initial commit

.air.toml

@@ -0,0 +1,51 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = "tmp"
+
+[build]
+  args_bin = []
+  bin = "./tmp/main"
+  cmd = "go build -o ./tmp/main ."
+  delay = 1000
+  exclude_dir = ["assets", "tmp", "vendor", "testdata"]
+  exclude_file = []
+  exclude_regex = ["_test.go"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = ""
+  include_dir = []
+  include_ext = ["go", "tpl", "tmpl", "html"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  post_cmd = []
+  pre_cmd = []
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  time = false
+
+[misc]
+  clean_on_exit = false
+
+[proxy]
+  app_port = 0
+  enabled = false
+  proxy_port = 0
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true

.github/workflows/go.yaml

@@ -0,0 +1,29 @@
+name: Go
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+
+      - name: Build
+        run: go build .
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6

.gitignore

@@ -0,0 +1,3 @@
+/keys
+/tmp
+/tlskeys

.golangci.yml

@@ -0,0 +1,3 @@
+linters:
+  enable:
+    - gofmt

.vscode/extensions.json

@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "golang.go"
+    ]
+}

Dockerfile

@@ -0,0 +1,14 @@
+FROM golang:1.23.2-alpine
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY auth_provider.go main.go saml_auth_provider.go tls_certs.go /app
+RUN go build -o main .
+
+FROM alpine:latest
+WORKDIR /app
+COPY --from=0 /app/main main
+COPY keys/sp-cert.pem keys/sp-cert.pem
+COPY keys/sp-key.pem keys/sp-key.pem
+ENV ENV=prod
+CMD ["/app/main"]

Dockerfile.dev

@@ -0,0 +1,12 @@
+FROM golang:1.23.2-alpine
+
+WORKDIR /app
+
+RUN go install github.com/air-verse/air@latest
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . /app
+
+CMD ["air", "-c", ".air.toml"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Cyber Security Club @ tOSU
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,54 @@
+# Auth
+
+This is an auth platform and discord bot that interacts with SAML as a single binary, without Shibboleth or Nginx.
+
+## Development
+
+By default, the SAML provider is mocked out, so it is possible to develop without Service Provider secrets. Just run:
+
+```
+docker compose up --watch --build --remove-orphans
+```
+
+This will start a local server at http://localhost:3000
+
+You will also want to install `gopls` for the language server in your IDE.
+
+## Development with SAML
+
+The certificate for our current credentials will expire `May 4 20:08:05 2031 GMT`, at which point it will need to be renewed.
+
+To develop with SAML credentials, put the Service Provider keys into `keys/sp-cert.pem` and `keys/sp-key.pem`. Then run:
+
+```
+docker compose -f docker-compose-saml.yaml up --watch --build --remove-orphans
+```
+
+This will start a local server at https://test-auth.osucyber.club. It will generate a self signed certificate for local https.
+
+## How does it work?
+
+Read this for specific details on OSU's SSO: https://webauth.service.ohio-state.edu/~shibboleth/index.html
+
+In summary:
+
+The OSU authentication system uses SAML2, like many other universities. This means that OSU runs an Identity Provider (IdP), which stores user data (like `Name.#`, email, and `BuckID`). Third parties can interact with the IdP by becoming a Service Provider (SP), think Schedule Planner. The OSU Cyber Security Club also has been granted private keys to be an SP at 2 hosts: `https://auth-test.osucyber.club` and `https://auth.osucyber.club`. We've configured DNS to point `auth-test.osucyber.club` to `127.0.0.1` for local testing, and it still requires self signed certificates. `https://auth.osucyber.club` is the public, production web server.
+
+Here are some other important facts about our setup in particular:
+- Our registered entity ID is `https://auth.osucyber.club/shibboleth`
+- Shibboleth assertions will be sent to our `/Shibboleth.sso/` and below (for example `/Shibboleth.sso/SAML2/POST`)
+
+The recommended way to actually use those keys as an SP is using [Shibboleth](https://shibboleth.net). Shibboleth was primarily developed in 2004 by an OSU employee and integrates nicely into Apache and IIS. But, it is kind of a nightmare. OSUCyber's former auth system, modelled after [sigpwny's auth system](https://github.com/sigpwny/sigpwny-shibboleth-auth) dockerized the process, which works this way:
+
+There are 2 containers side-by-side:
+- Shibboleth
+  - Shibboleth's 3 processes, `shibd`, `shibauthorizer`, and `shibresponder`
+    - Configured with `OSU-attribute-policy.xml`, `OSU-metadata.cer`, `shibboleth2.xml`, `attribute-map.xml`, `sessionError.html`
+  - Nginx
+    - Using [a plugin to interact with Shibboleth](https://github.com/nginx-shib/nginx-http-shibboleth)
+    - Configured `/login` endpoint to be restricted by Shibboleth authentication, using redirects to sign in. Then once it is successful, it sets trusted HTTP headers like `Employeenumber` and `Displayname`. This is how the webapp will receive information about the OSU user.
+- Webapp
+  - Whatever webapp you want to write
+  - Has a `/login` which reads from the trusted HTTP headers set by Nginx. Then the app can put it in its own database, or however it wants to handle it.
+
+However, updating any of the Shibboleth/Nginx stuff is really scary. Instead, it is possible to just use a SAML2 library to be an SP, all in one single place. That is what this repository is. We use [`crewjam/saml`](https://github.com/crewjam/saml) to handle being an SP in golang, and then build the rest of the auth app around it. It requires picking out only the important parts of the `shibboleth2.xml`, and makes significantly easier to read.

auth_provider.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"context"
+	"net/http"
+)
+
+// Full list of attributes is here:
+// https://webauth.service.ohio-state.edu/~shibboleth/user-attribute-reference.html (https://archive.is/H9bOB)
+//
+// Note that OSUCyber is only authorized for a subset of these attributes. As of 2024-10-23, this is:
+// sn, IDMUID, displayName, eduPersonScopedAffiliation, employeeNumber, givenName, mail, SessionIndex, eduPersonPrincipalName
+type OSUAttributes struct {
+	// This attribute is `sn` in the OSU Shibboleth user attribute reference.
+	Surname string
+	// This attribute is `IDM ID` in the OSU Shibboleth user attribute reference.
+	IDMUID string
+	// This attribute is `displayName` in the OSU Shibboleth user attribute reference.
+	DisplayName string
+	// This attribute is `eduPersonScopedAffiliation` in the OSU Shibboleth user attribute reference.
+	Affiliations []string
+	// This attribute is `employeeNumber` in the OSU Shibboleth user attribute reference.
+	BuckID string
+	// This attribute is `givenName` in the OSU Shibboleth user attribute reference.
+	GivenName string
+	// This attribute is `mail` in the OSU Shibboleth user attribute reference.
+	Email string
+	// This attribute is `SessionIndex` in the OSU Shibboleth user attribute reference.
+	SessionIndex string
+}
+
+type AuthProvider interface {
+	attributesFromContext(ctx context.Context) *OSUAttributes
+	requireAuth(handler http.Handler) http.Handler
+	globalLogout(w http.ResponseWriter, r *http.Request)
+}
+
+type MockAuthProvider struct{}
+
+func (m MockAuthProvider) attributesFromContext(ctx context.Context) *OSUAttributes {
+	return &OSUAttributes{
+		GivenName:    "Brutus",
+		Surname:      "Buckeye",
+		DisplayName:  "Brutus Buckeye",
+		BuckID:       "500123456",
+		IDMUID:       "IDM123456789",
+		Email:        "[email protected]",
+		Affiliations: []string{"[email protected]", "[email protected]"},
+		SessionIndex: "_0123456789abcdef01234566890abcde",
+	}
+}
+
+func (m MockAuthProvider) requireAuth(handler http.Handler) http.Handler {
+	return handler
+}
+
+func (m MockAuthProvider) globalLogout(w http.ResponseWriter, r *http.Request) {
+	w.Header().Add("Location", "https://webauth.service.ohio-state.edu/cgi-bin/logout.cgi")
+	w.WriteHeader(http.StatusFound)
+}
+
+func mockAuthProvider() *MockAuthProvider {
+	return &MockAuthProvider{}
+}

docker-compose-saml.yaml

@@ -0,0 +1,24 @@
+services:
+  auth:
+    ports:
+      - 443:443
+    build:
+      dockerfile: Dockerfile.dev
+    command: air
+    volumes:
+      - ./keys:/app/keys
+      - ./tlskeys:/app/tlskeys
+    environment:
+      - ENV=saml
+    develop:
+      watch:
+        - action: sync
+          path: .
+          target: /app
+          ignore:
+            - tlskeys
+            - .git/
+        - action: rebuild
+          path: go.mod
+        - action: rebuild
+          path: go.sum

docker-compose.yaml

@@ -0,0 +1,18 @@
+services:
+  auth:
+    ports:
+      - 3000:3000
+    build:
+      dockerfile: Dockerfile.dev
+    command: air
+    develop:
+      watch:
+        - action: sync
+          path: .
+          target: /app
+          ignore:
+            - .git/
+        - action: rebuild
+          path: go.mod
+        - action: rebuild
+          path: go.sum