080
+
+volumes:
+  grafana: {}

go.mod

@@ -0,0 +1,16 @@
+module github.com/itzg/saml-auth-proxy
+
+require (
+	github.com/beevik/etree v1.1.0 // indirect
+	github.com/crewjam/saml v0.0.0-20180831135026-ebc5f787b786
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jamiealquiza/envy v1.1.0
+	github.com/jonboulle/clockwork v0.1.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/pkg/errors v0.8.1
+	github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 // indirect
+	github.com/spf13/cobra v0.0.3
+	github.com/spf13/pflag v1.0.3 // indirect
+	golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67 // indirect
+)

go.sum

@@ -0,0 +1,24 @@
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
+github.com/crewjam/saml v0.0.0-20180831135026-ebc5f787b786 h1:8OVABJfT9iJh/uHeYlk1HWugxt7j50JPwW2uLOV9Yqs=
+github.com/crewjam/saml v0.0.0-20180831135026-ebc5f787b786/go.mod h1:w5eu+HNtubx+kRpQL6QFT2F3yIFfYVe6+EzOFVU7Hko=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jamiealquiza/envy v1.1.0 h1:Nwh4wqTZ28gDA8zB+wFkhnUpz3CEcO12zotjeqqRoKE=
+github.com/jamiealquiza/envy v1.1.0/go.mod h1:MP36BriGCLwEHhi1OU8E9569JNZrjWfCvzG7RsPnHus=
+github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
+github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 h1:J4AOUcOh/t1XbQcJfkEqhzgvMJ2tDxdCVvmHxW5QXao=
+github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7/go.mod h1:Oz4y6ImuOQZxynhbSXk7btjEfNBtGlj2dcaOvXl2FSM=
+github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
+github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67 h1:ng3VDlRp5/DHpSWl02R4rM9I+8M2rhmsuLwAMmkLQWE=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=

main.go

@@ -0,0 +1,15 @@
+package main
+
+import (
+	"github.com/itzg/saml-auth-proxy/cmd"
+)
+
+var (
+	version = "dev"
+	commit  = "HEAD"
+)
+
+func main() {
+	// delegate all the init work to cobra
+	cmd.Execute(version + "-" + commit)
+}