@boxyhq/saml-jackson 0.2.3-beta.177 → 0.2.3-beta.206

package/src/jackson.js

@@ -1,161 +0,0 @@
-const express = require('express');
-const cors = require('cors');
-
-const env = require('./env.js');
-const { extractAuthToken } = require('./controller/utils.js');
-
-let apiController;
-let oauthController;
-
-const oauthPath = '/oauth';
-const apiPath = '/api/v1/saml';
-
-const app = express();
-
-app.use(express.json());
-app.use(express.urlencoded({ extended: true }));
-
-app.get(oauthPath + '/authorize', async (req, res) => {
-  try {
-    const { redirect_url } = await oauthController.authorize(req.query);
-
-    res.redirect(redirect_url);
-  } catch (err) {
-    const { message, statusCode = 500 } = err;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.post(env.samlPath, async (req, res) => {
-  try {
-    const { redirect_url } = await oauthController.samlResponse(req.body);
-
-    res.redirect(redirect_url);
-  } catch (err) {
-    const { message, statusCode = 500 } = err;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.post(oauthPath + '/token', cors(), async (req, res) => {
-  try {
-    const result = await oauthController.token(req.body);
-
-    res.json(result);
-  } catch (err) {
-    const { message, statusCode = 500 } = err;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.get(oauthPath + '/userinfo', async (req, res) => {
-  try {
-    let token = extractAuthToken(req);
-
-    // check for query param
-    if (!token) {
-      token = req.query.access_token;
-    }
-
-    if (!token) {
-      res.status(401).json({ message: 'Unauthorized' });
-    }
-
-    const profile = await oauthController.userInfo(token);
-
-    res.json(profile);
-  } catch (err) {
-    const { message, statusCode = 500 } = err;
-
-    res.status(statusCode).json({ message });
-  }
-});
-
-const server = app.listen(env.hostPort, async () => {
-  console.log(
-    `🚀 The path of the righteous server: http://${env.hostUrl}:${env.hostPort}`
-  );
-
-  const ret = await require('./index.js')(env);
-  apiController = ret.apiController;
-  oauthController = ret.oauthController;
-});
-
-// Internal routes, recommended not to expose this to the public interface though it would be guarded by API key(s)
-let internalApp = app;
-
-if (env.useInternalServer) {
-  internalApp = express();
-
-  internalApp.use(express.json());
-  internalApp.use(express.urlencoded({ extended: true }));
-}
-
-const validateApiKey = (token) => {
-  return env.apiKeys.includes(token);
-};
-
-internalApp.post(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-
-    res.json(await apiController.config(req.body));
-  } catch (err) {
-    res.status(500).json({
-      error: err.message,
-    });
-  }
-});
-
-internalApp.get(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-
-    res.json(await apiController.getConfig(req.query));
-  } catch (err) {
-    res.status(500).json({
-      error: err.message,
-    });
-  }
-});
-
-internalApp.delete(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-    await apiController.deleteConfig(req.body);
-    res.status(200).end();
-  } catch (err) {
-    res.status(500).json({
-      error: err.message,
-    });
-  }
-});
-
-let internalServer = server;
-if (env.useInternalServer) {
-  internalServer = internalApp.listen(env.internalHostPort, async () => {
-    console.log(
-      `🚀 The path of the righteous internal server: http://${env.internalHostUrl}:${env.internalHostPort}`
-    );
-  });
-}
-
-module.exports = {
-  server,
-  internalServer,
-};

package/src/read-config.js

@@ -1,24 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-
-module.exports = async function (preLoadedConfig) {
-  if (preLoadedConfig.startsWith('./')) {
-    preLoadedConfig = path.resolve(process.cwd(), preLoadedConfig);
-  }
-  const files = await fs.promises.readdir(preLoadedConfig);
-  const configs = [];
-  for (let idx in files) {
-    const file = files[idx];
-    if (file.endsWith('.js')) {
-      const config = require(path.join(preLoadedConfig, file));
-      const rawMetadata = await fs.promises.readFile(
-        path.join(preLoadedConfig, path.parse(file).name + '.xml'),
-        'utf8'
-      );
-      config.rawMetadata = rawMetadata;
-      configs.push(config);
-    }
-  }
-
-  return configs;
-};

package/src/saml/claims.js

@@ -1,40 +0,0 @@
-const mapping = [
-  {
-    attribute: 'id',
-    schema:
-      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
-  },
-  {
-    attribute: 'email',
-    schema:
-      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
-  },
-  {
-    attribute: 'firstName',
-    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
-  },
-  {
-    attribute: 'lastName',
-    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
-  },
-];
-
-const map = (claims) => {
-  const profile = {
-    raw: claims,
-  };
-
-  mapping.forEach((m) => {
-    if (claims[m.attribute]) {
-      profile[m.attribute] = claims[m.attribute];
-    } else if (claims[m.schema]) {
-      profile[m.attribute] = claims[m.schema];
-    }
-  });
-
-  return profile;
-};
-
-module.exports = {
-  map,
-};

package/src/saml/saml.js

@@ -1,223 +0,0 @@
-const saml = require('@boxyhq/saml20');
-const xml2js = require('xml2js');
-const rambda = require('rambda');
-const thumbprint = require('thumbprint');
-const xmlbuilder = require('xmlbuilder');
-const crypto = require('crypto');
-const xmlcrypto = require('xml-crypto');
-const claims = require('./claims');
-
-const idPrefix = '_';
-const authnXPath =
-  '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
-const issuerXPath =
-  '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
-
-const signRequest = (xml, signingKey) => {
-  if (!xml) {
-    throw new Error('Please specify xml');
-  }
-  if (!signingKey) {
-    throw new Error('Please specify signingKey');
-  }
-
-  const sig = new xmlcrypto.SignedXml();
-  sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
-  sig.signingKey = signingKey;
-  sig.addReference(
-    authnXPath,
-    [
-      'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
-      'http://www.w3.org/2001/10/xml-exc-c14n#',
-    ],
-    'http://www.w3.org/2001/04/xmlenc#sha256'
-  );
-  sig.computeSignature(xml, {
-    location: { reference: authnXPath + issuerXPath, action: 'after' },
-  });
-
-  return sig.getSignedXml();
-};
-
-module.exports = {
-  request: ({
-    ssoUrl,
-    entityID,
-    callbackUrl,
-    isPassive = false,
-    forceAuthn = false,
-    identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-    providerName = 'BoxyHQ',
-    signingKey,
-  }) => {
-    const id = idPrefix + crypto.randomBytes(10).toString('hex');
-    const date = new Date().toISOString();
-
-    const samlReq = {
-      'samlp:AuthnRequest': {
-        '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-        '@ID': id,
-        '@Version': '2.0',
-        '@IssueInstant': date,
-        '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-        '@Destination': ssoUrl,
-        'saml:Issuer': {
-          '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
-          '#text': entityID,
-        },
-      },
-    };
-
-    if (isPassive) samlReq['samlp:AuthnRequest']['@IsPassive'] = true;
-
-    if (forceAuthn) {
-      samlReq['samlp:AuthnRequest']['@ForceAuthn'] = true;
-    }
-
-    samlReq['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = callbackUrl;
-
-    samlReq['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
-      '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-      '@Format': identifierFormat,
-      '@AllowCreate': 'true',
-    };
-
-    if (providerName != null) {
-      samlReq['samlp:AuthnRequest']['@ProviderName'] = providerName;
-    }
-
-    let xml = xmlbuilder.create(samlReq).end({});
-    if (signingKey) {
-      xml = signRequest(xml, signingKey);
-    }
-
-    return {
-      id,
-      request: xml,
-    };
-  },
-
-  parseAsync: async (rawAssertion) => {
-    return new Promise((resolve, reject) => {
-      saml.parse(rawAssertion, function onParseAsync(err, profile) {
-        if (err) {
-          reject(err);
-          return;
-        }
-
-        resolve(profile);
-      });
-    });
-  },
-
-  validateAsync: async (rawAssertion, options) => {
-    return new Promise((resolve, reject) => {
-      saml.validate(
-        rawAssertion,
-        options,
-        function onValidateAsync(err, profile) {
-          if (err) {
-            reject(err);
-            return;
-          }
-
-          if (profile && profile.claims) {
-            // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
-            profile.claims = claims.map(profile.claims);
-
-            // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
-            if (!profile.claims.id) {
-              profile.claims.id = crypto
-                .createHash('sha256')
-                .update(profile.claims.email)
-                .digest('hex');
-            }
-          }
-
-          resolve(profile);
-        }
-      );
-    });
-  },
-
-  parseMetadataAsync: async (idpMeta) => {
-    return new Promise((resolve, reject) => {
-      xml2js.parseString(
-        idpMeta,
-        { tagNameProcessors: [xml2js.processors.stripPrefix] },
-        (err, res) => {
-          if (err) {
-            reject(err);
-            return;
-          }
-
-          const entityID = rambda.path('EntityDescriptor.$.entityID', res);
-          let X509Certificate = null;
-          let ssoPostUrl = null;
-          let ssoRedirectUrl = null;
-          let loginType = 'idp';
-
-          let ssoDes = rambda.pathOr(
-            null,
-            'EntityDescriptor.IDPSSODescriptor',
-            res
-          );
-          if (!ssoDes) {
-            ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
-            if (!ssoDes) {
-              loginType = 'sp';
-            }
-          }
-
-          for (const ssoDesRec of ssoDes) {
-            const keyDes = ssoDesRec['KeyDescriptor'];
-            for (const keyDesRec of keyDes) {
-              if (keyDesRec['$'] && keyDesRec['$'].use === 'signing') {
-                const ki = keyDesRec['KeyInfo'][0];
-                const cd = ki['X509Data'][0];
-                X509Certificate = cd['X509Certificate'][0];
-              }
-            }
-
-            const ssoSvc =
-              ssoDesRec['SingleSignOnService'] ||
-              ssoDesRec['AssertionConsumerService'] ||
-              [];
-            for (const ssoSvcRec of ssoSvc) {
-              if (
-                rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')
-              ) {
-                ssoPostUrl = rambda.path('$.Location', ssoSvcRec);
-              } else if (
-                rambda
-                  .pathOr('', '$.Binding', ssoSvcRec)
-                  .endsWith('HTTP-Redirect')
-              ) {
-                ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
-              }
-            }
-          }
-
-          const ret = {
-            sso: {},
-          };
-          if (entityID) {
-            ret.entityID = entityID;
-          }
-          if (X509Certificate) {
-            ret.thumbprint = thumbprint.calculate(X509Certificate);
-          }
-          if (ssoPostUrl) {
-            ret.sso.postUrl = ssoPostUrl;
-          }
-          if (ssoRedirectUrl) {
-            ret.sso.redirectUrl = ssoRedirectUrl;
-          }
-          ret.loginType = loginType;
-
-          resolve(ret);
-        }
-      );
-    });
-  },
-};

package/src/saml/x509.js

@@ -1,48 +0,0 @@
-const x509 = require('@peculiar/x509');
-const { Crypto } = require('@peculiar/webcrypto');
-
-const crypto = new Crypto();
-x509.cryptoProvider.set(crypto);
-
-const alg = {
-  name: 'RSASSA-PKCS1-v1_5',
-  hash: 'SHA-256',
-  publicExponent: new Uint8Array([1, 0, 1]),
-  modulusLength: 2048,
-};
-
-const generate = async () => {
-  const keys = await crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
-
-  const extensions = [
-    new x509.BasicConstraintsExtension(false, undefined, true),
-  ];
-
-  extensions.push(
-    new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true)
-  );
-  extensions.push(
-    await x509.SubjectKeyIdentifierExtension.create(keys.publicKey)
-  );
-
-  const cert = await x509.X509CertificateGenerator.createSelfSigned({
-    serialNumber: '01',
-    name: 'CN=BoxyHQ Jackson',
-    notBefore: new Date(),
-    notAfter: new Date('3021/01/01'), // TODO: set shorter expiry and rotate ceritifcates
-    signingAlgorithm: alg,
-    keys: keys,
-    extensions,
-  });
-
-  const pkcs8 = await crypto.subtle.exportKey('pkcs8', keys.privateKey);
-
-  return {
-    publicKey: cert.toString('pem'),
-    privateKey: x509.PemConverter.encode(pkcs8, 'private key'),
-  };
-};
-
-module.exports = {
-  generate,
-};

package/src/test/api.test.js

@@ -1,186 +0,0 @@
-const tap = require('tap');
-const path = require('path');
-const sinon = require('sinon');
-const crypto = require('crypto');
-
-const readConfig = require('../read-config');
-const dbutils = require('../db/utils');
-
-let apiController;
-
-const CLIENT_ID = '75edb050796a0eb1cf2cfb0da7245f85bc50baa7';
-const PROVIDER = 'accounts.google.com';
-const OPTIONS = {
-  externalUrl: 'https://my-cool-app.com',
-  samlAudience: 'https://saml.boxyhq.com',
-  samlPath: '/sso/oauth/saml',
-  db: {
-    engine: 'mem',
-  },
-};
-
-tap.before(async () => {
-  const controller = await require('../index.js')(OPTIONS);
-
-  apiController = controller.apiController;
-});
-
-tap.teardown(async () => {
-  process.exit(0);
-});
-
-tap.test('controller/api', async (t) => {
-  const metadataPath = path.join(__dirname, '/data/metadata');
-  const config = await readConfig(metadataPath);
-
-  t.test('.config()', async (t) => {
-    t.test('when required fields are missing or invalid', async (t) => {
-      t.test('when `rawMetadata` is empty', async (t) => {
-        const body = Object.assign({}, config[0]);
-        delete body['rawMetadata'];
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting JacksonError.');
-        } catch (err) {
-          t.equal(err.message, 'Please provide rawMetadata');
-          t.equal(err.statusCode, 400);
-        }
-
-        t.end();
-      });
-
-      t.test('when `defaultRedirectUrl` is empty', async (t) => {
-        const body = Object.assign({}, config[0]);
-        delete body['defaultRedirectUrl'];
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting JacksonError.');
-        } catch (err) {
-          t.equal(err.message, 'Please provide a defaultRedirectUrl');
-          t.equal(err.statusCode, 400);
-        }
-
-        t.end();
-      });
-
-      t.test('when `redirectUrl` is empty', async (t) => {
-        const body = Object.assign({}, config[0]);
-        delete body['redirectUrl'];
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting JacksonError.');
-        } catch (err) {
-          t.equal(err.message, 'Please provide redirectUrl');
-          t.equal(err.statusCode, 400);
-        }
-
-        t.end();
-      });
-
-      t.test('when `tenant` is empty', async (t) => {
-        const body = Object.assign({}, config[0]);
-        delete body['tenant'];
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting JacksonError.');
-        } catch (err) {
-          t.equal(err.message, 'Please provide tenant');
-          t.equal(err.statusCode, 400);
-        }
-
-        t.end();
-      });
-
-      t.test('when `product` is empty', async (t) => {
-        const body = Object.assign({}, config[0]);
-        delete body['product'];
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting JacksonError.');
-        } catch (err) {
-          t.equal(err.message, 'Please provide product');
-          t.equal(err.statusCode, 400);
-        }
-
-        t.end();
-      });
-
-      t.test('when `rawMetadata` is not a valid XML', async (t) => {
-        const body = Object.assign({}, config[0]);
-        body['rawMetadata'] = 'not a valid XML';
-
-        try {
-          await apiController.config(body);
-          t.fail('Expecting Error.');
-        } catch (err) {
-          t.match(err.message, /Non-whitespace before first tag./);
-        }
-
-        t.end();
-      });
-    });
-
-    t.test('when the request is good', async (t) => {
-      const body = Object.assign({}, config[0]);
-
-      const kdStub = sinon.stub(dbutils, 'keyDigest').returns(CLIENT_ID);
-      const rbStub = sinon
-        .stub(crypto, 'randomBytes')
-        .returns('f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f');
-
-      const response = await apiController.config(body);
-      t.ok(kdStub.called);
-      t.ok(rbStub.calledOnce);
-      t.equal(response.client_id, CLIENT_ID);
-      t.equal(
-        response.client_secret,
-        'f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f'
-      );
-      t.equal(response.provider, PROVIDER);
-
-      let savedConf = await apiController.getConfig({
-        clientID: CLIENT_ID,
-      });
-      t.equal(savedConf.provider, PROVIDER);
-      try {
-        await apiController.deleteConfig({ clientID: CLIENT_ID });
-        t.fail('Expecting JacksonError.');
-      } catch (err) {
-        t.equal(err.message, 'Please provide clientSecret');
-        t.equal(err.statusCode, 400);
-      }
-      try {
-        await apiController.deleteConfig({
-          clientID: CLIENT_ID,
-          clientSecret: 'xxxxx',
-        });
-        t.fail('Expecting JacksonError.');
-      } catch (err) {
-        t.equal(err.message, 'clientSecret mismatch');
-        t.equal(err.statusCode, 400);
-      }
-      await apiController.deleteConfig({
-        clientID: CLIENT_ID,
-        clientSecret: 'f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f',
-      });
-      savedConf = await apiController.getConfig({
-        clientID: CLIENT_ID,
-      });
-      t.same(savedConf, {}, 'should return empty config');
-
-      dbutils.keyDigest.restore();
-      crypto.randomBytes.restore();
-
-      t.end();
-    });
-
-    t.end();
-  });
-
-  t.end();
-});

package/src/test/data/metadata/boxyhq.js

@@ -1,6 +0,0 @@
-module.exports = {
-  defaultRedirectUrl: 'http://localhost:3000/sso/oauth/completed',
-  redirectUrl: '["http://localhost:3000"]',
-  tenant: 'boxyhq.com',
-  product: 'crm',
-};