@boxyhq/saml-jackson 0.2.3-beta.231 → 0.2.3-beta.235

package/src/controller/error.ts

@@ -1,13 +0,0 @@
-export class JacksonError extends Error {
-  public name: string;
-  public statusCode: number;
-
-  constructor(message: string, statusCode = 500) {
-    super(message);
-
-    this.name = this.constructor.name;
-    this.statusCode = statusCode;
-
-    Error.captureStackTrace(this, this.constructor);
-  }
-}

package/src/controller/oauth/allowed.ts

@@ -1,22 +0,0 @@
-export const redirect = (
-  redirectUrl: string,
-  redirectUrls: string[]
-): boolean => {
-  const url: URL = new URL(redirectUrl);
-
-  for (const idx in redirectUrls) {
-    const rUrl: URL = new URL(redirectUrls[idx]);
-
-    // TODO: Check pathname, for now pathname is ignored
-
-    if (
-      rUrl.protocol === url.protocol &&
-      rUrl.hostname === url.hostname &&
-      rUrl.port === url.port
-    ) {
-      return true;
-    }
-  }
-
-  return false;
-};

package/src/controller/oauth/code-verifier.ts

@@ -1,11 +0,0 @@
-import crypto from 'crypto';
-
-export const transformBase64 = (input: string): string => {
-  return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
-};
-
-export const encode = (code_challenge: string): string => {
-  return transformBase64(
-    crypto.createHash('sha256').update(code_challenge).digest('base64')
-  );
-};

package/src/controller/oauth/redirect.ts

@@ -1,12 +0,0 @@
-export const success = (
-  redirectUrl: string,
-  params: Record<string, string>
-): string => {
-  const url: URL = new URL(redirectUrl);
-
-  for (const [key, value] of Object.entries(params)) {
-    url.searchParams.set(key, value);
-  }
-
-  return url.href;
-};

package/src/controller/oauth.ts

@@ -1,334 +0,0 @@
-import crypto from 'crypto';
-import {
-  IOAuthController,
-  JacksonOption,
-  OAuthReqBody,
-  OAuthTokenReq,
-  OAuthTokenRes,
-  Profile,
-  SAMLResponsePayload,
-  Storable,
-} from 'saml-jackson';
-import * as dbutils from '../db/utils';
-import saml from '../saml/saml';
-import { JacksonError } from './error';
-import * as allowed from './oauth/allowed';
-import * as codeVerifier from './oauth/code-verifier';
-import * as redirect from './oauth/redirect';
-import { IndexNames } from './utils';
-
-const relayStatePrefix = 'boxyhq_jackson_';
-
-function getEncodedClientId(
-  client_id: string
-): { tenant: string | null; product: string | null } | null {
-  try {
-    const sp = new URLSearchParams(client_id);
-    const tenant = sp.get('tenant');
-    const product = sp.get('product');
-    if (tenant && product) {
-      return {
-        tenant: sp.get('tenant'),
-        product: sp.get('product'),
-      };
-    }
-
-    return null;
-  } catch (err) {
-    return null;
-  }
-}
-
-export class OAuthController implements IOAuthController {
-  private configStore: Storable;
-  private sessionStore: Storable;
-  private codeStore: Storable;
-  private tokenStore: Storable;
-  private opts: JacksonOption;
-
-  constructor({ configStore, sessionStore, codeStore, tokenStore, opts }) {
-    this.configStore = configStore;
-    this.sessionStore = sessionStore;
-    this.codeStore = codeStore;
-    this.tokenStore = tokenStore;
-    this.opts = opts;
-  }
-
-  public async authorize(
-    body: OAuthReqBody
-  ): Promise<{ redirect_url: string }> {
-    const {
-      response_type = 'code',
-      client_id,
-      redirect_uri,
-      state,
-      tenant,
-      product,
-      code_challenge,
-      code_challenge_method = '',
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      provider = 'saml',
-    } = body;
-
-    if (!redirect_uri) {
-      throw new JacksonError('Please specify a redirect URL.', 400);
-    }
-
-    if (!state) {
-      throw new JacksonError(
-        'Please specify a state to safeguard against XSRF attacks.',
-        400
-      );
-    }
-
-    let samlConfig;
-
-    if (tenant && product) {
-      const samlConfigs = await this.configStore.getByIndex({
-        name: IndexNames.TenantProduct,
-        value: dbutils.keyFromParts(tenant, product),
-      });
-
-      if (!samlConfigs || samlConfigs.length === 0) {
-        throw new JacksonError('SAML configuration not found.', 403);
-      }
-
-      // TODO: Support multiple matches
-      samlConfig = samlConfigs[0];
-    } else if (
-      client_id &&
-      client_id !== '' &&
-      client_id !== 'undefined' &&
-      client_id !== 'null'
-    ) {
-      // if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
-      const sp = getEncodedClientId(client_id);
-      if (sp?.tenant) {
-        const samlConfigs = await this.configStore.getByIndex({
-          name: IndexNames.TenantProduct,
-          value: dbutils.keyFromParts(sp.tenant, sp.product || ''),
-        });
-
-        if (!samlConfigs || samlConfigs.length === 0) {
-          throw new JacksonError('SAML configuration not found.', 403);
-        }
-
-        // TODO: Support multiple matches
-        samlConfig = samlConfigs[0];
-      } else {
-        samlConfig = await this.configStore.get(client_id);
-      }
-    } else {
-      throw new JacksonError(
-        'You need to specify client_id or tenant & product',
-        403
-      );
-    }
-
-    if (!samlConfig) {
-      throw new JacksonError('SAML configuration not found.', 403);
-    }
-
-    if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-      throw new JacksonError('Redirect URL is not allowed.', 403);
-    }
-
-    const samlReq = saml.request({
-      entityID: this.opts.samlAudience,
-      callbackUrl: this.opts.externalUrl + this.opts.samlPath,
-      signingKey: samlConfig.certs.privateKey,
-    });
-
-    const sessionId = crypto.randomBytes(16).toString('hex');
-
-    await this.sessionStore.put(sessionId, {
-      id: samlReq.id,
-      redirect_uri,
-      response_type,
-      state,
-      code_challenge,
-      code_challenge_method,
-    });
-
-    const redirectUrl = redirect.success(
-      samlConfig.idpMetadata.sso.redirectUrl,
-      {
-        RelayState: relayStatePrefix + sessionId,
-        SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
-      }
-    );
-
-    return { redirect_url: redirectUrl };
-  }
-
-  public async samlResponse(
-    body: SAMLResponsePayload
-  ): Promise<{ redirect_url: string }> {
-    const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
-
-    let RelayState = body.RelayState || '';
-
-    if (!this.opts.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
-      // IDP is disabled so block the request
-
-      throw new JacksonError(
-        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
-        403
-      );
-    }
-
-    if (!RelayState.startsWith(relayStatePrefix)) {
-      RelayState = '';
-    }
-
-    RelayState = RelayState.replace(relayStatePrefix, '');
-
-    const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
-
-    const parsedResp = await saml.parseAsync(rawResponse);
-
-    const samlConfigs = await this.configStore.getByIndex({
-      name: IndexNames.EntityID,
-      value: parsedResp?.issuer,
-    });
-
-    if (!samlConfigs || samlConfigs.length === 0) {
-      throw new JacksonError('SAML configuration not found.', 403);
-    }
-
-    // TODO: Support multiple matches
-    const samlConfig = samlConfigs[0];
-
-    let session;
-
-    if (RelayState !== '') {
-      session = await this.sessionStore.get(RelayState);
-      if (!session) {
-        throw new JacksonError(
-          'Unable to validate state from the origin request.',
-          403
-        );
-      }
-    }
-
-    const validateOpts: Record<string, string> = {
-      thumbprint: samlConfig.idpMetadata.thumbprint,
-      audience: this.opts.samlAudience,
-    };
-
-    if (session && session.id) {
-      validateOpts.inResponseTo = session.id;
-    }
-
-    const profile = await saml.validateAsync(rawResponse, validateOpts);
-
-    // store details against a code
-    const code = crypto.randomBytes(20).toString('hex');
-
-    const codeVal: Record<string, unknown> = {
-      profile,
-      clientID: samlConfig.clientID,
-      clientSecret: samlConfig.clientSecret,
-    };
-
-    if (session) {
-      codeVal.session = session;
-    }
-
-    await this.codeStore.put(code, codeVal);
-
-    if (
-      session &&
-      session.redirect_uri &&
-      !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
-    ) {
-      throw new JacksonError('Redirect URL is not allowed.', 403);
-    }
-
-    const params: Record<string, string> = {
-      code,
-    };
-
-    if (session && session.state) {
-      params.state = session.state;
-    }
-
-    const redirectUrl = redirect.success(
-      (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
-      params
-    );
-
-    return { redirect_url: redirectUrl };
-  }
-
-  public async token(body: OAuthTokenReq): Promise<OAuthTokenRes> {
-    const {
-      client_id,
-      client_secret,
-      code_verifier,
-      code,
-      grant_type = 'authorization_code',
-    } = body;
-
-    if (grant_type !== 'authorization_code') {
-      throw new JacksonError('Unsupported grant_type', 400);
-    }
-
-    if (!code) {
-      throw new JacksonError('Please specify code', 400);
-    }
-
-    const codeVal = await this.codeStore.get(code);
-    if (!codeVal || !codeVal.profile) {
-      throw new JacksonError('Invalid code', 403);
-    }
-
-    if (client_id && client_secret) {
-      // check if we have an encoded client_id
-      if (client_id !== 'dummy' && client_secret !== 'dummy') {
-        const sp = getEncodedClientId(client_id);
-        if (!sp) {
-          // OAuth flow
-          if (
-            client_id !== codeVal.clientID ||
-            client_secret !== codeVal.clientSecret
-          ) {
-            throw new JacksonError('Invalid client_id or client_secret', 401);
-          }
-        }
-      }
-    } else if (code_verifier) {
-      // PKCE flow
-      let cv = code_verifier;
-      if (codeVal.session.code_challenge_method.toLowerCase() === 's256') {
-        cv = codeVerifier.encode(code_verifier);
-      }
-
-      if (codeVal.session.code_challenge !== cv) {
-        throw new JacksonError('Invalid code_verifier', 401);
-      }
-    } else if (codeVal && codeVal.session) {
-      throw new JacksonError(
-        'Please specify client_secret or code_verifier',
-        401
-      );
-    }
-
-    // store details against a token
-    const token = crypto.randomBytes(20).toString('hex');
-
-    await this.tokenStore.put(token, codeVal.profile);
-
-    return {
-      access_token: token,
-      token_type: 'bearer',
-      expires_in: this.opts.db.ttl,
-    };
-  }
-
-  public async userInfo(token: string): Promise<Profile> {
-    const { claims } = await this.tokenStore.get(token);
-
-    return claims;
-  }
-}

package/src/controller/utils.ts

@@ -1,17 +0,0 @@
-import { Request } from 'express';
-
-export const extractAuthToken = (req: Request): string | null => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
-export enum IndexNames {
-  EntityID = 'entityID',
-  TenantProduct = 'tenantProduct',
-}

package/src/db/db.ts

@@ -1,100 +0,0 @@
-import {
-  DatabaseDriver,
-  DatabaseOption,
-  Encrypted,
-  EncryptionKey,
-  Index,
-  Storable,
-} from 'saml-jackson';
-import * as encrypter from './encrypter';
-import mem from './mem';
-import mongo from './mongo';
-import redis from './redis';
-import sql from './sql/sql';
-import store from './store';
-
-const decrypt = (res: Encrypted, encryptionKey: EncryptionKey): unknown => {
-  if (res.iv && res.tag) {
-    return JSON.parse(
-      encrypter.decrypt(res.value, res.iv, res.tag, encryptionKey)
-    );
-  }
-
-  return JSON.parse(res.value);
-};
-
-class DB implements DatabaseDriver {
-  private db: DatabaseDriver;
-  private encryptionKey: EncryptionKey;
-
-  constructor(db: DatabaseDriver, encryptionKey: EncryptionKey) {
-    this.db = db;
-    this.encryptionKey = encryptionKey;
-  }
-
-  async get(namespace: string, key: string): Promise<unknown> {
-    const res = await this.db.get(namespace, key);
-
-    if (!res) {
-      return null;
-    }
-
-    return decrypt(res, this.encryptionKey);
-  }
-
-  async getByIndex(namespace: string, idx: Index): Promise<unknown[]> {
-    const res = await this.db.getByIndex(namespace, idx);
-    const encryptionKey = this.encryptionKey;
-    return res.map((r) => {
-      return decrypt(r, encryptionKey);
-    });
-  }
-
-  // ttl is in seconds
-  async put(
-    namespace: string,
-    key: string,
-    val: unknown,
-    ttl = 0,
-    ...indexes: Index[]
-  ): Promise<unknown> {
-    if (ttl > 0 && indexes && indexes.length > 0) {
-      throw new Error('secondary indexes not allow on a store with ttl');
-    }
-
-    const dbVal = this.encryptionKey
-      ? encrypter.encrypt(JSON.stringify(val), this.encryptionKey)
-      : { value: JSON.stringify(val) };
-
-    return await this.db.put(namespace, key, dbVal, ttl, ...indexes);
-  }
-
-  async delete(namespace: string, key: string): Promise<unknown> {
-    return await this.db.delete(namespace, key);
-  }
-
-  store(namespace: string, ttl = 0): Storable {
-    return store.new(namespace, this, ttl);
-  }
-}
-
-export = {
-  new: async (options: DatabaseOption) => {
-    const encryptionKey = options.encryptionKey
-      ? Buffer.from(options.encryptionKey, 'latin1')
-      : null;
-
-    switch (options.engine) {
-      case 'redis':
-        return new DB(await redis.new(options), encryptionKey);
-      case 'sql':
-        return new DB(await sql.new(options), encryptionKey);
-      case 'mongo':
-        return new DB(await mongo.new(options), encryptionKey);
-      case 'mem':
-        return new DB(await mem.new(options), encryptionKey);
-      default:
-        throw new Error('unsupported db engine: ' + options.engine);
-    }
-  },
-};

package/src/db/encrypter.ts

@@ -1,38 +0,0 @@
-import crypto from 'crypto';
-import { Encrypted, EncryptionKey } from 'saml-jackson';
-
-const ALGO = 'aes-256-gcm';
-const BLOCK_SIZE = 16; // 128 bit
-
-export const encrypt = (text: string, key: EncryptionKey): Encrypted => {
-  const iv = crypto.randomBytes(BLOCK_SIZE);
-  const cipher = crypto.createCipheriv(ALGO, key, iv);
-
-  let ciphertext = cipher.update(text, 'utf8', 'base64');
-  ciphertext += cipher.final('base64');
-
-  return {
-    iv: iv.toString('base64'),
-    tag: cipher.getAuthTag().toString('base64'),
-    value: ciphertext,
-  };
-};
-
-export const decrypt = (
-  ciphertext: string,
-  iv: string,
-  tag: string,
-  key: EncryptionKey
-): string => {
-  const decipher = crypto.createDecipheriv(
-    ALGO,
-    key,
-    Buffer.from(iv, 'base64')
-  );
-  decipher.setAuthTag(Buffer.from(tag, 'base64'));
-
-  let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
-  cleartext += decipher.final('utf8');
-
-  return cleartext;
-};

package/src/db/mem.ts

@@ -1,128 +0,0 @@
-// This is an in-memory implementation to be used with testing and prototyping only
-
-import { DatabaseDriver, DatabaseOption, Index, Encrypted } from 'saml-jackson';
-import * as dbutils from './utils';
-
-class Mem implements DatabaseDriver {
-  private options: DatabaseOption;
-  private store: any;
-  private indexes: any;
-  private cleanup: any;
-  private ttlStore: any;
-  private ttlCleanup: any;
-  private timerId: any;
-
-  constructor(options: DatabaseOption) {
-    this.options = options;
-  }
-
-  async init(): Promise<Mem> {
-    this.store = {}; // map of key, value
-    this.indexes = {}; // map of key, Set
-    this.cleanup = {}; // map of indexes for cleanup when store key is deleted
-    this.ttlStore = {}; // map of key to ttl
-
-    if (this.options.ttl) {
-      this.ttlCleanup = async () => {
-        const now = Date.now();
-        for (const k in this.ttlStore) {
-          if (this.ttlStore[k].expiresAt < now) {
-            await this.delete(this.ttlStore[k].namespace, this.ttlStore[k].key);
-          }
-        }
-
-        if (this.options.ttl) {
-          this.timerId = setTimeout(this.ttlCleanup, this.options.ttl * 1000);
-        }
-      };
-
-      this.timerId = setTimeout(this.ttlCleanup, this.options.ttl * 1000);
-    }
-
-    return this;
-  }
-
-  async get(namespace: string, key: string): Promise<any> {
-    const res = this.store[dbutils.key(namespace, key)];
-    if (res) {
-      return res;
-    }
-
-    return null;
-  }
-
-  async getByIndex(namespace: string, idx: Index): Promise<any> {
-    const dbKeys = await this.indexes[dbutils.keyForIndex(namespace, idx)];
-
-    const ret: string[] = [];
-    for (const dbKey of dbKeys || []) {
-      ret.push(await this.get(namespace, dbKey));
-    }
-
-    return ret;
-  }
-
-  async put(
-    namespace: string,
-    key: string,
-    val: Encrypted,
-    ttl = 0,
-    ...indexes: any[]
-  ): Promise<any> {
-    const k = dbutils.key(namespace, key);
-
-    this.store[k] = val;
-
-    if (ttl) {
-      this.ttlStore[k] = {
-        namespace,
-        key,
-        expiresAt: Date.now() + ttl * 1000,
-      };
-    }
-
-    // no ttl support for secondary indexes
-    for (const idx of indexes || []) {
-      const idxKey = dbutils.keyForIndex(namespace, idx);
-      let set = this.indexes[idxKey];
-      if (!set) {
-        set = new Set();
-        this.indexes[idxKey] = set;
-      }
-
-      set.add(key);
-
-      const cleanupKey = dbutils.keyFromParts(dbutils.indexPrefix, k);
-      let cleanup = this.cleanup[cleanupKey];
-      if (!cleanup) {
-        cleanup = new Set();
-        this.cleanup[cleanupKey] = cleanup;
-      }
-
-      cleanup.add(idxKey);
-    }
-  }
-
-  async delete(namespace: string, key: string): Promise<any> {
-    const k = dbutils.key(namespace, key);
-
-    delete this.store[k];
-
-    const idxKey = dbutils.keyFromParts(dbutils.indexPrefix, k);
-    // delete secondary indexes and then the mapping of the seconary indexes
-    const dbKeys = this.cleanup[idxKey];
-
-    for (const dbKey of dbKeys || []) {
-      this.indexes[dbKey] && this.indexes[dbKey].delete(key);
-    }
-
-    delete this.cleanup[idxKey];
-    delete this.ttlStore[k];
-  }
-}
-
-export default {
-  new: async (options: DatabaseOption) => {
-    return await new Mem(options).init();
-  },
-};