Add option for adding CA cert for the IdP

Author: itzg

README.md

@@ -16,6 +16,7 @@ Flags:
       --base-url string                            External URL of this proxy [SAML_PROXY_BASE_URL]
       --bind string                                host:port to bind for serving HTTP [SAML_PROXY_BIND] (default ":8080")
   -h, --help                                       help for saml-auth-proxy
+      --idp-ca-path string                         Optional path to a CA certificate PEM file for the IdP [SAML_PROXY_IDP_CA_PATH]
       --idp-metadata-url string                    URL of the IdP's metadata XML [SAML_PROXY_IDP_METADATA_URL]
       --name-id-mapping string                     Name of the request header to convey the SAML nameID/subject [SAML_PROXY_NAME_ID_MAPPING]
       --new-auth-webhook-url string                URL of webhook that will get POST'ed when a new authentication is processed [SAML_PROXY_NEW_AUTH_WEBHOOK_URL]
@@ -24,6 +25,9 @@ Flags:
       --version                                    version for saml-auth-proxy
 ```
 
+The snake-case values, such as `SAML_PROXY_BACKEND_URL`, are the equivalent environment variables
+that can be set instead of passing configuration via the command-line.
+
 ## Building
 
 With Go 1.11 or newer:

cmd/root.go

@@ -26,6 +26,8 @@ func init() {
 	rootCmd.Flags().StringVar(&serverConfig.BackendUrl, "backend-url", "", "URL of the backend being proxied")
 	rootCmd.Flags().StringVar(&serverConfig.NewAuthWebhookUrl, "new-auth-webhook-url", "", "URL of webhook that will get POST'ed when a new authentication is processed")
 	rootCmd.Flags().StringVar(&serverConfig.IdpMetadataUrl, "idp-metadata-url", "", "URL of the IdP's metadata XML")
+	rootCmd.Flags().StringVar(&serverConfig.IdpCaFile, "idp-ca-path", "",
+		"Optional path to a CA certificate PEM file for the IdP")
 	rootCmd.Flags().StringVar(&serverConfig.SpKeyPath, "sp-key-path", "saml-auth-proxy.key", "Path to the X509 private key PEM file for this SP")
 	rootCmd.Flags().StringVar(&serverConfig.SpCertPath, "sp-cert-path", "saml-auth-proxy.cert", "Path to the X509 public certificate PEM file for this SP")
 	rootCmd.Flags().StringToStringVar(&serverConfig.AttributeHeaderMappings, "attribute-header-mappings", nil,

server/server.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"github.com/crewjam/saml/samlsp"
 	"github.com/pkg/errors"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
@@ -16,6 +17,7 @@ type Config struct {
 	BaseUrl                 string
 	BackendUrl              string
 	IdpMetadataUrl          string
+	IdpCaFile               string
 	SpKeyPath               string
 	SpCertPath              string
 	NameIdHeaderMapping     string
@@ -44,12 +46,18 @@ func Start(cfg *Config) error {
 		return errors.Wrap(err, "Failed to parse base URL")
 	}
 
+	httpClient, err := setupHttpClient(cfg.IdpCaFile)
+	if err != nil {
+		return errors.Wrap(err, "Failed to setup HTTP client")
+	}
+
 	samlSP, err := samlsp.New(samlsp.Options{
 		URL:            *rootUrl,
 		Key:            keyPair.PrivateKey.(*rsa.PrivateKey),
 		Certificate:    keyPair.Leaf,
 		IDPMetadataURL: idpMetadataUrl,
 		CookieDomain:   rootUrl.Hostname(),
+		HTTPClient:     httpClient,
 	})
 	if err != nil {
 		return errors.Wrap(err, "Failed to initialize SP")
@@ -68,3 +76,32 @@ func Start(cfg *Config) error {
 	log.Printf("Serving requests for %s at %s", cfg.BaseUrl, cfg.Bind)
 	return http.ListenAndServe(cfg.Bind, nil)
 }
+
+func setupHttpClient(idpCaFile string) (*http.Client, error) {
+	if idpCaFile == "" {
+		return nil, nil
+	}
+
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	certs, err := ioutil.ReadFile(idpCaFile)
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to read IdP CA file")
+	}
+
+	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+		log.Println("INF No certs appended, using system certs only")
+	}
+
+	config := &tls.Config{
+		RootCAs: rootCAs,
+	}
+
+	tr := &http.Transport{TLSClientConfig: config}
+	client := &http.Client{Transport: tr}
+
+	return client, nil
+}