@boxyhq/saml-jackson 0.2.4 → 0.3.0-beta.246

package/src/controller/oauth.js

@@ -1,321 +0,0 @@
-const crypto = require('crypto');
-
-const saml = require('../saml/saml.js');
-const codeVerifier = require('./oauth/code-verifier.js');
-const { indexNames } = require('./utils.js');
-const dbutils = require('../db/utils.js');
-const redirect = require('./oauth/redirect.js');
-const allowed = require('./oauth/allowed.js');
-const { JacksonError } = require('./error.js');
-
-let configStore;
-let sessionStore;
-let codeStore;
-let tokenStore;
-let options;
-
-const relayStatePrefix = 'boxyhq_jackson_';
-
-function getEncodedClientId(client_id) {
-  try {
-    const sp = new URLSearchParams(client_id);
-    const tenant = sp.get('tenant');
-    const product = sp.get('product');
-    if (tenant && product) {
-      return {
-        tenant: sp.get('tenant'),
-        product: sp.get('product'),
-      };
-    }
-
-    return null;
-  } catch (err) {
-    return null;
-  }
-}
-
-const authorize = async (body) => {
-  const {
-    response_type = 'code',
-    client_id,
-    redirect_uri,
-    state,
-    tenant,
-    product,
-    code_challenge,
-    code_challenge_method = '',
-    // eslint-disable-next-line no-unused-vars
-    provider = 'saml',
-  } = body;
-
-  if (!redirect_uri) {
-    throw new JacksonError('Please specify a redirect URL.', 400);
-  }
-
-  if (!state) {
-    throw new JacksonError(
-      'Please specify a state to safeguard against XSRF attacks.',
-      400
-    );
-  }
-
-  let samlConfig;
-
-  if (tenant && product) {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-
-    if (!samlConfigs || samlConfigs.length === 0) {
-      throw new JacksonError('SAML configuration not found.', 403);
-    }
-
-    // TODO: Support multiple matches
-    samlConfig = samlConfigs[0];
-  } else if (
-    client_id &&
-    client_id !== '' &&
-    client_id !== 'undefined' &&
-    client_id !== 'null'
-  ) {
-    // if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
-    const sp = getEncodedClientId(client_id);
-    if (sp) {
-      const samlConfigs = await configStore.getByIndex({
-        name: indexNames.tenantProduct,
-        value: dbutils.keyFromParts(sp.tenant, sp.product),
-      });
-
-      if (!samlConfigs || samlConfigs.length === 0) {
-        throw new JacksonError('SAML configuration not found.', 403);
-      }
-
-      // TODO: Support multiple matches
-      samlConfig = samlConfigs[0];
-    } else {
-      samlConfig = await configStore.get(client_id);
-    }
-  } else {
-    throw new JacksonError(
-      'You need to specify client_id or tenant & product',
-      403
-    );
-  }
-
-  if (!samlConfig) {
-    throw new JacksonError('SAML configuration not found.', 403);
-  }
-
-  if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-    throw new JacksonError('Redirect URL is not allowed.', 403);
-  }
-
-  const samlReq = saml.request({
-    entityID: options.samlAudience,
-    callbackUrl: options.externalUrl + options.samlPath,
-    signingKey: samlConfig.certs.privateKey,
-  });
-
-  const sessionId = crypto.randomBytes(16).toString('hex');
-
-  await sessionStore.put(sessionId, {
-    id: samlReq.id,
-    redirect_uri,
-    response_type,
-    state,
-    code_challenge,
-    code_challenge_method,
-  });
-
-  const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
-    RelayState: relayStatePrefix + sessionId,
-    SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
-  });
-
-  return { redirect_url: redirectUrl };
-};
-
-const samlResponse = async (body) => {
-  const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
-
-  let RelayState = body.RelayState || '';
-
-  if (!options.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
-    // IDP is disabled so block the request
-
-    throw new JacksonError(
-      'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
-      403
-    );
-  }
-
-  if (!RelayState.startsWith(relayStatePrefix)) {
-    RelayState = '';
-  }
-
-  RelayState = RelayState.replace(relayStatePrefix, '');
-
-  const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
-
-  const parsedResp = await saml.parseAsync(rawResponse);
-
-  const samlConfigs = await configStore.getByIndex({
-    name: indexNames.entityID,
-    value: parsedResp.issuer,
-  });
-
-  if (!samlConfigs || samlConfigs.length === 0) {
-    throw new JacksonError('SAML configuration not found.', 403);
-  }
-
-  // TODO: Support multiple matches
-  const samlConfig = samlConfigs[0];
-
-  let session;
-
-  if (RelayState !== '') {
-    session = await sessionStore.get(RelayState);
-    if (!session) {
-      throw new JacksonError(
-        'Unable to validate state from the origin request.',
-        403
-      );
-    }
-  }
-
-  let validateOpts = {
-    thumbprint: samlConfig.idpMetadata.thumbprint,
-    audience: options.samlAudience,
-  };
-
-  if (session && session.id) {
-    validateOpts.inResponseTo = session.id;
-  }
-
-  const profile = await saml.validateAsync(rawResponse, validateOpts);
-
-  // store details against a code
-  const code = crypto.randomBytes(20).toString('hex');
-
-  let codeVal = {
-    profile,
-    clientID: samlConfig.clientID,
-    clientSecret: samlConfig.clientSecret,
-  };
-
-  if (session) {
-    codeVal.session = session;
-  }
-
-  await codeStore.put(code, codeVal);
-
-  if (
-    session &&
-    session.redirect_uri &&
-    !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
-  ) {
-    throw new JacksonError('Redirect URL is not allowed.', 403);
-  }
-
-  let params = {
-    code,
-  };
-
-  if (session && session.state) {
-    params.state = session.state;
-  }
-
-  const redirectUrl = redirect.success(
-    (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
-    params
-  );
-
-  return { redirect_url: redirectUrl };
-};
-
-const token = async (body) => {
-  const {
-    client_id,
-    client_secret,
-    code_verifier,
-    code,
-    grant_type = 'authorization_code',
-  } = body;
-
-  if (grant_type !== 'authorization_code') {
-    throw new JacksonError('Unsupported grant_type', 400);
-  }
-
-  if (!code) {
-    throw new JacksonError('Please specify code', 400);
-  }
-
-  const codeVal = await codeStore.get(code);
-  if (!codeVal || !codeVal.profile) {
-    throw new JacksonError('Invalid code', 403);
-  }
-
-  if (client_id && client_secret) {
-    // check if we have an encoded client_id
-    if (client_id !== 'dummy' && client_secret !== 'dummy') {
-      const sp = getEncodedClientId(client_id);
-      if (!sp) {
-        // OAuth flow
-        if (
-          client_id !== codeVal.clientID ||
-          client_secret !== codeVal.clientSecret
-        ) {
-          throw new JacksonError('Invalid client_id or client_secret', 401);
-        }
-      }
-    }
-  } else if (code_verifier) {
-    // PKCE flow
-    let cv = code_verifier;
-    if (codeVal.session.code_challenge_method.toLowerCase() === 's256') {
-      cv = codeVerifier.encode(code_verifier);
-    }
-
-    if (codeVal.session.code_challenge !== cv) {
-      throw new JacksonError('Invalid code_verifier', 401);
-    }
-  } else if (codeVal && codeVal.session) {
-    throw new JacksonError(
-      'Please specify client_secret or code_verifier',
-      401
-    );
-  }
-
-  // store details against a token
-  const token = crypto.randomBytes(20).toString('hex');
-
-  await tokenStore.put(token, codeVal.profile);
-
-  return {
-    access_token: token,
-    token_type: 'bearer',
-    expires_in: options.db.ttl,
-  };
-};
-
-const userInfo = async (token) => {
-  const { claims } = await tokenStore.get(token);
-
-  return claims;
-};
-
-module.exports = (opts) => {
-  configStore = opts.configStore;
-  sessionStore = opts.sessionStore;
-  codeStore = opts.codeStore;
-  tokenStore = opts.tokenStore;
-  options = opts.opts;
-
-  return {
-    authorize,
-    samlResponse,
-    token,
-    userInfo,
-  };
-};

package/src/controller/utils.js

@@ -1,19 +0,0 @@
-const indexNames = {
-  entityID: 'entityID',
-  tenantProduct: 'tenantProduct',
-};
-
-const extractAuthToken = (req) => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
-module.exports = {
-  indexNames,
-  extractAuthToken,
-};

package/src/db/db.js

@@ -1,81 +0,0 @@
-const mem = require('./mem.js');
-const mongo = require('./mongo.js');
-const redis = require('./redis.js');
-const sql = require('./sql/sql.js');
-const store = require('./store.js');
-const encrypter = require('./encrypter.js');
-
-const decrypt = (res, encryptionKey) => {
-  if (res.iv && res.tag) {
-    return JSON.parse(
-      encrypter.decrypt(res.value, res.iv, res.tag, encryptionKey)
-    );
-  }
-
-  return JSON.parse(res.value);
-};
-
-class DB {
-  constructor(db, encryptionKey) {
-    this.db = db;
-    this.encryptionKey = encryptionKey;
-  }
-
-  async get(namespace, key) {
-    const res = await this.db.get(namespace, key);
-    if (!res) {
-      return null;
-    }
-
-    return decrypt(res, this.encryptionKey);
-  }
-
-  async getByIndex(namespace, idx) {
-    const res = await this.db.getByIndex(namespace, idx);
-    const encryptionKey = this.encryptionKey;
-    return res.map((r) => {
-      return decrypt(r, encryptionKey);
-    });
-  }
-
-  // ttl is in seconds
-  async put(namespace, key, val, ttl = 0, ...indexes) {
-    if (ttl > 0 && indexes && indexes.length > 0) {
-      throw new Error('secondary indexes not allow on a store with ttl');
-    }
-
-    const dbVal = this.encryptionKey
-      ? encrypter.encrypt(JSON.stringify(val), this.encryptionKey)
-      : { value: JSON.stringify(val) };
-
-    return await this.db.put(namespace, key, dbVal, ttl, ...indexes);
-  }
-
-  async delete(namespace, key) {
-    return await this.db.delete(namespace, key);
-  }
-
-  store(namespace, ttl = 0) {
-    return store.new(namespace, this, ttl);
-  }
-}
-
-module.exports = {
-  new: async (options) => {
-    const encryptionKey = options.encryptionKey
-      ? Buffer.from(options.encryptionKey, 'latin1')
-      : null;
-    switch (options.engine) {
-      case 'redis':
-        return new DB(await redis.new(options), encryptionKey);
-      case 'sql':
-        return new DB(await sql.new(options), encryptionKey);
-      case 'mongo':
-        return new DB(await mongo.new(options), encryptionKey);
-      case 'mem':
-        return new DB(await mem.new(options), encryptionKey);
-      default:
-        throw new Error('unsupported db engine: ' + options.engine);
-    }
-  },
-};

package/src/db/db.test.js

@@ -1,302 +0,0 @@
-const t = require('tap');
-
-const DB = require('./db.js');
-
-const encryptionKey = '3yGrTcnKPBqqHoH3zZMAU6nt4bmIYb2q';
-
-let configStores = [];
-let ttlStores = [];
-const ttl = 3;
-
-const record1 = {
-  id: '1',
-  name: 'Deepak',
-  city: 'London',
-};
-const record2 = {
-  id: '2',
-  name: 'Sama',
-  city: 'London',
-};
-
-const memDbConfig = {
-  engine: 'mem',
-  ttl: 1,
-};
-
-const redisDbConfig = {
-  engine: 'redis',
-  url: 'redis://localhost:6379',
-};
-
-const postgresDbConfig = {
-  engine: 'sql',
-  url: 'postgresql://postgres:postgres@localhost:5432/postgres',
-  type: 'postgres',
-  ttl: 1,
-  cleanupLimit: 1,
-};
-
-const mongoDbConfig = {
-  engine: 'mongo',
-  url: 'mongodb://localhost:27017/jackson',
-};
-
-const mysqlDbConfig = {
-  engine: 'sql',
-  url: 'mysql://root:mysql@localhost:3307/mysql',
-  type: 'mysql',
-  ttl: 1,
-  cleanupLimit: 1,
-};
-
-const mariadbDbConfig = {
-  engine: 'sql',
-  url: 'mariadb://root@localhost:3306/mysql',
-  type: 'mariadb',
-  ttl: 1,
-  cleanupLimit: 1,
-};
-
-const dbs = [
-  {
-    ...memDbConfig,
-  },
-  {
-    ...memDbConfig,
-    encryptionKey,
-  },
-  {
-    ...redisDbConfig,
-  },
-  {
-    ...redisDbConfig,
-    encryptionKey,
-  },
-  {
-    ...postgresDbConfig,
-  },
-  {
-    ...postgresDbConfig,
-    encryptionKey,
-  },
-  {
-    ...mongoDbConfig,
-  },
-  {
-    ...mongoDbConfig,
-    encryptionKey,
-  },
-  {
-    ...mysqlDbConfig,
-  },
-  {
-    ...mysqlDbConfig,
-    encryptionKey,
-  },
-  {
-    ...mariadbDbConfig,
-  },
-  {
-    ...mariadbDbConfig,
-    encryptionKey,
-  },
-];
-
-t.before(async () => {
-  for (const idx in dbs) {
-    const opts = dbs[idx];
-    const db = await DB.new(opts);
-
-    configStores.push(db.store('saml:config'));
-    ttlStores.push(db.store('oauth:session', ttl));
-  }
-});
-
-t.teardown(async () => {
-  process.exit(0);
-});
-
-t.test('dbs', ({ end }) => {
-  for (const idx in configStores) {
-    const configStore = configStores[idx];
-    const ttlStore = ttlStores[idx];
-    let dbEngine = dbs[idx].engine;
-    if (dbs[idx].type) {
-      dbEngine += ': ' + dbs[idx].type;
-    }
-    t.test('put(): ' + dbEngine, async (t) => {
-      await configStore.put(
-        record1.id,
-        record1,
-        {
-          // secondary index on city
-          name: 'city',
-          value: record1.city,
-        },
-        {
-          // secondary index on name
-          name: 'name',
-          value: record1.name,
-        }
-      );
-
-      await configStore.put(
-        record2.id,
-        record2,
-        {
-          // secondary index on city
-          name: 'city',
-          value: record2.city,
-        },
-        {
-          // secondary index on name
-          name: 'name',
-          value: record2.name,
-        }
-      );
-
-      t.end();
-    });
-
-    t.test('get(): ' + dbEngine, async (t) => {
-      const ret1 = await configStore.get(record1.id);
-      const ret2 = await configStore.get(record2.id);
-
-      t.same(ret1, record1, 'unable to get record1');
-      t.same(ret2, record2, 'unable to get record2');
-
-      t.end();
-    });
-
-    t.test('getByIndex(): ' + dbEngine, async (t) => {
-      const ret1 = await configStore.getByIndex({
-        name: 'name',
-        value: record1.name,
-      });
-
-      const ret2 = await configStore.getByIndex({
-        name: 'city',
-        value: record1.city,
-      });
-
-      t.same(ret1, [record1], 'unable to get index "name"');
-      t.same(
-        ret2.sort((a, b) => a.id.localeCompare(b.id)),
-        [record1, record2].sort((a, b) => a.id.localeCompare(b.id)),
-        'unable to get index "city"'
-      );
-
-      t.end();
-    });
-
-    t.test('delete(): ' + dbEngine, async (t) => {
-      await configStore.delete(record1.id);
-
-      const ret0 = await configStore.getByIndex({
-        name: 'city',
-        value: record1.city,
-      });
-
-      t.same(ret0, [record2], 'unable to get index "city" after delete');
-
-      await configStore.delete(record2.id);
-
-      const ret1 = await configStore.get(record1.id);
-      const ret2 = await configStore.get(record2.id);
-
-      const ret3 = await configStore.getByIndex({
-        name: 'name',
-        value: record1.name,
-      });
-      const ret4 = await configStore.getByIndex({
-        name: 'city',
-        value: record1.city,
-      });
-
-      t.same(ret1, null, 'delete for record1 failed');
-      t.same(ret2, null, 'delete for record2 failed');
-
-      t.same(ret3, [], 'delete for record1 failed');
-      t.same(ret4, [], 'delete for record2 failed');
-
-      t.end();
-    });
-
-    t.test('ttl indexes: ' + dbEngine, async (t) => {
-      try {
-        await ttlStore.put(
-          record1.id,
-          record1,
-          {
-            // secondary index on city
-            name: 'city',
-            value: record1.city,
-          },
-          {
-            // secondary index on name
-            name: 'name',
-            value: record1.name,
-          }
-        );
-
-        t.fail('expecting a secondary indexes not allow on a store with ttl');
-      } catch (err) {
-        t.ok(err, 'got expected error');
-      }
-
-      t.end();
-    });
-
-    t.test('ttl put(): ' + dbEngine, async (t) => {
-      await ttlStore.put(record1.id, record1);
-
-      await ttlStore.put(record2.id, record2);
-
-      t.end();
-    });
-
-    t.test('ttl get(): ' + dbEngine, async (t) => {
-      const ret1 = await ttlStore.get(record1.id);
-      const ret2 = await ttlStore.get(record2.id);
-
-      t.same(ret1, record1, 'unable to get record1');
-      t.same(ret2, record2, 'unable to get record2');
-
-      t.end();
-    });
-
-    t.test('ttl expiry: ' + dbEngine, async (t) => {
-      // mongo runs ttl task every 60 seconds
-      if (dbEngine.startsWith('mongo')) {
-        t.end();
-        return;
-      }
-
-      await new Promise((resolve) =>
-        setTimeout(resolve, (2 * ttl + 0.5) * 1000)
-      );
-
-      const ret1 = await ttlStore.get(record1.id);
-      const ret2 = await ttlStore.get(record2.id);
-
-      t.same(ret1, null, 'ttl for record1 failed');
-      t.same(ret2, null, 'ttl for record2 failed');
-
-      t.end();
-    });
-  }
-
-  t.test('db.new() error', async (t) => {
-    try {
-      await DB.new('somedb');
-      t.fail('expecting an unsupported db error');
-    } catch (err) {
-      t.ok(err, 'got expected error');
-    }
-
-    t.end();
-  });
-
-  end();
-});