Add BU specific config

Author: ROODAY

.env.example

@@ -0,0 +1,7 @@
+ENTRY_POINT=https://shib-test.bu.edu/idp/profile/SAML2/Redirect/SSO
+CALLBACK_URL=https://app.bostonhacks.io/login/callback
+ISSUER=https://app.bostonhacks.io/shibboleth
+SESSION_SECRET=secret
+SHIBBOLETH_CERT='XXXXXXXXXXXXXXXX'
+SHIBBOLETH_KEY='XXXXXXXXXXXXXXXX'
+SHIBBOLETH_IDP_CERT='XXXXXXXXXXXXXXXX'

.env.sample

@@ -2,4 +2,4 @@
 cert/*
 node_modules/*
 npm-debug.log
-
+yarn-error.log

.gitignore

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015 RIT Student Government
+Copyright (c) 2020 BostonHacks
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

LICENSE

@@ -1,37 +1,36 @@
-# passport-saml-example
+# BU SSO Example
 
-This node.js web application demonstrates SSO authentication provided by RIT's Shibboleth Server (https://shibboleth.main.ad.rit.edu/), using the `passport-saml` package.
+This Node.js web application demonstrates SSO authentication provided by BU's Shibboleth Server using the `passport-saml` package.
 
 Config
 ======
-
-This app requires 3 files to be placed in a folder named `cert` located in the project's root directory. These files include (1) the certificate  of the Identity Provider (IdP). In this case, RIT's Shibboleth Server is the IdP. As a Service Provider (SP), you need to generate your own (2) certificate and (3) private key. These files are named as follows:
+In order to use Shibboleth authentication, your application requires a certificate/private key pair, as well as BU's Shibboleth Identity Provider (IdP) Certificate. The files should be named as such:
 
 - `cert.pem`: SP's certificate (Generated by you)
-- `cert_idp.pem`: IdP's certificate (RIT's is contained in https://shibboleth.main.ad.rit.edu/rit-metadata.xml)
 - `key.pem`: SP's private key (Generated by you)
+- `cert_idp.pem`: IdP's certificate (BU's is contained in https://shib-test.bu.edu/idp/shibboleth)
+
+Alternatively, instead of storing the certificates in files, they can be stored as environment variables. Simply collapse the contents of each file into one line, inserting `\n` for line breaks, and then store them in your `.env` file. This can be useful when running your application on a service like Heroku and you want to minimize the number/size of files uploaded, or you are not allowed to upload extra files, etc.
 
 Creating Private Key and Certificates
 =====================================
-
-Generate the SP files with the following command:
+Generate your certificate/private key files with the following command:
 - `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 900`
 
-The IdP Certificate is contained within the `ds:X509Certificate` tag.
+The [IdP Certificate](https://shib-test.bu.edu/idp/shibboleth) is contained within the `ds:X509Certificate` tag.
 - Copy the tag's contents into a file named `cert_idp.pem`.
 
-Next, copy `.env.sample` to `.env` and edit appropriately. Running this app locally will likely not work since the IdP can't redirect to `localhost`.
+Next, copy `.env.example` to `.env` and edit appropriately. Running this app locally will likely not work since the IdP can't redirect to `localhost`.
 
 Registering the Service Provider
 ================================
-
-Contact ITS to register your Service Provider. During this step, the IdP Administrator downloads the metadata from the `/Shibboleth.sso/Metadata` endpoint and loads it into the IdP.
+Fill out BU's [Service Provider Checklist](https://www.bu.edu/tech/services/security/iam/authentication/shibboleth/service-provider-checklist/) form to register your application (for the "Service Provider Metadata" textbox, go to your app's `/shibboleth/metadata` route and copy the entire XML content into the textbox). After a few days, it will be processed and your authentication setup will be live!
 
 Usage
 =====
-
 ```
-npm install
-node app.js
+yarn install
+yarn start
 ```
 
+Shoutout to Dharmesh Tarapore's [BU Shibboleth guide](https://cs-people.bu.edu/dharmesh/teaching/shibboleth/) for Apache, it was very useful in figuring out the BU specific configuration for `passport-saml`. Another shoutout to the [RIT Student Goverment](https://github.com/ritstudentgovernment), who's repo we forked.

README.md

@@ -1,14 +1,13 @@
-var http = require('http');
-var fs = require('fs');
-var express = require("express");
-var dotenv = require('dotenv');
-var bodyParser = require('body-parser');
-var cookieParser = require('cookie-parser');
-var session = require('express-session');
-var passport = require('passport');
-var saml = require('passport-saml');
-
-dotenv.load();
+const fs = require('fs');
+const express = require("express");
+const dotenv = require('dotenv');
+const bodyParser = require('body-parser');
+const cookieParser = require('cookie-parser');
+const session = require('express-session');
+const passport = require('passport');
+const SamlStrategy = require('passport-saml').Strategy;
+
+dotenv.config();
 
 passport.serializeUser(function(user, done) {
   done(null, user);
@@ -18,37 +17,51 @@ passport.deserializeUser(function(user, done) {
   done(null, user);
 });
 
-var samlStrategy = new saml.Strategy({
+const SamlOptions = {
   // URL that goes from the Identity Provider -> Service Provider
   callbackUrl: process.env.CALLBACK_URL,
   // URL that goes from the Service Provider -> Identity Provider
   entryPoint: process.env.ENTRY_POINT,
   // Usually specified as `/shibboleth` from site root
   issuer: process.env.ISSUER,
   identifierFormat: null,
-  // Service Provider private key
-  decryptionPvk: fs.readFileSync(__dirname + '/cert/key.pem', 'utf8'),
-  // Service Provider Certificate
-  privateCert: fs.readFileSync(__dirname + '/cert/key.pem', 'utf8'),
-  // Identity Provider's public key
-  cert: fs.readFileSync(__dirname + '/cert/idp_cert.pem', 'utf8'),
   validateInResponseTo: false,
   disableRequestedAuthnContext: true
-}, function(profile, done) {
-  return done(null, profile); 
-});
+}
+
+// Service Provider private key
+if (process.env.SHIBBOLETH_KEY) {
+  SamlOptions.decryptionPvk = JSON.parse(`"${process.env.SHIBBOLETH_KEY}"`);
+  SamlOptions.privateCert = JSON.parse(`"${process.env.SHIBBOLETH_KEY}"`);
+} else {
+  SamlOptions.decryptionPvk = fs.readFileSync(__dirname + '/cert/key.pem', 'utf8');
+  SamlOptions.privateCert = fs.readFileSync(__dirname + '/cert/key.pem', 'utf8');
+}
+
+// Identity Provider's public key
+if (process.env.SHIBBOLETH_IDP_CERT) {
+  SamlOptions.cert = JSON.parse(`"${process.env.SHIBBOLETH_IDP_CERT}"`);
+} else {
+  SamlOptions.cert = fs.readFileSync(__dirname + '/cert/cert_idp.pem', 'utf8');
+}
 
+const samlStrategy = new SamlStrategy(SamlOptions, (profile, done) => done(null, profile));
 passport.use(samlStrategy);
 
-var app = express();
+const app = express();
 
 app.use(cookieParser());
-app.use(bodyParser());
-app.use(session({secret: process.env.SESSION_SECRET}));
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: true }));
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  resave: true,
+  saveUninitialized: true
+}));
 app.use(passport.initialize());
 app.use(passport.session());
 
-function ensureAuthenticated(req, res, next) {
+const ensureAuthenticated = (req, res, next) => {
   if (req.isAuthenticated())
     return next();
   else
@@ -57,45 +70,41 @@ function ensureAuthenticated(req, res, next) {
 
 app.get('/',
   ensureAuthenticated, 
-  function(req, res) {
-    res.send('Authenticated');
-  }
+  (req, res) => res.send('Authenticated')
 );
 
 app.get('/login',
   passport.authenticate('saml', { failureRedirect: '/login/fail' }),
-  function (req, res) {
-    res.redirect('/');
-  }
+  (req, res) => res.redirect('/')
 );
 
 app.post('/login/callback',
    passport.authenticate('saml', { failureRedirect: '/login/fail' }),
-  function(req, res) {
-    res.redirect('/');
-  }
+  (req, res) => res.redirect('/')
 );
 
 app.get('/login/fail', 
-  function(req, res) {
-    res.status(401).send('Login failed');
-  }
+  (req, res) => res.status(401).send('Login failed')
 );
 
-app.get('/Shibboleth.sso/Metadata', 
-  function(req, res) {
+app.get('/shibboleth/metadata',
+  (req, res) => {
     res.type('application/xml');
-    res.status(200).send(samlStrategy.generateServiceProviderMetadata(fs.readFileSync(__dirname + '/cert/cert.pem', 'utf8')));
+    let cert = null;
+    if (process.env.SHIBBOLETH_CERT) {
+      cert = JSON.parse(`"${process.env.SHIBBOLETH_CERT}"`);
+    } else {
+      cert = fs.readFileSync(__dirname + '/cert/cert.pem', 'utf8');
+    }
+    res.status(200).send(samlStrategy.generateServiceProviderMetadata(cert, cert));
   }
 );
 
 //general error handler
 app.use(function(err, req, res, next) {
-  console.log("Fatal error: " + JSON.stringify(err));
+  console.error("Fatal error: " + JSON.stringify(err));
   next(err);
 });
 
-var server = app.listen(4006, function () {
-  console.log('Listening on port %d', server.address().port)
-});
-
+const serverPort = process.env.PORT || 3030;
+const server = app.listen(serverPort, () => console.log(`Listening on port ${serverPort}`));

app.js

@@ -1,14 +1,16 @@
 {
-  "name": "passport-saml-rit-example",
-  "version": "0.0.0",
-  "description": "An example web app that connects to RIT's SSO Shibboleth Identity Provider.", 
+  "name": "passport-saml-bu-example",
+  "version": "1.0.0",
+  "description": "An example web app that connects to BU's SSO Shibboleth Identity Provider.",
   "dependencies": {
-    "body-parser": "1.11.0",
-    "cookie-parser": "1.3.3",
-    "dotenv": "0.5.1",
-    "express": "4.11.2",
-    "express-session": "1.10.2",
-    "passport": "0.2.1",
-    "passport-saml": "0.9.0"
+    "cookie-parser": "^1.4.4",
+    "dotenv": "^8.2.0",
+    "express": "^4.17.1",
+    "express-session": "^1.17.0",
+    "passport": "^0.4.1",
+    "passport-saml": "^1.3.3"
+  },
+  "scripts": {
+    "start": "node app.js"
   }
 }