@boxyhq/saml-jackson 0.2.3-beta.210 → 0.2.3-beta.222

package/.eslintrc.js

@@ -0,0 +1,13 @@
+module.exports = {
+    "env": {
+        "es2021": true,
+        "node": true
+    },
+    "extends": "eslint:recommended",
+    "parserOptions": {
+        "ecmaVersion": 13,
+        "sourceType": "module"
+    },
+    "rules": {
+    }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.3-beta.210",
+  "version": "0.2.3-beta.222",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "dist/index.js",
@@ -16,7 +16,7 @@
     "SAML 2.0"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsc -p tsconfig.build.json",
     "start": "cross-env IDP_ENABLED=true node src/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon src/jackson.js",
     "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson DB_ENCRYPTION_KEY=RiVoTxDoLUUoIUOp224abMxK6PGGfFuF nodemon --config nodemon.json src/jackson.ts",

package/prettier.config.js

@@ -0,0 +1,4 @@
+module.exports = {
+  singleQuote: true,
+  trailingComma: 'es5',
+};

package/src/controller/api.ts

@@ -0,0 +1,225 @@
+import crypto from 'crypto';
+import { IdPConfig, ISAMLConfig, OAuth, Storable } from 'saml-jackson';
+import * as dbutils from '../db/utils';
+import saml from '../saml/saml';
+import { JacksonError } from './error';
+import { IndexNames } from './utils';
+import x509 from '../saml/x509';
+
+export class SAMLConfig implements ISAMLConfig {
+  private configStore: Storable;
+
+  constructor({ configStore }) {
+    this.configStore = configStore;
+  }
+
+  private _validateIdPConfig(body: IdPConfig): void {
+    const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
+      body;
+
+    if (!rawMetadata) {
+      throw new JacksonError('Please provide rawMetadata', 400);
+    }
+
+    if (!defaultRedirectUrl) {
+      throw new JacksonError('Please provide a defaultRedirectUrl', 400);
+    }
+
+    if (!redirectUrl) {
+      throw new JacksonError('Please provide redirectUrl', 400);
+    }
+
+    if (!tenant) {
+      throw new JacksonError('Please provide tenant', 400);
+    }
+
+    if (!product) {
+      throw new JacksonError('Please provide product', 400);
+    }
+  }
+
+  public async create(body: IdPConfig): Promise<OAuth> {
+    const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
+      body;
+
+    this._validateIdPConfig(body);
+
+    const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
+
+    // extract provider
+    let providerName = extractHostName(idpMetadata.entityID);
+    if (!providerName) {
+      providerName = extractHostName(
+        idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
+      );
+    }
+
+    idpMetadata.provider = providerName ? providerName : 'Unknown';
+
+    let clientID = dbutils.keyDigest(
+      dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
+    );
+
+    let clientSecret;
+
+    let exists = await this.configStore.get(clientID);
+
+    if (exists) {
+      clientSecret = exists.clientSecret;
+    } else {
+      clientSecret = crypto.randomBytes(24).toString('hex');
+    }
+
+    const certs = await x509.generate();
+
+    if (!certs) {
+      throw new Error('Error generating x59 certs');
+    }
+
+    await this.configStore.put(
+      clientID,
+      {
+        idpMetadata,
+        defaultRedirectUrl,
+        redirectUrl: JSON.parse(redirectUrl), // redirectUrl is a stringified array
+        tenant,
+        product,
+        clientID,
+        clientSecret,
+        certs,
+      },
+      {
+        // secondary index on entityID
+        name: IndexNames.EntityID,
+        value: idpMetadata.entityID,
+      },
+      {
+        // secondary index on tenant + product
+        name: IndexNames.TenantProduct,
+        value: dbutils.keyFromParts(tenant, product),
+      }
+    );
+
+    return {
+      client_id: clientID,
+      client_secret: clientSecret,
+      provider: idpMetadata.provider,
+    };
+  }
+
+  public async get(body: {
+    clientID: string;
+    tenant: string;
+    product: string;
+  }): Promise<Partial<OAuth>> {
+    const { clientID, tenant, product } = body;
+
+    if (clientID) {
+      const samlConfig = await this.configStore.get(clientID);
+
+      return samlConfig ? { provider: samlConfig.idpMetadata.provider } : {};
+    }
+
+    if (tenant && product) {
+      const samlConfigs = await this.configStore.getByIndex({
+        name: IndexNames.TenantProduct,
+        value: dbutils.keyFromParts(tenant, product),
+      });
+
+      if (!samlConfigs || !samlConfigs.length) {
+        return {};
+      }
+
+      return { provider: samlConfigs[0].idpMetadata.provider };
+    }
+
+    throw new JacksonError(
+      'Please provide `clientID` or `tenant` and `product`.',
+      400
+    );
+  }
+
+  public async delete(body: {
+    clientID: string;
+    clientSecret: string;
+    tenant: string;
+    product: string;
+  }): Promise<void> {
+    const { clientID, clientSecret, tenant, product } = body;
+
+    if (clientID && clientSecret) {
+      const samlConfig = await this.configStore.get(clientID);
+
+      if (!samlConfig) {
+        return;
+      }
+
+      if (samlConfig.clientSecret === clientSecret) {
+        await this.configStore.delete(clientID);
+      } else {
+        throw new JacksonError('clientSecret mismatch.', 400);
+      }
+
+      return;
+    }
+
+    if (tenant && product) {
+      const samlConfigs = await this.configStore.getByIndex({
+        name: IndexNames.TenantProduct,
+        value: dbutils.keyFromParts(tenant, product),
+      });
+
+      if (!samlConfigs || !samlConfigs.length) {
+        return;
+      }
+
+      for (const conf of samlConfigs) {
+        await this.configStore.delete(conf.clientID);
+      }
+
+      return;
+    }
+
+    throw new JacksonError(
+      'Please provide `clientID` and `clientSecret` or `tenant` and `product`.',
+      400
+    );
+  }
+
+  // Ensure backward compatibility
+
+  async config(body: IdPConfig): Promise<OAuth> {
+    return this.create(body);
+  }
+
+  async getConfig(body: {
+    clientID: string;
+    tenant: string;
+    product: string;
+  }): Promise<Partial<OAuth>> {
+    return this.get(body);
+  }
+
+  async deleteConfig(body: {
+    clientID: string;
+    clientSecret: string;
+    tenant: string;
+    product: string;
+  }): Promise<void> {
+    return this.delete(body);
+  }
+}
+
+const extractHostName = (url: string): string | null => {
+  try {
+    const pUrl = new URL(url);
+
+    if (pUrl.hostname.startsWith('www.')) {
+      return pUrl.hostname.substring(4);
+    }
+
+    return pUrl.hostname;
+  } catch (err) {
+    return null;
+  }
+};

package/src/controller/error.ts

@@ -0,0 +1,13 @@
+export class JacksonError extends Error {
+  public name: string;
+  public statusCode: number;
+
+  constructor(message: string, statusCode: number = 500) {
+    super(message);
+
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+
+    Error.captureStackTrace(this, this.constructor);
+  }
+}

package/src/controller/oauth/allowed.ts

@@ -0,0 +1,22 @@
+export const redirect = (
+  redirectUrl: string,
+  redirectUrls: string[]
+): boolean => {
+  const url: URL = new URL(redirectUrl);
+
+  for (const idx in redirectUrls) {
+    const rUrl: URL = new URL(redirectUrls[idx]);
+
+    // TODO: Check pathname, for now pathname is ignored
+
+    if (
+      rUrl.protocol === url.protocol &&
+      rUrl.hostname === url.hostname &&
+      rUrl.port === url.port
+    ) {
+      return true;
+    }
+  }
+
+  return false;
+};

package/src/controller/oauth/code-verifier.ts

@@ -0,0 +1,11 @@
+import crypto from 'crypto';
+
+export const transformBase64 = (input: string): string => {
+  return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+};
+
+export const encode = (code_challenge: string): string => {
+  return transformBase64(
+    crypto.createHash('sha256').update(code_challenge).digest('base64')
+  );
+};

package/src/controller/oauth/redirect.ts

@@ -0,0 +1,12 @@
+export const success = (
+  redirectUrl: string,
+  params: Record<string, string>
+): string => {
+  const url: URL = new URL(redirectUrl);
+
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+
+  return url.href;
+};

package/src/controller/oauth.ts

@@ -0,0 +1,337 @@
+import crypto from 'crypto';
+import {
+  IOAuthController,
+  JacksonOption,
+  OAuthReqBody,
+  OAuthTokenReq,
+  OAuthTokenRes,
+  Profile,
+  SAMLResponsePayload,
+  Storable,
+} from 'saml-jackson';
+import * as dbutils from '../db/utils';
+import saml from '../saml/saml';
+import { JacksonError } from './error';
+import * as allowed from './oauth/allowed';
+import * as codeVerifier from './oauth/code-verifier';
+import * as redirect from './oauth/redirect';
+import { IndexNames } from './utils';
+
+const relayStatePrefix = 'boxyhq_jackson_';
+
+function getEncodedClientId(
+  client_id: string
+): { tenant: string | null; product: string | null } | null {
+  try {
+    const sp = new URLSearchParams(client_id);
+    const tenant = sp.get('tenant');
+    const product = sp.get('product');
+    if (tenant && product) {
+      return {
+        tenant: sp.get('tenant'),
+        product: sp.get('product'),
+      };
+    }
+
+    return null;
+  } catch (err) {
+    return null;
+  }
+}
+
+export class OAuthController implements IOAuthController {
+  private configStore: Storable;
+  private sessionStore: Storable;
+  private codeStore: Storable;
+  private tokenStore: Storable;
+  private opts: JacksonOption;
+
+  constructor({ configStore, sessionStore, codeStore, tokenStore, opts }) {
+    this.configStore = configStore;
+    this.sessionStore = sessionStore;
+    this.codeStore = codeStore;
+    this.tokenStore = tokenStore;
+    this.opts = opts;
+  }
+
+  public async authorize(
+    body: OAuthReqBody
+  ): Promise<{ redirect_url: string }> {
+    const {
+      response_type = 'code',
+      client_id,
+      redirect_uri,
+      state,
+      tenant,
+      product,
+      code_challenge,
+      code_challenge_method = '',
+      // eslint-disable-next-line no-unused-vars
+      provider = 'saml',
+    } = body;
+
+    if (!redirect_uri) {
+      throw new JacksonError('Please specify a redirect URL.', 400);
+    }
+
+    if (!state) {
+      throw new JacksonError(
+        'Please specify a state to safeguard against XSRF attacks.',
+        400
+      );
+    }
+
+    let samlConfig;
+
+    if (tenant && product) {
+      const samlConfigs = await this.configStore.getByIndex({
+        name: IndexNames.TenantProduct,
+        value: dbutils.keyFromParts(tenant, product),
+      });
+
+      if (!samlConfigs || samlConfigs.length === 0) {
+        throw new JacksonError('SAML configuration not found.', 403);
+      }
+
+      // TODO: Support multiple matches
+      samlConfig = samlConfigs[0];
+    } else if (
+      client_id &&
+      client_id !== '' &&
+      client_id !== 'undefined' &&
+      client_id !== 'null'
+    ) {
+      // if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
+      const sp = getEncodedClientId(client_id);
+      if (sp?.tenant) {
+        const samlConfigs = await this.configStore.getByIndex({
+          name: IndexNames.TenantProduct,
+          value: dbutils.keyFromParts(sp.tenant, sp.product || ''),
+        });
+
+        if (!samlConfigs || samlConfigs.length === 0) {
+          throw new JacksonError('SAML configuration not found.', 403);
+        }
+
+        // TODO: Support multiple matches
+        samlConfig = samlConfigs[0];
+      } else {
+        samlConfig = await this.configStore.get(client_id);
+      }
+    } else {
+      throw new JacksonError(
+        'You need to specify client_id or tenant & product',
+        403
+      );
+    }
+
+    if (!samlConfig) {
+      throw new JacksonError('SAML configuration not found.', 403);
+    }
+
+    if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
+      throw new JacksonError('Redirect URL is not allowed.', 403);
+    }
+
+    const samlReq = saml.request({
+      // @ts-ignore
+      entityID: this.opts.samlAudience,
+      callbackUrl: this.opts.externalUrl + this.opts.samlPath,
+      signingKey: samlConfig.certs.privateKey,
+    });
+
+    const sessionId = crypto.randomBytes(16).toString('hex');
+
+    await this.sessionStore.put(sessionId, {
+      id: samlReq.id,
+      redirect_uri,
+      response_type,
+      state,
+      code_challenge,
+      code_challenge_method,
+    });
+
+    const redirectUrl = redirect.success(
+      samlConfig.idpMetadata.sso.redirectUrl,
+      {
+        RelayState: relayStatePrefix + sessionId,
+        SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
+      }
+    );
+
+    return { redirect_url: redirectUrl };
+  }
+
+  public async samlResponse(
+    body: SAMLResponsePayload
+  ): Promise<{ redirect_url: string }> {
+    const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
+
+    let RelayState = body.RelayState || '';
+
+    if (!this.opts.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
+      // IDP is disabled so block the request
+
+      throw new JacksonError(
+        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+        403
+      );
+    }
+
+    if (!RelayState.startsWith(relayStatePrefix)) {
+      RelayState = '';
+    }
+
+    RelayState = RelayState.replace(relayStatePrefix, '');
+
+    const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+
+    const parsedResp = await saml.parseAsync(rawResponse);
+
+    const samlConfigs = await this.configStore.getByIndex({
+      name: IndexNames.EntityID,
+
+      // @ts-ignore
+      value: parsedResp?.issuer,
+    });
+
+    if (!samlConfigs || samlConfigs.length === 0) {
+      throw new JacksonError('SAML configuration not found.', 403);
+    }
+
+    // TODO: Support multiple matches
+    const samlConfig = samlConfigs[0];
+
+    let session;
+
+    if (RelayState !== '') {
+      session = await this.sessionStore.get(RelayState);
+      if (!session) {
+        throw new JacksonError(
+          'Unable to validate state from the origin request.',
+          403
+        );
+      }
+    }
+
+    let validateOpts: any = {
+      thumbprint: samlConfig.idpMetadata.thumbprint,
+      audience: this.opts.samlAudience,
+    };
+
+    if (session && session.id) {
+      validateOpts.inResponseTo = session.id;
+    }
+
+    const profile = await saml.validateAsync(rawResponse, validateOpts);
+
+    // store details against a code
+    const code = crypto.randomBytes(20).toString('hex');
+
+    let codeVal: any = {
+      profile,
+      clientID: samlConfig.clientID,
+      clientSecret: samlConfig.clientSecret,
+    };
+
+    if (session) {
+      codeVal.session = session;
+    }
+
+    await this.codeStore.put(code, codeVal);
+
+    if (
+      session &&
+      session.redirect_uri &&
+      !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
+    ) {
+      throw new JacksonError('Redirect URL is not allowed.', 403);
+    }
+
+    let params: any = {
+      code,
+    };
+
+    if (session && session.state) {
+      params.state = session.state;
+    }
+
+    const redirectUrl = redirect.success(
+      (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
+      params
+    );
+
+    return { redirect_url: redirectUrl };
+  }
+
+  public async token(body: OAuthTokenReq): Promise<OAuthTokenRes> {
+    const {
+      client_id,
+      client_secret,
+      code_verifier,
+      code,
+      grant_type = 'authorization_code',
+    } = body;
+
+    if (grant_type !== 'authorization_code') {
+      throw new JacksonError('Unsupported grant_type', 400);
+    }
+
+    if (!code) {
+      throw new JacksonError('Please specify code', 400);
+    }
+
+    const codeVal = await this.codeStore.get(code);
+    if (!codeVal || !codeVal.profile) {
+      throw new JacksonError('Invalid code', 403);
+    }
+
+    if (client_id && client_secret) {
+      // check if we have an encoded client_id
+      if (client_id !== 'dummy' && client_secret !== 'dummy') {
+        const sp = getEncodedClientId(client_id);
+        if (!sp) {
+          // OAuth flow
+          if (
+            client_id !== codeVal.clientID ||
+            client_secret !== codeVal.clientSecret
+          ) {
+            throw new JacksonError('Invalid client_id or client_secret', 401);
+          }
+        }
+      }
+    } else if (code_verifier) {
+      // PKCE flow
+      let cv = code_verifier;
+      if (codeVal.session.code_challenge_method.toLowerCase() === 's256') {
+        cv = codeVerifier.encode(code_verifier);
+      }
+
+      if (codeVal.session.code_challenge !== cv) {
+        throw new JacksonError('Invalid code_verifier', 401);
+      }
+    } else if (codeVal && codeVal.session) {
+      throw new JacksonError(
+        'Please specify client_secret or code_verifier',
+        401
+      );
+    }
+
+    // store details against a token
+    const token = crypto.randomBytes(20).toString('hex');
+
+    await this.tokenStore.put(token, codeVal.profile);
+
+    return {
+      access_token: token,
+      token_type: 'bearer',
+      expires_in: this.opts.db.ttl,
+    };
+  }
+
+  public async userInfo(token: string): Promise<Profile> {
+    const { claims } = await this.tokenStore.get(token);
+
+    return claims;
+  }
+}

package/src/controller/utils.ts

@@ -0,0 +1,17 @@
+import { Request } from 'express';
+
+export const extractAuthToken = (req: Request): string | null => {
+  const authHeader = req.get('authorization');
+  const parts = (authHeader || '').split(' ');
+
+  if (parts.length > 1) {
+    return parts[1];
+  }
+
+  return null;
+};
+
+export enum IndexNames {
+  EntityID = 'entityID',
+  TenantProduct = 'tenantProduct',
+}