feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519)

2024-03-15 01:30:56 +09:00 · 2024-03-15 01:30:56 +09:00 · 8c1db331e7
commit 8c1db331e7
parent d300a6829f
45 changed files with 4094 additions and 1725 deletions
--- a/packages/frontend/src/pages/admin/security.vue
+++ b/packages/frontend/src/pages/admin/security.vue
@ -137,7 +137,7 @@ SPDX-License-Identifier: AGPL-3.0-only

 					<div class="_gaps">
 						<MkButton primary full @click="indieAuthAddNew"><i class="ti ti-plus"></i> New</MkButton>
-						<MkFolder v-for="(client, index) in indieAuthClients" :key="`${index}-${client.createdAt}`" :defaultOpen="!client.createdAt">
+						<MkFolder v-for="(client, index) in indieAuthClients" :key="`${indieAuthTimestamp}-${index}-${client.createdAt ? client.id : 'new'}`" :defaultOpen="!client.createdAt">
 							<template #label>{{ client.name || client.id }}</template>
 							<template #icon>
 								<i v-if="client.id" class="ti ti-key"></i>
@ -166,6 +166,72 @@ SPDX-License-Identifier: AGPL-3.0-only
 						</MkButton>
 					</div>
 				</MkFolder>
+
+				<MkFolder>
+					<template #label>Single Sign-On Service Providers</template>
+
+					<div class="_gaps">
+						<MkButton primary full @click="ssoServiceAddNew"><i class="ti ti-plus"></i> New</MkButton>
+						<MkFolder v-for="(service, index) in ssoServices" :key="`${ssoServiceTimestamp}-${index}-${service.createdAt ? service.id : 'new'}`" :defaultOpen="!service.createdAt">
+							<template #label>{{ service.name || service.id }}</template>
+							<template #icon>
+								<i v-if="service.id" class="ti ti-key"></i>
+								<i v-else class="ti ti-plus"></i>
+							</template>
+							<template v-if="service.name && service.id" #caption>{{ service.id }}</template>
+
+							<div class="_gaps_m">
+								<MkInput v-model="service.id" disabled>
+									<template #label>Service ID</template>
+								</MkInput>
+								<MkInput v-model="service.name">
+									<template #label>Name</template>
+								</MkInput>
+								<MkRadios v-model="service.type">
+									<option value="jwt">JWT</option>
+									<option value="saml">SAML</option>
+								</MkRadios>
+								<MkInput v-model="service.issuer">
+									<template #label>Issuer</template>
+								</MkInput>
+								<MkTextarea v-model="service.audience">
+									<template #label>Audience</template>
+								</MkTextarea>
+								<MkInput v-model="service.acsUrl">
+									<template #label>Assertion Consumer Service URL</template>
+								</MkInput>
+								<MkInput v-model="service.publicKey">
+									<template #label>{{ service['useCertificate'] ? 'Public Key' : 'Secret' }}</template>
+								</MkInput>
+								<MkInput v-model="service.signatureAlgorithm">
+									<template #label>Signature Algorithm</template>
+								</MkInput>
+								<MkInput v-model="service.cipherAlgorithm">
+									<template #label>Cipher Algorithm</template>
+								</MkInput>
+								<MkSwitch v-model="service.wantAuthnRequestsSigned">
+									<template #label>Want Authn Requests Signed</template>
+								</MkSwitch>
+								<MkSwitch v-model="service.wantAssertionsSigned">
+									<template #label>Want Assertions Signed</template>
+								</MkSwitch>
+								<MkSwitch v-model="service.useCertificate" :disabled="!!service.createdAt">
+									<template #label>Use Certificate</template>
+								</MkSwitch>
+								<MkSwitch v-if="service.useCertificate" v-model="service.regenerateCertificate">
+									<template #label>Regenerate Certificate</template>
+								</MkSwitch>
+								<div class="buttons _buttons">
+									<MkButton primary @click="ssoServiceSave(service)"><i class="ti ti-device-floppy"></i> Save</MkButton>
+									<MkButton v-if="service.createdAt" warn @click="ssoServiceDelete(service)"><i class="ti ti-trash"></i> Delete</MkButton>
+								</div>
+							</div>
+						</MkFolder>
+						<MkButton v-if="ssoServiceHasMore" :class="$style.more" :disabled="!ssoServiceHasMore" primary rounded @click="ssoServiceFetch()">
+							<i class="ti ti-reload"></i>{{ i18n.ts.more }}
+						</MkButton>
+					</div>
+				</MkFolder>
 			</div>
 		</FormSuspense>
 	</MkSpacer>
@ -208,8 +274,13 @@ const truemailInstance = ref<string | null>(null);
 const truemailAuthKey = ref<string | null>(null);
 const bannedEmailDomains = ref<string>('');
 const indieAuthClients = ref<any[]>([]);
+const indieAuthTimestamp = ref(0);
 const indieAuthOffset = ref(0);
 const indieAuthHasMore = ref(false);
+const ssoServices = ref<any[]>([]);
+const ssoServiceTimestamp = ref(0);
+const ssoServiceOffset = ref(0);
+const ssoServiceHasMore = ref(false);

 async function init() {
 	const meta = await misskeyApi('admin/meta');
@ -274,12 +345,11 @@ function indieAuthFetch(resetOffset = false) {
 		offset: indieAuthOffset.value,
 		limit: 10,
 	}).then(clients => {
-		indieAuthClients.value = indieAuthClients.value.concat(clients.map((client: any) => ({
-			id: client.id,
-			name: client.name,
+		indieAuthClients.value = indieAuthClients.value.concat(clients.map(client => ({
+			...client,
 			redirectUris: client.redirectUris.join('\n'),
-			createdAt: client.createdAt,
 		})));
+		indieAuthTimestamp.value = Date.now();
 		indieAuthHasMore.value = clients.length === 10;
 		indieAuthOffset.value += clients.length;
 	});
@ -302,7 +372,9 @@ function indieAuthDelete(client) {
 	}).then(({ canceled }) => {
 		if (canceled) return;
 		indieAuthClients.value = indieAuthClients.value.filter(x => x !== client);
-		misskeyApi('admin/indie-auth/delete', client);
+		os.apiWithDialog('admin/indie-auth/delete', client).then(() => {
+			indieAuthFetch(true);
+		});
 	});
 }

@ -314,11 +386,100 @@ async function indieAuthSave(client) {
 	};

 	if (client.createdAt !== undefined) {
-		await misskeyApi('admin/indie-auth/update', params);
+		await os.apiWithDialog('admin/indie-auth/update', params).then(() => {
+			indieAuthFetch(true);
+		});
 	} else {
-		await misskeyApi('admin/indie-auth/create', params);
+		await os.apiWithDialog('admin/indie-auth/create', params).then(() => {
+			indieAuthFetch(true);
+		});
+	}
+}
+
+function ssoServiceFetch(resetOffset = false) {
+	if (resetOffset) {
+		ssoServices.value = [];
+		ssoServiceOffset.value = 0;
+	}
+
+	misskeyApi('admin/sso/list', {
+		offsetMode: true,
+		offset: ssoServiceOffset.value,
+		limit: 10,
+	}).then(services => {
+		ssoServices.value = ssoServices.value.concat(services.map(service => ({
+			...service,
+			audience: service.audience.join('\n'),
+		})));
+		ssoServiceTimestamp.value = Date.now();
+		ssoServiceHasMore.value = services.length === 10;
+		ssoServiceOffset.value += services.length;
+	});
+}
+
+ssoServiceFetch(true);
+
+function ssoServiceAddNew() {
+	ssoServices.value.unshift({
+		id: '',
+		name: '',
+		type: 'jwt',
+		issuer: '',
+		audience: '',
+		acsUrl: '',
+		publicKey: '',
+		signatureAlgorithm: 'HS256',
+		cipherAlgorithm: '',
+		wantAuthnRequestsSigned: false,
+		wantAssertionsSigned: true,
+		useCertificate: false,
+		regenerateCertificate: false,
+	});
+}
+
+function ssoServiceDelete(service) {
+	os.confirm({
+		type: 'warning',
+		text: i18n.tsx.deleteAreYouSure({ x: service.id }),
+	}).then(({ canceled }) => {
+		if (canceled) return;
+		ssoServices.value = ssoServices.value.filter(x => x !== service);
+		os.apiWithDialog('admin/sso/delete', service).then(() => {
+			ssoServiceFetch(true);
+		});
+	});
+}
+
+async function ssoServiceSave(service) {
+	const params = {
+		id: service.id,
+		name: service.name,
+		type: service.type,
+		issuer: service.issuer,
+		audience: service.audience.split('\n'),
+		acsUrl: service.acsUrl,
+		secret: service.publicKey,
+		signatureAlgorithm: service.signatureAlgorithm,
+		cipherAlgorithm: service.cipherAlgorithm,
+		wantAuthnRequestsSigned: service.wantAuthnRequestsSigned,
+		wantAssertionsSigned: service.wantAssertionsSigned,
+	};
+
+	if (service.createdAt !== undefined) {
+		await os.apiWithDialog('admin/sso/update', {
+			...params,
+			regenerateCertificate: service.regenerateCertificate,
+		}).then(() => {
+			ssoServiceFetch(true);
+		});
+	} else {
+		await os.apiWithDialog('admin/sso/create', {
+			...params,
+			useCertificate: service.useCertificate,
+		}).then(() => {
+			ssoServiceFetch(true);
+		});
 	}
-	indieAuthFetch(true);
 }

 const headerActions = computed(() => []);
--- a/packages/frontend/src/pages/sso.vue
+++ b/packages/frontend/src/pages/sso.vue
@ -0,0 +1,65 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<MkStickyContainer>
+	<template #header><MkPageHeader/></template>
+	<MkSpacer :contentMax="800">
+		<div v-if="$i">
+			<div v-if="name">{{ i18n.tsx._auth.shareAccess({ name }) }}</div>
+			<div v-else>{{ i18n.ts._auth.shareAccessAsk }}</div>
+			<form :class="$style.buttons" :action="`/sso/${kind}/authorize`" accept-charset="utf-8" method="post">
+				<input name="transaction_id" class="mk-input-tr-id-hidden" type="hidden" :value="transactionIdMeta?.content"/>
+				<input name="login_token" class="mk-input-token-hidden" type="hidden" :value="$i.token"/>
+				<MkButton inline name="cancel" value="cancel">{{ i18n.ts.cancel }}</MkButton>
+				<MkButton inline primary>{{ i18n.ts.accept }}</MkButton>
+			</form>
+		</div>
+		<div v-else>
+			<p :class="$style.loginMessage">{{ i18n.ts._auth.pleaseLogin }}</p>
+			<MkSignin @login="onLogin"/>
+		</div>
+	</MkSpacer>
+</MkStickyContainer>
+</template>
+
+<script lang="ts" setup>
+import MkSignin from '@/components/MkSignin.vue';
+import MkButton from '@/components/MkButton.vue';
+import { $i, login } from '@/account.js';
+import { i18n } from '@/i18n.js';
+import { definePageMetadata } from '@/scripts/page-metadata.js';
+
+const transactionIdMeta = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:transaction-id"]');
+if (transactionIdMeta) {
+	transactionIdMeta.remove();
+}
+
+const name = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:service-name"]')?.content;
+const kind = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:kind"]')?.content;
+
+function onLogin(res): void {
+	login(res.i);
+}
+
+definePageMetadata(() => ({
+	title: 'Single Sign-On',
+	icon: 'ti ti-apps',
+}));
+</script>
+
+<style lang="scss" module>
+.buttons {
+	margin-top: 16px;
+	display: flex;
+	gap: 8px;
+	flex-wrap: wrap;
+}
+
+.loginMessage {
+	text-align: center;
+	margin: 8px 0 24px;
+}
+</style>
--- a/packages/frontend/src/router/definition.ts
+++ b/packages/frontend/src/router/definition.ts
@ -264,6 +264,9 @@ const routes: RouteDef[] = [{
 }, {
 	path: '/oauth/authorize',
 	component: page(() => import('@/pages/oauth.vue')),
+}, {
+	path: '/sso/:kind/:serviceId',
+	component: page(() => import('@/pages/sso.vue')),
 }, {
 	path: '/tags/:tag',
 	component: page(() => import('@/pages/tag.vue')),