@lateos/npm-scan 0.4.1 → 0.6.0

package/api/routers/sso.py

@@ -0,0 +1,385 @@
+"""SSO / SAML 2.0 endpoints for npm-scan enterprise tier.
+
+Endpoints:
+  GET  /sso/metadata    — SP metadata XML for IdP registration
+  GET  /sso/login       — SP-initiated SSO redirect
+  POST /sso/acs         — Assertion Consumer Service (IdP POSTs here)
+  POST /sso/slo         — Single Logout
+  GET  /sso/session     — Check current SAML session status
+  POST /sso/provision   — Auto-provision user from SAML attributes
+"""
+
+import os
+import uuid
+import json
+import logging
+from datetime import datetime, timezone
+from typing import Optional
+from urllib.parse import urlencode
+
+from fastapi import APIRouter, Request, Response, HTTPException, Depends
+from fastapi.responses import RedirectResponse, HTMLResponse
+from pydantic import BaseModel
+
+from ..deps import UserSession, create_access_token, create_refresh_token, get_current_user, require_feature
+from ..saml import get_saml_config, SAMLConfig
+
+logger = logging.getLogger("npm-scan.sso")
+
+router = APIRouter(prefix="/sso", tags=["sso"])
+
+# In-memory SAML session store (PostgreSQL in production)
+_saml_sessions: dict[str, dict] = {}
+
+# User provisioning store (PostgreSQL in production)
+_provisioned_users: dict[str, UserSession] = {}
+
+
+def _build_auth_request(config: SAMLConfig) -> tuple[str, str]:
+    """Build SAML AuthnRequest and return (redirect_url, request_id)."""
+    import base64
+    from xml.etree import ElementTree as ET
+
+    request_id = "_" + uuid.uuid4().hex
+    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    authn = ET.Element(
+        "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest",
+        attrib={
+            "ID": request_id,
+            "Version": "2.0",
+            "IssueInstant": now,
+            "Destination": config.idp_sso_url,
+            "AssertionConsumerServiceURL": config.acs_url,
+            "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+            "ForceAuthn": "false",
+            "IsPassive": "false",
+        },
+    )
+    issuer = ET.SubElement(
+        authn,
+        "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer",
+    )
+    issuer.text = config.entity_id
+
+    nameid = ET.SubElement(
+        authn,
+        "{urn:oasis:names:tc:SAML:2.0:protocol}NameIDPolicy",
+        attrib={
+            "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+            "AllowCreate": "true",
+        },
+    )
+
+    raw = ET.tostring(authn, encoding="unicode")
+    encoded = base64.b64encode(raw.encode()).decode()
+
+    params = urlencode({"SAMLRequest": encoded})
+    redirect_url = f"{config.idp_sso_url}?{params}"
+    return redirect_url, request_id
+
+
+def _parse_saml_response(saml_response: str, config: SAMLConfig) -> dict:
+    """Parse and validate a SAML Response.
+    
+    In production this uses python3-saml for full XML sig validation.
+    For the skeleton, we extract attributes from the base64-decoded XML.
+    """
+    import base64
+    from xml.etree import ElementTree as ET
+
+    try:
+        decoded = base64.b64decode(saml_response)
+        root = ET.fromstring(decoded)
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=f"Invalid SAML response: {e}")
+
+    ns = {
+        "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
+        "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
+    }
+
+    # Extract attributes from the SAML assertion
+    attrs = {}
+    for attr_stmt in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement"):
+        for attr in attr_stmt.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
+            name = attr.get("Name", "")
+            values = [v.text or "" for v in attr.iter("{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue")]
+            attrs[name] = values[0] if len(values) == 1 else values
+
+    # Extract NameID
+    name_id = None
+    for subject in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Subject"):
+        for nid in subject.iter("{urn:oasis:names:tc:SAML:2.0:assertion}NameID"):
+            name_id = nid.text
+            break
+
+    return {
+        "name_id": name_id,
+        "attributes": attrs,
+        "issuer": root.findtext(".//saml2:Issuer", "", ns),
+        "session_index": root.findtext(".//saml2:AuthnStatement/@SessionIndex", ""),
+    }
+
+
+def _provision_user(assertion_data: dict, config: SAMLConfig) -> UserSession:
+    """Create or update a user from SAML attributes.
+    
+    In production this upserts into PostgreSQL. For the skeleton,
+    we maintain an in-memory store.
+    """
+    mapping = config.attribute_mapping
+    attrs = assertion_data.get("attributes", {})
+    raw_name_id = assertion_data.get("name_id", "")
+
+    email = (
+        attrs.get(mapping.get("email", "email"))
+        or attrs.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
+        or raw_name_id
+        or ""
+    )
+    display_name = (
+        attrs.get(mapping.get("name", "displayName"))
+        or attrs.get("http://schemas.microsoft.com/identity/claims/displayname")
+        or email.split("@")[0]
+        or "SAML User"
+    )
+    groups = attrs.get(mapping.get("groups", "groups"), [])
+    if isinstance(groups, str):
+        groups = [groups]
+
+    # Determine role from groups or admin domains
+    role = config.default_role
+    if isinstance(groups, list):
+        group_str = " ".join(groups).lower()
+        if "admin" in group_str:
+            role = "admin"
+        elif "editor" in group_str:
+            role = "editor"
+    if config.admin_domains:
+        email_domain = email.split("@")[-1] if "@" in email else ""
+        if email_domain in config.admin_domains:
+            role = "admin"
+
+    user_id = str(uuid.uuid4())
+    if raw_name_id:
+        _provisioned_users[raw_name_id] = UserSession(
+            user_id=user_id,
+            email=email,
+            name=display_name,
+            role=role,
+            auth_method="saml",
+            idp=assertion_data.get("issuer", "unknown"),
+        )
+
+    return _provisioned_users.get(raw_name_id, UserSession(
+        user_id=user_id,
+        email=email,
+        name=display_name,
+        role=role,
+        auth_method="saml",
+    ))
+
+
+@router.get("/metadata")
+async def saml_metadata():
+    """Generate SAML 2.0 SP metadata XML for IdP registration."""
+    config = get_saml_config()
+    if not config.is_configured():
+        return HTMLResponse(
+            content="<h1>SAML Not Configured</h1><p>Set SAML_IDP_SSO_URL and SAML_IDP_ENTITY_ID environment variables.</p>",
+            status_code=200,
+        )
+
+    from xml.etree import ElementTree as ET
+
+    root = ET.Element(
+        "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor",
+        attrib={
+            "entityID": config.entity_id,
+            "xmlns:md": "urn:oasis:names:tc:SAML:2.0:metadata",
+            "xmlns:ds": "http://www.w3.org/2000/09/xmldsig#",
+        },
+    )
+
+    sp_sso = ET.SubElement(
+        root,
+        "{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor",
+        attrib={
+            "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
+            "AuthnRequestsSigned": "true",
+            "WantAssertionsSigned": str(config.want_assertions_signed).lower(),
+        },
+    )
+
+    # Key descriptor (if SP cert is configured)
+    if config.sp_x509_cert:
+        key_desc = ET.SubElement(
+            sp_sso,
+            "{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor",
+            attrib={"use": "signing"},
+        )
+        key_info = ET.SubElement(
+            key_desc,
+            "{http://www.w3.org/2000/09/xmldsig#}KeyInfo",
+        )
+        x509_data = ET.SubElement(
+            key_info,
+            "{http://www.w3.org/2000/09/xmldsig#}X509Data",
+        )
+        x509_cert = ET.SubElement(
+            x509_data,
+            "{http://www.w3.org/2000/09/xmldsig#}X509Certificate",
+        )
+        x509_cert.text = config.sp_x509_cert.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace("\n", "").strip()
+
+    # ACS
+    acs = ET.SubElement(
+        sp_sso,
+        "{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService",
+        attrib={
+            "index": "0",
+            "isDefault": "true",
+            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+            "Location": config.acs_url,
+        },
+    )
+
+    # SLO
+    slo = ET.SubElement(
+        sp_sso,
+        "{urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService",
+        attrib={
+            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+            "Location": config.slo_url,
+        },
+    )
+
+    # NameID format
+    nid = ET.SubElement(
+        sp_sso,
+        "{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat",
+    )
+    nid.text = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    raw = ET.tostring(root, encoding="unicode")
+    return Response(content=raw, media_type="application/xml")
+
+
+@router.get("/login")
+async def saml_login():
+    """SP-initiated SSO. Redirects user to IdP with SAML AuthnRequest."""
+    config = get_saml_config()
+    if not config.is_configured():
+        raise HTTPException(
+            status_code=501,
+            detail="SAML not configured. Set SAML_IDP_SSO_URL and SAML_IDP_ENTITY_ID env vars",
+        )
+
+    redirect_url, request_id = _build_auth_request(config)
+    _saml_sessions[request_id] = {"created_at": datetime.now(timezone.utc).isoformat()}
+    return RedirectResponse(url=redirect_url)
+
+
+@router.post("/acs")
+async def saml_acs(request: Request):
+    """Assertion Consumer Service — IdP POSTs SAML Response here after authentication.
+    
+    Returns JWT tokens on success.
+    """
+    form = await request.form()
+    saml_response = form.get("SAMLResponse")
+    relay_state = form.get("RelayState", "/")
+
+    if not saml_response:
+        raise HTTPException(status_code=400, detail="Missing SAMLResponse")
+
+    config = get_saml_config()
+    assertion_data = _parse_saml_response(saml_response, config)
+
+    if not assertion_data.get("name_id"):
+        raise HTTPException(status_code=400, detail="No NameID in SAML assertion")
+
+    # Provision or look up user
+    user = _provision_user(assertion_data, config)
+    if not user:
+        raise HTTPException(status_code=403, detail="User provisioning failed")
+
+    # Store SAML session
+    _saml_sessions[assertion_data["name_id"]] = {
+        "user_id": user.user_id,
+        "email": user.email,
+        "session_index": assertion_data.get("session_index", ""),
+        "created_at": datetime.now(timezone.utc).isoformat(),
+    }
+
+    # Issue JWT
+    access_token = create_access_token(user)
+    refresh_token = create_refresh_token(user)
+
+    return {
+        "access_token": access_token,
+        "refresh_token": refresh_token,
+        "token_type": "bearer",
+        "user": {
+            "id": user.user_id,
+            "email": user.email,
+            "name": user.name,
+            "role": user.role,
+        },
+    }
+
+
+@router.post("/slo")
+async def saml_slo(request: Request):
+    """Single Logout — terminates SAML session and invalidates tokens."""
+    form = await request.form()
+    logout_request = form.get("SAMLRequest")
+
+    if logout_request:
+        # Decode to find the NameID and clear session
+        import base64
+        from xml.etree import ElementTree as ET
+        try:
+            decoded = base64.b64decode(logout_request)
+            root = ET.fromstring(decoded)
+            ns = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
+            name_id = root.findtext(".//saml2:NameID", "", ns)
+            if name_id and name_id in _saml_sessions:
+                del _saml_sessions[name_id]
+        except Exception:
+            pass
+
+    return {
+        "status": "logged_out",
+        "message": "SAML session terminated",
+    }
+
+
+@router.get("/session")
+async def saml_session(current_user: UserSession = Depends(get_current_user)):
+    """Current SAML session status."""
+    return {
+        "authenticated": True,
+        "user": {
+            "id": current_user.user_id,
+            "email": current_user.email,
+            "name": current_user.name,
+            "role": current_user.role,
+        },
+        "auth_method": current_user.auth_method,
+        "idp": current_user.idp,
+    }
+
+
+@router.get("/config")
+async def saml_config_status():
+    """Check whether SAML is configured (no auth required)."""
+    config = get_saml_config()
+    return {
+        "configured": config.is_configured(),
+        "entity_id": config.entity_id,
+        "acs_url": config.acs_url,
+        "auto_provision": config.auto_provision,
+        "default_role": config.default_role,
+    }

package/api/routers/webhooks.py

@@ -0,0 +1,78 @@
+"""Webhook endpoints — register, list, delete webhooks."""
+
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel, HttpUrl
+from typing import List, Optional
+from datetime import datetime
+import hashlib
+import hmac
+import json
+import os
+
+router = APIRouter()
+
+
+class WebhookCreate(BaseModel):
+    url: HttpUrl
+    events: List[str] = ["scan.completed", "finding.critical"]
+
+
+class Webhook(BaseModel):
+    id: str
+    url: str
+    events: List[str]
+    active: bool = True
+    secret: Optional[str] = None
+    created_at: datetime
+
+
+HOOKS_DB: list[Webhook] = []
+
+
+@router.post("/webhooks", status_code=201)
+async def create_webhook(hook: WebhookCreate):
+    """Register a new webhook endpoint."""
+    wh = Webhook(
+        id=hash(str(hook.url) + str(datetime.now())),
+        url=str(hook.url),
+        events=list(set(hook.events)),
+        secret=os.urandom(16).hex(),
+        created_at=datetime.now(),
+    )
+    HOOKS_DB.append(wh)
+    return wh
+
+
+@router.get("/webhooks")
+async def list_webhooks():
+    """List all registered webhooks."""
+    return HOOKS_DB
+
+
+@router.delete("/webhooks/{hook_id}")
+async def delete_webhook(hook_id: str):
+    """Delete a webhook by ID."""
+    for i, wh in enumerate(HOOKS_DB):
+        if wh.id == hook_id:
+            HOOKS_DB.pop(i)
+            return {"deleted": hook_id}
+    raise HTTPException(status_code=404, detail="Webhook not found")
+
+
+async def dispatch_webhooks(event: str, payload: dict):
+    """Dispatch an event to all subscribed webhooks (called by worker)."""
+    import httpx
+
+    for wh in HOOKS_DB:
+        if not wh.active or event not in wh.events:
+            continue
+        body = json.dumps({"event": event, "payload": payload, "timestamp": datetime.now().isoformat()})
+        sig = hmac.new(wh.secret.encode(), body.encode(), hashlib.sha256).hexdigest()
+        async with httpx.AsyncClient() as client:
+            try:
+                await client.post(wh.url, content=body, headers={
+                    "Content-Type": "application/json",
+                    "X-Webhook-Signature": sig,
+                })
+            except Exception:
+                pass  # log failure in production

package/api/saml-config.yaml

@@ -0,0 +1,58 @@
+# npm-scan SAML 2.0 Configuration
+# Copy to saml-config.yaml or set via environment variables.
+# Requires enterprise license with 'sso' feature.
+
+# --- SP (Service Provider) Identity ---
+sp:
+  entity_id: "https://npm-scan.example.com/saml/metadata"
+  acs_url: "https://npm-scan.example.com/api/v1/sso/acs"
+  slo_url: "https://npm-scan.example.com/api/v1/sso/slo"
+
+  # Generate: openssl req -x509 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes
+  # private_key: |
+  #   -----BEGIN PRIVATE KEY-----
+  #   ...
+  #   -----END PRIVATE KEY-----
+  # x509_cert: |
+  #   -----BEGIN CERTIFICATE-----
+  #   ...
+  #   -----END CERTIFICATE-----
+
+# --- IdP (Identity Provider) ---
+idp:
+  # Option A: Metadata URL (preferred — auto-discovers all endpoints)
+  metadata_url: "https://idp.example.com/metadata"
+
+  # Option B: Manual configuration
+  # entity_id: "https://idp.example.com"
+  # sso_url: "https://idp.example.com/saml/sso"
+  # slo_url: "https://idp.example.com/saml/slo"
+  # x509_cert: |
+  #   -----BEGIN CERTIFICATE-----
+  #   ...
+  #   -----END CERTIFICATE-----
+
+# --- Security ---
+security:
+  want_assertions_signed: true
+  want_response_signed: true
+  want_assertions_encrypted: false
+  signature_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+  digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
+
+# --- User Provisioning ---
+provisioning:
+  auto_provision: true
+  default_role: viewer
+  admin_domains:
+    - "example.com"
+  attribute_mapping:
+    email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+    name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
+    firstName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+    lastName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+    groups: "http://schemas.xmlsoap.org/claims/Group"
+
+# --- Session ---
+session:
+  duration_hours: 24

package/api/saml.py

@@ -0,0 +1,184 @@
+"""npm-scan SAML 2.0 Service Provider implementation.
+
+Supports:
+  - IdP-initiated SSO
+  - SP-initiated SSO
+  - Signed + encrypted assertions
+  - Metadata exchange
+  - Single Logout (SLO)
+  - Auto-provisioning via attribute mapping
+
+Requires enterprise license with 'sso' feature flag.
+"""
+
+import os
+import json
+from typing import Optional
+from pathlib import Path
+from dataclasses import dataclass, field
+
+
+@dataclass
+class SAMLConfig:
+    """SAML 2.0 configuration loaded from environment / config file."""
+    # SP identity
+    entity_id: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_SP_ENTITY_ID",
+            "https://npm-scan.io/saml/metadata"
+        )
+    )
+    acs_url: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_ACS_URL",
+            "https://npm-scan.io/api/v1/sso/acs"
+        )
+    )
+    slo_url: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_SLO_URL",
+            "https://npm-scan.io/api/v1/sso/slo"
+        )
+    )
+
+    # IdP metadata (discovery)
+    idp_metadata_url: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_METADATA_URL",
+            ""
+        )
+    )
+    idp_metadata_xml: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_METADATA_XML",
+            ""
+        )
+    )
+    idp_entity_id: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_ENTITY_ID",
+            ""
+        )
+    )
+    idp_sso_url: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_SSO_URL",
+            ""
+        )
+    )
+    idp_slo_url: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_SLO_URL",
+            ""
+        )
+    )
+    idp_x509_cert: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_IDP_X509_CERT",
+            ""
+        )
+    )
+
+    # SP private key for decryption + signing
+    sp_private_key: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_SP_PRIVATE_KEY",
+            ""
+        )
+    )
+    sp_x509_cert: str = field(
+        default_factory=lambda: os.environ.get(
+            "SAML_SP_X509_CERT",
+            ""
+        )
+    )
+
+    # Security settings
+    want_assertions_signed: bool = True
+    want_response_signed: bool = True
+    want_assertions_encrypted: bool = False
+    signature_algorithm: str = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    digest_algorithm: str = "http://www.w3.org/2001/04/xmlenc#sha256"
+
+    # User provisioning
+    auto_provision: bool = True
+    default_role: str = "viewer"
+    admin_domains: list[str] = field(default_factory=list)
+    attribute_mapping: dict[str, str] = field(default_factory=lambda: {
+        "email": "email",
+        "name": "displayName",
+        "firstName": "firstName",
+        "lastName": "lastName",
+        "groups": "groups",
+        "role": "Role",
+    })
+
+    # Session
+    session_duration_hours: int = 24
+
+    def to_onelogin_settings(self) -> dict:
+        """Convert to python3-saml settings dict."""
+        settings = {
+            "strict": True,
+            "debug": os.environ.get("SAML_DEBUG", "false").lower() == "true",
+            "sp": {
+                "entityId": self.entity_id,
+                "assertionConsumerService": {
+                    "url": self.acs_url,
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                },
+                "singleLogoutService": {
+                    "url": self.slo_url,
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+                },
+                "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                "x509cert": self.sp_x509_cert or "",
+                "privateKey": self.sp_private_key or "",
+            },
+            "idp": {
+                "entityId": self.idp_entity_id,
+                "singleSignOnService": {
+                    "url": self.idp_sso_url,
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+                },
+                "singleLogoutService": {
+                    "url": self.idp_slo_url or self.idp_sso_url,
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+                },
+                "x509cert": self.idp_x509_cert,
+            },
+            "security": {
+                "wantAssertionsSigned": self.want_assertions_signed,
+                "wantResponseSigned": self.want_response_signed,
+                "wantAssertionsEncrypted": self.want_assertions_encrypted,
+                "signatureAlgorithm": self.signature_algorithm,
+                "digestAlgorithm": self.digest_algorithm,
+                "nameIdEncrypted": False,
+                "authnRequestsSigned": True,
+                "logoutRequestSigned": True,
+                "logoutResponseSigned": True,
+                "signMetadata": bool(self.sp_private_key),
+                "requestedAuthnContext": True,
+            },
+        }
+        return settings
+
+    def is_configured(self) -> bool:
+        """Check if SAML has enough config to operate."""
+        return bool(self.idp_sso_url and self.idp_entity_id) or bool(self.idp_metadata_url or self.idp_metadata_xml)
+
+
+# Global singleton
+_config: Optional[SAMLConfig] = None
+
+
+def get_saml_config() -> SAMLConfig:
+    global _config
+    if _config is None:
+        _config = SAMLConfig()
+    return _config
+
+
+def set_saml_config(cfg: SAMLConfig) -> None:
+    global _config
+    _config = cfg