Persist signing cert and key in database and allow custom

Author: mraerino

api/external.go

@@ -277,7 +277,7 @@ func (a *API) Provider(ctx context.Context, name string) (provider.Provider, err
 	case "facebook":
 		return provider.NewFacebookProvider(config.External.Facebook)
 	case "saml":
-		return provider.NewSamlProvider(config.External.Saml)
+		return provider.NewSamlProvider(config.External.Saml, a.db, getInstanceID(ctx))
 	default:
 		return nil, fmt.Errorf("Provider %s could not be found", name)
 	}

api/external_saml.go

@@ -22,7 +22,7 @@ func (a *API) loadSAMLState(w http.ResponseWriter, r *http.Request) (context.Con
 func (a *API) samlCallback(r *http.Request, ctx context.Context) (*provider.UserProvidedData, error) {
 	config := a.getConfig(ctx)
 
-	samlProvider, err := provider.NewSamlProvider(config.External.Saml)
+	samlProvider, err := provider.NewSamlProvider(config.External.Saml, a.db, getInstanceID(ctx))
 	if err != nil {
 		return nil, badRequestError("Could not initialize SAML provider: %+v", err).WithInternalError(err)
 	}
@@ -59,7 +59,7 @@ func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	config := getConfig(ctx)
 
-	samlProvider, err := provider.NewSamlProvider(config.External.Saml)
+	samlProvider, err := provider.NewSamlProvider(config.External.Saml, a.db, getInstanceID(ctx))
 	if err != nil {
 		return internalServerError("Could not create SAML Provider: %+v", err).WithInternalError(err)
 	}

api/provider/saml.go

@@ -1,27 +1,47 @@
 package provider
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"encoding/xml"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"math/big"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
+
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
 
 	"github.com/netlify/gotrue/conf"
 	saml2 "github.com/russellhaering/gosaml2"
 	"github.com/russellhaering/gosaml2/types"
 	dsig "github.com/russellhaering/goxmldsig"
+	uuid "github.com/satori/go.uuid"
 	"golang.org/x/oauth2"
 )
 
 type SamlProvider struct {
 	ServiceProvider *saml2.SAMLServiceProvider
 }
 
+type SamlCertCreation struct {
+	instanceId uuid.UUID
+	db         *storage.Connection
+}
+
+type MemoryX509KeyStore struct {
+	privateKey *rsa.PrivateKey
+	cert       []byte
+}
+
 func getMetadata(url string) (*types.EntityDescriptor, error) {
 	res, err := http.Get(url)
 	if err != nil {
@@ -45,7 +65,7 @@ func getMetadata(url string) (*types.EntityDescriptor, error) {
 }
 
 // NewSamlProvider creates a Saml account provider.
-func NewSamlProvider(ext conf.SamlProviderConfiguration) (*SamlProvider, error) {
+func NewSamlProvider(ext conf.SamlProviderConfiguration, db *storage.Connection, instanceId uuid.UUID) (*SamlProvider, error) {
 	if !ext.Enabled {
 		return nil, errors.New("SAML Provider is not enabled")
 	}
@@ -100,8 +120,15 @@ func NewSamlProvider(ext conf.SamlProviderConfiguration) (*SamlProvider, error)
 		}
 	}
 
-	// TODO: generate keys once, save them in the database and use here
-	randomKeyStore := dsig.RandomKeyStoreForTest()
+	certCreation := &SamlCertCreation{
+		instanceId: instanceId,
+		db:         db,
+	}
+
+	err, keyStore := certCreation.PrepareKeystore(ext)
+	if err != nil {
+		return nil, err
+	}
 
 	sp := &saml2.SAMLServiceProvider{
 		IdentityProviderSSOURL:      ssoService.Location,
@@ -111,7 +138,7 @@ func NewSamlProvider(ext conf.SamlProviderConfiguration) (*SamlProvider, error)
 		SignAuthnRequests:           true,
 		AudienceURI:                 baseURI.String() + "/saml",
 		IDPCertificateStore:         &certStore,
-		SPKeyStore:                  randomKeyStore,
+		SPKeyStore:                  keyStore,
 		AllowMissingAttributes:      true,
 	}
 
@@ -142,3 +169,105 @@ func (p SamlProvider) SPMetadata() ([]byte, error) {
 
 	return rawMetadata, nil
 }
+
+func (s SamlCertCreation) PrepareKeystore(conf conf.SamlProviderConfiguration) (error, dsig.X509KeyStore) {
+	if conf.SigningCert == "" && conf.SigningKey == "" {
+		return s.CreateSigningCert()
+	}
+
+	keyPair, err := tls.X509KeyPair([]byte(conf.SigningCert), []byte(conf.SigningKey))
+	if err != nil {
+		return fmt.Errorf("Parsing key pair failed: %+v", err), nil
+	}
+
+	var privKey *rsa.PrivateKey
+	switch key := keyPair.PrivateKey.(type) {
+	case *rsa.PrivateKey:
+		privKey = key
+	default:
+		return errors.New("Private key is not an RSA key"), nil
+	}
+
+	return nil, &MemoryX509KeyStore{
+		privateKey: privKey,
+		cert:       keyPair.Certificate[0],
+	}
+}
+
+func (s SamlCertCreation) CreateSigningCert() (error, dsig.X509KeyStore) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err, nil
+	}
+
+	currentTime := time.Now()
+
+	certBody := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		NotBefore:    currentTime.Add(-5 * time.Minute),
+		NotAfter:     currentTime.Add(365 * 24 * time.Hour),
+
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{},
+		BasicConstraintsValid: true,
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, certBody, certBody, &key.PublicKey, key)
+	if err != nil {
+		return fmt.Errorf("Failed to create certificate: %+v", err), nil
+	}
+
+	if err := s.SaveConfig(cert, key); err != nil {
+		return fmt.Errorf("Saving signing keypair failed: %+v", err), nil
+	}
+
+	return nil, &MemoryX509KeyStore{
+		privateKey: key,
+		cert:       cert,
+	}
+}
+
+func (s SamlCertCreation) SaveConfig(cert []byte, key *rsa.PrivateKey) error {
+	if uuid.Equal(s.instanceId, uuid.Nil) {
+		return nil
+	}
+
+	pemCert := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert,
+	}
+
+	certBytes := pem.EncodeToMemory(pemCert)
+	if certBytes == nil {
+		return errors.New("Could not encode certificate")
+	}
+
+	pemKey := &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+
+	keyBytes := pem.EncodeToMemory(pemKey)
+	if keyBytes == nil {
+		return errors.New("Could not encode key")
+	}
+
+	instance, err := models.GetInstance(s.db, s.instanceId)
+	if err != nil {
+		return err
+	}
+
+	conf := instance.BaseConfig
+	conf.External.Saml.SigningCert = string(certBytes)
+	conf.External.Saml.SigningKey = string(keyBytes)
+
+	if err := instance.UpdateConfig(s.db, conf); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (ks *MemoryX509KeyStore) GetKeyPair() (*rsa.PrivateKey, []byte, error) {
+	return ks.privateKey, ks.cert, nil
+}

conf/configuration.go

@@ -30,6 +30,8 @@ type SamlProviderConfiguration struct {
 	MetadataURL string `json:"metadata_url" envconfig:"METADATA_URL"`
 	APIBase     string `json:"api_base" envconfig:"API_BASE"`
 	Name        string `json:"name"`
+	SigningCert string `json:"signing_cert" envconfig:"SIGNING_CERT"`
+	SigningKey  string `json:"signing_key" envconfig:"SIGNING_KEY"`
 }
 
 // DBConfiguration holds all the database related configuration.