feat(api): SSO landing page

2021-12-03 12:48:13 +01:00 · 2021-12-03 12:48:13 +01:00 · 5ebfd8ae6a
commit 5ebfd8ae6a
parent c97c1ada29
4 changed files with 19 additions and 13 deletions
--- a/ee/api/.chalice/config.json
+++ b/ee/api/.chalice/config.json
@ -62,6 +62,8 @@
        "idp_x509cert": "",
        "idp_sls_url": "",
        "idp_name": "",
+        "sso_exp_delta_seconds": "86400",
+        "sso_landing": "/login?jwt=%s",
        "invitation_link": "/api/users/invitation?token=%s",
        "change_password_link": "/reset-password?invitation=%s&&pass=%s",
        "iosBucket": "openreplay-ios-images",
--- a/ee/api/chalicelib/blueprints/bp_saml.py
+++ b/ee/api/chalicelib/blueprints/bp_saml.py
@ -31,7 +31,6 @@ def start_sso():
 def process_sso_assertion():
    req = prepare_request(request=app.current_request)
    session = req["cookie"]["session"]
-    request = req['request']
    auth = init_saml_auth(req)

    request_id = None
@ -80,16 +79,21 @@ def process_sso_assertion():
            users.update(tenant_id=t['tenantId'], user_id=existing["id"],
                         changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id})
    expiration = auth.get_session_expiration()
-    print("TTL:")
-    print(auth.get_session_expiration())
-    return users.authenticate_sso(email=email, internal_id=internal_id, exp=expiration)
+    expiration = expiration if expiration is not None and expiration > 10 * 60 \
+        else int(environ.get("sso_exp_delta_seconds", 24 * 60 * 60))
+    jwt = users.authenticate_sso(email=email, internal_id=internal_id, exp=expiration)
+    if jwt is None:
+        return {"errors": ["null JWT"]}
+    return Response(
+        status_code=307,
+        body='',
+        headers={'Location': SAML2_helper.get_landing_URL(jwt), 'Content-Type': 'text/plain'})


@app.route('/sso/saml2/sls', methods=['GET'], authorizer=None)
 def process_sls_assertion():
    req = prepare_request(request=app.current_request)
    session = req["cookie"]["session"]
-    request = req['request']
    auth = init_saml_auth(req)
    request_id = None
    if 'LogoutRequestID' in session:
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@ -690,14 +690,10 @@ def authenticate_sso(email, internal_id, exp=None):
                   RETURNING jwt_iat;""",
                {"user_id": r["id"]})
            cur.execute(query)
-            return {
-                "jwt": authorizers.generate_jwt(r['id'], r['tenantId'],
-                                                TimeUTC.datetime_to_timestamp(cur.fetchone()["jwt_iat"]),
-                                                aud=f"front:{helper.get_stage_name()}",
-                                                exp=exp),
-                "email": email,
-                **r
-            }
+            return authorizers.generate_jwt(r['id'], r['tenantId'],
+                                            TimeUTC.datetime_to_timestamp(cur.fetchone()["jwt_iat"]),
+                                            aud=f"front:{helper.get_stage_name()}",
+                                            exp=exp)
    return None


--- a/ee/api/chalicelib/utils/SAML2_helper.py
+++ b/ee/api/chalicelib/utils/SAML2_helper.py
@ -107,3 +107,7 @@ def is_saml2_available():
 def get_saml2_provider():
    return environ.get("idp_name", "saml2") if is_saml2_available() and len(
        environ.get("idp_name", "saml2")) > 0 else None
+
+
+def get_landing_URL(jwt):
+    return environ["SITE_URL"] + environ.get("sso_landing", "/login?jwt=%s") % jwt