npm - @boxyhq/saml-jackson - Versions diffs - 0.1.5-beta.123 → 0.1.5-beta.136 - Mend

@boxyhq/saml-jackson 0.1.5-beta.123 → 0.1.5-beta.136

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -129,14 +129,15 @@ Kubernetes and docker-compose deployment files will be coming soon.
 Please follow the instructions [here](https://docs.google.com/document/d/1fk---Z9Ln59u-2toGKUkyO3BF6Dh3dscT2u4J2xHANE) to guide your customers in setting up SAML correctly for your product(s). You should create a copy of the doc and modify it with your custom settings, we have used the values that work for our demo apps.
 ### 1.1 SAML profile/claims/attributes mapping
-As outlined in the guide above we try and support 4 attributes in the SAML claims - `id`, `email`, `firstName`, `lastName`. This is how the common SAML aattributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.
-| SAML Attribute | Jackson mapping |
-|----------------|-----------------|
-|http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier|id|
-|http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress|email|
-|http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname|firstName|
-|http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname|lastName|
+As outlined in the guide above we try and support 4 attributes in the SAML claims - `id`, `email`, `firstName`, `lastName`. This is how the common SAML attributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.
+| SAML Attribute                                                       | Jackson mapping |
+| -------------------------------------------------------------------- | --------------- |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | id              |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   | email           |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      | firstName       |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        | lastName        |
 ### 2. SAML config API
@@ -148,6 +149,7 @@ The following API call sets up the configuration in Jackson:
 ```
 curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'rawMetadata=<IdP/SP metadata XML>' \
 --data-urlencode 'defaultRedirectUrl=http://localhost:3000/login/saml' \
@@ -162,7 +164,29 @@ curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
 - tenant: Jackson supports a multi-tenant architecture, this is a unique identifier you set from your side that relates back to your customer's tenant. This is normally an email, domain, an account id, or user-id
 - product: Jackson support multiple products, this is a unique identifier you set from your side that relates back to the product your customer is using
-The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tenant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow.
+The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tenant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow. Additionally a `provider` attribute is also returned which indicates the domain of your Identity Provider.
+#### 2.1 SAML GET config API
+This endpoint can be used to return metadata about an existing SAML config. This can be used to check and display the details to your customers. You can use either `clientID` and `clientSecret` combination or `tenant` and `product` combination.
+```
+curl --location --request GET 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'tenant=boxyhq.com' \
+--data-urlencode 'product=demo'
+```
+```
+curl --location --request GET 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'clientID=<Client ID>' \
+--data-urlencode 'clientSecret=<Client Secret>'
+```
+The response returns a JSON with `provider` indicating the domain of your Identity Provider. If an empty JSON payload is returned then we do not have any configuration stored for the attributes you requested.
 ### 3. OAuth 2.0 Flow
@@ -199,11 +223,11 @@ The code can then be exchanged for a token by making the following request:
 curl --request POST \
   --url 'http://localhost:5000/oauth/token' \
   --header 'content-type: application/x-www-form-urlencoded' \
-  --data grant_type=authorization_code \
+  --data 'grant_type=authorization_code' \
   --data 'client_id=<clientID or tenant and product query params as described in the SAML config API section above>' \
-  --data client_secret=<clientSecret or any arbitrary value if using the tenant and product in the clientID> \
+  --data 'client_secret=<clientSecret or any arbitrary value if using the tenant and product in the clientID>' \
   --data 'redirect_uri=<redirect URL>' \
-  --data code=<code from the query parameter above>
+  --data 'code=<code from the query parameter above>'
 ```
 - grant_type=authorization_code: This is the only supported flow, for now. We might extend this in the future
@@ -236,15 +260,15 @@ If everything goes well you should receive a JSON response with the user's profi
 ```
 {
+  "id": <id from the Identity Provider>,
   "email": "sjackson@coolstartup.com",
   "firstName": "SAML"
-  "id": <id from the Identity Provider>,
-  "lastName": "Jackson",
+  "lastName": "Jackson"
 }
 ```
-- email: The email address of the user as provided by the Identity Provider
 - id: The id of the user as provided by the Identity Provider
+- email: The email address of the user as provided by the Identity Provider
 - firstName: The first name of the user as provided by the Identity Provider
 - lastName: The last name of the user as provided by the Identity Provider
@@ -276,6 +300,7 @@ The following options are supported and will have to be configured during deploy
 | EXTERNAL_URL (npm: externalUrl)   | The public URL to reach this service, used internally for documenting the SAML configuration instructions.                                                                                                                                                                                                                                                                                                           | `http://{HOST_URL}:{HOST_PORT}` |
 | INTERNAL_HOST_URL                 | The URL to bind to expose the internal APIs. Do not configure this to a public network.                                                                                                                                                                                                                                                                                                                              | `localhost`                     |
 | INTERNAL_HOST_PORT                | The port to bind to for the internal APIs.                                                                                                                                                                                                                                                                                                                                                                           | `6000`                          |
+| JACKSON_API_KEYS                  | A comma separated list of API keys that will be validated when serving the Config API requests                                                                                                                                                                                                                                                                                                                                                  |                                 |
 | SAML_AUDIENCE (npm: samlAudience) | This is just an identifier to validate the SAML audience, this value will also get configured in the SAML apps created by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML again. It is case-sensitive. This does not have to be a real URL.                                                                                                                | `https://saml.boxyhq.com`       |
 | IDP_ENABLED (npm: idpEnabled)     | Set to `true` to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times.                                                                                                                                                                                                                                                              | `false`                         |
 | DB_ENGINE (npm: db.engine)        | Supported values are `redis`, `sql`, `mongo`, `mem`.                                                                                                                                                                                                                                                                                                                                                                 | `sql`                           |

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.1.5-beta.123",
+  "version": "0.1.5-beta.136",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",
@@ -20,7 +20,8 @@
     "mongo": "cross-env DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
     "pre-loaded": "cross-env DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
     "test": "tap --timeout=100 src/**/*.test.js",
-    "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d"
+    "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
+    "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans"
   },
   "tap": {
     "coverage-map": "map.js",

package/src/controller/api.js CHANGED Viewed

@@ -7,11 +7,33 @@ const crypto = require('crypto');
 let configStore;
+const extractHostName = (url) => {
+  try {
+    const pUrl = new URL(url);
+    if(pUrl.hostname.startsWith('www.')) {
+      return pUrl.hostname.substring(4);
+    }
+    return pUrl.hostname;
+  } catch (err) {
+    return null;
+  }
+};
 const config = async (body) => {
   const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
     body;
   const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
+  // extract provider
+  let providerName = extractHostName(idpMetadata.entityID);
+  if (!providerName) {
+    providerName = extractHostName(
+      idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
+    );
+  }
+  idpMetadata.provider = providerName ? providerName : 'Unknown';
   let clientID = dbutils.keyDigest(
     dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
   );
@@ -59,9 +81,33 @@ const config = async (body) => {
   };
 };
+const getConfig = async (body) => {
+  const { clientID, clientSecret, tenant, product } = body;
+  if (clientID && clientSecret) {
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return {};
+    }
+    return { provider: samlConfig.idpMetadata.provider };
+  } else {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+    if (!samlConfigs || !samlConfigs.length) {
+      return {};
+    }
+    return { provider: samlConfigs[0].idpMetadata.provider };
+  }
+};
 module.exports = (opts) => {
   configStore = opts.configStore;
   return {
     config,
+    getConfig,
   };
 };

package/src/jackson.js CHANGED Viewed

@@ -87,6 +87,22 @@ internalApp.post(apiPath + '/config', async (req, res) => {
   }
 });
+internalApp.get(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+    res.json(await apiController.getConfig(req.body));
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {