@opengovsg/mockpass 2.7.9

package/lib/crypto/index.js

@@ -0,0 +1,61 @@
+const fs = require('fs')
+const path = require('path')
+const { SignedXml } = require('xml-crypto')
+const { encrypt } = require('xml-encryption')
+const xpath = require('xpath')
+
+module.exports = (serviceProvider) => {
+  // NOTE - the typo in keyEncryptionAlgorighm is deliberate
+  const ENCRYPT_OPTIONS = {
+    rsa_pub: serviceProvider.pubKey,
+    pem: serviceProvider.cert,
+    encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+    keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
+  }
+
+  return {
+    verifySignature(xml) {
+      const [signature] =
+        xpath.select("//*[local-name(.)='Signature']", xml) || []
+      const [artifactResolvePayload] =
+        xpath.select("//*[local-name(.)='ArtifactResolve']", xml) || []
+      const verifier = new SignedXml()
+      verifier.keyInfoProvider = { getKey: () => ENCRYPT_OPTIONS.pem }
+      verifier.loadSignature(signature.toString())
+      return verifier.checkSignature(artifactResolvePayload.toString())
+    },
+
+    sign(payload, reference) {
+      const sig = new SignedXml()
+      const transforms = [
+        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
+        'http://www.w3.org/2001/10/xml-exc-c14n#',
+      ]
+      const digestAlgorithm = 'http://www.w3.org/2001/04/xmlenc#sha256'
+      sig.addReference(reference, transforms, digestAlgorithm)
+
+      sig.signingKey = fs.readFileSync(
+        path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
+      )
+      sig.signatureAlgorithm =
+        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+      const options = {
+        prefix: 'ds',
+        location: { reference, action: 'prepend' },
+      }
+      sig.computeSignature(payload, options)
+      return sig.getSignedXml()
+    },
+
+    promiseToEncryptAssertion: (assertion) =>
+      new Promise((resolve, reject) => {
+        encrypt(assertion, ENCRYPT_OPTIONS, (err, data) =>
+          err
+            ? reject(err)
+            : resolve(
+                `<saml:EncryptedAssertion>${data}</saml:EncryptedAssertion>`,
+              ),
+        )
+      }),
+  }
+}

package/lib/crypto/myinfo-signature.js

@@ -0,0 +1,153 @@
+const _ = require('lodash')
+
+const apex = function apex(authHeader, req, context = {}) {
+  const authHeaderFieldPairs = _(authHeader)
+    .replace(/"/g, '')
+    .replace(/apex_l2_eg_/g, '')
+    .split(',')
+    .map((v) => v.replace('=', '~').split('~'))
+
+  const authHeaderFields = _(authHeaderFieldPairs)
+    .fromPairs()
+    .mapKeys((v, k) => _.camelCase(k))
+    .value()
+
+  const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
+
+  const { clientSecret, redirectURI } = context
+
+  const {
+    method: httpMethod,
+    query: { attributes, singpassEserviceId },
+  } = req
+
+  const { code } = req.body || {}
+
+  const {
+    signature,
+    appId,
+    appId: clientId,
+    nonce,
+    timestamp,
+  } = authHeaderFields
+
+  const baseString = req.path.endsWith('/token')
+    ? httpMethod.toUpperCase() +
+      // url string replacement was dictated by MyInfo docs - no explanation
+      // was provided for why this is necessary
+      '&' +
+      url.replace('.api.gov.sg', '.e.api.gov.sg') +
+      '&apex_l2_eg_app_id=' +
+      appId +
+      '&apex_l2_eg_nonce=' +
+      nonce +
+      '&apex_l2_eg_signature_method=SHA256withRSA' +
+      '&apex_l2_eg_timestamp=' +
+      timestamp +
+      '&apex_l2_eg_version=1.0' +
+      '&client_id=' +
+      clientId +
+      '&client_secret=' +
+      clientSecret +
+      '&code=' +
+      code +
+      '&grant_type=authorization_code' +
+      '&redirect_uri=' +
+      redirectURI
+    : httpMethod.toUpperCase() +
+      // url string replacement was dictated by MyInfo docs - no explanation
+      // was provided for why this is necessary
+      '&' +
+      url.replace('.api.gov.sg', '.e.api.gov.sg') +
+      '&apex_l2_eg_app_id=' +
+      appId +
+      '&apex_l2_eg_nonce=' +
+      nonce +
+      '&apex_l2_eg_signature_method=SHA256withRSA' +
+      '&apex_l2_eg_timestamp=' +
+      timestamp +
+      '&apex_l2_eg_version=1.0' +
+      '&attributes=' +
+      attributes +
+      '&client_id=' +
+      clientId +
+      (req.path.includes('/person-basic')
+        ? '&singpassEserviceId=' + singpassEserviceId
+        : '')
+
+  return {
+    signature,
+    baseString,
+  }
+}
+
+const pki = function pki(authHeader, req, context = {}) {
+  const authHeaderFieldPairs = _(authHeader)
+    .replace(/"/g, '')
+    .split(',')
+    .map((v) => v.replace('=', '~').split('~'))
+
+  const authHeaderFields = _(authHeaderFieldPairs)
+    .fromPairs()
+    .mapKeys((_v, k) => _.camelCase(k))
+    .value()
+
+  const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
+
+  const { clientSecret, redirectURI } = context
+
+  const {
+    method: httpMethod,
+    query: { attributes, sp_esvcId },
+  } = req
+
+  const { code } = req.body || {}
+
+  const {
+    signature,
+    appId,
+    appId: clientId,
+    nonce,
+    timestamp,
+  } = authHeaderFields
+  return {
+    signature,
+    baseString: req.path.endsWith('/token')
+      ? httpMethod.toUpperCase() +
+        '&' +
+        url +
+        '&app_id=' +
+        appId +
+        '&client_id=' +
+        clientId +
+        '&client_secret=' +
+        clientSecret +
+        '&code=' +
+        code +
+        '&grant_type=authorization_code' +
+        '&nonce=' +
+        nonce +
+        '&redirect_uri=' +
+        redirectURI +
+        '&signature_method=RS256' +
+        '&timestamp=' +
+        timestamp
+      : httpMethod.toUpperCase() +
+        '&' +
+        url +
+        '&app_id=' +
+        appId +
+        '&attributes=' +
+        attributes +
+        '&client_id=' +
+        clientId +
+        '&nonce=' +
+        nonce +
+        '&signature_method=RS256' +
+        (req.path.includes('/person-basic') ? '&sp_esvcId=' + sp_esvcId : '') +
+        '&timestamp=' +
+        timestamp,
+  }
+}
+
+module.exports = { pki, apex }

package/lib/express/index.js

@@ -0,0 +1,6 @@
+module.exports = {
+  configSAML: require('./saml'),
+  configOIDC: require('./oidc'),
+  configMyInfo: require('./myinfo'),
+  configSGID: require('./sgid'),
+}

package/lib/express/myinfo/consent.js

@@ -0,0 +1,160 @@
+const express = require('express')
+const cookieParser = require('cookie-parser')
+const fs = require('fs')
+const { pick } = require('lodash')
+const { render } = require('mustache')
+const path = require('path')
+const qs = require('querystring')
+const { v1: uuid } = require('uuid')
+
+const assertions = require('../../assertions')
+
+const MYINFO_ASSERT_ENDPOINT = '/consent/myinfo-com'
+const AUTHORIZE_ENDPOINT = '/consent/oauth2/authorize'
+const CONSENT_TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/html/consent.html'),
+  'utf8',
+)
+
+const authorizations = {}
+
+const authorize = (redirectTo) => (req, res) => {
+  const {
+    client_id, // eslint-disable-line camelcase
+    redirect_uri, // eslint-disable-line camelcase
+    attributes,
+    purpose,
+    state,
+  } = req.query
+  const relayStateParams = qs.stringify({
+    client_id,
+    redirect_uri,
+    state,
+    purpose,
+    scope: (attributes || '').replace(/,/g, ' '),
+    realm: MYINFO_ASSERT_ENDPOINT,
+    response_type: 'code',
+  })
+  const relayState = `${AUTHORIZE_ENDPOINT}${encodeURIComponent(
+    '?' + relayStateParams,
+  )}`
+  res.redirect(redirectTo(relayState))
+}
+
+const authorizeViaSAML = authorize(
+  (relayState) =>
+    `/singpass/logininitial?esrvcID=MYINFO-CONSENTPLATFORM&PartnerId=${MYINFO_ASSERT_ENDPOINT}&Target=${relayState}`,
+)
+
+const authorizeViaOIDC = authorize(
+  (relayState) =>
+    `/singpass/authorize?client_id=MYINFO-CONSENTPLATFORM&redirect_uri=${MYINFO_ASSERT_ENDPOINT}&state=${relayState}`,
+)
+
+function config(app) {
+  app.get(MYINFO_ASSERT_ENDPOINT, (req, res) => {
+    const rawArtifact = req.query.SAMLart || req.query.code
+    const artifact = rawArtifact.replace(/ /g, '+')
+    const artifactBuffer = Buffer.from(artifact, 'base64')
+    const artifactMessage = artifactBuffer.toString('utf8', 24)
+    let index = artifactBuffer.readInt8(artifactBuffer.length - 1)
+
+    const state = req.query.RelayState || req.query.state
+    let id
+    if (artifactMessage.startsWith('customNric:')) {
+      id = artifactMessage.slice('customNric:'.length)
+    } else {
+      const assertionType = req.query.code ? 'oidc' : 'saml'
+
+      // use env NRIC when SHOW_LOGIN_PAGE is false
+      if (index === -1) {
+        index = assertions[assertionType].singPass.indexOf(
+          assertions.singPassNric,
+        )
+      }
+      id = assertions[assertionType].singPass[index]
+    }
+    const persona = assertions.myinfo[req.query.code ? 'v3' : 'v2'].personas[id]
+    if (!persona) {
+      res.status(404).send({
+        message: 'Cannot find MyInfo Persona',
+        artifact,
+        index,
+        id,
+        persona,
+      })
+    } else {
+      res.cookie('connect.sid', id)
+      res.redirect(state)
+    }
+  })
+
+  app.get(AUTHORIZE_ENDPOINT, cookieParser(), (req, res) => {
+    const params = {
+      ...req.query,
+      scope: req.query.scope.replace(/\+/g, ' '),
+      id: req.cookies['connect.sid'],
+      action: AUTHORIZE_ENDPOINT,
+    }
+
+    res.send(render(CONSENT_TEMPLATE, params))
+  })
+
+  app.post(
+    AUTHORIZE_ENDPOINT,
+    cookieParser(),
+    express.urlencoded({
+      extended: false,
+      type: 'application/x-www-form-urlencoded',
+    }),
+    (req, res) => {
+      const id = req.cookies['connect.sid']
+      const code = uuid()
+      authorizations[code] = [
+        {
+          sub: id,
+          auth_level: 0,
+          scope: req.body.scope.split(' '),
+          iss: `${req.protocol}://${req.get(
+            'host',
+          )}/consent/oauth2/consent/myinfo-com`,
+          tokenName: 'access_token',
+          token_type: 'Bearer',
+          authGrantId: code,
+          auditTrackingId: code,
+          jti: code,
+          aud: 'myinfo',
+          grant_type: 'authorization_code',
+          realm: '/consent/myinfo-com',
+        },
+        req.body.redirect_uri,
+      ]
+      const callbackParams = qs.stringify(
+        req.body.decision === 'allow'
+          ? {
+              code,
+              ...pick(req.body, ['state', 'scope', 'client_id']),
+              iss: `${req.protocol}://${req.get(
+                'host',
+              )}/consent/oauth2/consent/myinfo-com`,
+            }
+          : {
+              state: req.body.state,
+              'error-description':
+                'Resource Owner did not authorize the request',
+              error: 'access_denied',
+            },
+      )
+      res.redirect(`${req.body.redirect_uri}?${callbackParams}`)
+    },
+  )
+
+  return app
+}
+
+module.exports = {
+  authorizeViaSAML,
+  authorizeViaOIDC,
+  authorizations,
+  config,
+}

package/lib/express/myinfo/controllers.js

@@ -0,0 +1,179 @@
+const crypto = require('crypto')
+const fs = require('fs')
+const path = require('path')
+
+const express = require('express')
+const { pick, partition } = require('lodash')
+
+const jose = require('node-jose')
+const jwt = require('jsonwebtoken')
+
+const assertions = require('../../assertions')
+const consent = require('./consent')
+
+const MOCKPASS_PRIVATE_KEY = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/certs/spcp-key.pem'),
+)
+const MOCKPASS_PUBLIC_KEY = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/certs/spcp.crt'),
+)
+
+const MYINFO_SECRET = process.env.SERVICE_PROVIDER_MYINFO_SECRET
+
+module.exports =
+  (version, myInfoSignature) =>
+  (app, { serviceProvider, encryptMyInfo }) => {
+    const verify = (signature, baseString) => {
+      const verifier = crypto.createVerify('RSA-SHA256')
+      verifier.update(baseString)
+      verifier.end()
+      return verifier.verify(serviceProvider.pubKey, signature, 'base64')
+    }
+
+    const encryptPersona = async (persona) => {
+      const signedPersona =
+        version === 'v3'
+          ? jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
+              algorithm: 'RS256',
+            })
+          : persona
+      const serviceCertAsKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
+      const encryptedAndSignedPersona = await jose.JWE.createEncrypt(
+        { format: 'compact' },
+        serviceCertAsKey,
+      )
+        .update(JSON.stringify(signedPersona))
+        .final()
+      return encryptedAndSignedPersona
+    }
+
+    const lookupPerson = (allowedAttributes) => async (req, res) => {
+      const requestedAttributes = (req.query.attributes || '').split(',')
+
+      const [attributes, disallowedAttributes] = partition(
+        requestedAttributes,
+        (v) => allowedAttributes.includes(v),
+      )
+
+      if (disallowedAttributes.length > 0) {
+        res.status(401).send({
+          code: 401,
+          message: 'Disallowed',
+          fields: disallowedAttributes.join(','),
+        })
+      } else {
+        const transformPersona = encryptMyInfo
+          ? encryptPersona
+          : (person) => person
+        const persona = assertions.myinfo[version].personas[req.params.uinfin]
+        res.status(persona ? 200 : 404).send(
+          persona
+            ? await transformPersona(pick(persona, attributes))
+            : {
+                code: 404,
+                message: 'UIN/FIN does not exist in MyInfo.',
+                fields: '',
+              },
+        )
+      }
+    }
+
+    const allowedAttributes = assertions.myinfo[version].attributes
+
+    app.get(
+      `/myinfo/${version}/person-basic/:uinfin/`,
+      (req, res, next) => {
+        // sp_esvcId and txnNo needed as query params
+        const [, authHeader] = req.get('Authorization').split(' ')
+
+        const { signature, baseString } = myInfoSignature(authHeader, req)
+        if (verify(signature, baseString)) {
+          next()
+        } else {
+          res.status(403).send({
+            code: 403,
+            message: `Signature verification failed, ${baseString} does not result in ${signature}`,
+            fields: '',
+          })
+        }
+      },
+      lookupPerson(allowedAttributes.basic),
+    )
+    app.get(`/myinfo/${version}/person/:uinfin/`, (req, res) => {
+      const authz = req.get('Authorization').split(' ')
+      const token = authz.pop()
+
+      const authHeader = (authz[1] || '').replace(',Bearer', '')
+      const { signature, baseString } = encryptMyInfo
+        ? myInfoSignature(authHeader, req)
+        : {}
+
+      const { sub, scope } = jwt.verify(token, MOCKPASS_PUBLIC_KEY, {
+        algorithms: ['RS256'],
+      })
+      if (encryptMyInfo && !verify(signature, baseString)) {
+        res.status(401).send({
+          code: 401,
+          message: `Signature verification failed, ${baseString} does not result in ${signature}`,
+        })
+      } else if (sub !== req.params.uinfin) {
+        res.status(401).send({
+          code: 401,
+          message: 'UIN requested does not match logged in user',
+        })
+      } else {
+        lookupPerson(scope)(req, res)
+      }
+    })
+
+    app.get(
+      `/myinfo/${version}/authorise`,
+      version === 'v3' ? consent.authorizeViaOIDC : consent.authorizeViaSAML,
+    )
+
+    app.post(
+      `/myinfo/${version}/token`,
+      express.urlencoded({
+        extended: false,
+        type: 'application/x-www-form-urlencoded',
+      }),
+      (req, res) => {
+        const [tokenTemplate, redirectURI] =
+          consent.authorizations[req.body.code]
+        const [, authHeader] = (req.get('Authorization') || '').split(' ')
+
+        const { signature, baseString } = MYINFO_SECRET
+          ? myInfoSignature(authHeader, req, {
+              clientSecret: MYINFO_SECRET,
+              redirectURI,
+            })
+          : {}
+
+        if (!tokenTemplate) {
+          res.status(400).send({
+            code: 400,
+            message: 'No such authorization given',
+            fields: '',
+          })
+        } else if (MYINFO_SECRET && !verify(signature, baseString)) {
+          res.status(403).send({
+            code: 403,
+            message: `Signature verification failed, ${baseString} does not result in ${signature}`,
+          })
+        } else {
+          const token = jwt.sign(
+            { ...tokenTemplate, auth_time: Date.now() },
+            MOCKPASS_PRIVATE_KEY,
+            { expiresIn: '1800 seconds', algorithm: 'RS256' },
+          )
+          res.send({
+            access_token: token,
+            token_type: 'Bearer',
+            expires_in: 1798,
+          })
+        }
+      },
+    )
+
+    return app
+  }

package/lib/express/myinfo/index.js

@@ -0,0 +1,10 @@
+const { config: consent } = require('./consent')
+const controllers = require('./controllers')
+
+const { pki, apex } = require('../../crypto/myinfo-signature')
+
+module.exports = {
+  consent,
+  v2: controllers('v2', apex),
+  v3: controllers('v3', pki),
+}

package/lib/express/oidc.js

@@ -0,0 +1,131 @@
+const express = require('express')
+const fs = require('fs')
+const { render } = require('mustache')
+const jose = require('node-jose')
+const path = require('path')
+const ExpiryMap = require('expiry-map')
+
+const assertions = require('../assertions')
+const { samlArtifact } = require('../saml-artifact')
+
+const LOGIN_TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../static/html/login-page.html'),
+  'utf8',
+)
+const NONCE_TIMEOUT = 5 * 60 * 1000
+const nonceStore = new ExpiryMap(NONCE_TIMEOUT)
+
+const signingPem = fs.readFileSync(
+  path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
+)
+
+const idGenerator = {
+  singPass: (rawId) =>
+    assertions.myinfo.v3.personas[rawId] ? `${rawId} [MyInfo]` : rawId,
+  corpPass: (rawId) => `${rawId.nric} / UEN: ${rawId.uen}`,
+}
+
+function config(app, { showLoginPage, idpConfig, serviceProvider }) {
+  for (const idp of ['singPass', 'corpPass']) {
+    app.get(`/${idp.toLowerCase()}/authorize`, (req, res) => {
+      const redirectURI = req.query.redirect_uri
+      const state = encodeURIComponent(req.query.state)
+      if (showLoginPage) {
+        const oidc = assertions.oidc[idp]
+        const values = oidc.map((rawId, index) => {
+          const code = encodeURIComponent(
+            samlArtifact(idpConfig[idp].id, index),
+          )
+          if (req.query.nonce) {
+            nonceStore.set(code, req.query.nonce)
+          }
+          const assertURL = `${redirectURI}?code=${code}&state=${state}`
+          const id = idGenerator[idp](rawId)
+          return { id, assertURL }
+        })
+        const response = render(LOGIN_TEMPLATE, { values })
+        res.send(response)
+      } else {
+        const code = encodeURIComponent(samlArtifact(idpConfig[idp].id))
+        if (req.query.nonce) {
+          nonceStore.set(code, req.query.nonce)
+        }
+        const assertURL = `${redirectURI}?code=${code}&state=${state}`
+        console.warn(
+          `Redirecting login from ${req.query.client_id} to ${redirectURI}`,
+        )
+        res.redirect(assertURL)
+      }
+    })
+
+    app.post(
+      `/${idp.toLowerCase()}/token`,
+      express.urlencoded({ extended: false }),
+      async (req, res) => {
+        const { client_id: aud, grant_type: grant } = req.body
+        let nonce, uuid
+
+        if (grant === 'refresh_token') {
+          const { refresh_token: refreshToken } = req.body
+          console.warn(`Refreshing tokens with ${refreshToken}`)
+
+          uuid = refreshToken.split('/')[0]
+        } else {
+          const { code: artifact } = req.body
+          console.warn(
+            `Received artifact ${artifact} from ${aud} and ${req.body.redirect_uri}`,
+          )
+          const artifactBuffer = Buffer.from(artifact, 'base64')
+          uuid = artifactBuffer.readInt8(artifactBuffer.length - 1)
+          nonce = nonceStore.get(encodeURIComponent(artifact))
+        }
+
+        // use env NRIC when SHOW_LOGIN_PAGE is false
+        if (uuid === -1) {
+          uuid =
+            idp === 'singPass'
+              ? assertions.oidc.singPass.indexOf(assertions.singPassNric)
+              : assertions.oidc.corpPass.findIndex(
+                  (c) => c.nric === assertions.corpPassNric,
+                )
+        }
+
+        const { idTokenClaims, accessToken, refreshToken } =
+          await assertions.oidc.create[idp](
+            uuid,
+            `${req.protocol}://${req.get('host')}`,
+            aud,
+            nonce,
+          )
+
+        const signingKey = await jose.JWK.asKey(signingPem, 'pem')
+        const signedIdToken = await jose.JWS.createSign(
+          { format: 'compact' },
+          signingKey,
+        )
+          .update(JSON.stringify(idTokenClaims))
+          .final()
+
+        const encryptionKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
+        const idToken = await jose.JWE.createEncrypt(
+          { format: 'compact', fields: { cty: 'JWT' } },
+          encryptionKey,
+        )
+          .update(signedIdToken)
+          .final()
+
+        res.send({
+          access_token: accessToken,
+          refresh_token: refreshToken,
+          expires_in: 24 * 60 * 60,
+          scope: 'openid',
+          token_type: 'bearer',
+          id_token: idToken,
+        })
+      },
+    )
+  }
+  return app
+}
+
+module.exports = config