dani-garcia · pinpox · Oct 4, 2022 · ghost · May 18, 2022 · BlackDex
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -138,6 +138,10 @@ pico-args = "0.5.0"
 paste = "1.0.9"
 governor = "0.5.0"
 
+# OIDC SSo
+openidconnect = "2.3.2"
+
+
 # Capture CTRL+C
 ctrlc = { version = "3.2.3", features = ["termination"] }
 

diff --git a/migrations/mysql/2021-09-16-133000_add_sso/down.sql b/migrations/mysql/2021-09-16-133000_add_sso/down.sql
@@ -0,0 +1,2 @@
+DROP TABLE sso_nonce;
+DROP TABLE sso_config;
diff --git a/migrations/mysql/2021-09-16-133000_add_sso/up.sql b/migrations/mysql/2021-09-16-133000_add_sso/up.sql
@@ -0,0 +1,18 @@
+ALTER TABLE organizations ADD COLUMN identifier TEXT;
+
+CREATE TABLE sso_nonce (
+  uuid     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  nonce    CHAR(36) NOT NULL
+);
+
+CREATE TABLE sso_config (
+  uuid                     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid                 CHAR(36) NOT NULL REFERENCES organizations(uuid),
+  use_sso                  BOOLEAN NOT NULL,
+  callback_path            TEXT NOT NULL,
+  signed_out_callback_path TEXT NOT NULL,
+  authority                TEXT,
+  client_id                TEXT,
+  client_secret            TEXT
+);
diff --git a/migrations/postgresql/2021-09-16-133000_add_sso/down.sql b/migrations/postgresql/2021-09-16-133000_add_sso/down.sql
@@ -0,0 +1,2 @@
+DROP TABLE sso_nonce;
+DROP TABLE sso_config;
diff --git a/migrations/postgresql/2021-09-16-133000_add_sso/up.sql b/migrations/postgresql/2021-09-16-133000_add_sso/up.sql
@@ -0,0 +1,18 @@
+ALTER TABLE organizations ADD COLUMN identifier TEXT;
+
+CREATE TABLE sso_nonce (
+  uuid     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  nonce    CHAR(36) NOT NULL
+);
+
+CREATE TABLE sso_config (
+  uuid                     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid                 CHAR(36) NOT NULL REFERENCES organizations(uuid),
+  use_sso                  BOOLEAN NOT NULL,
+  callback_path            TEXT NOT NULL,
+  signed_out_callback_path TEXT NOT NULL,
+  authority                TEXT,
+  client_id                TEXT,
+  client_secret            TEXT
+);
diff --git a/migrations/sqlite/2021-09-16-133000_add_sso/down.sql b/migrations/sqlite/2021-09-16-133000_add_sso/down.sql
@@ -0,0 +1,2 @@
+DROP TABLE sso_nonce;
+DROP TABLE sso_config;
diff --git a/migrations/sqlite/2021-09-16-133000_add_sso/up.sql b/migrations/sqlite/2021-09-16-133000_add_sso/up.sql
@@ -0,0 +1,18 @@
+ALTER TABLE organizations ADD COLUMN identifier TEXT;
+
+CREATE TABLE sso_nonce (
+  uuid     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  nonce    CHAR(36) NOT NULL
+);
+
+CREATE TABLE sso_config (
+  uuid                     CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid                 CHAR(36) NOT NULL REFERENCES organizations(uuid),
+  use_sso                  BOOLEAN NOT NULL,
+  callback_path            TEXT NOT NULL,
+  signed_out_callback_path TEXT NOT NULL,
+  authority                TEXT,
+  client_id                TEXT,
+  client_secret            TEXT
+);
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -31,6 +31,8 @@ pub fn routes() -> Vec<Route> {
         put_collection_users,
         put_organization,
         post_organization,
+        get_organization_sso,
+        put_organization_sso,
         post_organization_collections,
         delete_organization_collection_user,
         post_organization_collection_delete_user,
@@ -92,6 +94,14 @@ struct OrgData {
 struct OrganizationUpdateData {
     BillingEmail: String,
     Name: String,
+    Identifier: Option<String>,
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct OrganizationSsoUpdateData {
+    Enabled: Option<bool>,
+    Data: Option<SsoOrganizationData>,
 }
 
 #[derive(Deserialize, Debug)]
@@ -100,6 +110,45 @@ struct NewCollectionData {
     Name: String,
 }
 
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct SsoOrganizationData {
+    // authority: Option<String>,
+    // clientId: Option<String>,
+    // clientSecret: Option<String>,
+    AcrValues: Option<String>,
+    AdditionalEmailClaimTypes: Option<String>,
+    AdditionalNameClaimTypes: Option<String>,
+    AdditionalScopes: Option<String>,
+    AdditionalUserIdClaimTypes: Option<String>,
+    Authority: Option<String>,
+    ClientId: Option<String>,
+    ClientSecret: Option<String>,
+    ConfigType: Option<String>,
+    ExpectedReturnAcrValue: Option<String>,
+    GetClaimsFromUserInfoEndpoint: Option<bool>,
+    IdpAllowUnsolicitedAuthnResponse: Option<bool>,
+    IdpArtifactResolutionServiceUrl: Option<String>,
+    IdpBindingType: Option<u8>,
+    IdpDisableOutboundLogoutRequests: Option<bool>,
+    IdpEntityId: Option<String>,
+    IdpOutboundSigningAlgorithm: Option<String>,
+    IdpSingleLogoutServiceUrl: Option<String>,
+    IdpSingleSignOnServiceUrl: Option<String>,
+    IdpWantAuthnRequestsSigned: Option<bool>,
+    IdpX509PublicCert: Option<String>,
+    KeyConnectorUrlY: Option<String>,
+    KeyConnectorEnabled: Option<bool>,
+    MetadataAddress: Option<String>,
+    RedirectBehavior: Option<String>,
+    SpMinIncomingSigningAlgorithm: Option<String>,
+    SpNameIdFormat: Option<u8>,
+    SpOutboundSigningAlgorithm: Option<String>,
+    SpSigningBehavior: Option<u8>,
+    SpValidateCertificates: Option<bool>,
+    SpWantAssertionsSigned: Option<bool>,
+}
+
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct OrgKeyData {
@@ -134,6 +183,7 @@ async fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn:
 
     let org = Organization::new(data.Name, data.BillingEmail, private_key, public_key);
     let mut user_org = UserOrganization::new(headers.user.uuid, org.uuid.clone());
+    let sso_config = SsoConfig::new(org.uuid.clone());
     let collection = Collection::new(org.uuid.clone(), data.CollectionName);
 
     user_org.akey = data.Key;
@@ -143,6 +193,7 @@ async fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn:
 
     org.save(&conn).await?;
     user_org.save(&conn).await?;
+    sso_config.save(&conn).await?;
     collection.save(&conn).await?;
 
     Ok(Json(org.to_json()))
@@ -228,11 +279,54 @@ async fn post_organization(
 
     org.name = data.Name;
     org.billing_email = data.BillingEmail;
+    org.identifier = data.Identifier;
 
     org.save(&conn).await?;
     Ok(Json(org.to_json()))
 }
 
+#[get("/organizations/<org_id>/sso")]
+async fn get_organization_sso(org_id: String, _headers: OwnerHeaders, conn: DbConn) -> JsonResult {
+    match SsoConfig::find_by_org(&org_id, &conn).await {
+        Some(sso_config) => {
+            let config_json = Json(sso_config.to_json());
+            Ok(config_json)
+        }
+        None => err!("Can't find organization sso config"),
+    }
+}
+
+#[post("/organizations/<org_id>/sso", data = "<data>")]
+async fn put_organization_sso(
+    org_id: String,
+    _headers: OwnerHeaders,
+    data: JsonUpcase<OrganizationSsoUpdateData>,
+    conn: DbConn,
+) -> JsonResult {
+    let p: OrganizationSsoUpdateData = data.into_inner().data;
+    let d: SsoOrganizationData = p.Data.unwrap();
+
+    let mut sso_config = match SsoConfig::find_by_org(&org_id, &conn).await {
+        Some(sso_config) => sso_config,
+        None => SsoConfig::new(org_id),
+    };
+
+    sso_config.use_sso = p.Enabled.unwrap_or_default();
+
+    // let sso_config_data = data.Data.unwrap();
+
+    // TODO use real values
+    sso_config.callback_path = "http://localhost:8000/#/sso".to_string(); //data.CallbackPath;
+    sso_config.signed_out_callback_path = "http://localhost:8000/#/sso".to_string(); //data2.Data.unwrap().call
+
+    sso_config.authority = d.Authority;
+    sso_config.client_id = d.ClientId;
+    sso_config.client_secret = d.ClientSecret;
+
+    sso_config.save(&conn).await?;
+    Ok(Json(sso_config.to_json()))
+}
+
 // GET /api/collections?writeOnly=false
 #[get("/collections")]
 async fn get_user_collections(headers: Headers, conn: DbConn) -> Json<Value> {