feat: allow login page customization (crewjam#597)

based on crewjam#493

Co-authored-by: Sergey Solodyagin <[email protected]>

Author: crewjam

samlidp/samlidp.go

@@ -5,6 +5,7 @@ package samlidp
 import (
 	"crypto"
 	"crypto/x509"
+	"html/template"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -19,12 +20,13 @@ import (
 
 // Options represent the parameters to New() for creating a new IDP server
 type Options struct {
-	URL         url.URL
-	Key         crypto.PrivateKey
-	Signer      crypto.Signer
-	Logger      logger.Interface
-	Certificate *x509.Certificate
-	Store       Store
+	URL               url.URL
+	Key               crypto.PrivateKey
+	Signer            crypto.Signer
+	Logger            logger.Interface
+	Certificate       *x509.Certificate
+	Store             Store
+	LoginFormTemplate *template.Template
 }
 
 // Server represents an IDP server. The server provides the following URLs:
@@ -39,11 +41,12 @@ type Options struct {
 //	/shortcuts    - RESTful interface to Shortcut objects
 type Server struct {
 	http.Handler
-	idpConfigMu      sync.RWMutex // protects calls into the IDP
-	logger           logger.Interface
-	serviceProviders map[string]*saml.EntityDescriptor
-	IDP              saml.IdentityProvider // the underlying IDP
-	Store            Store                 // the data store
+	idpConfigMu       sync.RWMutex // protects calls into the IDP
+	logger            logger.Interface
+	serviceProviders  map[string]*saml.EntityDescriptor
+	IDP               saml.IdentityProvider // the underlying IDP
+	Store             Store                 // the data store
+	LoginFormTemplate *template.Template
 }
 
 // New returns a new Server
@@ -69,8 +72,9 @@ func New(opts Options) (*Server, error) {
 			MetadataURL: metadataURL,
 			SSOURL:      ssoURL,
 		},
-		logger: logr,
-		Store:  opts.Store,
+		logger:            logr,
+		Store:             opts.Store,
+		LoginFormTemplate: opts.LoginFormTemplate,
 	}
 
 	s.IDP.SessionProvider = s

samlidp/session.go

@@ -5,8 +5,8 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"html/template"
 	"net/http"
-	"text/template"
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
@@ -39,13 +39,13 @@ func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.Id
 		user := User{}
 		if err := s.Store.Get(fmt.Sprintf("/users/%s", r.PostForm.Get("user")), &user); err != nil {
 			s.logger.Printf("ERROR: User '%s' doesn't exists", r.PostForm.Get("user"))
-			s.sendLoginForm(w, r, req, "Invalid username or password")
+			s.sendLoginForm(w, req, "Invalid username or password")
 			return nil
 		}
 
 		if err := bcrypt.CompareHashAndPassword(user.HashedPassword, []byte(r.PostForm.Get("password"))); err != nil {
 			s.logger.Printf("ERROR: Invalid password for user '%s'", r.PostForm.Get("user"))
-			s.sendLoginForm(w, r, req, "Invalid username or password")
+			s.sendLoginForm(w, req, "Invalid username or password")
 			return nil
 		}
 
@@ -86,39 +86,44 @@ func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.Id
 		session := &saml.Session{}
 		if err := s.Store.Get(fmt.Sprintf("/sessions/%s", sessionCookie.Value), session); err != nil {
 			if err == ErrNotFound {
-				s.sendLoginForm(w, r, req, "")
+				s.sendLoginForm(w, req, "")
 				return nil
 			}
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return nil
 		}
 
 		if saml.TimeNow().After(session.ExpireTime) {
-			s.sendLoginForm(w, r, req, "")
+			s.sendLoginForm(w, req, "")
 			return nil
 		}
 		return session
 	}
 
-	s.sendLoginForm(w, r, req, "")
+	s.sendLoginForm(w, req, "")
 	return nil
 }
 
+var defaultLoginFormTemplate = template.Must(template.New("saml-post-form").Parse(`` +
+	`<html>` +
+	`<p>{{.Toast}}</p>` +
+	`<form method="post" action="{{.URL}}">` +
+	`<input type="text" name="user" placeholder="user" value="" />` +
+	`<input type="password" name="password" placeholder="password" value="" />` +
+	`<input type="hidden" name="SAMLRequest" value="{{.SAMLRequest}}" />` +
+	`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
+	`<input type="submit" value="Log In" />` +
+	`</form>` +
+	`</html>`))
+
 // sendLoginForm produces a form which requests a username and password and directs the user
 // back to the IDP authorize URL to restart the SAML login flow, this time establishing a
 // session based on the credentials that were provided.
-func (s *Server) sendLoginForm(w http.ResponseWriter, _ *http.Request, req *saml.IdpAuthnRequest, toast string) {
-	tmpl := template.Must(template.New("saml-post-form").Parse(`` +
-		`<html>` +
-		`<p>{{.Toast}}</p>` +
-		`<form method="post" action="{{.URL}}">` +
-		`<input type="text" name="user" placeholder="user" value="" />` +
-		`<input type="password" name="password" placeholder="password" value="" />` +
-		`<input type="hidden" name="SAMLRequest" value="{{.SAMLRequest}}" />` +
-		`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
-		`<input type="submit" value="Log In" />` +
-		`</form>` +
-		`</html>`))
+func (s *Server) sendLoginForm(w http.ResponseWriter, req *saml.IdpAuthnRequest, toast string) {
+	tmpl := s.LoginFormTemplate
+	if tmpl == nil {
+		tmpl = defaultLoginFormTemplate
+	}
 	data := struct {
 		Toast       string
 		URL         string

samlidp/testdata/http_sso_response.html

@@ -1 +1 @@
-<html><p></p><form method="post" action="https://idp.example.com/sso"><input type="text" name="user" placeholder="user" value="" /><input type="password" name="password" placeholder="password" value="" /><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc3NvIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vc3AuZXhhbXBsZS5jb20vc2FtbDIvYWNzIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=" /><input type="hidden" name="RelayState" value="frob" /><input type="submit" value="Log In" /></form></html>
+<html><p></p><form method="post" action="https://idp.example.com/sso"><input type="text" name="user" placeholder="user" value="" /><input type="password" name="password" placeholder="password" value="" /><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc3NvIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vc3AuZXhhbXBsZS5jb20vc2FtbDIvYWNzIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI&#43;aHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI&#43;PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=" /><input type="hidden" name="RelayState" value="frob" /><input type="submit" value="Log In" /></form></html>