@opengovsg/mockpass 2.9.5 → 3.0.1

package/README.md

@@ -18,22 +18,18 @@ A mock SingPass/CorpPass/MyInfo server for dev purposes
 Configure your application to point to the following endpoints:
 
 SingPass:
- - http://localhost:5156/singpass/logininitial - SAML login redirect with optional page
- - http://localhost:5156/singpass/soap - receives SAML artifact and returns assertion
  - http://localhost:5156/singpass/authorize - OIDC login redirect with optional page
  - http://localhost:5156/singpass/token - receives OIDC authorization code and returns id_token
 
 CorpPass:
- - http://localhost:5156/corppass/logininitial
- - http://localhost:5156/corppass/soap
  - http://localhost:5156/corppass/authorize - OIDC login redirect with optional page
  - http://localhost:5156/corppass/token - receives OIDC authorization code and returns id_token
 
 MyInfo:
- - http://localhost:5156/myinfo/{v2,v3}/person-basic (exclusive to government systems)
- - http://localhost:5156/myinfo/{v2,v3}/authorise
- - http://localhost:5156/myinfo/{v2,v3}/token
- - http://localhost:5156/myinfo/{v2,v3}/person
+ - http://localhost:5156/myinfo/v3/person-basic (exclusive to government systems)
+ - http://localhost:5156/myinfo/v3/authorise
+ - http://localhost:5156/myinfo/v3/token
+ - http://localhost:5156/myinfo/v3/person
 
 sgID:
  - http://localhost:5156/sgid/v1/oauth/authorize
@@ -49,11 +45,6 @@ Alternatively, provide the paths to your app cert as env vars
 ```
 $ npm install @opengovsg/mockpass
 
-# Some familiarity with SAML Artifact Binding is assumed
-# Optional: Configure where MockPass should send SAML artifact to, default endpoint will be `PartnerId` in request query parameter.
-$ export SINGPASS_ASSERT_ENDPOINT=http://localhost:5000/singpass/assert
-$ export CORPPASS_ASSERT_ENDPOINT=http://localhost:5000/corppass/assert
-
 # All values shown here are defaults
 $ export MOCKPASS_PORT=5156
 
@@ -69,7 +60,7 @@ $ export ENCRYPT_ASSERTION=false
 $ export SIGN_RESPONSE=false
 $ export RESOLVE_ARTIFACT_REQUEST_SIGNED=false
 
-# Encrypt payloads returned by /myinfo/*/{person, person-basic},
+# Encrypt payloads returned by /myinfo/v3/{person, person-basic},
 # equivalent to MyInfo Auth Level L2 (testing and production)
 $ export ENCRYPT_MYINFO=false
 
@@ -89,7 +80,7 @@ who then need to connect to the staging servers hosted by SingPass/CorpPass,
 which may not always be available (eg, down for maintenance, or no Internet).
 
 MockPass tries to solves this by providing an extremely lightweight implementation
-of a SAML 2.0 Identity Provider that returns mock SingPass and CorpPass assertions.
+of an OIDC Provider that returns mock SingPass and CorpPass assertions.
 It optionally provides a mock login page that (badly) mimics the SingPass/CorpPass
 login experience.
 

package/index.js

@@ -5,25 +5,10 @@ const morgan = require('morgan')
 const path = require('path')
 require('dotenv').config()
 
-const {
-  configSAML,
-  configOIDC,
-  configMyInfo,
-  configSGID,
-} = require('./lib/express')
+const { configOIDC, configMyInfo, configSGID } = require('./lib/express')
 
 const PORT = process.env.MOCKPASS_PORT || process.env.PORT || 5156
 
-if (
-  !process.env.SINGPASS_ASSERT_ENDPOINT &&
-  !process.env.CORPPASS_ASSERT_ENDPOINT
-) {
-  console.warn(
-    'SINGPASS_ASSERT_ENDPOINT or CORPPASS_ASSERT_ENDPOINT is not set. ' +
-      'Value of `PartnerId` request query parameter in redirect URL will be used.',
-  )
-}
-
 const serviceProvider = {
   cert: fs.readFileSync(
     path.resolve(
@@ -49,18 +34,6 @@ const cryptoConfig = {
 
 const options = {
   serviceProvider,
-  idpConfig: {
-    singPass: {
-      id:
-        process.env.SINGPASS_IDP_ID || 'http://localhost:5156/singpass/saml20',
-      assertEndpoint: process.env.SINGPASS_ASSERT_ENDPOINT,
-    },
-    corpPass: {
-      id:
-        process.env.CORPPASS_IDP_ID || 'http://localhost:5156/corppass/saml20',
-      assertEndpoint: process.env.CORPPASS_ASSERT_ENDPOINT,
-    },
-  },
   showLoginPage: (req) =>
     (req.header('X-Show-Login-Page') || process.env.SHOW_LOGIN_PAGE) === 'true',
   encryptMyInfo: process.env.ENCRYPT_MYINFO === 'true',
@@ -70,12 +43,10 @@ const options = {
 const app = express()
 app.use(morgan('combined'))
 
-configSAML(app, options)
 configOIDC(app, options)
 configSGID(app, options)
 
 configMyInfo.consent(app)
-configMyInfo.v2(app, options)
 configMyInfo.v3(app, options)
 
 app.enable('trust proxy')

package/lib/assertions.js

@@ -1,20 +1,10 @@
-const base64 = require('base-64')
 const crypto = require('crypto')
 const fs = require('fs')
-const { render } = require('mustache')
-const moment = require('moment')
 const jose = require('node-jose')
 const path = require('path')
 
 const readFrom = (p) => fs.readFileSync(path.resolve(__dirname, p), 'utf8')
 
-const TEMPLATE = readFrom('../static/saml/unsigned-assertion.xml')
-const corpPassTemplate = readFrom('../static/saml/corppass.xml')
-
-const defaultAudience =
-  process.env.SERVICE_PROVIDER_ENTITY_ID ||
-  'http://sp.example.com/demo1/metadata.php'
-
 const signingPem = fs.readFileSync(
   path.resolve(__dirname, '../static/certs/spcp-key.pem'),
 )
@@ -34,95 +24,9 @@ const hashToken = (token) => {
 }
 
 const myinfo = {
-  v2: JSON.parse(readFrom('../static/myinfo/v2.json')),
   v3: JSON.parse(readFrom('../static/myinfo/v3.json')),
 }
 
-const saml = {
-  singPass: [
-    { nric: 'S8979373D' },
-    { nric: 'S8116474F' },
-    { nric: 'S8723211E' },
-    { nric: 'S5062854Z' },
-    { nric: 'T0066846F' },
-    { nric: 'F9477325W' },
-    { nric: 'S3000024B' },
-    { nric: 'S6005040F' },
-    { nric: 'S6005041D' },
-    { nric: 'S6005042B' },
-    { nric: 'S6005043J' },
-    { nric: 'S6005044I' },
-    { nric: 'S6005045G' },
-    { nric: 'S6005046E' },
-    { nric: 'S6005047C' },
-    { nric: 'S6005064C' },
-    { nric: 'S6005065A' },
-    { nric: 'S6005066Z' },
-    { nric: 'S6005037F' },
-    { nric: 'S6005038D' },
-    { nric: 'S6005039B' },
-    { nric: 'G1612357P' },
-    { nric: 'G1612358M' },
-    { nric: 'F1612359P' },
-    { nric: 'F1612360U' },
-    { nric: 'F1612361R' },
-    { nric: 'F1612362P' },
-    { nric: 'F1612363M' },
-    { nric: 'F1612364K' },
-    { nric: 'F1612365W' },
-    { nric: 'F1612366T' },
-    { nric: 'F1612367Q' },
-    { nric: 'F1612358R' },
-    { nric: 'F1612354N' },
-    { nric: 'F1612357U' },
-    ...Object.keys(myinfo.v2.personas).map((nric) => ({ nric })),
-  ],
-  corpPass: [
-    { nric: 'S8979373D', uen: '123456789A' },
-    { nric: 'S8116474F', uen: '123456789A' },
-    { nric: 'S8723211E', uen: '123456789A' },
-    { nric: 'S5062854Z', uen: '123456789B' },
-    { nric: 'T0066846F', uen: '123456789B' },
-    { nric: 'F9477325W', uen: '123456789B' },
-    { nric: 'S3000024B', uen: '123456789C' },
-    { nric: 'S6005040F', uen: '123456789C' },
-  ],
-  create: {
-    singPass: (
-      { nric },
-      issuer,
-      recipient,
-      inResponseTo,
-      audience = defaultAudience,
-    ) =>
-      render(TEMPLATE, {
-        name: 'UserName',
-        value: nric,
-        issueInstant: moment.utc().format(),
-        recipient,
-        issuer,
-        inResponseTo,
-        audience,
-      }),
-    corpPass: (
-      { nric, uen },
-      issuer,
-      recipient,
-      inResponseTo,
-      audience = defaultAudience,
-    ) =>
-      render(TEMPLATE, {
-        issueInstant: moment.utc().format(),
-        name: uen,
-        value: base64.encode(render(corpPassTemplate, { nric, uen })),
-        recipient,
-        issuer,
-        inResponseTo,
-        audience,
-      }),
-  },
-}
-
 const oidc = {
   singPass: [
     { nric: 'S8979373D', uuid: 'a9865837-7bd7-46ac-bef4-42a76a946424' },
@@ -321,7 +225,6 @@ const oidc = {
 }
 
 module.exports = {
-  saml,
   oidc,
   myinfo,
 }

package/lib/crypto/myinfo-signature.js

@@ -1,86 +1,5 @@
 const _ = require('lodash')
 
-const apex = function apex(authHeader, req, context = {}) {
-  const authHeaderFieldPairs = _(authHeader)
-    .replace(/"/g, '')
-    .replace(/apex_l2_eg_/g, '')
-    .split(',')
-    .map((v) => v.replace('=', '~').split('~'))
-
-  const authHeaderFields = _(authHeaderFieldPairs)
-    .fromPairs()
-    .mapKeys((v, k) => _.camelCase(k))
-    .value()
-
-  const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
-
-  const { clientSecret, redirectURI } = context
-
-  const {
-    method: httpMethod,
-    query: { attributes, singpassEserviceId },
-  } = req
-
-  const { code } = req.body || {}
-
-  const {
-    signature,
-    appId,
-    appId: clientId,
-    nonce,
-    timestamp,
-  } = authHeaderFields
-
-  const baseString = req.path.endsWith('/token')
-    ? httpMethod.toUpperCase() +
-      // url string replacement was dictated by MyInfo docs - no explanation
-      // was provided for why this is necessary
-      '&' +
-      url.replace('.api.gov.sg', '.e.api.gov.sg') +
-      '&apex_l2_eg_app_id=' +
-      appId +
-      '&apex_l2_eg_nonce=' +
-      nonce +
-      '&apex_l2_eg_signature_method=SHA256withRSA' +
-      '&apex_l2_eg_timestamp=' +
-      timestamp +
-      '&apex_l2_eg_version=1.0' +
-      '&client_id=' +
-      clientId +
-      '&client_secret=' +
-      clientSecret +
-      '&code=' +
-      code +
-      '&grant_type=authorization_code' +
-      '&redirect_uri=' +
-      redirectURI
-    : httpMethod.toUpperCase() +
-      // url string replacement was dictated by MyInfo docs - no explanation
-      // was provided for why this is necessary
-      '&' +
-      url.replace('.api.gov.sg', '.e.api.gov.sg') +
-      '&apex_l2_eg_app_id=' +
-      appId +
-      '&apex_l2_eg_nonce=' +
-      nonce +
-      '&apex_l2_eg_signature_method=SHA256withRSA' +
-      '&apex_l2_eg_timestamp=' +
-      timestamp +
-      '&apex_l2_eg_version=1.0' +
-      '&attributes=' +
-      attributes +
-      '&client_id=' +
-      clientId +
-      (req.path.includes('/person-basic')
-        ? '&singpassEserviceId=' + singpassEserviceId
-        : '')
-
-  return {
-    signature,
-    baseString,
-  }
-}
-
 const pki = function pki(authHeader, req, context = {}) {
   const authHeaderFieldPairs = _(authHeader)
     .replace(/"/g, '')
@@ -150,4 +69,4 @@ const pki = function pki(authHeader, req, context = {}) {
   }
 }
 
-module.exports = { pki, apex }
+module.exports = { pki }

package/lib/express/index.js

@@ -1,5 +1,4 @@
 module.exports = {
-  configSAML: require('./saml'),
   configOIDC: require('./oidc'),
   configMyInfo: require('./myinfo'),
   configSGID: require('./sgid'),

package/lib/express/myinfo/consent.js

@@ -9,7 +9,6 @@ const { v1: uuid } = require('uuid')
 
 const assertions = require('../../assertions')
 const { lookUpByAuthCode } = require('../../auth-code')
-const { lookUpBySamlArtifact } = require('../../saml-artifact')
 
 const MYINFO_ASSERT_ENDPOINT = '/consent/myinfo-com'
 const AUTHORIZE_ENDPOINT = '/consent/oauth2/authorize'
@@ -43,11 +42,6 @@ const authorize = (redirectTo) => (req, res) => {
   res.redirect(redirectTo(relayState))
 }
 
-const authorizeViaSAML = authorize(
-  (relayState) =>
-    `/singpass/logininitial?esrvcID=MYINFO-CONSENTPLATFORM&PartnerId=${MYINFO_ASSERT_ENDPOINT}&Target=${relayState}`,
-)
-
 const authorizeViaOIDC = authorize(
   (state) =>
     `/singpass/authorize?client_id=MYINFO-CONSENTPLATFORM&redirect_uri=${MYINFO_ASSERT_ENDPOINT}&state=${state}`,
@@ -59,14 +53,9 @@ function config(app) {
     const artifact = rawArtifact.replace(/ /g, '+')
     const state = req.query.RelayState || req.query.state
 
-    let profile, myinfoVersion
-    if (req.query.code) {
-      profile = lookUpByAuthCode(artifact).profile
-      myinfoVersion = 'v3'
-    } else {
-      profile = lookUpBySamlArtifact(artifact)
-      myinfoVersion = 'v2'
-    }
+    const profile = lookUpByAuthCode(artifact).profile
+    const myinfoVersion = 'v3'
+
     const { nric: id } = profile
 
     const persona = assertions.myinfo[myinfoVersion].personas[id]
@@ -147,7 +136,6 @@ function config(app) {
 }
 
 module.exports = {
-  authorizeViaSAML,
   authorizeViaOIDC,
   authorizations,
   config,

package/lib/express/myinfo/controllers.js

@@ -31,12 +31,9 @@ module.exports =
     }
 
     const encryptPersona = async (persona) => {
-      const signedPersona =
-        version === 'v3'
-          ? jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
-              algorithm: 'RS256',
-            })
-          : persona
+      const signedPersona = jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
+        algorithm: 'RS256',
+      })
       const serviceCertAsKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
       const encryptedAndSignedPersona = await jose.JWE.createEncrypt(
         { format: 'compact' },
@@ -126,10 +123,7 @@ module.exports =
       }
     })
 
-    app.get(
-      `/myinfo/${version}/authorise`,
-      version === 'v3' ? consent.authorizeViaOIDC : consent.authorizeViaSAML,
-    )
+    app.get(`/myinfo/${version}/authorise`, consent.authorizeViaOIDC)
 
     app.post(
       `/myinfo/${version}/token`,

package/lib/express/myinfo/index.js

@@ -1,10 +1,9 @@
 const { config: consent } = require('./consent')
 const controllers = require('./controllers')
 
-const { pki, apex } = require('../../crypto/myinfo-signature')
+const { pki } = require('../../crypto/myinfo-signature')
 
 module.exports = {
   consent,
-  v2: controllers('v2', apex),
   v3: controllers('v3', pki),
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "2.9.5",
+  "version": "3.0.1",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "index.js",
   "bin": {
@@ -44,13 +44,10 @@
     "express": "^4.16.3",
     "jsonwebtoken": "^8.4.0",
     "lodash": "^4.17.11",
-    "moment": "^2.24.0",
     "morgan": "^1.9.1",
     "mustache": "^4.2.0",
     "node-jose": "^2.0.0",
     "uuid": "^9.0.0",
-    "xml-crypto": "^3.0.0",
-    "xml-encryption": "^3.0.0",
     "xpath": "0.0.32"
   },
   "devDependencies": {

package/lib/crypto/index.js

@@ -1,61 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const { SignedXml } = require('xml-crypto')
-const { encrypt } = require('xml-encryption')
-const xpath = require('xpath')
-
-module.exports = (serviceProvider) => {
-  // NOTE - the typo in keyEncryptionAlgorighm is deliberate
-  const ENCRYPT_OPTIONS = {
-    rsa_pub: serviceProvider.pubKey,
-    pem: serviceProvider.cert,
-    encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
-    keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
-  }
-
-  return {
-    verifySignature(xml) {
-      const [signature] =
-        xpath.select("//*[local-name(.)='Signature']", xml) || []
-      const [artifactResolvePayload] =
-        xpath.select("//*[local-name(.)='ArtifactResolve']", xml) || []
-      const verifier = new SignedXml()
-      verifier.keyInfoProvider = { getKey: () => ENCRYPT_OPTIONS.pem }
-      verifier.loadSignature(signature.toString())
-      return verifier.checkSignature(artifactResolvePayload.toString())
-    },
-
-    sign(payload, reference) {
-      const sig = new SignedXml()
-      const transforms = [
-        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
-        'http://www.w3.org/2001/10/xml-exc-c14n#',
-      ]
-      const digestAlgorithm = 'http://www.w3.org/2001/04/xmlenc#sha256'
-      sig.addReference(reference, transforms, digestAlgorithm)
-
-      sig.signingKey = fs.readFileSync(
-        path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
-      )
-      sig.signatureAlgorithm =
-        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
-      const options = {
-        prefix: 'ds',
-        location: { reference, action: 'prepend' },
-      }
-      sig.computeSignature(payload, options)
-      return sig.getSignedXml()
-    },
-
-    promiseToEncryptAssertion: (assertion) =>
-      new Promise((resolve, reject) => {
-        encrypt(assertion, ENCRYPT_OPTIONS, (err, data) =>
-          err
-            ? reject(err)
-            : resolve(
-                `<saml:EncryptedAssertion>${data}</saml:EncryptedAssertion>`,
-              ),
-        )
-      }),
-  }
-}