
162 lines
4.2 KiB
Raw Normal View History

2021-12-29 00:36:47 -05:00
package main
import (
// adapted from
func parsePEM(filename string) *pem.Block {
raw, err := ioutil.ReadFile(filename)
if err != nil {
block, _ := pem.Decode(raw)
if block == nil {
panic("Could not decode PEM from " + filename)
return block
type Config struct {
// The filesystem path to the private key to use for the IDP.
// The key should be in PKCS8 PEM format.
IDPKeyPath string `json:"idp_key_path"`
// The filesystem path to the certificate to use for the IDP.
// The certificate should be in PEM format.
IDPCertPath string `json:"idp_cert_path"`
// The name of the FCGI variable which has the user's username.
UsernameKey string `json:"username_key"`
// The name of the FCGI variable which has the user's email.
EmailKey string `json:"email_key"`
// The name of the FCGI variable which has the user's first name.
GivenNameKey string `json:"given_name_key"`
// The name of the FCGI variable which has the user's last name.
SurnameKey string `json:"surname_key"`
// The name of the FCGI variable which has the user's groups.
// The groups should be concatenated together into one string
// separated by semicolons, e.g. "group1;group2".
GroupsKey string `json:"groups_key"`
// The base URL for the IDP. The following endpoints will be
// derived from it:
// Metadata: baseURL + "/metadata"
// SSO login: baseURL + "/sso"
BaseURL string `json:"base_url"`
// An array of filepaths or HTTP URLs of the service providers'
// metadata XML files.
SPMetadataPaths []string `json:"sp_metadata_paths"`
// The filesystem path of the Unix domain socket on which this
// program will listen for incoming FCGI connections.
SocketPath string `json:"socket_path"`
func newIDP(cfg *Config) *saml.IdentityProvider {
key := func() crypto.PrivateKey {
block := parsePEM(cfg.IDPKeyPath)
k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return k
cert := func() *x509.Certificate {
block := parsePEM(cfg.IDPCertPath)
c, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return c
sessionProvider := &BasicSessionProvider{
UsernameKey: cfg.UsernameKey,
EmailKey: cfg.EmailKey,
GivenNameKey: cfg.GivenNameKey,
SurnameKey: cfg.SurnameKey,
GroupsKey: cfg.GroupsKey,
serviceProviderProvider := NewServiceProviderProvider(cfg.SPMetadataPaths)
metadataURL, err := url.Parse(cfg.BaseURL + "/metadata")
if err != nil {
ssoURL, err := url.Parse(cfg.BaseURL + "/sso")
if err != nil {
return &saml.IdentityProvider{
Key: key,
Certificate: cert,
Logger: logger.DefaultLogger,
MetadataURL: *metadataURL,
SessionProvider: sessionProvider,
ServiceProviderProvider: serviceProviderProvider,
func newHTTPHandler(idp *saml.IdentityProvider) http.Handler {
mux := http.NewServeMux()
mux.HandleFunc(idp.MetadataURL.Path, idp.ServeMetadata)
mux.HandleFunc(idp.SSOURL.Path, idp.ServeSSO)
return mux
func newListener(cfg *Config) net.Listener {
var err error
sockPath := cfg.SocketPath
if _, err = os.Stat(sockPath); err == nil {
err = os.Remove(sockPath)
if err != nil {
ln, err := net.Listen("unix", sockPath)
if err != nil {
os.Chmod(sockPath, 0777)
return ln
func main() {
// Allow the key path to be overriden via a CLI flag so that we
// can use systemd's LoadCredential feature
idpKeyPathPtr := flag.String("k", "", "IDP key path")
configPathPtr := flag.String("c", "./config.json", "config file path")
cfgBytes, err := ioutil.ReadFile(*configPathPtr)
if err != nil {
cfg := Config{}
err = json.Unmarshal(cfgBytes, &cfg)
if err != nil {
if *idpKeyPathPtr != "" {
cfg.IDPKeyPath = *idpKeyPathPtr
idp := newIDP(&cfg)
handler := newHTTPHandler(idp)
listener := newListener(&cfg)
err = fcgi.Serve(listener, handler)
if err != nil {