@boxyhq/saml-jackson 0.1.5-beta.97 → 0.1.6-beta.148

package/src/controller/oauth.js

@@ -6,6 +6,7 @@ const { indexNames } = require('./utils.js');
 const dbutils = require('../db/utils.js');
 const redirect = require('./oauth/redirect.js');
 const allowed = require('./oauth/allowed.js');
+const { JacksonError } = require('../error.js');
 
 let configStore;
 let sessionStore;
@@ -15,16 +16,6 @@ let options;
 
 const relayStatePrefix = 'boxyhq_jackson_';
 
-const extractBearerToken = (req) => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
 function getEncodedClientId(client_id) {
   try {
     const sp = new URLSearchParams(client_id);
@@ -43,7 +34,7 @@ function getEncodedClientId(client_id) {
   }
 }
 
-const authorize = async (req, res) => {
+const authorize = async (body) => {
   const {
     response_type = 'code',
     client_id,
@@ -55,16 +46,17 @@ const authorize = async (req, res) => {
     code_challenge_method = '',
     // eslint-disable-next-line no-unused-vars
     provider = 'saml',
-  } = req.query;
+  } = body;
 
   if (!redirect_uri) {
-    return res.status(400).send('Please specify a redirect URL.');
+    throw new JacksonError('Please specify a redirect URL.', 400);
   }
 
   if (!state) {
-    return res
-      .status(400)
-      .send('Please specify a state to safeguard against XSRF attacks.');
+    throw new JacksonError(
+      'Please specify a state to safeguard against XSRF attacks.',
+      400
+    );
   }
 
   let samlConfig;
@@ -84,7 +76,7 @@ const authorize = async (req, res) => {
       });
 
       if (!samlConfigs || samlConfigs.length === 0) {
-        return res.status(403).send('SAML configuration not found.');
+        throw new JacksonError('SAML configuration not found.', 403);
       }
 
       // TODO: Support multiple matches
@@ -99,7 +91,7 @@ const authorize = async (req, res) => {
     });
 
     if (!samlConfigs || samlConfigs.length === 0) {
-      return res.status(403).send('SAML configuration not found.');
+      throw new JacksonError('SAML configuration not found.', 403);
     }
 
     // TODO: Support multiple matches
@@ -107,15 +99,15 @@ const authorize = async (req, res) => {
   }
 
   if (!samlConfig) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   const samlReq = saml.request({
-    entityID: samlConfig.idpMetadata.entityID,
+    entityID: options.samlAudience,
     callbackUrl: options.externalUrl + options.samlPath,
     signingKey: samlConfig.certs.privateKey,
   });
@@ -131,24 +123,26 @@ const authorize = async (req, res) => {
     code_challenge_method,
   });
 
-  return redirect.success(res, samlConfig.idpMetadata.sso.redirectUrl, {
+  const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
     RelayState: relayStatePrefix + sessionId,
     SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
   });
+
+  return { redirect_url: redirectUrl };
 };
 
-const samlResponse = async (req, res) => {
-  const { SAMLResponse } = req.body; // RelayState will contain the sessionId from earlier quasi-oauth flow
+const samlResponse = async (body) => {
+  const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
 
-  let RelayState = req.body.RelayState || '';
+  let RelayState = body.RelayState || '';
 
   if (!options.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
     // IDP is disabled so block the request
-    return res
-      .status(403)
-      .send(
-        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.'
-      );
+
+    throw new JacksonError(
+      'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+      403
+    );
   }
 
   if (!RelayState.startsWith(relayStatePrefix)) {
@@ -167,7 +161,7 @@ const samlResponse = async (req, res) => {
   });
 
   if (!samlConfigs || samlConfigs.length === 0) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   // TODO: Support multiple matches
@@ -178,10 +172,9 @@ const samlResponse = async (req, res) => {
   if (RelayState !== '') {
     session = await sessionStore.get(RelayState);
     if (!session) {
-      return redirect.error(
-        res,
-        samlConfig.defaultRedirectUrl,
-        'Unable to validate state from the origin request.'
+      throw new JacksonError(
+        'Unable to validate state from the origin request.',
+        403
       );
     }
   }
@@ -217,7 +210,7 @@ const samlResponse = async (req, res) => {
     session.redirect_uri &&
     !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
   ) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   let params = {
@@ -228,33 +221,34 @@ const samlResponse = async (req, res) => {
     params.state = session.state;
   }
 
-  return redirect.success(
-    res,
+  const redirectUrl = redirect.success(
     (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
     params
   );
+
+  return { redirect_url: redirectUrl };
 };
 
-const token = async (req, res) => {
+const token = async (body) => {
   const {
     client_id,
     client_secret,
     code_verifier,
     code,
     grant_type = 'authorization_code',
-  } = req.body;
+  } = body;
 
   if (grant_type !== 'authorization_code') {
-    return res.status(400).send('Unsupported grant_type');
+    throw new JacksonError('Unsupported grant_type', 400);
   }
 
   if (!code) {
-    return res.status(400).send('Please specify code');
+    throw new JacksonError('Please specify code', 400);
   }
 
   const codeVal = await codeStore.get(code);
   if (!codeVal || !codeVal.profile) {
-    return res.status(403).send('Invalid code');
+    throw new JacksonError('Invalid code', 403);
   }
 
   if (client_id && client_secret) {
@@ -266,7 +260,7 @@ const token = async (req, res) => {
         client_id !== codeVal.clientID ||
         client_secret !== codeVal.clientSecret
       ) {
-        return res.status(401).send('Invalid client_id or client_secret');
+        throw new JacksonError('Invalid client_id or client_secret', 401);
       }
     }
   } else if (code_verifier) {
@@ -277,12 +271,13 @@ const token = async (req, res) => {
     }
 
     if (codeVal.session.code_challenge !== cv) {
-      return res.status(401).send('Invalid code_verifier');
+      throw new JacksonError('Invalid code_verifier', 401);
     }
   } else if (codeVal && codeVal.session) {
-    return res
-      .status(401)
-      .send('Please specify client_secret or code_verifier');
+    throw new JacksonError(
+      'Please specify client_secret or code_verifier',
+      401
+    );
   }
 
   // store details against a token
@@ -290,24 +285,17 @@ const token = async (req, res) => {
 
   await tokenStore.put(token, codeVal.profile);
 
-  res.json({
+  return {
     access_token: token,
     token_type: 'bearer',
     expires_in: options.db.ttl,
-  });
+  };
 };
 
-const userInfo = async (req, res) => {
-  let token = extractBearerToken(req);
-
-  // check for query param
-  if (!token) {
-    token = req.query.access_token;
-  }
-
-  const profile = await tokenStore.get(token);
+const userInfo = async (token) => {
+  const { claims } = await tokenStore.get(token);
 
-  res.json(profile.claims);
+  return claims;
 };
 
 module.exports = (opts) => {

package/src/controller/utils.js

@@ -3,6 +3,17 @@ const indexNames = {
   tenantProduct: 'tenantProduct',
 };
 
+const extractAuthToken = (req) => {
+  const authHeader = req.get('authorization');
+  const parts = (authHeader || '').split(' ');
+  if (parts.length > 1) {
+    return parts[1];
+  }
+
+  return null;
+};
+
 module.exports = {
   indexNames,
+  extractAuthToken,
 };

package/src/db/db.test.js

@@ -224,7 +224,7 @@ t.test('dbs', ({ end }) => {
       }
 
       await new Promise((resolve) =>
-        setTimeout(resolve, ((dbEngine === 'mem' ? 5 : 0) + ttl + 0.5) * 1000)
+        setTimeout(resolve, (2*ttl + 0.5) * 1000)
       );
 
       const ret1 = await ttlStore.get(record1.id);

package/src/db/sql/entity/JacksonStore.js

@@ -27,10 +27,6 @@ module.exports = (type) => {
       value: {
         type: valueType(type),
       },
-      expiresAt: {
-        type: 'bigint',
-        nullable: true,
-      },
     },
   });
 };

package/src/db/sql/entity/JacksonTTL.js

@@ -0,0 +1,23 @@
+const EntitySchema = require('typeorm').EntitySchema;
+const JacksonTTL = require('../model/JacksonTTL.js');
+
+module.exports = new EntitySchema({
+  name: 'JacksonTTL',
+  target: JacksonTTL,
+  columns: {
+    key: {
+      primary: true,
+      type: 'varchar',
+      length: 1500,
+    },
+    expiresAt: {
+      type: 'bigint',
+    },
+  },
+  indices: [
+    {
+      name: '_jackson_ttl_expires_at',
+      columns: ['expiresAt'],
+    },
+  ],
+});

package/src/db/sql/model/JacksonStore.js

@@ -1,8 +1,7 @@
 /*export */ class JacksonStore {
-  constructor(key, value, expiresAt) {
+  constructor(key, value) {
     this.key = key;
     this.value = value;
-    this.expiresAt = expiresAt;
   }
 }
 

package/src/db/sql/model/JacksonTTL.js

@@ -0,0 +1,8 @@
+/*export */ class JacksonTTL {
+  constructor(key, expiresAt) {
+    this.key = key;
+    this.expiresAt = expiresAt;
+  }
+}
+
+module.exports = JacksonTTL;

package/src/db/sql/sql.js

@@ -2,6 +2,7 @@ require('reflect-metadata');
 const typeorm = require('typeorm');
 const JacksonStore = require('./model/JacksonStore.js');
 const JacksonIndex = require('./model/JacksonIndex.js');
+const JacksonTTL = require('./model/JacksonTTL.js');
 
 const dbutils = require('../utils.js');
 
@@ -20,6 +21,7 @@ class Sql {
             entities: [
               require('./entity/JacksonStore.js')(options.type),
               require('./entity/JacksonIndex.js'),
+              require('./entity/JacksonTTL.js'),
             ],
           });
 
@@ -33,22 +35,29 @@ class Sql {
 
       this.storeRepository = this.connection.getRepository(JacksonStore);
       this.indexRepository = this.connection.getRepository(JacksonIndex);
+      this.ttlRepository = this.connection.getRepository(JacksonTTL);
 
       if (options.ttl && options.limit) {
         this.ttlCleanup = async () => {
           const now = Date.now();
 
           while (true) {
-            const ids = await this.storeRepository.find({
-              expiresAt: typeorm.MoreThan(now),
-              take: options.limit,
-            });
+            const ids = await this.ttlRepository
+              .createQueryBuilder('jackson_ttl')
+              .limit(options.limit)
+              .where('jackson_ttl.expiresAt <= :expiresAt', { expiresAt: now })
+              .getMany();
 
             if (ids.length <= 0) {
               break;
             }
 
+            const delIds = ids.map((id) => {
+              return id.key;
+            });
+
             await this.storeRepository.remove(ids);
+            await this.ttlRepository.delete(delIds);
           }
 
           this.timerId = setTimeout(this.ttlCleanup, options.ttl * 1000);
@@ -99,13 +108,15 @@ class Sql {
 
   async put(namespace, key, val, ttl = 0, ...indexes) {
     await this.connection.transaction(async (transactionalEntityManager) => {
-      const store = new JacksonStore(
-        dbutils.key(namespace, key),
-        JSON.stringify(val),
-        ttl > 0 ? Date.now() + ttl * 1000 : null
-      );
+      const dbKey = dbutils.key(namespace, key);
+      const store = new JacksonStore(dbKey, JSON.stringify(val));
       await transactionalEntityManager.save(store);
 
+      if (ttl) {
+        const ttlRec = new JacksonTTL(dbKey, Date.now() + ttl * 1000);
+        await transactionalEntityManager.save(ttlRec);
+      }
+
       // no ttl support for secondary indexes
       for (const idx of indexes || []) {
         const key = dbutils.keyForIndex(namespace, idx);

package/src/env.js

@@ -7,6 +7,8 @@ const samlPath = process.env.SAML_PATH || '/oauth/saml';
 const internalHostUrl = process.env.INTERNAL_HOST_URL || 'localhost';
 const internalHostPort = (process.env.INTERNAL_HOST_PORT || '6000') * 1;
 
+const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
+
 const samlAudience = process.env.SAML_AUDIENCE;
 const preLoadedConfig = process.env.PRE_LOADED_CONFIG;
 
@@ -27,6 +29,7 @@ module.exports = {
   preLoadedConfig,
   internalHostUrl,
   internalHostPort,
+  apiKeys,
   idpEnabled,
   db,
   useInternalServer: !(

package/src/error.js

@@ -0,0 +1,12 @@
+class JacksonError extends Error {
+  constructor(message, statusCode = 500) {
+    super(message);
+
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+module.exports = { JacksonError };

package/src/index.js

@@ -19,7 +19,7 @@ const defaultOpts = (opts) => {
   newOpts.db = newOpts.db || {};
   newOpts.db.engine = newOpts.db.engine || 'sql'; // Supported values: redis, sql, mongo, mem. Keep comment in sync with db.js
   newOpts.db.url =
-    newOpts.db.url || 'postgres://postgres:postgres@localhost:5432/jackson';
+    newOpts.db.url || 'postgresql://postgres:postgres@localhost:5432/postgres';
   newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql. Supported values: postgres, cockroachdb, mysql, mariadb
   newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
   newOpts.db.limit = (newOpts.db.limit || 1000) * 1; // Limit ttl cleanup to this many items at a time
@@ -56,7 +56,7 @@ module.exports = async function (opts) {
     }
   }
 
-  const type = opts.db.type ? ' Type: ' + opts.db.type : '';
+  const type = opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
   console.log(`Using engine: ${opts.db.engine}.${type}`);
 
   return {

package/src/jackson.js

@@ -2,6 +2,7 @@ const express = require('express');
 const cors = require('cors');
 
 const env = require('./env.js');
+const { extractAuthToken } = require('./controller/utils.js');
 
 let apiController;
 let oauthController;
@@ -16,33 +17,60 @@ app.use(express.urlencoded({ extended: true }));
 
 app.get(oauthPath + '/authorize', async (req, res) => {
   try {
-    await oauthController.authorize(req, res);
+    const { redirect_url } = await oauthController.authorize(req.query);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(env.samlPath, async (req, res) => {
   try {
-    await oauthController.samlResponse(req, res);
+    const { redirect_url } = await oauthController.samlResponse(req.body);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(oauthPath + '/token', cors(), async (req, res) => {
   try {
-    await oauthController.token(req, res);
+    const result = await oauthController.token(req.body);
+
+    res.send(result);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
-app.get(oauthPath + '/userinfo', cors(), async (req, res) => {
+app.get(oauthPath + '/userinfo', async (req, res) => {
   try {
-    await oauthController.userInfo(req, res);
+    let token = extractAuthToken(req);
+
+    // check for query param
+    if (!token) {
+      token = req.query.access_token;
+    }
+
+    if (!token) {
+      res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    const profile = await oauthController.userInfo(token);
+
+    res.json(profile);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).json({ message });
   }
 });
 
@@ -66,8 +94,18 @@ if (env.useInternalServer) {
   internalApp.use(express.urlencoded({ extended: true }));
 }
 
+const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
+
 internalApp.post(apiPath + '/config', async (req, res) => {
   try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
     res.json(await apiController.config(req.body));
   } catch (err) {
     res.status(500).json({
@@ -76,6 +114,22 @@ internalApp.post(apiPath + '/config', async (req, res) => {
   }
 });
 
+internalApp.post(apiPath + '/config/get', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
+    res.json(await apiController.getConfig(req.body));
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
+
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {

package/src/saml/claims.js

@@ -0,0 +1,40 @@
+const mapping = [
+  {
+    attribute: 'id',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+  },
+  {
+    attribute: 'email',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+  },
+  {
+    attribute: 'firstName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+  },
+  {
+    attribute: 'lastName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+  },
+];
+
+const map = (claims) => {
+  const profile = {
+    raw: claims,
+  };
+
+  mapping.forEach((m) => {
+    if (claims[m.attribute]) {
+      profile[m.attribute] = claims[m.attribute];
+    } else if (claims[m.schema]) {
+      profile[m.attribute] = claims[m.schema];
+    }
+  });
+
+  return profile;
+};
+
+module.exports = {
+  map,
+};