feat: SAML (#287)

* fix: saml impl

* fix: remove sp entity id from client

* fix: unique idp entity id

* fix: changelog

* fix: SAML client count

* fix: index for expires_at

* fix: repeatable read

* fix: mt query serializable

* fix: gradle

* fix: update deadlock tests

* fix: configurable claims and relay state validity

* fix: restoring transaction isolation level for bulk import

* fix: revert transaction isolation changes

* fix: autocommit

* fix: revert deadlock test

* fix: auto commit

* fix: restore isolation and auto commit

Author: sattvikc

CHANGELOG.md

@@ -7,6 +7,67 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [9.3.0]
+
+- Adds SAML support
+
+### Migration
+
+```sql
+CREATE TABLE IF NOT EXISTS saml_clients (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    client_id VARCHAR(256) NOT NULL,
+    client_secret TEXT,
+    sso_login_url TEXT NOT NULL,
+    redirect_uris TEXT NOT NULL,
+    default_redirect_uri TEXT NOT NULL,
+    idp_entity_id VARCHAR(256) NOT NULL,
+    idp_signing_certificate TEXT NOT NULL,
+    allow_idp_initiated_login BOOLEAN NOT NULL DEFAULT FALSE,
+    enable_request_signing BOOLEAN NOT NULL DEFAULT FALSE,
+    created_at BIGINT NOT NULL,
+    updated_at BIGINT NOT NULL,
+    CONSTRAINT saml_clients_pkey PRIMARY KEY(app_id, tenant_id, client_id),
+    CONSTRAINT saml_clients_idp_entity_id_key UNIQUE (app_id, tenant_id, idp_entity_id),
+    CONSTRAINT saml_clients_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_clients_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_clients_app_id_tenant_id_index ON saml_clients (app_id, tenant_id);
+
+CREATE TABLE IF NOT EXISTS saml_relay_state (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    relay_state VARCHAR(256) NOT NULL,
+    client_id VARCHAR(256) NOT NULL,
+    state TEXT NOT NULL,
+    redirect_uri TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    CONSTRAINT saml_relay_state_pkey PRIMARY KEY(app_id, tenant_id, relay_state),
+    CONSTRAINT saml_relay_state_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_relay_state_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_relay_state_app_id_tenant_id_index ON saml_relay_state (app_id, tenant_id);
+CREATE INDEX IF NOT EXISTS saml_relay_state_expires_at_index ON saml_relay_state (expires_at);
+
+CREATE TABLE IF NOT EXISTS saml_claims (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    client_id VARCHAR(256) NOT NULL,
+    code VARCHAR(256) NOT NULL,
+    claims TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    CONSTRAINT saml_claims_pkey PRIMARY KEY(app_id, tenant_id, code),
+    CONSTRAINT saml_claims_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_claims_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_claims_app_id_tenant_id_index ON saml_claims (app_id, tenant_id);
+CREATE INDEX IF NOT EXISTS saml_claims_expires_at_index ON saml_claims (expires_at);
+```
+
 ## [9.2.0]
 
 - Adds docker support for opentelemetry javaagent

build.gradle

@@ -2,10 +2,12 @@ plugins {
     id 'java-library'
 }
 
-version = "9.2.0"
+version = "9.3.0"
 
 repositories {
     mavenCentral()
+
+    maven { url 'https://build.shibboleth.net/nexus/content/repositories/releases/' }
 }
 
 dependencies {

pluginInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "8.2"
+    "8.3"
   ]
 }

src/main/java/io/supertokens/storage/postgresql/BulkImportProxyStorage.java

@@ -16,17 +16,17 @@
 
 package io.supertokens.storage.postgresql;
 
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.List;
+
 import io.supertokens.pluginInterface.exceptions.DbInitException;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.sqlStorage.TransactionConnection;
 
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.util.List;
-
 
 /**
 * BulkImportProxyStorage is a class extending Start, serving as a Storage instance in the bulk import user cronjob.

src/main/java/io/supertokens/storage/postgresql/Start.java

@@ -17,11 +17,39 @@
 
 package io.supertokens.storage.postgresql;
 
-import ch.qos.logback.classic.Logger;
+import java.lang.reflect.Field;
+import java.sql.BatchUpdateException;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.SQLTransactionRollbackException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.annotation.Nonnull;
+
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.jetbrains.annotations.TestOnly;
+import org.postgresql.util.PSQLException;
+import org.postgresql.util.ServerErrorMessage;
+import org.slf4j.LoggerFactory;
+
 import com.google.gson.JsonObject;
 import com.google.gson.JsonPrimitive;
 import com.zaxxer.hikari.pool.HikariPool;
-import io.supertokens.pluginInterface.*;
+
+import ch.qos.logback.classic.Logger;
+import io.supertokens.pluginInterface.ActiveUsersSQLStorage;
+import io.supertokens.pluginInterface.ActiveUsersStorage;
+import io.supertokens.pluginInterface.ConfigFieldInfo;
+import io.supertokens.pluginInterface.KeyValueInfo;
+import io.supertokens.pluginInterface.LOG_LEVEL;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
 import io.supertokens.pluginInterface.authRecipe.LoginMethod;
 import io.supertokens.pluginInterface.authRecipe.sqlStorage.AuthRecipeSQLStorage;
@@ -73,8 +101,16 @@
 import io.supertokens.pluginInterface.passwordless.PasswordlessCode;
 import io.supertokens.pluginInterface.passwordless.PasswordlessDevice;
 import io.supertokens.pluginInterface.passwordless.PasswordlessImportUser;
-import io.supertokens.pluginInterface.passwordless.exception.*;
+import io.supertokens.pluginInterface.passwordless.exception.DuplicateCodeIdException;
+import io.supertokens.pluginInterface.passwordless.exception.DuplicateDeviceIdHashException;
+import io.supertokens.pluginInterface.passwordless.exception.DuplicateLinkCodeHashException;
+import io.supertokens.pluginInterface.passwordless.exception.DuplicatePhoneNumberException;
+import io.supertokens.pluginInterface.passwordless.exception.UnknownDeviceIdHash;
 import io.supertokens.pluginInterface.passwordless.sqlStorage.PasswordlessSQLStorage;
+import io.supertokens.pluginInterface.saml.SAMLClaimsInfo;
+import io.supertokens.pluginInterface.saml.SAMLClient;
+import io.supertokens.pluginInterface.saml.SAMLRelayStateInfo;
+import io.supertokens.pluginInterface.saml.SAMLStorage;
 import io.supertokens.pluginInterface.session.SessionInfo;
 import io.supertokens.pluginInterface.session.SessionStorage;
 import io.supertokens.pluginInterface.session.sqlStorage.SessionSQLStorage;
@@ -104,37 +140,43 @@
 import io.supertokens.pluginInterface.webauthn.AccountRecoveryTokenInfo;
 import io.supertokens.pluginInterface.webauthn.WebAuthNOptions;
 import io.supertokens.pluginInterface.webauthn.WebAuthNStoredCredential;
-import io.supertokens.pluginInterface.webauthn.exceptions.*;
+import io.supertokens.pluginInterface.webauthn.exceptions.DuplicateOptionsIdException;
+import io.supertokens.pluginInterface.webauthn.exceptions.DuplicateRecoverAccountTokenException;
+import io.supertokens.pluginInterface.webauthn.exceptions.DuplicateUserEmailException;
+import io.supertokens.pluginInterface.webauthn.exceptions.WebauthNCredentialNotExistsException;
+import io.supertokens.pluginInterface.webauthn.exceptions.WebauthNOptionsNotExistsException;
 import io.supertokens.pluginInterface.webauthn.slqStorage.WebAuthNSQLStorage;
+import static io.supertokens.storage.postgresql.QueryExecutorTemplate.execute;
 import io.supertokens.storage.postgresql.annotations.EnvName;
 import io.supertokens.storage.postgresql.config.Config;
 import io.supertokens.storage.postgresql.config.PostgreSQLConfig;
 import io.supertokens.storage.postgresql.output.Logging;
-import io.supertokens.storage.postgresql.queries.*;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
-import org.jetbrains.annotations.TestOnly;
-import org.postgresql.util.PSQLException;
-import org.postgresql.util.ServerErrorMessage;
-import org.slf4j.LoggerFactory;
-
-import javax.annotation.Nonnull;
-import java.lang.reflect.Field;
-import java.sql.BatchUpdateException;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.SQLTransactionRollbackException;
-import java.util.*;
-
-import static io.supertokens.storage.postgresql.QueryExecutorTemplate.execute;
+import io.supertokens.storage.postgresql.queries.ActiveUsersQueries;
+import io.supertokens.storage.postgresql.queries.BulkImportQueries;
+import io.supertokens.storage.postgresql.queries.DashboardQueries;
+import io.supertokens.storage.postgresql.queries.EmailPasswordQueries;
+import io.supertokens.storage.postgresql.queries.EmailVerificationQueries;
+import io.supertokens.storage.postgresql.queries.GeneralQueries;
+import io.supertokens.storage.postgresql.queries.JWTSigningQueries;
+import io.supertokens.storage.postgresql.queries.MultitenancyQueries;
+import io.supertokens.storage.postgresql.queries.OAuthQueries;
+import io.supertokens.storage.postgresql.queries.PasswordlessQueries;
+import io.supertokens.storage.postgresql.queries.SAMLQueries;
+import io.supertokens.storage.postgresql.queries.SessionQueries;
+import io.supertokens.storage.postgresql.queries.TOTPQueries;
+import io.supertokens.storage.postgresql.queries.ThirdPartyQueries;
+import io.supertokens.storage.postgresql.queries.UserIdMappingQueries;
+import io.supertokens.storage.postgresql.queries.UserMetadataQueries;
+import io.supertokens.storage.postgresql.queries.UserRolesQueries;
+import io.supertokens.storage.postgresql.queries.WebAuthNQueries;
 
 @WithinOtelSpan
 public class Start
         implements SessionSQLStorage, EmailPasswordSQLStorage, EmailVerificationSQLStorage, ThirdPartySQLStorage,
         JWTRecipeSQLStorage, PasswordlessSQLStorage, UserMetadataSQLStorage, UserRolesSQLStorage, UserIdMappingStorage,
         UserIdMappingSQLStorage, MultitenancyStorage, MultitenancySQLStorage, DashboardSQLStorage, TOTPSQLStorage,
         ActiveUsersStorage, ActiveUsersSQLStorage, AuthRecipeSQLStorage, OAuthStorage, BulkImportSQLStorage,
-        WebAuthNSQLStorage {
+        WebAuthNSQLStorage, SAMLStorage {
 
     // these configs are protected from being modified / viewed by the dev using the SuperTokens
     // SaaS. If the core is not running in SuperTokens SaaS, this array has no effect.
@@ -1032,6 +1074,8 @@ public void addInfoToNonAuthRecipesBasedOnUserId(TenantIdentifier tenantIdentifi
             //ignore
         } else if (className.equals(OAuthStorage.class.getName())) {
             /* Since OAuth recipe tables do not store userId we do not add any data to them */
+        } else if (className.equals(SAMLStorage.class.getName())) {
+            //ignore
         } else if (className.equals(ActiveUsersStorage.class.getName())) {
             try {
                 ActiveUsersQueries.updateUserLastActive(this, tenantIdentifier.toAppIdentifier(), userId);
@@ -4392,4 +4436,115 @@ public void deleteExpiredGeneratedOptions() throws StorageQueryException {
             throw new StorageQueryException(e);
         }
     }
+
+    @Override
+    public SAMLClient createOrUpdateSAMLClient(TenantIdentifier tenantIdentifier, SAMLClient samlClient)
+            throws StorageQueryException, io.supertokens.pluginInterface.saml.exception.DuplicateEntityIdException {
+        try {
+            return SAMLQueries.createOrUpdateSAMLClient(this, tenantIdentifier, samlClient.clientId, samlClient.clientSecret,
+                    samlClient.ssoLoginURL, samlClient.redirectURIs.toString(), samlClient.defaultRedirectURI,
+                    samlClient.idpEntityId, samlClient.idpSigningCertificate,
+                    samlClient.allowIDPInitiatedLogin, samlClient.enableRequestSigning);
+        } catch (SQLException e) {
+            if (e instanceof PSQLException) {
+                PostgreSQLConfig config = Config.getConfig(this);
+                ServerErrorMessage serverMessage = ((PSQLException) e).getServerErrorMessage();
+
+                if (isUniqueConstraintError(serverMessage, config.getSAMLClientsTable(), "idp_entity_id")) {
+                    throw new io.supertokens.pluginInterface.saml.exception.DuplicateEntityIdException();
+                }
+            }
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean removeSAMLClient(TenantIdentifier tenantIdentifier, String clientId) throws StorageQueryException {
+        try {
+            return SAMLQueries.removeSAMLClient(this, tenantIdentifier, clientId);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public SAMLClient getSAMLClient(TenantIdentifier tenantIdentifier, String clientId) throws StorageQueryException {
+        try {
+            return SAMLQueries.getSAMLClient(this, tenantIdentifier, clientId);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public SAMLClient getSAMLClientByIDPEntityId(TenantIdentifier tenantIdentifier, String idpEntityId) throws StorageQueryException {
+        try {
+            return SAMLQueries.getSAMLClientByIDPEntityId(this, tenantIdentifier, idpEntityId);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public List<SAMLClient> getSAMLClients(TenantIdentifier tenantIdentifier) throws StorageQueryException {
+        try {
+            return SAMLQueries.getSAMLClients(this, tenantIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void saveRelayStateInfo(TenantIdentifier tenantIdentifier, SAMLRelayStateInfo relayStateInfo, long relayStateValidity) throws StorageQueryException {
+        try {
+            SAMLQueries.saveRelayStateInfo(this, tenantIdentifier, relayStateInfo.relayState, relayStateInfo.clientId, relayStateInfo.state, relayStateInfo.redirectURI, relayStateValidity);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public SAMLRelayStateInfo getRelayStateInfo(TenantIdentifier tenantIdentifier, String relayState) throws StorageQueryException {
+        try {
+            return SAMLQueries.getRelayStateInfo(this, tenantIdentifier, relayState);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void saveSAMLClaims(TenantIdentifier tenantIdentifier, String clientId, String code, JsonObject claims, long claimsValidity) throws StorageQueryException {
+        try {
+            SAMLQueries.saveSAMLClaims(this, tenantIdentifier, clientId, code, claims.toString(), claimsValidity);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public SAMLClaimsInfo getSAMLClaimsAndRemoveCode(TenantIdentifier tenantIdentifier, String code) throws StorageQueryException {
+        try {
+            return SAMLQueries.getSAMLClaimsAndRemoveCode(this, tenantIdentifier, code);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void removeExpiredSAMLCodesAndRelayStates() throws StorageQueryException {
+        try {
+            SAMLQueries.removeExpiredSAMLCodesAndRelayStates(this);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public int countSAMLClients(TenantIdentifier tenantIdentifier) throws StorageQueryException {
+        try {
+            return SAMLQueries.countSAMLClients(this, tenantIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
 }

src/main/java/io/supertokens/storage/postgresql/config/PostgreSQLConfig.java

@@ -496,6 +496,12 @@ public String getOAuthLogoutChallengesTable() {
 
     public String getWebAuthNAccountRecoveryTokenTable() { return   addSchemaAndPrefixToTableName("webauthn_account_recovery_tokens"); }
 
+    public String getSAMLClientsTable() { return addSchemaAndPrefixToTableName("saml_clients"); }
+
+    public String getSAMLRelayStateTable() { return addSchemaAndPrefixToTableName("saml_relay_state"); }
+
+    public String getSAMLClaimsTable() { return addSchemaAndPrefixToTableName("saml_claims"); }
+
     public String getBulkImportUsersTable() {
         return addSchemaAndPrefixToTableName("bulk_import_users");
     }