@boxyhq/saml-jackson 0.1.5 → 0.2.0-beta.149

package/src/controller/api.js

@@ -7,11 +7,33 @@ const crypto = require('crypto');
 
 let configStore;
 
+const extractHostName = (url) => {
+  try {
+    const pUrl = new URL(url);
+    if(pUrl.hostname.startsWith('www.')) {
+      return pUrl.hostname.substring(4);
+    }
+    return pUrl.hostname;
+  } catch (err) {
+    return null;
+  }
+};
+
 const config = async (body) => {
   const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
     body;
   const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
 
+  // extract provider
+  let providerName = extractHostName(idpMetadata.entityID);
+  if (!providerName) {
+    providerName = extractHostName(
+      idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
+    );
+  }
+
+  idpMetadata.provider = providerName ? providerName : 'Unknown';
+
   let clientID = dbutils.keyDigest(
     dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
   );
@@ -56,12 +78,37 @@ const config = async (body) => {
   return {
     client_id: clientID,
     client_secret: clientSecret,
+    provider: idpMetadata.provider,
   };
 };
 
+const getConfig = async (body) => {
+  const { clientID, tenant, product } = body;
+
+  if (clientID) {
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return {};
+    }
+
+    return { provider: samlConfig.idpMetadata.provider };
+  } else {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+    if (!samlConfigs || !samlConfigs.length) {
+      return {};
+    }
+
+    return { provider: samlConfigs[0].idpMetadata.provider };
+  }
+};
+
 module.exports = (opts) => {
   configStore = opts.configStore;
   return {
     config,
+    getConfig,
   };
 };

package/src/controller/error.js

@@ -0,0 +1,12 @@
+class JacksonError extends Error {
+  constructor(message, statusCode = 500) {
+    super(message);
+
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+module.exports = { JacksonError };

package/src/controller/oauth/redirect.js

@@ -6,12 +6,13 @@ module.exports = {
     res.redirect(url);
   },
 
-  success: (res, redirectUrl, params) => {
-    var url = new URL(redirectUrl);
+  success: (redirectUrl, params) => {
+    const url = new URL(redirectUrl);
+
     for (const [key, value] of Object.entries(params)) {
       url.searchParams.set(key, value);
     }
 
-    res.redirect(url);
+    return url.href;
   },
 };

package/src/controller/oauth.js

@@ -6,6 +6,7 @@ const { indexNames } = require('./utils.js');
 const dbutils = require('../db/utils.js');
 const redirect = require('./oauth/redirect.js');
 const allowed = require('./oauth/allowed.js');
+const { JacksonError } = require('./error.js');
 
 let configStore;
 let sessionStore;
@@ -15,16 +16,6 @@ let options;
 
 const relayStatePrefix = 'boxyhq_jackson_';
 
-const extractBearerToken = (req) => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
 function getEncodedClientId(client_id) {
   try {
     const sp = new URLSearchParams(client_id);
@@ -43,7 +34,7 @@ function getEncodedClientId(client_id) {
   }
 }
 
-const authorize = async (req, res) => {
+const authorize = async (body) => {
   const {
     response_type = 'code',
     client_id,
@@ -55,16 +46,17 @@ const authorize = async (req, res) => {
     code_challenge_method = '',
     // eslint-disable-next-line no-unused-vars
     provider = 'saml',
-  } = req.query;
+  } = body;
 
   if (!redirect_uri) {
-    return res.status(400).send('Please specify a redirect URL.');
+    throw new JacksonError('Please specify a redirect URL.', 400);
   }
 
   if (!state) {
-    return res
-      .status(400)
-      .send('Please specify a state to safeguard against XSRF attacks.');
+    throw new JacksonError(
+      'Please specify a state to safeguard against XSRF attacks.',
+      400
+    );
   }
 
   let samlConfig;
@@ -84,7 +76,7 @@ const authorize = async (req, res) => {
       });
 
       if (!samlConfigs || samlConfigs.length === 0) {
-        return res.status(403).send('SAML configuration not found.');
+        throw new JacksonError('SAML configuration not found.', 403);
       }
 
       // TODO: Support multiple matches
@@ -99,7 +91,7 @@ const authorize = async (req, res) => {
     });
 
     if (!samlConfigs || samlConfigs.length === 0) {
-      return res.status(403).send('SAML configuration not found.');
+      throw new JacksonError('SAML configuration not found.', 403);
     }
 
     // TODO: Support multiple matches
@@ -107,15 +99,15 @@ const authorize = async (req, res) => {
   }
 
   if (!samlConfig) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   const samlReq = saml.request({
-    entityID: samlConfig.idpMetadata.entityID,
+    entityID: options.samlAudience,
     callbackUrl: options.externalUrl + options.samlPath,
     signingKey: samlConfig.certs.privateKey,
   });
@@ -131,24 +123,26 @@ const authorize = async (req, res) => {
     code_challenge_method,
   });
 
-  return redirect.success(res, samlConfig.idpMetadata.sso.redirectUrl, {
+  const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
     RelayState: relayStatePrefix + sessionId,
     SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
   });
+
+  return { redirect_url: redirectUrl };
 };
 
-const samlResponse = async (req, res) => {
-  const { SAMLResponse } = req.body; // RelayState will contain the sessionId from earlier quasi-oauth flow
+const samlResponse = async (body) => {
+  const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
 
-  let RelayState = req.body.RelayState || '';
+  let RelayState = body.RelayState || '';
 
   if (!options.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
     // IDP is disabled so block the request
-    return res
-      .status(403)
-      .send(
-        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.'
-      );
+
+    throw new JacksonError(
+      'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+      403
+    );
   }
 
   if (!RelayState.startsWith(relayStatePrefix)) {
@@ -167,7 +161,7 @@ const samlResponse = async (req, res) => {
   });
 
   if (!samlConfigs || samlConfigs.length === 0) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   // TODO: Support multiple matches
@@ -178,10 +172,9 @@ const samlResponse = async (req, res) => {
   if (RelayState !== '') {
     session = await sessionStore.get(RelayState);
     if (!session) {
-      return redirect.error(
-        res,
-        samlConfig.defaultRedirectUrl,
-        'Unable to validate state from the origin request.'
+      throw new JacksonError(
+        'Unable to validate state from the origin request.',
+        403
       );
     }
   }
@@ -217,7 +210,7 @@ const samlResponse = async (req, res) => {
     session.redirect_uri &&
     !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
   ) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   let params = {
@@ -228,33 +221,34 @@ const samlResponse = async (req, res) => {
     params.state = session.state;
   }
 
-  return redirect.success(
-    res,
+  const redirectUrl = redirect.success(
     (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
     params
   );
+
+  return { redirect_url: redirectUrl };
 };
 
-const token = async (req, res) => {
+const token = async (body) => {
   const {
     client_id,
     client_secret,
     code_verifier,
     code,
     grant_type = 'authorization_code',
-  } = req.body;
+  } = body;
 
   if (grant_type !== 'authorization_code') {
-    return res.status(400).send('Unsupported grant_type');
+    throw new JacksonError('Unsupported grant_type', 400);
   }
 
   if (!code) {
-    return res.status(400).send('Please specify code');
+    throw new JacksonError('Please specify code', 400);
   }
 
   const codeVal = await codeStore.get(code);
   if (!codeVal || !codeVal.profile) {
-    return res.status(403).send('Invalid code');
+    throw new JacksonError('Invalid code', 403);
   }
 
   if (client_id && client_secret) {
@@ -266,7 +260,7 @@ const token = async (req, res) => {
         client_id !== codeVal.clientID ||
         client_secret !== codeVal.clientSecret
       ) {
-        return res.status(401).send('Invalid client_id or client_secret');
+        throw new JacksonError('Invalid client_id or client_secret', 401);
       }
     }
   } else if (code_verifier) {
@@ -277,12 +271,13 @@ const token = async (req, res) => {
     }
 
     if (codeVal.session.code_challenge !== cv) {
-      return res.status(401).send('Invalid code_verifier');
+      throw new JacksonError('Invalid code_verifier', 401);
     }
   } else if (codeVal && codeVal.session) {
-    return res
-      .status(401)
-      .send('Please specify client_secret or code_verifier');
+    throw new JacksonError(
+      'Please specify client_secret or code_verifier',
+      401
+    );
   }
 
   // store details against a token
@@ -290,24 +285,17 @@ const token = async (req, res) => {
 
   await tokenStore.put(token, codeVal.profile);
 
-  res.json({
+  return {
     access_token: token,
     token_type: 'bearer',
     expires_in: options.db.ttl,
-  });
+  };
 };
 
-const userInfo = async (req, res) => {
-  let token = extractBearerToken(req);
-
-  // check for query param
-  if (!token) {
-    token = req.query.access_token;
-  }
-
-  const profile = await tokenStore.get(token);
+const userInfo = async (token) => {
+  const { claims } = await tokenStore.get(token);
 
-  res.json(profile.claims);
+  return claims;
 };
 
 module.exports = (opts) => {

package/src/controller/utils.js

@@ -3,6 +3,17 @@ const indexNames = {
   tenantProduct: 'tenantProduct',
 };
 
+const extractAuthToken = (req) => {
+  const authHeader = req.get('authorization');
+  const parts = (authHeader || '').split(' ');
+  if (parts.length > 1) {
+    return parts[1];
+  }
+
+  return null;
+};
+
 module.exports = {
   indexNames,
+  extractAuthToken,
 };

package/src/db/db.test.js

@@ -224,7 +224,7 @@ t.test('dbs', ({ end }) => {
       }
 
       await new Promise((resolve) =>
-        setTimeout(resolve, ((dbEngine === 'mem' ? 5 : 0) + ttl + 0.5) * 1000)
+        setTimeout(resolve, (2*ttl + 0.5) * 1000)
       );
 
       const ret1 = await ttlStore.get(record1.id);

package/src/db/sql/entity/JacksonIndex.js

@@ -13,9 +13,11 @@ module.exports = new EntitySchema({
     },
     key: {
       type: 'varchar',
+      length: 1500,
     },
     storeKey: {
       type: 'varchar',
+      length: 1500,
     }
   },
   relations: {

package/src/db/sql/entity/JacksonStore.js

@@ -1,20 +1,32 @@
 const EntitySchema = require('typeorm').EntitySchema;
 const JacksonStore = require('../model/JacksonStore.js');
 
-module.exports = new EntitySchema({
-  name: 'JacksonStore',
-  target: JacksonStore,
-  columns: {
-    key: {
-      primary: true,
-      type: 'varchar',
-    },
-    value: {
-      type: 'varchar',
+const valueType = (type) => {
+  switch (type) {
+    case 'postgres':
+    case 'cockroachdb':
+      return 'text';
+    case 'mysql':
+    case 'mariadb':
+      return 'mediumtext';
+    default:
+      return 'varchar';
+  }
+};
+
+module.exports = (type) => {
+  return new EntitySchema({
+    name: 'JacksonStore',
+    target: JacksonStore,
+    columns: {
+      key: {
+        primary: true,
+        type: 'varchar',
+        length: 1500,
+      },
+      value: {
+        type: valueType(type),
+      },
     },
-    expiresAt: {
-      type: 'bigint',
-      nullable: true,
-    }
-  },
-});
+  });
+};

package/src/db/sql/entity/JacksonTTL.js

@@ -0,0 +1,23 @@
+const EntitySchema = require('typeorm').EntitySchema;
+const JacksonTTL = require('../model/JacksonTTL.js');
+
+module.exports = new EntitySchema({
+  name: 'JacksonTTL',
+  target: JacksonTTL,
+  columns: {
+    key: {
+      primary: true,
+      type: 'varchar',
+      length: 1500,
+    },
+    expiresAt: {
+      type: 'bigint',
+    },
+  },
+  indices: [
+    {
+      name: '_jackson_ttl_expires_at',
+      columns: ['expiresAt'],
+    },
+  ],
+});

package/src/db/sql/model/JacksonStore.js

@@ -1,8 +1,7 @@
 /*export */ class JacksonStore {
-  constructor(key, value, expiresAt) {
+  constructor(key, value) {
     this.key = key;
     this.value = value;
-    this.expiresAt = expiresAt;
   }
 }
 

package/src/db/sql/model/JacksonTTL.js

@@ -0,0 +1,8 @@
+/*export */ class JacksonTTL {
+  constructor(key, expiresAt) {
+    this.key = key;
+    this.expiresAt = expiresAt;
+  }
+}
+
+module.exports = JacksonTTL;

package/src/db/sql/sql.js

@@ -2,42 +2,62 @@ require('reflect-metadata');
 const typeorm = require('typeorm');
 const JacksonStore = require('./model/JacksonStore.js');
 const JacksonIndex = require('./model/JacksonIndex.js');
+const JacksonTTL = require('./model/JacksonTTL.js');
 
 const dbutils = require('../utils.js');
 
 class Sql {
   constructor(options) {
     return (async () => {
-      this.connection = await typeorm.createConnection({
-        name: options.type,
-        type: options.type,
-        url: options.url,
-        synchronize: true,
-        logging: false,
-        entities: [
-          require('./entity/JacksonStore.js'),
-          require('./entity/JacksonIndex.js'),
-        ],
-      });
+      while (true) {
+        try {
+          this.connection = await typeorm.createConnection({
+            name: options.type,
+            type: options.type,
+            url: options.url,
+            synchronize: true,
+            migrationsTableName: '_jackson_migrations',
+            logging: false,
+            entities: [
+              require('./entity/JacksonStore.js')(options.type),
+              require('./entity/JacksonIndex.js'),
+              require('./entity/JacksonTTL.js'),
+            ],
+          });
+
+          break;
+        } catch (err) {
+          console.error(`error connecting to ${options.type} db: ${err}`);
+          await dbutils.sleep(1000);
+          continue;
+        }
+      }
 
       this.storeRepository = this.connection.getRepository(JacksonStore);
       this.indexRepository = this.connection.getRepository(JacksonIndex);
+      this.ttlRepository = this.connection.getRepository(JacksonTTL);
 
       if (options.ttl && options.limit) {
         this.ttlCleanup = async () => {
           const now = Date.now();
 
           while (true) {
-            const ids = await this.storeRepository.find({
-              expiresAt: typeorm.MoreThan(now),
-              take: options.limit,
-            });
+            const ids = await this.ttlRepository
+              .createQueryBuilder('jackson_ttl')
+              .limit(options.limit)
+              .where('jackson_ttl.expiresAt <= :expiresAt', { expiresAt: now })
+              .getMany();
 
             if (ids.length <= 0) {
               break;
             }
 
+            const delIds = ids.map((id) => {
+              return id.key;
+            });
+
             await this.storeRepository.remove(ids);
+            await this.ttlRepository.delete(delIds);
           }
 
           this.timerId = setTimeout(this.ttlCleanup, options.ttl * 1000);
@@ -45,7 +65,9 @@ class Sql {
 
         this.timerId = setTimeout(this.ttlCleanup, options.ttl * 1000);
       } else {
-        console.log('Warning: ttl cleanup not enabled, set both "ttl" and "limit" options to enable it!')
+        console.log(
+          'Warning: ttl cleanup not enabled, set both "ttl" and "limit" options to enable it!'
+        );
       }
 
       return this;
@@ -86,13 +108,15 @@ class Sql {
 
   async put(namespace, key, val, ttl = 0, ...indexes) {
     await this.connection.transaction(async (transactionalEntityManager) => {
-      const store = new JacksonStore(
-        dbutils.key(namespace, key),
-        JSON.stringify(val),
-        ttl > 0 ? Date.now() + ttl * 1000 : null
-      );
+      const dbKey = dbutils.key(namespace, key);
+      const store = new JacksonStore(dbKey, JSON.stringify(val));
       await transactionalEntityManager.save(store);
 
+      if (ttl) {
+        const ttlRec = new JacksonTTL(dbKey, Date.now() + ttl * 1000);
+        await transactionalEntityManager.save(ttlRec);
+      }
+
       // no ttl support for secondary indexes
       for (const idx of indexes || []) {
         const key = dbutils.keyForIndex(namespace, idx);

package/src/db/utils.js

@@ -16,14 +16,15 @@ const keyFromParts = (...parts) => {
   return parts.join(':'); // TODO: pick a better strategy, keys can collide now
 };
 
+const sleep = (ms) => {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+};
+
 module.exports = {
   key,
-
   keyForIndex,
-
   keyDigest,
-
   keyFromParts,
-
+  sleep,
   indexPrefix: '_index',
 };

package/src/env.js

@@ -7,6 +7,8 @@ const samlPath = process.env.SAML_PATH || '/oauth/saml';
 const internalHostUrl = process.env.INTERNAL_HOST_URL || 'localhost';
 const internalHostPort = (process.env.INTERNAL_HOST_PORT || '6000') * 1;
 
+const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
+
 const samlAudience = process.env.SAML_AUDIENCE;
 const preLoadedConfig = process.env.PRE_LOADED_CONFIG;
 
@@ -27,6 +29,7 @@ module.exports = {
   preLoadedConfig,
   internalHostUrl,
   internalHostPort,
+  apiKeys,
   idpEnabled,
   db,
   useInternalServer: !(

package/src/index.js

@@ -19,7 +19,7 @@ const defaultOpts = (opts) => {
   newOpts.db = newOpts.db || {};
   newOpts.db.engine = newOpts.db.engine || 'sql'; // Supported values: redis, sql, mongo, mem. Keep comment in sync with db.js
   newOpts.db.url =
-    newOpts.db.url || 'postgres://postgres:postgres@localhost:5432/jackson';
+    newOpts.db.url || 'postgresql://postgres:postgres@localhost:5432/postgres';
   newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql. Supported values: postgres, cockroachdb, mysql, mariadb
   newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
   newOpts.db.limit = (newOpts.db.limit || 1000) * 1; // Limit ttl cleanup to this many items at a time
@@ -56,7 +56,8 @@ module.exports = async function (opts) {
     }
   }
 
-  console.log(`Using engine: ${opts.db.engine}`);
+  const type = opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
+  console.log(`Using engine: ${opts.db.engine}.${type}`);
 
   return {
     apiController,