@boxyhq/saml-jackson 0.2.3-beta.237 → 0.2.3-beta.242

package/dist/saml/claims.d.ts

@@ -0,0 +1,6 @@
+declare const _default: {
+    map: (claims: Record<"id" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" | "email" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" | "firstName" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" | "lastName" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", unknown>) => {
+        raw: Record<"id" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" | "email" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" | "firstName" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" | "lastName" | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", unknown>;
+    };
+};
+export default _default;

package/dist/saml/claims.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mapping = [
+    {
+        attribute: 'id',
+        schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+    },
+    {
+        attribute: 'email',
+        schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+    },
+    {
+        attribute: 'firstName',
+        schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+    },
+    {
+        attribute: 'lastName',
+        schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+    },
+];
+const map = (claims) => {
+    const profile = {
+        raw: claims,
+    };
+    mapping.forEach((m) => {
+        if (claims[m.attribute]) {
+            profile[m.attribute] = claims[m.attribute];
+        }
+        else if (claims[m.schema]) {
+            profile[m.attribute] = claims[m.schema];
+        }
+    });
+    return profile;
+};
+exports.default = { map };

package/dist/saml/saml.d.ts

@@ -0,0 +1,11 @@
+import { SAMLProfile, SAMLReq } from '../typings';
+declare const _default: {
+    request: ({ ssoUrl, entityID, callbackUrl, isPassive, forceAuthn, identifierFormat, providerName, signingKey, }: SAMLReq) => {
+        id: string;
+        request: string;
+    };
+    parseAsync: (rawAssertion: string) => Promise<SAMLProfile>;
+    validateAsync: (rawAssertion: string, options: any) => Promise<SAMLProfile>;
+    parseMetadataAsync: (idpMeta: string) => Promise<Record<string, any>>;
+};
+export default _default;

package/dist/saml/saml.js

@@ -0,0 +1,200 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const saml20_1 = __importDefault(require("@boxyhq/saml20"));
+const xml2js_1 = __importDefault(require("xml2js"));
+const thumbprint_1 = __importDefault(require("thumbprint"));
+const xml_crypto_1 = __importDefault(require("xml-crypto"));
+const rambda = __importStar(require("rambda"));
+const xmlbuilder_1 = __importDefault(require("xmlbuilder"));
+const crypto_1 = __importDefault(require("crypto"));
+const claims_1 = __importDefault(require("./claims"));
+const idPrefix = '_';
+const authnXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
+const signRequest = (xml, signingKey) => {
+    if (!xml) {
+        throw new Error('Please specify xml');
+    }
+    if (!signingKey) {
+        throw new Error('Please specify signingKey');
+    }
+    const sig = new xml_crypto_1.default.SignedXml();
+    sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
+    sig.signingKey = signingKey;
+    sig.addReference(authnXPath, [
+        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
+        'http://www.w3.org/2001/10/xml-exc-c14n#',
+    ], 'http://www.w3.org/2001/04/xmlenc#sha256');
+    sig.computeSignature(xml, {
+        location: { reference: authnXPath + issuerXPath, action: 'after' },
+    });
+    return sig.getSignedXml();
+};
+const request = ({ ssoUrl, entityID, callbackUrl, isPassive = false, forceAuthn = false, identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', providerName = 'BoxyHQ', signingKey, }) => {
+    const id = idPrefix + crypto_1.default.randomBytes(10).toString('hex');
+    const date = new Date().toISOString();
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const samlReq = {
+        'samlp:AuthnRequest': {
+            '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+            '@ID': id,
+            '@Version': '2.0',
+            '@IssueInstant': date,
+            '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+            '@Destination': ssoUrl,
+            'saml:Issuer': {
+                '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+                '#text': entityID,
+            },
+        },
+    };
+    if (isPassive)
+        samlReq['samlp:AuthnRequest']['@IsPassive'] = true;
+    if (forceAuthn) {
+        samlReq['samlp:AuthnRequest']['@ForceAuthn'] = true;
+    }
+    samlReq['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = callbackUrl;
+    samlReq['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
+        '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+        '@Format': identifierFormat,
+        '@AllowCreate': 'true',
+    };
+    if (providerName != null) {
+        samlReq['samlp:AuthnRequest']['@ProviderName'] = providerName;
+    }
+    let xml = xmlbuilder_1.default.create(samlReq).end({});
+    if (signingKey) {
+        xml = signRequest(xml, signingKey);
+    }
+    return {
+        id,
+        request: xml,
+    };
+};
+const parseAsync = (rawAssertion) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        saml20_1.default.parse(rawAssertion, function onParseAsync(err, profile) {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(profile);
+        });
+    });
+});
+const validateAsync = (rawAssertion, options) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        saml20_1.default.validate(rawAssertion, options, function onValidateAsync(err, profile) {
+            if (err) {
+                reject(err);
+                return;
+            }
+            if (profile && profile.claims) {
+                // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
+                profile.claims = claims_1.default.map(profile.claims);
+                // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
+                if (!profile.claims.id) {
+                    profile.claims.id = crypto_1.default
+                        .createHash('sha256')
+                        .update(profile.claims.email)
+                        .digest('hex');
+                }
+            }
+            resolve(profile);
+        });
+    });
+});
+const parseMetadataAsync = (idpMeta) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        xml2js_1.default.parseString(idpMeta, { tagNameProcessors: [xml2js_1.default.processors.stripPrefix] }, (err, res) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            const entityID = rambda.path('EntityDescriptor.$.entityID', res);
+            let X509Certificate = null;
+            let ssoPostUrl = null;
+            let ssoRedirectUrl = null;
+            let loginType = 'idp';
+            let ssoDes = rambda.pathOr(null, 'EntityDescriptor.IDPSSODescriptor', res);
+            if (!ssoDes) {
+                ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
+                if (!ssoDes) {
+                    loginType = 'sp';
+                }
+            }
+            for (const ssoDesRec of ssoDes) {
+                const keyDes = ssoDesRec['KeyDescriptor'];
+                for (const keyDesRec of keyDes) {
+                    if (keyDesRec['$'] && keyDesRec['$'].use === 'signing') {
+                        const ki = keyDesRec['KeyInfo'][0];
+                        const cd = ki['X509Data'][0];
+                        X509Certificate = cd['X509Certificate'][0];
+                    }
+                }
+                const ssoSvc = ssoDesRec['SingleSignOnService'] ||
+                    ssoDesRec['AssertionConsumerService'] ||
+                    [];
+                for (const ssoSvcRec of ssoSvc) {
+                    if (rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')) {
+                        ssoPostUrl = rambda.path('$.Location', ssoSvcRec);
+                    }
+                    else if (rambda
+                        .pathOr('', '$.Binding', ssoSvcRec)
+                        .endsWith('HTTP-Redirect')) {
+                        ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
+                    }
+                }
+            }
+            const ret = {
+                sso: {},
+            };
+            if (entityID) {
+                ret.entityID = entityID;
+            }
+            if (X509Certificate) {
+                ret.thumbprint = thumbprint_1.default.calculate(X509Certificate);
+            }
+            if (ssoPostUrl) {
+                ret.sso.postUrl = ssoPostUrl;
+            }
+            if (ssoRedirectUrl) {
+                ret.sso.redirectUrl = ssoRedirectUrl;
+            }
+            ret.loginType = loginType;
+            resolve(ret);
+        });
+    });
+});
+exports.default = { request, parseAsync, validateAsync, parseMetadataAsync };

package/dist/saml/x509.d.ts

@@ -0,0 +1,7 @@
+declare const _default: {
+    generate: () => Promise<{
+        publicKey: string;
+        privateKey: string;
+    } | undefined>;
+};
+export default _default;

package/dist/saml/x509.js

@@ -0,0 +1,69 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const x509 = __importStar(require("@peculiar/x509"));
+const webcrypto_1 = require("@peculiar/webcrypto");
+const crypto = new webcrypto_1.Crypto();
+x509.cryptoProvider.set(crypto);
+const alg = {
+    name: 'RSASSA-PKCS1-v1_5',
+    hash: 'SHA-256',
+    publicExponent: new Uint8Array([1, 0, 1]),
+    modulusLength: 2048,
+};
+const generate = () => __awaiter(void 0, void 0, void 0, function* () {
+    const keys = yield crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
+    const extensions = [
+        new x509.BasicConstraintsExtension(false, undefined, true),
+    ];
+    extensions.push(new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true));
+    if (keys.publicKey) {
+        extensions.push(yield x509.SubjectKeyIdentifierExtension.create(keys.publicKey));
+    }
+    const cert = yield x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: '01',
+        name: 'CN=BoxyHQ Jackson',
+        notBefore: new Date(),
+        notAfter: new Date('3021/01/01'),
+        signingAlgorithm: alg,
+        keys: keys,
+        extensions,
+    });
+    if (keys.privateKey) {
+        const pkcs8 = yield crypto.subtle.exportKey('pkcs8', keys.privateKey);
+        return {
+            publicKey: cert.toString('pem'),
+            privateKey: x509.PemConverter.encode(pkcs8, 'private key'),
+        };
+    }
+});
+exports.default = {
+    generate,
+};

package/dist/typings.d.ts

@@ -0,0 +1,137 @@
+export declare type IdPConfig = {
+    defaultRedirectUrl: string;
+    redirectUrl: string;
+    tenant: string;
+    product: string;
+    rawMetadata: string;
+};
+export interface OAuth {
+    client_id: string;
+    client_secret: string;
+    provider: string;
+}
+export interface ISAMLConfig {
+    config(body: IdPConfig): Promise<OAuth>;
+    getConfig(body: {
+        clientID: string;
+        tenant: string;
+        product: string;
+    }): Promise<Partial<OAuth>>;
+    deleteConfig(body: {
+        clientID: string;
+        clientSecret: string;
+        tenant: string;
+        product: string;
+    }): Promise<void>;
+    create(body: IdPConfig): Promise<OAuth>;
+    get(body: {
+        clientID: string;
+        tenant: string;
+        product: string;
+    }): Promise<Partial<OAuth>>;
+    delete(body: {
+        clientID: string;
+        clientSecret: string;
+        tenant: string;
+        product: string;
+    }): Promise<void>;
+}
+export interface IOAuthController {
+    authorize(body: OAuthReqBody): Promise<{
+        redirect_url: string;
+    }>;
+    samlResponse(body: SAMLResponsePayload): Promise<{
+        redirect_url: string;
+    }>;
+    token(body: OAuthTokenReq): Promise<OAuthTokenRes>;
+    userInfo(token: string): Promise<Profile>;
+}
+export interface OAuthReqBody {
+    response_type: 'code';
+    client_id: string;
+    redirect_uri: string;
+    state: string;
+    tenant: string;
+    product: string;
+    code_challenge: string;
+    code_challenge_method: 'plain' | 'S256' | '';
+    provider: 'saml';
+}
+export interface SAMLResponsePayload {
+    SAMLResponse: string;
+    RelayState: string;
+}
+export interface OAuthTokenReq {
+    client_id: string;
+    client_secret: string;
+    code_verifier: string;
+    code: string;
+    grant_type: 'authorization_code';
+}
+export interface OAuthTokenRes {
+    access_token: string;
+    token_type: 'bearer';
+    expires_in: number;
+}
+export interface Profile {
+    id: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+export interface Index {
+    name: string;
+    value: string;
+}
+export interface DatabaseDriver {
+    get(namespace: string, key: string): Promise<any>;
+    put(namespace: string, key: string, val: any, ttl: number, ...indexes: Index[]): Promise<any>;
+    delete(namespace: string, key: string): Promise<any>;
+    getByIndex(namespace: string, idx: Index): Promise<any>;
+}
+export interface Storable {
+    get(key: string): Promise<any>;
+    put(key: string, val: any, ...indexes: Index[]): Promise<any>;
+    delete(key: string): Promise<any>;
+    getByIndex(idx: Index): Promise<any>;
+}
+export interface Encrypted {
+    iv?: string;
+    tag?: string;
+    value: string;
+}
+export declare type EncryptionKey = any;
+export declare type DatabaseEngine = 'redis' | 'sql' | 'mongo' | 'mem';
+export declare type DatabaseType = 'postgres' | 'mysql' | 'mariadb';
+export interface DatabaseOption {
+    engine: DatabaseEngine;
+    url: string;
+    type: DatabaseType;
+    ttl: number;
+    cleanupLimit: number;
+    encryptionKey: string;
+}
+export interface SAMLReq {
+    ssoUrl?: string;
+    entityID: string;
+    callbackUrl: string;
+    isPassive?: boolean;
+    forceAuthn?: boolean;
+    identifierFormat?: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
+    providerName?: 'BoxyHQ';
+    signingKey: string;
+}
+export interface SAMLProfile {
+    audience: string;
+    claims: Record<string, any>;
+    issuer: string;
+    sessionIndex: string;
+}
+export interface JacksonOption {
+    externalUrl: string;
+    samlPath: string;
+    samlAudience: string;
+    preLoadedConfig?: string;
+    idpEnabled?: boolean;
+    db: DatabaseOption;
+}

package/dist/typings.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.3-beta.237",
+  "version": "0.2.3-beta.242",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "dist/index.js",
@@ -17,13 +17,14 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
+    "prepublish": "npm run build",
     "start": "cross-env IDP_ENABLED=true node dist/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon --config nodemon.json src/jackson.ts",
     "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon --config nodemon.json src/jackson.ts",
     "sql": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=sql DB_TYPE=postgres DB_URL=postgres://postgres:postgres@localhost:5432/jackson nodemon --config nodemon.json src/jackson.ts",
     "pre-loaded": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon --config nodemon.json src/jackson.ts",
     "pre-loaded-db": "cross-env JACKSON_API_KEYS=secret PRE_LOADED_CONFIG='./_config' nodemon --config nodemon.json src/jackson.ts",
-    "test": "tap --ts --timeout=100 src/**/*.test.ts",
+    "test": "tap --ts --timeout=100 --coverage src/**/*.test.ts ",
     "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
     "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans",
     "db:migration:generate": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n Initial"
@@ -50,6 +51,7 @@
     "ripemd160": "2.0.2",
     "thumbprint": "0.0.1",
     "typeorm": "0.2.41",
+    "typescript": "4.5.4",
     "xml-crypto": "2.1.3",
     "xml2js": "0.4.23",
     "xmlbuilder": "15.1.1"
@@ -72,8 +74,7 @@
     "sinon": "12.0.1",
     "tap": "15.1.5",
     "ts-node": "10.4.0",
-    "tsconfig-paths": "3.12.0",
-    "typescript": "4.5.4"
+    "tsconfig-paths": "3.12.0"
   },
   "lint-staged": {
     "*.{js,ts}": "eslint --cache --fix",