Skip to content

[v11] Backport removal of enterprise SSO connectors #20244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
camscale wants to merge 5 commits into from
Closed

[v11] Backport removal of enterprise SSO connectors #20244

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2d4ece9
[v11] Move SAML/OIDC web handlers to enterprise repository
camscale Oct 25, 2022
7dd40a4
[v11] Remove SAML connector and tests
camscale Nov 28, 2022
00862b9
[v11] auth: Remove SAML auth web handler
camscale Dec 1, 2022
208e73f
[v11] auth: Remove the OIDC connector login logic
camscale Dec 6, 2022
a562fa6
[v11] Update enterprise submodule
camscale Jan 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion e
Open in desktop
Submodule e updated from 6915e4 to 69b08e
3 changes: 0 additions & 3 deletions fuzz/oss-fuzz-build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,6 @@ build_teleport_fuzzers() {
compile_native_go_fuzzer $TELEPORT_PREFIX/lib/services \
FuzzParserEvalBoolPredicate fuzz_parser_eval_bool_predicate

compile_native_go_fuzzer $TELEPORT_PREFIX/lib/auth \
FuzzParseSAMLInResponseTo fuzz_parse_saml_in_response_to

compile_native_go_fuzzer $TELEPORT_PREFIX/lib/restrictedsession \
FuzzParseIPSpec fuzz_parse_ip_spec

Expand Down
70 changes: 0 additions & 70 deletions lib/auth/apiserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,8 +171,6 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
srv.POST("/:version/configuration/static_tokens", srv.WithAuth(srv.setStaticTokens))

// SSO validation handlers
srv.POST("/:version/oidc/requests/validate", srv.WithAuth(srv.validateOIDCAuthCallback))
srv.POST("/:version/saml/requests/validate", srv.WithAuth(srv.validateSAMLResponse))
srv.POST("/:version/github/requests/validate", srv.WithAuth(srv.validateGithubAuthCallback))

// Audit logs AKA events
Expand Down Expand Up @@ -868,74 +866,6 @@ func (s *APIServer) getSession(auth ClientI, w http.ResponseWriter, r *http.Requ
return se, nil
}

func (s *APIServer) validateOIDCAuthCallback(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
var req *ValidateOIDCAuthCallbackReq
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
response, err := auth.ValidateOIDCAuthCallback(r.Context(), req.Query)
if err != nil {
return nil, trace.Wrap(err)
}
raw := OIDCAuthRawResponse{
Username: response.Username,
Identity: response.Identity,
Cert: response.Cert,
TLSCert: response.TLSCert,
Req: response.Req,
}
if response.Session != nil {
rawSession, err := services.MarshalWebSession(response.Session, services.WithVersion(version))
if err != nil {
return nil, trace.Wrap(err)
}
raw.Session = rawSession
}
raw.HostSigners = make([]json.RawMessage, len(response.HostSigners))
for i, ca := range response.HostSigners {
data, err := services.MarshalCertAuthority(ca, services.WithVersion(version))
if err != nil {
return nil, trace.Wrap(err)
}
raw.HostSigners[i] = data
}
return &raw, nil
}

func (s *APIServer) validateSAMLResponse(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
var req *ValidateSAMLResponseReq
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
response, err := auth.ValidateSAMLResponse(r.Context(), req.Response, req.ConnectorID)
if err != nil {
return nil, trace.Wrap(err)
}
raw := SAMLAuthRawResponse{
Username: response.Username,
Identity: response.Identity,
Cert: response.Cert,
Req: response.Req,
TLSCert: response.TLSCert,
}
if response.Session != nil {
rawSession, err := services.MarshalWebSession(response.Session, services.WithVersion(version))
if err != nil {
return nil, trace.Wrap(err)
}
raw.Session = rawSession
}
raw.HostSigners = make([]json.RawMessage, len(response.HostSigners))
for i, ca := range response.HostSigners {
data, err := services.MarshalCertAuthority(ca, services.WithVersion(version))
if err != nil {
return nil, trace.Wrap(err)
}
raw.HostSigners[i] = data
}
return &raw, nil
}

// validateGithubAuthCallbackReq is a request to validate Github OAuth2 callback
type validateGithubAuthCallbackReq struct {
// Query is the callback query string
Expand Down
16 changes: 0 additions & 16 deletions lib/auth/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,22 +292,6 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
)
}
}
// Plug in SAML auth service
sas := NewSAMLAuthService(&SAMLAuthServiceConfig{
Auth: &as,
Emitter: as.emitter,
AssertionReplayService: as.Unstable.AssertionReplayService,
})
as.SetSAMLService(sas)

oas, err := NewOIDCAuthService(&OIDCAuthServiceConfig{
Auth: &as,
Emitter: as.emitter,
})
if err != nil {
return nil, trace.Wrap(err)
}
as.SetOIDCService(oas)

return &as, nil
}
Expand Down
Loading