@opengovsg/mockpass 2.7.9

package/lib/express/saml.js

@@ -0,0 +1,171 @@
+const express = require('express')
+const fs = require('fs')
+const { render } = require('mustache')
+const path = require('path')
+const { DOMParser } = require('@xmldom/xmldom')
+const xpath = require('xpath')
+const moment = require('moment')
+
+const assertions = require('../assertions')
+const crypto = require('../crypto')
+const { samlArtifact, hashPartnerId } = require('../saml-artifact')
+
+const domParser = new DOMParser()
+const dom = (xmlString) => domParser.parseFromString(xmlString)
+
+const TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../static/saml/unsigned-response.xml'),
+  'utf8',
+)
+const LOGIN_TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../static/html/login-page.html'),
+  'utf8',
+)
+
+const MYINFO_ASSERT_ENDPOINT = '/consent/myinfo-com'
+
+const idGenerator = {
+  singPass: (rawId) =>
+    assertions.myinfo.v2.personas[rawId] ? `${rawId} [MyInfo]` : rawId,
+  corpPass: (rawId) => `${rawId.nric} / UEN: ${rawId.uen}`,
+}
+
+function config(
+  app,
+  { showLoginPage, serviceProvider, idpConfig, cryptoConfig },
+) {
+  const { verifySignature, sign, promiseToEncryptAssertion } =
+    crypto(serviceProvider)
+
+  for (const idp of ['singPass', 'corpPass']) {
+    app.get(`/${idp.toLowerCase()}/logininitial`, (req, res) => {
+      const assertEndpoint =
+        req.query.esrvcID === 'MYINFO-CONSENTPLATFORM' && idp === 'singPass'
+          ? MYINFO_ASSERT_ENDPOINT
+          : idpConfig[idp].assertEndpoint || req.query.PartnerId
+      const relayState = req.query.Target
+      const partnerId = idpConfig[idp].id
+      if (showLoginPage) {
+        const saml = assertions.saml[idp]
+        const values = saml.map((rawId, index) => {
+          const samlArt = encodeURIComponent(samlArtifact(partnerId, index))
+          let assertURL = `${assertEndpoint}?SAMLart=${samlArt}`
+          if (relayState !== undefined) {
+            assertURL += `&RelayState=${encodeURIComponent(relayState)}`
+          }
+          const id = idGenerator[idp](rawId)
+          return { id, assertURL }
+        })
+        const hashedPartnerId = hashPartnerId(partnerId)
+        const response = render(LOGIN_TEMPLATE, {
+          values,
+          assertEndpoint,
+          relayState,
+          hashedPartnerId,
+        })
+        res.send(response)
+      } else {
+        const samlArt = encodeURIComponent(samlArtifact(partnerId))
+        let assertURL = `${assertEndpoint}?SAMLart=${samlArt}`
+        if (relayState !== undefined) {
+          assertURL += `&RelayState=${encodeURIComponent(relayState)}`
+        }
+        console.warn(
+          `Redirecting login from ${req.query.PartnerId} to ${assertURL}`,
+        )
+        res.redirect(assertURL)
+      }
+    })
+
+    app.post(
+      `/${idp.toLowerCase()}/soap`,
+      express.text({ type: 'text/xml' }),
+      (req, res) => {
+        // Extract the body of the SOAP request
+        const { body } = req
+        const xml = dom(body)
+
+        if (
+          cryptoConfig.resolveArtifactRequestSigned &&
+          !verifySignature(xml)
+        ) {
+          res.status(400).send('Request has bad signature')
+        } else {
+          // Grab the SAML artifact
+          // TODO: verify the SAML artifact is something we sent
+          // TODO: do something about the partner entity id
+          const samlArtifact = xpath.select(
+            "string(//*[local-name(.)='Artifact'])",
+            xml,
+          )
+          console.warn(`Received SAML Artifact ${samlArtifact}`)
+          // Handle encoded base64 Artifact
+          // Take the template and plug in the typical SingPass/CorpPass response
+          // Sign and encrypt the assertion
+          const samlArtifactBuffer = Buffer.from(samlArtifact, 'base64')
+          const samlArtifactMessage = samlArtifactBuffer.toString('utf8', 24)
+
+          let nric
+          if (samlArtifactMessage.startsWith('customNric:')) {
+            nric = samlArtifactMessage.slice('customNric:'.length)
+          } else {
+            let index = samlArtifactBuffer.readInt8(
+              samlArtifactBuffer.length - 1,
+            )
+            // use env NRIC when SHOW_LOGIN_PAGE is false
+            if (index === -1) {
+              index =
+                idp === 'singPass'
+                  ? assertions.saml.singPass.indexOf(assertions.singPassNric)
+                  : assertions.saml.corpPass.findIndex(
+                      (c) => c.nric === assertions.corpPassNric,
+                    )
+            }
+
+            nric = assertions.saml[idp][index]
+          }
+
+          const samlArtifactResolveId = xpath.select(
+            "string(//*[local-name(.)='ArtifactResolve']/@ID)",
+            xml,
+          )
+
+          let result = assertions.saml.create[idp](
+            nric,
+            idpConfig[idp].id,
+            idpConfig[idp].assertEndpoint,
+            samlArtifactResolveId,
+          )
+
+          if (cryptoConfig.signAssertion) {
+            result = sign(result, "//*[local-name(.)='Assertion']")
+          }
+          const assertionPromise = cryptoConfig.encryptAssertion
+            ? promiseToEncryptAssertion(result)
+            : Promise.resolve(result)
+
+          assertionPromise.then((assertion) => {
+            let response = render(TEMPLATE, {
+              assertion,
+              issueInstant: moment.utc().format(),
+              issuer: idpConfig[idp].id,
+              destination: idpConfig[idp].assertEndpoint,
+              inResponseTo: samlArtifactResolveId,
+            })
+            if (cryptoConfig.signResponse) {
+              response = sign(
+                sign(response, "//*[local-name(.)='Response']"),
+                "//*[local-name(.)='ArtifactResponse']",
+              )
+            }
+            res.send(response)
+          })
+        }
+      },
+    )
+  }
+
+  return app
+}
+
+module.exports = config

package/lib/express/sgid.js

@@ -0,0 +1,168 @@
+const express = require('express')
+const fs = require('fs')
+const { render } = require('mustache')
+const jose = require('node-jose')
+const path = require('path')
+const ExpiryMap = require('expiry-map')
+
+const assertions = require('../assertions')
+const { samlArtifact } = require('../saml-artifact')
+
+const LOGIN_TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../static/html/login-page.html'),
+  'utf8',
+)
+const NONCE_TIMEOUT = 5 * 60 * 1000
+const nonceStore = new ExpiryMap(NONCE_TIMEOUT)
+
+const PATH_PREFIX = '/sgid/v1/oauth'
+
+const signingPem = fs.readFileSync(
+  path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
+)
+
+const idGenerator = {
+  singPass: (rawId) =>
+    assertions.myinfo.v3.personas[rawId] ? `${rawId} [MyInfo]` : rawId,
+}
+
+function config(app, { showLoginPage, idpConfig, serviceProvider }) {
+  app.get(`${PATH_PREFIX}/authorize`, (req, res) => {
+    const redirectURI = req.query.redirect_uri
+    const state = encodeURIComponent(req.query.state)
+    if (showLoginPage) {
+      const oidc = assertions.oidc.singPass
+      const values = oidc
+        .filter((rawId) => assertions.myinfo.v3.personas[rawId])
+        .map((rawId) => {
+          const index = oidc.indexOf(rawId)
+          const code = encodeURIComponent(
+            samlArtifact(idpConfig.singPass.id, index),
+          )
+          if (req.query.nonce) {
+            nonceStore.set(code, req.query.nonce)
+          }
+          const assertURL = `${redirectURI}?code=${code}&state=${state}`
+          const id = idGenerator.singPass(rawId)
+          return { id, assertURL }
+        })
+      const response = render(LOGIN_TEMPLATE, { values })
+      res.send(response)
+    } else {
+      const code = encodeURIComponent(samlArtifact(idpConfig.singPass.id))
+      if (req.query.nonce) {
+        nonceStore.set(code, req.query.nonce)
+      }
+      const assertURL = `${redirectURI}?code=${code}&state=${state}`
+      console.warn(
+        `Redirecting login from ${req.query.client_id} to ${assertURL}`,
+      )
+      res.redirect(assertURL)
+    }
+  })
+
+  app.post(
+    `${PATH_PREFIX}/token`,
+    express.json(),
+    express.urlencoded({ extended: true }),
+    async (req, res) => {
+      console.log(req.body)
+      const { client_id: aud, code: artifact } = req.body
+      let uuid
+
+      console.warn(
+        `Received artifact ${artifact} from ${aud} and ${req.body.redirect_uri}`,
+      )
+      try {
+        const artifactBuffer = Buffer.from(artifact, 'base64')
+        uuid = artifactBuffer.readInt8(artifactBuffer.length - 1)
+        const nonce = nonceStore.get(encodeURIComponent(artifact))
+
+        // use env NRIC when SHOW_LOGIN_PAGE is false
+        if (uuid === -1) {
+          uuid = assertions.oidc.singPass.indexOf(assertions.singPassNric)
+        }
+
+        const accessToken = `${uuid}`
+        const { idTokenClaims, refreshToken } =
+          await assertions.oidc.create.singPass(
+            uuid,
+            `${req.protocol}://${req.get('host')}`,
+            aud,
+            nonce,
+            accessToken,
+          )
+
+        const signingKey = await jose.JWK.asKey(signingPem, 'pem')
+        const idToken = await jose.JWS.createSign(
+          { format: 'compact' },
+          signingKey,
+        )
+          .update(JSON.stringify(idTokenClaims))
+          .final()
+
+        res.json({
+          access_token: accessToken,
+          refresh_token: refreshToken,
+          expires_in: 24 * 60 * 60,
+          scope: 'openid',
+          token_type: 'bearer',
+          id_token: idToken,
+        })
+      } catch (error) {
+        console.error(error)
+        res.status(500).json({ message: error.message })
+      }
+    },
+  )
+
+  app.get(`${PATH_PREFIX}/userinfo`, async (req, res) => {
+    const uuid = (
+      req.headers.authorization || req.headers.Authorization
+    ).replace('Bearer ', '')
+    const nric = assertions.oidc.singPass[uuid]
+    const persona = assertions.myinfo.v3.personas[nric]
+    const name = persona.name.value
+    const dateOfBirth = persona.dob.value
+
+    const payloadKey = await jose.JWK.createKey('oct', 256, {
+      alg: 'A256GCM',
+    })
+
+    const encryptedNric = await jose.JWE.createEncrypt(payloadKey)
+      .update(nric)
+      .final()
+    const encryptedName = await jose.JWE.createEncrypt(payloadKey)
+      .update(name)
+      .final()
+    const encryptedDateOfBirth = await jose.JWE.createEncrypt(payloadKey)
+      .update(dateOfBirth)
+      .final()
+    const data = {
+      'myinfo.nric_number': encryptedNric,
+      'myinfo.name': encryptedName,
+      'myinfo.date_of_birth': encryptedDateOfBirth,
+    }
+    const encryptionKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
+
+    const plaintextPayloadKey = JSON.stringify(payloadKey.toJSON(true))
+    console.log(plaintextPayloadKey)
+    const encryptedPayloadKey = await jose.JWE.createEncrypt(encryptionKey)
+      .update(plaintextPayloadKey)
+      .final()
+    res.json({
+      sub: `u=${uuid}`,
+      key: encryptedPayloadKey,
+      data,
+    })
+  })
+
+  app.get('/.well-known/jwks.json', async (_req, res) => {
+    const key = await jose.JWK.asKey(signingPem, 'pem')
+    const jwk = key.toJSON()
+    jwk.use = 'sig'
+    res.json({ keys: [jwk] })
+  })
+}
+
+module.exports = config

package/lib/saml-artifact.js

@@ -0,0 +1,32 @@
+const crypto = require('crypto')
+
+/**
+ * Construct a SingPass/CorpPass SAML artifact, a base64
+ * encoding of a byte sequence consisting of the following:
+ *  - a two-byte type code, always 0x0004, per SAML 2.0;
+ *  - a two-byte endpoint index, currently always 0x0000;
+ *  - a 20-byte sha1 hash of the partner id, and;
+ *  - a 20-byte random sequence that is effectively the message id
+ * @param {string} partnerId - the partner id
+ * @param {number} [index] - represents the nth identity to use. Defaults to -1
+ * @return {string} the SAML artifact, a base64 string
+ * containing the type code, the endpoint index,
+ * the hash of the partner id, followed by 20 random bytes
+ */
+function samlArtifact(partnerId, index) {
+  const hashedPartnerId = hashPartnerId(partnerId)
+  const randomBytes = crypto.randomBytes(19).toString('hex')
+  const indexBuffer = Buffer.alloc(1)
+  indexBuffer.writeInt8(index || index === 0 ? index : -1)
+  const indexString = indexBuffer.toString('hex')
+  return Buffer.from(
+    `00040000${hashedPartnerId}${randomBytes}${indexString}`,
+    'hex',
+  ).toString('base64')
+}
+
+function hashPartnerId(partnerId) {
+  return crypto.createHash('sha1').update(partnerId, 'utf8').digest('hex')
+}
+
+module.exports = { samlArtifact, hashPartnerId }

package/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "@opengovsg/mockpass",
+  "version": "2.7.9",
+  "description": "A mock SingPass/CorpPass server for dev purposes",
+  "main": "index.js",
+  "bin": {
+    "mockpass": "index.js"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "start": "nodemon",
+    "cz": "git-cz",
+    "lint": "eslint lib",
+    "lint-fix": "eslint --fix lib",
+    "_postinstall": "husky install",
+    "prepublishOnly": "pinst --disable",
+    "postpublish": "pinst --enable"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opengovsg/mockpass.git"
+  },
+  "keywords": [
+    "mock",
+    "test",
+    "singpass",
+    "corppass"
+  ],
+  "author": "Government Technology Agency of Singapore (https://www.tech.gov.sg)",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/opengovsg/mockpass/issues"
+  },
+  "homepage": "https://github.com/opengovsg/mockpass#readme",
+  "engines": {
+    "node": ">=8.0.0"
+  },
+  "dependencies": {
+    "@xmldom/xmldom": "^0.7.2",
+    "base-64": "^1.0.0",
+    "cookie-parser": "^1.4.3",
+    "dotenv": "^10.0.0",
+    "expiry-map": "^1.1.0",
+    "express": "^4.16.3",
+    "jsonwebtoken": "^8.4.0",
+    "lodash": "^4.17.11",
+    "moment": "^2.24.0",
+    "morgan": "^1.9.1",
+    "mustache": "^4.2.0",
+    "node-jose": "^2.0.0",
+    "uuid": "^8.0.0",
+    "xml-crypto": "^2.1.2",
+    "xml-encryption": "^1.2.4",
+    "xpath": "0.0.32"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^13.1.0",
+    "@commitlint/config-conventional": "^13.1.0",
+    "@commitlint/travis-cli": "^13.1.0",
+    "commitizen": "^4.2.4",
+    "cz-conventional-changelog": "^3.2.0",
+    "eslint": "^8.0.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-prettier": "^4.0.0",
+    "husky": "^7.0.0",
+    "lint-staged": "^11.0.0",
+    "nodemon": "^2.0.4",
+    "pinst": "^2.1.6",
+    "prettier": "^2.0.5"
+  },
+  "lint-staged": {
+    "**/*.(js|jsx|ts|tsx)": [
+      "eslint --fix"
+    ]
+  },
+  "config": {
+    "commitizen": {
+      "path": "./node_modules/cz-conventional-changelog"
+    }
+  }
+}

package/public/mockpass/resources/css/animate.css

@@ -0,0 +1,43 @@
+@charset "UTF-8";
+
+/* login page, qr tab tooltip animation */
+@keyframes tooltip-ani {
+    0% {
+        transform: translateX(0) rotateY(-16deg);
+        opacity: 1;
+    }
+    5% {
+        transform: translateX(0) rotateY(20deg);
+        opacity: 1;
+    }
+    10% {
+        transform: translateX(0) rotateY(-12deg);
+        opacity: 1;
+    }
+    15% {
+        transform: translateX(0) rotateY(6deg);
+        opacity: 1;
+    }
+    20% {
+        transform: translateX(0) rotateY(-4deg);
+        opacity: 1;
+    }
+    25% {
+        transform: translateX(0) rotateY(1deg);
+        opacity: 1;
+    }
+    30% {
+        transform: translateX(0) rotateY(0deg);
+        opacity: 1;
+    }
+    100% {
+        transform: translateX(0) rotateY(0deg);
+        opacity: 1;
+    }
+}
+.ani-rotate {
+    animation-name: tooltip-ani;
+    animation-duration: 1.5s;
+    animation-iteration-count: 3;
+    animation-timing-function: cubic-bezier(1.000, 0.000, 0.000, 1.000);
+}

package/public/mockpass/resources/css/common.css

@@ -0,0 +1,121 @@
+/*------------------------------------------------
+            LOADING SCREEN START
+------------------------------------------------ */
+.loading-screen-wrappper {
+    background-color: #000;
+    position: fixed;
+    height: 100%;
+    width: 100vw;
+    left: 0;
+    top: 0;
+    opacity: 0.7;
+    z-index: 9999;
+}
+
+.loading-screen-container {
+    position: relative;
+    top: 50%;
+    transform: translateY(-50%);
+}
+
+.loader-title {
+    width: 300px;
+    height: 50px;
+    color: #fff;
+    font-weight: bold;
+    font-size: 16px;
+    margin: auto;
+    text-align: center;
+}
+
+.loader {
+    border: 16px solid #f3f3f3;
+    border-radius: 50%;
+    border-top: 16px solid #ff0000;
+    width: 50px;
+    height: 50px;
+    -webkit-animation: spin 2s linear infinite;
+    animation: spin 2s linear infinite;
+    margin: auto;
+}
+
+@-webkit-keyframes spin {
+    0% { -webkit-transform: rotate(0deg); }
+    100% { -webkit-transform: rotate(360deg); }
+}
+
+@keyframes spin {
+    0% { transform: rotate(0deg); }
+    100% { transform: rotate(360deg); }
+}
+
+/*------------------------------------------------
+            LOADING SCREEN END
+------------------------------------------------ */
+
+/*------------------------------------------------
+            PASSWORD COMPLEXITY START
+------------------------------------------------ */
+.password-complexity-checker-wrapper {
+    position: relative;
+}
+
+.pwd-complexity-hidden {
+    display: none;
+}
+
+.pwd-complexity-info {
+    border: 1px solid #a4a4a4;
+    background-color: #fff;
+    position: absolute;
+    z-index: 61;
+    font-size: 14px;
+    padding: 5px 10px;
+    width: 100%;
+}
+
+.pc-form-success {
+    color: #2fa13e;
+    padding-right: 3px;
+    font-size: inherit;
+    vertical-align: top;
+}
+
+.pc-form-error {
+    color: #cf2010;
+    padding-right: 3px;
+    font-size: inherit;
+    vertical-align: top;
+}
+
+.pc-form-error .icon-exclamation, .pc-form-success .icon-exclamation {
+    display: inline-block;
+    width: 16px;
+    height: 16px;
+    margin-right: 10px;
+    position: relative;
+    top: 4px;
+    background: url("../img/pwd-complexity-icon-0a8ed77b6b99b6fd7cf2206943de1612.png");
+}
+
+.pc-form-success .icon-exclamation {
+    background-position: -16px 0;
+}
+
+.pwd-complexity-info>p {
+    margin: 0 0 5px 0;
+}
+
+.pwd-complexity-info>ul {
+    list-style: none;
+    margin: 0;
+    padding: 0 0 10px 0;
+    font-size: 12px;
+}
+
+input.password-error {
+    border: 1px solid red;
+}
+/*------------------------------------------------
+            PASSWORD COMPLEXITY END
+------------------------------------------------ */