samlesa 2.14.6 → 2.14.8

package/README.md

@@ -5,51 +5,125 @@ Highly configurable Node.js SAML 2.0 library for Single Sign On
 
 ---
 
-## 🔄 本仓库为 [samlify](https://github.com/tngan/samlify) 的改进分支
-
-## 🔄 This repository is a fork of [samlify](https://github.com/tngan/samlify) with the following improvements:
+## 🔄 本仓库为 [samlify](https://github.com/tngan/samlify) 的改进分支版本，原作者[tngan](https://github.com/tngan)
 
 ### 主要改进 / Key Improvements
-- ✅ 将依赖包 `@authenio/xml-encryption` 替换为 `xml-encryption` 并升级版本，支持 SHA-256/512 加密和 OAEP 摘要方法  
-  ✅ Replaced `@authenio/xml-encryption` with `xml-encryption` (latest version adds SHA-256/512 and OAEP support)
 
-- 🛠️ 修复加密断言逻辑，支持 `EncryptedAssertion` 字段提取  
-  🛠️ Fixed encrypted assertion logic to handle `EncryptedAssertion` field
+- 📦 将 CJS模块打包转为 ESModule
 
-- 📦 默认配置增加 `AttributeConsumingService` 和属性声明生成  
-  📦 Added `AttributeConsumingService` to default elements and attribute value generation
+- ✅ 将依赖包 `@authenio/xml-encryption` 替换为 `xml-encryption` 并升级版本对 sha256/512 加密密钥 OAEP 摘要方法的支持
 
-- 🗑️ 移除自定义函数模板，通过 `AttributeStatement` 配置多值属性  
-  🗑️ Removed custom templates, added multi-value attribute support via `AttributeStatement`
+- 🛠️ 修复加密断言验证签名函数 verifySignature 提取`Assertion` 字段的错误，增加对加密断言  `EncryptedAssertion` 字段提取逻辑
 
-- 🔒 签名算法升级为 SHA-256+，默认加密算法 AES_256_GCM  
-  🔒 Upgraded signature algorithm to SHA-256+, default encryption to AES_256_GCM
+- 📦 ServiceProvider实例化函数 attributeConsumingService字段参函数， 生成默认的 `AttributeConsumingService` 元素和属性值
 
-- 📦 将 CJS 模块打包转为 ESModule  
-  📦 Migrated from CJS to ESModule packaging
+- 🗑️ 移除作为Idp使用 IdentityProvider 函数自定义函数模板loginResponseTemplate字段的支持，并改进了自定义函数替换。
+  改进createLoginResponse函数签名改为对象的传参方式
 
-- ⚙️ 将 `createLoginResponse` 改为对象传参，新增 `AttributeStatement` 参数  
-  ⚙️ Refactored `createLoginResponse` to use object parameters with `AttributeStatement`
+- 🔒 默认签名算法升级为 SHA-256，Idp默认加密算法为 AES_256_GCM
 
-- ⬆️ 升级依赖版本，移除 `node-rsa`/`node-forge`，改用原生 `crypto` 模块  
-  ⬆️ Upgraded dependencies, replaced `node-rsa`/`node-forge` with native `crypto`
+- ⬆️ 升级所有能够升级的依赖版本，移除 `node-rsa`/`node-forge` 模块儿,改用原生nodejs `crypto` 模块实现。
 
-- 🌐 将 `url` 库替换为 `URL` 原生 API  
-  🌐 Replaced `url` library with native `URL` API
+- 🌐 将 `url` 库替换为 `URL` 原生 API
+- 改进了如果响应为的绑定`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`,某些情况下未能DEFLATE压缩导致不能提取xml的异常情况的处理
+- 现在如果遇到加密响应无需显示传递 `isAssertionEncrypted` 字段,也无需传递 `MessageSignatureOrder`
+  字段。因为我认为是否加密应该是可以自动判断的，MessageSignatureOrder我修改了判断逻辑并在Keycloak 验证可以通过。使用前你应该自行验证这其中的风险
+- 默认 elementsOrder 增加了 AttributeConsumingService 适配
+- 我已经使用 Burp SAML Raider测试了 八种XSW都能良好的应对，以及XXE。你应该自行验证
 
 ---
 
 ## 欢迎 PR / Welcome PRs
+
 欢迎贡献代码或提供与其他框架集成的用例  
 Welcome contributions or integration examples with frameworks
 
 ---
 
 ## 安装 / Installation
+宁应该在使用的前提下首先设置验证其
 ```js
-import * as samlify from 'samlify';
-import * as validator from '@authenio/samlify-xsd-schema-validator';
 
+import * as validator from '@authenio/samlify-xsd-schema-validator';
+import * as Saml from "samlesa";
+import {Extractor,} from "samlesa";
+import validator from '@authenio/samlify-node-xmllint'
 // 设置模式验证器 / Set schema validator
-samlify.setSchemaValidator(validator);
+Saml.setSchemaValidator(validator);
+
+
+```
+
+## 生成密钥
+
+我们使用 openssl 生成密钥和证书用于测试。私钥可以使用密码保护，这是可选的。以下是生成私钥和自签名证书的命令。
+
+> openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
+> openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650
+
+## 当您作为IDP的伪代码使用示例
+
+```js
+/** 本代码正对不同的绑定做出的方式伪代码*/
+if (request.method === 'GET') {
+	data = request.query
+	bind = 'redirect'
+	infoQuery.query = request.query
+	let compressedResult = validateAndInflateSamlResponse(data.SAMLResponse)
+	console.log(compressedResult);
+	console.log("压缩结果---------------------")
+	infoQuery.octetString = buildOctetStringFromQuery(request.query)
+	dataResult = Extractor.extract(compressedResult.xml, loginResponseFields);
+}
+if (request.method === 'POST') {
+	data = request.body
+	bind = 'post'
+	infoQuery.body = request.body
+	dataResult = Extractor.extract(Base64.decode(decodeURIComponent(data.SAMLResponse)), loginResponseFields)
+}
+/** 宁应该自行实施根据响应提取出来的Issur去数据库查找元数据*/
+// 1. 提取SAML发行者信息
+if (!dataResult.issuer) {
+	return reply.view('errorHtml.html', {
+		errorMessage: `无效的发行者`, errorCode: StatusCode?.Responder, requestId: ""
+	})
+}
+
+let result = await samlCollection.findOne({issuer:dataResult.issuer});
+const idp = new Saml.IdentityProvider({
+	metadata: result.metadata,
+});
+
+/** 检查断言*/
+let extract = null
+/** 先看数据库有没有*/
+let bindType = 'post' //redirect post ......您应该自定判断 
+let parseResult = await sp.parseLoginResponse(idp, bindType, infoQuery)
+
+/**如果解析成功 你应该去验证元素结果中的 attribute 和 Audience issur是否是你期待的  inResponseTo检查  是否有必须的属性没有 都需要您进行严密的的考察 */
+
+if(upaboveFieldCheckAllSuccess){
+	return repla.view('success.ejs',{...your template data})
+}
+/*success.ejs template example */
+/**/
+<!-- 隐藏的 SAML 表单 -->
+/*
+<form id="saml-form" method="post" action="<%= entityEndpoint %>" style="display: none;">
+	<input type="hidden" name="<%= type %>" value="<%= context %>" />
+	<input type="hidden" name="RelayState" value="<%= relayState %>" />
+</form>
+
+<script>
+	// 延迟 1.5 秒提交以展示加载效果
+
+	document.getElementById('saml-form').submit();
+
+	// 兼容性处理：若 5 秒后仍未跳转显示提示
+	setTimeout(() => {
+	document.querySelector('.loading-subtext').textContent =
+		'跳转时间较长，请检查网络或联系系统管理员';
+}, 1500);
+</script>*/
+
 ```

package/build/index.js

@@ -16,4 +16,3 @@ export { Constants, Extractor,
 IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, 
 // set context
 setSchemaValidator, setDOMParserOptions };
-//# sourceMappingURL=index.js.map

package/build/src/api.js

@@ -1,6 +1,7 @@
 import { DOMParser as dom } from '@xmldom/xmldom';
+import { validate as defaultValidator } from "./schemaValidator.js";
 const context = {
-    validate: undefined,
+    validate: defaultValidator,
     dom: new dom()
 };
 export function getContext() {
@@ -16,4 +17,3 @@ export function setSchemaValidator(params) {
 export function setDOMParserOptions(options = {}) {
     context.dom = new dom(options);
 }
-//# sourceMappingURL=api.js.map

package/build/src/binding-post.js

@@ -335,4 +335,3 @@ const postBinding = {
     base64LogoutResponse,
 };
 export default postBinding;
-//# sourceMappingURL=binding-post.js.map

package/build/src/binding-redirect.js

@@ -310,4 +310,3 @@ const redirectBinding = {
     logoutResponseRedirectURL,
 };
 export default redirectBinding;
-//# sourceMappingURL=binding-redirect.js.map

package/build/src/binding-simplesign.js

@@ -199,4 +199,3 @@ const simpleSignBinding = {
     base64LoginResponse,
 };
 export default simpleSignBinding;
-//# sourceMappingURL=binding-simplesign.js.map

package/build/src/entity-idp.js

@@ -91,4 +91,3 @@ export class IdentityProvider extends Entity {
         });
     }
 }
-//# sourceMappingURL=entity-idp.js.map

package/build/src/entity-sp.js

@@ -86,4 +86,3 @@ export class ServiceProvider extends Entity {
         });
     }
 }
-//# sourceMappingURL=entity-sp.js.map

package/build/src/entity.js

@@ -191,4 +191,3 @@ export default class Entity {
         });
     }
 }
-//# sourceMappingURL=entity.js.map

package/build/src/extractor.js

@@ -359,4 +359,3 @@ export function extract(context, fields) {
         return result;
     }, {});
 }
-//# sourceMappingURL=extractor.js.map

package/build/src/flow.js

@@ -371,4 +371,3 @@ export function flow(options) {
     }
     return Promise.reject('ERR_UNEXPECTED_FLOW');
 }
-//# sourceMappingURL=flow.js.map

package/build/src/libsaml.js

@@ -311,79 +311,6 @@ const libSaml = () => {
             }
             return isBase64Output !== false ? utility.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
         },
-        checkSamlSignatureOrder(samlResponseXml) {
-            const { dom } = getContext();
-            const doc = dom.parseFromString(samlResponseXml, 'application/xml');
-            // 获取 Response 根节点
-            const response = doc.documentElement;
-            if (!response || response.localName !== "Response") {
-                throw new Error("Invalid SAML Response");
-            }
-            // 获取 Response 的 ID
-            const responseId = response.getAttribute("ID");
-            // 查找 Response 下的直接子节点
-            const children = Array.from(response.childNodes).filter((node) => node.nodeType === 1); // 过滤非元素节点
-            // 1. 查找签名块 (可能带不同前缀: ds: 或 dsig:)
-            const signature = children.find((node) => {
-                // @ts-ignore
-                const localName = node.nodeName;
-                console.log("这就是名字1");
-                console.log(localName);
-                // @ts-ignore
-                const ns = node.namespaceURI;
-                return ((localName.includes("Signature") && ns === "http://www.w3.org/2000/09/xmldsig#")
-                    || node.nodeName.includes("Signature"));
-            });
-            if (!signature) {
-                throw new Error("SAML Response is not signed");
-            }
-            // @ts-ignore
-            // 2. 检查签名的 Reference URI
-            // @ts-ignore
-            console.log(signature.getElementsByTagName("Reference"));
-            console.log("找到了神恶魔---------------");
-            // @ts-ignore
-            const reference = Array.from(signature.getElementsByTagName("Reference")).find((ref) => {
-                // @ts-ignore
-                console.log(ref?.parentNode?.localName);
-                console.log("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
-                // @ts-ignore
-                return ref?.parentNode?.localName?.includes("SignedInfo");
-            });
-            console.log(reference);
-            console.log("给我看一下-----------------");
-            // @ts-ignore
-            const referenceUri = reference?.getAttribute("URI") || "";
-            console.log("1他妈的-------------------");
-            console.log(referenceUri);
-            console.log(`#${responseId}`);
-            console.log("他妈的-------------------");
-            // 是否对整个 Response 签名
-            const isSignWholeResponse = referenceUri === `#${responseId}`;
-            // 3. 查找 EncryptedAssertion
-            const encryptedAssertion = children.find((node) => {
-                // @ts-ignore
-                const localName = node?.localName;
-                return ((localName === "EncryptedAssertion")
-                    || node.nodeName.includes("EncryptedAssertion"));
-            });
-            if (!encryptedAssertion) {
-                throw new Error("EncryptedAssertion not found");
-            }
-            // 4. 比较签名和加密断言的位置索引
-            const signatureIndex = children.indexOf(signature);
-            const encryptedIndex = children.indexOf(encryptedAssertion);
-            console.log(signatureIndex);
-            console.log(encryptedIndex);
-            console.log("66666666666666666");
-            // 判断逻辑
-            if (isSignWholeResponse && encryptedIndex > signatureIndex) {
-                return "encrypt-then-sign"; // 先加密后签名
-            }
-            else {
-                return "sign-then-encrypt"; // 先签名后加密
-            }
-        },
         /**
          * @desc Verify the XML signature
          * @param  {string} xml xml
@@ -767,4 +694,3 @@ const libSaml = () => {
     };
 };
 export default libSaml();
-//# sourceMappingURL=libsaml.js.map

package/build/src/metadata-idp.js

@@ -131,4 +131,3 @@ export class IdpMetadata extends Metadata {
         return this.meta.singleSignOnService;
     }
 }
-//# sourceMappingURL=metadata-idp.js.map

package/build/src/metadata-sp.js

@@ -237,4 +237,3 @@ export class SpMetadata extends Metadata {
         return this.meta.assertionConsumerService;
     }
 }
-//# sourceMappingURL=metadata-sp.js.map

package/build/src/metadata.js

@@ -136,4 +136,3 @@ export default class Metadata {
         return supportBindings;
     }
 }
-//# sourceMappingURL=metadata.js.map