@boxyhq/saml-jackson 0.2.3-beta.207 → 0.2.3-beta.219

package/src/db/sql/sql.ts

@@ -0,0 +1,184 @@
+/*eslint no-constant-condition: ["error", { "checkLoops": false }]*/
+
+require('reflect-metadata');
+
+import { DatabaseDriver, DatabaseOption, Index } from 'saml-jackson';
+import { Connection, createConnection } from 'typeorm';
+import * as dbutils from '../utils';
+import { JacksonIndex } from './model/JacksonIndex';
+import { JacksonStore } from './model/JacksonStore';
+import { JacksonTTL } from './entity/JacksonTTL';
+
+import JacksonStoreEntity from './entity/JacksonStore';
+import JacksonIndexEntity from './entity/JacksonIndex';
+import { JacksonTTL as JacksonTTLEntity } from './entity/JacksonTTL';
+
+class Sql implements DatabaseDriver {
+  private options: DatabaseOption;
+  private connection!: Connection;
+  private storeRepository; //!: typeorm.Repository<JacksonStore>;
+  private indexRepository; //!: typeorm.Repository<JacksonIndex>;
+  private ttlRepository; //!: typeorm.Repository<JacksonTTL>;
+  private ttlCleanup;
+  private timerId;
+
+  constructor(options: DatabaseOption) {
+    this.options = options;
+  }
+
+  async init(): Promise<Sql> {
+    while (true) {
+      try {
+        // TODO: Fix it
+        // @ts-ignore
+        this.connection = await createConnection({
+          name: this.options.type + Math.floor(Math.random() * 100000),
+          type: this.options.type,
+          url: this.options.url,
+          synchronize: true,
+          migrationsTableName: '_jackson_migrations',
+          logging: false,
+          entities: [
+            JacksonStoreEntity(this.options.type),
+            JacksonIndexEntity,
+            JacksonTTLEntity,
+          ],
+        });
+
+        break;
+      } catch (err) {
+        console.error(`error connecting to ${this.options.type} db: ${err}`);
+        await dbutils.sleep(1000);
+        continue;
+      }
+    }
+
+    this.storeRepository = this.connection.getRepository(JacksonStore);
+    this.indexRepository = this.connection.getRepository(JacksonIndex);
+    this.ttlRepository = this.connection.getRepository(JacksonTTL);
+
+    if (this.options.ttl && this.options.cleanupLimit) {
+      this.ttlCleanup = async () => {
+        const now = Date.now();
+
+        while (true) {
+          const ids = await this.ttlRepository
+            .createQueryBuilder('jackson_ttl')
+            .limit(this.options.cleanupLimit)
+            .where('jackson_ttl.expiresAt <= :expiresAt', {
+              expiresAt: now,
+            })
+            .getMany();
+
+          if (ids.length <= 0) {
+            break;
+          }
+
+          const delIds = ids.map((id) => {
+            return id.key;
+          });
+
+          await this.storeRepository.remove(ids);
+          await this.ttlRepository.delete(delIds);
+        }
+
+        this.timerId = setTimeout(this.ttlCleanup, this.options.ttl * 1000);
+      };
+
+      this.timerId = setTimeout(this.ttlCleanup, this.options.ttl * 1000);
+    } else {
+      console.log(
+        'Warning: ttl cleanup not enabled, set both "ttl" and "cleanupLimit" options to enable it!'
+      );
+    }
+
+    return this;
+  }
+
+  async get(namespace: string, key: string): Promise<any> {
+    let res = await this.storeRepository.findOne({
+      key: dbutils.key(namespace, key),
+    });
+
+    if (res && res.value) {
+      return {
+        value: res.value,
+        iv: res.iv,
+        tag: res.tag,
+      };
+    }
+
+    return null;
+  }
+
+  async getByIndex(namespace: string, idx: Index): Promise<any> {
+    const res = await this.indexRepository.find({
+      key: dbutils.keyForIndex(namespace, idx),
+    });
+
+    const ret: string[] = [];
+
+    if (res) {
+      res.forEach((r) => {
+        // @ts-ignore
+        ret.push({
+          value: r.store.value,
+          iv: r.store.iv,
+          tag: r.store.tag,
+        });
+      });
+    }
+
+    return ret;
+  }
+
+  async put(
+    namespace: string,
+    key: string,
+    val: string,
+    ttl: number = 0,
+    ...indexes: any[]
+  ): Promise<void> {
+    await this.connection.transaction(async (transactionalEntityManager) => {
+      const dbKey = dbutils.key(namespace, key);
+
+      // @ts-ignore
+      const store = new JacksonStore(dbKey, val.value, val.iv, val.tag);
+
+      await transactionalEntityManager.save(store);
+
+      if (ttl) {
+        const ttlRec = new JacksonTTL();
+        ttlRec.key = dbKey;
+        ttlRec.expiresAt = Date.now() + ttl * 1000;
+        await transactionalEntityManager.save(ttlRec);
+      }
+
+      // no ttl support for secondary indexes
+      for (const idx of indexes || []) {
+        const key = dbutils.keyForIndex(namespace, idx);
+        const rec = await this.indexRepository.findOne({
+          key,
+          storeKey: store.key,
+        });
+        if (!rec) {
+          await transactionalEntityManager.save(
+            new JacksonIndex(0, key, store)
+          );
+        }
+      }
+    });
+  }
+
+  async delete(namespace: string, key: string): Promise<any> {
+    return await this.storeRepository.remove({
+      key: dbutils.key(namespace, key),
+    });
+  }
+}
+
+export default {
+  new: async (options: DatabaseOption): Promise<Sql> => {
+    return await new Sql(options).init();
+  },
+};

package/src/db/store.ts

@@ -0,0 +1,49 @@
+import { Index, Storable } from 'saml-jackson';
+import * as dbutils from './utils';
+
+class Store implements Storable {
+  private namespace: string;
+  private db: any;
+  private ttl: number;
+
+  constructor(namespace: string, db: any, ttl: number = 0) {
+    this.namespace = namespace;
+    this.db = db;
+    this.ttl = ttl;
+  }
+
+  async get(key: string): Promise<any> {
+    return await this.db.get(this.namespace, dbutils.keyDigest(key));
+  }
+
+  async getByIndex(idx: Index): Promise<any> {
+    idx.value = dbutils.keyDigest(idx.value);
+
+    return await this.db.getByIndex(this.namespace, idx);
+  }
+
+  async put(key: string, val: any, ...indexes: Index[]): Promise<any> {
+    indexes = (indexes || []).map((idx) => {
+      idx.value = dbutils.keyDigest(idx.value);
+      return idx;
+    });
+
+    return await this.db.put(
+      this.namespace,
+      dbutils.keyDigest(key),
+      val,
+      this.ttl,
+      ...indexes
+    );
+  }
+
+  async delete(key: string): Promise<any> {
+    return await this.db.delete(this.namespace, dbutils.keyDigest(key));
+  }
+}
+
+export default {
+  new: (namespace: string, db: any, ttl: number = 0): Storable => {
+    return new Store(namespace, db, ttl);
+  },
+};

package/src/db/utils.ts

@@ -0,0 +1,26 @@
+import Ripemd160 from 'ripemd160';
+import { Index } from 'saml-jackson';
+
+export const key = (namespace: string, k: string): string => {
+  return namespace + ':' + k;
+};
+
+export const keyForIndex = (namespace: string, idx: Index): string => {
+  return key(key(namespace, idx.name), idx.value);
+};
+
+export const keyDigest = (k: string): string => {
+  return new Ripemd160().update(k).digest('hex');
+};
+
+export const keyFromParts = (...parts: string[]): string => {
+  // TODO: pick a better strategy, keys can collide now
+
+  return parts.join(':');
+};
+
+export const sleep = (ms: number): Promise<void> => {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+};
+
+export const indexPrefix = '_index';

package/src/env.ts

@@ -0,0 +1,42 @@
+const hostUrl = process.env.HOST_URL || 'localhost';
+const hostPort = +(process.env.HOST_PORT || '5000');
+const externalUrl =
+  process.env.EXTERNAL_URL || 'http://' + hostUrl + ':' + hostPort;
+const samlPath = process.env.SAML_PATH || '/oauth/saml';
+
+const internalHostUrl = process.env.INTERNAL_HOST_URL || 'localhost';
+const internalHostPort = +(process.env.INTERNAL_HOST_PORT || '6000');
+
+const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
+
+const samlAudience = process.env.SAML_AUDIENCE;
+const preLoadedConfig = process.env.PRE_LOADED_CONFIG;
+
+const idpEnabled = process.env.IDP_ENABLED;
+
+const db = {
+  engine: process.env.DB_ENGINE,
+  url: process.env.DB_URL,
+  type: process.env.DB_TYPE,
+  ttl: process.env.DB_TTL,
+  encryptionKey: process.env.DB_ENCRYPTION_KEY,
+};
+
+const env = {
+  hostUrl,
+  hostPort,
+  externalUrl,
+  samlPath,
+  samlAudience,
+  preLoadedConfig,
+  internalHostUrl,
+  internalHostPort,
+  apiKeys,
+  idpEnabled,
+  db,
+  useInternalServer: !(
+    hostUrl === internalHostUrl && hostPort === internalHostPort
+  ),
+};
+
+export default env;

package/src/index.ts

@@ -0,0 +1,79 @@
+import { JacksonOption } from 'saml-jackson';
+import { SAMLConfig } from './controller/api';
+import { OAuthController } from './controller/oauth';
+import DB from './db/db';
+import readConfig from './read-config';
+
+const defaultOpts = (opts: JacksonOption): JacksonOption => {
+  const newOpts = {
+    ...opts,
+  };
+
+  if (!newOpts.externalUrl) {
+    throw new Error('externalUrl is required');
+  }
+
+  if (!newOpts.samlPath) {
+    throw new Error('samlPath is required');
+  }
+
+  newOpts.samlAudience = newOpts.samlAudience || 'https://saml.boxyhq.com';
+  newOpts.preLoadedConfig = newOpts.preLoadedConfig || ''; // path to folder containing static SAML config that will be preloaded. This is useful for self-hosted deployments that only have to support a single tenant (or small number of known tenants).
+  newOpts.idpEnabled = newOpts.idpEnabled === true;
+
+  newOpts.db = newOpts.db || {};
+  newOpts.db.engine = newOpts.db.engine || 'sql';
+  newOpts.db.url =
+    newOpts.db.url || 'postgresql://postgres:postgres@localhost:5432/postgres';
+  newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql.
+  newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
+  newOpts.db.cleanupLimit = (newOpts.db.cleanupLimit || 1000) * 1; // Limit cleanup of TTL entries to this many items at a time
+
+  return newOpts;
+};
+
+export default async function controllers(
+  opts: JacksonOption
+): Promise<{ apiController: SAMLConfig; oauthController: OAuthController }> {
+  opts = defaultOpts(opts);
+
+  const db = await DB.new(opts.db);
+
+  const configStore = db.store('saml:config');
+  const sessionStore = db.store('oauth:session', opts.db.ttl);
+  const codeStore = db.store('oauth:code', opts.db.ttl);
+  const tokenStore = db.store('oauth:token', opts.db.ttl);
+
+  const apiController = new SAMLConfig({ configStore });
+
+  const oauthController = new OAuthController({
+    configStore,
+    sessionStore,
+    codeStore,
+    tokenStore,
+    opts,
+  });
+
+  // write pre-loaded config if present
+  if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
+    const configs = await readConfig(opts.preLoadedConfig);
+
+    for (const config of configs) {
+      await apiController.config(config);
+
+      console.log(
+        `loaded config for tenant "${config.tenant}" and product "${config.product}"`
+      );
+    }
+  }
+
+  const type =
+    opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
+
+  console.log(`Using engine: ${opts.db.engine}.${type}`);
+
+  return {
+    apiController,
+    oauthController,
+  };
+}

package/src/jackson.ts

@@ -0,0 +1,171 @@
+import cors from 'cors';
+import express from 'express';
+import { JacksonError } from './controller/error';
+import { extractAuthToken } from './controller/utils';
+import env from './env';
+import jackson from './index';
+
+let apiController;
+let oauthController;
+
+const oauthPath = '/oauth';
+const apiPath = '/api/v1/saml';
+
+const app = express();
+
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+app.get(oauthPath + '/authorize', async (req, res) => {
+  try {
+    const { redirect_url } = await oauthController.authorize(req.query);
+
+    res.redirect(redirect_url);
+  } catch (err) {
+    const { message, statusCode = 500 } = err as JacksonError;
+
+    res.status(statusCode).send(message);
+  }
+});
+
+app.post(env.samlPath, async (req, res) => {
+  try {
+    const { redirect_url } = await oauthController.samlResponse(req.body);
+
+    res.redirect(redirect_url);
+  } catch (err) {
+    const { message, statusCode = 500 } = err as JacksonError;
+
+    res.status(statusCode).send(message);
+  }
+});
+
+app.post(oauthPath + '/token', cors(), async (req, res) => {
+  try {
+    const result = await oauthController.token(req.body);
+
+    res.json(result);
+  } catch (err) {
+    const { message, statusCode = 500 } = err as JacksonError;
+
+    res.status(statusCode).send(message);
+  }
+});
+
+app.get(oauthPath + '/userinfo', async (req, res) => {
+  try {
+    let token = extractAuthToken(req);
+
+    // check for query param
+    if (!token) {
+      token = req.query.access_token;
+    }
+
+    if (!token) {
+      res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    const profile = await oauthController.userInfo(token);
+
+    res.json(profile);
+  } catch (err) {
+    const { message, statusCode = 500 } = err as JacksonError;
+
+    res.status(statusCode).json({ message });
+  }
+});
+
+const server = app.listen(env.hostPort, async () => {
+  console.log(
+    `🚀 The path of the righteous server: http://${env.hostUrl}:${env.hostPort}`
+  );
+
+  // TODO: Fix it
+  // @ts-ignore
+  const ctrlrModule = await jackson(env);
+
+  apiController = ctrlrModule.apiController;
+  oauthController = ctrlrModule.oauthController;
+});
+
+// Internal routes, recommended not to expose this to the public interface though it would be guarded by API key(s)
+let internalApp = app;
+
+if (env.useInternalServer) {
+  internalApp = express();
+
+  internalApp.use(express.json());
+  internalApp.use(express.urlencoded({ extended: true }));
+}
+
+const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
+
+internalApp.post(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
+    res.json(await apiController.config(req.body));
+  } catch (err) {
+    const { message } = err as JacksonError;
+
+    res.status(500).json({
+      error: message,
+    });
+  }
+});
+
+internalApp.get(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
+    res.json(await apiController.getConfig(req.query));
+  } catch (err) {
+    const { message } = err as JacksonError;
+
+    res.status(500).json({
+      error: message,
+    });
+  }
+});
+
+internalApp.delete(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+    await apiController.deleteConfig(req.body);
+    res.status(200).end();
+  } catch (err) {
+    const { message } = err as JacksonError;
+
+    res.status(500).json({
+      error: message,
+    });
+  }
+});
+
+let internalServer = server;
+if (env.useInternalServer) {
+  internalServer = internalApp.listen(env.internalHostPort, async () => {
+    console.log(
+      `🚀 The path of the righteous internal server: http://${env.internalHostUrl}:${env.internalHostPort}`
+    );
+  });
+}
+
+module.exports = {
+  server,
+  internalServer,
+};

package/src/read-config.ts

@@ -0,0 +1,29 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { IdPConfig } from 'saml-jackson';
+
+const readConfig = async (preLoadedConfig: string): Promise<IdPConfig[]> => {
+  if (preLoadedConfig.startsWith('./')) {
+    preLoadedConfig = path.resolve(process.cwd(), preLoadedConfig);
+  }
+
+  const files = await fs.promises.readdir(preLoadedConfig);
+  const configs: IdPConfig[] = [];
+
+  for (let idx in files) {
+    const file = files[idx];
+    if (file.endsWith('.js')) {
+      const config = require(path.join(preLoadedConfig, file)) as IdPConfig;
+      const rawMetadata = await fs.promises.readFile(
+        path.join(preLoadedConfig, path.parse(file).name + '.xml'),
+        'utf8'
+      );
+      config.rawMetadata = rawMetadata;
+      configs.push(config);
+    }
+  }
+
+  return configs;
+};
+
+export default readConfig;

package/src/saml/claims.js

@@ -0,0 +1,40 @@
+const mapping = [
+  {
+    attribute: 'id',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+  },
+  {
+    attribute: 'email',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+  },
+  {
+    attribute: 'firstName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+  },
+  {
+    attribute: 'lastName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+  },
+];
+
+const map = (claims) => {
+  const profile = {
+    raw: claims,
+  };
+
+  mapping.forEach((m) => {
+    if (claims[m.attribute]) {
+      profile[m.attribute] = claims[m.attribute];
+    } else if (claims[m.schema]) {
+      profile[m.attribute] = claims[m.schema];
+    }
+  });
+
+  return profile;
+};
+
+module.exports = {
+  map,
+};