From b73c9ae4cbbbbcc39181d7fb8eb11632e1e501d0 Mon Sep 17 00:00:00 2001 From: Heitor Danilo Date: Thu, 28 Nov 2024 14:35:33 -0300 Subject: [PATCH] wip --- api/services/system.go | 2 - gateway/nginx/conf.d/shellhub.conf | 9 ++++ pkg/models/system.go | 77 +++++++++++++----------------- 3 files changed, 41 insertions(+), 47 deletions(-) diff --git a/api/services/system.go b/api/services/system.go index 17e65389f3b..c7644919ab1 100644 --- a/api/services/system.go +++ b/api/services/system.go @@ -40,8 +40,6 @@ func (s *service) SystemGetInfo(ctx context.Context, req requests.SystemGetInfo) system.Endpoints.API = req.Host } - system.SAML.GetAuthURL() - return system, nil } diff --git a/gateway/nginx/conf.d/shellhub.conf b/gateway/nginx/conf.d/shellhub.conf index 23927c0a63d..ebf407252c7 100644 --- a/gateway/nginx/conf.d/shellhub.conf +++ b/gateway/nginx/conf.d/shellhub.conf @@ -454,6 +454,15 @@ server { proxy_pass http://upstream_router; } + location /api/saml/acs { + {{ set_upstream "cloud-api" 8080 }} + + auth_request off; + proxy_set_header X-Real-IP $x_real_ip; + proxy_set_header X-Forwarded-Host $host; + proxy_pass http://upstream_router; + } + location /api/register { {{ set_upstream "cloud-api" 8080 }} diff --git a/pkg/models/system.go b/pkg/models/system.go index 862f61698ed..9761b991c1e 100644 --- a/pkg/models/system.go +++ b/pkg/models/system.go 
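Review bot: `auth_request off` on the new `/api/saml/acs` location turns it into an unauthenticated, IdP-facing route, which an assertion consumer service needs, but the location neither restricts the HTTP method nor records why the gate is off. The SAML HTTP-POST binding only needs POST, so `limit_except POST { deny all; }` would shrink the exposed surface, and a one-line comment such as `# ACS: the IdP posts the SAML response here, so the auth gate must stay off` documents the intent. The location forwards only X-Real-IP and X-Forwarded-Host; if the upstream rebuilds its own ACS URL to check the response's Destination it will presumably also need `proxy_set_header X-Forwarded-Proto $scheme;` — confirm against the handler.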
@@ -1,19 +1,13 @@ package models -import ( - "crypto/x509" - "encoding/base64" - - saml2 "github.com/russellhaering/gosaml2" - dsig "github.com/russellhaering/goxmldsig" -) - type System struct { - Version string `json:"version"` - Endpoints *SystemEndpoints `json:"endpoints"` - Setup bool `json:"setup" bson:"setup"` - AllowManualSignin bool `json:"allow_manual_signin" bson:"allow_manual_signin"` - SAML *SystemSAML `json:"sso" bson:"sso"` + Version string `json:"version"` + Endpoints *SystemEndpoints `json:"endpoints"` + Setup bool `json:"setup" bson:"setup"` + // Authentication manages the settings for available authentication methods, such as manual + // username/password authentication and SAML authentication. Each authentication method + // can be individually enabled or disabled. + Authentication *SystemAuthentication `json:"authentication" bson:"authentication"` } type SystemEndpoints struct { 
@@ -21,41 +15,34 @@ type SystemEndpoints struct { SSH string `json:"ssh"` } -type SystemSAML struct { - Enabled bool `json:"enabled" bson:"enabled"` - AuthURL string `json:"auth_url" bson:"-"` - IdpEntityID string `json:"-" bson:"idp_entity_id"` - IdpSignonLocation string `json:"-" bson:"idp_signon_location"` - IdpLogoutLocation string `json:"-" bson:"idp_logout_location"` - IdpCertificate string `json:"-" bson:"idp_certificate"` +type SystemAuthentication struct { + // Manual indicates whether manual authentication using a username and password is enabled or + // not. + Manual bool `json:"manual" bson:"manual"` + // SAML contains the configuration settings for SAML authentication. [SAML.Enabled] indicates + // whether SAML authentication is enabled or not. + SAML *SystemSAML `json:"saml" bson:"saml"` } -func (s *SystemSAML) decodeCertificate() *dsig.MemoryX509CertificateStore { - certData, err := base64.StdEncoding.DecodeString(s.IdpCertificate) - if err != nil { - panic(err) - } - - idpCert, err := x509.ParseCertificate(certData) - if err != nil { - panic(err) - } - - certStore := new(dsig.MemoryX509CertificateStore) - certStore.Roots = append(certStore.Roots, idpCert) - - return certStore +type SystemSAML struct { + // Enabled indicates whether SAML authentication is enabled. 
+ Enabled bool `json:"enabled" bson:"enabled"` + Idp *SystemIdpSAML `json:"-" bson:"idp"` + Sp *SystemSpSAML `json:"-" bson:"sp"` } -func (s *SystemSAML) GetAuthURL() { - sp := &saml2.SAMLServiceProvider{ - IdentityProviderSSOURL: s.IdpSignonLocation, - IdentityProviderIssuer: s.IdpEntityID, - AssertionConsumerServiceURL: "http://localhost:3334/v1/_saml_callback", - SignAuthnRequests: true, - IDPCertificateStore: s.decodeCertificate(), - SPKeyStore: dsig.RandomKeyStoreForTest(), - } +type SystemIdpSAML struct { + EntityID string `json:"-" bson:"entity_id"` + SignonURL string `json:"-" bson:"signon_url"` + // Certificate is the IdP's X.509 certificate used to validate the authenticity of SAML assertions. + Certificate string `json:"-" bson:"certificate"` +} - s.AuthURL, _ = sp.BuildAuthURL("") +type SystemSpSAML struct { + // Certificate is the SP X.509 certificate used to enable mutual verification + // between the SP and IdP. The IdP uses this certificate to validate that authentication requests + // are signed by the SP, it also disable the "IdP-initiated" login flows. + // + // If this field is empty, the mutual verification behavior is disabled. + Certificate string `json:"-" bson:"certificate"` }
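Review bot: The doc comment on `SystemSpSAML.Certificate` states that signing requests `also disable the "IdP-initiated" login flows`, but signing AuthnRequests by itself does not stop an IdP from sending an unsolicited response; that depends on the SP rejecting responses whose InResponseTo does not match a request it issued, which is outside this model. Suggest rewording to `// When set, the SP signs its AuthnRequests with the matching key and the IdP verifies them; rejecting unsolicited (IdP-initiated) responses is a separate check in the SP.`. Both `Certificate` fields also leave the string encoding unspecified, while the removed `decodeCertificate` expected base64-encoded DER, so the comment should say which encoding the stored value uses, e.g. `// Certificate is the IdP's X.509 certificate (base64-encoded DER) used to validate the authenticity of SAML assertions.` — confirm against the code that now consumes it. `EntityID` and `SignonURL` have no doc comments; `// SignonURL is the IdP's single sign-on endpoint that AuthnRequests are sent to.` would do for the latter.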