Linking SAML Roles to Growi Permissions

https://github.com/weseek/growi/issues/961

TODO

  • Make it possible, in the Growi admin screen, to restrict what each role can do (or cannot do); for Keycloak the Role Name is used as the role identifier
      • cannot log in without growi_user
      • cannot reach the admin screen without growi_admin
      • etc.
  • Upgrade passport-saml to version 1.1.0 (needed in order to use getSamlResponseXml)
  • Parse the XML obtained from passport-saml's getSamlResponseXml and extract the roles
  • Compare the extracted roles against the restrictions configured in the admin screen and perform the various authorization checks

Sample SAML Response (obtained by calling getSamlResponseXml with passport-saml@1.1.0)

  • A new role named growi_admin was created in Keycloak
  • The other roles are the ones Keycloak grants by default
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://localhost:3000/passport/saml/callback" ID="ID_d408e2f0-6fbd-4375-873f-ad168b2c463b" InResponseTo="_92a1e9b60a219ce61bdf" IssueInstant="2019-05-21T07:50:41.507Z" Version="2.0">
  <saml:Issuer>http://localhost:18080/auth/realms/growi</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_d408e2f0-6fbd-4375-873f-ad168b2c463b">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>ynQGaOd3tSER3yQPj9QQTN+Koe8=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>EVYfxRzND42J5os6LIFFOU1P0HSqZaGAhmB2dtwX9jEM01t7r2C3fUlOIA/l+4JixTkZTUtaNWUFyGtGT+nvfiIi9i1uumov7NeozFt5yXGtkfPRwxf8O5nRdlsgVVaXoDpHraWgOyerpv37TiEpf3LvbxeaZAF2Ae3YtWOmm53nYvPiz4ml8A2SbsWQ/G2e9wVbHq+4Bg7hNiGDdvzV2Y/hpmImx1WXzZgZt48n2EZ3v1lATmBa/HAye+HKrvMYdWjSOyRDDXCK9a+gPptG9ygpsW9Tz6UkKu1v2DBMlxRukMECpVrQCRZotVECn/GE8lgEY0VsqYkEBwkmPIoIEg==</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>97L7YxOQ-mbeqNCIM_Pkc558Qqj6sq1JfRCZwAjWZp0</dsig:KeyName>
      <dsig:X509Data>
        <dsig:X509Certificate>[X509 certificate omitted]</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>mkhoaTcFbGbbwOueDZygVfnlQKmHhyBkUhPwopEEaCzKtbF3e+G7h8a6QPtO4ZtoSUOsZlUA9W+5wy4brWlbzKrVyqEbp6ywogsuBPajFGNJ8F9jmjjHxPWGe7wpuADuX6E7hIJBMbA4wnYYsXYUva4zfAZa+TohbZugKDbiT5SbZLUjfkFtDGJPmOACOlixf56/7NgrINiPARqyYvYb+uatf5lmk9XCySSQ+nTqZIxWxneseEfyo30ZwYg1GwaahNJPdOvgWr7C/U2YoPkgGkl7QkpWMLjjGjxxPYUSYIT1zE9UIn0sCnTppVGj/MwwslKJgu0d9oCFzSuqQUKjHQ==</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_5cdf9dab-0d14-47a7-9268-8859ccd13965" IssueInstant="2019-05-21T07:50:41.502Z" Version="2.0">
    <saml:Issuer>http://localhost:18080/auth/realms/growi</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <dsig:Reference URI="#ID_5cdf9dab-0d14-47a7-9268-8859ccd13965">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <dsig:DigestValue>kVvliB8SeDg2S87Fo4/4tDgArs4=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>Rf3ZHmwYZ62QZeKILUlxU0qM/jujgbHqNTnhkWY9HN5bhs/yYgqVIzXGLtALbIGzjcutremTioXt96kE9TKPIaIow+CeC1dZFPOp58B9u6WLwisiy4y1Dqi/7Ekc5WAZamk87OzpapsJKskjk/V7rL5rvv0scpCFbTr2jkWhLrHT6FdHzhM2LD4Ye/e/2dpy/y0ErH2xf+yA2+Tj37LNF+hN81KY8GLFJSrM9/E3U6jHcwAvDN64/FoBE6qz1aW1sl+Xs/45mNlHX5QgfFUeRWBwKUTSKYTPYHQshZdnTNwGzztQRnM5e5Fx13P399sxRD6fExhi1g5ohqAicIBfwg==</dsig:SignatureValue>
      <dsig:KeyInfo>
        <dsig:KeyName>97L7YxOQ-mbeqNCIM_Pkc558Qqj6sq1JfRCZwAjWZp0</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>[X509 certificate omitted]</dsig:X509Certificate>
        </dsig:X509Data>
        <dsig:KeyValue>
          <dsig:RSAKeyValue>
            <dsig:Modulus>mkhoaTcFbGbbwOueDZygVfnlQKmHhyBkUhPwopEEaCzKtbF3e+G7h8a6QPtO4ZtoSUOsZlUA9W+5wy4brWlbzKrVyqEbp6ywogsuBPajFGNJ8F9jmjjHxPWGe7wpuADuX6E7hIJBMbA4wnYYsXYUva4zfAZa+TohbZugKDbiT5SbZLUjfkFtDGJPmOACOlixf56/7NgrINiPARqyYvYb+uatf5lmk9XCySSQ+nTqZIxWxneseEfyo30ZwYg1GwaahNJPdOvgWr7C/U2YoPkgGkl7QkpWMLjjGjxxPYUSYIT1zE9UIn0sCnTppVGj/MwwslKJgu0d9oCFzSuqQUKjHQ==</dsig:Modulus>
            <dsig:Exponent>AQAB</dsig:Exponent>
          </dsig:RSAKeyValue>
        </dsig:KeyValue>
      </dsig:KeyInfo>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mizozobu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_92a1e9b60a219ce61bdf" NotOnOrAfter="2019-05-21T07:55:39.502Z" Recipient="http://localhost:3000/passport/saml/callback" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-05-21T07:50:39.502Z" NotOnOrAfter="2019-05-21T07:51:39.502Z">
      <saml:AudienceRestriction>
        <saml:Audience>localhost:3000</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-05-21T07:50:41.510Z" SessionIndex="ddd6a21e-69eb-42e3-b907-b297c871ed9c::b554f081-abfb-4a40-8800-a9dc47340d83">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sou@weseek.co.jp </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="username" Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">mizozobu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="id" Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"> 56c3f5b1-6e00-46fb-a568-bf28b0a38189</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">no_one</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
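The last two TODO items (extract the roles from the getSamlResponseXml output, then authorize against the admin-screen restrictions) as a worked example. This is added illustration code, not Growi's or passport-saml's own implementation: the policy shape (requiredLoginRole / requiredAdminRole), the function names, and the cut-down response string are all assumptions made here. It follows the attribute layout of the Keycloak sample above, where each role arrives as its own saml:Attribute with Name="Role" and values may carry trailing whitespace.

```javascript
// Added example (not Growi's or passport-saml's code): pull the Keycloak
// "Role" attribute values out of a SAML Response and check them against the
// role policy that the admin screen is planned to expose.

// Keycloak emits each role as its own <saml:Attribute Name="Role"> element
// holding a single <saml:AttributeValue>.
const ROLE_ATTRIBUTE_NAME = 'Role';

// Decode the predefined XML character references so that a value written as
// "a&amp;b" compares as "a&b".
function unescapeXml(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Return every value of the attribute called `attrName` in the Response XML.
// Assumes `xml` is the string passport-saml hands back after its own
// signature validation. Self-closing <Attribute/> elements (no values) are
// skipped instead of being allowed to swallow the element that follows them.
function extractAttributeValues(xml, attrName) {
  const values = [];
  const attributeRe =
    /<(?:\w+:)?Attribute\b((?:[^>\/]|\/(?!>))*)>([\s\S]*?)<\/(?:\w+:)?Attribute>/g;
  let attr;
  while ((attr = attributeRe.exec(xml)) !== null) {
    const name = /(?:^|\s)Name="([^"]*)"/.exec(attr[1]);
    if (!name || unescapeXml(name[1]) !== attrName) continue;
    const valueRe =
      /<(?:\w+:)?AttributeValue\b[^>]*>([\s\S]*?)<\/(?:\w+:)?AttributeValue>/g;
    let value;
    while ((value = valueRe.exec(attr[2])) !== null) {
      // The sample response carries values such as "uma_authorization " with
      // trailing whitespace, so normalise before comparing against the policy.
      const text = unescapeXml(value[1]).trim();
      if (text !== '') values.push(text);
    }
  }
  return values;
}

function extractRoles(xml) {
  return extractAttributeValues(xml, ROLE_ATTRIBUTE_NAME);
}

// Assumed shape of the admin-screen setting (the page does not fix the names):
// a role required to log in at all and a role required for the admin screen.
// Either may be null to mean "no restriction".
const policy = {
  requiredLoginRole: 'growi_user',
  requiredAdminRole: 'growi_admin',
};

function authorize(roles, rules = policy) {
  const granted = new Set(roles);
  const satisfies = (role) => role == null || granted.has(role);
  const canLogin = satisfies(rules.requiredLoginRole);
  // The admin screen sits behind login, so a user who cannot log in cannot
  // reach it even when growi_admin is present.
  const canOpenAdmin = canLogin && satisfies(rules.requiredAdminRole);
  return { canLogin, canOpenAdmin };
}

// Where this slots in: from passport-saml 1.1.0 the profile object passed to
// the strategy's verify callback exposes getSamlResponseXml().
function authorizeProfile(profile, rules = policy) {
  const roles = extractRoles(profile.getSamlResponseXml());
  return { roles, ...authorize(roles, rules) };
}

// Constructed, cut-down response (signatures and most attributes removed)
// with the same attribute layout as the Keycloak sample above. Like the user
// in that sample, this user does not hold growi_admin.
const sampleResponseXml = `
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="email" Name="email"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>sou@weseek.co.jp </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>uma_authorization </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>growi_user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`;

// Stand-in for the passport-saml profile object.
const fakeProfile = { getSamlResponseXml: () => sampleResponseXml };

console.log(authorizeProfile(fakeProfile));
// { roles: [ 'uma_authorization', 'growi_user' ], canLogin: true, canOpenAdmin: false }
```

Two things worth keeping in mind when turning this into the real feature: the role check must run on the XML passport-saml returns after it has verified the signature (getSamlResponseXml is only reachable from the verify callback, so that ordering is natural), and the regular expressions here are a stand-in for a real XML parser such as xml2js, which passport-saml already depends on. Note also that the sample response on this page carries only Keycloak's default roles for this user, so with the policy above that user would be refused login until growi_user is assigned.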