@tachybase/plugin-auth-saml 0.23.8

package/dist/node_modules/@node-saml/node-saml/lib/inmemory-cache-provider.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Simple in memory cache provider.  To be used to store state of requests that needs
+ * to be validated/checked when a response is received.
+ *
+ * This is the default implementation of a cache provider used by Node SAML.  For
+ * multiple server instances/load balanced scenarios (I.e. the SAML request could have
+ * been generated from a different server/process handling the SAML response) this
+ * implementation will NOT be sufficient.
+ *
+ * The caller should provide their own implementation for a cache provider as defined
+ * in the config options.
+ */
+import { CacheItem, CacheProvider } from "./types";
+interface CacheProviderOptions {
+    keyExpirationPeriodMs: number;
+}
+export declare class InMemoryCacheProvider implements CacheProvider {
+    private cacheKeys;
+    private options;
+    private lastPrune;
+    private prune;
+    private removeKeyIfExpired;
+    constructor(options: Partial<CacheProviderOptions>);
+    /**
+     * Store an item in the cache, using the specified key and value.
+     * Internally will keep track of the time the item was added to the cache
+     */
+    saveAsync(key: string, value: string): Promise<CacheItem | null>;
+    /**
+     * Returns the value of the specified key in the cache
+     */
+    getAsync(key: string): Promise<string | null>;
+    /**
+     * Removes an item from the cache if it exists
+     */
+    removeAsync(key: string | null): Promise<string | null>;
+}
+export {};

package/dist/node_modules/@node-saml/node-saml/lib/inmemory-cache-provider.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * Simple in memory cache provider.  To be used to store state of requests that needs
+ * to be validated/checked when a response is received.
+ *
+ * This is the default implementation of a cache provider used by Node SAML.  For
+ * multiple server instances/load balanced scenarios (I.e. the SAML request could have
+ * been generated from a different server/process handling the SAML response) this
+ * implementation will NOT be sufficient.
+ *
+ * The caller should provide their own implementation for a cache provider as defined
+ * in the config options.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryCacheProvider = void 0;
+class InMemoryCacheProvider {
+    constructor(options) {
+        var _a;
+        this.lastPrune = 0;
+        this.cacheKeys = {};
+        this.options = {
+            ...options,
+            keyExpirationPeriodMs: (_a = options.keyExpirationPeriodMs) !== null && _a !== void 0 ? _a : 28800000, // 8 hours,
+        };
+        // Remove expired cache keys
+        this.prune = () => {
+            const nowMs = new Date().getTime();
+            // Don't call this function more than is needed in high-load environments
+            if (nowMs > this.lastPrune + this.options.keyExpirationPeriodMs) {
+                const keys = Object.keys(this.cacheKeys);
+                const keysToRemove = [];
+                keys.forEach((key) => {
+                    if (nowMs >= this.cacheKeys[key].createdAt + this.options.keyExpirationPeriodMs) {
+                        keysToRemove.push(key);
+                    }
+                });
+                // No need to await this because we don't care when it gets done
+                keysToRemove.forEach((key) => this.removeAsync(key));
+                this.lastPrune = nowMs;
+            }
+        };
+        this.removeKeyIfExpired = async (key, nowMs) => {
+            if (this.cacheKeys[key] &&
+                nowMs >= this.cacheKeys[key].createdAt + this.options.keyExpirationPeriodMs) {
+                await this.removeAsync(key);
+            }
+        };
+    }
+    /**
+     * Store an item in the cache, using the specified key and value.
+     * Internally will keep track of the time the item was added to the cache
+     */
+    async saveAsync(key, value) {
+        // Remove all expired keys at a later time
+        this.prune();
+        // Remove the key if it is expired
+        const nowMs = new Date().getTime();
+        await this.removeKeyIfExpired(key, nowMs);
+        if (!this.cacheKeys[key]) {
+            this.cacheKeys[key] = {
+                createdAt: nowMs,
+                value: value,
+            };
+            return this.cacheKeys[key];
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Returns the value of the specified key in the cache
+     */
+    async getAsync(key) {
+        // Remove all expired keys at a later time
+        this.prune();
+        // Remove the key if it is expired
+        const nowMs = new Date().getTime();
+        await this.removeKeyIfExpired(key, nowMs);
+        if (this.cacheKeys[key]) {
+            return this.cacheKeys[key].value;
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Removes an item from the cache if it exists
+     */
+    async removeAsync(key) {
+        if (key != null && this.cacheKeys[key]) {
+            delete this.cacheKeys[key];
+            return key;
+        }
+        else {
+            return null;
+        }
+    }
+}
+exports.InMemoryCacheProvider = InMemoryCacheProvider;
+//# sourceMappingURL=inmemory-cache-provider.js.map

package/dist/node_modules/@node-saml/node-saml/lib/metadata.d.ts

@@ -0,0 +1,2 @@
+import { GenerateServiceProviderMetadataParams } from "./types";
+export declare const generateServiceProviderMetadata: (params: GenerateServiceProviderMetadataParams) => string;

package/dist/node_modules/@node-saml/node-saml/lib/metadata.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateServiceProviderMetadata = void 0;
+const crypto_1 = require("./crypto");
+const types_1 = require("./types");
+const utility_1 = require("./utility");
+const xml_1 = require("./xml");
+const generateServiceProviderMetadata = (params) => {
+    const { issuer, callbackUrl, logoutCallbackUrl, identifierFormat, wantAssertionsSigned, decryptionPvk, privateKey, metadataContactPerson, metadataOrganization, generateUniqueId, } = params;
+    let { signingCerts, decryptionCert } = params;
+    if (decryptionPvk != null) {
+        if (!decryptionCert) {
+            throw new Error("Missing decryptionCert while generating metadata for decrypting service provider");
+        }
+    }
+    else {
+        decryptionCert = null;
+    }
+    if (privateKey != null) {
+        if (!signingCerts) {
+            throw new Error("Missing signingCert while generating metadata for signing service provider messages");
+        }
+        signingCerts = !Array.isArray(signingCerts) ? [signingCerts] : signingCerts;
+    }
+    else {
+        signingCerts = null;
+    }
+    const metadata = {
+        EntityDescriptor: {
+            "@xmlns": "urn:oasis:names:tc:SAML:2.0:metadata",
+            "@xmlns:ds": "http://www.w3.org/2000/09/xmldsig#",
+            "@entityID": issuer,
+            "@ID": generateUniqueId(),
+            SPSSODescriptor: {
+                "@protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
+                "@AuthnRequestsSigned": "false",
+            },
+            ...(metadataContactPerson ? { ContactPerson: metadataContactPerson } : {}),
+            ...(metadataOrganization ? { Organization: metadataOrganization } : {}),
+        },
+    };
+    if (decryptionCert != null || signingCerts != null) {
+        metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor = [];
+        if ((0, types_1.isValidSamlSigningOptions)(params)) {
+            (0, utility_1.assertRequired)(signingCerts, "Missing signingCert while generating metadata for signing service provider messages");
+            metadata.EntityDescriptor.SPSSODescriptor["@AuthnRequestsSigned"] = true;
+            const certArray = Array.isArray(signingCerts) ? signingCerts : [signingCerts];
+            const signingKeyDescriptors = certArray.map((cert) => ({
+                "@use": "signing",
+                "ds:KeyInfo": {
+                    "ds:X509Data": {
+                        "ds:X509Certificate": {
+                            "#text": (0, crypto_1.removeCertPEMHeaderAndFooter)(cert),
+                        },
+                    },
+                },
+            }));
+            metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor.push(signingKeyDescriptors);
+        }
+        if (decryptionPvk != null) {
+            (0, utility_1.assertRequired)(decryptionCert, "Missing decryptionCert while generating metadata for decrypting service provider");
+            decryptionCert = (0, crypto_1.removeCertPEMHeaderAndFooter)(decryptionCert);
+            metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor.push({
+                "@use": "encryption",
+                "ds:KeyInfo": {
+                    "ds:X509Data": {
+                        "ds:X509Certificate": {
+                            "#text": decryptionCert,
+                        },
+                    },
+                },
+                EncryptionMethod: [
+                    // this should be the set that the xmlenc library supports
+                    { "@Algorithm": "http://www.w3.org/2009/xmlenc11#aes256-gcm" },
+                    { "@Algorithm": "http://www.w3.org/2009/xmlenc11#aes128-gcm" },
+                    { "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc" },
+                    { "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes128-cbc" },
+                ],
+            });
+        }
+    }
+    if (logoutCallbackUrl != null) {
+        metadata.EntityDescriptor.SPSSODescriptor.SingleLogoutService = {
+            "@Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+            "@Location": logoutCallbackUrl,
+        };
+    }
+    if (identifierFormat != null) {
+        metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = identifierFormat;
+    }
+    if (wantAssertionsSigned) {
+        metadata.EntityDescriptor.SPSSODescriptor["@WantAssertionsSigned"] = true;
+    }
+    metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
+        "@index": "1",
+        "@isDefault": "true",
+        "@Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        "@Location": callbackUrl,
+    };
+    let metadataXml = (0, xml_1.buildXmlBuilderObject)(metadata, true);
+    if (params.signMetadata === true && (0, types_1.isValidSamlSigningOptions)(params)) {
+        metadataXml = (0, utility_1.signXmlMetadata)(metadataXml, {
+            privateKey: params.privateKey,
+            signatureAlgorithm: params.signatureAlgorithm,
+            xmlSignatureTransforms: params.xmlSignatureTransforms,
+            digestAlgorithm: params.digestAlgorithm,
+        });
+    }
+    return metadataXml;
+};
+exports.generateServiceProviderMetadata = generateServiceProviderMetadata;
+//# sourceMappingURL=metadata.js.map

package/dist/node_modules/@node-saml/node-saml/lib/passport-saml-types.d.ts

@@ -0,0 +1,8 @@
+import * as passport from "passport";
+export interface AuthenticateOptions extends passport.AuthenticateOptions {
+    samlFallback?: "login-request" | "logout-request";
+    additionalParams?: Record<string, string | string[]>;
+}
+export interface AuthorizeOptions extends AuthenticateOptions {
+    samlFallback?: "login-request" | "logout-request";
+}

package/dist/node_modules/@node-saml/node-saml/lib/passport-saml-types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=passport-saml-types.js.map

package/dist/node_modules/@node-saml/node-saml/lib/saml-post-signing.d.ts

@@ -0,0 +1,3 @@
+import { SamlSigningOptions } from "./types";
+export declare function signSamlPost(samlMessage: string, xpath: string, options: SamlSigningOptions): string;
+export declare function signAuthnRequestPost(authnRequest: string, options: SamlSigningOptions): string;

package/dist/node_modules/@node-saml/node-saml/lib/saml-post-signing.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signAuthnRequestPost = exports.signSamlPost = void 0;
+const xml_1 = require("./xml");
+const authnRequestXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
+function signSamlPost(samlMessage, xpath, options) {
+    return (0, xml_1.signXml)(samlMessage, xpath, { reference: xpath + issuerXPath, action: "after" }, options);
+}
+exports.signSamlPost = signSamlPost;
+function signAuthnRequestPost(authnRequest, options) {
+    return signSamlPost(authnRequest, authnRequestXPath, options);
+}
+exports.signAuthnRequestPost = signAuthnRequestPost;
+//# sourceMappingURL=saml-post-signing.js.map

package/dist/node_modules/@node-saml/node-saml/lib/saml.d.ts

@@ -0,0 +1,75 @@
+/// <reference types="node" />
+/// <reference types="node" />
+import * as crypto from "crypto";
+import * as querystring from "querystring";
+import { ParsedQs } from "qs";
+import { AudienceRestrictionXML, CacheProvider, Profile, SamlOptions, SamlConfig, XMLOutput } from "./types";
+import { AuthenticateOptions, AuthorizeOptions } from "./passport-saml-types";
+declare class SAML {
+    /**
+     * Note that some methods in SAML are not yet marked as protected as they are used in testing.
+     * Those methods start with an underscore, e.g. _generateLogoutRequest
+     */
+    options: SamlOptions;
+    cacheProvider: CacheProvider;
+    constructor(ctorOptions: SamlConfig);
+    initialize(ctorOptions: SamlConfig): SamlOptions;
+    protected getCallbackUrl(host?: string | undefined): string;
+    protected signRequest(samlMessage: querystring.ParsedUrlQueryInput): void;
+    protected generateAuthorizeRequestAsync(this: SAML, isPassive: boolean, isHttpPostBinding: boolean, host: string | undefined): Promise<string>;
+    _generateLogoutRequest(this: SAML, user: Profile): Promise<string>;
+    _generateLogoutResponse(this: SAML, logoutRequest: Profile, success: boolean): string;
+    _requestToUrlAsync(request: string | null | undefined, response: string | null, operation: string, additionalParameters: querystring.ParsedUrlQuery): Promise<string>;
+    _getAdditionalParams(relayState: string, operation: "authorize" | "logout", overrideParams?: querystring.ParsedUrlQuery): querystring.ParsedUrlQuery;
+    getAuthorizeUrlAsync(RelayState: string, host: string | undefined, options: AuthorizeOptions): Promise<string>;
+    getAuthorizeFormAsync(RelayState: string, host?: string): Promise<string>;
+    getLogoutUrlAsync(user: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions): Promise<string>;
+    getLogoutResponseUrl(samlLogoutRequest: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions, success: boolean, callback: (err: Error | null, url?: string) => void): void;
+    getLogoutResponseUrlAsync(samlLogoutRequest: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions, success: boolean): Promise<string>;
+    protected certsToCheck(): Promise<string[]>;
+    validatePostResponseAsync(container: Record<string, string>): Promise<{
+        profile: Profile | null;
+        loggedOut: boolean;
+    }>;
+    protected validateInResponseTo(inResponseTo: string | null): Promise<void>;
+    validateRedirectAsync(container: ParsedQs, originalQuery: string): Promise<{
+        profile: Profile | null;
+        loggedOut: boolean;
+    }>;
+    protected hasValidSignatureForRedirect(container: ParsedQs, originalQuery: string): Promise<boolean | void>;
+    protected validateSignatureForRedirect(urlString: crypto.BinaryLike, signature: string, alg: string, cert: string): boolean;
+    protected verifyLogoutRequest(doc: XMLOutput): void;
+    protected verifyLogoutResponse(doc: XMLOutput): Promise<void>;
+    protected verifyIssuer(samlMessage: XMLOutput): void;
+    protected processValidlySignedAssertionAsync(this: SAML, xml: string, samlResponseXml: string, inResponseTo: string | null): Promise<{
+        profile: Profile;
+        loggedOut: boolean;
+    }>;
+    protected checkTimestampsValidityError(nowMs: number, notBefore: string, notOnOrAfter: string, maxTimeLimitMs?: number): Error | null;
+    protected checkAudienceValidityError(expectedAudience: string, audienceRestrictions: AudienceRestrictionXML[]): Error | null;
+    validatePostRequestAsync(container: Record<string, string>): Promise<{
+        profile: Profile;
+        loggedOut: boolean;
+    }>;
+    protected processValidlySignedPostRequestAsync(this: SAML, doc: XMLOutput, dom: Document): Promise<{
+        profile: Profile;
+        loggedOut: boolean;
+    }>;
+    protected processValidlySignedSamlLogoutAsync(this: SAML, doc: XMLOutput, dom: Document): Promise<{
+        profile: Profile | null;
+        loggedOut: boolean;
+    }>;
+    generateServiceProviderMetadata(this: SAML, decryptionCert: string | null, signingCerts?: string | string[] | null): string;
+    /**
+     * Process max age assertion and use it if it is more restrictive than the NotOnOrAfter age
+     * assertion received in the SAMLResponse.
+     *
+     * @param maxAssertionAgeMs Max time after IssueInstant that we will accept assertion, in Ms.
+     * @param notOnOrAfter Expiration provided in response.
+     * @param issueInstant Time when response was issued.
+     * @returns {*} The expiration time to be used, in Ms.
+     */
+    protected calcMaxAgeAssertionTime(maxAssertionAgeMs: number, notOnOrAfter: string, issueInstant: string): number;
+    protected mustValidateInResponseTo(hasInResponseTo: boolean): boolean;
+}
+export { SAML };