Support Confidential SSO login (#243)

Confidential SSO makes use of secure enclaves and secure tunnel to send
data to them.
This PR aims to implement the different pieces to manage this flow.

Author: Corentin Mors

package.json

@@ -23,10 +23,10 @@
         "lint": "eslint src",
         "format": "prettier --write src && eslint --fix src",
         "start": "node dist/index.cjs",
-        "pkg:linux": "pkg . -t node18-linux-x64 -o bundle/dcli-linux -C GZip --public --public-packages tslib,thirty-two --no-bytecode",
-        "pkg:macos": "pkg . -t node18-macos-x64 -o bundle/dcli-macos -C GZip --public --public-packages tslib,thirty-two --no-bytecode",
-        "pkg:macos-arm": "pkg . -t node18-macos-arm64 -o bundle/dcli-macos-arm -C GZip --public --public-packages tslib,thirty-two --no-bytecode",
-        "pkg:win": "pkg . -t node18-win-x64 -o bundle/dcli-win.exe -C GZip --public --public-packages tslib,thirty-two --no-bytecode",
+        "pkg:linux": "pkg . -t node18-linux-x64 -o bundle/dcli-linux -C GZip --public --public-packages tslib,thirty-two,node-hkdf-sync,vows --no-bytecode",
+        "pkg:macos": "pkg . -t node18-macos-x64 -o bundle/dcli-macos -C GZip --public --public-packages tslib,thirty-two,node-hkdf-sync,vows --no-bytecode",
+        "pkg:macos-arm": "pkg . -t node18-macos-arm64 -o bundle/dcli-macos-arm -C GZip --public --public-packages tslib,thirty-two,node-hkdf-sync,vows --no-bytecode",
+        "pkg:win": "pkg . -t node18-win-x64 -o bundle/dcli-win.exe -C GZip --public --public-packages tslib,thirty-two,node-hkdf-sync,vows --no-bytecode",
         "pkg": "yarn run build && yarn run pkg:linux && yarn run pkg:macos && yarn run pkg:win",
         "version:bump": "ts-node src/bumpVersion.ts",
         "prepare": "husky",
@@ -40,6 +40,7 @@
     "contributors": [],
     "license": "Apache-2.0",
     "nativeDependencies": {
+        "@dashlane/nsm-attestation": "*",
         "better-sqlite3": "*",
         "@json2csv/plainjs": "*",
         "@json2csv/transforms": "*",
@@ -54,6 +55,7 @@
         "@types/better-sqlite3": "^7.6.10",
         "@types/chai": "^4.3.16",
         "@types/inquirer": "^9.0.7",
+        "@types/libsodium-wrappers": "^0",
         "@types/mocha": "^10.0.6",
         "@types/node": "^18.19.33",
         "@typescript-eslint/eslint-plugin": "^7.8.0",
@@ -71,17 +73,21 @@
         "typescript": "^5.4.5"
     },
     "dependencies": {
+        "@dashlane/nsm-attestation": "^1.0.1",
         "@json2csv/plainjs": "^7.0.6",
         "@json2csv/transforms": "^7.0.6",
         "@napi-rs/clipboard": "^1.1.2",
         "@napi-rs/keyring": "^1.1.6",
         "@node-rs/argon2": "^1.8.3",
+        "ajv": "^8.13.0",
+        "ajv-formats": "^3.0.1",
         "better-sqlite3": "^10.0.0",
         "commander": "^12.0.0",
         "got": "^14.2.1",
         "inquirer": "^9.2.21",
         "inquirer-search-list": "^1.2.6",
         "jsonpath-plus": "^9.0.0",
+        "libsodium-wrappers": "^0.7.13",
         "node-mac-auth": "^1.0.0",
         "otplib": "^12.0.1",
         "playwright-core": "^1.44.0",

src/modules/auth/confidential-sso/errors.ts

@@ -0,0 +1,5 @@
+export class SAMLResponseNotFound extends Error {
+    constructor() {
+        super('SAML Response not found');
+    }
+}

src/modules/auth/confidential-sso/index.ts

@@ -0,0 +1,67 @@
+import { chromium } from 'playwright-core';
+import { ConfirmLogin2Request, RequestLogin2Request } from './types';
+import { SAMLResponseNotFound } from './errors';
+import { apiConnect } from '../../tunnel-api-connect';
+import { performSSOVerification } from '../../../endpoints/performSSOVerification';
+
+interface ConfidentialSSOParams {
+    requestedLogin: string;
+}
+
+export const doConfidentialSSOVerification = async ({ requestedLogin }: ConfidentialSSOParams) => {
+    const api = await apiConnect({
+        isProduction: true,
+        enclavePcrList: [
+            [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
+            [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
+        ],
+    });
+    const requestLoginResponse = await api.sendSecureContent<RequestLogin2Request>({
+        ...api,
+        path: 'authentication/RequestLogin2',
+        payload: { login: requestedLogin },
+    });
+
+    const { idpAuthorizeUrl, spCallbackUrl, teamUuid, domainName } = requestLoginResponse;
+
+    const browser = await chromium.launch({ headless: false, channel: 'chrome' });
+    const context = await browser.newContext();
+    const page = await context.newPage();
+
+    await page.goto(idpAuthorizeUrl);
+
+    let samlResponseData;
+    const samlResponsePromise = new Promise((resolve) => {
+        page.on('request', (req) => {
+            const reqURL = req.url();
+            if (reqURL === spCallbackUrl) {
+                samlResponseData = req.postData();
+                if (browser) {
+                    void browser.close();
+                }
+                resolve(undefined);
+            }
+        });
+    });
+
+    await samlResponsePromise;
+
+    const samlResponse = new URLSearchParams(samlResponseData).get('SAMLResponse');
+
+    if (!samlResponse) {
+        throw new SAMLResponseNotFound();
+    }
+
+    const confirmLoginResponse = await api.sendSecureContent<ConfirmLogin2Request>({
+        ...api,
+        path: 'authentication/ConfirmLogin2',
+        payload: { teamUuid, domainName, samlResponse },
+    });
+
+    const ssoVerificationResult = await performSSOVerification({
+        login: requestedLogin,
+        ssoToken: confirmLoginResponse.ssoToken,
+    });
+
+    return { ...ssoVerificationResult, ssoSpKey: confirmLoginResponse.userServiceProviderKey };
+};

src/modules/auth/confidential-sso/types.ts

@@ -0,0 +1,37 @@
+export interface RequestLogin2Data {
+    login: string;
+}
+
+export interface RequestLogin2Output {
+    domainName: string;
+    idpAuthorizeUrl: string;
+    spCallbackUrl: string;
+    teamUuid: string;
+    validatedDomains: string[];
+}
+
+export interface RequestLogin2Request {
+    path: 'authentication/RequestLogin2';
+    input: RequestLogin2Data;
+    output: RequestLogin2Output;
+}
+
+export interface ConfirmLogin2Data {
+    teamUuid: string;
+    domainName: string;
+    samlResponse: string;
+}
+
+export interface ConfirmLogin2Output {
+    ssoToken: string;
+    userServiceProviderKey: string;
+    exists: boolean;
+    currentAuthenticationMethods: string[];
+    expectedAuthenticationMethods: string[];
+}
+
+export interface ConfirmLogin2Request {
+    path: 'authentication/ConfirmLogin2';
+    input: ConfirmLogin2Data;
+    output: ConfirmLogin2Output;
+}

src/modules/auth/registerDevice.ts

@@ -1,5 +1,6 @@
 import winston from 'winston';
 import { doSSOVerification } from './sso';
+import { doConfidentialSSOVerification } from './confidential-sso';
 import {
     completeDeviceRegistration,
     performDashlaneAuthenticatorVerification,
@@ -63,13 +64,15 @@ export const registerDevice = async (params: RegisterDevice) => {
         }));
     } else if (selectedVerificationMethod.type === 'sso') {
         if (selectedVerificationMethod.ssoInfo.isNitroProvider) {
-            throw new Error('Confidential SSO is currently not supported');
+            ({ authTicket, ssoSpKey } = await doConfidentialSSOVerification({
+                requestedLogin: login,
+            }));
+        } else {
+            ({ authTicket, ssoSpKey } = await doSSOVerification({
+                requestedLogin: login,
+                serviceProviderURL: selectedVerificationMethod.ssoInfo.serviceProviderUrl,
+            }));
         }
-
-        ({ authTicket, ssoSpKey } = await doSSOVerification({
-            requestedLogin: login,
-            serviceProviderURL: selectedVerificationMethod.ssoInfo.serviceProviderUrl,
-        }));
     } else {
         throw new Error('Auth verification method not supported: ' + selectedVerificationMethod.type);
     }

src/modules/tunnel-api-connect/apiconnect.ts

@@ -0,0 +1,47 @@
+import * as sodium from 'libsodium-wrappers';
+import { clientHello, terminateHello, SendSecureContentParams, sendSecureContent } from './steps';
+import { ApiConnectParams, ApiConnect, ApiData, ApiRequestsDefault } from './types';
+import { makeClientKeyPair, makeOrRefreshSession } from './utils';
+
+/** Type predicates
+ * https://www.typescriptlang.org/docs/handbook/2/narrowing.html#using-type-predicates
+ *
+ * From Partial<ApiData> to ApiData
+ */
+const hasFullApiData = (data: Partial<ApiData>): data is ApiData => {
+    if (data.clientHello && data.terminateHello) {
+        return true;
+    }
+    return false;
+};
+
+/** Return an object that can be used to send secure content through the tunnel
+ */
+export const apiConnect = async (apiParametersIn: ApiConnectParams): Promise<ApiConnect> => {
+    await sodium.ready;
+
+    const apiParameters = {
+        ...apiParametersIn,
+        ...{ clientKeyPair: apiParametersIn.clientKeyPair ?? makeClientKeyPair() },
+    };
+
+    const apiData: Partial<ApiData> = {};
+    const api: ApiConnect = {
+        apiData,
+        apiParameters,
+        clientHello: () => clientHello(apiParameters),
+        terminateHello: ({ attestation }: { attestation: Buffer }, apiData: Partial<ApiData>) =>
+            terminateHello({ ...apiParameters, attestation }, apiData),
+        makeOrRefreshSession,
+        sendSecureContent: async <R extends ApiRequestsDefault>(
+            params: Pick<SendSecureContentParams<R>, 'path' | 'payload'>
+        ) => {
+            await api.makeOrRefreshSession({ api, apiData });
+            if (!hasFullApiData(apiData)) {
+                throw new Error('ShouldNotHappen');
+            }
+            return sendSecureContent({ ...apiParameters, ...apiData.terminateHello, ...params }, apiData);
+        },
+    };
+    return api;
+};

src/modules/tunnel-api-connect/errors.ts

@@ -0,0 +1,30 @@
+export class HTTPError extends Error {
+    constructor(
+        readonly statusCode: number,
+        readonly message: string
+    ) {
+        super(`HTTP error: ${statusCode}`);
+    }
+}
+
+export class ApiError extends Error {
+    constructor(
+        readonly status: string,
+        readonly code: string,
+        readonly message: string
+    ) {
+        super(`Api error: ${code}`);
+    }
+}
+
+export class SecureTunnelNotInitialized extends Error {
+    constructor() {
+        super('Secure tunnel not initialized');
+    }
+}
+
+export class SendSecureContentDataDecryptionError extends Error {
+    constructor() {
+        super('Send secure content data decryption error');
+    }
+}

src/modules/tunnel-api-connect/index.ts

@@ -0,0 +1 @@
+export * from './apiconnect';

src/modules/tunnel-api-connect/steps/clientHello.ts

@@ -0,0 +1,32 @@
+import sodium from 'libsodium-wrappers';
+import type { ClientHelloParsedResponse, ClientHelloRequest, ClientHelloResponse } from './types';
+import { clientHelloResponseSchema } from './schemas';
+import type { ApiConnectInternalParams } from '../types';
+import { TypeCheck, TypeCheckError } from '../../typecheck';
+import { requestAppApi } from '../../../requestApi';
+
+export const clientHelloRequestSchemaValidator = new TypeCheck<ClientHelloResponse>(clientHelloResponseSchema);
+
+export const clientHello = async (params: ApiConnectInternalParams): Promise<ClientHelloParsedResponse> => {
+    const { clientKeyPair } = params;
+
+    const payload = {
+        clientPublicKey: sodium.to_hex(clientKeyPair.publicKey),
+    } satisfies ClientHelloRequest;
+
+    const response = await requestAppApi<ClientHelloResponse>({
+        path: `tunnel/ClientHello`,
+        payload,
+        isNitroEncryptionService: true,
+    });
+
+    const validated = clientHelloRequestSchemaValidator.validate(response);
+    if (validated instanceof TypeCheckError) {
+        throw validated;
+    }
+
+    return {
+        attestation: Buffer.from(validated.attestation, 'hex'),
+        tunnelUuid: validated.tunnelUuid,
+    };
+};

src/modules/tunnel-api-connect/steps/index.ts

@@ -0,0 +1,4 @@
+export * from './clientHello';
+export * from './sendSecureContent';
+export * from './terminateHello';
+export * from './types';

src/modules/tunnel-api-connect/steps/schemas.ts

@@ -0,0 +1,59 @@
+import { JSONSchema4 } from 'json-schema';
+
+/**
+ * https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html
+ * Attestation document specification
+ * - user_data = bytes .size (0..1024)
+ * To accommodate base64 encoding 1024 * 1.3 ~= 1332
+ */
+export const attestationUserDataSchema: JSONSchema4 = {
+    type: 'object',
+    description: 'User data from verifyAttestation',
+    properties: {
+        publicKey: {
+            type: 'string',
+            base64: true,
+            maxLength: 1500,
+            minLength: 4,
+        },
+        header: {
+            type: 'string',
+            base64: true,
+            maxLength: 1500,
+            minLength: 4,
+        },
+    },
+    required: ['publicKey', 'header'],
+    additionalProperties: false,
+};
+
+export const clientHelloResponseSchema: JSONSchema4 = {
+    type: 'object',
+    properties: {
+        attestation: {
+            type: 'string',
+            pattern: '^[A-Fa-f0-9]+$',
+            description: 'NSM enclave attestation in hexadecimal format',
+        },
+        tunnelUuid: {
+            type: 'string',
+            description: 'The UUID of the tunnel used for the cryptographic session',
+        },
+    },
+    required: ['attestation', 'tunnelUuid'],
+    additionalProperties: false,
+};
+
+export const secureContentBodyDataSchema: JSONSchema4 = {
+    type: 'object',
+    description: 'Send secure content data',
+    properties: {
+        encryptedData: {
+            type: 'string',
+            // TODO: Extends AJV with an `encoding` keyword to support base64 | hex
+            pattern: '^[A-Fa-f0-9]+$',
+        },
+    },
+    required: ['encryptedData'],
+    additionalProperties: false,
+};