@opengovsg/mockpass 2.7.9

package/.eslintrc.json

@@ -0,0 +1,13 @@
+{
+  "extends": [
+    "eslint:recommended",
+    "plugin:prettier/recommended"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2018
+  },
+  "env": {
+    "node": true,
+    "es6": true
+  }
+}

package/.gitattributes

@@ -0,0 +1,2 @@
+# Set to not apply eol conversion for subresource integrity check
+public/mockpass/resources/js/*.js -text

package/.github/dependabot.yml

@@ -0,0 +1,14 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    commit-message: 
+      prefix: "chore(deps):"
+    target-branch: "dependabot"

package/.github/mergify.yml

@@ -0,0 +1,12 @@
+pull_request_rules:
+  - name: command dependabot to squash and merge
+    conditions:
+      - 'author=dependabot[bot]'
+      - 'check-success~=CI'
+      - 'title~=bump [^\s]+ from ([\d]+)\..+ to \1\.'
+      - 'base=dependabot'
+    actions:
+      review:
+        type: APPROVE
+      merge:
+        method: squash

package/.github/workflows/ci.yml

@@ -0,0 +1,27 @@
+name: ci
+on:
+  push:
+  pull_request:
+    types: [opened, reopened]
+jobs:
+  ci:
+    name: CI
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '12.x'
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          # npm cache files are stored in `~/.npm` on Linux/macOS
+          path: ~/.npm
+          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.OS }}-node-
+            ${{ runner.OS }}-
+      - run: npm ci
+      - run: npx lockfile-lint --type npm --path package-lock.json --validate-https --allowed-hosts npm
+      - run: npm run lint

package/.github/workflows/npmpublish.yml

@@ -0,0 +1,22 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 12
+          registry-url: https://registry.npmjs.org/
+      - run: npm ci
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

package/.gitpod.yml

@@ -0,0 +1,5 @@
+tasks:
+  - init: npm install 
+    command: SHOW_LOGIN_PAGE=true npm start
+ports:
+  - port: 5156

package/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

package/.husky/pre-push

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx commitlint --from origin/master --to HEAD --verbose

package/.prettierrc.js

@@ -0,0 +1,5 @@
+module.exports = {
+  semi: false,
+  trailingComma: 'all',
+  singleQuote: true,
+}

package/Dockerfile

@@ -0,0 +1,11 @@
+FROM node:slim
+
+WORKDIR /usr/src/mockpass
+
+COPY package* ./
+
+RUN npm ci
+
+COPY . ./
+
+CMD ["node", "index.js"]

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Open Government Products, Government Technology Agency of Singapore
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,99 @@
+# MockPass
+
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/opengovsg/mockpass)
+
+A mock SingPass/CorpPass/MyInfo server for dev purposes
+
+## Quick Start (hosted by Gitpod)
+
+- Click the ready-to-code badge above
+- Wait for MockPass to start
+- Make port 5156 public
+- Open Browser to note the URL hosting MockPass
+- Configure your application per local machine quick start, changing
+  the localhost:5156 to the Gitpod hostname
+
+## Quick Start (on local machine)
+
+Configure your application to point to the following endpoints:
+
+SingPass:
+ - http://localhost:5156/singpass/logininitial - SAML login redirect with optional page
+ - http://localhost:5156/singpass/soap - receives SAML artifact and returns assertion
+ - http://localhost:5156/singpass/authorize - OIDC login redirect with optional page
+ - http://localhost:5156/singpass/token - receives OIDC authorization code and returns id_token
+
+CorpPass:
+ - http://localhost:5156/corppass/logininitial
+ - http://localhost:5156/corppass/soap
+ - http://localhost:5156/corppass/authorize - OIDC login redirect with optional page
+ - http://localhost:5156/corppass/token - receives OIDC authorization code and returns id_token
+
+MyInfo:
+ - http://localhost:5156/myinfo/{v2,v3}/person-basic (exclusive to government systems)
+ - http://localhost:5156/myinfo/{v2,v3}/authorise
+ - http://localhost:5156/myinfo/{v2,v3}/token
+ - http://localhost:5156/myinfo/{v2,v3}/person
+
+sgID:
+ - http://localhost:5156/sgid/v1/oauth/authorize
+ - http://localhost:5156/sgid/v1/oauth/token
+ - http://localhost:5156/sgid/v1/oauth/userinfo
+
+Provide your application with the `spcp*` certs found in `static/certs`
+and with application certs at `static/certs/{key.pem|server.crt}`
+
+Alternatively, provide the paths to your app cert as env vars
+`SERVICE_PROVIDER_CERT_PATH` and `SERVICE_PROVIDER_PUB_KEY`
+
+```
+$ npm install @opengovsg/mockpass
+
+# Some familiarity with SAML Artifact Binding is assumed
+# Optional: Configure where MockPass should send SAML artifact to, default endpoint will be `PartnerId` in request query parameter.
+$ export SINGPASS_ASSERT_ENDPOINT=http://localhost:5000/singpass/assert
+$ export CORPPASS_ASSERT_ENDPOINT=http://localhost:5000/corppass/assert
+
+# All values shown here are defaults
+$ export MOCKPASS_PORT=5156
+$ export MOCKPASS_NRIC=S8979373D
+$ export MOCKPASS_UEN=123456789A
+
+$ export SHOW_LOGIN_PAGE=true # Optional, defaults to `false`
+
+# Disable signing/encryption (Optional, by default `true`)
+$ export SIGN_ASSERTION=false
+$ export ENCRYPT_ASSERTION=false
+$ export SIGN_RESPONSE=false
+$ export RESOLVE_ARTIFACT_REQUEST_SIGNED=false
+
+# Encrypt payloads returned by /myinfo/*/{person, person-basic},
+# equivalent to MyInfo Auth Level L2 (testing and production)
+$ export ENCRYPT_MYINFO=false
+
+# If specified, will verify token provided in Authorization header
+# for requests to /myinfo/*/token
+$ export SERVICE_PROVIDER_MYINFO_SECRET=<your secret here>
+
+$ npx mockpass
+MockPass listening on 5156
+```
+
+## Background
+
+There currently is nothing widely available to test an application's integration
+with SingPass/CorpPass using a dev machine alone. This is awkward for developers
+who then need to connect to the staging servers hosted by SingPass/CorpPass,
+which may not always be available (eg, down for maintenance, or no Internet).
+
+MockPass tries to solves this by providing an extremely lightweight implementation
+of a SAML 2.0 Identity Provider that returns mock SingPass and CorpPass assertions.
+It optionally provides a mock login page that (badly) mimics the SingPass/CorpPass
+login experience.
+
+## Contributing
+
+We welcome contributions to code open-sourced by the Government Technology
+Agency of Singapore. All contributors will be asked to sign a Contributor
+License Agreement (CLA) in order to ensure that everybody is free to use their
+contributions.

package/commitlint.config.js

@@ -0,0 +1,7 @@
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    'subject-case': [2, 'never', ['start-case', 'pascal-case', 'upper-case']],
+    'scope-case': [2, 'always', ['pascal-case', 'lower-case', 'camel-case']],
+  },
+}

package/index.js

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+const fs = require('fs')
+const express = require('express')
+const morgan = require('morgan')
+const path = require('path')
+require('dotenv').config()
+
+const {
+  configSAML,
+  configOIDC,
+  configMyInfo,
+  configSGID,
+} = require('./lib/express')
+
+const PORT = process.env.MOCKPASS_PORT || process.env.PORT || 5156
+
+if (
+  !process.env.SINGPASS_ASSERT_ENDPOINT &&
+  !process.env.CORPPASS_ASSERT_ENDPOINT
+) {
+  console.warn(
+    'SINGPASS_ASSERT_ENDPOINT or CORPPASS_ASSERT_ENDPOINT is not set. ' +
+      'Value of `PartnerId` request query parameter in redirect URL will be used.',
+  )
+}
+
+const serviceProvider = {
+  cert: fs.readFileSync(
+    path.resolve(
+      __dirname,
+      process.env.SERVICE_PROVIDER_CERT_PATH || './static/certs/server.crt',
+    ),
+  ),
+  pubKey: fs.readFileSync(
+    path.resolve(
+      __dirname,
+      process.env.SERVICE_PROVIDER_PUB_KEY || './static/certs/key.pub',
+    ),
+  ),
+}
+
+const cryptoConfig = {
+  signAssertion: process.env.SIGN_ASSERTION !== 'false', // default to true to be backward compatable
+  signResponse: process.env.SIGN_RESPONSE !== 'false',
+  encryptAssertion: process.env.ENCRYPT_ASSERTION !== 'false',
+  resolveArtifactRequestSigned:
+    process.env.RESOLVE_ARTIFACT_REQUEST_SIGNED !== 'false',
+}
+
+const options = {
+  serviceProvider,
+  idpConfig: {
+    singPass: {
+      id:
+        process.env.SINGPASS_IDP_ID || 'http://localhost:5156/singpass/saml20',
+      assertEndpoint: process.env.SINGPASS_ASSERT_ENDPOINT,
+    },
+    corpPass: {
+      id:
+        process.env.CORPPASS_IDP_ID || 'http://localhost:5156/corppass/saml20',
+      assertEndpoint: process.env.CORPPASS_ASSERT_ENDPOINT,
+    },
+  },
+  showLoginPage: process.env.SHOW_LOGIN_PAGE === 'true',
+  encryptMyInfo: process.env.ENCRYPT_MYINFO === 'true',
+  cryptoConfig,
+}
+
+const app = express()
+app.use(morgan('combined'))
+
+configSAML(app, options)
+configOIDC(app, options)
+configSGID(app, options)
+
+configMyInfo.consent(app)
+configMyInfo.v2(app, options)
+configMyInfo.v3(app, options)
+
+app.enable('trust proxy')
+app.use(express.static(path.join(__dirname, 'public')))
+
+app.listen(PORT, (err) =>
+  err
+    ? console.error('Unable to start MockPass', err)
+    : console.warn(`MockPass listening on ${PORT}`),
+)

package/lib/assertions.js

@@ -0,0 +1,319 @@
+const base64 = require('base-64')
+const crypto = require('crypto')
+const fs = require('fs')
+const { render } = require('mustache')
+const moment = require('moment')
+const jose = require('node-jose')
+const path = require('path')
+
+const readFrom = (p) => fs.readFileSync(path.resolve(__dirname, p), 'utf8')
+
+const TEMPLATE = readFrom('../static/saml/unsigned-assertion.xml')
+const corpPassTemplate = readFrom('../static/saml/corppass.xml')
+
+const defaultAudience =
+  process.env.SERVICE_PROVIDER_ENTITY_ID ||
+  'http://sp.example.com/demo1/metadata.php'
+
+const signingPem = fs.readFileSync(
+  path.resolve(__dirname, '../static/certs/spcp-key.pem'),
+)
+
+const createRefreshToken = (uuid) => {
+  const prefixSize = (`${uuid}`.length + 1) / 2
+  const padding = Number.isInteger(prefixSize) ? '/' : '/f'
+
+  return (
+    uuid +
+    padding +
+    crypto.randomBytes(20 - Math.floor(prefixSize)).toString('hex')
+  )
+}
+
+const hashToken = (token) => {
+  const fullHash = crypto.createHash('sha256')
+  fullHash.update(token, 'utf8')
+  const fullDigest = fullHash.digest()
+  const digestBuffer = fullDigest.slice(0, fullDigest.length / 2)
+  if (Buffer.isEncoding('base64url')) {
+    return digestBuffer.toString('base64url')
+  } else {
+    const fromBase64 = (base64) =>
+      base64.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')
+    return fromBase64(digestBuffer.toString('base64'))
+  }
+}
+
+const myinfo = {
+  v2: JSON.parse(readFrom('../static/myinfo/v2.json')),
+  v3: JSON.parse(readFrom('../static/myinfo/v3.json')),
+}
+
+const saml = {
+  singPass: [
+    'S8979373D',
+    'S8116474F',
+    'S8723211E',
+    'S5062854Z',
+    'T0066846F',
+    'F9477325W',
+    'S3000024B',
+    'S6005040F',
+    'S6005041D',
+    'S6005042B',
+    'S6005043J',
+    'S6005044I',
+    'S6005045G',
+    'S6005046E',
+    'S6005047C',
+    'S6005064C',
+    'S6005065A',
+    'S6005066Z',
+    'S6005037F',
+    'S6005038D',
+    'S6005039B',
+    'G1612357P',
+    'G1612358M',
+    'F1612359P',
+    'F1612360U',
+    'F1612361R',
+    'F1612362P',
+    'F1612363M',
+    'F1612364K',
+    'F1612365W',
+    'F1612366T',
+    'F1612367Q',
+    'F1612358R',
+    'F1612354N',
+    'F1612357U',
+    ...Object.keys(myinfo.v2.personas),
+  ],
+  corpPass: [
+    { nric: 'S8979373D', uen: '123456789A' },
+    { nric: 'S8116474F', uen: '123456789A' },
+    { nric: 'S8723211E', uen: '123456789A' },
+    { nric: 'S5062854Z', uen: '123456789B' },
+    { nric: 'T0066846F', uen: '123456789B' },
+    { nric: 'F9477325W', uen: '123456789B' },
+    { nric: 'S3000024B', uen: '123456789C' },
+    { nric: 'S6005040F', uen: '123456789C' },
+  ],
+  create: {
+    singPass: (
+      nric,
+      issuer,
+      recipient,
+      inResponseTo,
+      audience = defaultAudience,
+    ) =>
+      render(TEMPLATE, {
+        name: 'UserName',
+        value: nric,
+        issueInstant: moment.utc().format(),
+        recipient,
+        issuer,
+        inResponseTo,
+        audience,
+      }),
+    corpPass: (
+      source,
+      issuer,
+      recipient,
+      inResponseTo,
+      audience = defaultAudience,
+    ) =>
+      render(TEMPLATE, {
+        issueInstant: moment.utc().format(),
+        name: source.uen,
+        value: base64.encode(render(corpPassTemplate, source)),
+        recipient,
+        issuer,
+        inResponseTo,
+        audience,
+      }),
+  },
+}
+
+const oidc = {
+  singPass: [
+    'S8979373D',
+    'S8116474F',
+    'S8723211E',
+    'S5062854Z',
+    'T0066846F',
+    'F9477325W',
+    'S3000024B',
+    'S6005040F',
+    'S6005041D',
+    'S6005042B',
+    'S6005043J',
+    'S6005044I',
+    'S6005045G',
+    'S6005046E',
+    'S6005047C',
+    'S6005064C',
+    'S6005065A',
+    'S6005066Z',
+    'S6005037F',
+    'S6005038D',
+    'S6005039B',
+    'G1612357P',
+    'G1612358M',
+    'F1612359P',
+    'F1612360U',
+    'F1612361R',
+    'F1612362P',
+    'F1612363M',
+    'F1612364K',
+    'F1612365W',
+    'F1612366T',
+    'F1612367Q',
+    'F1612358R',
+    'F1612354N',
+    'F1612357U',
+    ...Object.keys(myinfo.v3.personas),
+  ],
+  corpPass: [
+    {
+      nric: 'S8979373D',
+      name: 'Name of S8979373D',
+      isSingPassHolder: true,
+      uen: '123456789A',
+    },
+    {
+      nric: 'S8116474F',
+      name: 'Name of S8116474F',
+      isSingPassHolder: true,
+      uen: '123456789A',
+    },
+    {
+      nric: 'S8723211E',
+      name: 'Name of S8723211E',
+      isSingPassHolder: true,
+      uen: '123456789A',
+    },
+    {
+      nric: 'S5062854Z',
+      name: 'Name of S5062854Z',
+      isSingPassHolder: true,
+      uen: '123456789B',
+    },
+    {
+      nric: 'T0066846F',
+      name: 'Name of T0066846F',
+      isSingPassHolder: true,
+      uen: '123456789B',
+    },
+    {
+      nric: 'F9477325W',
+      name: 'Name of F9477325W',
+      isSingPassHolder: false,
+      uen: '123456789B',
+    },
+    {
+      nric: 'S3000024B',
+      name: 'Name of S3000024B',
+      isSingPassHolder: true,
+      uen: '123456789C',
+    },
+    {
+      nric: 'S6005040F',
+      name: 'Name of S6005040F',
+      isSingPassHolder: true,
+      uen: '123456789C',
+    },
+  ],
+  create: {
+    singPass: (
+      uuid,
+      iss,
+      aud,
+      nonce,
+      accessToken = crypto.randomBytes(15).toString('hex'),
+    ) => {
+      const nric = oidc.singPass[uuid]
+      const sub = `s=${nric},u=${uuid}`
+
+      const refreshToken = createRefreshToken(uuid)
+      const accessTokenHash = hashToken(accessToken)
+      const refreshTokenHash = hashToken(refreshToken)
+
+      return {
+        accessToken,
+        refreshToken,
+        idTokenClaims: {
+          rt_hash: refreshTokenHash,
+          at_hash: accessTokenHash,
+          iat: Math.floor(Date.now() / 1000),
+          exp: Math.floor(Date.now() / 1000) + 24 * 60 * 60,
+          iss,
+          amr: ['pwd'],
+          aud,
+          sub,
+          ...(nonce ? { nonce } : {}),
+        },
+      }
+    },
+    corpPass: async (uuid, iss, aud, nonce) => {
+      const baseClaims = {
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 24 * 60 * 60,
+        iss,
+        aud,
+      }
+
+      const profile = oidc.corpPass[uuid]
+      const sub = `s=${profile.nric},u=${uuid},c=SG`
+
+      const accessTokenClaims = {
+        ...baseClaims,
+        authorization: {
+          EntityInfo: {},
+          AccessInfo: {},
+          TPAccessInfo: {},
+        },
+      }
+
+      const signingKey = await jose.JWK.asKey(signingPem, 'pem')
+      const accessToken = await jose.JWS.createSign(
+        { format: 'compact' },
+        signingKey,
+      )
+        .update(JSON.stringify(accessTokenClaims))
+        .final()
+
+      const accessTokenHash = hashToken(accessToken)
+
+      return {
+        refreshToken: 'refresh',
+        accessToken,
+        idTokenClaims: {
+          ...baseClaims,
+          rt_hash: '',
+          at_hash: accessTokenHash,
+          amr: ['pwd'],
+          sub,
+          ...(nonce ? { nonce } : {}),
+          userInfo: {
+            CPAccType: 'User',
+            CPUID_FullName: profile.name,
+            ISSPHOLDER: profile.isSingPassHolder ? 'YES' : 'NO',
+          },
+        },
+      }
+    },
+  },
+}
+
+const singPassNric = process.env.MOCKPASS_NRIC || saml.singPass[0]
+const corpPassNric = process.env.MOCKPASS_NRIC || saml.corpPass[0].nric
+const uen = process.env.MOCKPASS_UEN || saml.corpPass[0].uen
+
+module.exports = {
+  saml,
+  oidc,
+  myinfo,
+  singPassNric,
+  corpPassNric,
+  uen,
+}