samlesa 2.12.3

package/src/entity-idp.ts

@@ -0,0 +1,145 @@
+/**
+* @file entity-idp.ts
+* @author tngan
+* @desc  Declares the actions taken by identity provider
+*/
+import Entity, { ESamlHttpRequest } from './entity.js';
+import {
+  ServiceProviderConstructor as ServiceProvider,
+  ServiceProviderMetadata,
+  IdentityProviderMetadata,
+  IdentityProviderSettings,
+} from './types.js';
+import libsaml from './libsaml.js';
+import { namespace } from './urn.js';
+import postBinding from './binding-post.js';
+import redirectBinding from './binding-redirect.js';
+import simpleSignBinding from './binding-simplesign.js';
+import { flow, FlowResult } from  './flow.js';
+import { isString } from './utility.js';
+import { BindingContext } from './entity.js';
+
+/**
+ * Identity provider can be configured using either metadata importing or idpSetting
+ */
+export default function(props: IdentityProviderSettings) {
+  return new IdentityProvider(props);
+}
+
+/**
+ * Identity provider can be configured using either metadata importing or idpSetting
+ */
+export class IdentityProvider extends Entity {
+
+  declare entityMeta: IdentityProviderMetadata;
+
+  constructor(idpSetting: IdentityProviderSettings) {
+    const defaultIdpEntitySetting = {
+      wantAuthnRequestsSigned: false,
+      tagPrefix: {
+        encryptedAssertion: 'saml',
+      },
+    };
+    const entitySetting = Object.assign(defaultIdpEntitySetting, idpSetting);
+    // build attribute part
+    if (idpSetting.loginResponseTemplate) {
+      if (isString(idpSetting.loginResponseTemplate.context) && Array.isArray(idpSetting.loginResponseTemplate.attributes)) {
+        let attributeStatementTemplate;
+        let attributeTemplate;
+        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate) {
+          attributeStatementTemplate = libsaml.defaultAttributeStatementTemplate;
+        } else {
+          attributeStatementTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate!;
+        }
+        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate) {
+          attributeTemplate = libsaml.defaultAttributeTemplate;
+        } else {
+          attributeTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate!;
+        }
+        const replacement = {
+          AttributeStatement: libsaml.attributeStatementBuilder(idpSetting.loginResponseTemplate.attributes, attributeTemplate, attributeStatementTemplate),
+        };
+        entitySetting.loginResponseTemplate = {
+          ...entitySetting.loginResponseTemplate,
+          context: libsaml.replaceTagsByValue(entitySetting.loginResponseTemplate!.context, replacement),
+        };
+      } else {
+        console.warn('Invalid login response template');
+      }
+    }
+    super(entitySetting, 'idp');
+  }
+
+  /**
+  * @desc  Generates the login response for developers to design their own method
+  * @param  sp                        object of service provider
+  * @param  requestInfo               corresponding request, used to obtain the id
+  * @param  binding                   protocol binding
+  * @param  user                      current logged user (e.g. req.user)
+  * @param  customTagReplacement      used when developers have their own login response template
+  * @param  encryptThenSign           whether or not to encrypt then sign first (if signing)
+  * @param  relayState             the relayState from corresponding request
+  */
+  public async createLoginResponse(
+    sp: ServiceProvider,
+    requestInfo: { [key: string]: any },
+    binding: string,
+    user: { [key: string]: any },
+    customTagReplacement?: (template: string) => BindingContext,
+    encryptThenSign?: boolean,
+    relayState?: string,
+  ) {
+    const protocol = namespace.binding[binding];
+    // can support post, redirect and post simple sign bindings for login response
+    let context: any = null;
+    switch (protocol) {
+      case namespace.binding.post:
+        context = await postBinding.base64LoginResponse(requestInfo, {
+          idp: this,
+          sp,
+        }, user, customTagReplacement, encryptThenSign);
+        break;
+
+      case namespace.binding.simpleSign:
+        context = await simpleSignBinding.base64LoginResponse( requestInfo, {
+          idp: this, sp,
+        }, user, relayState, customTagReplacement);
+        break;
+
+      case namespace.binding.redirect:
+        return redirectBinding.loginResponseRedirectURL(requestInfo, {
+          idp: this,
+          sp,
+        }, user, relayState, customTagReplacement);
+
+      default:
+        throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
+    }
+
+    return {
+      ...context,
+      relayState,
+      entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding) as string,
+      type: 'SAMLResponse'
+    };
+  }
+
+  /**
+   * Validation of the parsed URL parameters
+   * @param sp ServiceProvider instance
+   * @param binding Protocol binding
+   * @param req RequesmessageSigningOrderst
+   */
+  parseLoginRequest(sp: ServiceProvider, binding: string, req: ESamlHttpRequest) {
+    const self = this;
+    return flow({
+      from: sp,
+      self: self,
+      checkSignature: self.entityMeta.isWantAuthnRequestsSigned(),
+      parserType: 'SAMLRequest',
+      type: 'login',
+      binding: binding,
+      request: req
+    });
+  }
+}

package/src/entity-sp.ts

@@ -0,0 +1,114 @@
+/**
+* @file entity-sp.ts
+* @author tngan
+* @desc  Declares the actions taken by service provider
+*/
+import Entity, {
+  BindingContext,
+  PostBindingContext,
+  ESamlHttpRequest,
+  SimpleSignBindingContext,
+} from './entity.js';
+import {
+  IdentityProviderConstructor as IdentityProvider,
+  ServiceProviderMetadata,
+  ServiceProviderSettings,
+} from './types.js';
+import { namespace } from './urn.js';
+import redirectBinding from './binding-redirect.js';
+import postBinding from './binding-post.js';
+import simpleSignBinding from './binding-simplesign.js';
+import { flow, FlowResult } from  './flow.js';
+
+/*
+ * @desc interface function
+ */
+export default function(props: ServiceProviderSettings) {
+  return new ServiceProvider(props);
+}
+
+/**
+* @desc Service provider can be configured using either metadata importing or spSetting
+* @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
+
+*/
+export class ServiceProvider extends Entity {
+  declare  entityMeta: ServiceProviderMetadata;
+
+  /**
+  * @desc  Inherited from Entity
+  * @param {object} spSetting    setting of service provider
+  */
+  constructor(spSetting: ServiceProviderSettings) {
+    const entitySetting = Object.assign({
+      authnRequestsSigned: false,
+      wantAssertionsSigned: false,
+      wantMessageSigned: false,
+    }, spSetting);
+    super(entitySetting, 'sp');
+  }
+
+  /**
+  * @desc  Generates the login request for developers to design their own method
+  * @param  {IdentityProvider} idp               object of identity provider
+  * @param  {string}   binding                   protocol binding
+  * @param  {function} customTagReplacement     used when developers have their own login response template
+  */
+  public createLoginRequest(
+    idp: IdentityProvider,
+    binding = 'redirect',
+    customTagReplacement?: (template: string) => BindingContext,
+  ): BindingContext | PostBindingContext| SimpleSignBindingContext  {
+    const nsBinding = namespace.binding;
+    const protocol = nsBinding[binding];
+    if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
+      throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
+    }
+
+    let context: any = null;
+    switch (protocol) {
+      case nsBinding.redirect:
+        return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement);
+
+      case nsBinding.post:
+        context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement);
+        break;
+
+      case nsBinding.simpleSign:
+        // Object context = {id, context, signature, sigAlg}
+        context = simpleSignBinding.base64LoginRequest( { idp, sp: this }, customTagReplacement);
+        break;
+
+      default:
+        // Will support artifact in the next release
+        throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
+    }
+
+    return {
+      ...context,
+      relayState: this.entitySetting.relayState,
+      entityEndpoint: idp.entityMeta.getSingleSignOnService(binding) as string,
+      type: 'SAMLRequest',
+    };
+  }
+
+  /**
+  * @desc   Validation of the parsed the URL parameters
+  * @param  {IdentityProvider}   idp             object of identity provider
+  * @param  {string}   binding                   protocol binding
+  * @param  {request}   req                      request
+  */
+  public parseLoginResponse(idp, binding, request: ESamlHttpRequest) {
+    const self = this;
+    return flow({
+      from: idp,
+      self: self,
+      checkSignature: true, // saml response must have signature
+      parserType: 'SAMLResponse',
+      type: 'login',
+      binding: binding,
+      request: request
+    });
+  }
+
+}

package/src/entity.ts

@@ -0,0 +1,243 @@
+/**
+* @file entity.ts
+* @author tngan
+* @desc  An abstraction for identity provider and service provider.
+*/
+import { isString, isNonEmptyArray } from './utility.js';
+import { namespace, wording, algorithms, messageConfigurations } from './urn.js';
+import * as uuid from 'uuid';
+import IdpMetadata, { IdpMetadata as IdpMetadataConstructor } from './metadata-idp.js';
+import SpMetadata, { SpMetadata as SpMetadataConstructor } from './metadata-sp.js';
+import redirectBinding from './binding-redirect.js';
+import postBinding from './binding-post.js';
+import { MetadataIdpConstructor, MetadataSpConstructor, EntitySetting } from './types.js';
+import { flow, FlowResult } from  './flow.js';
+
+const dataEncryptionAlgorithm = algorithms.encryption.data;
+const keyEncryptionAlgorithm = algorithms.encryption.key;
+const signatureAlgorithms = algorithms.signature;
+const messageSigningOrders = messageConfigurations.signingOrder;
+
+const defaultEntitySetting = {
+  wantLogoutResponseSigned: false,
+  messageSigningOrder: messageSigningOrders.SIGN_THEN_ENCRYPT,
+  wantLogoutRequestSigned: false,
+  allowCreate: false,
+  isAssertionEncrypted: false,
+  requestSignatureAlgorithm: signatureAlgorithms.RSA_SHA512,
+  dataEncryptionAlgorithm: dataEncryptionAlgorithm.AES_256_GCM,
+  keyEncryptionAlgorithm: keyEncryptionAlgorithm.RSA_OAEP_MGF1P,
+  generateID: (): string => ('_' + uuid.v4()),
+  relayState: '',
+};
+
+export interface ESamlHttpRequest {
+  query?: any;
+  body?: any;
+  octetString?: string;
+}
+
+export interface BindingContext {
+  context: string;
+  id: string;
+}
+
+export interface PostBindingContext extends BindingContext {
+  relayState?: string;
+  entityEndpoint: string;
+  type: string;
+}
+
+export interface SimpleSignBindingContext extends PostBindingContext {
+  sigAlg?: string;
+  signature?: string;
+  keyInfo?: string;
+}
+
+export interface SimpleSignComputedContext extends BindingContext {
+  sigAlg?: string;
+  signature?: string;
+}
+
+export interface ParseResult {
+  samlContent: string;
+  extract: any;
+  sigAlg: string;
+}
+
+export type EntityConstructor = (MetadataIdpConstructor | MetadataSpConstructor)
+  & { metadata?: string | Buffer };
+
+export default class Entity {
+  entitySetting: EntitySetting;
+  entityType: string;
+  entityMeta: IdpMetadataConstructor | SpMetadataConstructor;
+
+  /**
+  * @param entitySetting
+  * @param entityMeta is the entity metadata, deprecated after 2.0
+  */
+  constructor(entitySetting: EntityConstructor, entityType: 'idp' | 'sp') {
+    this.entitySetting = Object.assign({}, defaultEntitySetting, entitySetting);
+    const metadata = entitySetting.metadata || entitySetting;
+    switch (entityType) {
+      case 'idp':
+        this.entityMeta = IdpMetadata(metadata);
+        // setting with metadata has higher precedence
+        this.entitySetting.wantAuthnRequestsSigned = this.entityMeta.isWantAuthnRequestsSigned();
+        this.entitySetting.nameIDFormat = this.entityMeta.getNameIDFormat() || this.entitySetting.nameIDFormat;
+        break;
+      case 'sp':
+        this.entityMeta = SpMetadata(metadata);
+        // setting with metadata has higher precedence
+        this.entitySetting.authnRequestsSigned = this.entityMeta.isAuthnRequestSigned();
+        this.entitySetting.wantAssertionsSigned = this.entityMeta.isWantAssertionsSigned();
+        this.entitySetting.nameIDFormat = this.entityMeta.getNameIDFormat() || this.entitySetting.nameIDFormat;
+        break;
+      default:
+        throw new Error('ERR_UNDEFINED_ENTITY_TYPE');
+    }
+  }
+
+  /**
+  * @desc  Returns the setting of entity
+  * @return {object}
+  */
+  getEntitySetting() {
+    return this.entitySetting;
+  }
+  /**
+  * @desc  Returns the xml string of entity metadata
+  * @return {string}
+  */
+  getMetadata(): string {
+    return this.entityMeta.getMetadata();
+  }
+
+  /**
+  * @desc  Exports the entity metadata into specified folder
+  * @param  {string} exportFile indicates the file name
+  */
+  exportMetadata(exportFile: string) {
+    return this.entityMeta.exportMetadata(exportFile);
+  }
+
+  /** * @desc  Verify fields with the one specified in metadata
+  * @param  {string/[string]} field is a string or an array of string indicating the field value in SAML message
+  * @param  {string} metaField is a string indicating the same field specified in metadata
+  * @return {boolean} True/False
+  */
+  verifyFields(field: string | string[], metaField: string): boolean {
+    if (isString(field)) {
+      return field === metaField;
+    }
+    if (isNonEmptyArray(field)) {
+      let res = true;
+      (field as string[]).forEach(f => {
+        if (f !== metaField) {
+          res = false;
+          return;
+        }
+      });
+      return res;
+    }
+    return false;
+  }
+  /** @desc   Generates the logout request for developers to design their own method
+  * @param  {ServiceProvider} sp     object of service provider
+  * @param  {string}   binding       protocol binding
+  * @param  {object}   user          current logged user (e.g. user)
+  * @param  {string} relayState      the URL to which to redirect the user when logout is complete
+  * @param  {function} customTagReplacement     used when developers have their own login response template
+  */
+  createLogoutRequest(targetEntity, binding, user, relayState = '', customTagReplacement?): BindingContext | PostBindingContext {
+    if (binding === wording.binding.redirect) {
+      return redirectBinding.logoutRequestRedirectURL(user, {
+        init: this,
+        target: targetEntity,
+      }, relayState, customTagReplacement);
+    }
+    if (binding === wording.binding.post) {
+      const entityEndpoint = targetEntity.entityMeta.getSingleLogoutService(binding);
+      const context = postBinding.base64LogoutRequest(user, "/*[local-name(.)='LogoutRequest']", { init: this, target: targetEntity }, customTagReplacement);
+      return {
+        ...context,
+        relayState,
+        entityEndpoint,
+        type: 'SAMLRequest',
+      };
+    }
+    // Will support artifact in the next release
+    throw new Error('ERR_UNDEFINED_BINDING');
+  }
+
+  /**
+  * @desc  Generates the logout response for developers to design their own method
+  * @param  {IdentityProvider} idp               object of identity provider
+  * @param  {object} requestInfo                 corresponding request, used to obtain the id
+  * @param  {string} relayState                  the URL to which to redirect the user when logout is complete.
+  * @param  {string} binding                     protocol binding
+  * @param  {function} customTagReplacement                 used when developers have their own login response template
+  */
+  createLogoutResponse(target, requestInfo, binding, relayState = '', customTagReplacement?): BindingContext | PostBindingContext {
+    const protocol = namespace.binding[binding];
+    if (protocol === namespace.binding.redirect) {
+      return redirectBinding.logoutResponseRedirectURL(requestInfo, {
+        init: this,
+        target,
+      }, relayState, customTagReplacement);
+    }
+    if (protocol === namespace.binding.post) {
+      const context = postBinding.base64LogoutResponse(requestInfo, {
+        init: this,
+        target,
+      }, customTagReplacement);
+      return {
+        ...context,
+        relayState,
+        entityEndpoint: target.entityMeta.getSingleLogoutService(binding),
+        type: 'SAMLResponse',
+      };
+    }
+    throw new Error('ERR_CREATE_LOGOUT_RESPONSE_UNDEFINED_BINDING');
+  }
+
+  /**
+  * @desc   Validation of the parsed the URL parameters
+  * @param  {IdentityProvider}   idp             object of identity provider
+  * @param  {string}   binding                   protocol binding
+  * @param  {request}   req                      request
+  * @return {Promise}
+  */
+  parseLogoutRequest(from, binding, request: ESamlHttpRequest) {
+    const self = this;
+    return flow({
+      from: from,
+      self: self,
+      type: 'logout',
+      parserType: 'LogoutRequest',
+      checkSignature: this.entitySetting.wantLogoutRequestSigned,
+      binding: binding,
+      request: request,
+    });
+  }
+  /**
+  * @desc   Validation of the parsed the URL parameters
+  * @param  {object} config                      config for the parser
+  * @param  {string}   binding                   protocol binding
+  * @param  {request}   req                      request
+  * @return {Promise}
+  */
+  parseLogoutResponse(from, binding, request: ESamlHttpRequest) {
+    const self = this;
+    return flow({
+      from: from,
+      self: self,
+      type: 'logout',
+      parserType: 'LogoutResponse',
+      checkSignature: self.entitySetting.wantLogoutResponseSigned,
+      binding: binding,
+      request: request
+    });
+  }
+}