@boxyhq/saml-jackson 1.2.2 → 1.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (22) hide show
  1. package/dist/controller/admin.d.ts +4 -4
  2. package/dist/controller/admin.js +6 -6
  3. package/dist/controller/api.d.ts +448 -204
  4. package/dist/controller/api.js +547 -378
  5. package/dist/controller/connection/oidc.d.ts +18 -0
  6. package/dist/controller/connection/oidc.js +145 -0
  7. package/dist/controller/connection/saml.d.ts +14 -0
  8. package/dist/controller/connection/saml.js +168 -0
  9. package/dist/controller/logout.d.ts +3 -3
  10. package/dist/controller/logout.js +14 -14
  11. package/dist/controller/oauth.d.ts +26 -8
  12. package/dist/controller/oauth.js +361 -140
  13. package/dist/controller/utils.d.ts +10 -2
  14. package/dist/controller/utils.js +88 -1
  15. package/dist/index.d.ts +3 -2
  16. package/dist/index.js +26 -14
  17. package/dist/loadConnection.d.ts +3 -0
  18. package/dist/{read-config.js → loadConnection.js} +13 -12
  19. package/dist/opentelemetry/metrics.js +12 -12
  20. package/dist/typings.d.ts +109 -35
  21. package/package.json +3 -2
  22. package/dist/read-config.d.ts +0 -3
package/dist/controller/api.js CHANGED
@@ -31,394 +31,531 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
31
31
  step((generator = generator.apply(thisArg, _arguments || [])).next());
32
32
  });
33
33
  };
34
- var __rest = (this && this.__rest) || function (s, e) {
35
- var t = {};
36
- for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
37
- t[p] = s[p];
38
- if (s != null && typeof Object.getOwnPropertySymbols === "function")
39
- for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
40
- if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
41
- t[p[i]] = s[p[i]];
42
- }
43
- return t;
44
- };
45
34
  var __importDefault = (this && this.__importDefault) || function (mod) {
46
35
  return (mod && mod.__esModule) ? mod : { "default": mod };
47
36
  };
48
37
  Object.defineProperty(exports, "__esModule", { value: true });
49
- exports.APIController = void 0;
50
- const crypto_1 = __importDefault(require("crypto"));
38
+ exports.ConnectionAPIController = void 0;
51
39
  const dbutils = __importStar(require("../db/utils"));
52
40
  const metrics = __importStar(require("../opentelemetry/metrics"));
53
- const saml20_1 = __importDefault(require("@boxyhq/saml20"));
54
- const x509_1 = __importDefault(require("../saml/x509"));
55
41
  const error_1 = require("./error");
56
42
  const utils_1 = require("./utils");
57
- class APIController {
58
- constructor({ configStore }) {
59
- this.configStore = configStore;
60
- }
61
- _validateRedirectUrl({ redirectUrlList, defaultRedirectUrl }) {
62
- if (redirectUrlList) {
63
- if (redirectUrlList.length > 100) {
64
- throw new error_1.JacksonError('Exceeded maximum number of allowed redirect urls', 400);
65
- }
66
- for (const url of redirectUrlList) {
67
- (0, utils_1.validateAbsoluteUrl)(url, 'redirectUrl is invalid');
68
- }
69
- }
70
- if (defaultRedirectUrl) {
71
- (0, utils_1.validateAbsoluteUrl)(defaultRedirectUrl, 'defaultRedirectUrl is invalid');
72
- }
73
- }
74
- _validateIdPConfig(body) {
75
- const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, description } = body;
76
- if (!rawMetadata && !encodedRawMetadata) {
77
- throw new error_1.JacksonError('Please provide rawMetadata or encodedRawMetadata', 400);
78
- }
79
- if (!defaultRedirectUrl) {
80
- throw new error_1.JacksonError('Please provide a defaultRedirectUrl', 400);
81
- }
82
- if (!redirectUrl) {
83
- throw new error_1.JacksonError('Please provide redirectUrl', 400);
84
- }
85
- if (!tenant) {
86
- throw new error_1.JacksonError('Please provide tenant', 400);
87
- }
88
- if (!product) {
89
- throw new error_1.JacksonError('Please provide product', 400);
90
- }
91
- if (description && description.length > 100) {
92
- throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
93
- }
43
+ const oidc_1 = __importDefault(require("./connection/oidc"));
44
+ const saml_1 = __importDefault(require("./connection/saml"));
45
+ class ConnectionAPIController {
46
+ constructor({ connectionStore }) {
47
+ this.connectionStore = connectionStore;
94
48
  }
95
49
  /**
96
50
  * @swagger
51
+ * definitions:
52
+ * Connection:
53
+ * type: object
54
+ * example:
55
+ * {
56
+ * "idpMetadata": {
57
+ * "sso": {
58
+ * "postUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxsso/saml",
59
+ * "redirectUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxsso/saml"
60
+ * },
61
+ * "entityID": "http://www.okta.com/xxxxxxxxxxxxx",
62
+ * "thumbprint": "Eo+eUi3UM3XIMkFFtdVK3yJ5vO9f7YZdasdasdad",
63
+ * "loginType": "idp",
64
+ * "provider": "okta.com"
65
+ * },
66
+ * "defaultRedirectUrl": "https://hoppscotch.io/",
67
+ * "redirectUrl": ["https://hoppscotch.io/"],
68
+ * "tenant": "hoppscotch.io",
69
+ * "product": "API Engine",
70
+ * "name": "Hoppscotch-SP",
71
+ * "description": "SP for hoppscotch.io",
72
+ * "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
73
+ * "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
74
+ * "certs": {
75
+ * "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
76
+ * "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
77
+ * }
78
+ * }
79
+ * validationErrorsPost:
80
+ * description: Please provide rawMetadata or encodedRawMetadata | Please provide a defaultRedirectUrl | Please provide redirectUrl | redirectUrl is invalid | Exceeded maximum number of allowed redirect urls | defaultRedirectUrl is invalid | Please provide tenant | Please provide product | Please provide a friendly name | Description should not exceed 100 characters | Strategy&#58; xxxx not supported | Please provide the clientId from OpenID Provider | Please provide the clientSecret from OpenID Provider | Please provide the discoveryUrl for the OpenID Provider
97
81
  *
82
+ * parameters:
83
+ * nameParamPost:
84
+ * name: name
85
+ * description: Name/identifier for the connection
86
+ * type: string
87
+ * in: formData
88
+ * descriptionParamPost:
89
+ * name: description
90
+ * description: A short description for the connection not more than 100 characters
91
+ * type: string
92
+ * in: formData
93
+ * encodedRawMetadataParamPost:
94
+ * name: encodedRawMetadata
95
+ * description: Base64 encoding of the XML metadata
96
+ * in: formData
97
+ * type: string
98
+ * rawMetadataParamPost:
99
+ * name: rawMetadata
100
+ * description: Raw XML metadata
101
+ * in: formData
102
+ * type: string
103
+ * defaultRedirectUrlParamPost:
104
+ * name: defaultRedirectUrl
105
+ * description: The redirect URL to use in the IdP login flow
106
+ * in: formData
107
+ * required: true
108
+ * type: string
109
+ * redirectUrlParamPost:
110
+ * name: redirectUrl
111
+ * description: JSON encoded array containing a list of allowed redirect URLs
112
+ * in: formData
113
+ * required: true
114
+ * type: string
115
+ * tenantParamPost:
116
+ * name: tenant
117
+ * description: Tenant
118
+ * in: formData
119
+ * required: true
120
+ * type: string
121
+ * productParamPost:
122
+ * name: product
123
+ * description: Product
124
+ * in: formData
125
+ * required: true
126
+ * type: string
127
+ * oidcDiscoveryUrlPost:
128
+ * name: oidcDiscoveryUrl
129
+ * description: well-known URL where the OpenID Provider configuration is exposed
130
+ * in: formData
131
+ * type: string
132
+ * oidcClientIdPost:
133
+ * name: oidcClientId
134
+ * description: clientId of the application set up on the OpenID Provider
135
+ * in: formData
136
+ * type: string
137
+ * oidcClientSecretPost:
138
+ * name: oidcClientSecret
139
+ * description: clientSecret of the application set up on the OpenID Provider
140
+ * in: formData
141
+ * type: string
98
142
  * /api/v1/saml/config:
99
143
  * post:
100
- * summary: Create SAML configuration
101
- * operationId: create-saml-config
102
- * tags: [SAML Config]
144
+ * summary: Create SAML config
145
+ * operationId: create-saml-config
146
+ * deprecated: true
147
+ * tags: [SAML Config - Deprecated]
148
+ * produces:
149
+ * - application/json
150
+ * consumes:
151
+ * - application/x-www-form-urlencoded
152
+ * - application/json
153
+ * parameters:
154
+ * - $ref: '#/parameters/nameParamPost'
155
+ * - $ref: '#/parameters/descriptionParamPost'
156
+ * - $ref: '#/parameters/encodedRawMetadataParamPost'
157
+ * - $ref: '#/parameters/rawMetadataParamPost'
158
+ * - $ref: '#/parameters/defaultRedirectUrlParamPost'
159
+ * - $ref: '#/parameters/redirectUrlParamPost'
160
+ * - $ref: '#/parameters/tenantParamPost'
161
+ * - $ref: '#/parameters/productParamPost'
162
+ * responses:
163
+ * 200:
164
+ * description: Success
165
+ * schema:
166
+ * $ref: '#/definitions/Connection'
167
+ * 400:
168
+ * $ref: '#/definitions/validationErrorsPost'
169
+ * 401:
170
+ * description: Unauthorized
171
+ * /api/v1/connections:
172
+ * post:
173
+ * summary: Create SSO connection
174
+ * operationId: create-sso-connection
175
+ * tags: [Connections]
103
176
  * produces:
104
- * - application/json
177
+ * - application/json
105
178
  * consumes:
106
- * - application/x-www-form-urlencoded
179
+ * - application/x-www-form-urlencoded
180
+ * - application/json
107
181
  * parameters:
108
- * - name: name
109
- * description: Name/identifier for the config
110
- * type: string
111
- * in: formData
112
- * - name: description
113
- * description: A short description for the config not more than 100 characters
114
- * type: string
115
- * in: formData
116
- * - name: encodedRawMetadata
117
- * description: Base64 encoding of the XML metadata
118
- * in: formData
119
- * type: string
120
- * - name: rawMetadata
121
- * description: Raw XML metadata
122
- * in: formData
123
- * type: string
124
- * - name: defaultRedirectUrl
125
- * description: The redirect URL to use in the IdP login flow
126
- * in: formData
127
- * required: true
128
- * type: string
129
- * - name: redirectUrl
130
- * description: JSON encoded array containing a list of allowed redirect URLs
131
- * in: formData
132
- * required: true
133
- * type: string
134
- * - name: tenant
135
- * description: Tenant
136
- * in: formData
137
- * required: true
138
- * type: string
139
- * - name: product
140
- * description: Product
141
- * in: formData
142
- * required: true
143
- * type: string
182
+ * - $ref: '#/parameters/nameParamPost'
183
+ * - $ref: '#/parameters/descriptionParamPost'
184
+ * - $ref: '#/parameters/encodedRawMetadataParamPost'
185
+ * - $ref: '#/parameters/rawMetadataParamPost'
186
+ * - $ref: '#/parameters/defaultRedirectUrlParamPost'
187
+ * - $ref: '#/parameters/redirectUrlParamPost'
188
+ * - $ref: '#/parameters/tenantParamPost'
189
+ * - $ref: '#/parameters/productParamPost'
190
+ * - $ref: '#/parameters/oidcDiscoveryUrlPost'
191
+ * - $ref: '#/parameters/oidcClientIdPost'
192
+ * - $ref: '#/parameters/oidcClientSecretPost'
144
193
  * responses:
145
194
  * 200:
146
195
  * description: Success
147
196
  * schema:
148
- * type: object
149
- * example:
150
- * {
151
- * "idpMetadata": {
152
- * "sso": {
153
- * "postUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml",
154
- * "redirectUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml"
155
- * },
156
- * "entityID": "http://www.okta.com/xxxxxxxxxxxxx",
157
- * "thumbprint": "Eo+eUi3UM3XIMkFFtdVK3yJ5vO9f7YZdasdasdad",
158
- * "loginType": "idp",
159
- * "provider": "okta.com"
160
- * },
161
- * "defaultRedirectUrl": "https://hoppscotch.io/",
162
- * "redirectUrl": ["https://hoppscotch.io/"],
163
- * "tenant": "hoppscotch.io",
164
- * "product": "API Engine",
165
- * "name": "Hoppscotch-SP",
166
- * "description": "SP for hoppscotch.io",
167
- * "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
168
- * "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
169
- * "certs": {
170
- * "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
171
- * "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
172
- * }
173
- * }
197
+ * $ref: '#/definitions/Connection'
174
198
  * 400:
175
- * description: Please provide rawMetadata or encodedRawMetadata | Please provide a defaultRedirectUrl | Please provide redirectUrl | Please provide tenant | Please provide product | Please provide a friendly name | Description should not exceed 100 characters
199
+ * $ref: '#/definitions/validationErrorsPost'
176
200
  * 401:
177
201
  * description: Unauthorized
178
202
  */
179
- config(body) {
203
+ createSAMLConnection(body) {
180
204
  return __awaiter(this, void 0, void 0, function* () {
181
- const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, name, description, } = body;
182
- const forceAuthn = body.forceAuthn == 'true' || body.forceAuthn == true;
183
- metrics.increment('createConfig');
184
- this._validateIdPConfig(body);
185
- const redirectUrlList = extractRedirectUrls(redirectUrl);
186
- this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
187
- let metaData = rawMetadata;
188
- if (encodedRawMetadata) {
189
- metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
190
- }
191
- const idpMetadata = yield saml20_1.default.parseMetadata(metaData, {});
192
- // extract provider
193
- let providerName = extractHostName(idpMetadata.entityID);
194
- if (!providerName) {
195
- providerName = extractHostName(idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl);
196
- }
197
- idpMetadata.provider = providerName ? providerName : 'Unknown';
198
- const clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, idpMetadata.entityID));
199
- let clientSecret;
200
- const exists = yield this.configStore.get(clientID);
201
- if (exists) {
202
- clientSecret = exists.clientSecret;
203
- }
204
- else {
205
- clientSecret = crypto_1.default.randomBytes(24).toString('hex');
206
- }
207
- const certs = yield x509_1.default.generate();
208
- if (!certs) {
209
- throw new Error('Error generating x509 certs');
210
- }
211
- const record = {
212
- idpMetadata,
213
- defaultRedirectUrl,
214
- redirectUrl: redirectUrlList,
215
- tenant,
216
- product,
217
- name,
218
- description,
219
- clientID,
220
- clientSecret,
221
- certs,
222
- forceAuthn,
223
- };
224
- yield this.configStore.put(clientID, record, {
225
- // secondary index on entityID
226
- name: utils_1.IndexNames.EntityID,
227
- value: idpMetadata.entityID,
228
- }, {
229
- // secondary index on tenant + product
230
- name: utils_1.IndexNames.TenantProduct,
231
- value: dbutils.keyFromParts(tenant, product),
232
- });
205
+ metrics.increment('createConnection');
206
+ const record = yield saml_1.default.create(body, this.connectionStore);
207
+ return record;
208
+ });
209
+ }
210
+ // For backwards compatibility
211
+ config(...args) {
212
+ return __awaiter(this, void 0, void 0, function* () {
213
+ return this.createSAMLConnection(...args);
214
+ });
215
+ }
216
+ createOIDCConnection(body) {
217
+ return __awaiter(this, void 0, void 0, function* () {
218
+ metrics.increment('createConnection');
219
+ const record = yield oidc_1.default.create(body, this.connectionStore);
233
220
  return record;
234
221
  });
235
222
  }
236
223
  /**
237
224
  * @swagger
238
- *
225
+ * definitions:
226
+ * validationErrorsPatch:
227
+ * description: Please provide clientID | Please provide clientSecret | clientSecret mismatch | Tenant/Product config mismatch with IdP metadata | Description should not exceed 100 characters| redirectUrl is invalid | Exceeded maximum number of allowed redirect urls | defaultRedirectUrl is invalid | Tenant/Product config mismatch with OIDC Provider metadata
228
+ * parameters:
229
+ * clientIDParamPatch:
230
+ * name: clientID
231
+ * description: Client ID for the connection
232
+ * type: string
233
+ * in: formData
234
+ * required: true
235
+ * clientSecretParamPatch:
236
+ * name: clientSecret
237
+ * description: Client Secret for the connection
238
+ * type: string
239
+ * in: formData
240
+ * required: true
241
+ * nameParamPatch:
242
+ * name: name
243
+ * description: Name/identifier for the connection
244
+ * type: string
245
+ * in: formData
246
+ * descriptionParamPatch:
247
+ * name: description
248
+ * description: A short description for the connection not more than 100 characters
249
+ * type: string
250
+ * in: formData
251
+ * encodedRawMetadataParamPatch:
252
+ * name: encodedRawMetadata
253
+ * description: Base64 encoding of the XML metadata
254
+ * in: formData
255
+ * type: string
256
+ * rawMetadataParamPatch:
257
+ * name: rawMetadata
258
+ * description: Raw XML metadata
259
+ * in: formData
260
+ * type: string
261
+ * oidcDiscoveryUrlPatch:
262
+ * name: oidcDiscoveryUrl
263
+ * description: well-known URL where the OpenID Provider configuration is exposed
264
+ * in: formData
265
+ * type: string
266
+ * oidcClientIdPatch:
267
+ * name: oidcClientId
268
+ * description: clientId of the application set up on the OpenID Provider
269
+ * in: formData
270
+ * type: string
271
+ * oidcClientSecretPatch:
272
+ * name: oidcClientSecret
273
+ * description: clientSecret of the application set up on the OpenID Provider
274
+ * in: formData
275
+ * type: string
276
+ * defaultRedirectUrlParamPatch:
277
+ * name: defaultRedirectUrl
278
+ * description: The redirect URL to use in the IdP login flow
279
+ * in: formData
280
+ * type: string
281
+ * redirectUrlParamPatch:
282
+ * name: redirectUrl
283
+ * description: JSON encoded array containing a list of allowed redirect URLs
284
+ * in: formData
285
+ * type: string
286
+ * tenantParamPatch:
287
+ * name: tenant
288
+ * description: Tenant
289
+ * in: formData
290
+ * required: true
291
+ * type: string
292
+ * productParamPatch:
293
+ * name: product
294
+ * description: Product
295
+ * in: formData
296
+ * required: true
297
+ * type: string
239
298
  * /api/v1/saml/config:
240
299
  * patch:
241
- * summary: Update SAML configuration
300
+ * summary: Update SAML Config
242
301
  * operationId: update-saml-config
243
- * tags: [SAML Config]
302
+ * tags: [SAML Config - Deprecated]
303
+ * deprecated: true
304
+ * consumes:
305
+ * - application/json
306
+ * - application/x-www-form-urlencoded
307
+ * parameters:
308
+ * - $ref: '#/parameters/clientIDParamPatch'
309
+ * - $ref: '#/parameters/clientSecretParamPatch'
310
+ * - $ref: '#/parameters/nameParamPatch'
311
+ * - $ref: '#/parameters/descriptionParamPatch'
312
+ * - $ref: '#/parameters/encodedRawMetadataParamPatch'
313
+ * - $ref: '#/parameters/rawMetadataParamPatch'
314
+ * - $ref: '#/parameters/defaultRedirectUrlParamPatch'
315
+ * - $ref: '#/parameters/redirectUrlParamPatch'
316
+ * - $ref: '#/parameters/tenantParamPatch'
317
+ * - $ref: '#/parameters/productParamPatch'
318
+ * responses:
319
+ * 204:
320
+ * description: Success
321
+ * 400:
322
+ * $ref: '#/definitions/validationErrorsPatch'
323
+ * 401:
324
+ * description: Unauthorized
325
+ * /api/v1/connections:
326
+ * patch:
327
+ * summary: Update SSO Connection
328
+ * operationId: update-sso-connection
329
+ * tags: [Connections]
244
330
  * consumes:
245
331
  * - application/json
246
332
  * - application/x-www-form-urlencoded
247
333
  * parameters:
248
- * - name: clientID
249
- * description: Client ID for the config
250
- * type: string
251
- * in: formData
252
- * required: true
253
- * - name: clientSecret
254
- * description: Client Secret for the config
255
- * type: string
256
- * in: formData
257
- * required: true
258
- * - name: name
259
- * description: Name/identifier for the config
260
- * type: string
261
- * in: formData
262
- * - name: description
263
- * description: A short description for the config not more than 100 characters
264
- * type: string
265
- * in: formData
266
- * - name: encodedRawMetadata
267
- * description: Base64 encoding of the XML metadata
268
- * in: formData
269
- * type: string
270
- * - name: rawMetadata
271
- * description: Raw XML metadata
272
- * in: formData
273
- * type: string
274
- * - name: defaultRedirectUrl
275
- * description: The redirect URL to use in the IdP login flow
276
- * in: formData
277
- * required: true
278
- * type: string
279
- * - name: redirectUrl
280
- * description: JSON encoded array containing a list of allowed redirect URLs
281
- * in: formData
282
- * required: true
283
- * type: string
284
- * - name: tenant
285
- * description: Tenant
286
- * in: formData
287
- * required: true
288
- * type: string
289
- * - name: product
290
- * description: Product
291
- * in: formData
292
- * required: true
293
- * type: string
334
+ * - $ref: '#/parameters/clientIDParamPatch'
335
+ * - $ref: '#/parameters/clientSecretParamPatch'
336
+ * - $ref: '#/parameters/nameParamPatch'
337
+ * - $ref: '#/parameters/descriptionParamPatch'
338
+ * - $ref: '#/parameters/encodedRawMetadataParamPatch'
339
+ * - $ref: '#/parameters/rawMetadataParamPatch'
340
+ * - $ref: '#/parameters/oidcDiscoveryUrlPatch'
341
+ * - $ref: '#/parameters/oidcClientIdPatch'
342
+ * - $ref: '#/parameters/oidcClientSecretPatch'
343
+ * - $ref: '#/parameters/defaultRedirectUrlParamPatch'
344
+ * - $ref: '#/parameters/redirectUrlParamPatch'
345
+ * - $ref: '#/parameters/tenantParamPatch'
346
+ * - $ref: '#/parameters/productParamPatch'
294
347
  * responses:
295
348
  * 204:
296
349
  * description: Success
297
350
  * 400:
298
- * description: Please provide clientID | Please provide clientSecret | clientSecret mismatch | Tenant/Product config mismatch with IdP metadata | Description should not exceed 100 characters
351
+ * $ref: '#/definitions/validationErrorsPatch'
299
352
  * 401:
300
353
  * description: Unauthorized
301
354
  */
302
- updateConfig(body) {
355
+ updateSAMLConnection(body) {
303
356
  return __awaiter(this, void 0, void 0, function* () {
304
- const { encodedRawMetadata, // could be empty
305
- rawMetadata, // could be empty
306
- defaultRedirectUrl, redirectUrl, name, description, forceAuthn = false } = body, clientInfo = __rest(body, ["encodedRawMetadata", "rawMetadata", "defaultRedirectUrl", "redirectUrl", "name", "description", "forceAuthn"]);
307
- if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
308
- throw new error_1.JacksonError('Please provide clientID', 400);
309
- }
310
- if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
311
- throw new error_1.JacksonError('Please provide clientSecret', 400);
312
- }
313
- if (description && description.length > 100) {
314
- throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
315
- }
316
- const redirectUrlList = redirectUrl ? extractRedirectUrls(redirectUrl) : null;
317
- this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
318
- const _currentConfig = yield this.getConfig(clientInfo);
319
- if (_currentConfig.clientSecret !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
320
- throw new error_1.JacksonError('clientSecret mismatch', 400);
321
- }
322
- let metaData = rawMetadata;
323
- if (encodedRawMetadata) {
324
- metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
325
- }
326
- let newMetadata;
327
- if (metaData) {
328
- newMetadata = yield saml20_1.default.parseMetadata(metaData, {});
329
- // extract provider
330
- let providerName = extractHostName(newMetadata.entityID);
331
- if (!providerName) {
332
- providerName = extractHostName(newMetadata.sso.redirectUrl || newMetadata.sso.postUrl);
357
+ yield saml_1.default.update(body, this.connectionStore, this.getConnections.bind(this));
358
+ });
359
+ }
360
+ // For backwards compatibility
361
+ updateConfig(...args) {
362
+ return __awaiter(this, void 0, void 0, function* () {
363
+ yield this.updateSAMLConnection(...args);
364
+ });
365
+ }
366
+ updateOIDCConnection(body) {
367
+ return __awaiter(this, void 0, void 0, function* () {
368
+ yield oidc_1.default.update(body, this.connectionStore, this.getConnections.bind(this));
369
+ });
370
+ }
371
+ /**
372
+ * @swagger
373
+ * parameters:
374
+ * tenantParamGet:
375
+ * in: query
376
+ * name: tenant
377
+ * type: string
378
+ * description: Tenant
379
+ * productParamGet:
380
+ * in: query
381
+ * name: product
382
+ * type: string
383
+ * description: Product
384
+ * clientIDParamGet:
385
+ * in: query
386
+ * name: clientID
387
+ * type: string
388
+ * description: Client ID
389
+ * definitions:
390
+ * Connection:
391
+ * type: object
392
+ * properties:
393
+ * clientID:
394
+ * type: string
395
+ * description: Connection clientID
396
+ * clientSecret:
397
+ * type: string
398
+ * description: Connection clientSecret
399
+ * name:
400
+ * type: string
401
+ * description: Connection name
402
+ * description:
403
+ * type: string
404
+ * description: Connection description
405
+ * redirectUrl:
406
+ * type: string
407
+ * description: A list of allowed redirect URLs
408
+ * defaultRedirectUrl:
409
+ * type: string
410
+ * description: The redirect URL to use in the IdP login flow
411
+ * tenant:
412
+ * type: string
413
+ * description: Connection tenant
414
+ * product:
415
+ * type: string
416
+ * description: Connection product
417
+ * idpMetadata:
418
+ * type: object
419
+ * description: SAML IdP metadata
420
+ * certs:
421
+ * type: object
422
+ * description: Certs generated for SAML connection
423
+ * oidcProvider:
424
+ * type: object
425
+ * description: OIDC IdP metadata
426
+ * responses:
427
+ * '200Get':
428
+ * description: Success
429
+ * schema:
430
+ * type: array
431
+ * items:
432
+ * $ref: '#/definitions/Connection'
433
+ * '400Get':
434
+ * description: Please provide `clientID` or `tenant` and `product`.
435
+ * '401Get':
436
+ * description: Unauthorized
437
+ * /api/v1/connections:
438
+ * get:
439
+ * summary: Get SSO Connections
440
+ * parameters:
441
+ * - $ref: '#/parameters/tenantParamGet'
442
+ * - $ref: '#/parameters/productParamGet'
443
+ * - $ref: '#/parameters/clientIDParamGet'
444
+ * operationId: get-connections
445
+ * tags: [Connections]
446
+ * responses:
447
+ * '200':
448
+ * $ref: '#/responses/200Get'
449
+ * '400':
450
+ * $ref: '#/responses/400Get'
451
+ * '401':
452
+ * $ref: '#/responses/401Get'
453
+ */
454
+ getConnections(body) {
455
+ return __awaiter(this, void 0, void 0, function* () {
456
+ const clientID = 'clientID' in body ? body.clientID : undefined;
457
+ const tenant = 'tenant' in body ? body.tenant : undefined;
458
+ const product = 'product' in body ? body.product : undefined;
459
+ const strategy = 'strategy' in body ? body.strategy : undefined;
460
+ metrics.increment('getConnections');
461
+ if (clientID) {
462
+ const connection = yield this.connectionStore.get(clientID);
463
+ if (!connection || typeof connection !== 'object') {
464
+ return [];
333
465
  }
334
- newMetadata.provider = providerName ? providerName : 'Unknown';
466
+ return [connection];
335
467
  }
336
- if (newMetadata) {
337
- // check if clientID matches with new metadata payload
338
- const clientID = dbutils.keyDigest(dbutils.keyFromParts(clientInfo.tenant, clientInfo.product, newMetadata.entityID));
339
- if (clientID !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
340
- throw new error_1.JacksonError('Tenant/Product config mismatch with IdP metadata', 400);
468
+ if (tenant && product) {
469
+ const connections = yield this.connectionStore.getByIndex({
470
+ name: utils_1.IndexNames.TenantProduct,
471
+ value: dbutils.keyFromParts(tenant, product),
472
+ });
473
+ if (!connections || !connections.length) {
474
+ return [];
475
+ }
476
+ // filter if strategy is passed
477
+ const filteredConnections = strategy
478
+ ? connections.filter((connection) => {
479
+ if (strategy === 'saml') {
480
+ if (connection.idpMetadata) {
481
+ return true;
482
+ }
483
+ }
484
+ if (strategy === 'oidc') {
485
+ if (connection.oidcProvider) {
486
+ return true;
487
+ }
488
+ }
489
+ return false;
490
+ })
491
+ : connections;
492
+ if (!filteredConnections.length) {
493
+ return [];
341
494
  }
495
+ return filteredConnections;
342
496
  }
343
- const record = Object.assign(Object.assign({}, _currentConfig), { name: name ? name : _currentConfig.name, description: description ? description : _currentConfig.description, idpMetadata: newMetadata ? newMetadata : _currentConfig.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _currentConfig.defaultRedirectUrl, redirectUrl: redirectUrlList ? redirectUrlList : _currentConfig.redirectUrl, forceAuthn });
344
- yield this.configStore.put(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID, record, {
345
- // secondary index on entityID
346
- name: utils_1.IndexNames.EntityID,
347
- value: _currentConfig.idpMetadata.entityID,
348
- }, {
349
- // secondary index on tenant + product
350
- name: utils_1.IndexNames.TenantProduct,
351
- value: dbutils.keyFromParts(_currentConfig.tenant, _currentConfig.product),
352
- });
497
+ throw new error_1.JacksonError('Please provide `clientID` or `tenant` and `product`.', 400);
353
498
  });
354
499
  }
355
500
  /**
356
501
  * @swagger
357
- *
358
502
  * /api/v1/saml/config:
359
503
  * get:
360
- * summary: Get SAML configuration
504
+ * summary: Get SAML Config
361
505
  * operationId: get-saml-config
362
- * tags:
363
- * - SAML Config
506
+ * tags: [SAML Config - Deprecated]
507
+ * deprecated: true
364
508
  * parameters:
365
- * - in: query
366
- * name: tenant
367
- * type: string
368
- * description: Tenant
369
- * - in: query
370
- * name: product
371
- * type: string
372
- * description: Product
373
- * - in: query
374
- * name: clientID
375
- * type: string
376
- * description: Client ID
509
+ * - $ref: '#/parameters/tenantParamGet'
510
+ * - $ref: '#/parameters/productParamGet'
511
+ * - $ref: '#/parameters/clientIDParamGet'
377
512
  * responses:
378
- * '200':
513
+ * '200':
379
514
  * description: Success
380
515
  * schema:
381
516
  * type: object
382
517
  * example:
383
518
  * {
384
- * "idpMetadata": {
385
- * "sso": {
386
- * "postUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml",
387
- * "redirectUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml"
388
- * },
389
- * "entityID": "http://www.okta.com/xxxxxxxxxxxxx",
390
- * "thumbprint": "Eo+eUi3UM3XIMkFFtdVK3yJ5vO9f7YZdasdasdad",
391
- * "loginType": "idp",
392
- * "provider": "okta.com"
393
- * },
394
- * "defaultRedirectUrl": "https://hoppscotch.io/",
395
- * "redirectUrl": ["https://hoppscotch.io/"],
396
- * "tenant": "hoppscotch.io",
397
- * "product": "API Engine",
398
- * "name": "Hoppscotch-SP",
399
- * "description": "SP for hoppscotch.io",
400
- * "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
401
- * "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
402
- * "certs": {
403
- * "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
404
- * "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
405
- * }
406
- * }
407
- * '400':
408
- * description: Please provide `clientID` or `tenant` and `product`.
409
- * '401':
410
- * description: Unauthorized
519
+ * "idpMetadata": {
520
+ * "sso": {
521
+ * "postUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml",
522
+ * "redirectUrl": "https://dev-20901260.okta.com/app/dev-20901260_jacksonnext_1/xxxxxxxxxxxxx/sso/saml"
523
+ * },
524
+ * "entityID": "http://www.okta.com/xxxxxxxxxxxxx",
525
+ * "thumbprint": "Eo+eUi3UM3XIMkFFtdVK3yJ5vO9f7YZdasdasdad",
526
+ * "loginType": "idp",
527
+ * "provider": "okta.com"
528
+ * },
529
+ * "defaultRedirectUrl": "https://hoppscotch.io/",
530
+ * "redirectUrl": ["https://hoppscotch.io/"],
531
+ * "tenant": "hoppscotch.io",
532
+ * "product": "API Engine",
533
+ * "name": "Hoppscotch-SP",
534
+ * "description": "SP for hoppscotch.io",
535
+ * "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
536
+ * "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
537
+ * "certs": {
538
+ * "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
539
+ * "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
540
+ * }
541
+ * }
542
+ * '400':
543
+ * $ref: '#/responses/400Get'
544
+ * '401':
545
+ * $ref: '#/responses/401Get'
411
546
  */
412
547
  getConfig(body) {
413
548
  return __awaiter(this, void 0, void 0, function* () {
414
- const { clientID, tenant, product } = body;
415
- metrics.increment('getConfig');
549
+ const clientID = 'clientID' in body ? body.clientID : undefined;
550
+ const tenant = 'tenant' in body ? body.tenant : undefined;
551
+ const product = 'product' in body ? body.product : undefined;
552
+ metrics.increment('getConnections');
416
553
  if (clientID) {
417
- const samlConfig = yield this.configStore.get(clientID);
554
+ const samlConfig = yield this.connectionStore.get(clientID);
418
555
  return samlConfig || {};
419
556
  }
420
557
  if (tenant && product) {
421
- const samlConfigs = yield this.configStore.getByIndex({
558
+ const samlConfigs = yield this.connectionStore.getByIndex({
422
559
  name: utils_1.IndexNames.TenantProduct,
423
560
  value: dbutils.keyFromParts(tenant, product),
424
561
  });
@@ -432,52 +569,90 @@ class APIController {
432
569
  }
433
570
  /**
434
571
  * @swagger
572
+ * parameters:
573
+ * clientIDDel:
574
+ * name: clientID
575
+ * in: formData
576
+ * type: string
577
+ * description: Client ID
578
+ * clientSecretDel:
579
+ * name: clientSecret
580
+ * in: formData
581
+ * type: string
582
+ * description: Client Secret
583
+ * tenantDel:
584
+ * name: tenant
585
+ * in: formData
586
+ * type: string
587
+ * description: Tenant
588
+ * productDel:
589
+ * name: product
590
+ * in: formData
591
+ * type: string
592
+ * description: Product
593
+ * strategyDel:
594
+ * name: strategy
595
+ * in: formData
596
+ * type: string
597
+ * description: Strategy
598
+ * /api/v1/connections:
599
+ * delete:
600
+ * parameters:
601
+ * - $ref: '#/parameters/clientIDDel'
602
+ * - $ref: '#/parameters/clientSecretDel'
603
+ * - $ref: '#/parameters/tenantDel'
604
+ * - $ref: '#/parameters/productDel'
605
+ * - $ref: '#/parameters/strategyDel'
606
+ * summary: Delete SSO Connections
607
+ * operationId: delete-sso-connection
608
+ * tags: [Connections]
609
+ * consumes:
610
+ * - application/x-www-form-urlencoded
611
+ * - application/json
612
+ * responses:
613
+ * '200':
614
+ * description: Success
615
+ * '400':
616
+ * description: clientSecret mismatch | Please provide `clientID` and `clientSecret` or `tenant` and `product`.
617
+ * '401':
618
+ * description: Unauthorized
435
619
  * /api/v1/saml/config:
436
620
  * delete:
437
- * summary: Delete SAML configuration
621
+ * summary: Delete SAML Config
438
622
  * operationId: delete-saml-config
439
- * tags:
440
- * - SAML Config
623
+ * tags: [SAML Config - Deprecated]
624
+ * deprecated: true
441
625
  * consumes:
442
626
  * - application/x-www-form-urlencoded
627
+ * - application/json
443
628
  * parameters:
444
- * - name: clientID
445
- * in: formData
446
- * type: string
447
- * required: true
448
- * description: Client ID
449
- * - name: clientSecret
450
- * in: formData
451
- * type: string
452
- * required: true
453
- * description: Client Secret
454
- * - name: tenant
455
- * in: formData
456
- * type: string
457
- * description: Tenant
458
- * - name: product
459
- * in: formData
460
- * type: string
461
- * description: Product
629
+ * - $ref: '#/parameters/clientIDDel'
630
+ * - $ref: '#/parameters/clientSecretDel'
631
+ * - $ref: '#/parameters/tenantDel'
632
+ * - $ref: '#/parameters/productDel'
462
633
  * responses:
463
634
  * '200':
464
635
  * description: Success
465
636
  * '400':
466
- * description: clientSecret mismatch | Please provide `clientID` and `clientSecret` or `tenant` and `product`.'
637
+ * description: clientSecret mismatch | Please provide `clientID` and `clientSecret` or `tenant` and `product`.
467
638
  * '401':
468
639
  * description: Unauthorized
469
640
  */
470
- deleteConfig(body) {
641
+ deleteConnections(body) {
471
642
  return __awaiter(this, void 0, void 0, function* () {
472
- const { clientID, clientSecret, tenant, product } = body;
473
- metrics.increment('deleteConfig');
643
+ const clientID = 'clientID' in body ? body.clientID : undefined;
644
+ const clientSecret = 'clientSecret' in body ? body.clientSecret : undefined;
645
+ const tenant = 'tenant' in body ? body.tenant : undefined;
646
+ const product = 'product' in body ? body.product : undefined;
647
+ const strategy = 'strategy' in body ? body.strategy : undefined;
648
+ metrics.increment('deleteConnections');
474
649
  if (clientID && clientSecret) {
475
- const samlConfig = yield this.configStore.get(clientID);
476
- if (!samlConfig) {
650
+ const connection = yield this.connectionStore.get(clientID);
651
+ if (!connection) {
477
652
  return;
478
653
  }
479
- if (samlConfig.clientSecret === clientSecret) {
480
- yield this.configStore.delete(clientID);
654
+ if (connection.clientSecret === clientSecret) {
655
+ yield this.connectionStore.delete(clientID);
481
656
  }
482
657
  else {
483
658
  throw new error_1.JacksonError('clientSecret mismatch', 400);
@@ -485,47 +660,41 @@ class APIController {
485
660
  return;
486
661
  }
487
662
  if (tenant && product) {
488
- const samlConfigs = yield this.configStore.getByIndex({
663
+ const connections = yield this.connectionStore.getByIndex({
489
664
  name: utils_1.IndexNames.TenantProduct,
490
665
  value: dbutils.keyFromParts(tenant, product),
491
666
  });
492
- if (!samlConfigs || !samlConfigs.length) {
667
+ if (!connections || !connections.length) {
493
668
  return;
494
669
  }
495
- for (const conf of samlConfigs) {
496
- yield this.configStore.delete(conf.clientID);
670
+ // filter if strategy is passed
671
+ const filteredConnections = strategy
672
+ ? connections.filter((connection) => {
673
+ if (strategy === 'saml') {
674
+ if (connection.idpMetadata) {
675
+ return true;
676
+ }
677
+ }
678
+ if (strategy === 'oidc') {
679
+ if (connection.oidcProvider) {
680
+ return true;
681
+ }
682
+ }
683
+ return false;
684
+ })
685
+ : connections;
686
+ for (const conf of filteredConnections) {
687
+ yield this.connectionStore.delete(conf.clientID);
497
688
  }
498
689
  return;
499
690
  }
500
691
  throw new error_1.JacksonError('Please provide `clientID` and `clientSecret` or `tenant` and `product`.', 400);
501
692
  });
502
693
  }
503
- }
504
- exports.APIController = APIController;
505
- const extractHostName = (url) => {
506
- try {
507
- const pUrl = new URL(url);
508
- if (pUrl.hostname.startsWith('www.')) {
509
- return pUrl.hostname.substring(4);
510
- }
511
- return pUrl.hostname;
512
- }
513
- catch (err) {
514
- return null;
515
- }
516
- };
517
- const extractRedirectUrls = (urls) => {
518
- if (!urls) {
519
- return [];
520
- }
521
- if (typeof urls === 'string') {
522
- if (urls.startsWith('[')) {
523
- // redirectUrl is a stringified array
524
- return JSON.parse(urls);
525
- }
526
- // redirectUrl is a single URL
527
- return [urls];
694
+ deleteConfig(body) {
695
+ return __awaiter(this, void 0, void 0, function* () {
696
+ yield this.deleteConnections(Object.assign(Object.assign({}, body), { strategy: 'saml' }));
697
+ });
528
698
  }
529
- // redirectUrl is an array of URLs
530
- return urls;
531
- };
699
+ }
700
+ exports.ConnectionAPIController = ConnectionAPIController;