From cc3e4e4dc58b34da102e8291b3d78b8c4175cef0 Mon Sep 17 00:00:00 2001 From: JimMoen Date: Fri, 22 Sep 2023 22:37:04 +0800 Subject: [PATCH] fix(saml): drop cert and key content and return path --- .../src/emqx_dashboard_sso_api.erl | 4 ++- .../src/emqx_dashboard_sso_saml.erl | 36 +++++++++++-------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl index 6674db3a8..c19d2b66e 100644 --- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl +++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl @@ -243,7 +243,9 @@ valid_config(Backend, #{<<"backend">> := Backend} = Config, Fun) -> valid_config(_, _, _) -> {error, invalid_config}. -handle_backend_update_result({ok, _}, Config) -> +handle_backend_update_result({ok, #{backend := saml} = State}, _Config) -> + {200, to_json(maps:without([idp_meta, sp], State))}; +handle_backend_update_result({ok, _State}, Config) -> {200, to_json(Config)}; handle_backend_update_result(ok, _) -> 204; diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl index bceb064f6..aa9f482c1 100644 --- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl +++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl 
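Review bot: The new saml clause sanitises the returned state with a denylist, `maps:without([idp_meta, sp], State)`, so any field the backend later adds to its state (loaded key material, a cached IdP cert, session data) is exposed through the update response by default, and the generic API module now has to know which saml state keys are private. An allowlist owned by the backend is the safer shape: let the saml module export the set of user-facing keys and write `{200, to_json(maps:with(emqx_dashboard_sso_saml:public_keys(), State))}`, or have the backend return the already-sanitised view itself so this module stays backend-agnostic. Note that `_Config` still carries binary keys (`<<"backend">>` in `valid_config/3` above) while `State` uses atoms, so `maps:keys(Config)` cannot serve as that allowlist directly. The clauses of `handle_backend_update_result/2` appear to continue past the end of this hunk.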
@@ -107,18 +107,17 @@ do_create(
 #{
 dashboard_addr := DashboardAddr,
 idp_metadata_url := IDPMetadataURL,
- key := KeyPath,
- certificate := CertPath
+ sp_sign_request := SpSignRequest,
+ sp_private_key := KeyPath,
+ sp_public_key := CertPath
 } = Config
 ) ->
 {ok, _} = application:ensure_all_started(esaml),
 BaseURL = binary_to_list(DashboardAddr) ++ "/api/v5",
- Key = esaml_util:load_private_key(KeyPath),
- Cert = esaml_util:load_certificate(CertPath),
 SP = esaml_sp:setup(#esaml_sp{
- key = Key,
- certificate = Cert,
- sp_sign_requests = true,
+ key = maybe_load_cert_or_key(KeyPath, fun esaml_util:load_private_key/1),
+ certificate = maybe_load_cert_or_key(CertPath, fun esaml_util:load_certificate/1),
+ sp_sign_requests = SpSignRequest,
 trusted_fingerprints = [],
 consume_uri = BaseURL ++ "/sso/saml/acs",
 metadata_uri = BaseURL ++ "/sso/saml/metadata",
@@ -135,7 +134,8 @@ do_create(
 }),
 try
 IdpMeta = esaml_util:load_metadata(binary_to_list(IDPMetadataURL)),
- {ok, Config#{idp_meta => IdpMeta, sp => SP}}
+ State = Config,
+ {ok, State#{idp_meta => IdpMeta, sp => SP}}
 catch
 Kind:Error ->
 Reason = failed_to_load_metadata,
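Review bot: With the new head, `sp_sign_request = true` combined with an undefined `sp_private_key` is no longer rejected here: `maybe_load_cert_or_key/2` passes `undefined` straight into `#esaml_sp{key = undefined, sp_sign_requests = true}`, and `esaml_sp:setup/1` is called outside the `try` that only guards metadata loading, so whatever esaml does with that record (presumably an `error/1`) would crash the caller instead of coming back as the `{error, _}` the catch branch presumably builds. Reject the combination up front with a clause such as `do_create(#{sp_sign_request := true, sp_private_key := undefined}) -> {error, missing_sp_private_key};` (the same for `sp_public_key`), using whatever error shape the caller of `do_create/1` expects. A minor naming point: the config key is `sp_sign_request` while the esaml field is `sp_sign_requests`; one spelling would avoid confusion. `do_create/1` continues past the end of this hunk.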
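Review bot: `State = Config` on the new side is a pure alias — nothing is transformed between the two names — so either keep the previous `{ok, Config#{idp_meta => IdpMeta, sp => SP}}` or bind the parameter as `State` in the function head. It is worth a comment that the whole config map, including `sp_private_key`/`sp_public_key` (paths after `ensure_cert_and_key/1`, but whatever the caller passed otherwise), is carried into the returned state, since the API layer relies on that to decide what is safe to echo back, e.g. `%% State is Config plus the parsed IdP metadata and the esaml SP record; callers must strip idp_meta/sp before returning it`. The enclosing `do_create/1` starts before this hunk and the `catch` branch continues after it.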
@@ -202,18 +202,24 @@ do_validate_assertion(SP, DuplicateFun, Body) -> %%------------------------------------------------------------------------------ -define(DIR, <<"SAML_SSO_sp_certs">>). --define(RSA_KEYS_A, [sp_public_key, sp_private_key]). -ensure_cert_and_key(Config) -> +ensure_cert_and_key(#{sp_public_key := Cert, sp_private_key := Key} = Config) -> case - emqx_tls_lib:ensure_ssl_files(?DIR, Config#{enable => ture}, #{required_keys => ?RSA_KEYS_A}) + emqx_tls_lib:ensure_ssl_files( + ?DIR, #{enable => ture, certfile => Cert, keyfile => Key}, #{} + ) of - {ok, NConfig} -> - NConfig; - {error, #{which_options := [KeyPath | _]}} -> - error({missing_key, KeyPath}) + {ok, #{certfile := CertPath, keyfile := KeyPath} = _NSSL} -> + Config#{sp_public_key => CertPath, sp_private_key => KeyPath}; + {error, #{which_options := KeyPath}} -> + error({missing_key, lists:flatten(KeyPath)}) end. +maybe_load_cert_or_key(undefined, _) -> + undefined; +maybe_load_cert_or_key(Path, Func) -> + Func(Path). + is_msie(Headers) -> UA = maps:get(<<"user-agent">>, Headers, <<"">>), not (binary:match(UA, <<"MSIE">>) =:= nomatch).
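Review bot: The rewritten `emqx_tls_lib:ensure_ssl_files/3` call still passes `enable => ture` — the atom `ture`, not `true` — carried over from the removed line even though the commit rewrites that call; whether it works today depends on how `ensure_ssl_files/3` treats an `enable` value that is neither `true` nor `false`, and if it only short-circuits on false the typo is harmless by accident only. Write `?DIR, #{enable => true, certfile => Cert, keyfile => Key}, #{}`. A second point: the new head `ensure_cert_and_key(#{sp_public_key := Cert, sp_private_key := Key} = Config)` raises `function_clause` when either key is absent from the map, while `maybe_load_cert_or_key/2` in the same hunk deliberately accepts `undefined`; if the schema can omit these keys rather than defaulting them to `undefined`, fetch them with `maps:get(sp_public_key, Config, undefined)` instead. `maybe_load_cert_or_key/2` would also benefit from a one-line comment, e.g. `%% Key/cert are optional when the SP does not sign requests; undefined is passed through untouched`.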