@opengovsg/mockpass 2.9.5 → 3.0.0

package/index.js

@@ -5,12 +5,7 @@ const morgan = require('morgan')
 const path = require('path')
 require('dotenv').config()
 
-const {
-  configSAML,
-  configOIDC,
-  configMyInfo,
-  configSGID,
-} = require('./lib/express')
+const { configOIDC, configMyInfo, configSGID } = require('./lib/express')
 
 const PORT = process.env.MOCKPASS_PORT || process.env.PORT || 5156
 
@@ -49,18 +44,6 @@ const cryptoConfig = {
 
 const options = {
   serviceProvider,
-  idpConfig: {
-    singPass: {
-      id:
-        process.env.SINGPASS_IDP_ID || 'http://localhost:5156/singpass/saml20',
-      assertEndpoint: process.env.SINGPASS_ASSERT_ENDPOINT,
-    },
-    corpPass: {
-      id:
-        process.env.CORPPASS_IDP_ID || 'http://localhost:5156/corppass/saml20',
-      assertEndpoint: process.env.CORPPASS_ASSERT_ENDPOINT,
-    },
-  },
   showLoginPage: (req) =>
     (req.header('X-Show-Login-Page') || process.env.SHOW_LOGIN_PAGE) === 'true',
   encryptMyInfo: process.env.ENCRYPT_MYINFO === 'true',
@@ -70,12 +53,10 @@ const options = {
 const app = express()
 app.use(morgan('combined'))
 
-configSAML(app, options)
 configOIDC(app, options)
 configSGID(app, options)
 
 configMyInfo.consent(app)
-configMyInfo.v2(app, options)
 configMyInfo.v3(app, options)
 
 app.enable('trust proxy')

package/lib/assertions.js

@@ -1,20 +1,10 @@
-const base64 = require('base-64')
 const crypto = require('crypto')
 const fs = require('fs')
-const { render } = require('mustache')
-const moment = require('moment')
 const jose = require('node-jose')
 const path = require('path')
 
 const readFrom = (p) => fs.readFileSync(path.resolve(__dirname, p), 'utf8')
 
-const TEMPLATE = readFrom('../static/saml/unsigned-assertion.xml')
-const corpPassTemplate = readFrom('../static/saml/corppass.xml')
-
-const defaultAudience =
-  process.env.SERVICE_PROVIDER_ENTITY_ID ||
-  'http://sp.example.com/demo1/metadata.php'
-
 const signingPem = fs.readFileSync(
   path.resolve(__dirname, '../static/certs/spcp-key.pem'),
 )
@@ -34,95 +24,9 @@ const hashToken = (token) => {
 }
 
 const myinfo = {
-  v2: JSON.parse(readFrom('../static/myinfo/v2.json')),
   v3: JSON.parse(readFrom('../static/myinfo/v3.json')),
 }
 
-const saml = {
-  singPass: [
-    { nric: 'S8979373D' },
-    { nric: 'S8116474F' },
-    { nric: 'S8723211E' },
-    { nric: 'S5062854Z' },
-    { nric: 'T0066846F' },
-    { nric: 'F9477325W' },
-    { nric: 'S3000024B' },
-    { nric: 'S6005040F' },
-    { nric: 'S6005041D' },
-    { nric: 'S6005042B' },
-    { nric: 'S6005043J' },
-    { nric: 'S6005044I' },
-    { nric: 'S6005045G' },
-    { nric: 'S6005046E' },
-    { nric: 'S6005047C' },
-    { nric: 'S6005064C' },
-    { nric: 'S6005065A' },
-    { nric: 'S6005066Z' },
-    { nric: 'S6005037F' },
-    { nric: 'S6005038D' },
-    { nric: 'S6005039B' },
-    { nric: 'G1612357P' },
-    { nric: 'G1612358M' },
-    { nric: 'F1612359P' },
-    { nric: 'F1612360U' },
-    { nric: 'F1612361R' },
-    { nric: 'F1612362P' },
-    { nric: 'F1612363M' },
-    { nric: 'F1612364K' },
-    { nric: 'F1612365W' },
-    { nric: 'F1612366T' },
-    { nric: 'F1612367Q' },
-    { nric: 'F1612358R' },
-    { nric: 'F1612354N' },
-    { nric: 'F1612357U' },
-    ...Object.keys(myinfo.v2.personas).map((nric) => ({ nric })),
-  ],
-  corpPass: [
-    { nric: 'S8979373D', uen: '123456789A' },
-    { nric: 'S8116474F', uen: '123456789A' },
-    { nric: 'S8723211E', uen: '123456789A' },
-    { nric: 'S5062854Z', uen: '123456789B' },
-    { nric: 'T0066846F', uen: '123456789B' },
-    { nric: 'F9477325W', uen: '123456789B' },
-    { nric: 'S3000024B', uen: '123456789C' },
-    { nric: 'S6005040F', uen: '123456789C' },
-  ],
-  create: {
-    singPass: (
-      { nric },
-      issuer,
-      recipient,
-      inResponseTo,
-      audience = defaultAudience,
-    ) =>
-      render(TEMPLATE, {
-        name: 'UserName',
-        value: nric,
-        issueInstant: moment.utc().format(),
-        recipient,
-        issuer,
-        inResponseTo,
-        audience,
-      }),
-    corpPass: (
-      { nric, uen },
-      issuer,
-      recipient,
-      inResponseTo,
-      audience = defaultAudience,
-    ) =>
-      render(TEMPLATE, {
-        issueInstant: moment.utc().format(),
-        name: uen,
-        value: base64.encode(render(corpPassTemplate, { nric, uen })),
-        recipient,
-        issuer,
-        inResponseTo,
-        audience,
-      }),
-  },
-}
-
 const oidc = {
   singPass: [
     { nric: 'S8979373D', uuid: 'a9865837-7bd7-46ac-bef4-42a76a946424' },
@@ -321,7 +225,6 @@ const oidc = {
 }
 
 module.exports = {
-  saml,
   oidc,
   myinfo,
 }

package/lib/crypto/myinfo-signature.js

@@ -1,86 +1,5 @@
 const _ = require('lodash')
 
-const apex = function apex(authHeader, req, context = {}) {
-  const authHeaderFieldPairs = _(authHeader)
-    .replace(/"/g, '')
-    .replace(/apex_l2_eg_/g, '')
-    .split(',')
-    .map((v) => v.replace('=', '~').split('~'))
-
-  const authHeaderFields = _(authHeaderFieldPairs)
-    .fromPairs()
-    .mapKeys((v, k) => _.camelCase(k))
-    .value()
-
-  const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
-
-  const { clientSecret, redirectURI } = context
-
-  const {
-    method: httpMethod,
-    query: { attributes, singpassEserviceId },
-  } = req
-
-  const { code } = req.body || {}
-
-  const {
-    signature,
-    appId,
-    appId: clientId,
-    nonce,
-    timestamp,
-  } = authHeaderFields
-
-  const baseString = req.path.endsWith('/token')
-    ? httpMethod.toUpperCase() +
-      // url string replacement was dictated by MyInfo docs - no explanation
-      // was provided for why this is necessary
-      '&' +
-      url.replace('.api.gov.sg', '.e.api.gov.sg') +
-      '&apex_l2_eg_app_id=' +
-      appId +
-      '&apex_l2_eg_nonce=' +
-      nonce +
-      '&apex_l2_eg_signature_method=SHA256withRSA' +
-      '&apex_l2_eg_timestamp=' +
-      timestamp +
-      '&apex_l2_eg_version=1.0' +
-      '&client_id=' +
-      clientId +
-      '&client_secret=' +
-      clientSecret +
-      '&code=' +
-      code +
-      '&grant_type=authorization_code' +
-      '&redirect_uri=' +
-      redirectURI
-    : httpMethod.toUpperCase() +
-      // url string replacement was dictated by MyInfo docs - no explanation
-      // was provided for why this is necessary
-      '&' +
-      url.replace('.api.gov.sg', '.e.api.gov.sg') +
-      '&apex_l2_eg_app_id=' +
-      appId +
-      '&apex_l2_eg_nonce=' +
-      nonce +
-      '&apex_l2_eg_signature_method=SHA256withRSA' +
-      '&apex_l2_eg_timestamp=' +
-      timestamp +
-      '&apex_l2_eg_version=1.0' +
-      '&attributes=' +
-      attributes +
-      '&client_id=' +
-      clientId +
-      (req.path.includes('/person-basic')
-        ? '&singpassEserviceId=' + singpassEserviceId
-        : '')
-
-  return {
-    signature,
-    baseString,
-  }
-}
-
 const pki = function pki(authHeader, req, context = {}) {
   const authHeaderFieldPairs = _(authHeader)
     .replace(/"/g, '')
@@ -150,4 +69,4 @@ const pki = function pki(authHeader, req, context = {}) {
   }
 }
 
-module.exports = { pki, apex }
+module.exports = { pki }

package/lib/express/index.js

@@ -1,5 +1,4 @@
 module.exports = {
-  configSAML: require('./saml'),
   configOIDC: require('./oidc'),
   configMyInfo: require('./myinfo'),
   configSGID: require('./sgid'),

package/lib/express/myinfo/consent.js

@@ -9,7 +9,6 @@ const { v1: uuid } = require('uuid')
 
 const assertions = require('../../assertions')
 const { lookUpByAuthCode } = require('../../auth-code')
-const { lookUpBySamlArtifact } = require('../../saml-artifact')
 
 const MYINFO_ASSERT_ENDPOINT = '/consent/myinfo-com'
 const AUTHORIZE_ENDPOINT = '/consent/oauth2/authorize'
@@ -43,11 +42,6 @@ const authorize = (redirectTo) => (req, res) => {
   res.redirect(redirectTo(relayState))
 }
 
-const authorizeViaSAML = authorize(
-  (relayState) =>
-    `/singpass/logininitial?esrvcID=MYINFO-CONSENTPLATFORM&PartnerId=${MYINFO_ASSERT_ENDPOINT}&Target=${relayState}`,
-)
-
 const authorizeViaOIDC = authorize(
   (state) =>
     `/singpass/authorize?client_id=MYINFO-CONSENTPLATFORM&redirect_uri=${MYINFO_ASSERT_ENDPOINT}&state=${state}`,
@@ -59,14 +53,9 @@ function config(app) {
     const artifact = rawArtifact.replace(/ /g, '+')
     const state = req.query.RelayState || req.query.state
 
-    let profile, myinfoVersion
-    if (req.query.code) {
-      profile = lookUpByAuthCode(artifact).profile
-      myinfoVersion = 'v3'
-    } else {
-      profile = lookUpBySamlArtifact(artifact)
-      myinfoVersion = 'v2'
-    }
+    const profile = lookUpByAuthCode(artifact).profile
+    const myinfoVersion = 'v3'
+
     const { nric: id } = profile
 
     const persona = assertions.myinfo[myinfoVersion].personas[id]
@@ -147,7 +136,6 @@ function config(app) {
 }
 
 module.exports = {
-  authorizeViaSAML,
   authorizeViaOIDC,
   authorizations,
   config,

package/lib/express/myinfo/controllers.js

@@ -31,12 +31,9 @@ module.exports =
     }
 
     const encryptPersona = async (persona) => {
-      const signedPersona =
-        version === 'v3'
-          ? jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
-              algorithm: 'RS256',
-            })
-          : persona
+      const signedPersona = jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
+        algorithm: 'RS256',
+      })
       const serviceCertAsKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
       const encryptedAndSignedPersona = await jose.JWE.createEncrypt(
         { format: 'compact' },
@@ -126,10 +123,7 @@ module.exports =
       }
     })
 
-    app.get(
-      `/myinfo/${version}/authorise`,
-      version === 'v3' ? consent.authorizeViaOIDC : consent.authorizeViaSAML,
-    )
+    app.get(`/myinfo/${version}/authorise`, consent.authorizeViaOIDC)
 
     app.post(
       `/myinfo/${version}/token`,

package/lib/express/myinfo/index.js

@@ -1,10 +1,9 @@
 const { config: consent } = require('./consent')
 const controllers = require('./controllers')
 
-const { pki, apex } = require('../../crypto/myinfo-signature')
+const { pki } = require('../../crypto/myinfo-signature')
 
 module.exports = {
   consent,
-  v2: controllers('v2', apex),
   v3: controllers('v3', pki),
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "2.9.5",
+  "version": "3.0.0",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "index.js",
   "bin": {
@@ -44,13 +44,10 @@
     "express": "^4.16.3",
     "jsonwebtoken": "^8.4.0",
     "lodash": "^4.17.11",
-    "moment": "^2.24.0",
     "morgan": "^1.9.1",
     "mustache": "^4.2.0",
     "node-jose": "^2.0.0",
     "uuid": "^9.0.0",
-    "xml-crypto": "^3.0.0",
-    "xml-encryption": "^3.0.0",
     "xpath": "0.0.32"
   },
   "devDependencies": {

package/lib/crypto/index.js

@@ -1,61 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const { SignedXml } = require('xml-crypto')
-const { encrypt } = require('xml-encryption')
-const xpath = require('xpath')
-
-module.exports = (serviceProvider) => {
-  // NOTE - the typo in keyEncryptionAlgorighm is deliberate
-  const ENCRYPT_OPTIONS = {
-    rsa_pub: serviceProvider.pubKey,
-    pem: serviceProvider.cert,
-    encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
-    keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
-  }
-
-  return {
-    verifySignature(xml) {
-      const [signature] =
-        xpath.select("//*[local-name(.)='Signature']", xml) || []
-      const [artifactResolvePayload] =
-        xpath.select("//*[local-name(.)='ArtifactResolve']", xml) || []
-      const verifier = new SignedXml()
-      verifier.keyInfoProvider = { getKey: () => ENCRYPT_OPTIONS.pem }
-      verifier.loadSignature(signature.toString())
-      return verifier.checkSignature(artifactResolvePayload.toString())
-    },
-
-    sign(payload, reference) {
-      const sig = new SignedXml()
-      const transforms = [
-        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
-        'http://www.w3.org/2001/10/xml-exc-c14n#',
-      ]
-      const digestAlgorithm = 'http://www.w3.org/2001/04/xmlenc#sha256'
-      sig.addReference(reference, transforms, digestAlgorithm)
-
-      sig.signingKey = fs.readFileSync(
-        path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
-      )
-      sig.signatureAlgorithm =
-        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-      const options = {
-        prefix: 'ds',
-        location: { reference, action: 'prepend' },
-      }
-      sig.computeSignature(payload, options)
-      return sig.getSignedXml()
-    },
-
-    promiseToEncryptAssertion: (assertion) =>
-      new Promise((resolve, reject) => {
-        encrypt(assertion, ENCRYPT_OPTIONS, (err, data) =>
-          err
-            ? reject(err)
-            : resolve(
-                `<saml:EncryptedAssertion>${data}</saml:EncryptedAssertion>`,
-              ),
-        )
-      }),
-  }
-}

package/lib/express/saml.js

@@ -1,195 +0,0 @@
-const express = require('express')
-const fs = require('fs')
-const { render } = require('mustache')
-const path = require('path')
-const { DOMParser } = require('@xmldom/xmldom')
-const xpath = require('xpath')
-const moment = require('moment')
-
-const assertions = require('../assertions')
-const crypto = require('../crypto')
-const {
-  generateSamlArtifact,
-  lookUpBySamlArtifact,
-} = require('../saml-artifact')
-
-const domParser = new DOMParser()
-const dom = (xmlString) => domParser.parseFromString(xmlString)
-
-const TEMPLATE = fs.readFileSync(
-  path.resolve(__dirname, '../../static/saml/unsigned-response.xml'),
-  'utf8',
-)
-const LOGIN_TEMPLATE = fs.readFileSync(
-  path.resolve(__dirname, '../../static/html/login-page.html'),
-  'utf8',
-)
-
-const MYINFO_ASSERT_ENDPOINT = '/consent/myinfo-com'
-
-const buildAssertURL = (assertEndpoint, samlArt, relayState) => {
-  let assertURL = `${assertEndpoint}?SAMLart=${encodeURIComponent(samlArt)}`
-  if (relayState !== undefined) {
-    assertURL += `&RelayState=${encodeURIComponent(relayState)}`
-  }
-  return assertURL
-}
-
-const idGenerator = {
-  singPass: ({ nric }) =>
-    assertions.myinfo.v2.personas[nric] ? `${nric} [MyInfo]` : nric,
-  corpPass: ({ nric, uen }) => `${nric} / UEN: ${uen}`,
-}
-
-const customProfileFromHeaders = {
-  singPass: (req) => {
-    const customNricHeader = req.header('X-Custom-NRIC')
-    if (!customNricHeader) {
-      return false
-    }
-    return { nric: customNricHeader }
-  },
-  corpPass: (req) => {
-    const customNricHeader = req.header('X-Custom-NRIC')
-    const customUenHeader = req.header('X-Custom-UEN')
-    if (!customNricHeader || !customUenHeader) {
-      return false
-    }
-    return { nric: customNricHeader, uen: customUenHeader }
-  },
-}
-
-function config(
-  app,
-  { showLoginPage, serviceProvider, idpConfig, cryptoConfig },
-) {
-  const { verifySignature, sign, promiseToEncryptAssertion } =
-    crypto(serviceProvider)
-
-  for (const idp of ['singPass', 'corpPass']) {
-    const partnerId = idpConfig[idp].id
-    const partnerAssertEndpoint = idpConfig[idp].assertEndpoint
-
-    const profiles = assertions.saml[idp]
-    const defaultProfile =
-      profiles.find((p) => p.nric === process.env.MOCKPASS_NRIC) || profiles[0]
-
-    app.get(`/${idp.toLowerCase()}/logininitial`, (req, res) => {
-      const assertEndpoint =
-        req.query.esrvcID === 'MYINFO-CONSENTPLATFORM' && idp === 'singPass'
-          ? MYINFO_ASSERT_ENDPOINT
-          : partnerAssertEndpoint || req.query.PartnerId
-      const relayState = req.query.Target
-      if (showLoginPage(req)) {
-        const values = profiles.map((profile) => {
-          const samlArt = generateSamlArtifact(partnerId, profile)
-          const assertURL = buildAssertURL(assertEndpoint, samlArt, relayState)
-          const id = idGenerator[idp](profile)
-          return { id, assertURL }
-        })
-        const response = render(LOGIN_TEMPLATE, {
-          values,
-          customProfileConfig: {
-            endpoint: `/${idp.toLowerCase()}/logininitial/custom-profile`,
-            showUuid: false,
-            showUen: idp === 'corpPass',
-            assertEndpoint,
-            relayState,
-          },
-        })
-        res.send(response)
-      } else {
-        const profile = customProfileFromHeaders[idp](req) || defaultProfile
-        const samlArt = generateSamlArtifact(partnerId, profile)
-        const assertURL = buildAssertURL(assertEndpoint, samlArt, relayState)
-        console.warn(
-          `Redirecting login from ${req.query.PartnerId} to ${assertURL}`,
-        )
-        res.redirect(assertURL)
-      }
-    })
-
-    app.get(`/${idp.toLowerCase()}/logininitial/custom-profile`, (req, res) => {
-      const { nric, uen, assertEndpoint, relayState } = req.query
-
-      const profile = { nric }
-      if (idp === 'corpPass') {
-        profile.uen = uen
-      }
-
-      const samlArt = generateSamlArtifact(partnerId, profile)
-      const assertURL = buildAssertURL(assertEndpoint, samlArt, relayState)
-      res.redirect(assertURL)
-    })
-
-    app.post(
-      `/${idp.toLowerCase()}/soap`,
-      express.text({ type: 'text/xml' }),
-      (req, res) => {
-        // Extract the body of the SOAP request
-        const { body } = req
-        const xml = dom(body)
-
-        if (
-          cryptoConfig.resolveArtifactRequestSigned &&
-          !verifySignature(xml)
-        ) {
-          res.status(400).send('Request has bad signature')
-        } else {
-          // Grab the SAML artifact
-          // TODO: verify the SAML artifact is something we sent
-          // TODO: do something about the partner entity id
-          const samlArtifact = xpath.select(
-            "string(//*[local-name(.)='Artifact'])",
-            xml,
-          )
-          console.warn(`Received SAML Artifact ${samlArtifact}`)
-          // Handle encoded base64 Artifact
-          // Take the template and plug in the typical SingPass/CorpPass response
-          // Sign and encrypt the assertion
-          const profile = lookUpBySamlArtifact(samlArtifact)
-
-          const samlArtifactResolveId = xpath.select(
-            "string(//*[local-name(.)='ArtifactResolve']/@ID)",
-            xml,
-          )
-
-          let result = assertions.saml.create[idp](
-            profile,
-            partnerId,
-            partnerAssertEndpoint,
-            samlArtifactResolveId,
-          )
-
-          if (cryptoConfig.signAssertion) {
-            result = sign(result, "//*[local-name(.)='Assertion']")
-          }
-          const assertionPromise = cryptoConfig.encryptAssertion
-            ? promiseToEncryptAssertion(result)
-            : Promise.resolve(result)
-
-          assertionPromise.then((assertion) => {
-            let response = render(TEMPLATE, {
-              assertion,
-              issueInstant: moment.utc().format(),
-              issuer: partnerId,
-              destination: partnerAssertEndpoint,
-              inResponseTo: samlArtifactResolveId,
-            })
-            if (cryptoConfig.signResponse) {
-              response = sign(
-                sign(response, "//*[local-name(.)='Response']"),
-                "//*[local-name(.)='ArtifactResponse']",
-              )
-            }
-            res.send(response)
-          })
-        }
-      },
-    )
-  }
-
-  return app
-}
-
-module.exports = config

package/lib/saml-artifact.js

@@ -1,39 +0,0 @@
-const ExpiryMap = require('expiry-map')
-const crypto = require('crypto')
-
-const SAML_ARTIFACT_TIMEOUT = 5 * 60 * 1000
-const profileStore = new ExpiryMap(SAML_ARTIFACT_TIMEOUT)
-
-/**
- * Construct a SingPass/CorpPass SAML artifact, a base64
- * encoding of a byte sequence consisting of the following:
- *  - a two-byte type code, always 0x0004, per SAML 2.0;
- *  - a two-byte endpoint index, currently always 0x0000;
- *  - a 20-byte sha1 hash of the partner id, and;
- *  - a 20-byte random sequence that is effectively the message id
- * @param {string} partnerId - the partner id
- * @param {string} profile - the profile (identity) to store
- * @return {string} the SAML artifact, a base64 string
- * containing the type code, the endpoint index,
- * the hash of the partner id, followed by 20 random bytes;
- * this can be used to look up the stored profile (identity)
- */
-function generateSamlArtifact(partnerId, profile) {
-  const hashedPartnerId = crypto
-    .createHash('sha1')
-    .update(partnerId, 'utf8')
-    .digest('hex')
-  const randomBytes = crypto.randomBytes(20).toString('hex')
-  const samlArtifact = Buffer.from(
-    `00040000${hashedPartnerId}${randomBytes}`,
-    'hex',
-  ).toString('base64')
-  profileStore.set(samlArtifact, profile)
-  return samlArtifact
-}
-
-function lookUpBySamlArtifact(samlArtifact) {
-  return profileStore.get(samlArtifact)
-}
-
-module.exports = { generateSamlArtifact, lookUpBySamlArtifact }