saml 3.0.0 → 4.0.0

Files changed (33) hide show
  1. package/README.md +23 -0
  2. package/lib/saml11.js +4 -0
  3. package/lib/saml20.js +4 -0
  4. package/lib/xml/encrypt.js +3 -1
  5. package/package.json +14 -14
  6. package/.github/workflows/semgrep.yml +0 -15
  7. package/.idea/aws.xml +0 -11
  8. package/.idea/inspectionProfiles/Project_Default.xml +0 -6
  9. package/.idea/jsLibraryMappings.xml +0 -6
  10. package/.idea/modules.xml +0 -8
  11. package/.idea/node-saml.iml +0 -13
  12. package/.idea/prettier.xml +0 -7
  13. package/.idea/sonarlint/issuestore/1/5/152d3f39906314d7648bee688e6cf0e074eac700 +0 -0
  14. package/.idea/sonarlint/issuestore/1/6/16c55078736dc7b024c5f6aee3724b578a6f762e +0 -0
  15. package/.idea/sonarlint/issuestore/7/0/7030d0b2f71b999ff89a343de08c414af32fc93a +0 -0
  16. package/.idea/sonarlint/issuestore/9/7/97145ab6a3556e0c76c6cdf36c0a30bb088f382f +0 -2
  17. package/.idea/sonarlint/issuestore/9/8/988145bf095565ed2790e577ca6610aae3f148eb +0 -0
  18. package/.idea/sonarlint/issuestore/a/b/ab09011fa121d0a2bb9fa4ca76094f2482b902b7 +0 -0
  19. package/.idea/sonarlint/issuestore/b/f/bf580f9fe6b7aafd1864a1b474928848f50d9486 +0 -0
  20. package/.idea/sonarlint/issuestore/index.pb +0 -15
  21. package/.idea/vcs.xml +0 -6
  22. package/.travis.yml +0 -4
  23. package/CHANGELOG.md +0 -75
  24. package/commitlint.config.js +0 -1
  25. package/test/saml11.tests.js +0 -489
  26. package/test/saml20.tests.js +0 -688
  27. package/test/test-auth0-chain.pem +0 -160
  28. package/test/test-auth0.der +0 -0
  29. package/test/test-auth0.key +0 -27
  30. package/test/test-auth0.pem +0 -24
  31. package/test/test-auth0_rsa.pub +0 -9
  32. package/test/utils.js +0 -116
  33. package/test/utils.tests.js +0 -63
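--- a/package/README.md
+++ b/package/README.md
@@ -32,6 +32,29 @@ var signedAssertion = saml.create(options);
 
 Everything except the cert and key is optional.
 
+### Encryption
+
+SAML assertions can optionally be encrypted, by providing a certificate and public key, as follows:
+
+```js
+var saml = require('saml').Saml20; // or Saml11
+
+var options = {
+cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+key: fs.readFileSync(__dirname + '/test-auth0.key'),
+nameIdentifier: 'foo',
+encryptionPublicKey: fs.readFileSync(__dirname + '/encryption-key.pub'),
+encryptionCert: fs.readFileSync(__dirname + '/encryption-cert.pem'),
+encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', // Defaults to http://www.w3.org/2009/xmlenc11#aes256-gcm if not specified
+disallowEncryptionWithInsecureAlgorithm: true,
+warnOnInsecureEncryptionAlgorithm: true
+}
+```
+
+See [node-xml-encryption](https://github.com/auth0/node-xml-encryption) for documentation on the allowed algorithms. If using algorithms treated as insecure by [node-xml-encryption](https://github.com/auth0/node-xml-encryption), you must provide disallowEncryptionWithInsecureAlgorithm option set to false.
+A warning will be piped to `stderr` using console.warn() by default when the insecure algorithms are used and above mentioned flag is false. This can be disabled via the `warnOnInsecureEncryptionAlgorithm` flag.
+
+
 ## Issue Reporting
 
 If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.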
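--- a/package/lib/saml11.js
+++ b/package/lib/saml11.js
@@ -56,6 +56,8 @@ function extractSaml11Options(opts) {
 * @param [options.encryptionPublicKey] {Buffer}
 * @param [options.encryptionAlgorithm] {string}
 * @param [options.keyEncryptionAlgorithm] {string}
+* @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+* @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
 *
 * @param {Function} [callback] required if encrypting
 * @return {String|*}
@@ -89,6 +91,8 @@ exports.create = function(options, callback) {
 * @param [options.encryptionPublicKey] {Buffer}
 * @param [options.encryptionAlgorithm] {string}
 * @param [options.keyEncryptionAlgorithm] {string}
+* @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+* @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
 *
 * @param {Function} [callback] required if encrypting
 * @return {String|*}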
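Review bot: The new `@param` tags for `options.disallowEncryptionWithInsecureAlgorithm` and `options.warnOnInsecureEncryptionAlgorithm` record only the type, not the default, although the README in this same release describes both as opt-outs that a caller must set to `false` to disable; JSDoc's default syntax states that directly, e.g. `* @param [options.disallowEncryptionWithInsecureAlgorithm=true] {boolean} reject algorithms node-xml-encryption treats as insecure` and `* @param [options.warnOnInsecureEncryptionAlgorithm=true] {boolean} console.warn() when an insecure algorithm is used`. The same gap is in the second hunk of this file and in both hunks of package/lib/saml20.js. The documented functions begin before their hunks, so the rest of each doc block is not visible here.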
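--- a/package/lib/saml20.js
+++ b/package/lib/saml20.js
@@ -95,6 +95,8 @@ function extractSaml20Options(opts) {
 * @param [options.encryptionPublicKey] {Buffer}
 * @param [options.encryptionAlgorithm] {string}
 * @param [options.keyEncryptionAlgorithm] {string}
+* @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+* @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
 *
 * @param {Function} [callback] required if encrypting
 * @return {*}
@@ -134,6 +136,8 @@ exports.create = function createSignedAssertion(options, callback) {
 * @param [options.encryptionPublicKey] {Buffer}
 * @param [options.encryptionAlgorithm] {string}
 * @param [options.keyEncryptionAlgorithm] {string}
+* @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+* @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
 *
 * @param {Function} [callback] required if encrypting
 * @return {*}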
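--- a/package/lib/xml/encrypt.js
+++ b/package/lib/xml/encrypt.js
@@ -9,8 +9,10 @@ exports.fromEncryptXmlOptions = function (options) {
 const encryptOptions = {
 rsa_pub: options.encryptionPublicKey,
 pem: options.encryptionCert,
-encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2009/xmlenc11#aes256-gcm',
 keyEncryptionAlgorithm: options.keyEncryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
+disallowEncryptionWithInsecureAlgorithm: options?.disallowEncryptionWithInsecureAlgorithm !== false,
+warnInsecureAlgorithm: options?.warnOnInsecureEncryptionAlgorithm !== false,
 };
 
 // expose the encryptOptions as these are needed when adding the SubjectConfirmation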
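Review bot: The two added lines use `options?.` while `options.encryptionPublicKey` three lines above already dereferences `options` unconditionally, so the optional chaining can never take effect and only implies a null-safety the function does not have; `options.disallowEncryptionWithInsecureAlgorithm !== false` and `options.warnOnInsecureEncryptionAlgorithm !== false` state the real contract. The `!== false` form makes both guards default to on and keeps them on for any value other than the boolean `false` (including the string `'false'`), which is the safe direction but is easy to misread as a plain pass-through, so a comment like `// Both guards stay enabled unless the caller passes an explicit boolean false` belongs above them. The outgoing key is `warnInsecureAlgorithm` while the public option is `warnOnInsecureEncryptionAlgorithm`; presumably the former is xml-encryption's option name, and a one-line comment saying so would keep the two from being "harmonised" into a silent no-op. fromEncryptXmlOptions starts before the hunk, so its doc comment (if any) is not visible here; it should record that the default algorithm moved from aes256-cbc to aes256-gcm, which changes output for every caller that omits `encryptionAlgorithm`.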
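--- a/package/package.json
+++ b/package/package.json
@@ -1,18 +1,23 @@
 {
 "name": "saml",
-"version": "3.0.0",
+"version": "4.0.0",
 "engines": {
 "node": ">=12"
 },
 "devDependencies": {
-"@commitlint/cli": "^11.0.0",
-"@commitlint/config-conventional": "^11.0.0",
+"@commitlint/cli": "^20.3.1",
+"@commitlint/config-conventional": "^20.3.1",
+"@semantic-release/exec": "^7.0.3",
 "chai": "^4.2.0",
-"husky": "^4.3.0",
+"husky": "^9.1.7",
 "mocha": "^8.2.0",
+"semantic-release": "^25.0.2",
 "should": "~1.2.1",
-"standard-version": "^9.0.0"
+"sinon": "^9.0.2"
 },
+"files": [
+"lib"
+],
 "main": "./lib",
 "repository": "https://github.com/auth0/node-saml",
 "keywords": [
@@ -23,21 +28,16 @@
 "license": "MIT",
 "dependencies": {
 "@xmldom/xmldom": "^0.7.4",
-"async": "~0.2.9",
-"moment": "2.19.3",
+"async": "^3.2.4",
+"moment": "^2.29.4",
 "valid-url": "~1.0.9",
 "xml-crypto": "^2.1.3",
-"xml-encryption": "^2.0.0",
+"xml-encryption": "^4.0.0",
 "xml-name-validator": "~2.0.1",
 "xpath": "0.0.5"
 },
 "scripts": {
-"release": "standard-version",
+"prepare": "husky",
 "test": "mocha"
-},
-"husky": {
-"hooks": {
-"commit-msg": "commitlint -E HUSKY_GIT_PARAMS"
-}
 }
 }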
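--- a/package/.github/workflows/semgrep.yml
+++ b/package/.github/workflows/semgrep.yml
@@ -1,15 +0,0 @@
-name: Semgrep
-on:
-pull_request: {}
-push:
-branches: ["master"]
-jobs:
-semgrep:
-name: Scan
-runs-on: ubuntu-latest
-if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
-steps:
-- uses: actions/checkout@v2
-- uses: returntocorp/semgrep-action@v1
-with:
-publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}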
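--- a/package/.idea/aws.xml
+++ b/package/.idea/aws.xml
@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-<component name="accountSettings">
-<option name="activeRegion" value="us-east-1" />
-<option name="recentlyUsedRegions">
-<list>
-<option value="us-east-1" />
-</list>
-</option>
-</component>
-</project>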
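--- a/package/.idea/inspectionProfiles/Project_Default.xml
+++ b/package/.idea/inspectionProfiles/Project_Default.xml
@@ -1,6 +0,0 @@
-<component name="InspectionProjectProfileManager">
-<profile version="1.0">
-<option name="myName" value="Project Default" />
-<inspection_tool class="Eslint" enabled="true" level="WARNING" enabled_by_default="true" />
-</profile>
-</component>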
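--- a/package/.idea/jsLibraryMappings.xml
+++ b/package/.idea/jsLibraryMappings.xml
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-<component name="JavaScriptLibraryMappings">
-<includedPredefinedLibrary name="Node.js Core" />
-</component>
-</project>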
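--- a/package/.idea/modules.xml
+++ b/package/.idea/modules.xml
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-<component name="ProjectModuleManager">
-<modules>
-<module fileurl="file://$PROJECT_DIR$/.idea/node-saml.iml" filepath="$PROJECT_DIR$/.idea/node-saml.iml" />
-</modules>
-</component>
-</project>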
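--- a/package/.idea/node-saml.iml
+++ b/package/.idea/node-saml.iml
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="WEB_MODULE" version="4">
-<component name="NewModuleRootManager">
-<content url="file://$MODULE_DIR$">
-<excludeFolder url="file://$MODULE_DIR$/temp" />
-<excludeFolder url="file://$MODULE_DIR$/.tmp" />
-<excludeFolder url="file://$MODULE_DIR$/tmp" />
-<excludeFolder url="file://$MODULE_DIR$/.idea" />
-</content>
-<orderEntry type="inheritedJdk" />
-<orderEntry type="sourceFolder" forTests="false" />
-</component>
-</module>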
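--- a/package/.idea/prettier.xml
+++ b/package/.idea/prettier.xml
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-<component name="PrettierConfiguration">
-<option name="myRunOnSave" value="true" />
-<option name="myRunOnReformat" value="true" />
-</component>
-</project>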
@@ -1,2 +0,0 @@
1
-
2
- �javascript:S1488"bImmediately return this expression instead of assigning it to the temporary variable "signatures".(����8�����/
@@ -1,15 +0,0 @@
1
-
2
- <
3
- CHANGELOG.md,a/b/ab09011fa121d0a2bb9fa4ca76094f2482b902b7
4
- G
5
- test/test-auth0_rsa.pub,1/6/16c55078736dc7b024c5f6aee3724b578a6f762e
6
- <
7
- package.json,7/0/7030d0b2f71b999ff89a343de08c414af32fc93a
8
- C
9
- test/test-auth0.pem,9/8/988145bf095565ed2790e577ca6610aae3f148eb
10
- C
11
- test/test-auth0.key,b/f/bf580f9fe6b7aafd1864a1b474928848f50d9486
12
- =
13
-
14
- I
15
- test/test-auth0-chain.pem,1/5/152d3f39906314d7648bee688e6cf0e074eac700
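--- a/package/.idea/vcs.xml
+++ b/package/.idea/vcs.xml
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-<component name="VcsDirectoryMappings">
-<mapping directory="$PROJECT_DIR$" vcs="Git" />
-</component>
-</project>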
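--- a/package/.travis.yml
+++ b/package/.travis.yml
@@ -1,4 +0,0 @@
-language: node_js
-node_js:
-- 10.16.0
-- 12.10.0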
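--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,75 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
-
-## [3.0.0](https://github.com/auth0/node-saml/compare/v2.0.1...v3.0.0) (2022-05-12)
-
-
-### ⚠ BREAKING CHANGES
-
-* handle poorly formatted PEM files (#85)
-
-### Bug Fixes
-
-* handle poorly formatted PEM files ([#85](https://github.com/auth0/node-saml/issues/85)) ([8830a23](https://github.com/auth0/node-saml/commit/8830a238d33e2e198acd81fb6d972583848bfe26))
-
-### [2.0.1](https://github.com/auth0/node-saml/compare/v2.0.0...v2.0.1) (2022-02-09)
-
-
-### Bug Fixes
-
-* **saml11:** do not mutate moment() when options.lifetimeInSeconds is provided ([0a5afd1](https://github.com/auth0/node-saml/commit/0a5afd1977dc832f1cc51de6af7c801cc95f78b5))
-
-## [2.0.0](https://github.com/auth0/node-saml/compare/v1.0.1...v2.0.0) (2022-02-04)
-
-
-### ⚠ BREAKING CHANGES
-
-* Requires NodeJS >= 12
-
-Upgraded the xml-encryption package which removes the vulnerable node-forge dependency
-See https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
-
-### Bug Fixes
-
-* remove vulnerable node-forge dependency ([0106c61](https://github.com/auth0/node-saml/commit/0106c611a1263150e42692411aeeea0c95ec0755))
-
-### [1.0.1](https://github.com/auth0/node-saml/compare/v1.0.0...v1.0.1) (2021-09-17)
-
-
-### Bug Fixes
-
-* update xmldom and xml-crypto to fix security issues ([6ad0243](https://github.com/auth0/node-saml/commit/6ad0243fe8c2f90d71d335500e9a9c8a2c436cb7))
-
-## [1.0.0](https://github.com/auth0/node-saml/compare/v0.15.0...v1.0.0) (2020-11-04)
-
-
-### ⚠ BREAKING CHANGES
-
-* update xml-crypto and xmldom dependencies to fix sec issues
-* stop supporting node v4 and v8
-* xml-encryption major version bump, fix typo in config property
-from `keyEncryptionAlgorighm` to `keyEncryptionAlgorithm` consumed by
-new xml-encryption library version.
-
-### Features
-
-* fix sec issues with dependencies ([06acc02](https://github.com/auth0/node-saml/commit/06acc0238d7161c123f2f6924aa9f5984a5a2f32))
-* update xml-crypto and xmldom dependencies to fix sec issues ([772c30e](https://github.com/auth0/node-saml/commit/772c30e4333d0af0e783c163e371c49ec0386c23))
-
-
-* remove node v4 and v8 in travis configuration ([d8c62af](https://github.com/auth0/node-saml/commit/d8c62af972e6c6edbc052fafed749b254e73569c))
-
-## [0.15.0](https://github.com/auth0/node-saml/compare/v0.13.0...v0.15.0) (2020-10-01)
-
-
-### Features
-
-* **saml11:** adds saml11.createUnsignedAssertion() ([51170c9](https://github.com/auth0/node-saml/commit/51170c91f5ddf9c31cb00b03fe5d8c513131e165))
-* **saml20:** adds Saml20.createUnsignedAssertion() ([de0e766](https://github.com/auth0/node-saml/commit/de0e766f3fcb52913a93ff52cc1feefebf47eb00))
-* **xml/sign:** unsigned assertions should have whitespace removed as well ([968d0e7](https://github.com/auth0/node-saml/commit/968d0e7559dd72f7d029752ced9887855e7d44c4))
-
-
-### Bug Fixes
-
-* **saml20:** parses saml20.template only once at start up ([cb3bfcd](https://github.com/auth0/node-saml/commit/cb3bfcdc4b034b6ac3ea52172c1be7d6193fddec))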
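--- a/package/commitlint.config.js
+++ b/package/commitlint.config.js
@@ -1 +0,0 @@
-module.exports = { extends: ['@commitlint/config-conventional'] };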