Import SAML code from last year's website (#59)

* feat: inital saml import - Import SAML code (saml.py) from last year's code repository - Include settings and public key certificates * update: pathlib and json load optimizations * feat: SAML pytest and pnpm test script - Import test SAML from last year's code repository - Configure pytest to run on `pnpm test` * feat: import Serveless Function build script - Import vercel-lib.sh from last year's code repository to current repo's site code - Update site code's vercel.json to run this script * fix: add python3-saml to requirements.txt * fix: add config directory to copy api script * Fix SAML entityID for staging/QA identity provider * feat: SP_KEY and DEPLOYMENT documentation --------- Co-authored-by: Taesung Hwang <[email protected]>
HackAtUCI · Dec 6, 2023 · 7b457a8 · 7b457a8
1 parent 2271bab
commit 7b457a8
Show file tree

Hide file tree

Showing 19 changed files with 485 additions and 7 deletions.
diff --git a/apps/api/.gitignore b/apps/api/.gitignore
@@ -1 +1,3 @@
 __pycache__
+*.key
+.coverage
diff --git a/apps/api/README.md b/apps/api/README.md
@@ -17,3 +17,8 @@ which will start a Uvicorn server with auto-reload.
 For deployment, the following environment variables need to be set:
 
 -   `PYTHONPATH=src/api` to properly import Python modules
+-   `SP_KEY`, the private key for SAML authentication
+
+For staging, the following environment variables should also bet set:
+
+-   `DEPLOYMENT=staging`
diff --git a/apps/api/configuration/saml/advanced_settings.json b/apps/api/configuration/saml/advanced_settings.json
@@ -0,0 +1,42 @@
+{
+	"security": {
+		"nameIdEncrypted": true,
+		"authnRequestsSigned": true,
+		"logoutRequestSigned": true,
+		"logoutResponseSigned": true,
+		"signMetadata": true,
+		"wantMessagesSigned": true,
+		"wantAssertionsSigned": true,
+		"wantAssertionsEncrypted": true,
+		"wantNameId": false,
+		"wantNameIdEncrypted": true,
+		"wantAttributeStatement": true,
+		"requestedAuthnContext": true,
+		"requestedAuthnContextComparison": "exact",
+		"failOnAuthnContextMismatch": false,
+		"metadataValidUntil": null,
+		"metadataCacheDuration": null,
+		"allowSingleLabelDomains": false,
+		"signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+		"digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+		"allowRepeatAttributeName": false,
+		"rejectDeprecatedAlgorithm": true
+	},
+	"contactPerson": {
+		"technical": {
+			"givenName": "Hack at UCI",
+			"emailAddress": "[email protected]"
+		},
+		"support": {
+			"givenName": "Hack at UCI",
+			"emailAddress": "[email protected]"
+		}
+	},
+	"organization": {
+		"en-US": {
+			"name": "HackAtUCI",
+			"displayname": "Hack at UCI",
+			"url": "https://hack.ics.uci.edu"
+		}
+	}
+}
diff --git a/apps/api/configuration/saml/certs/sp-prod.crt b/apps/api/configuration/saml/certs/sp-prod.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEOTCCAyGgAwIBAgIUZ3pK3QmQN4lwPHQEd1XfG8ZDAtEwDQYJKoZIhvcNAQEL
+BQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYDVQQH
+DAZJcnZpbmUxKTAnBgNVBAoMIFVuaXZlcnNpdHkgb2YgQ2FsaWZvcm5pYSwgSXJ2
+aW5lMRQwEgYDVQQLDAtIYWNrIGF0IFVDSTEYMBYGA1UEAwwPaXJ2aW5laGFja3Mu
+Y29tMRswGQYJKoZIhvcNAQkBFgxoYWNrQHVjaS5lZHUwHhcNMjMxMTIzMTgwODM5
+WhcNMzMxMTIyMTgwODM5WjCBqzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExDzANBgNVBAcMBklydmluZTEpMCcGA1UECgwgVW5pdmVyc2l0eSBvZiBD
+YWxpZm9ybmlhLCBJcnZpbmUxFDASBgNVBAsMC0hhY2sgYXQgVUNJMRgwFgYDVQQD
+DA9pcnZpbmVoYWNrcy5jb20xGzAZBgkqhkiG9w0BCQEWDGhhY2tAdWNpLmVkdTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9wb3qTdkEQEJnVaMfiud0V
+sQtKlaHR8jxIMa40plsAoPSzs/VDn+V1CiH/I2Hp8CL7uZcoDIdG9slYyulBN0jP
+KvpYrHf5GYxunHk/D+aD8spq1hP5KktiuaNYTDqDNYrHKyyavqFcEMy7ZXUk/rqn
+di7tzcLXFJutaSB++ad4cws/XLmJjJz8zn3rbGM+rCHzlZ60bw3y24xjSQhhiy9R
+Q+l9SYNJgz1q1M6g1l+9nPDgmtzKoR8f/qFMeQxkfTmmWuyYM2R4bD0FZW2pa2cv
+nH4fmeVXaFxyjAK5DvXFCckSt9X2/7efZdI1+MaPoYfZunXR+vOn6oWsq9Zu0DkC
+AwEAAaNTMFEwHQYDVR0OBBYEFNO4CEyG3Rbyt9y9MzpauzgffX09MB8GA1UdIwQY
+MBaAFNO4CEyG3Rbyt9y9MzpauzgffX09MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBADiItb6TkqFEiZPr2xeGiMjbDqQroNDw4m46D32FiTsr7WkD
+r6ZA/lInTSN30xF0cuzJyHh/M1uwwEo1w6Z4D3LWMDJROaiVAaKBAxiJFY5yDAFo
+cRO2VmoWLvJryJvyZdG4+ALaHgWYTXnAqZBAfmtaBIATX/Db5rI4+VKSaqqZNLlQ
+2s+9T5AlYcNOE/yIQmAIV5Nk319zmUhZbtJD9bmE1RwdE0qwBjIWOHDiNBpRcmES
+Umq0tVD/V7oUdE6L3WFOu8EMj5k6667hQcNZJDJwiEpC+brsJO/vBRWA8Skz6YFW
+CsdbuJV5/JXU5pzmizrSO7ZIvQJpXo27LTHwI+Y=
+-----END CERTIFICATE-----
diff --git a/apps/api/configuration/saml/certs/sp-staging.crt b/apps/api/configuration/saml/certs/sp-staging.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIESTCCAzGgAwIBAgIUXSOSqBVb0kaTHAvtg4BIeaKk31wwDQYJKoZIhvcNAQEL
+BQAwgbMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYDVQQH
+DAZJcnZpbmUxKTAnBgNVBAoMIFVuaXZlcnNpdHkgb2YgQ2FsaWZvcm5pYSwgSXJ2
+aW5lMRQwEgYDVQQLDAtIYWNrIGF0IFVDSTEgMB4GA1UEAwwXc3RhZ2luZy5pcnZp
+bmVoYWNrcy5jb20xGzAZBgkqhkiG9w0BCQEWDGhhY2tAdWNpLmVkdTAeFw0yMzEx
+MjMxODA5MTFaFw0zMzExMjIxODA5MTFaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEPMA0GA1UEBwwGSXJ2aW5lMSkwJwYDVQQKDCBVbml2ZXJz
+aXR5IG9mIENhbGlmb3JuaWEsIElydmluZTEUMBIGA1UECwwLSGFjayBhdCBVQ0kx
+IDAeBgNVBAMMF3N0YWdpbmcuaXJ2aW5laGFja3MuY29tMRswGQYJKoZIhvcNAQkB
+FgxoYWNrQHVjaS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9
++thRtbPV5pGNw1ju6A1Ay4fWNZSJOSVExh7uK/f31GwPz+eKgZqg3TEkRvzJO5Bw
+Kok19oS5fXji1OvTy5BJEzSZ8rRUkWS5LlFBQTCLkP79+S12ldrbv8ojpsAYPuVa
+D7z69U9kmwFsTiS3h6Oqmn/rV0eicmGCFRYAjPSbdcG7zQZJ/HCfLHiblpagKX1X
+o2SeNBLkRZAV1uNA3fB8czk68pJ6+yBXH3BIbZUxRarmMDRMd104d4dvrcD90Lja
+B+kL3wAM/Iz3NkihRR45F0OZ66Tk9XnBZrdj2eyHMFn5nkVLAdi+nwZld/23ZL06
+9JkTvzeFpzqXltBk8kbnAgMBAAGjUzBRMB0GA1UdDgQWBBTTIK63nY6j+IH2KEiT
+rbsdulCI+DAfBgNVHSMEGDAWgBTTIK63nY6j+IH2KEiTrbsdulCI+DAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvxa/E8WJYlkckEMrY7X0u1EhF
+xxbHXiS1fXIYrojg4zFLpiulmw06C/09aw4kDaIGwUh8aicyRiA9PtVd8MEuqlhi
+C/GlI+PRjc/+5I0RNws4occAcWADEjMt7WHg/iLwuAg/QjmOEhZlA3qh+vYyaSlR
+XgoqdMtkulnIdxvXs+n/ZZEE9irVDbqrWF691bzhX1McvqxoIAuMEGUAWUqUhmdl
+GIk09JrWyJ9jwCwmObK8sKroNedUW22gh1wG/Bb3IIkNrXfoQukOinPlWmA327vP
+Pd8KjVZ0uR/IDRQwzROyU6j8/OVYpjOnEijShmVd74PK6wcDl0PmOnP9DFxT
+-----END CERTIFICATE-----
diff --git a/apps/api/configuration/saml/settings-prod.json b/apps/api/configuration/saml/settings-prod.json
@@ -0,0 +1,60 @@
+{
+	"strict": true,
+	"debug": true,
+	"sp": {
+		"entityId": "https://irvinehacks.com/shibboleth",
+		"assertionConsumerService": {
+			"url": "https://irvinehacks.com/api/saml/acs",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+		},
+		"singleLogoutService": {
+			"url": "https://irvinehacks.com/api/saml/sls",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"attributeConsumingService": {
+			"serviceName": "IrvineHacks Website",
+			"serviceDescription": "Website for IrvineHacks, Orange County's largest hackathon.",
+			"requestedAttributes": [
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:0.9.2342.19200300.100.1.3",
+					"isRequired": true,
+					"friendlyName": "email"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113730.3.1.241",
+					"isRequired": true,
+					"friendlyName": "displayName"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113916.5.6.1.1",
+					"isRequired": true,
+					"friendlyName": "ucinetid"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113916.5.6.1.59",
+					"isRequired": true,
+					"friendlyName": "uciaffiliation"
+				}
+			]
+		},
+		"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+		"x509cert": "",
+		"privateKey": ""
+	},
+	"idp": {
+		"entityId": "urn:mace:incommon:uci.edu",
+		"singleSignOnService": {
+			"url": "https://shib.service.uci.edu/idp/profile/SAML2/Redirect/SSO",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"singleLogoutService": {
+			"url": "https://shib.service.uci.edu/logout.html",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"x509cert": "MIIDODCCAiCgAwIBAgIJALjyIupKtkKDMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNVBAMTEXNoaWIubmFjcy51Y2kuZWR1MB4XDTE2MDcxNTIzMTg1MVoXDTI2MDcxMzIzMTg1MVowHDEaMBgGA1UEAxMRc2hpYi5uYWNzLnVjaS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp964Q5ZWIBmmI/5EfAo1z0S3SBYoLfNl5EkfJrnqntc5VO7AcBjsuNrZTb1zrv/juL7cXXjzcrh1Pbh2BIpwSa3z0yta1KQX3NZBq8wZOjdyd6iLkLx6kcT9q5MyWyd8qJ2DmPQZ9wWdPCb0RoRA8RaJW0gp/3JQhh4+ERVUJx438JA/+dfouSiXB+UguVYHgceETjOik09A/j6cD1shILMZnuBObAtOAuT9PSFiWhOKOLghloAHkc0QDTyXC9BNTBKtyBr9XiYLgvspmy13L3Kc1npPynLt+KqfuBIG0OE/arSOImGD/y6ep6EaB6WTcWaCqNaQ3l4bQX8RaLMp5AgMBAAGjfTB7MB0GA1UdDgQWBBTvY0+ZHT/jnKj8RLLgCpDcTowcCzBMBgNVHSMERTBDgBTvY0+ZHT/jnKj8RLLgCpDcTowcC6EgpB4wHDEaMBgGA1UEAxMRc2hpYi5uYWNzLnVjaS5lZHWCCQC48iLqSrZCgzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBTuqm1sr3CNlHMKaou7THCv+ADueR7mE+25C0vG8cEF+5GQ1Rh3dGPqXPmnt/D1R8zKhm5XqvkjXTvdE4cvq1hdpwADhDAa9IOYbnRCrbeajfZFUG0tAe5mFayBhKKmSVdM73n535nQ2NvTImGgO9bkD1Nss/Yi1WfCWUdoYf6zhE8LP6zQEE75vYHD5nmYpQ/k3Yw3dxkifIjuUZf/eTibB26/FRM4cdv05EYBQ88U4+0PzRg8ZRqvZ2Cj0qub7eRQNt6Jfm4/QsEos3q2PxBLbvTGUtZ1RizkEWrhF5bk0Ax8xJFkh64xXidpKNgt8Bl6IfZDpHXUZTdfjCTDRRD"
+	}
+}
diff --git a/apps/api/configuration/saml/settings-staging.json b/apps/api/configuration/saml/settings-staging.json
@@ -0,0 +1,60 @@
+{
+	"strict": true,
+	"debug": true,
+	"sp": {
+		"entityId": "https://staging.irvinehacks.com/shibboleth",
+		"assertionConsumerService": {
+			"url": "https://staging.irvinehacks.com/api/saml/acs",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+		},
+		"singleLogoutService": {
+			"url": "https://staging.irvinehacks.com/api/saml/sls",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"attributeConsumingService": {
+			"serviceName": "IrvineHacks Website",
+			"serviceDescription": "Website for IrvineHacks, Orange County's largest hackathon.",
+			"requestedAttributes": [
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:0.9.2342.19200300.100.1.3",
+					"isRequired": true,
+					"friendlyName": "email"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113730.3.1.241",
+					"isRequired": true,
+					"friendlyName": "displayName"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113916.5.6.1.1",
+					"isRequired": true,
+					"friendlyName": "ucinetid"
+				},
+				{
+					"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+					"name": "urn:oid:2.16.840.1.113916.5.6.1.59",
+					"isRequired": true,
+					"friendlyName": "uciaffiliation"
+				}
+			]
+		},
+		"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+		"x509cert": "",
+		"privateKey": ""
+	},
+	"idp": {
+		"entityId": "https://shib-qa.service.uci.edu/idp",
+		"singleSignOnService": {
+			"url": "https://shib-qa.service.uci.edu/idp/profile/SAML2/Redirect/SSO",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"singleLogoutService": {
+			"url": "https://shib-qa.service.uci.edu/logout.html",
+			"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		},
+		"x509cert": "MIIDJzCCAg+gAwIBAgIUU1688ql6Nw4jpeO9aKzQTz4eTCUwDQYJKoZIhvcNAQELBQAwIzEhMB8GA1UEAwwYc2hpYi1kZXYuc2VydmljZS51Y2kuZWR1MB4XDTIxMDMxNjIxMjUyMVoXDTMxMDMxNDIxMjUyMVowIzEhMB8GA1UEAwwYc2hpYi1kZXYuc2VydmljZS51Y2kuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo673SK1qbWNcQbTNzTz9j4hwQF5W+VwFsaHOa+YqtngRGjbXWrgwuf15pUgLz/Mzuqg8j8I46VAaTXd5kdPmhN0GbLxWmVQDgUjMEZzGk50LATvmx9abt3YR8JhvlVtgLAYCssjp3LA8QhoZJu0DsJJ8uMHM9xXtrktotYp8/PHoJekMsmPYjZk41Semz63H87wv79faREeBznpj1BNNeCqGHCV/OhsBnhuDjD7/xei1DH7fqHD2p/CSpti5/2GL+X60n7yuqe3SkQaHJ/fmUvsc2TVsmJ2GB9/tYbLaBnpeIR/W6Td9e8hB8t4/OS0tQFQlpdvuNg2mFEWyeChIBwIDAQABo1MwUTAdBgNVHQ4EFgQU4l1TIJmWzfA8aVWBM0z64ahRfFwwHwYDVR0jBBgwFoAU4l1TIJmWzfA8aVWBM0z64ahRfFwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAIgqAD8S9io6RR3vIvjMGcWtW7bE0ICAV9sVm2bXXB5mLBuDCGS46TEy8tVoLw5/56LfM6x25EF62/uncnFHQw/8b5r+45J6jVclT0YhHtwWeqKO3GJ7dzxXIdXCsNLPZ17/rL/wKQhUTuKDtFgOko3Oq4xsZM0X3ObsJD+t1VmgVcoTweai4LyiyX0k+vxX2F2EEXI7AWN0qzuQiBhp4pWGfSXRKCHEpQwd8+sXcYbn3VflbSXaMifPqWm5JRzsmUT6pA4XFxoux9/JAKciFuDeD/zWgM5HinqooIwg3SlHzjcOCK07ZcQ1fBTvnbS2NfVwwQmtCQHzLL8VoLFDaZw=="
+	}
+}
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -2,6 +2,7 @@
 	"name": "api",
 	"private": true,
 	"scripts": {
-		"dev": "python src/dev.py"
+		"dev": "python src/dev.py",
+		"test": "pytest"
 	}
-}
+}
diff --git a/apps/api/pyproject.toml b/apps/api/pyproject.toml
@@ -0,0 +1,11 @@
+[tool.pytest.ini_options]
+pythonpath = "src"
+addopts = "--verbose --cov src"
+testpaths = "tests"
+asyncio_mode = "auto"
+
+[tool.coverage.run]
+branch = true
+
+[tool.coverage.report]
+show_missing = true
diff --git a/apps/api/requirements-dev.txt b/apps/api/requirements-dev.txt
@@ -1 +1,5 @@
+pytest==7.4.3
+pytest-asyncio==0.21.1
+pytest-cov==4.1.0
+
 uvicorn[standard]==0.23.2
diff --git a/apps/api/requirements.txt b/apps/api/requirements.txt
@@ -1,2 +1,4 @@
 fastapi==0.104.1
+httpx==0.25.2
 python-multipart==0.0.5
+python3-saml==1.16.0
diff --git a/apps/api/src/app.py b/apps/api/src/app.py
@@ -1,10 +1,10 @@
 from fastapi import FastAPI
 
-from routers import demo
+from routers import saml
 
 app = FastAPI()
 
-app.include_router(demo.router, prefix="/demo", tags=["demo"])
+app.include_router(saml.router, prefix="/saml", tags=["saml"])
 
 
 @app.get("/")