@boxyhq/saml-jackson 1.1.4 → 1.2.0

package/dist/controller/error.d.ts

@@ -1,5 +1,10 @@
+import { ApiError } from '../typings';
 export declare class JacksonError extends Error {
     name: string;
     statusCode: number;
     constructor(message: string, statusCode?: number);
 }
+export declare const apiError: (err: any) => {
+    data: null;
+    error: ApiError;
+};

package/dist/controller/error.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.JacksonError = void 0;
+exports.apiError = exports.JacksonError = void 0;
 class JacksonError extends Error {
     constructor(message, statusCode = 500) {
         super(message);
@@ -10,3 +10,8 @@ class JacksonError extends Error {
     }
 }
 exports.JacksonError = JacksonError;
+const apiError = (err) => {
+    const { message, statusCode = 500 } = err;
+    return { data: null, error: { message, code: statusCode } };
+};
+exports.apiError = apiError;

package/dist/controller/oauth.js

@@ -161,6 +161,10 @@ class OAuthController {
                     state,
                     tenant,
                     product,
+                    access_type,
+                    resource,
+                    scope,
+                    nonce,
                     code_challenge,
                     code_challenge_method,
                     provider,
@@ -206,6 +210,10 @@ class OAuthController {
                         state,
                         tenant,
                         product,
+                        access_type,
+                        resource,
+                        scope,
+                        nonce,
                         code_challenge,
                         code_challenge_method,
                         provider,
@@ -294,7 +302,7 @@ class OAuthController {
                     publicKey: samlConfig.certs.publicKey,
                 });
                 const sessionId = crypto_1.default.randomBytes(16).toString('hex');
-                const requested = { client_id, state };
+                const requested = { client_id, state, redirect_uri };
                 if (requestedTenant) {
                     requested.tenant = requestedTenant;
                 }
@@ -542,8 +550,9 @@ class OAuthController {
      *             expires_in: 300
      */
     token(body) {
+        var _a, _b, _c;
         return __awaiter(this, void 0, void 0, function* () {
-            const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code' } = body;
+            const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code', redirect_uri, } = body;
             metrics.increment('oauthToken');
             if (grant_type !== 'authorization_code') {
                 throw new error_1.JacksonError('Unsupported grant_type', 400);
@@ -555,6 +564,11 @@ class OAuthController {
             if (!codeVal || !codeVal.profile) {
                 throw new error_1.JacksonError('Invalid code', 403);
             }
+            if ((_a = codeVal.requested) === null || _a === void 0 ? void 0 : _a.redirect_uri) {
+                if (redirect_uri !== codeVal.requested.redirect_uri) {
+                    throw new error_1.JacksonError(`Invalid request: ${!redirect_uri ? 'redirect_uri missing' : 'redirect_uri mismatch'}`, 400);
+                }
+            }
             if (code_verifier) {
                 // PKCE flow
                 let cv = code_verifier;
@@ -594,8 +608,8 @@ class OAuthController {
             // store details against a token
             const token = crypto_1.default.randomBytes(20).toString('hex');
             const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
-            const requestedOIDCFlow = !!codeVal.requested.oidc;
-            const requestHasNonce = !!codeVal.requested.nonce;
+            const requestedOIDCFlow = !!((_b = codeVal.requested) === null || _b === void 0 ? void 0 : _b.oidc);
+            const requestHasNonce = !!((_c = codeVal.requested) === null || _c === void 0 ? void 0 : _c.nonce);
             if (requestedOIDCFlow) {
                 const { jwtSigningKeys, jwsAlg } = this.opts.openid;
                 if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {

package/dist/controller/sp-config.d.ts

@@ -0,0 +1,21 @@
+import type { JacksonOption } from '../typings';
+export declare class SPSAMLConfig {
+    private opts;
+    constructor(opts: JacksonOption);
+    private get acsUrl();
+    private get entityId();
+    private get responseSigned();
+    private get assertionSignature();
+    private get signatureAlgorithm();
+    private get assertionEncryption();
+    get(): {
+        acsUrl: string;
+        entityId: string;
+        response: string;
+        assertionSignature: string;
+        signatureAlgorithm: string;
+        assertionEncryption: string;
+    };
+    toMarkdown(): string;
+    toHTML(): string;
+}

package/dist/controller/sp-config.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SPSAMLConfig = void 0;
+const marked_1 = require("marked");
+// Service Provider SAML Configuration
+class SPSAMLConfig {
+    constructor(opts) {
+        this.opts = opts;
+    }
+    get acsUrl() {
+        return `${this.opts.externalUrl}${this.opts.samlPath}`;
+    }
+    get entityId() {
+        return `${this.opts.samlAudience}`;
+    }
+    get responseSigned() {
+        return 'Signed';
+    }
+    get assertionSignature() {
+        return 'Signed';
+    }
+    get signatureAlgorithm() {
+        return 'RSA-SHA256';
+    }
+    get assertionEncryption() {
+        return 'Unencrypted';
+    }
+    get() {
+        return {
+            acsUrl: this.acsUrl,
+            entityId: this.entityId,
+            response: this.responseSigned,
+            assertionSignature: this.assertionSignature,
+            signatureAlgorithm: this.signatureAlgorithm,
+            assertionEncryption: this.assertionEncryption,
+        };
+    }
+    toMarkdown() {
+        return markdownTemplate
+            .replace('{{acsUrl}}', this.acsUrl)
+            .replace('{{entityId}}', this.entityId)
+            .replace('{{responseSigned}}', this.responseSigned)
+            .replace('{{assertionSignature}}', this.assertionSignature)
+            .replace('{{signatureAlgorithm}}', this.signatureAlgorithm)
+            .replace('{{assertionEncryption}}', this.assertionEncryption);
+    }
+    toHTML() {
+        return marked_1.marked.parse(this.toMarkdown());
+    }
+}
+exports.SPSAMLConfig = SPSAMLConfig;
+const markdownTemplate = `
+## Service Provider (SP) SAML Configuration
+
+Your Identity Provider (IdP) will ask for the following information while configuring the SAML application. Share this information with your IT administrator.
+
+**ACS (Assertion Consumer Service) URL / Single Sign-On URL / Destination URL** <br />
+{{acsUrl}}
+
+**SP Entity ID / Identifier / Audience URI / Audience Restriction** <br />
+{{entityId}}
+
+**Response** <br />
+{{responseSigned}}
+
+**Assertion Signature** <br />
+{{assertionSignature}}
+
+**Signature Algorithm** <br />
+{{signatureAlgorithm}}
+
+**Assertion Encryption** <br />
+{{assertionEncryption}}
+`;

package/dist/controller/utils.d.ts

@@ -4,10 +4,23 @@ export declare enum IndexNames {
     EntityID = "entityID",
     TenantProduct = "tenantProduct"
 }
+export declare const storeNamespacePrefix: {
+    dsync: {
+        config: string;
+        logs: string;
+        users: string;
+        groups: string;
+        members: string;
+    };
+    saml: {
+        config: string;
+    };
+};
 export declare const relayStatePrefix = "boxyhq_jackson_";
 export declare const validateAbsoluteUrl: (url: any, message: any) => void;
 export declare const OAuthErrorResponse: ({ error, error_description, redirect_uri, state, }: OAuthErrorHandlerParams) => string;
 export declare function getErrorMessage(error: unknown): string;
+export declare const createRandomSecret: (length: number) => Promise<string>;
 export declare function loadJWSPrivateKey(key: string, alg: string): Promise<jose.KeyLike>;
 export declare function isJWSKeyPairLoaded(jwsKeyPair: {
     private: string;

package/dist/controller/utils.js

@@ -31,16 +31,33 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.IndexNames = void 0;
+exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.createRandomSecret = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.storeNamespacePrefix = exports.IndexNames = void 0;
 const error_1 = require("./error");
 const redirect = __importStar(require("./oauth/redirect"));
+const crypto_1 = __importDefault(require("crypto"));
 const jose = __importStar(require("jose"));
 var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
     IndexNames["TenantProduct"] = "tenantProduct";
 })(IndexNames = exports.IndexNames || (exports.IndexNames = {}));
+// The namespace prefix for the database store
+exports.storeNamespacePrefix = {
+    dsync: {
+        config: 'dsync:config',
+        logs: 'dsync:logs',
+        users: 'dsync:users',
+        groups: 'dsync:groups',
+        members: 'dsync:members',
+    },
+    saml: {
+        config: 'saml:config',
+    },
+};
 exports.relayStatePrefix = 'boxyhq_jackson_';
 const validateAbsoluteUrl = (url, message) => {
     try {
@@ -63,6 +80,15 @@ function getErrorMessage(error) {
     return String(error);
 }
 exports.getErrorMessage = getErrorMessage;
+const createRandomSecret = (length) => __awaiter(void 0, void 0, void 0, function* () {
+    return crypto_1.default
+        .randomBytes(length)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+});
+exports.createRandomSecret = createRandomSecret;
 function loadJWSPrivateKey(key, alg) {
     return __awaiter(this, void 0, void 0, function* () {
         const pkcs8 = Buffer.from(key, 'base64').toString('ascii');

package/dist/db/mem.js

@@ -73,13 +73,17 @@ class Mem {
     getAll(namespace, pageOffset, pageLimit) {
         return __awaiter(this, void 0, void 0, function* () {
             const offsetAndLimitValueCheck = !dbutils.isNumeric(pageOffset) && !dbutils.isNumeric(pageLimit);
-            let take = Number(offsetAndLimitValueCheck ? this.options.pageLimit : pageLimit);
+            const returnValue = [];
             const skip = Number(offsetAndLimitValueCheck ? 0 : pageOffset);
+            let take = Number(offsetAndLimitValueCheck ? this.options.pageLimit : pageLimit);
             let count = 0;
             take += skip;
-            const returnValue = [];
             if (namespace) {
-                const val = Array.from(this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)]);
+                const index = dbutils.keyFromParts(dbutils.createdAtPrefix, namespace);
+                if (this.indexes[index] === undefined) {
+                    return [];
+                }
+                const val = Array.from(this.indexes[index]);
                 const iterator = val.reverse().values();
                 for (const value of iterator) {
                     if (count >= take) {

package/dist/directory-sync/Base.d.ts

@@ -0,0 +1,15 @@
+import type { Storable, DatabaseStore } from '../typings';
+export declare class Base {
+    protected db: DatabaseStore;
+    protected tenant: null | string;
+    protected product: null | string;
+    constructor({ db }: {
+        db: DatabaseStore;
+    });
+    store(type: 'groups' | 'members' | 'users' | 'logs'): Storable;
+    setTenant(tenant: string): this;
+    setProduct(product: string): this;
+    setTenantAndProduct(tenant: string, product: string): this;
+    with(tenant: string, product: string): this;
+    createId(): string;
+}

package/dist/directory-sync/Base.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Base = void 0;
+const utils_1 = require("../controller/utils");
+const uuid_1 = require("uuid");
+class Base {
+    constructor({ db }) {
+        this.tenant = null;
+        this.product = null;
+        this.db = db;
+    }
+    // Return the database store
+    store(type) {
+        if (!this.tenant || !this.product) {
+            throw new Error('Set tenant and product before using store.');
+        }
+        return this.db.store(`${utils_1.storeNamespacePrefix.dsync[type]}:${this.tenant}:${this.product}`);
+    }
+    setTenant(tenant) {
+        this.tenant = tenant;
+        return this;
+    }
+    setProduct(product) {
+        this.product = product;
+        return this;
+    }
+    // Set the tenant and product
+    setTenantAndProduct(tenant, product) {
+        return this.setTenant(tenant).setProduct(product);
+    }
+    // Set the tenant and product
+    with(tenant, product) {
+        return this.setTenant(tenant).setProduct(product);
+    }
+    createId() {
+        return (0, uuid_1.v4)();
+    }
+}
+exports.Base = Base;

package/dist/directory-sync/DirectoryConfig.d.ts

@@ -0,0 +1,43 @@
+import type { Directory, JacksonOption, DatabaseStore, DirectoryType, ApiError } from '../typings';
+export declare class DirectoryConfig {
+    private _store;
+    private opts;
+    private db;
+    constructor({ db, opts }: {
+        db: DatabaseStore;
+        opts: JacksonOption;
+    });
+    private store;
+    create({ name, tenant, product, webhook_url, webhook_secret, type, }: {
+        name?: string;
+        tenant: string;
+        product: string;
+        webhook_url?: string;
+        webhook_secret?: string;
+        type?: DirectoryType;
+    }): Promise<{
+        data: Directory | null;
+        error: ApiError | null;
+    }>;
+    get(id: string): Promise<{
+        data: Directory | null;
+        error: ApiError | null;
+    }>;
+    update(id: string, param: Omit<Partial<Directory>, 'id' | 'tenant' | 'prodct' | 'scim'>): Promise<{
+        data: Directory | null;
+        error: ApiError | null;
+    }>;
+    getByTenantAndProduct(tenant: string, product: string): Promise<{
+        data: Directory | null;
+        error: ApiError | null;
+    }>;
+    list({ pageOffset, pageLimit, }: {
+        pageOffset: number;
+        pageLimit: number;
+    }): Promise<{
+        data: Directory[] | null;
+        error: ApiError | null;
+    }>;
+    delete(id: string): Promise<void>;
+    private transform;
+}

package/dist/directory-sync/DirectoryConfig.js

@@ -0,0 +1,186 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DirectoryConfig = void 0;
+const dbutils = __importStar(require("../db/utils"));
+const utils_1 = require("../controller/utils");
+const error_1 = require("../controller/error");
+const utils_2 = require("../controller/utils");
+class DirectoryConfig {
+    constructor({ db, opts }) {
+        this._store = null;
+        this.opts = opts;
+        this.db = db;
+    }
+    // Return the database store
+    store() {
+        return this._store || (this._store = this.db.store(utils_2.storeNamespacePrefix.dsync.config));
+    }
+    // Create the configuration
+    create({ name, tenant, product, webhook_url, webhook_secret, type = 'generic-scim-v2', }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!tenant || !product) {
+                    throw new error_1.JacksonError('Missing required parameters.', 400);
+                }
+                if (!name) {
+                    name = `scim-${tenant}-${product}`;
+                }
+                const id = dbutils.keyDigest(dbutils.keyFromParts(tenant, product));
+                const hasWebhook = webhook_url && webhook_secret;
+                const directory = {
+                    id,
+                    name,
+                    tenant,
+                    product,
+                    type,
+                    log_webhook_events: false,
+                    scim: {
+                        path: `${this.opts.scimPath}/${id}`,
+                        secret: yield (0, utils_1.createRandomSecret)(16),
+                    },
+                    webhook: {
+                        endpoint: hasWebhook ? webhook_url : '',
+                        secret: hasWebhook ? webhook_secret : '',
+                    },
+                };
+                yield this.store().put(id, directory);
+                return { data: this.transform(directory), error: null };
+            }
+            catch (err) {
+                return (0, error_1.apiError)(err);
+            }
+        });
+    }
+    // Get the configuration by id
+    get(id) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!id) {
+                    throw new error_1.JacksonError('Missing required parameters.', 400);
+                }
+                const directory = yield this.store().get(id);
+                if (!directory) {
+                    throw new error_1.JacksonError('Directory configuration not found.', 404);
+                }
+                return { data: this.transform(directory), error: null };
+            }
+            catch (err) {
+                return (0, error_1.apiError)(err);
+            }
+        });
+    }
+    // Update the configuration. Partial updates are supported
+    update(id, param) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!id) {
+                    throw new error_1.JacksonError('Missing required parameters.', 400);
+                }
+                const { name, log_webhook_events, webhook, type } = param;
+                const directory = yield this.store().get(id);
+                if (name) {
+                    directory.name = name;
+                }
+                if (log_webhook_events !== undefined) {
+                    directory.log_webhook_events = log_webhook_events;
+                }
+                if (webhook) {
+                    directory.webhook = webhook;
+                }
+                if (type) {
+                    directory.type = type;
+                }
+                yield this.store().put(id, Object.assign({}, directory));
+                return { data: this.transform(directory), error: null };
+            }
+            catch (err) {
+                return (0, error_1.apiError)(err);
+            }
+        });
+    }
+    // Get the configuration by tenant and product
+    getByTenantAndProduct(tenant, product) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!tenant || !product) {
+                    throw new error_1.JacksonError('Missing required parameters.', 400);
+                }
+                return yield this.get(dbutils.keyDigest(dbutils.keyFromParts(tenant, product)));
+            }
+            catch (err) {
+                return (0, error_1.apiError)(err);
+            }
+        });
+    }
+    // Get all configurations
+    list({ pageOffset, pageLimit, }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                const directories = (yield this.store().getAll(pageOffset, pageLimit));
+                const transformedDirectories = directories
+                    ? directories.map((directory) => this.transform(directory))
+                    : [];
+                return {
+                    data: transformedDirectories,
+                    error: null,
+                };
+            }
+            catch (err) {
+                return (0, error_1.apiError)(err);
+            }
+        });
+    }
+    // Delete a configuration by id
+    // Note: This feature is not yet implemented
+    delete(id) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!id) {
+                throw new error_1.JacksonError('Missing required parameter.', 400);
+            }
+            // TODO: Delete the users and groups associated with the configuration
+            yield this.store().delete(id);
+            return;
+        });
+    }
+    transform(directory) {
+        // Add the flag to ensure SCIM compliance when using Azure AD
+        if (directory.type === 'azure-scim-v2') {
+            directory.scim.path = `${directory.scim.path}/?aadOptscim062020`;
+        }
+        directory.scim.endpoint = `${this.opts.externalUrl}${directory.scim.path}`;
+        return directory;
+    }
+}
+exports.DirectoryConfig = DirectoryConfig;

package/dist/directory-sync/DirectoryGroups.d.ts

@@ -0,0 +1,26 @@
+import type { Group, DirectoryConfig, DirectorySyncResponse, Directory, DirectorySyncGroupMember, DirectorySyncRequest, Users, Groups, IDirectoryGroups, EventCallback } from '../typings';
+export declare class DirectoryGroups implements IDirectoryGroups {
+    private directories;
+    private users;
+    private groups;
+    private callback;
+    constructor({ directories, users, groups, }: {
+        directories: DirectoryConfig;
+        users: Users;
+        groups: Groups;
+    });
+    create(directory: Directory, body: any): Promise<DirectorySyncResponse>;
+    get(group: Group): Promise<DirectorySyncResponse>;
+    delete(directory: Directory, group: Group): Promise<DirectorySyncResponse>;
+    getAll(queryParams: {
+        filter?: string;
+    }): Promise<DirectorySyncResponse>;
+    updateDisplayName(directory: Directory, group: Group, body: any): Promise<Group>;
+    patch(directory: Directory, group: Group, body: any): Promise<DirectorySyncResponse>;
+    update(directory: Directory, group: Group, body: any): Promise<DirectorySyncResponse>;
+    addGroupMembers(directory: Directory, group: Group, members: DirectorySyncGroupMember[] | undefined, sendWebhookEvent?: boolean): Promise<void>;
+    removeGroupMembers(directory: Directory, group: Group, members: DirectorySyncGroupMember[], sendWebhookEvent?: boolean): Promise<void>;
+    addOrRemoveGroupMembers(directory: Directory, group: Group, members: DirectorySyncGroupMember[]): Promise<void>;
+    private respondWithError;
+    handleRequest(request: DirectorySyncRequest, callback?: EventCallback): Promise<DirectorySyncResponse>;
+}