@boxyhq/saml-jackson 0.2.3-beta.231 → 0.2.3-beta.235

package/src/index.ts

@@ -1,84 +0,0 @@
-import { JacksonOption } from 'saml-jackson';
-import { SAMLConfig } from './controller/api';
-import { OAuthController } from './controller/oauth';
-import DB from './db/db';
-import readConfig from './read-config';
-
-const defaultOpts = (opts: JacksonOption): JacksonOption => {
-  const newOpts = {
-    ...opts,
-  };
-
-  if (!newOpts.externalUrl) {
-    throw new Error('externalUrl is required');
-  }
-
-  if (!newOpts.samlPath) {
-    throw new Error('samlPath is required');
-  }
-
-  newOpts.samlAudience = newOpts.samlAudience || 'https://saml.boxyhq.com';
-  newOpts.preLoadedConfig = newOpts.preLoadedConfig || ''; // path to folder containing static SAML config that will be preloaded. This is useful for self-hosted deployments that only have to support a single tenant (or small number of known tenants).
-  newOpts.idpEnabled = newOpts.idpEnabled === true;
-
-  newOpts.db = newOpts.db || {};
-  newOpts.db.engine = newOpts.db.engine || 'sql';
-  newOpts.db.url =
-    newOpts.db.url || 'postgresql://postgres:postgres@localhost:5432/postgres';
-  newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql.
-  newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
-  newOpts.db.cleanupLimit = (newOpts.db.cleanupLimit || 1000) * 1; // Limit cleanup of TTL entries to this many items at a time
-
-  return newOpts;
-};
-
-const controllers = async (
-  opts: JacksonOption
-): Promise<{
-  apiController: SAMLConfig;
-  oauthController: OAuthController;
-}> => {
-  opts = defaultOpts(opts);
-
-  const db = await DB.new(opts.db);
-
-  const configStore = db.store('saml:config');
-  const sessionStore = db.store('oauth:session', opts.db.ttl);
-  const codeStore = db.store('oauth:code', opts.db.ttl);
-  const tokenStore = db.store('oauth:token', opts.db.ttl);
-
-  const apiController = new SAMLConfig({ configStore });
-
-  const oauthController = new OAuthController({
-    configStore,
-    sessionStore,
-    codeStore,
-    tokenStore,
-    opts,
-  });
-
-  // write pre-loaded config if present
-  if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
-    const configs = await readConfig(opts.preLoadedConfig);
-
-    for (const config of configs) {
-      await apiController.config(config);
-
-      console.log(
-        `loaded config for tenant "${config.tenant}" and product "${config.product}"`
-      );
-    }
-  }
-
-  const type =
-    opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
-
-  console.log(`Using engine: ${opts.db.engine}.${type}`);
-
-  return {
-    apiController,
-    oauthController,
-  };
-};
-
-export default controllers;

package/src/jackson.ts

@@ -1,173 +0,0 @@
-import cors from 'cors';
-import express from 'express';
-import { IOAuthController, ISAMLConfig } from 'saml-jackson';
-import { JacksonError } from './controller/error';
-import { extractAuthToken } from './controller/utils';
-import env from './env';
-
-//import jackson from './index';
-
-const jackson = require('./index');
-
-let apiController: ISAMLConfig;
-let oauthController: IOAuthController;
-
-const oauthPath = '/oauth';
-const apiPath = '/api/v1/saml';
-
-const app = express();
-
-app.use(express.json());
-app.use(express.urlencoded({ extended: true }));
-
-app.get(oauthPath + '/authorize', async (req, res) => {
-  try {
-    const { redirect_url } = await oauthController.authorize(req.query);
-
-    res.redirect(redirect_url);
-  } catch (err) {
-    const { message, statusCode = 500 } = err as JacksonError;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.post(env.samlPath, async (req, res) => {
-  try {
-    const { redirect_url } = await oauthController.samlResponse(req.body);
-
-    res.redirect(redirect_url);
-  } catch (err) {
-    const { message, statusCode = 500 } = err as JacksonError;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.post(oauthPath + '/token', cors(), async (req, res) => {
-  try {
-    const result = await oauthController.token(req.body);
-
-    res.json(result);
-  } catch (err) {
-    const { message, statusCode = 500 } = err as JacksonError;
-
-    res.status(statusCode).send(message);
-  }
-});
-
-app.get(oauthPath + '/userinfo', async (req, res) => {
-  try {
-    let token = extractAuthToken(req);
-
-    // check for query param
-    if (!token) {
-      token = req.query.access_token;
-    }
-
-    if (!token) {
-      return res.status(401).json({ message: 'Unauthorized' });
-    }
-
-    const profile = await oauthController.userInfo(token);
-
-    res.json(profile);
-  } catch (err) {
-    const { message, statusCode = 500 } = err as JacksonError;
-
-    res.status(statusCode).json({ message });
-  }
-});
-
-const server = app.listen(env.hostPort, async () => {
-  console.log(
-    `🚀 The path of the righteous server: http://${env.hostUrl}:${env.hostPort}`
-  );
-
-  const ctrlrModule = await jackson(env);
-
-  apiController = ctrlrModule.apiController;
-  oauthController = ctrlrModule.oauthController;
-});
-
-// Internal routes, recommended not to expose this to the public interface though it would be guarded by API key(s)
-let internalApp = app;
-
-if (env.useInternalServer) {
-  internalApp = express();
-
-  internalApp.use(express.json());
-  internalApp.use(express.urlencoded({ extended: true }));
-}
-
-const validateApiKey = (token) => {
-  return env.apiKeys.includes(token);
-};
-
-internalApp.post(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-
-    res.json(await apiController.config(req.body));
-  } catch (err) {
-    const { message } = err as JacksonError;
-
-    res.status(500).json({
-      error: message,
-    });
-  }
-});
-
-internalApp.get(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-
-    res.json(await apiController.getConfig(req.query));
-  } catch (err) {
-    const { message } = err as JacksonError;
-
-    res.status(500).json({
-      error: message,
-    });
-  }
-});
-
-internalApp.delete(apiPath + '/config', async (req, res) => {
-  try {
-    const apiKey = extractAuthToken(req);
-    if (!validateApiKey(apiKey)) {
-      res.status(401).send('Unauthorized');
-      return;
-    }
-    await apiController.deleteConfig(req.body);
-    res.status(200).end();
-  } catch (err) {
-    const { message } = err as JacksonError;
-
-    res.status(500).json({
-      error: message,
-    });
-  }
-});
-
-let internalServer = server;
-if (env.useInternalServer) {
-  internalServer = internalApp.listen(env.internalHostPort, async () => {
-    console.log(
-      `🚀 The path of the righteous internal server: http://${env.internalHostUrl}:${env.internalHostPort}`
-    );
-  });
-}
-
-module.exports = {
-  server,
-  internalServer,
-};

package/src/read-config.ts

@@ -1,29 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import { IdPConfig } from 'saml-jackson';
-
-const readConfig = async (preLoadedConfig: string): Promise<IdPConfig[]> => {
-  if (preLoadedConfig.startsWith('./')) {
-    preLoadedConfig = path.resolve(process.cwd(), preLoadedConfig);
-  }
-
-  const files = await fs.promises.readdir(preLoadedConfig);
-  const configs: IdPConfig[] = [];
-
-  for (let idx in files) {
-    const file = files[idx];
-    if (file.endsWith('.js')) {
-      const config = require(path.join(preLoadedConfig, file)) as IdPConfig;
-      const rawMetadata = await fs.promises.readFile(
-        path.join(preLoadedConfig, path.parse(file).name + '.xml'),
-        'utf8'
-      );
-      config.rawMetadata = rawMetadata;
-      configs.push(config);
-    }
-  }
-
-  return configs;
-};
-
-export default readConfig;

package/src/saml/claims.ts

@@ -1,41 +0,0 @@
-const mapping = [
-  {
-    attribute: 'id',
-    schema:
-      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
-  },
-  {
-    attribute: 'email',
-    schema:
-      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
-  },
-  {
-    attribute: 'firstName',
-    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
-  },
-  {
-    attribute: 'lastName',
-    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
-  },
-] as const;
-
-type attributes = typeof mapping[number]['attribute'];
-type schemas = typeof mapping[number]['schema'];
-
-const map = (claims: Record<attributes | schemas, unknown>) => {
-  const profile = {
-    raw: claims,
-  };
-
-  mapping.forEach((m) => {
-    if (claims[m.attribute]) {
-      profile[m.attribute] = claims[m.attribute];
-    } else if (claims[m.schema]) {
-      profile[m.attribute] = claims[m.schema];
-    }
-  });
-
-  return profile;
-};
-
-export default { map };

package/src/saml/saml.ts

@@ -1,233 +0,0 @@
-import saml from '@boxyhq/saml20';
-import xml2js from 'xml2js';
-import thumbprint from 'thumbprint';
-import xmlcrypto from 'xml-crypto';
-import * as rambda from 'rambda';
-import xmlbuilder from 'xmlbuilder';
-import crypto from 'crypto';
-import claims from './claims';
-import { SAMLProfile, SAMLReq } from 'saml-jackson';
-
-const idPrefix = '_';
-const authnXPath =
-  '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
-const issuerXPath =
-  '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
-
-const signRequest = (xml: string, signingKey: string) => {
-  if (!xml) {
-    throw new Error('Please specify xml');
-  }
-  if (!signingKey) {
-    throw new Error('Please specify signingKey');
-  }
-
-  const sig = new xmlcrypto.SignedXml();
-  sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
-  sig.signingKey = signingKey;
-  sig.addReference(
-    authnXPath,
-    [
-      'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
-      'http://www.w3.org/2001/10/xml-exc-c14n#',
-    ],
-    'http://www.w3.org/2001/04/xmlenc#sha256'
-  );
-  sig.computeSignature(xml, {
-    location: { reference: authnXPath + issuerXPath, action: 'after' },
-  });
-
-  return sig.getSignedXml();
-};
-
-const request = ({
-  ssoUrl,
-  entityID,
-  callbackUrl,
-  isPassive = false,
-  forceAuthn = false,
-  identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-  providerName = 'BoxyHQ',
-  signingKey,
-}: SAMLReq): { id: string; request: string } => {
-  const id = idPrefix + crypto.randomBytes(10).toString('hex');
-  const date = new Date().toISOString();
-
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const samlReq: Record<string, any> = {
-    'samlp:AuthnRequest': {
-      '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-      '@ID': id,
-      '@Version': '2.0',
-      '@IssueInstant': date,
-      '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-      '@Destination': ssoUrl,
-      'saml:Issuer': {
-        '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
-        '#text': entityID,
-      },
-    },
-  };
-
-  if (isPassive) samlReq['samlp:AuthnRequest']['@IsPassive'] = true;
-
-  if (forceAuthn) {
-    samlReq['samlp:AuthnRequest']['@ForceAuthn'] = true;
-  }
-
-  samlReq['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = callbackUrl;
-
-  samlReq['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
-    '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-    '@Format': identifierFormat,
-    '@AllowCreate': 'true',
-  };
-
-  if (providerName != null) {
-    samlReq['samlp:AuthnRequest']['@ProviderName'] = providerName;
-  }
-
-  let xml = xmlbuilder.create(samlReq).end({});
-  if (signingKey) {
-    xml = signRequest(xml, signingKey);
-  }
-
-  return {
-    id,
-    request: xml,
-  };
-};
-
-const parseAsync = async (rawAssertion: string): Promise<SAMLProfile> => {
-  return new Promise((resolve, reject) => {
-    saml.parse(
-      rawAssertion,
-      function onParseAsync(err: Error, profile: SAMLProfile) {
-        if (err) {
-          reject(err);
-          return;
-        }
-
-        resolve(profile);
-      }
-    );
-  });
-};
-
-const validateAsync = async (
-  rawAssertion: string,
-  options
-): Promise<SAMLProfile> => {
-  return new Promise((resolve, reject) => {
-    saml.validate(
-      rawAssertion,
-      options,
-      function onValidateAsync(err, profile: SAMLProfile) {
-        if (err) {
-          reject(err);
-          return;
-        }
-
-        if (profile && profile.claims) {
-          // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
-          profile.claims = claims.map(profile.claims);
-
-          // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
-          if (!profile.claims.id) {
-            profile.claims.id = crypto
-              .createHash('sha256')
-              .update(profile.claims.email)
-              .digest('hex');
-          }
-        }
-
-        resolve(profile);
-      }
-    );
-  });
-};
-
-const parseMetadataAsync = async (
-  idpMeta: string
-): Promise<Record<string, any>> => {
-  return new Promise((resolve, reject) => {
-    xml2js.parseString(
-      idpMeta,
-      { tagNameProcessors: [xml2js.processors.stripPrefix] },
-      (err: Error, res) => {
-        if (err) {
-          reject(err);
-          return;
-        }
-
-        const entityID = rambda.path('EntityDescriptor.$.entityID', res);
-        let X509Certificate = null;
-        let ssoPostUrl: null | undefined = null;
-        let ssoRedirectUrl: null | undefined = null;
-        let loginType = 'idp';
-
-        let ssoDes: any = rambda.pathOr(
-          null,
-          'EntityDescriptor.IDPSSODescriptor',
-          res
-        );
-        if (!ssoDes) {
-          ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
-          if (!ssoDes) {
-            loginType = 'sp';
-          }
-        }
-
-        for (const ssoDesRec of ssoDes) {
-          const keyDes = ssoDesRec['KeyDescriptor'];
-          for (const keyDesRec of keyDes) {
-            if (keyDesRec['$'] && keyDesRec['$'].use === 'signing') {
-              const ki = keyDesRec['KeyInfo'][0];
-              const cd = ki['X509Data'][0];
-              X509Certificate = cd['X509Certificate'][0];
-            }
-          }
-
-          const ssoSvc =
-            ssoDesRec['SingleSignOnService'] ||
-            ssoDesRec['AssertionConsumerService'] ||
-            [];
-          for (const ssoSvcRec of ssoSvc) {
-            if (
-              rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')
-            ) {
-              ssoPostUrl = rambda.path('$.Location', ssoSvcRec);
-            } else if (
-              rambda
-                .pathOr('', '$.Binding', ssoSvcRec)
-                .endsWith('HTTP-Redirect')
-            ) {
-              ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
-            }
-          }
-        }
-
-        const ret: Record<string, any> = {
-          sso: {},
-        };
-        if (entityID) {
-          ret.entityID = entityID;
-        }
-        if (X509Certificate) {
-          ret.thumbprint = thumbprint.calculate(X509Certificate);
-        }
-        if (ssoPostUrl) {
-          ret.sso.postUrl = ssoPostUrl;
-        }
-        if (ssoRedirectUrl) {
-          ret.sso.redirectUrl = ssoRedirectUrl;
-        }
-        ret.loginType = loginType;
-
-        resolve(ret);
-      }
-    );
-  });
-};
-
-export default { request, parseAsync, validateAsync, parseMetadataAsync };

package/src/saml/x509.ts

@@ -1,51 +0,0 @@
-import * as x509 from '@peculiar/x509';
-import { Crypto } from '@peculiar/webcrypto';
-
-const crypto = new Crypto();
-x509.cryptoProvider.set(crypto);
-
-const alg = {
-  name: 'RSASSA-PKCS1-v1_5',
-  hash: 'SHA-256',
-  publicExponent: new Uint8Array([1, 0, 1]),
-  modulusLength: 2048,
-};
-
-const generate = async () => {
-  const keys = await crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
-
-  const extensions: x509.Extension[] = [
-    new x509.BasicConstraintsExtension(false, undefined, true),
-  ];
-
-  extensions.push(
-    new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true)
-  );
-  if (keys.publicKey) {
-    extensions.push(
-      await x509.SubjectKeyIdentifierExtension.create(keys.publicKey)
-    );
-  }
-
-  const cert = await x509.X509CertificateGenerator.createSelfSigned({
-    serialNumber: '01',
-    name: 'CN=BoxyHQ Jackson',
-    notBefore: new Date(),
-    notAfter: new Date('3021/01/01'), // TODO: set shorter expiry and rotate ceritifcates
-    signingAlgorithm: alg,
-    keys: keys,
-    extensions,
-  });
-  if (keys.privateKey) {
-    const pkcs8 = await crypto.subtle.exportKey('pkcs8', keys.privateKey);
-
-    return {
-      publicKey: cert.toString('pem'),
-      privateKey: x509.PemConverter.encode(pkcs8, 'private key'),
-    };
-  }
-};
-
-export default {
-  generate,
-};