fix(saml): drop cert and key content and return path

2023-09-22 22:37:04 +08:00 · 2023-09-22 22:37:04 +08:00 · cc3e4e4dc5
parent 6349cd3910
commit cc3e4e4dc5
2 changed files with 24 additions and 16 deletions
--- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl
+++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl
@ -243,7 +243,9 @@ valid_config(Backend, #{<<"backend">> := Backend} = Config, Fun) ->
 valid_config(_, _, _) ->
    {error, invalid_config}.

-handle_backend_update_result({ok, _}, Config) ->
+handle_backend_update_result({ok, #{backend := saml} = State}, _Config) ->
+    {200, to_json(maps:without([idp_meta, sp], State))};
+handle_backend_update_result({ok, _State}, Config) ->
    {200, to_json(Config)};
 handle_backend_update_result(ok, _) ->
    204;
--- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl
+++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_saml.erl
@ -107,18 +107,17 @@ do_create(
    #{
        dashboard_addr := DashboardAddr,
        idp_metadata_url := IDPMetadataURL,
-        key := KeyPath,
-        certificate := CertPath
+        sp_sign_request := SpSignRequest,
+        sp_private_key := KeyPath,
+        sp_public_key := CertPath
    } = Config
 ) ->
    {ok, _} = application:ensure_all_started(esaml),
    BaseURL = binary_to_list(DashboardAddr) ++ "/api/v5",
-    Key = esaml_util:load_private_key(KeyPath),
-    Cert = esaml_util:load_certificate(CertPath),
    SP = esaml_sp:setup(#esaml_sp{
-        key = Key,
-        certificate = Cert,
-        sp_sign_requests = true,
+        key = maybe_load_cert_or_key(KeyPath, fun esaml_util:load_private_key/1),
+        certificate = maybe_load_cert_or_key(CertPath, fun esaml_util:load_certificate/1),
+        sp_sign_requests = SpSignRequest,
        trusted_fingerprints = [],
        consume_uri = BaseURL ++ "/sso/saml/acs",
        metadata_uri = BaseURL ++ "/sso/saml/metadata",
@ -135,7 +134,8 @@ do_create(
    }),
    try
        IdpMeta = esaml_util:load_metadata(binary_to_list(IDPMetadataURL)),
-        {ok, Config#{idp_meta => IdpMeta, sp => SP}}
+        State = Config,
+        {ok, State#{idp_meta => IdpMeta, sp => SP}}
    catch
        Kind:Error ->
            Reason = failed_to_load_metadata,
@ -202,18 +202,24 @@ do_validate_assertion(SP, DuplicateFun, Body) ->
 %%------------------------------------------------------------------------------

 -define(DIR, <<"SAML_SSO_sp_certs">>).
-define(RSA_KEYS_A, [sp_public_key, sp_private_key]).

-ensure_cert_and_key(Config) ->
+ensure_cert_and_key(#{sp_public_key := Cert, sp_private_key := Key} = Config) ->
    case
-        emqx_tls_lib:ensure_ssl_files(?DIR, Config#{enable => ture}, #{required_keys => ?RSA_KEYS_A})
+        emqx_tls_lib:ensure_ssl_files(
+            ?DIR, #{enable => ture, certfile => Cert, keyfile => Key}, #{}
+        )
    of
-        {ok, NConfig} ->
-            NConfig;
-        {error, #{which_options := [KeyPath | _]}} ->
-            error({missing_key, KeyPath})
+        {ok, #{certfile := CertPath, keyfile := KeyPath} = _NSSL} ->
+            Config#{sp_public_key => CertPath, sp_private_key => KeyPath};
+        {error, #{which_options := KeyPath}} ->
+            error({missing_key, lists:flatten(KeyPath)})
    end.

+maybe_load_cert_or_key(undefined, _) ->
+    undefined;
+maybe_load_cert_or_key(Path, Func) ->
+    Func(Path).
+
 is_msie(Headers) ->
    UA = maps:get(<<"user-agent">>, Headers, <<"">>),
    not (binary:match(UA, <<"MSIE">>) =:= nomatch).