samlesa 2.12.3

package/src/metadata-idp.ts

@@ -0,0 +1,146 @@
+/**
+* @file metadata-idp.ts
+* @author tngan
+* @desc  Metadata of identity provider
+*/
+import Metadata, { MetadataInterface } from './metadata.js';
+import { MetadataIdpOptions, MetadataIdpConstructor } from './types.js';
+import { namespace } from './urn.js';
+import libsaml from './libsaml.js';
+import { castArrayOpt, isNonEmptyArray, isString } from './utility.js';
+import xml from 'xml';
+
+export interface IdpMetadataInterface extends MetadataInterface {
+
+}
+
+/*
+ * @desc interface function
+ */
+export default function(meta: MetadataIdpConstructor) {
+  return new IdpMetadata(meta);
+}
+
+export class IdpMetadata extends Metadata {
+
+  constructor(meta: MetadataIdpConstructor) {
+
+    const isFile = isString(meta) || meta instanceof Buffer;
+
+    if (!isFile) {
+
+      const {
+        entityID,
+        signingCert,
+        encryptCert,
+        wantAuthnRequestsSigned = false,
+        nameIDFormat = [],
+        singleSignOnService = [],
+        singleLogoutService = [],
+      } = meta as MetadataIdpOptions;
+
+      const IDPSSODescriptor: any[] = [{
+        _attr: {
+          WantAuthnRequestsSigned: String(wantAuthnRequestsSigned),
+          protocolSupportEnumeration: namespace.names.protocol,
+        },
+      }];
+
+      for(const cert of castArrayOpt(signingCert)) {
+        IDPSSODescriptor.push(libsaml.createKeySection('signing', cert));
+      }
+
+      for(const cert of castArrayOpt(encryptCert)) {
+        IDPSSODescriptor.push(libsaml.createKeySection('encryption', cert));
+      }
+
+      if (isNonEmptyArray(nameIDFormat)) {
+        nameIDFormat.forEach(f => IDPSSODescriptor.push({ NameIDFormat: f }));
+      }
+
+      if (isNonEmptyArray(singleSignOnService)) {
+        singleSignOnService.forEach((a, indexCount) => {
+          const attr: any = {
+            Binding: a.Binding,
+            Location: a.Location,
+          };
+          if (a.isDefault) {
+            attr.isDefault = true;
+          }
+          IDPSSODescriptor.push({ SingleSignOnService: [{ _attr: attr }] });
+        });
+      } else {
+        throw new Error('ERR_IDP_METADATA_MISSING_SINGLE_SIGN_ON_SERVICE');
+      }
+
+      if (isNonEmptyArray(singleLogoutService)) {
+        singleLogoutService.forEach((a, indexCount) => {
+          const attr: any = {};
+          if (a.isDefault) {
+            attr.isDefault = true;
+          }
+          attr.Binding = a.Binding;
+          attr.Location = a.Location;
+          IDPSSODescriptor.push({ SingleLogoutService: [{ _attr: attr }] });
+        });
+      } else {
+        console.warn('Construct identity  provider - missing endpoint of SingleLogoutService');
+      }
+      // Create a new metadata by setting
+      meta = xml([{
+        EntityDescriptor: [{
+          _attr: {
+            'xmlns': namespace.names.metadata,
+            'xmlns:assertion': namespace.names.assertion,
+            'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
+            entityID,
+          },
+        }, { IDPSSODescriptor }],
+      }]);
+    }
+
+    super(meta as string | Buffer, [
+      {
+        key: 'wantAuthnRequestsSigned',
+        localPath: ['EntityDescriptor', 'IDPSSODescriptor'],
+        attributes: ['WantAuthnRequestsSigned'],
+      },
+      {
+        key: 'singleSignOnService',
+        localPath: ['EntityDescriptor', 'IDPSSODescriptor', 'SingleSignOnService'],
+        index: ['Binding'],
+        attributePath: [],
+        attributes: ['Location']
+      },
+    ]);
+
+  }
+
+  /**
+  * @desc Get the preference whether it wants a signed request
+  * @return {boolean} WantAuthnRequestsSigned
+  */
+  isWantAuthnRequestsSigned(): boolean {
+    const was = this.meta.wantAuthnRequestsSigned;
+    if (was === undefined) {
+      return false;
+    }
+    return String(was) === 'true';
+  }
+
+  /**
+  * @desc Get the entity endpoint for single sign on service
+  * @param  {string} binding      protocol binding (e.g. redirect, post)
+  * @return {string/object} location
+  */
+  getSingleSignOnService(binding: string): string | object {
+    if (isString(binding)) {
+      const bindName = namespace.binding[binding];
+      const service = this.meta.singleSignOnService[bindName];
+      if (service) {
+        return service;
+      }
+    }
+    return this.meta.singleSignOnService;
+  }
+}

package/src/metadata-sp.ts

@@ -0,0 +1,268 @@
+/**
+* @file metadata-sp.ts
+* @author tngan
+* @desc  Metadata of service provider
+*/
+import Metadata, { MetadataInterface } from './metadata.js';
+import { MetadataSpConstructor, MetadataSpOptions } from './types.js';
+import { namespace, elementsOrder as order } from './urn.js';
+import libsaml from './libsaml.js';
+import { castArrayOpt, isNonEmptyArray, isString } from './utility.js';
+import xml from 'xml';
+import {AttrService,ServiceName,RequestedAttribute,AttributeConsumingService} from './types.js'
+export interface SpMetadataInterface extends MetadataInterface {
+
+}
+
+// https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf (P.16, 18)
+interface MetaElement {
+  KeyDescriptor?: any[];
+  NameIDFormat?: any[];
+  SingleLogoutService?: any[];
+  AssertionConsumerService?: any[];
+  AttributeConsumingService?: any[];
+}
+
+/*
+ * @desc interface function
+ */
+export default function(meta: MetadataSpConstructor) {
+  return new SpMetadata(meta);
+}
+
+/**
+* @desc SP Metadata is for creating Service Provider, provides a set of API to manage the actions in SP.
+*/
+export class SpMetadata extends Metadata {
+
+  /**
+  * @param  {object/string} meta (either xml string or configuration in object)
+  * @return {object} prototypes including public functions
+  */
+  constructor(meta: MetadataSpConstructor) {
+
+    const isFile = isString(meta) || meta instanceof Buffer;
+
+    // use object configuration instead of importing metadata file directly
+    if (!isFile) {
+
+      const {
+        elementsOrder = order.default,
+        entityID,
+        signingCert,
+        encryptCert,
+        authnRequestsSigned = false,
+        wantAssertionsSigned = false,
+        wantMessageSigned = false,
+        signatureConfig,
+        nameIDFormat = [],
+        singleLogoutService = [],
+        assertionConsumerService = [],
+        attributeConsumingService = []
+      } = meta as MetadataSpOptions;
+
+      const descriptors: MetaElement = {
+        KeyDescriptor: [],
+        NameIDFormat: [],
+        SingleLogoutService: [],
+        AssertionConsumerService: [],
+        AttributeConsumingService: [],
+      };
+
+      const SPSSODescriptor: any[] = [{
+        _attr: {
+          AuthnRequestsSigned: String(authnRequestsSigned),
+          WantAssertionsSigned: String(wantAssertionsSigned),
+          protocolSupportEnumeration: namespace.names.protocol,
+        },
+      }];
+
+      if (wantMessageSigned && signatureConfig === undefined) {
+        console.warn('Construct service provider - missing signatureConfig');
+      }
+
+      for(const cert of castArrayOpt(signingCert)) {
+        descriptors.KeyDescriptor!.push(libsaml.createKeySection('signing', cert).KeyDescriptor);
+      }
+
+      for(const cert of castArrayOpt(encryptCert)) {
+        descriptors.KeyDescriptor!.push(libsaml.createKeySection('encryption', cert).KeyDescriptor);
+      }
+
+      if (isNonEmptyArray(nameIDFormat)) {
+        nameIDFormat.forEach(f => descriptors.NameIDFormat!.push(f));
+      } else {
+        // default value
+        descriptors.NameIDFormat!.push(namespace.format.emailAddress);
+      }
+
+      if (isNonEmptyArray(singleLogoutService)) {
+        singleLogoutService.forEach(a => {
+          const attr: any = {
+            Binding: a.Binding,
+            Location: a.Location,
+          };
+          if (a.isDefault) {
+            attr.isDefault = true;
+          }
+          descriptors.SingleLogoutService!.push([{ _attr: attr }]);
+        });
+      }
+
+      if (isNonEmptyArray(assertionConsumerService)) {
+        let indexCount = 0;
+        assertionConsumerService.forEach(a => {
+          const attr: any = {
+            index: String(indexCount++),
+            Binding: a.Binding,
+            Location: a.Location,
+          };
+          if (a.isDefault) {
+            attr.isDefault = true;
+          }
+          descriptors.AssertionConsumerService!.push([{ _attr: attr }]);
+        });
+      } else {
+        console.warn('Missing endpoint of AssertionConsumerService');
+      }
+      // 修改原有处理逻辑
+      if (isNonEmptyArray(attributeConsumingService)) {
+        attributeConsumingService.forEach((service,index)=> {
+          // 1. 构建AttributeConsumingService主元素
+          let indexCount = 0;
+          let  attrConsumingService: any[] = [{
+            _attr: {
+              index: String(index + 1),
+            }
+          }];
+          if (service.isDefault) {
+            attrConsumingService[0]._attr.isDefault = true;
+          }
+          // 2. 添加ServiceName子元素
+          if (isNonEmptyArray(  service.serviceName)){
+            service.serviceName.forEach(({ value, lang }) => {
+              attrConsumingService.push({
+                ServiceName: [
+                  {
+                    _attr: lang ? { 'xml:lang': lang } : {},
+                  },
+                  value
+                ]
+              });
+            });
+          }
+
+          if (isNonEmptyArray(  service.serviceDescription)){
+            service.serviceDescription.forEach(({ value, lang }) => {
+              attrConsumingService.push({
+                ServiceDescription: [
+                  {
+                    _attr: lang ? { 'xml:lang': lang } : {},
+                  },
+                  value
+                ]
+              });
+            });
+          }
+          // 3. 添加RequestedAttribute子元素
+          if (isNonEmptyArray(service.requestedAttributes)) {
+            service.requestedAttributes.forEach(attr => {
+              const requestedAttr: any = {
+                _attr: {
+                  ...(attr.isRequired && { isRequired: String(attr.isRequired) }),
+                  Name: attr.name,
+                  ...(attr.friendlyName && { FriendlyName: attr.friendlyName }),
+                }
+              };
+/*              // 处理属性值白名单
+              if (isNonEmptyArray(attr.attributeValue)) {
+                requestedAttr[namespace.tags.attributeValue] = attr.attributeValue.map(val => ({
+                  _: val
+                }));
+              }*/
+              attrConsumingService.push({
+                RequestedAttribute: [requestedAttr]
+              });
+            });
+          }
+
+          // 4. 将完整元素加入描述符
+          descriptors.AttributeConsumingService!.push(attrConsumingService);
+        });
+      }
+
+      // handle element order
+      const existedElements = elementsOrder.filter(name => isNonEmptyArray(descriptors[name]));
+      existedElements.forEach(name => {
+        descriptors[name].forEach(e => SPSSODescriptor.push({ [name]: e }));
+      });
+      // Re-assign the meta reference as a XML string|Buffer for use with the parent constructor
+      meta = xml([{
+        EntityDescriptor: [{
+          _attr: {
+            entityID,
+            'xmlns': namespace.names.metadata,
+            'xmlns:assertion': namespace.names.assertion,
+            'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
+          },
+        }, { SPSSODescriptor }],
+      }]);
+
+    }
+
+    // Use the re-assigned meta object reference here
+    super(meta as string | Buffer, [
+      {
+        key: 'spSSODescriptor',
+        localPath: ['EntityDescriptor', 'SPSSODescriptor'],
+        attributes: ['WantAssertionsSigned', 'AuthnRequestsSigned'],
+      },
+      {
+        key: 'assertionConsumerService',
+        localPath: ['EntityDescriptor', 'SPSSODescriptor', 'AssertionConsumerService'],
+        attributes: ['Binding', 'Location', 'isDefault', 'index'],
+      }
+    ]);
+
+  }
+
+  /**
+  * @desc Get the preference whether it wants a signed assertion response
+  * @return {boolean} Wantassertionssigned
+  */
+  public isWantAssertionsSigned(): boolean {
+    return this.meta.spSSODescriptor.wantAssertionsSigned === 'true';
+  }
+  /**
+  * @desc Get the preference whether it signs request
+  * @return {boolean} Authnrequestssigned
+  */
+  public isAuthnRequestSigned(): boolean {
+    return this.meta.spSSODescriptor.authnRequestsSigned === 'true';
+  }
+  /**
+  * @desc Get the entity endpoint for assertion consumer service
+  * @param  {string} binding         protocol binding (e.g. redirect, post)
+  * @return {string/[string]} URL of endpoint(s)
+  */
+  public getAssertionConsumerService(binding: string): string | string[] {
+    if (isString(binding)) {
+      let location;
+      const bindName = namespace.binding[binding];
+      if (isNonEmptyArray(this.meta.assertionConsumerService)) {
+        this.meta.assertionConsumerService.forEach(obj => {
+          if (obj.binding === bindName) {
+            location = obj.location;
+            return;
+          }
+        });
+      } else {
+        if (this.meta.assertionConsumerService.binding === bindName) {
+          location = this.meta.assertionConsumerService.location;
+        }
+      }
+      return location;
+    }
+    return this.meta.assertionConsumerService;
+  }
+}

package/src/metadata.ts

@@ -0,0 +1,166 @@
+/**
+* @file metadata.ts
+* @author tngan
+* @desc An abstraction for metadata of identity provider and service provider
+*/
+import * as fs from 'fs';
+import { namespace } from './urn.js';
+import { extract } from './extractor.js';
+import { isString } from './utility.js';
+
+export interface MetadataInterface {
+  xmlString: string;
+  getMetadata: () => string;
+  exportMetadata: (exportFile: string) => void;
+  getEntityID: () => string;
+  getX509Certificate: (certType: string) => string | string[];
+  getNameIDFormat: () => any[];
+  getSingleLogoutService: (binding: string | undefined) => string | object;
+  getSupportBindings: (services: string[]) => string[];
+}
+
+export default class Metadata implements MetadataInterface {
+
+  xmlString: string;
+  meta: any;
+
+  /**
+  * @param  {string | Buffer} xml
+  * @param  {object} extraParse for custom metadata extractor
+  */
+  constructor(xml: string | Buffer, extraParse: any = []) {
+    this.xmlString = xml.toString();
+    this.meta = extract(this.xmlString, extraParse.concat([
+      {
+        key: 'entityDescriptor',
+        localPath: ['EntityDescriptor'],
+        attributes: [],
+        context: true
+      },
+      {
+        key: 'entityID',
+        localPath: ['EntityDescriptor'],
+        attributes: ['entityID']
+      },
+      {
+        // shared certificate for both encryption and signing
+        key: 'sharedCertificate',
+        localPath: ['EntityDescriptor', '~SSODescriptor', 'KeyDescriptor', 'KeyInfo', 'X509Data', 'X509Certificate'],
+        attributes: []
+      },
+      {
+        // explicit certificate declaration for encryption and signing
+        key: 'certificate',
+        localPath: ['EntityDescriptor', '~SSODescriptor', 'KeyDescriptor'],
+        index: ['use'],
+        attributePath: ['KeyInfo', 'X509Data', 'X509Certificate'],
+        attributes: []
+      },
+      {
+        key: 'singleLogoutService',
+        localPath: ['EntityDescriptor', '~SSODescriptor', 'SingleLogoutService'],
+        attributes: ['Binding', 'Location']
+      },
+      {
+        key: 'nameIDFormat',
+        localPath: ['EntityDescriptor', '~SSODescriptor', 'NameIDFormat'],
+        attributes: [],
+      }
+    ]));
+
+    // get shared certificate
+    const sharedCertificate = this.meta.sharedCertificate;
+    if (typeof sharedCertificate === 'string') {
+      this.meta.certificate = {
+        signing: sharedCertificate,
+        encryption: sharedCertificate
+      };
+      delete this.meta.sharedCertificate;
+    }
+
+    if (
+      Array.isArray(this.meta.entityDescriptor) &&
+      this.meta.entityDescriptor.length > 1
+    ) {
+      throw new Error('ERR_MULTIPLE_METADATA_ENTITYDESCRIPTOR');
+    }
+
+  }
+
+  /**
+  * @desc Get the metadata in xml format
+  * @return {string} metadata in xml format
+  */
+  public getMetadata(): string {
+    return this.xmlString;
+  }
+
+  /**
+  * @desc Export the metadata to specific file
+  * @param {string} exportFile is the output file path
+  */
+  public exportMetadata(exportFile: string): void {
+    fs.writeFileSync(exportFile, this.xmlString);
+  }
+
+  /**
+  * @desc Get the entityID in metadata
+  * @return {string} entityID
+  */
+  public getEntityID(): string {
+    return this.meta.entityID;
+  }
+
+  /**
+  * @desc Get the x509 certificate declared in entity metadata
+  * @param  {string} use declares the type of certificate
+  * @return {string} certificate in string format
+  */
+  public getX509Certificate(use: string) {
+    return this.meta.certificate[use] || null;
+  }
+
+  /**
+  * @desc Get the support NameID format declared in entity metadata
+  * @return {array} support NameID format
+  */
+  public getNameIDFormat(): any {
+    return this.meta.nameIDFormat;
+  }
+
+  /**
+  * @desc Get the entity endpoint for single logout service
+  * @param  {string} binding e.g. redirect, post
+  * @return {string/object} location
+  */
+  public getSingleLogoutService(binding: string | undefined): string | object {
+    if (binding && isString(binding)) {
+      const bindType = namespace.binding[binding];
+      let singleLogoutService = this.meta.singleLogoutService;
+      if (!(singleLogoutService instanceof Array)) {
+        singleLogoutService = [singleLogoutService];
+       }
+      const service = singleLogoutService.find(obj => obj.binding === bindType);
+      if (service) {
+        return service.location;
+      }
+    }
+    return this.meta.singleLogoutService;
+  }
+
+  /**
+  * @desc Get the support bindings
+  * @param  {[string]} services
+  * @return {[string]} support bindings
+  */
+  public getSupportBindings(services: string[]): string[] {
+    let supportBindings = [];
+    if (services) {
+      supportBindings = services.reduce((acc: any, service) => {
+        const supportBinding = Object.keys(service)[0];
+        return acc.push(supportBinding);
+      }, []);
+    }
+    return supportBindings;
+  }
+}