@boxyhq/saml-jackson 0.2.3-beta.228 → 0.2.3-beta.233

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.3-beta.228",
+  "version": "0.2.3-beta.233",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "dist/index.js",
@@ -54,6 +54,8 @@
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
+    "@types/express": "^4.17.13",
+    "@types/node": "^16.11.17",
     "@types/redis": "4.0.11",
     "@types/sinon": "10.0.6",
     "@types/tap": "15.0.5",
@@ -74,5 +76,9 @@
   "lint-staged": {
     "*.{js,ts}": "eslint --cache --fix",
     "*.{js,ts,css,md}": "prettier --write"
-  }
+  },
+  "files": [
+    "dist",
+    "Dockerfile"
+  ]
 }

package/ nodemon.json

@@ -1,12 +0,0 @@
-{
-  "restartable": "rs",
-  "ignore": [".git", "node_modules/", "dist/", "coverage/"],
-  "watch": ["src/"],
-  "execMap": {
-    "ts": "node -r ts-node/register"
-  },
-  "env": {
-    "NODE_ENV": "development"
-  },
-  "ext": "js,json,ts"
-}

package/.dockerignore

@@ -1,2 +0,0 @@
-node_modules
-npm-debug.log

package/.eslintrc.js

@@ -1,18 +0,0 @@
-module.exports = {
-  env: {
-    es2021: true,
-    node: true,
-  },
-  parserOptions: {
-    ecmaVersion: 13,
-    sourceType: 'module',
-  },
-  root: true,
-  parser: '@typescript-eslint/parser',
-  plugins: ['@typescript-eslint'],
-  extends: [
-    'eslint:recommended',
-    'plugin:@typescript-eslint/recommended',
-    'prettier',
-  ],
-};

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,27 +0,0 @@
----
-name: Bug report
-about: Report any issues with the platform
-title: ""
-labels: bug
-assignees: ""
----
-
-Found a bug? Please fill out the sections below. 👍
-
-### Issue Summary
-
-A summary of the issue. This needs to be a clear detailed-rich summary.
-
-### Steps to Reproduce
-
-1. (for example) Went to ...
-2. Clicked on...
-3. ...
-
-Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?
-
-### Technical details
-
-- Browser version: You can use https://www.whatsmybrowser.org/ to find this out.
-- Node.js version
-- Anything else that you think could be an issue.

package/.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Questions
-    url: https://github.com/boxyhq/jackson/discussions
-    about: Ask a general question about the project on our GitHub Discussion page

package/.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,43 +0,0 @@
----
-name: Feature request
-about: Suggest a feature or idea
-title: ""
-labels: enhancement
-assignees: ""
----
-
-> Please check if your Feature Request has not been already raised in the [Discussions Tab](https://github.com/boxyhq/jackson/discussions), as we would like to reduce duplicates. If it has been already raised, simply upvote it 🔼.
-
-### Is your proposal related to a problem?
-
-<!--
-  Provide a clear and concise description of what the problem is.
-  For example, "I'm always frustrated when..."
--->
-
-(Write your answer here.)
-
-### Describe the solution you'd like
-
-<!--
-  Provide a clear and concise description of what you want to happen.
--->
-
-(Describe your proposed solution here.)
-
-### Describe alternatives you've considered
-
-<!--
-  Let us know about other solutions you've tried or researched.
--->
-
-(Write your answer here.)
-
-### Additional context
-
-<!--
-  Is there anything else you can add about the proposal?
-  You might want to link to related issues here, if you haven't already.
--->
-
-(Write your answer here.)

package/.github/pull_request_template.md

@@ -1,31 +0,0 @@
-## What does this PR do?
-
-<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
-
-Fixes # (issue)
-
-## Type of change
-
-<!-- Please delete options that are not relevant. -->
-
-- [ ] Bug fix (non-breaking change which fixes an issue)
-- [ ] New feature (non-breaking change which adds functionality)
-- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
-- [ ] This change requires a documentation update
-
-## How should this be tested?
-
-<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration -->
-
-- [ ] Test A
-- [ ] Test B
-
-## Checklist:
-
-- [ ] My code follows the style guidelines of this project
-- [ ] I have performed a self-review of my own code and corrected any misspellings
-- [ ] I have commented my code, particularly in hard-to-understand areas
-- [ ] I have made corresponding changes to the documentation
-- [ ] My changes generate no new warnings
-- [ ] I have added tests that prove my fix is effective or that my feature works
-- [ ] New and existing unit tests pass locally with my changes

package/.github/workflows/codesee-arch-diagram.yml

@@ -1,81 +0,0 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-
-name: CodeSee Map
-
-jobs:
-  test_map_action:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    name: Run CodeSee Map Analysis
-    steps:
-      - name: checkout
-        id: checkout
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
-          fetch-depth: 0
-
-      # codesee-detect-languages has an output with id languages.
-      - name: Detect Languages
-        id: detect-languages
-        uses: Codesee-io/codesee-detect-languages-action@latest
-
-      - name: Configure JDK 16
-        uses: actions/setup-java@v2
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).java }}
-        with:
-          java-version: '16'
-          distribution: 'zulu'
-
-      # CodeSee Maps Go support uses a static binary so there's no setup step required.
-
-      - name: Configure Node.js 14
-        uses: actions/setup-node@v2
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).javascript }}
-        with:
-          node-version: '14'
-
-      - name: Configure Python 3.x
-        uses: actions/setup-python@v2
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).python }}
-        with:
-          python-version: '3.x'
-          architecture: 'x64'
-
-      - name: Configure Ruby '3.x'
-        uses: ruby/setup-ruby@v1
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).ruby }}
-        with:
-          ruby-version: '3.0'
-
-      # CodeSee Maps Rust support uses a static binary so there's no setup step required.
-
-      - name: Generate Map
-        id: generate-map
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: map
-          github_ref: ${{ github.ref }}
-          languages: ${{ steps.detect-languages.outputs.languages }}
-
-      - name: Upload Map
-        id: upload-map
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: mapUpload
-          api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
-          github_ref: ${{ github.ref }}
-      
-      - name: Insights
-        id: insights
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: insights
-          api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
-          github_ref: ${{ github.ref }}

package/.github/workflows/main.yml

@@ -1,123 +0,0 @@
-# This is a basic workflow to help you get started with Actions
-
-name: CI
-
-# Controls when the workflow will run
-on:
-  # Triggers the workflow on push or pull request events but only for the main branch
-  push:
-    branches:
-      - '*'
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [16.x]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
-
-    services:
-      postgres:
-        image: postgres:13
-        ports:
-          - 5432:5432
-        env:
-          POSTGRES_PASSWORD: ""
-          POSTGRES_HOST_AUTH_METHOD: "trust"
-        # Set health checks to wait until postgres has started
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-      redis:
-        image: redis:6.2.5-alpine
-        ports:
-          - 6379:6379
-      mongo:
-        image: mongo:4.4.10
-        ports:
-          - 27017:27017
-      mysql:
-        image: mysql:5.7
-        ports:
-          - 3307:3306
-        env:
-          MYSQL_DATABASE: mysql
-          MYSQL_ROOT_PASSWORD: mysql
-      maria:
-        image: mariadb:10.4.22
-        ports:
-          - 3306:3306
-        env:
-          MARIADB_DATABASE: mysql
-          MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"
-          
-    steps:
-    - uses: actions/checkout@v2
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v2
-      with:
-        always-auth: true
-        node-version: ${{ matrix.node-version }}
-        registry-url: https://registry.npmjs.org
-        scope: '@boxyhq'
-        cache: 'npm'
-    - run: npm ci
-    - run: npm run test
-    - run: |
-        publishTag="latest"
-        if [[ "$GITHUB_REF" == *\/release ]]
-        then
-          echo "Release branch"
-        else
-          echo "Dev branch"
-          publishTag="beta"
-          versionSuffixTag="-beta.${GITHUB_RUN_NUMBER}"
-          sed "s/\(^[ ]*\"version\"\:[ ]*\".*\)\",/\1${versionSuffixTag}\",/" < package.json > package.json.new
-          mv package.json.new package.json
-        fi
-        npm publish --tag $publishTag --access public
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  build:
-    needs: publish
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check Out Repo 
-        uses: actions/checkout@v2
-
-      - name: Get short SHA
-        id: slug
-        run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)"
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: ./
-          file: ./Dockerfile
-          push: true
-          tags: ${{ github.repository }}:latest,${{ github.repository }}:${{ steps.slug.outputs.sha7 }}
-
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}

package/_dev/docker-compose.yml

@@ -1,37 +0,0 @@
-# this file is a helper to run all the supported dbs locally, the data is ephemeral since no host volumes will be mounted
-version: "3.6"
-services:
-  postgres:
-    image: postgres:13
-    ports:
-      - "5432:5432"
-    restart: always
-    environment:
-      POSTGRES_PASSWORD: ""
-      POSTGRES_HOST_AUTH_METHOD: trust
-  redis:
-    image: redis:6.2.5-alpine
-    ports:
-      - "6379:6379"
-    restart: always
-  mongo:
-    image: mongo:4.4.10
-    ports:
-      - "27017:27017"
-    restart: always
-  mysql:
-    image: mysql:5.7
-    ports:
-      - "3307:3306"
-    restart: always
-    environment:
-      MYSQL_DATABASE: mysql
-      MYSQL_ROOT_PASSWORD: mysql
-  maria:
-    image: mariadb:10.4.22
-    ports:
-      - "3306:3306"
-    restart: always
-    environment:
-      MARIADB_DATABASE: mysql
-      MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"

package/map.js

@@ -1 +0,0 @@
-module.exports = (test) => test.replace(/\.test\.js$/, '.js');

package/prettier.config.js

@@ -1,4 +0,0 @@
-module.exports = {
-  singleQuote: true,
-  trailingComma: 'es5',
-};

package/src/controller/api.ts

@@ -1,225 +0,0 @@
-import crypto from 'crypto';
-import { IdPConfig, ISAMLConfig, OAuth, Storable } from 'saml-jackson';
-import * as dbutils from '../db/utils';
-import saml from '../saml/saml';
-import { JacksonError } from './error';
-import { IndexNames } from './utils';
-import x509 from '../saml/x509';
-
-export class SAMLConfig implements ISAMLConfig {
-  private configStore: Storable;
-
-  constructor({ configStore }) {
-    this.configStore = configStore;
-  }
-
-  private _validateIdPConfig(body: IdPConfig): void {
-    const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
-      body;
-
-    if (!rawMetadata) {
-      throw new JacksonError('Please provide rawMetadata', 400);
-    }
-
-    if (!defaultRedirectUrl) {
-      throw new JacksonError('Please provide a defaultRedirectUrl', 400);
-    }
-
-    if (!redirectUrl) {
-      throw new JacksonError('Please provide redirectUrl', 400);
-    }
-
-    if (!tenant) {
-      throw new JacksonError('Please provide tenant', 400);
-    }
-
-    if (!product) {
-      throw new JacksonError('Please provide product', 400);
-    }
-  }
-
-  public async create(body: IdPConfig): Promise<OAuth> {
-    const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
-      body;
-
-    this._validateIdPConfig(body);
-
-    const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
-
-    // extract provider
-    let providerName = extractHostName(idpMetadata.entityID);
-    if (!providerName) {
-      providerName = extractHostName(
-        idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
-      );
-    }
-
-    idpMetadata.provider = providerName ? providerName : 'Unknown';
-
-    let clientID = dbutils.keyDigest(
-      dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
-    );
-
-    let clientSecret;
-
-    let exists = await this.configStore.get(clientID);
-
-    if (exists) {
-      clientSecret = exists.clientSecret;
-    } else {
-      clientSecret = crypto.randomBytes(24).toString('hex');
-    }
-
-    const certs = await x509.generate();
-
-    if (!certs) {
-      throw new Error('Error generating x59 certs');
-    }
-
-    await this.configStore.put(
-      clientID,
-      {
-        idpMetadata,
-        defaultRedirectUrl,
-        redirectUrl: JSON.parse(redirectUrl), // redirectUrl is a stringified array
-        tenant,
-        product,
-        clientID,
-        clientSecret,
-        certs,
-      },
-      {
-        // secondary index on entityID
-        name: IndexNames.EntityID,
-        value: idpMetadata.entityID,
-      },
-      {
-        // secondary index on tenant + product
-        name: IndexNames.TenantProduct,
-        value: dbutils.keyFromParts(tenant, product),
-      }
-    );
-
-    return {
-      client_id: clientID,
-      client_secret: clientSecret,
-      provider: idpMetadata.provider,
-    };
-  }
-
-  public async get(body: {
-    clientID: string;
-    tenant: string;
-    product: string;
-  }): Promise<Partial<OAuth>> {
-    const { clientID, tenant, product } = body;
-
-    if (clientID) {
-      const samlConfig = await this.configStore.get(clientID);
-
-      return samlConfig ? { provider: samlConfig.idpMetadata.provider } : {};
-    }
-
-    if (tenant && product) {
-      const samlConfigs = await this.configStore.getByIndex({
-        name: IndexNames.TenantProduct,
-        value: dbutils.keyFromParts(tenant, product),
-      });
-
-      if (!samlConfigs || !samlConfigs.length) {
-        return {};
-      }
-
-      return { provider: samlConfigs[0].idpMetadata.provider };
-    }
-
-    throw new JacksonError(
-      'Please provide `clientID` or `tenant` and `product`.',
-      400
-    );
-  }
-
-  public async delete(body: {
-    clientID: string;
-    clientSecret: string;
-    tenant: string;
-    product: string;
-  }): Promise<void> {
-    const { clientID, clientSecret, tenant, product } = body;
-
-    if (clientID && clientSecret) {
-      const samlConfig = await this.configStore.get(clientID);
-
-      if (!samlConfig) {
-        return;
-      }
-
-      if (samlConfig.clientSecret === clientSecret) {
-        await this.configStore.delete(clientID);
-      } else {
-        throw new JacksonError('clientSecret mismatch.', 400);
-      }
-
-      return;
-    }
-
-    if (tenant && product) {
-      const samlConfigs = await this.configStore.getByIndex({
-        name: IndexNames.TenantProduct,
-        value: dbutils.keyFromParts(tenant, product),
-      });
-
-      if (!samlConfigs || !samlConfigs.length) {
-        return;
-      }
-
-      for (const conf of samlConfigs) {
-        await this.configStore.delete(conf.clientID);
-      }
-
-      return;
-    }
-
-    throw new JacksonError(
-      'Please provide `clientID` and `clientSecret` or `tenant` and `product`.',
-      400
-    );
-  }
-
-  // Ensure backward compatibility
-
-  async config(body: IdPConfig): Promise<OAuth> {
-    return this.create(body);
-  }
-
-  async getConfig(body: {
-    clientID: string;
-    tenant: string;
-    product: string;
-  }): Promise<Partial<OAuth>> {
-    return this.get(body);
-  }
-
-  async deleteConfig(body: {
-    clientID: string;
-    clientSecret: string;
-    tenant: string;
-    product: string;
-  }): Promise<void> {
-    return this.delete(body);
-  }
-}
-
-const extractHostName = (url: string): string | null => {
-  try {
-    const pUrl = new URL(url);
-
-    if (pUrl.hostname.startsWith('www.')) {
-      return pUrl.hostname.substring(4);
-    }
-
-    return pUrl.hostname;
-  } catch (err) {
-    return null;
-  }
-};

package/src/controller/error.ts

@@ -1,13 +0,0 @@
-export class JacksonError extends Error {
-  public name: string;
-  public statusCode: number;
-
-  constructor(message: string, statusCode: number = 500) {
-    super(message);
-
-    this.name = this.constructor.name;
-    this.statusCode = statusCode;
-
-    Error.captureStackTrace(this, this.constructor);
-  }
-}

package/src/controller/oauth/allowed.ts

@@ -1,22 +0,0 @@
-export const redirect = (
-  redirectUrl: string,
-  redirectUrls: string[]
-): boolean => {
-  const url: URL = new URL(redirectUrl);
-
-  for (const idx in redirectUrls) {
-    const rUrl: URL = new URL(redirectUrls[idx]);
-
-    // TODO: Check pathname, for now pathname is ignored
-
-    if (
-      rUrl.protocol === url.protocol &&
-      rUrl.hostname === url.hostname &&
-      rUrl.port === url.port
-    ) {
-      return true;
-    }
-  }
-
-  return false;
-};

package/src/controller/oauth/code-verifier.ts

@@ -1,11 +0,0 @@
-import crypto from 'crypto';
-
-export const transformBase64 = (input: string): string => {
-  return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
-};
-
-export const encode = (code_challenge: string): string => {
-  return transformBase64(
-    crypto.createHash('sha256').update(code_challenge).digest('base64')
-  );
-};