feat: implement SAML2 authentication with configuration options

wxg0103 · wxg0103 · commit 9a474b2302f6 · 2025-11-26T11:31:04.000+08:00
diff --git a/apps/oss/views/file.py b/apps/oss/views/file.py
@@ -1,5 +1,8 @@
 # coding=utf-8
 import base64
+import ipaddress
+import socket
+from urllib.parse import urlparse
 
 import requests
 from django.utils.translation import gettext_lazy as _
@@ -83,7 +86,17 @@ class GetUrlView(APIView):
     )
     def get(self, request: Request):
         url = request.query_params.get('url')
-        response = requests.get(url)
+        parsed = validate_url(url)
+
+        response = requests.get(
+            url,
+            timeout=3,
+            allow_redirects=False
+        )
+        final_host = urlparse(response.url).hostname
+        if is_private_ip(final_host):
+            raise ValueError("Blocked unsafe redirect to internal host")
+
         # 返回状态码 响应内容大小  响应的contenttype 还有字节流
         content_type = response.headers.get('Content-Type', '')
         # 根据内容类型决定如何处理
@@ -99,3 +112,43 @@ def get(self, request: Request):
             'Content-Type': content_type,
             'content': content,
         })
+
+
+def is_private_ip(host: str) -> bool:
+    """检测 IP 是否属于内网、环回、云 metadata 的危险地址"""
+    try:
+        ip = ipaddress.ip_address(socket.gethostbyname(host))
+        return (
+                ip.is_private or
+                ip.is_loopback or
+                ip.is_reserved or
+                ip.is_link_local or
+                ip.is_multicast
+        )
+    except Exception:
+        return True
+
+
+def validate_url(url: str):
+    """验证 URL 是否安全"""
+    if not url:
+        raise ValueError("URL is required")
+
+    parsed = urlparse(url)
+
+    # 仅允许 http / https
+    if parsed.scheme not in ("http", "https"):
+        raise ValueError("Only http and https are allowed")
+
+    host = parsed.hostname
+    path = parsed.path
+
+    # 域名不能为空
+    if not host:
+        raise ValueError("Invalid URL")
+
+    # 禁止访问内部、保留、环回、云 metadata
+    if is_private_ip(host):
+        raise ValueError("Access to internal IP addresses is blocked")
+
+    return parsed
diff --git a/ui/src/api/user/login.ts b/ui/src/api/user/login.ts
@@ -99,7 +99,11 @@ const postLanguage: (data: any, loading?: Ref<boolean>) => Promise<Result<User>>
 ) => {
   return post('/user/language', data, undefined, loading)
 }
-
+const samlLogin: (loading?: Ref<boolean>) => Promise<Result<any>> = (
+  loading,
+) => {
+  return get('/saml2', '', loading)
+}
 export default {
   login,
   logout,
@@ -112,5 +116,6 @@ export default {
   getDingOauth2Callback,
   getLarkCallback,
   getQrSource,
-  ldapLogin
+  ldapLogin,
+  samlLogin
 }
diff --git a/ui/src/locales/lang/en-US/views/system.ts b/ui/src/locales/lang/en-US/views/system.ts
@@ -71,6 +71,24 @@ export default {
       filedMappingPlaceholder: 'Please enter field mapping',
       enableAuthentication: 'Enable OAuth2 Authentication',
     },
+    saml2: {
+      title: 'SAML2',
+      ldp: 'Idp MetaData Url',
+      ldpPlaceholder: 'Please enter Idp MetaData Url',
+      enableAuthnRequests: 'Enable request signature',
+      enableAssertions: 'Enable assertion signatures',
+      privateKey: 'SP Private Key',
+      privateKeyPlaceholder: 'Please enter SP Private Key',
+      certificate: 'SP Certificate',
+      certificatePlaceholder: 'Please enter SP Certificate',
+      filedMapping: 'Field Mapping',
+      spEntityId: 'SP Entity Id',
+      spEntityIdPlaceholder: 'Please enter SP Entity Id',
+      spAcs: 'SP Ace',
+      spAcsPlaceholder: 'Please enter SP Ace',
+      filedMappingPlaceholder: 'Please enter field mapping',
+      enableAuthentication: 'Enable SAML2 Authentication',
+    },
     scanTheQRCode: {
       title: 'Scan the QR code',
       wecom: 'WeCom',
@@ -133,9 +151,9 @@ export default {
     type: 'Type',
     management: 'management',
   },
-    default_login: 'Default Login Method',
+  default_login: 'Default Login Method',
   display_code: 'Account login verification code setting',
-    loginFailed: 'Login failed',
+  loginFailed: 'Login failed',
   loginFailedMessage: 'Display verification code twice',
   display_codeTip: 'When the value is -1, the verification code is not displayed',
   time: 'Times',
diff --git a/ui/src/locales/lang/zh-CN/views/system.ts b/ui/src/locales/lang/zh-CN/views/system.ts
@@ -73,6 +73,24 @@ export default {
       filedMappingPlaceholder: '请输入字段映射',
       enableAuthentication: '启用 OAuth2 认证',
     },
+    saml2: {
+      title: 'SAML2',
+      ldp: 'Idp MetaData Url',
+      ldpPlaceholder: '请输入 Idp MetaData Url',
+      enableAuthnRequests: '开启请求签名',
+      enableAssertions: '开启断言签名',
+      privateKey: 'SP Private Key',
+      privateKeyPlaceholder: '请输入 SP Private Key',
+      certificate: 'SP Certificate',
+      certificatePlaceholder: '请输入 SP Certificate',
+      filedMapping: '字段映射',
+      spEntityId: 'SP Entity Id',
+      spEntityIdPlaceholder: '请输入 SP Entity Id',
+      spAcs: 'SP Ace',
+      spAcsPlaceholder: '请输入 SP Ace',
+      filedMappingPlaceholder: '请输入字段映射',
+      enableAuthentication: '启用 SAML2 认证',
+    },
     scanTheQRCode: {
       title: '扫码登录',
       wecom: '企业微信',
diff --git a/ui/src/locales/lang/zh-Hant/views/system.ts b/ui/src/locales/lang/zh-Hant/views/system.ts
@@ -71,6 +71,25 @@ export default {
       filedMappingPlaceholder: '請輸入欄位對應',
       enableAuthentication: '啟用 OAuth2 認證',
     },
+    saml2: {
+      title: 'SAML2',
+      ldp: 'Idp MetaData Url',
+      ldpPlaceholder: '請輸入 Idp MetaData Url',
+      enableAuthnRequests: '開啟請求簽名',
+      enableAssertions: '開啟斷言簽名',
+      privateKey: 'SP Private Key',
+      privateKeyPlaceholder: '請輸入 SP Private Key',
+      certificate: 'SP Certificate',
+      certificatePlaceholder: '請輸入 SP Certificate',
+      filedMapping: '欄位映射',
+      spEntityId: 'SP Entity Id',
+      spEntityIdPlaceholder: '請輸入 SP Entity Id',
+      spAcs: 'SP Ace',
+      spAcsPlaceholder: '請輸入 SP Ace',
+      filedMappingPlaceholder: '請輸入欄位映射',
+      enableAuthentication: '啟用 SAML2 認證',
+    },
+
     scanTheQRCode: {
       title: '掃碼登入',
       wecom: '企業微信',
@@ -133,7 +152,7 @@ export default {
     type: '類型',
     management: '管理',
   },
-    default_login: '預設登入方式',
+  default_login: '預設登入方式',
   display_code: '帳號登入驗證碼設定',
   loginFailed: '登入失敗',
   loginFailedMessage: '次顯示驗證碼',
diff --git a/ui/src/stores/modules/login.ts b/ui/src/stores/modules/login.ts
@@ -86,6 +86,10 @@ const useLoginStore = defineStore('login', {
         return ok.data
       })
     },
+    async samlLogin() {
+      return LoginApi.samlLogin().then((ok) => {
+      })
+    }
   },
 })
 
diff --git a/ui/src/views/login/index.vue b/ui/src/views/login/index.vue
@@ -329,6 +329,10 @@ function redirectAuth(authType: string, needMessage: boolean = true) {
       if (config.scope) {
         url += `&scope=${config.scope}`
       }
+    } else if (authType === 'SAML2') {
+      loginApi.samlLogin().then((res: any) => {
+        window.location.href = res.data
+      })
     }
     if (!url) {
       return
diff --git a/ui/src/views/system-setting/authentication/component/Saml2.vue b/ui/src/views/system-setting/authentication/component/Saml2.vue
diff --git a/ui/src/views/system-setting/authentication/index.vue b/ui/src/views/system-setting/authentication/index.vue

Original file line number	Diff line number	Diff line change
`@@ -329,6 +329,10 @@ function redirectAuth(authType: string, needMessage: boolean = true) {`
`329`	`329`	`if (config.scope) {`
`330`	`330`	url += `&scope=${config.scope}`
`331`	`331`	`}`
	`332`	`+ } else if (authType === 'SAML2') {`
	`333`	`+ loginApi.samlLogin().then((res: any) => {`
	`334`	`+ window.location.href = res.data`
	`335`	`+ })`
`332`	`336`	`}`
`333`	`337`	`if (!url) {`
`334`	`338`	`return`