@boxyhq/saml-jackson 0.2.0 → 0.2.1-beta.156

package/README.md

@@ -236,6 +236,8 @@ https://localhost:5000/oauth/authorize
 
 - response_type=code: This is the only supported type for now but maybe extended in the future
 - client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
+- tenant: Optionally you can provide a dummy `client_id` and specify the `tenant` and `product` custom attributes (if your OAuth 2.0 library allows it).
+- product: Should be specified if specifying `tenant` above
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete
 - state: Use a randomly generated string as the state, this will be echoed back as a query parameter when taking the user back to the `redirect_uri` above. You should validate the state to prevent XSRF attacks
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.0",
+  "version": "0.2.1-beta.156",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",
@@ -17,9 +17,9 @@
   "scripts": {
     "start": "cross-env IDP_ENABLED=true node src/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon src/jackson.js",
-    "mongo": "cross-env DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
-    "pre-loaded": "cross-env DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
-    "pre-loaded-db": "cross-env PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
+    "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
+    "pre-loaded": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
+    "pre-loaded-db": "cross-env JACKSON_API_KEYS=secret PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
     "test": "tap --timeout=100 src/**/*.test.js",
     "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
     "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans"
@@ -64,4 +64,4 @@
     "*.js": "eslint --cache --fix",
     "*.{js,css,md}": "prettier --write"
   }
-}
+}

package/src/controller/api.js

@@ -10,7 +10,7 @@ let configStore;
 const extractHostName = (url) => {
   try {
     const pUrl = new URL(url);
-    if(pUrl.hostname.startsWith('www.')) {
+    if (pUrl.hostname.startsWith('www.')) {
       return pUrl.hostname.substring(4);
     }
     return pUrl.hostname;
@@ -56,7 +56,7 @@ const config = async (body) => {
     {
       idpMetadata,
       defaultRedirectUrl,
-      redirectUrl: JSON.parse(redirectUrl),
+      redirectUrl: JSON.parse(redirectUrl), // redirectUrl is a stringified array
       tenant,
       product,
       clientID,

package/src/controller/oauth.js

@@ -61,7 +61,19 @@ const authorize = async (body) => {
 
   let samlConfig;
 
-  if (
+  if (tenant && product) {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+
+    if (!samlConfigs || samlConfigs.length === 0) {
+      throw new JacksonError('SAML configuration not found.', 403);
+    }
+
+    // TODO: Support multiple matches
+    samlConfig = samlConfigs[0];
+  } else if (
     client_id &&
     client_id !== '' &&
     client_id !== 'undefined' &&
@@ -85,17 +97,10 @@ const authorize = async (body) => {
       samlConfig = await configStore.get(client_id);
     }
   } else {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-
-    if (!samlConfigs || samlConfigs.length === 0) {
-      throw new JacksonError('SAML configuration not found.', 403);
-    }
-
-    // TODO: Support multiple matches
-    samlConfig = samlConfigs[0];
+    throw new JacksonError(
+      'You need to specify client_id or tenant & product',
+      403
+    );
   }
 
   if (!samlConfig) {
@@ -253,14 +258,16 @@ const token = async (body) => {
 
   if (client_id && client_secret) {
     // check if we have an encoded client_id
-    const sp = getEncodedClientId(client_id);
-    if (!sp) {
-      // OAuth flow
-      if (
-        client_id !== codeVal.clientID ||
-        client_secret !== codeVal.clientSecret
-      ) {
-        throw new JacksonError('Invalid client_id or client_secret', 401);
+    if (client_id !== 'dummy' && client_secret !== 'dummy') {
+      const sp = getEncodedClientId(client_id);
+      if (!sp) {
+        // OAuth flow
+        if (
+          client_id !== codeVal.clientID ||
+          client_secret !== codeVal.clientSecret
+        ) {
+          throw new JacksonError('Invalid client_id or client_secret', 401);
+        }
       }
     }
   } else if (code_verifier) {

package/src/db/db.js

@@ -3,18 +3,39 @@ const mongo = require('./mongo.js');
 const redis = require('./redis.js');
 const sql = require('./sql/sql.js');
 const store = require('./store.js');
+const encrypter = require('./encrypter.js');
+
+const decrypt = (res, encryptionKey) => {
+  if (res.iv && res.tag) {
+    return JSON.parse(
+      encrypter.decrypt(res.value, res.iv, res.tag, encryptionKey)
+    );
+  }
+
+  return JSON.parse(res.value);
+};
 
 class DB {
-  constructor(db) {
+  constructor(db, encryptionKey) {
     this.db = db;
+    this.encryptionKey = encryptionKey;
   }
 
   async get(namespace, key) {
-    return await this.db.get(namespace, key);
+    const res = await this.db.get(namespace, key);
+    if (!res) {
+      return null;
+    }
+
+    return decrypt(res, this.encryptionKey);
   }
 
   async getByIndex(namespace, idx) {
-    return await this.db.getByIndex(namespace, idx);
+    const res = await this.db.getByIndex(namespace, idx);
+    const encryptionKey = this.encryptionKey;
+    return res.map((r) => {
+      return decrypt(r, encryptionKey);
+    });
   }
 
   // ttl is in seconds
@@ -23,7 +44,11 @@ class DB {
       throw new Error('secondary indexes not allow on a store with ttl');
     }
 
-    return await this.db.put(namespace, key, val, ttl, ...indexes);
+    const dbVal = this.encryptionKey
+      ? encrypter.encrypt(JSON.stringify(val), this.encryptionKey)
+      : { value: JSON.stringify(val) };
+
+    return await this.db.put(namespace, key, dbVal, ttl, ...indexes);
   }
 
   async delete(namespace, key) {
@@ -37,15 +62,18 @@ class DB {
 
 module.exports = {
   new: async (options) => {
+    const encryptionKey = options.encryptionKey
+      ? Buffer.from(options.encryptionKey, 'latin1')
+      : null;
     switch (options.engine) {
       case 'redis':
-        return new DB(await redis.new(options));
+        return new DB(await redis.new(options), encryptionKey);
       case 'sql':
-        return new DB(await sql.new(options));
+        return new DB(await sql.new(options), encryptionKey);
       case 'mongo':
-        return new DB(await mongo.new(options));
+        return new DB(await mongo.new(options), encryptionKey);
       case 'mem':
-        return new DB(await mem.new(options));
+        return new DB(await mem.new(options), encryptionKey);
       default:
         throw new Error('unsupported db engine: ' + options.engine);
     }

package/src/db/db.test.js

@@ -2,6 +2,8 @@ const t = require('tap');
 
 const DB = require('./db.js');
 
+const encryptionKey = '3yGrTcnKPBqqHoH3zZMAU6nt4bmIYb2q';
+
 let configStores = [];
 let ttlStores = [];
 const ttl = 3;
@@ -17,39 +19,87 @@ const record2 = {
   city: 'London',
 };
 
+const memDbConfig = {
+  engine: 'mem',
+  ttl: 1,
+};
+
+const redisDbConfig = {
+  engine: 'redis',
+  url: 'redis://localhost:6379',
+};
+
+const postgresDbConfig = {
+  engine: 'sql',
+  url: 'postgresql://postgres:postgres@localhost:5432/postgres',
+  type: 'postgres',
+  ttl: 1,
+  limit: 1,
+};
+
+const mongoDbConfig = {
+  engine: 'mongo',
+  url: 'mongodb://localhost:27017/jackson',
+};
+
+const mysqlDbConfig = {
+  engine: 'sql',
+  url: 'mysql://root:mysql@localhost:3307/mysql',
+  type: 'mysql',
+  ttl: 1,
+  limit: 1,
+};
+
+const mariadbDbConfig = {
+  engine: 'sql',
+  url: 'mariadb://root@localhost:3306/mysql',
+  type: 'mariadb',
+  ttl: 1,
+  limit: 1,
+};
+
 const dbs = [
   {
-    engine: 'mem',
-    ttl: 1,
+    ...memDbConfig,
+  },
+  {
+    ...memDbConfig,
+    encryptionKey,
+  },
+  {
+    ...redisDbConfig,
+  },
+  {
+    ...redisDbConfig,
+    encryptionKey,
+  },
+  {
+    ...postgresDbConfig,
+  },
+  {
+    ...postgresDbConfig,
+    encryptionKey,
+  },
+  {
+    ...mongoDbConfig,
   },
   {
-    engine: 'redis',
-    url: 'redis://localhost:6379',
+    ...mongoDbConfig,
+    encryptionKey,
   },
   {
-    engine: 'sql',
-    url: 'postgresql://postgres:postgres@localhost:5432/postgres',
-    type: 'postgres',
-    ttl: 1,
-    limit: 1,
+    ...mysqlDbConfig,
   },
   {
-    engine: 'mongo',
-    url: 'mongodb://localhost:27017/jackson',
+    ...mysqlDbConfig,
+    encryptionKey,
   },
   {
-    engine: 'sql',
-    url: 'mysql://root:mysql@localhost:3307/mysql',
-    type: 'mysql',
-    ttl: 1,
-    limit: 1,
+    ...mariadbDbConfig,
   },
   {
-    engine: 'sql',
-    url: 'mariadb://root@localhost:3306/mysql',
-    type: 'mariadb',
-    ttl: 1,
-    limit: 1,
+    ...mariadbDbConfig,
+    encryptionKey,
   },
 ];
 
@@ -224,7 +274,7 @@ t.test('dbs', ({ end }) => {
       }
 
       await new Promise((resolve) =>
-        setTimeout(resolve, (2*ttl + 0.5) * 1000)
+        setTimeout(resolve, (2 * ttl + 0.5) * 1000)
       );
 
       const ret1 = await ttlStore.get(record1.id);

package/src/db/encrypter.js

@@ -0,0 +1,36 @@
+const crypto = require('crypto');
+
+const ALGO = 'aes-256-gcm';
+const BLOCK_SIZE = 16; // 128 bit
+
+const encrypt = (text, key) => {
+  const iv = crypto.randomBytes(BLOCK_SIZE);
+  const cipher = crypto.createCipheriv(ALGO, key, iv);
+
+  let ciphertext = cipher.update(text, 'utf8', 'base64');
+  ciphertext += cipher.final('base64');
+  return {
+    iv: iv.toString('base64'),
+    tag: cipher.getAuthTag().toString('base64'),
+    value: ciphertext,
+  };
+};
+
+const decrypt = (ciphertext, iv, tag, key) => {
+  const decipher = crypto.createDecipheriv(
+    ALGO,
+    key,
+    Buffer.from(iv, 'base64')
+  );
+  decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+  let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
+  cleartext += decipher.final('utf8');
+
+  return cleartext;
+};
+
+module.exports = {
+  encrypt,
+  decrypt,
+};

package/src/db/mem.js

@@ -34,7 +34,7 @@ class Mem {
   async get(namespace, key) {
     let res = this.store[dbutils.key(namespace, key)];
     if (res) {
-      return JSON.parse(res);
+      return res;
     }
 
     return null;
@@ -54,7 +54,7 @@ class Mem {
   async put(namespace, key, val, ttl = 0, ...indexes) {
     const k = dbutils.key(namespace, key);
 
-    this.store[k] = JSON.stringify(val);
+    this.store[k] = val;
 
     if (ttl) {
       this.ttlStore[k] = {

package/src/db/mongo.js

@@ -25,7 +25,7 @@ class Mongo {
       _id: dbutils.key(namespace, key),
     });
     if (res && res.value) {
-      return JSON.parse(res.value);
+      return res.value;
     }
 
     return null;
@@ -40,7 +40,7 @@ class Mongo {
 
     const ret = [];
     for (const doc of docs || []) {
-      ret.push(JSON.parse(doc.value));
+      ret.push(doc.value);
     }
 
     return ret;
@@ -48,7 +48,7 @@ class Mongo {
 
   async put(namespace, key, val, ttl = 0, ...indexes) {
     const doc = {
-      value: JSON.stringify(val),
+      value: val,
     };
 
     if (ttl) {

package/src/db/sql/entity/JacksonStore.js

@@ -27,6 +27,16 @@ module.exports = (type) => {
       value: {
         type: valueType(type),
       },
+      iv: {
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+      },
+      tag: {
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+      },
     },
   });
 };

package/src/db/sql/model/JacksonStore.js

@@ -1,7 +1,9 @@
 /*export */ class JacksonStore {
-  constructor(key, value) {
+  constructor(key, value, iv, tag) {
     this.key = key;
     this.value = value;
+    this.iv = iv;
+    this.tag = tag;
   }
 }
 

package/src/db/sql/sql.js

@@ -1,3 +1,5 @@
+/*eslint no-constant-condition: ["error", { "checkLoops": false }]*/
+
 require('reflect-metadata');
 const typeorm = require('typeorm');
 const JacksonStore = require('./model/JacksonStore.js');
@@ -12,7 +14,7 @@ class Sql {
       while (true) {
         try {
           this.connection = await typeorm.createConnection({
-            name: options.type,
+            name: options.type + Math.floor(Math.random() * 100000),
             type: options.type,
             url: options.url,
             synchronize: true,
@@ -79,8 +81,12 @@ class Sql {
       key: dbutils.key(namespace, key),
     });
 
-    if (res) {
-      return JSON.parse(res.value);
+    if (res && res.value) {
+      return {
+        value: res.value,
+        iv: res.iv,
+        tag: res.tag,
+      };
     }
 
     return null;
@@ -95,21 +101,21 @@ class Sql {
 
     if (res) {
       res.forEach((r) => {
-        ret.push(JSON.parse(r.store.value));
+        ret.push({
+          value: r.store.value,
+          iv: r.store.iv,
+          tag: r.store.tag,
+        });
       });
     }
 
-    if (res && res.store) {
-      return JSON.parse(res.store.value);
-    }
-
     return ret;
   }
 
   async put(namespace, key, val, ttl = 0, ...indexes) {
     await this.connection.transaction(async (transactionalEntityManager) => {
       const dbKey = dbutils.key(namespace, key);
-      const store = new JacksonStore(dbKey, JSON.stringify(val));
+      const store = new JacksonStore(dbKey, val.value, val.iv, val.tag);
       await transactionalEntityManager.save(store);
 
       if (ttl) {

package/src/env.js

@@ -18,6 +18,7 @@ const db = {
   url: process.env.DB_URL,
   type: process.env.DB_TYPE,
   ttl: process.env.DB_TTL,
+  encryptionKey: process.env.DB_ENCRYPTION_KEY,
 };
 
 module.exports = {