samlesa 2.12.3 → 2.12.6

package/build/src/binding-post.js

@@ -1,369 +1,359 @@
-"use strict";
-/**
-* @file binding-post.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using POST binding
-*/
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const urn_js_1 = require("./urn.js");
-const libsaml_js_1 = __importDefault(require("./libsaml.js"));
-const utility_js_1 = __importStar(require("./utility.js"));
-const binding = urn_js_1.wording.binding;
-/**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
-    const spSetting = entity.sp.entitySetting;
-    let id = '';
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.idp.getSingleSignOnService(binding.post);
-        let rawSamlRequest;
-        if (spSetting.loginRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(spSetting.loginRequestTemplate.context);
-            id = (0, utility_js_1.get)(info, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
-        }
-        else {
-            const nameIDFormat = spSetting.nameIDFormat;
-            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-            id = spSetting.generateID();
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginRequestTemplate.context, {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.sp.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
-                EntityID: metadata.sp.getEntityID(),
-                AllowCreate: spSetting.allowCreate,
-                NameIDFormat: selectedNameIDFormat
-            });
-        }
-        if (metadata.idp.isWantAuthnRequestsSigned()) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-            return {
-                id,
-                context: libsaml_js_1.default.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.sp.getX509Certificate('signing'),
-                    signatureConfig: spSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
-        }
-        // No need to embeded XML signature
-        return {
-            id,
-            context: utility_js_1.default.base64Encode(rawSamlRequest),
-        };
-    }
-    throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
-}
-/**
-* @desc Generate a base64 encoded login response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {function} customTagReplacement     used when developers have their own login response template
-* @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
-*/
-async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false) {
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const id = idpSetting.generateID();
-    const metadata = {
-        idp: entity.idp.entityMeta,
-        sp: entity.sp.entityMeta,
-    };
-    const nameIDFormat = idpSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.sp.getAssertionConsumerService(binding.post);
-        let rawSamlResponse;
-        const nowTime = new Date();
-        const spEntityID = metadata.sp.getEntityID();
-        const fiveMinutesLaterTime = new Date(nowTime.getTime());
-        fiveMinutesLaterTime.setMinutes(fiveMinutesLaterTime.getMinutes() + 5);
-        const fiveMinutesLater = fiveMinutesLaterTime.toISOString();
-        const now = nowTime.toISOString();
-        const acl = metadata.sp.getAssertionConsumerService(binding.post);
-        const tvalue = {
-            ID: id,
-            AssertionID: idpSetting.generateID(),
-            Destination: base,
-            Audience: spEntityID,
-            EntityID: spEntityID,
-            SubjectRecipient: acl,
-            Issuer: metadata.idp.getEntityID(),
-            IssueInstant: now,
-            AssertionConsumerServiceURL: acl,
-            StatusCode: urn_js_1.StatusCode.Success,
-            // can be customized
-            ConditionsNotBefore: now,
-            ConditionsNotOnOrAfter: fiveMinutesLater,
-            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater,
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user.email || '',
-            InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', ''),
-            AuthnStatement: '',
-            AttributeStatement: '',
-        };
-        if (idpSetting.loginResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            if (requestInfo !== null) {
-                tvalue.InResponseTo = requestInfo.extract.request.id;
-            }
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginResponseTemplate.context, tvalue);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-        const config = {
-            privateKey,
-            privateKeyPass,
-            signatureAlgorithm,
-            signingCert: metadata.idp.getX509Certificate('signing'),
-            isBase64Output: false,
-        };
-        // step: sign assertion ? -> encrypted ? -> sign message ?
-        if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
-            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        // console.debug('after assertion signed', rawSamlResponse);
-        // SAML response must be signed sign message first, then encrypt
-        if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            // console.debug('sign then encrypt and sign entire message');
-            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-            console.log(rawSamlResponse);
-            console.log("这他妈是什么------------------");
-        }
-        // console.debug('after message signed', rawSamlResponse);
-        if (idpSetting.isAssertionEncrypted) {
-            // console.debug('idp is configured to do encryption');
-            const context = await libsaml_js_1.default.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
-            if (encryptThenSign) {
-                //need to decode it
-                rawSamlResponse = utility_js_1.default.base64Decode(context);
-            }
-            else {
-                return Promise.resolve({ id, context });
-            }
-        }
-        //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        return Promise.resolve({
-            id,
-            context: utility_js_1.default.base64Encode(rawSamlResponse),
-        });
-    }
-    throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
-}
-/**
-* @desc Generate a base64 encoded logout request
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {string} referenceTagXPath            reference uri
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} base64 encoded request
-*/
-function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
-    const initSetting = entity.init.entitySetting;
-    const nameIDFormat = initSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    let id = '';
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlRequest;
-        if (initSetting.logoutRequestTemplate && customTagReplacement) {
-            const template = customTagReplacement(initSetting.logoutRequestTemplate.context);
-            id = (0, utility_js_1.get)(template, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                EntityID: metadata.init.getEntityID(),
-                NameIDFormat: selectedNameIDFormat,
-                NameID: user.logoutNameID,
-            };
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutRequestTemplate.context, tvalue);
-        }
-        if (entity.target.entitySetting.wantLogoutRequestSigned) {
-            // Need to embeded XML signature
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml_js_1.default.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: initSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
-        }
-        return {
-            id,
-            context: utility_js_1.default.base64Encode(rawSamlRequest),
-        };
-    }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
-}
-/**
-* @desc Generate a base64 encoded logout response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
-    const metadata = {
-        init: entity.init.entityMeta,
-        target: entity.target.entityMeta,
-    };
-    let id = '';
-    const initSetting = entity.init.entitySetting;
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlResponse;
-        if (initSetting.logoutResponseTemplate) {
-            const template = customTagReplacement(initSetting.logoutResponseTemplate.context);
-            id = template.id;
-            rawSamlResponse = template.context;
-        }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                EntityID: metadata.init.getEntityID(),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                StatusCode: urn_js_1.StatusCode.Success,
-                InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', null)
-            };
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutResponseTemplate.context, tvalue);
-        }
-        if (entity.target.entitySetting.wantLogoutResponseSigned) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml_js_1.default.constructSAMLSignature({
-                    isMessageSigned: true,
-                    transformationAlgorithms: transformationAlgorithms,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    rawSamlMessage: rawSamlResponse,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: {
-                        prefix: 'ds',
-                        location: {
-                            reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",
-                            action: 'after'
-                        }
-                    }
-                }),
-            };
-        }
-        return {
-            id,
-            context: utility_js_1.default.base64Encode(rawSamlResponse),
-        };
-    }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');
-}
-const postBinding = {
-    base64LoginRequest,
-    base64LoginResponse,
-    base64LogoutRequest,
-    base64LogoutResponse,
-};
-exports.default = postBinding;
+"use strict";
+/**
+* @file binding-post.ts
+* @author tngan
+* @desc Binding-level API, declare the functions using POST binding
+*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const urn_js_1 = require("./urn.js");
+const libsaml_js_1 = __importDefault(require("./libsaml.js"));
+const utility_js_1 = __importStar(require("./utility.js"));
+const binding = urn_js_1.wording.binding;
+/**
+* @desc Generate a base64 encoded login request
+* @param  {string} referenceTagXPath           reference uri
+* @param  {object} entity                      object includes both idp and sp
+* @param  {function} customTagReplacement     used when developers have their own login response template
+*/
+function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.post);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate.context);
+            id = (0, utility_js_1.get)(info, 'id', null);
+            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+                NameIDFormat: selectedNameIDFormat
+            });
+        }
+        if (metadata.idp.isWantAuthnRequestsSigned()) {
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+            return {
+                id,
+                context: libsaml_js_1.default.constructSAMLSignature({
+                    referenceTagXPath,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    transformationAlgorithms,
+                    rawSamlMessage: rawSamlRequest,
+                    signingCert: metadata.sp.getX509Certificate('signing'),
+                    signatureConfig: spSetting.signatureConfig || {
+                        prefix: 'ds',
+                        location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },
+                    }
+                }),
+            };
+        }
+        // No need to embeded XML signature
+        return {
+            id,
+            context: utility_js_1.default.base64Encode(rawSamlRequest),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
+}
+/**
+* @desc Generate a base64 encoded login response
+* @param  {object} requestInfo                 corresponding request, used to obtain the id
+* @param  {object} entity                      object includes both idp and sp
+* @param  {object} user                        current logged user (e.g. req.user)
+* @param  {function} customTagReplacement     used when developers have their own login response template
+* @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
+*/
+async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false) {
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const id = idpSetting.generateID();
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+    };
+    const nameIDFormat = idpSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.sp.getAssertionConsumerService(binding.post);
+        let rawSamlResponse;
+        const nowTime = new Date();
+        const spEntityID = metadata.sp.getEntityID();
+        const fiveMinutesLaterTime = new Date(nowTime.getTime());
+        fiveMinutesLaterTime.setMinutes(fiveMinutesLaterTime.getMinutes() + 5);
+        const fiveMinutesLater = fiveMinutesLaterTime.toISOString();
+        const now = nowTime.toISOString();
+        const acl = metadata.sp.getAssertionConsumerService(binding.post);
+        const tvalue = {
+            ID: id,
+            AssertionID: idpSetting.generateID(),
+            Destination: base,
+            Audience: spEntityID,
+            EntityID: spEntityID,
+            SubjectRecipient: acl,
+            Issuer: metadata.idp.getEntityID(),
+            IssueInstant: now,
+            AssertionConsumerServiceURL: acl,
+            StatusCode: urn_js_1.StatusCode.Success,
+            // can be customized
+            ConditionsNotBefore: now,
+            ConditionsNotOnOrAfter: fiveMinutesLater,
+            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater,
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user.email || '',
+            InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', ''),
+            AuthnStatement: '',
+            AttributeStatement: '',
+        };
+        if (idpSetting.loginResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
+            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
+        }
+        else {
+            if (requestInfo !== null) {
+                tvalue.InResponseTo = requestInfo.extract.request.id;
+            }
+            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginResponseTemplate.context, tvalue);
+        }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
+        const config = {
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            signingCert: metadata.idp.getX509Certificate('signing'),
+            isBase64Output: false,
+        };
+        // step: sign assertion ? -> encrypted ? -> sign message ?
+        if (metadata.sp.isWantAssertionsSigned()) {
+            // console.debug('sp wants assertion signed');
+            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
+                signatureConfig: {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+        }
+        // console.debug('after assertion signed', rawSamlResponse);
+        // SAML response must be signed sign message first, then encrypt
+        if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+            // console.debug('sign then encrypt and sign entire message');
+            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+            console.log(rawSamlResponse);
+            console.log('这他妈是什么------------------');
+        }
+        // console.debug('after message signed', rawSamlResponse);
+        if (idpSetting.isAssertionEncrypted) {
+            // console.debug('idp is configured to do encryption');
+            const context = await libsaml_js_1.default.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
+            if (encryptThenSign) {
+                //need to decode it
+                rawSamlResponse = utility_js_1.default.base64Decode(context);
+            }
+            else {
+                return Promise.resolve({ id, context });
+            }
+        }
+        //sign after encrypting
+        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+        }
+        return Promise.resolve({
+            id,
+            context: utility_js_1.default.base64Encode(rawSamlResponse),
+        });
+    }
+    throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
+}
+/**
+* @desc Generate a base64 encoded logout request
+* @param  {object} user                         current logged user (e.g. req.user)
+* @param  {string} referenceTagXPath            reference uri
+* @param  {object} entity                       object includes both idp and sp
+* @param  {function} customTagReplacement      used when developers have their own login response template
+* @return {string} base64 encoded request
+*/
+function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
+    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
+    const initSetting = entity.init.entitySetting;
+    const nameIDFormat = initSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    let id = '';
+    if (metadata && metadata.init && metadata.target) {
+        let rawSamlRequest;
+        if (initSetting.logoutRequestTemplate && customTagReplacement) {
+            const template = customTagReplacement(initSetting.logoutRequestTemplate.context);
+            id = (0, utility_js_1.get)(template, 'id', null);
+            rawSamlRequest = (0, utility_js_1.get)(template, 'context', null);
+        }
+        else {
+            id = initSetting.generateID();
+            const tvalue = {
+                ID: id,
+                Destination: metadata.target.getSingleLogoutService(binding.post),
+                Issuer: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                EntityID: metadata.init.getEntityID(),
+                NameIDFormat: selectedNameIDFormat,
+                NameID: user.logoutNameID,
+            };
+            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutRequestTemplate.context, tvalue);
+        }
+        if (entity.target.entitySetting.wantLogoutRequestSigned) {
+            // Need to embeded XML signature
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
+            return {
+                id,
+                context: libsaml_js_1.default.constructSAMLSignature({
+                    referenceTagXPath,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    transformationAlgorithms,
+                    rawSamlMessage: rawSamlRequest,
+                    signingCert: metadata.init.getX509Certificate('signing'),
+                    signatureConfig: initSetting.signatureConfig || {
+                        prefix: 'ds',
+                        location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },
+                    }
+                }),
+            };
+        }
+        return {
+            id,
+            context: utility_js_1.default.base64Encode(rawSamlRequest),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
+}
+/**
+* @desc Generate a base64 encoded logout response
+* @param  {object} requestInfo                 corresponding request, used to obtain the id
+* @param  {string} referenceTagXPath           reference uri
+* @param  {object} entity                      object includes both idp and sp
+* @param  {function} customTagReplacement     used when developers have their own login response template
+*/
+function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
+    const metadata = {
+        init: entity.init.entityMeta,
+        target: entity.target.entityMeta,
+    };
+    let id = '';
+    const initSetting = entity.init.entitySetting;
+    if (metadata && metadata.init && metadata.target) {
+        let rawSamlResponse;
+        if (initSetting.logoutResponseTemplate) {
+            const template = customTagReplacement(initSetting.logoutResponseTemplate.context);
+            id = template.id;
+            rawSamlResponse = template.context;
+        }
+        else {
+            id = initSetting.generateID();
+            const tvalue = {
+                ID: id,
+                Destination: metadata.target.getSingleLogoutService(binding.post),
+                EntityID: metadata.init.getEntityID(),
+                Issuer: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                StatusCode: urn_js_1.StatusCode.Success,
+                InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', null)
+            };
+            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutResponseTemplate.context, tvalue);
+        }
+        if (entity.target.entitySetting.wantLogoutResponseSigned) {
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
+            return {
+                id,
+                context: libsaml_js_1.default.constructSAMLSignature({
+                    isMessageSigned: true,
+                    transformationAlgorithms: transformationAlgorithms,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    rawSamlMessage: rawSamlResponse,
+                    signingCert: metadata.init.getX509Certificate('signing'),
+                    signatureConfig: {
+                        prefix: 'ds',
+                        location: {
+                            reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",
+                            action: 'after'
+                        }
+                    }
+                }),
+            };
+        }
+        return {
+            id,
+            context: utility_js_1.default.base64Encode(rawSamlResponse),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');
+}
+const postBinding = {
+    base64LoginRequest,
+    base64LoginResponse,
+    base64LogoutRequest,
+    base64LogoutResponse,
+};
+exports.default = postBinding;
 //# sourceMappingURL=binding-post.js.map