@boxyhq/saml-jackson 0.2.3-beta.210 → 0.2.3-beta.222

package/src/test/db.test.ts

@@ -0,0 +1,313 @@
+import {
+  DatabaseEngine,
+  DatabaseOption,
+  EncryptionKey,
+  Storable,
+} from 'saml-jackson';
+import tap from 'tap';
+import DB from '../db/db';
+
+const encryptionKey: EncryptionKey = '3yGrTcnKPBqqHoH3zZMAU6nt4bmIYb2q';
+
+let configStores: Storable[] = [];
+let ttlStores: Storable[] = [];
+const ttl = 3;
+
+const record1 = {
+  id: '1',
+  name: 'Deepak',
+  city: 'London',
+};
+
+const record2 = {
+  id: '2',
+  name: 'Sama',
+  city: 'London',
+};
+
+const memDbConfig = <DatabaseOption>{
+  engine: 'mem',
+  ttl: 1,
+};
+
+const redisDbConfig = <DatabaseOption>{
+  engine: 'redis',
+  url: 'redis://localhost:6379',
+};
+
+const postgresDbConfig = <DatabaseOption>{
+  engine: 'sql',
+  url: 'postgresql://postgres:postgres@localhost:5432/postgres',
+  type: 'postgres',
+  ttl: 1,
+  cleanupLimit: 1,
+};
+
+const mongoDbConfig = <DatabaseOption>{
+  engine: 'mongo',
+  url: 'mongodb://localhost:27017/jackson',
+};
+
+const mysqlDbConfig = <DatabaseOption>{
+  engine: 'sql',
+  url: 'mysql://root:mysql@localhost:3307/mysql',
+  type: 'mysql',
+  ttl: 1,
+  cleanupLimit: 1,
+};
+
+const mariadbDbConfig = <DatabaseOption>{
+  engine: 'sql',
+  url: 'mariadb://root@localhost:3306/mysql',
+  type: 'mariadb',
+  ttl: 1,
+  cleanupLimit: 1,
+};
+
+const dbs = [
+  {
+    ...memDbConfig,
+  },
+  {
+    ...memDbConfig,
+    encryptionKey,
+  },
+  {
+    ...redisDbConfig,
+  },
+  {
+    ...redisDbConfig,
+    encryptionKey,
+  },
+  {
+    ...postgresDbConfig,
+  },
+  {
+    ...postgresDbConfig,
+    encryptionKey,
+  },
+  {
+    ...mongoDbConfig,
+  },
+  {
+    ...mongoDbConfig,
+    encryptionKey,
+  },
+  {
+    ...mysqlDbConfig,
+  },
+  {
+    ...mysqlDbConfig,
+    encryptionKey,
+  },
+  {
+    ...mariadbDbConfig,
+  },
+  {
+    ...mariadbDbConfig,
+    encryptionKey,
+  },
+];
+
+tap.before(async () => {
+  for (const idx in dbs) {
+    const opts = dbs[idx];
+    const db = await DB.new(opts);
+
+    configStores.push(db.store('saml:config'));
+    ttlStores.push(db.store('oauth:session', ttl));
+  }
+});
+
+tap.teardown(async () => {
+  process.exit(0);
+});
+
+tap.test('dbs', ({ end }) => {
+  for (const idx in configStores) {
+    const configStore = configStores[idx];
+    const ttlStore = ttlStores[idx];
+    let dbEngine = dbs[idx].engine;
+
+    if (dbs[idx].type) {
+      dbEngine += ': ' + dbs[idx].type;
+    }
+
+    tap.test('put(): ' + dbEngine, async (t) => {
+      await configStore.put(
+        record1.id,
+        record1,
+        {
+          // secondary index on city
+          name: 'city',
+          value: record1.city,
+        },
+        {
+          // secondary index on name
+          name: 'name',
+          value: record1.name,
+        }
+      );
+
+      await configStore.put(
+        record2.id,
+        record2,
+        {
+          // secondary index on city
+          name: 'city',
+          value: record2.city,
+        },
+        {
+          // secondary index on name
+          name: 'name',
+          value: record2.name,
+        }
+      );
+
+      t.end();
+    });
+
+    tap.test('get(): ' + dbEngine, async (t) => {
+      const ret1 = await configStore.get(record1.id);
+      const ret2 = await configStore.get(record2.id);
+
+      t.same(ret1, record1, 'unable to get record1');
+      t.same(ret2, record2, 'unable to get record2');
+
+      t.end();
+    });
+
+    tap.test('getByIndex(): ' + dbEngine, async (t) => {
+      const ret1 = await configStore.getByIndex({
+        name: 'name',
+        value: record1.name,
+      });
+
+      const ret2 = await configStore.getByIndex({
+        name: 'city',
+        value: record1.city,
+      });
+
+      t.same(ret1, [record1], 'unable to get index "name"');
+      t.same(
+        ret2.sort((a, b) => a.id.localeCompare(b.id)),
+        [record1, record2].sort((a, b) => a.id.localeCompare(b.id)),
+        'unable to get index "city"'
+      );
+
+      t.end();
+    });
+
+    tap.test('delete(): ' + dbEngine, async (t) => {
+      await configStore.delete(record1.id);
+
+      const ret0 = await configStore.getByIndex({
+        name: 'city',
+        value: record1.city,
+      });
+
+      t.same(ret0, [record2], 'unable to get index "city" after delete');
+
+      await configStore.delete(record2.id);
+
+      const ret1 = await configStore.get(record1.id);
+      const ret2 = await configStore.get(record2.id);
+
+      const ret3 = await configStore.getByIndex({
+        name: 'name',
+        value: record1.name,
+      });
+      const ret4 = await configStore.getByIndex({
+        name: 'city',
+        value: record1.city,
+      });
+
+      t.same(ret1, null, 'delete for record1 failed');
+      t.same(ret2, null, 'delete for record2 failed');
+
+      t.same(ret3, [], 'delete for record1 failed');
+      t.same(ret4, [], 'delete for record2 failed');
+
+      t.end();
+    });
+
+    tap.test('ttl indexes: ' + dbEngine, async (t) => {
+      try {
+        await ttlStore.put(
+          record1.id,
+          record1,
+          {
+            // secondary index on city
+            name: 'city',
+            value: record1.city,
+          },
+          {
+            // secondary index on name
+            name: 'name',
+            value: record1.name,
+          }
+        );
+
+        t.fail('expecting a secondary indexes not allow on a store with ttl');
+      } catch (err) {
+        t.ok(err, 'got expected error');
+      }
+
+      t.end();
+    });
+
+    tap.test('ttl put(): ' + dbEngine, async (t) => {
+      await ttlStore.put(record1.id, record1);
+
+      await ttlStore.put(record2.id, record2);
+
+      t.end();
+    });
+
+    tap.test('ttl get(): ' + dbEngine, async (t) => {
+      const ret1 = await ttlStore.get(record1.id);
+      const ret2 = await ttlStore.get(record2.id);
+
+      t.same(ret1, record1, 'unable to get record1');
+      t.same(ret2, record2, 'unable to get record2');
+
+      t.end();
+    });
+
+    tap.test('ttl expiry: ' + dbEngine, async (t) => {
+      // mongo runs ttl task every 60 seconds
+      if (dbEngine.startsWith('mongo')) {
+        t.end();
+        return;
+      }
+
+      await new Promise((resolve) =>
+        setTimeout(resolve, (2 * ttl + 0.5) * 1000)
+      );
+
+      const ret1 = await ttlStore.get(record1.id);
+      const ret2 = await ttlStore.get(record2.id);
+
+      t.same(ret1, null, 'ttl for record1 failed');
+      t.same(ret2, null, 'ttl for record2 failed');
+
+      t.end();
+    });
+  }
+
+  tap.test('db.new() error', async (t) => {
+    try {
+      await DB.new(<DatabaseOption>{
+        engine: <DatabaseEngine>'somedb',
+      });
+
+      t.fail('expecting an unsupported db error');
+    } catch (err) {
+      t.ok(err, 'got expected error');
+    }
+
+    t.end();
+  });
+
+  end();
+});

package/src/test/oauth.test.ts

@@ -0,0 +1,353 @@
+import crypto from 'crypto';
+import { promises as fs } from 'fs';
+import path from 'path';
+import { JacksonOption } from 'saml-jackson';
+import sinon from 'sinon';
+import tap from 'tap';
+import { JacksonError } from '../controller/error';
+import readConfig from '../read-config';
+import saml from '../saml/saml';
+
+// TODO: Add type
+let apiController;
+let oauthController;
+
+const code = '1234567890';
+const token = '24c1550190dd6a5a9bd6fe2a8ff69d593121c7b9';
+
+const metadataPath = path.join(__dirname, '/data/metadata');
+
+const options = {
+  externalUrl: 'https://my-cool-app.com',
+  samlAudience: 'https://saml.boxyhq.com',
+  samlPath: '/sso/oauth/saml',
+  db: {
+    engine: 'mem',
+  },
+} as JacksonOption;
+
+const samlConfig = {
+  tenant: 'boxyhq.com',
+  product: 'crm',
+  redirectUrl: '["http://localhost:3000/*"]',
+  defaultRedirectUrl: 'http://localhost:3000/login/saml',
+  rawMetadata: null,
+};
+
+const addMetadata = async (metadataPath) => {
+  const configs = await readConfig(metadataPath);
+
+  for (const config of configs) {
+    await apiController.config(config);
+  }
+};
+
+tap.before(async () => {
+  const controller = await (await import('../index')).default(options);
+
+  apiController = controller.apiController;
+  oauthController = controller.oauthController;
+
+  await addMetadata(metadataPath);
+});
+
+tap.teardown(async () => {
+  process.exit(0);
+});
+
+tap.test('authorize()', async (t) => {
+  t.test('Should throw an error if `redirect_uri` null', async (t) => {
+    const body = {
+      redirect_uri: null,
+      state: 'state',
+    };
+
+    try {
+      await oauthController.authorize(body);
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(
+        message,
+        'Please specify a redirect URL.',
+        'got expected error message'
+      );
+      t.equal(statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `state` null', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: null,
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(
+        message,
+        'Please specify a state to safeguard against XSRF attacks.',
+        'got expected error message'
+      );
+      t.equal(statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `client_id` is invalid', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: 'state-123',
+      client_id: '27fa9a11875ec3a0',
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(
+        message,
+        'SAML configuration not found.',
+        'got expected error message'
+      );
+      t.equal(statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should throw an error if `redirect_uri` is not allowed',
+    async (t) => {
+      const body = {
+        redirect_uri: 'https://example.com/',
+        state: 'state-123',
+        client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      };
+
+      try {
+        await oauthController.authorize(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        const { message, statusCode } = err as JacksonError;
+        t.equal(
+          message,
+          'Redirect URL is not allowed.',
+          'got expected error message'
+        );
+        t.equal(statusCode, 403, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should return the Idp SSO URL', async (t) => {
+    const body = {
+      redirect_uri: samlConfig.defaultRedirectUrl,
+      state: 'state-123',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+    };
+
+    const response = await oauthController.authorize(body);
+    const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+    t.ok('redirect_url' in response, 'got the Idp authorize URL');
+    t.ok(params.has('RelayState'), 'RelayState present in the query string');
+    t.ok(params.has('SAMLRequest'), 'SAMLRequest present in the query string');
+
+    t.end();
+  });
+
+  t.end();
+});
+
+tap.test('samlResponse()', async (t) => {
+  const authBody = {
+    redirect_uri: samlConfig.defaultRedirectUrl,
+    state: 'state-123',
+    client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+  };
+
+  const { redirect_url } = await oauthController.authorize(authBody);
+
+  const relayState = new URLSearchParams(new URL(redirect_url).search).get(
+    'RelayState'
+  );
+
+  const rawResponse = await fs.readFile(
+    path.join(__dirname, '/data/saml_response'),
+    'utf8'
+  );
+
+  t.test('Should throw an error if `RelayState` is missing', async (t) => {
+    const responseBody = {
+      SAMLResponse: rawResponse,
+    };
+
+    try {
+      await oauthController.samlResponse(responseBody);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(
+        message,
+        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+        'got expected error message'
+      );
+
+      t.equal(statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should return a URL with code and state as query params',
+    async (t) => {
+      const responseBody = {
+        SAMLResponse: rawResponse,
+        RelayState: relayState,
+      };
+
+      const stubValidateAsync = sinon
+        .stub(saml, 'validateAsync')
+        .resolves({ audience: '', claims: {}, issuer: '', sessionIndex: '' });
+      //@ts-ignore
+      const stubRandomBytes = sinon.stub(crypto, 'randomBytes').returns(code);
+
+      const response = await oauthController.samlResponse(responseBody);
+
+      const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+      t.ok(stubValidateAsync.calledOnce, 'validateAsync called once');
+      t.ok(stubRandomBytes.calledOnce, 'randomBytes called once');
+      t.ok('redirect_url' in response, 'response contains redirect_url');
+      t.ok(params.has('code'), 'query string includes code');
+      t.ok(params.has('state'), 'query string includes state');
+      t.match(params.get('state'), authBody.state, 'state value is valid');
+
+      stubRandomBytes.restore();
+      stubValidateAsync.restore();
+
+      t.end();
+    }
+  );
+
+  t.end();
+});
+
+tap.test('token()', (t) => {
+  t.test(
+    'Should throw an error if `grant_type` is not `authorization_code`',
+    async (t) => {
+      const body = {
+        grant_type: 'authorization_code_1',
+      };
+
+      try {
+        await oauthController.token(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        const { message, statusCode } = err as JacksonError;
+        t.equal(
+          message,
+          'Unsupported grant_type',
+          'got expected error message'
+        );
+        t.equal(statusCode, 400, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should throw an error if `code` is missing', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(message, 'Please specify code', 'got expected error message');
+      t.equal(statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `code` is invalid', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: 'invalid-code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      const { message, statusCode } = err as JacksonError;
+      t.equal(message, 'Invalid code', 'got expected error message');
+      t.equal(statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should return the `access_token` for a valid request', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: code,
+    };
+
+    const stubRandomBytes = sinon
+      .stub(crypto, 'randomBytes')
+      .onFirstCall()
+      //@ts-ignore
+      .returns(token);
+
+    const response = await oauthController.token(body);
+
+    t.ok(stubRandomBytes.calledOnce, 'randomBytes called once');
+    t.ok('access_token' in response, 'includes access_token');
+    t.ok('token_type' in response, 'includes token_type');
+    t.ok('expires_in' in response, 'includes expires_in');
+    t.match(response.access_token, token);
+    t.match(response.token_type, 'bearer');
+    t.match(response.expires_in, 300);
+
+    stubRandomBytes.restore();
+
+    t.end();
+  });
+
+  // TODO
+  t.test('Handle invalid client_id', async (t) => {
+    t.end();
+  });
+
+  t.end();
+});