@boxyhq/saml-jackson 0.5.1 → 1.0.2

package/README.md

@@ -14,7 +14,7 @@ npm i @boxyhq/saml-jackson
 
 ## Documentation
 
-For full documentation, visit [boxyhq.com/docs/jackson/npm-library](https://boxyhq.com/docs/jackson/npm-library)
+For full documentation, visit [boxyhq.com/docs/jackson/deploy/npm-library](https://boxyhq.com/docs/jackson/deploy/npm-library)
 
 ## License
 

package/dist/controller/api.d.ts

@@ -4,6 +4,7 @@ export declare class APIController implements IAPIController {
     constructor({ configStore }: {
         configStore: any;
     });
+    private _validateRedirectUrl;
     private _validateIdPConfig;
     /**
      * @swagger

package/dist/controller/api.js

@@ -50,7 +50,7 @@ exports.APIController = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 const dbutils = __importStar(require("../db/utils"));
 const metrics = __importStar(require("../opentelemetry/metrics"));
-const saml_1 = __importDefault(require("../saml/saml"));
+const saml20_1 = __importDefault(require("@boxyhq/saml20"));
 const x509_1 = __importDefault(require("../saml/x509"));
 const error_1 = require("./error");
 const utils_1 = require("./utils");
@@ -58,6 +58,19 @@ class APIController {
     constructor({ configStore }) {
         this.configStore = configStore;
     }
+    _validateRedirectUrl({ redirectUrlList, defaultRedirectUrl }) {
+        if (redirectUrlList) {
+            if (redirectUrlList.length > 100) {
+                throw new error_1.JacksonError('Exceeded maximum number of allowed redirect urls', 400);
+            }
+            for (const url of redirectUrlList) {
+                (0, utils_1.validateAbsoluteUrl)(url, 'redirectUrl is invalid');
+            }
+        }
+        if (defaultRedirectUrl) {
+            (0, utils_1.validateAbsoluteUrl)(defaultRedirectUrl, 'defaultRedirectUrl is invalid');
+        }
+    }
     _validateIdPConfig(body) {
         const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, description } = body;
         if (!rawMetadata && !encodedRawMetadata) {
@@ -168,11 +181,13 @@ class APIController {
             const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, name, description, } = body;
             metrics.increment('createConfig');
             this._validateIdPConfig(body);
+            const redirectUrlList = extractRedirectUrls(redirectUrl);
+            this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
             let metaData = rawMetadata;
             if (encodedRawMetadata) {
                 metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
             }
-            const idpMetadata = yield saml_1.default.parseMetadataAsync(metaData);
+            const idpMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
             // extract provider
             let providerName = extractHostName(idpMetadata.entityID);
             if (!providerName) {
@@ -195,7 +210,7 @@ class APIController {
             const record = {
                 idpMetadata,
                 defaultRedirectUrl,
-                redirectUrl: JSON.parse(redirectUrl),
+                redirectUrl: redirectUrlList,
                 tenant,
                 product,
                 name,
@@ -296,6 +311,8 @@ class APIController {
             if (description && description.length > 100) {
                 throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
             }
+            const redirectUrlList = redirectUrl ? extractRedirectUrls(redirectUrl) : null;
+            this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
             const _currentConfig = yield this.getConfig(clientInfo);
             if (_currentConfig.clientSecret !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
                 throw new error_1.JacksonError('clientSecret mismatch', 400);
@@ -306,7 +323,7 @@ class APIController {
             }
             let newMetadata;
             if (metaData) {
-                newMetadata = yield saml_1.default.parseMetadataAsync(metaData);
+                newMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
                 // extract provider
                 let providerName = extractHostName(newMetadata.entityID);
                 if (!providerName) {
@@ -321,7 +338,7 @@ class APIController {
                     throw new error_1.JacksonError('Tenant/Product config mismatch with IdP metadata', 400);
                 }
             }
-            const record = Object.assign(Object.assign({}, _currentConfig), { name: name ? name : _currentConfig.name, description: description ? description : _currentConfig.description, idpMetadata: newMetadata ? newMetadata : _currentConfig.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _currentConfig.defaultRedirectUrl, redirectUrl: redirectUrl ? JSON.parse(redirectUrl) : _currentConfig.redirectUrl });
+            const record = Object.assign(Object.assign({}, _currentConfig), { name: name ? name : _currentConfig.name, description: description ? description : _currentConfig.description, idpMetadata: newMetadata ? newMetadata : _currentConfig.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _currentConfig.defaultRedirectUrl, redirectUrl: redirectUrlList ? redirectUrlList : _currentConfig.redirectUrl });
             yield this.configStore.put(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID, record, {
                 // secondary index on entityID
                 name: utils_1.IndexNames.EntityID,
@@ -495,3 +512,18 @@ const extractHostName = (url) => {
         return null;
     }
 };
+const extractRedirectUrls = (urls) => {
+    if (!urls) {
+        return [];
+    }
+    if (typeof urls === 'string') {
+        if (urls.startsWith('[')) {
+            // redirectUrl is a stringified array
+            return JSON.parse(urls);
+        }
+        // redirectUrl is a single URL
+        return [urls];
+    }
+    // redirectUrl is an array of URLs
+    return urls;
+};

package/dist/controller/health-check.d.ts

@@ -0,0 +1,11 @@
+import { IHealthCheckController, Storable } from '../typings';
+export declare class HealthCheckController implements IHealthCheckController {
+    healthCheckStore: Storable;
+    constructor({ healthCheckStore }: {
+        healthCheckStore: any;
+    });
+    init(): Promise<void>;
+    status(): Promise<{
+        status: number;
+    }>;
+}

package/dist/controller/health-check.js

@@ -0,0 +1,53 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HealthCheckController = void 0;
+const error_1 = require("./error");
+const healthKey = 'amihealthy';
+const healthValue = 'fit';
+const g = global;
+class HealthCheckController {
+    constructor({ healthCheckStore }) {
+        this.healthCheckStore = healthCheckStore;
+    }
+    init() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.healthCheckStore.put(healthKey, healthValue);
+        });
+    }
+    status() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!g.isJacksonReady) {
+                    return {
+                        status: 503,
+                    };
+                }
+                const response = yield Promise.race([
+                    this.healthCheckStore.get(healthKey),
+                    new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 1000)),
+                ]);
+                if (response === healthValue) {
+                    return {
+                        status: 200,
+                    };
+                }
+                return {
+                    status: 503,
+                };
+            }
+            catch (err) {
+                throw new error_1.JacksonError('Service not available', 503);
+            }
+        });
+    }
+}
+exports.HealthCheckController = HealthCheckController;

package/dist/controller/logout.d.ts

@@ -0,0 +1,18 @@
+import { SAMLResponsePayload, SLORequestParams } from '../typings';
+export declare class LogoutController {
+    private configStore;
+    private sessionStore;
+    private opts;
+    constructor({ configStore, sessionStore, opts }: {
+        configStore: any;
+        sessionStore: any;
+        opts: any;
+    });
+    createRequest({ nameId, tenant, product, redirectUrl }: SLORequestParams): Promise<{
+        logoutUrl: string | null;
+        logoutForm: string | null;
+    }>;
+    handleResponse({ SAMLResponse, RelayState }: SAMLResponsePayload): Promise<{
+        redirectUrl: any;
+    }>;
+}

package/dist/controller/logout.js

@@ -0,0 +1,199 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogoutController = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const util_1 = require("util");
+const xml2js_1 = __importDefault(require("xml2js"));
+const xmlbuilder_1 = __importDefault(require("xmlbuilder"));
+const zlib_1 = require("zlib");
+const dbutils = __importStar(require("../db/utils"));
+const saml20_1 = __importDefault(require("@boxyhq/saml20"));
+const error_1 = require("./error");
+const redirect = __importStar(require("./oauth/redirect"));
+const utils_1 = require("./utils");
+const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
+const relayStatePrefix = 'boxyhq_jackson_';
+const logoutXPath = "/*[local-name(.)='LogoutRequest']";
+class LogoutController {
+    constructor({ configStore, sessionStore, opts }) {
+        this.opts = opts;
+        this.configStore = configStore;
+        this.sessionStore = sessionStore;
+    }
+    // Create SLO Request
+    createRequest({ nameId, tenant, product, redirectUrl }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let samlConfig = null;
+            if (tenant && product) {
+                const samlConfigs = yield this.configStore.getByIndex({
+                    name: utils_1.IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                });
+                if (!samlConfigs || samlConfigs.length === 0) {
+                    throw new error_1.JacksonError('SAML configuration not found.', 403);
+                }
+                samlConfig = samlConfigs[0];
+            }
+            if (!samlConfig) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            const { idpMetadata: { slo, provider }, certs: { privateKey, publicKey }, } = samlConfig;
+            if ('redirectUrl' in slo === false && 'postUrl' in slo === false) {
+                throw new error_1.JacksonError(`${provider} doesn't support SLO or disabled by IdP.`, 400);
+            }
+            const { id, xml } = buildRequestXML(nameId, this.opts.samlAudience, slo.redirectUrl);
+            const sessionId = crypto_1.default.randomBytes(16).toString('hex');
+            let logoutUrl = null;
+            let logoutForm = null;
+            const relayState = relayStatePrefix + sessionId;
+            const signedXML = yield signXML(xml, privateKey, publicKey);
+            yield this.sessionStore.put(sessionId, {
+                id,
+                redirectUrl,
+            });
+            // HTTP-Redirect binding
+            if ('redirectUrl' in slo) {
+                logoutUrl = redirect.success(slo.redirectUrl, {
+                    SAMLRequest: Buffer.from(yield deflateRawAsync(signedXML)).toString('base64'),
+                    RelayState: relayState,
+                });
+            }
+            // HTTP-POST binding
+            if ('postUrl' in slo) {
+                logoutForm = saml20_1.default.createPostForm(slo.postUrl, [
+                    {
+                        name: 'RelayState',
+                        value: relayState,
+                    },
+                    {
+                        name: 'SAMLRequest',
+                        value: Buffer.from(signedXML).toString('base64'),
+                    },
+                ]);
+            }
+            return { logoutUrl, logoutForm };
+        });
+    }
+    // Handle SLO Response
+    handleResponse({ SAMLResponse, RelayState }) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+            const sessionId = RelayState.replace(relayStatePrefix, '');
+            const session = yield this.sessionStore.get(sessionId);
+            if (!session) {
+                throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
+            }
+            const parsedResponse = yield parseSAMLResponse(rawResponse);
+            if (parsedResponse.status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+                throw new error_1.JacksonError(`SLO failed with status ${parsedResponse.status}.`, 400);
+            }
+            if (parsedResponse.inResponseTo !== session.id) {
+                throw new error_1.JacksonError(`SLO failed with mismatched request ID.`, 400);
+            }
+            const samlConfigs = yield this.configStore.getByIndex({
+                name: utils_1.IndexNames.EntityID,
+                value: parsedResponse.issuer,
+            });
+            if (!samlConfigs || samlConfigs.length === 0) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            const { idpMetadata, defaultRedirectUrl } = samlConfigs[0];
+            if (!(yield saml20_1.default.validateSignature(rawResponse, null, idpMetadata.thumbprint))) {
+                throw new error_1.JacksonError('Invalid signature.', 403);
+            }
+            try {
+                yield this.sessionStore.delete(sessionId);
+            }
+            catch (_err) {
+                // Ignore
+            }
+            return {
+                redirectUrl: (_a = session.redirectUrl) !== null && _a !== void 0 ? _a : defaultRedirectUrl,
+            };
+        });
+    }
+}
+exports.LogoutController = LogoutController;
+// Create the XML for the SLO Request
+const buildRequestXML = (nameId, providerName, sloUrl) => {
+    const id = '_' + crypto_1.default.randomBytes(10).toString('hex');
+    const xml = {
+        'samlp:LogoutRequest': {
+            '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+            '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+            '@ID': id,
+            '@Version': '2.0',
+            '@IssueInstant': new Date().toISOString(),
+            '@Destination': sloUrl,
+            'saml:Issuer': {
+                '#text': providerName,
+            },
+            'saml:NameID': {
+                '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+                '#text': nameId,
+            },
+        },
+    };
+    return {
+        id,
+        xml: xmlbuilder_1.default.create(xml).end({}),
+    };
+};
+// Parse SAMLResponse
+const parseSAMLResponse = (rawResponse) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        xml2js_1.default.parseString(rawResponse, { tagNameProcessors: [xml2js_1.default.processors.stripPrefix] }, (err, { LogoutResponse }) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve({
+                issuer: LogoutResponse.Issuer[0]._,
+                id: LogoutResponse.$.ID,
+                status: LogoutResponse.Status[0].StatusCode[0].$.Value,
+                destination: LogoutResponse.$.Destination,
+                inResponseTo: LogoutResponse.$.InResponseTo,
+            });
+        });
+    });
+});
+// Sign the XML
+const signXML = (xml, signingKey, publicKey) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield saml20_1.default.sign(xml, signingKey, publicKey, logoutXPath);
+});

package/dist/controller/oauth/redirect.d.ts

@@ -1 +1 @@
-export declare const success: (redirectUrl: string, params: Record<string, string>) => string;
+export declare const success: (redirectUrl: string, params: Record<string, string | string[] | undefined>) => string;

package/dist/controller/oauth/redirect.js

@@ -4,7 +4,12 @@ exports.success = void 0;
 const success = (redirectUrl, params) => {
     const url = new URL(redirectUrl);
     for (const [key, value] of Object.entries(params)) {
-        url.searchParams.set(key, value);
+        if (Array.isArray(value)) {
+            value.forEach((v) => url.searchParams.append(key, v));
+        }
+        else if (value !== undefined) {
+            url.searchParams.set(key, value);
+        }
     }
     return url.href;
 };

package/dist/controller/oauth.d.ts

@@ -12,12 +12,14 @@ export declare class OAuthController implements IOAuthController {
         tokenStore: any;
         opts: any;
     });
+    private resolveMultipleConfigMatches;
     authorize(body: OAuthReqBody): Promise<{
-        redirect_url: string;
-        authorize_form: string;
+        redirect_url?: string;
+        authorize_form?: string;
     }>;
     samlResponse(body: SAMLResponsePayload): Promise<{
-        redirect_url: string;
+        redirect_url?: string;
+        app_select_form?: string;
     }>;
     /**
      * @swagger