Feature/iot 1201 simplified passport saml (#202)

* Update passport-saml

* feat: use info from public certificate

* refactor: update logout flow with notes for testing

* refactor: add logging to logout for test

* Fix CVE–2022–33171

* build(deps): bump typeorm to v0.3.6 for nestjs.

* deps(build): bump typeorm to v0.3.6

* fix: typeorm migrations

* fix: typeorm errors

* deps(build): bump @nestjs to v9.x

* Added all autofixes from npm audit 31/10/22

* User can now only be seen and edited by user admins of their own organization

* Awaiting users are now also sorted based on organization

* Added error message if trying to use email already in use.

* Simplified the public certificate off the Passport SAML

* User admin can now change email for KOMBIT users

* Updated @nestjs/cli to fix minimist dependency

* Minor fixes and added SSL to ORM Config CLI

* Fixed moment dependency issue

* Updated passport-saml in package-lock.json

Co-authored-by: Aram Al-Sabti <[email protected]>

Author: GufCab

ormconfig.js

@@ -8,7 +8,7 @@
     "scripts": {
         "prebuild": "rimraf dist",
         "build": "nest build",
-        "generate-migration": "npm run typeorm migration:generate -- -n",
+        "generate-migration": "npm run typeorm migration:generate -n",
         "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
         "prestart": "npm run run-migrations",
         "prestart:debug": "npm run run-migrations",
@@ -25,23 +25,24 @@
         "test:cov": "jest --coverage",
         "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
         "test:e2e": "jest --config ./jest-e2e.js --detectOpenHandles --colors",
-        "typeorm": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js --config ./ormconfig.js",
+        "typeorm": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js -d \"src/repositories/os2iot.repository.ts\"",
         "typeorm-e2e": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js --config ./ormconfig-e2e.json"
     },
     "dependencies": {
-        "@nestjs/common": "^7.6.1",
-        "@nestjs/config": "^0.6.1",
-        "@nestjs/core": "^7.6.1",
-        "@nestjs/jwt": "^7.2.0",
-        "@nestjs/passport": "^7.1.5",
-        "@nestjs/platform-express": "^7.6.1",
-        "@nestjs/schedule": "^0.4.1",
-        "@nestjs/swagger": "^4.8.2",
-        "@nestjs/typeorm": "^7.1.5",
+        "@nestjs/axios": "^0.1.0",
+        "@nestjs/common": "^9.1.2",
+        "@nestjs/config": "^2.2.0",
+        "@nestjs/core": "^9.1.2",
+        "@nestjs/jwt": "^9.0.0",
+        "@nestjs/passport": "^9.0.0",
+        "@nestjs/platform-express": "^9.1.2",
+        "@nestjs/schedule": "^2.1.0",
+        "@nestjs/swagger": "^6.1.2",
+        "@nestjs/typeorm": "^9.0.1",
         "@types/bcryptjs": "^2.4.2",
         "@types/geojson": "^7946.0.7",
         "@types/kafkajs": "^1.9.0",
-        "@types/passport-saml": "^1.1.2",
+        "@types/passport-saml": "^1.1.3",
         "@types/uuid": "^8.3.0",
         "@types/ws": "^8.5.3",
         "@types/xml2js": "^0.4.7",
@@ -56,50 +57,55 @@
         "kafkajs": "^1.15.0",
         "lodash": "^4.17.20",
         "mqtt": "^4.3.7",
-        "nestjs-pino": "^1.3.0",
         "njwt": "^1.0.0",
         "nodemailer": "^6.7.2",
-        "passport": "^0.4.1",
+        "passport": "^0.6.0",
         "passport-headerapikey": "^1.2.2",
         "passport-jwt": "^4.0.0",
         "passport-local": "^1.0.0",
-        "passport-saml": "^1.3.5",
+        "passport-saml": "^3.2.4",
         "pg": "^8.5.1",
         "protobufjs": "^6.11.3",
         "reflect-metadata": "^0.1.13",
         "rimraf": "^3.0.2",
-        "rxjs": "^6.6.3",
+        "rxjs": "^7.5.7",
         "swagger-ui-express": "^4.1.5",
-        "typeorm": "^0.2.34",
+        "typeorm": "^0.3.10",
         "uuid": "^8.3.2",
-        "vm2": "^3.9.9",
+        "vm2": "^3.9.11",
         "wait-for-expect": "^3.0.2"
     },
     "devDependencies": {
-        "@nestjs/cli": "^7.5.4",
-        "@nestjs/testing": "^7.6.1",
+        "@nestjs/cli": "^9.1.4",
+        "@nestjs/testing": "^9.1.2",
+        "@types/bcryptjs": "^2.4.2",
         "@types/bluebird": "^3.5.33",
         "@types/compression": "^1.7.0",
         "@types/cookie-parser": "^1.4.2",
         "@types/cron": "^1.7.2",
         "@types/express": "^4.17.9",
+        "@types/geojson": "^7946.0.7",
+        "@types/kafkajs": "^1.9.0",
         "@types/lodash": "^4.14.165",
         "@types/node": "^14.14.14",
         "@types/nodemailer": "^6.4.4",
         "@types/passport-jwt": "^3.0.3",
         "@types/passport-local": "^1.0.33",
+        "@types/passport-saml": "^1.1.2",
         "@types/supertest": "^2.0.10",
+        "@types/uuid": "^8.3.0",
         "@types/validator": "^13.7.1",
-        "@types/ws": "^8.5.2",
-        "@typescript-eslint/eslint-plugin": "^4.10.0",
-        "@typescript-eslint/parser": "^4.10.0",
-        "eslint": "^7.15.0",
+        "@types/ws": "^8.5.3",
+        "@types/xml2js": "^0.4.7",
+        "@typescript-eslint/eslint-plugin": "^5.38.1",
+        "@typescript-eslint/parser": "^5.38.1",
+        "eslint": "^8.24.0",
         "eslint-config-prettier": "^7.0.0",
         "jest": "26.6.3",
         "prettier": "^2.2.1",
         "supertest": "^6.0.1",
         "ts-jest": "^26.4.4",
-        "ts-node": "^9.1.1",
-        "typescript": "^3.9.7"
+        "ts-node": "^10.9.1",
+        "typescript": "^4.8.3"
     }
 }

package-lock.json

@@ -1,10 +1,10 @@
+import configuration from "@config/configuration";
+import { UserResponseDto } from "@dto/user-response.dto";
+import { ErrorCodes } from "@enum/error-codes.enum";
 import { Injectable, Logger } from "@nestjs/common";
 import { PassportStrategy } from "@nestjs/passport";
 import { AuthService } from "@services/user-management/auth.service";
 import { Profile, Strategy } from "passport-saml";
-import { UserResponseDto } from "@dto/user-response.dto";
-import configuration from "@config/configuration";
-import { ErrorCodes } from "@enum/error-codes.enum";
 
 @Injectable()
 export class KombitStrategy extends PassportStrategy(Strategy, "kombit") {
@@ -26,6 +26,7 @@ export class KombitStrategy extends PassportStrategy(Strategy, "kombit") {
             logoutUrl: configuration()["kombit"]["entryPoint"],
             entryPoint: configuration()["kombit"]["entryPoint"],
             identifierFormat: "",
+            cert: configuration()["kombit"]["certificatePublicKey"],
             privateCert: configuration()["kombit"]["certificatePrivateKey"],
             decryptionPvk: configuration()["kombit"]["certificatePrivateKey"],
             signatureAlgorithm: "sha256",

package-lock_BACKUP_772.json

@@ -23,7 +23,8 @@ export default (): any => {
         kombit: {
             entryPoint:
                 process.env.KOMBIT_ENTRYPOINT ||
-                "https://adgangsstyring.eksterntest-stoettesystemerne.dk/runtime/saml2/issue.idp",
+                "https://adgangsstyring.eksterntest-stoettesystemerne.dk/runtime/saml2/issue.idp",            
+            certificatePublicKey: process.env.KOMBIT_CERTIFICATEPUBLICKEY || "INSERT_KOMBIT_CERT", // Public certificate from Kombit Test server
             certificatePrivateKey: process.env.KOMBIT_CERTIFICATEPRIVATEKEY || null,
             roleUri:
                 process.env.KOMBIT_ROLE_NAME ||

package-lock_BASE_772.json

@@ -40,6 +40,7 @@ import { Request as expressRequest, Response } from "express";
 import { KombitStrategy } from "@auth/kombit.strategy";
 import { ErrorCodes } from "@enum/error-codes.enum";
 import { CustomExceptionFilter } from "@auth/custom-exception-filter";
+import { RequestWithUser, Profile } from "passport-saml/lib/passport-saml/types";
 import { isOrganizationPermission } from "@helpers/security-helper";
 
 @UseFilters(new CustomExceptionFilter())
@@ -99,8 +100,21 @@ export class AuthController {
     @UseGuards(JwtAuthGuard)
     @ApiOperation({ summary: "Initiates the SAML logout flow" })
     public async logout(@Req() req: expressRequest, @Res() res: Response): Promise<any> {
-        this.logger.debug("Get logout Logging out ...");
-        this.strategy.logout(req, (err: Error, url: string): void => {
+        this.logger.debug("Logging out ...");
+        const reqConverted: RequestWithUser = req as RequestWithUser;
+        // TODO: Not tested as KOMBIT isn't set up locally. Test on test environment
+        // Inspecting the source code (v3.2.1), we gather that
+        // - ID is unknown. Might be unused or required for @InResponseTo in saml.js
+        // - nameID is used. Corresponds to user.nameId in DB
+        // - nameIDFormat is used. Correspond to <NameIDFormat> in the public certificate
+        reqConverted.samlLogoutRequest = null; // Property must be set, but it is unused in the source code
+        // reqConverted.user.nameID = reqConverted.user.nameID;
+        reqConverted.user.nameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
+        // reqConverted.user = { reqCo };
+        // TODO: Remove after test
+        this.logger.debug(`KOMBIT logout request: ${JSON.stringify(req)}`)
+
+        this.strategy.logout(reqConverted, (err: Error, url: string): void => {
             req.logout();
             this.logger.debug("Inside callback");
             if (!err) {