cloudcms-server 3.3.1-beta.8 → 4.0.0-beta.1

package/temp/passport-saml/lib/node-saml/inmemory-cache-provider.js

@@ -0,0 +1,86 @@
+"use strict";
+/**
+ * Simple in memory cache provider.  To be used to store state of requests that needs
+ * to be validated/checked when a response is received.
+ *
+ * This is the default implementation of a cache provider used by Passport-SAML.  For
+ * multiple server instances/load balanced scenarios (I.e. the SAML request could have
+ * been generated from a different server/process handling the SAML response) this
+ * implementation will NOT be sufficient.
+ *
+ * The caller should provide their own implementation for a cache provider as defined
+ * in the config options for Passport-SAML.
+ * @param options
+ * @constructor
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CacheProvider = void 0;
+class CacheProvider {
+    constructor(options) {
+        var _a;
+        this.cacheKeys = {};
+        this.options = {
+            ...options,
+            keyExpirationPeriodMs: (_a = options === null || options === void 0 ? void 0 : options.keyExpirationPeriodMs) !== null && _a !== void 0 ? _a : 28800000, // 8 hours,
+        };
+        // Expire old cache keys
+        const expirationTimer = setInterval(() => {
+            const nowMs = new Date().getTime();
+            const keys = Object.keys(this.cacheKeys);
+            keys.forEach((key) => {
+                if (nowMs >=
+                    new Date(this.cacheKeys[key].createdAt).getTime() + this.options.keyExpirationPeriodMs) {
+                    this.removeAsync(key);
+                }
+            });
+        }, this.options.keyExpirationPeriodMs);
+        // we only want this to run if the process is still open; it shouldn't hold the process open (issue #68)
+        expirationTimer.unref();
+    }
+    /**
+     * Store an item in the cache, using the specified key and value.
+     * Internally will keep track of the time the item was added to the cache
+     * @param id
+     * @param value
+     */
+    async saveAsync(key, value) {
+        if (!this.cacheKeys[key]) {
+            this.cacheKeys[key] = {
+                createdAt: new Date().getTime(),
+                value: value,
+            };
+            return this.cacheKeys[key];
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Returns the value of the specified key in the cache
+     * @param id
+     * @returns {boolean}
+     */
+    async getAsync(key) {
+        if (this.cacheKeys[key]) {
+            return this.cacheKeys[key].value;
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Removes an item from the cache if it exists
+     * @param key
+     */
+    async removeAsync(key) {
+        if (this.cacheKeys[key]) {
+            delete this.cacheKeys[key];
+            return key;
+        }
+        else {
+            return null;
+        }
+    }
+}
+exports.CacheProvider = CacheProvider;
+//# sourceMappingURL=inmemory-cache-provider.js.map

package/temp/passport-saml/lib/node-saml/inmemory-cache-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inmemory-cache-provider.js","sourceRoot":"","sources":["../../src/node-saml/inmemory-cache-provider.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAWH,MAAa,aAAa;IAIxB,YAAY,OAAsC;;QAChD,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;QAEpB,IAAI,CAAC,OAAO,GAAG;YACb,GAAG,OAAO;YACV,qBAAqB,EAAE,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,qBAAqB,mCAAI,QAAQ,EAAE,WAAW;SAC/E,CAAC;QAEF,wBAAwB;QACxB,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;gBACnB,IACE,KAAK;oBACL,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EACtF;oBACA,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;iBACvB;YACH,CAAC,CAAC,CAAC;QACL,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAEvC,wGAAwG;QACxG,eAAe,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAa;QACxC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACxB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG;gBACpB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE;gBAC/B,KAAK,EAAE,KAAK;aACb,CAAC;YACF,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;SAC5B;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACvB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;SAClC;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACvB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3B,OAAO,GAAG,CAAC;SACZ;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;CACF;AAzED,sCAyEC","sourcesContent":["/**\n * Simple in memory cache provider.  To be used to store state of requests that needs\n * to be validated/checked when a response is received.\n *\n * This is the default implementation of a cache provider used by Passport-SAML.  For\n * multiple server instances/load balanced scenarios (I.e. the SAML request could have\n * been generated from a different server/process handling the SAML response) this\n * implementation will NOT be sufficient.\n *\n * The caller should provide their own implementation for a cache provider as defined\n * in the config options for Passport-SAML.\n * @param options\n * @constructor\n */\n\nexport interface CacheItem {\n  value: string;\n  createdAt: number;\n}\n\ninterface CacheProviderOptions {\n  keyExpirationPeriodMs: number;\n}\n\nexport class CacheProvider {\n  cacheKeys: Record<string, CacheItem>;\n  options: CacheProviderOptions;\n\n  constructor(options: Partial<CacheProviderOptions>) {\n    this.cacheKeys = {};\n\n    this.options = {\n      ...options,\n      keyExpirationPeriodMs: options?.keyExpirationPeriodMs ?? 28800000, // 8 hours,\n    };\n\n    // Expire old cache keys\n    const expirationTimer = setInterval(() => {\n      const nowMs = new Date().getTime();\n      const keys = Object.keys(this.cacheKeys);\n      keys.forEach((key) => {\n        if (\n          nowMs >=\n          new Date(this.cacheKeys[key].createdAt).getTime() + this.options.keyExpirationPeriodMs\n        ) {\n          this.removeAsync(key);\n        }\n      });\n    }, this.options.keyExpirationPeriodMs);\n\n    // we only want this to run if the process is still open; it shouldn't hold the process open (issue #68)\n    expirationTimer.unref();\n  }\n\n  /**\n   * Store an item in the cache, using the specified key and value.\n   * Internally will keep track of the time the item was added to the cache\n   * @param id\n   * @param value\n   */\n  async saveAsync(key: string, value: string): Promise<CacheItem | null> {\n    if (!this.cacheKeys[key]) {\n      this.cacheKeys[key] = {\n        createdAt: new Date().getTime(),\n        value: value,\n      };\n      return this.cacheKeys[key];\n    } else {\n      return null;\n    }\n  }\n\n  /**\n   * Returns the value of the specified key in the cache\n   * @param id\n   * @returns {boolean}\n   */\n  async getAsync(key: string): Promise<string | null> {\n    if (this.cacheKeys[key]) {\n      return this.cacheKeys[key].value;\n    } else {\n      return null;\n    }\n  }\n\n  /**\n   * Removes an item from the cache if it exists\n   * @param key\n   */\n  async removeAsync(key: string): Promise<string | null> {\n    if (this.cacheKeys[key]) {\n      delete this.cacheKeys[key];\n      return key;\n    } else {\n      return null;\n    }\n  }\n}\n"]}

package/temp/passport-saml/lib/node-saml/saml-post-signing.d.ts

@@ -0,0 +1,3 @@
+import { SamlSigningOptions } from "./types";
+export declare function signSamlPost(samlMessage: string, xpath: string, options: SamlSigningOptions): string;
+export declare function signAuthnRequestPost(authnRequest: string, options: SamlSigningOptions): string;

package/temp/passport-saml/lib/node-saml/saml-post-signing.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signAuthnRequestPost = exports.signSamlPost = void 0;
+const xml_1 = require("./xml");
+const authnRequestXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
+function signSamlPost(samlMessage, xpath, options) {
+    return (0, xml_1.signXml)(samlMessage, xpath, { reference: xpath + issuerXPath, action: "after" }, options);
+}
+exports.signSamlPost = signSamlPost;
+function signAuthnRequestPost(authnRequest, options) {
+    return signSamlPost(authnRequest, authnRequestXPath, options);
+}
+exports.signAuthnRequestPost = signAuthnRequestPost;
+//# sourceMappingURL=saml-post-signing.js.map

package/temp/passport-saml/lib/node-saml/saml-post-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml-post-signing.js","sourceRoot":"","sources":["../../src/node-saml/saml-post-signing.ts"],"names":[],"mappings":";;;AACA,+BAAgC;AAEhC,MAAM,iBAAiB,GACrB,8FAA8F,CAAC;AACjG,MAAM,WAAW,GACf,yFAAyF,CAAC;AAE5F,SAAgB,YAAY,CAC1B,WAAmB,EACnB,KAAa,EACb,OAA2B;IAE3B,OAAO,IAAA,aAAO,EAAC,WAAW,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;AACnG,CAAC;AAND,oCAMC;AAED,SAAgB,oBAAoB,CAAC,YAAoB,EAAE,OAA2B;IACpF,OAAO,YAAY,CAAC,YAAY,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAFD,oDAEC","sourcesContent":["import { SamlSigningOptions } from \"./types\";\nimport { signXml } from \"./xml\";\n\nconst authnRequestXPath =\n  '/*[local-name(.)=\"AuthnRequest\" and namespace-uri(.)=\"urn:oasis:names:tc:SAML:2.0:protocol\"]';\nconst issuerXPath =\n  '/*[local-name(.)=\"Issuer\" and namespace-uri(.)=\"urn:oasis:names:tc:SAML:2.0:assertion\"]';\n\nexport function signSamlPost(\n  samlMessage: string,\n  xpath: string,\n  options: SamlSigningOptions\n): string {\n  return signXml(samlMessage, xpath, { reference: xpath + issuerXPath, action: \"after\" }, options);\n}\n\nexport function signAuthnRequestPost(authnRequest: string, options: SamlSigningOptions): string {\n  return signSamlPost(authnRequest, authnRequestXPath, options);\n}\n"]}

package/temp/passport-saml/lib/node-saml/saml.d.ts

@@ -0,0 +1,77 @@
+/// <reference types="node" />
+import * as querystring from "querystring";
+import { CacheProvider as InMemoryCacheProvider } from "./inmemory-cache-provider";
+import { ParsedQs } from "qs";
+import { SamlOptions } from "./types";
+import { AuthenticateOptions, AuthorizeOptions, Profile, SamlConfig } from "../passport-saml/types";
+interface NameID {
+    value: string | null;
+    format: string | null;
+}
+declare class SAML {
+    options: SamlOptions;
+    cacheProvider: InMemoryCacheProvider;
+    constructor(ctorOptions: SamlConfig);
+    initialize(ctorOptions: SamlConfig): SamlOptions;
+    private getCallbackUrl;
+    _generateUniqueID(): string;
+    private generateInstant;
+    private signRequest;
+    private generateAuthorizeRequestAsync;
+    _generateLogoutRequest(user: Profile): Promise<string>;
+    _generateLogoutResponse(logoutRequest: Profile): string;
+    _requestToUrlAsync(request: string | null | undefined, response: string | null, operation: string, additionalParameters: querystring.ParsedUrlQuery): Promise<string>;
+    _getAdditionalParams(RelayState: string, operation: string, overrideParams?: querystring.ParsedUrlQuery): querystring.ParsedUrlQuery;
+    getAuthorizeUrlAsync(RelayState: string, host: string | undefined, options: AuthorizeOptions): Promise<string>;
+    getAuthorizeFormAsync(RelayState: string, host?: string): Promise<string>;
+    getLogoutUrlAsync(user: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions): Promise<string>;
+    getLogoutResponseUrl(samlLogoutRequest: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions, callback: (err: Error | null, url?: string | null) => void): void;
+    private getLogoutResponseUrlAsync;
+    _certToPEM(cert: string): string;
+    private certsToCheck;
+    validateSignature(fullXml: string, currentNode: Element, certs: string[]): boolean;
+    validatePostResponseAsync(container: Record<string, string>): Promise<{
+        profile?: Profile | null;
+        loggedOut?: boolean;
+    }>;
+    private validateInResponseTo;
+    validateRedirectAsync(container: ParsedQs, originalQuery: string | null): Promise<{
+        profile?: Profile | null;
+        loggedOut?: boolean;
+    }>;
+    private hasValidSignatureForRedirect;
+    private validateSignatureForRedirect;
+    private verifyLogoutRequest;
+    private verifyLogoutResponse;
+    private verifyIssuer;
+    private processValidlySignedAssertionAsync;
+    private checkTimestampsValidityError;
+    private checkAudienceValidityError;
+    validatePostRequestAsync(container: Record<string, string>): Promise<{
+        profile?: Profile;
+        loggedOut?: boolean;
+    }>;
+    _getNameIdAsync(self: SAML, doc: Node): Promise<NameID>;
+    generateServiceProviderMetadata(decryptionCert: string | null, signingCert?: string | null): string;
+    _keyToPEM(key: string | Buffer): typeof key extends string | Buffer ? string | Buffer : Error;
+    /**
+     * Process max age assertion and use it if it is more restrictive than the NotOnOrAfter age
+     * assertion received in the SAMLResponse.
+     *
+     * @param maxAssertionAgeMs Max time after IssueInstant that we will accept assertion, in Ms.
+     * @param notOnOrAfter Expiration provided in response.
+     * @param issueInstant Time when response was issued.
+     * @returns {*} The expiration time to be used, in Ms.
+     */
+    private processMaxAgeAssertionTime;
+    /**
+     * Convert a date string to a timestamp (in milliseconds).
+     *
+     * @param dateString A string representation of a date
+     * @param label Descriptive name of the date being passed in, e.g. "NotOnOrAfter"
+     * @throws Will throw an error if parsing `dateString` returns `NaN`
+     * @returns {number} The timestamp (in milliseconds) representation of the given date
+     */
+    private dateStringToTimestamp;
+}
+export { SAML };