feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519)

2024-03-15 01:30:56 +09:00 · 2024-03-15 01:30:56 +09:00 · 8c1db331e7
commit 8c1db331e7
parent d300a6829f
45 changed files with 4094 additions and 1725 deletions
--- a/packages/backend/src/server/api/EndpointsModule.ts
+++ b/packages/backend/src/server/api/EndpointsModule.ts
@ -90,6 +90,10 @@ import * as ep___admin_roles_assign from './endpoints/admin/roles/assign.js';
 import * as ep___admin_roles_unassign from './endpoints/admin/roles/unassign.js';
 import * as ep___admin_roles_updateDefaultPolicies from './endpoints/admin/roles/update-default-policies.js';
 import * as ep___admin_roles_users from './endpoints/admin/roles/users.js';
+import * as ep___admin_sso_create from './endpoints/admin/sso/create.js';
+import * as ep___admin_sso_delete from './endpoints/admin/sso/delete.js';
+import * as ep___admin_sso_list from './endpoints/admin/sso/list.js';
+import * as ep___admin_sso_update from './endpoints/admin/sso/update.js';
 import * as ep___announcements from './endpoints/announcements.js';
 import * as ep___antennas_create from './endpoints/antennas/create.js';
 import * as ep___antennas_delete from './endpoints/antennas/delete.js';
@ -472,6 +476,10 @@ const $admin_roles_assign: Provider = { provide: 'ep:admin/roles/assign', useCla
 const $admin_roles_unassign: Provider = { provide: 'ep:admin/roles/unassign', useClass: ep___admin_roles_unassign.default };
 const $admin_roles_updateDefaultPolicies: Provider = { provide: 'ep:admin/roles/update-default-policies', useClass: ep___admin_roles_updateDefaultPolicies.default };
 const $admin_roles_users: Provider = { provide: 'ep:admin/roles/users', useClass: ep___admin_roles_users.default };
+const $admin_sso_create: Provider = { provide: 'ep:admin/sso/create', useClass: ep___admin_sso_create.default };
+const $admin_sso_delete: Provider = { provide: 'ep:admin/sso/delete', useClass: ep___admin_sso_delete.default };
+const $admin_sso_list: Provider = { provide: 'ep:admin/sso/list', useClass: ep___admin_sso_list.default };
+const $admin_sso_update: Provider = { provide: 'ep:admin/sso/update', useClass: ep___admin_sso_update.default };
 const $announcements: Provider = { provide: 'ep:announcements', useClass: ep___announcements.default };
 const $antennas_create: Provider = { provide: 'ep:antennas/create', useClass: ep___antennas_create.default };
 const $antennas_delete: Provider = { provide: 'ep:antennas/delete', useClass: ep___antennas_delete.default };
@ -858,6 +866,10 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$admin_roles_unassign,
 		$admin_roles_updateDefaultPolicies,
 		$admin_roles_users,
+		$admin_sso_create,
+		$admin_sso_delete,
+		$admin_sso_list,
+		$admin_sso_update,
 		$announcements,
 		$antennas_create,
 		$antennas_delete,
@ -1238,6 +1250,10 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$admin_roles_unassign,
 		$admin_roles_updateDefaultPolicies,
 		$admin_roles_users,
+		$admin_sso_create,
+		$admin_sso_delete,
+		$admin_sso_list,
+		$admin_sso_update,
 		$announcements,
 		$antennas_create,
 		$antennas_delete,
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@ -90,6 +90,10 @@ import * as ep___admin_roles_assign from './endpoints/admin/roles/assign.js';
 import * as ep___admin_roles_unassign from './endpoints/admin/roles/unassign.js';
 import * as ep___admin_roles_updateDefaultPolicies from './endpoints/admin/roles/update-default-policies.js';
 import * as ep___admin_roles_users from './endpoints/admin/roles/users.js';
+import * as ep___admin_sso_create from './endpoints/admin/sso/create.js';
+import * as ep___admin_sso_delete from './endpoints/admin/sso/delete.js';
+import * as ep___admin_sso_list from './endpoints/admin/sso/list.js';
+import * as ep___admin_sso_update from './endpoints/admin/sso/update.js';
 import * as ep___announcements from './endpoints/announcements.js';
 import * as ep___antennas_create from './endpoints/antennas/create.js';
 import * as ep___antennas_delete from './endpoints/antennas/delete.js';
@ -470,6 +474,10 @@ const eps = [
 	['admin/roles/unassign', ep___admin_roles_unassign],
 	['admin/roles/update-default-policies', ep___admin_roles_updateDefaultPolicies],
 	['admin/roles/users', ep___admin_roles_users],
+	['admin/sso/create', ep___admin_sso_create],
+	['admin/sso/delete', ep___admin_sso_delete],
+	['admin/sso/list', ep___admin_sso_list],
+	['admin/sso/update', ep___admin_sso_update],
 	['announcements', ep___announcements],
 	['antennas/create', ep___antennas_create],
 	['antennas/delete', ep___antennas_delete],
--- a/packages/backend/src/server/api/endpoints/admin/indie-auth/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/indie-auth/create.ts
@ -1,8 +1,3 @@
-/*
- * SPDX-FileCopyrightText: syuilo and misskey-project
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { IndieAuthClientsRepository } from '@/models/_.js';
@ -70,7 +65,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const indieAuthClient = await this.indieAuthClientsRepository.insert({
 				id: ps.id,
 				createdAt: new Date(),
-				name: ps.name,
+				name: ps.name ? ps.name : null,
 				redirectUris: ps.redirectUris,
 			}).then(r => this.indieAuthClientsRepository.findOneByOrFail({ id: r.identifiers[0].id }));

--- a/packages/backend/src/server/api/endpoints/admin/indie-auth/delete.ts
+++ b/packages/backend/src/server/api/endpoints/admin/indie-auth/delete.ts
@ -1,8 +1,3 @@
-/*
- * SPDX-FileCopyrightText: syuilo and misskey-project
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { IndieAuthClientsRepository } from '@/models/_.js';
--- a/packages/backend/src/server/api/endpoints/admin/indie-auth/list.ts
+++ b/packages/backend/src/server/api/endpoints/admin/indie-auth/list.ts
@ -1,8 +1,3 @@
-/*
- * SPDX-FileCopyrightText: syuilo and misskey-project
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { IndieAuthClientsRepository } from '@/models/_.js';
--- a/packages/backend/src/server/api/endpoints/admin/indie-auth/update.ts
+++ b/packages/backend/src/server/api/endpoints/admin/indie-auth/update.ts
@ -1,8 +1,3 @@
-/*
- * SPDX-FileCopyrightText: syuilo and misskey-project
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { IndieAuthClientsRepository } from '@/models/_.js';
@ -53,7 +48,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (client == null) throw new ApiError(meta.errors.noSuchIndieAuthClient);

 			await this.indieAuthClientsRepository.update(client.id, {
-				name: ps.name,
+				name: ps.name !== '' ? ps.name : null,
 				redirectUris: ps.redirectUris,
 			});

--- a/packages/backend/src/server/api/endpoints/admin/sso/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/create.ts
@ -0,0 +1,159 @@
+import { randomUUID } from 'node:crypto';
+import { Inject, Injectable } from '@nestjs/common';
+import * as jose from 'jose';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { ModerationLogService } from '@/core/ModerationLogService.js';
+import { DI } from '@/di-symbols.js';
+import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
+import { ApiError } from '../../../error.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'write:admin:sso',
+
+	errors: {
+		invalidParamSamlUseCertificate: {
+			message: 'SAML service provider must use certificate.',
+			code: 'INVALID_PARAM',
+			id: 'bb97e559-f23c-4d6a-9e4e-eb5db1f467f9',
+		},
+	},
+
+	res: {
+		type: 'object',
+		optional: false, nullable: false,
+		properties: {
+			id: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			createdAt: {
+				type: 'string',
+				optional: false, nullable: false,
+				format: 'date-time',
+			},
+			name: {
+				type: 'string',
+				optional: false, nullable: true,
+			},
+			type: {
+				type: 'string',
+				optional: false, nullable: false,
+				enum: ['saml', 'jwt'],
+			},
+			issuer: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			audience: {
+				type: 'array',
+				optional: false, nullable: false,
+				items: { type: 'string', nullable: false },
+			},
+			acsUrl: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			publicKey: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			signatureAlgorithm: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			cipherAlgorithm: {
+				type: 'string',
+				optional: true, nullable: true,
+			},
+			wantAuthnRequestsSigned: {
+				type: 'boolean',
+				optional: false, nullable: false,
+			},
+			wantAssertionsSigned: {
+				type: 'boolean',
+				optional: false, nullable: false,
+			},
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		name: { type: 'string', nullable: true },
+		type: { type: 'string', enum: ['saml', 'jwt'], nullable: false },
+		issuer: { type: 'string', nullable: false },
+		audience: { type: 'array', items: { type: 'string', nullable: false }, default: [] },
+		acsUrl: { type: 'string', nullable: false },
+		signatureAlgorithm: { type: 'string', nullable: false },
+		cipherAlgorithm: { type: 'string', nullable: true },
+		wantAuthnRequestsSigned: { type: 'boolean', nullable: false, default: false },
+		wantAssertionsSigned: { type: 'boolean', nullable: false, default: true },
+		useCertificate: { type: 'boolean', nullable: false, default: true },
+		secret: { type: 'string', nullable: true },
+	},
+	required: ['type', 'issuer', 'acsUrl', 'signatureAlgorithm', 'useCertificate'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.singleSignOnServiceProviderRepository)
+		private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,
+
+		private moderationLogService: ModerationLogService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			if (ps.type === 'saml' && ps.useCertificate === false) {
+				throw new ApiError(meta.errors.invalidParamSamlUseCertificate);
+			}
+
+			const { publicKey, privateKey } = ps.useCertificate
+				? await jose.generateKeyPair(ps.signatureAlgorithm).then(async keypair => ({
+					publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
+					privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
+				}))
+				: { publicKey: ps.secret ?? randomUUID(), privateKey: null };
+
+			const ssoServiceProvider = await this.singleSignOnServiceProviderRepository.insert({
+				id: randomUUID(),
+				createdAt: new Date(),
+				name: ps.name ? ps.name : null,
+				type: ps.type,
+				issuer: ps.issuer,
+				audience: ps.audience,
+				acsUrl: ps.acsUrl,
+				publicKey: publicKey,
+				privateKey: privateKey,
+				signatureAlgorithm: ps.signatureAlgorithm,
+				cipherAlgorithm: ps.cipherAlgorithm ? ps.cipherAlgorithm : null,
+				wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
+				wantAssertionsSigned: ps.wantAssertionsSigned,
+			}).then(r => this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: r.identifiers[0].id }));
+
+			this.moderationLogService.log(me, 'createSSOServiceProvider', {
+				serviceId: ssoServiceProvider.id,
+				service: ssoServiceProvider,
+			});
+
+			return {
+				id: ssoServiceProvider.id,
+				createdAt: ssoServiceProvider.createdAt.toISOString(),
+				name: ssoServiceProvider.name,
+				type: ssoServiceProvider.type,
+				issuer: ssoServiceProvider.issuer,
+				audience: ssoServiceProvider.audience,
+				acsUrl: ssoServiceProvider.acsUrl,
+				publicKey: ssoServiceProvider.publicKey,
+				signatureAlgorithm: ssoServiceProvider.signatureAlgorithm,
+				cipherAlgorithm: ssoServiceProvider.cipherAlgorithm,
+				wantAuthnRequestsSigned: ssoServiceProvider.wantAuthnRequestsSigned,
+				wantAssertionsSigned: ssoServiceProvider.wantAssertionsSigned,
+			};
+		});
+	}
+}
--- a/packages/backend/src/server/api/endpoints/admin/sso/delete.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/delete.ts
@ -0,0 +1,53 @@
+import { Inject, Injectable } from '@nestjs/common';
+import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { ModerationLogService } from '@/core/ModerationLogService.js';
+import { ApiError } from '../../../error.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'write:admin:sso',
+
+	errors: {
+		noSuchSingleSignOnServiceProvider: {
+			message: 'No such SSO Service Provider',
+			code: 'NO_SUCH_SSO_SP',
+			id: 'ece541d3-6c41-4fc3-a514-fa762b96704a',
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		id: { type: 'string' },
+	},
+	required: ['id'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.singleSignOnServiceProviderRepository)
+		private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,
+
+		private moderationLogService: ModerationLogService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const service = await this.singleSignOnServiceProviderRepository.findOneBy({ id: ps.id });
+
+			if (service == null) throw new ApiError(meta.errors.noSuchSingleSignOnServiceProvider);
+
+			await this.singleSignOnServiceProviderRepository.delete(service.id);
+
+			this.moderationLogService.log(me, 'deleteSSOServiceProvider', {
+				serviceId: service.id,
+				service: service,
+			});
+		});
+	}
+}
--- a/packages/backend/src/server/api/endpoints/admin/sso/list.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/list.ts
@ -0,0 +1,111 @@
+import { Inject, Injectable } from '@nestjs/common';
+import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'read:admin:sso',
+
+	res: {
+		type: 'array',
+		optional: false, nullable: false,
+		items: {
+			type: 'object',
+			optional: false, nullable: false,
+			properties: {
+				id: {
+					type: 'string',
+					optional: false, nullable: false,
+				},
+				createdAt: {
+					type: 'string',
+					optional: false, nullable: false,
+					format: 'date-time',
+				},
+				name: {
+					type: 'string',
+					optional: false, nullable: true,
+				},
+				type: {
+					type: 'string',
+					optional: false, nullable: false,
+					enum: ['saml', 'jwt'],
+				},
+				issuer: {
+					type: 'string',
+					optional: false, nullable: false,
+				},
+				audience: {
+					type: 'array',
+					optional: false, nullable: false,
+					items: { type: 'string', nullable: false },
+				},
+				acsUrl: {
+					type: 'string',
+					optional: false, nullable: false,
+				},
+				publicKey: {
+					type: 'string',
+					optional: false, nullable: false,
+				},
+				signatureAlgorithm: {
+					type: 'string',
+					optional: false, nullable: false,
+				},
+				cipherAlgorithm: {
+					type: 'string',
+					optional: true, nullable: true,
+				},
+				wantAuthnRequestsSigned: {
+					type: 'boolean',
+					optional: false, nullable: false,
+				},
+				wantAssertionsSigned: {
+					type: 'boolean',
+					optional: false, nullable: false,
+				},
+			},
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		limit: { type: 'integer', minimum: 1, maximum: 100, default: 10 },
+		offset: { type: 'integer', default: 0 },
+	},
+	required: [],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.singleSignOnServiceProviderRepository)
+		private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const query = this.singleSignOnServiceProviderRepository.createQueryBuilder('service');
+			const services = await query.offset(ps.offset).limit(ps.limit).getMany();
+
+			return services.map(service => ({
+				id: service.id,
+				createdAt: service.createdAt.toISOString(),
+				name: service.name,
+				type: service.type,
+				issuer: service.issuer,
+				audience: service.audience,
+				acsUrl: service.acsUrl,
+				publicKey: service.publicKey,
+				signatureAlgorithm: service.signatureAlgorithm,
+				cipherAlgorithm: service.cipherAlgorithm,
+				wantAuthnRequestsSigned: service.wantAuthnRequestsSigned,
+				wantAssertionsSigned: service.wantAssertionsSigned,
+			}));
+		});
+	}
+}
--- a/packages/backend/src/server/api/endpoints/admin/sso/update.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/update.ts
@ -0,0 +1,86 @@
+import * as jose from 'jose';
+import { Inject, Injectable } from '@nestjs/common';
+import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { ModerationLogService } from '@/core/ModerationLogService.js';
+import { ApiError } from '../../../error.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'write:admin:sso',
+
+	errors: {
+		noSuchSingleSignOnServiceProvider: {
+			message: 'No such SSO Service Provider',
+			code: 'NO_SUCH_SSO_SP',
+			id: '2f481db0-23f5-4380-8cb8-704169ffb25b',
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		id: { type: 'string' },
+		name: { type: 'string' },
+		issuer: { type: 'string' },
+		audience: { type: 'array', items: { type: 'string', nullable: false } },
+		acsUrl: { type: 'string' },
+		signatureAlgorithm: { type: 'string' },
+		cipherAlgorithm: { type: 'string' },
+		wantAuthnRequestsSigned: { type: 'boolean' },
+		wantAssertionsSigned: { type: 'boolean' },
+		regenerateCertificate: { type: 'boolean' },
+		secret: { type: 'string' },
+	},
+	required: ['id'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.singleSignOnServiceProviderRepository)
+		private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,
+
+		private moderationLogService: ModerationLogService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const service = await this.singleSignOnServiceProviderRepository.findOneBy({ id: ps.id });
+
+			if (service == null) throw new ApiError(meta.errors.noSuchSingleSignOnServiceProvider);
+
+			const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;
+			const { publicKey, privateKey } = ps.regenerateCertificate
+				? await jose.generateKeyPair(alg).then(async keypair => ({
+					publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
+					privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
+				}))
+				: { publicKey: ps.secret ?? undefined, privateKey: undefined };
+
+			await this.singleSignOnServiceProviderRepository.update(service.id, {
+				name: ps.name !== '' ? ps.name : null,
+				issuer: ps.issuer,
+				audience: ps.audience,
+				acsUrl: ps.acsUrl,
+				publicKey: publicKey,
+				privateKey: privateKey,
+				signatureAlgorithm: ps.signatureAlgorithm,
+				cipherAlgorithm: ps.cipherAlgorithm !== '' ? ps.cipherAlgorithm : null,
+				wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
+				wantAssertionsSigned: ps.wantAssertionsSigned,
+			});
+
+			const updatedService = await this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: service.id });
+
+			this.moderationLogService.log(me, 'updateSSOServiceProvider', {
+				serviceId: service.id,
+				before: service,
+				after: updatedService,
+			});
+		});
+	}
+}