samlesa 2.16.5 → 2.17.0

package/build/src/extractor.js

@@ -68,6 +68,19 @@ export const loginResponseStatusFields = [
     }
 ];
 // support two-tiers status code
+export const loginArtifactResponseStatusFields = [
+    {
+        key: 'top',
+        localPath: ['Envelope', 'Body', 'ArtifactResponse', 'Status', 'StatusCode'],
+        attributes: ['Value'],
+    },
+    {
+        key: 'second',
+        localPath: ['Envelope', 'Body', 'ArtifactResponse', 'Status', 'StatusCode', 'StatusCode'],
+        attributes: ['Value'],
+    }
+];
+// support two-tiers status code
 export const logoutResponseStatusFields = [
     {
         key: 'top',
@@ -178,7 +191,7 @@ export const logoutResponseFields = [
 ];
 export function extract(context, fields) {
     const { dom } = getContext();
-    const rootDoc = dom.parseFromString(context);
+    const rootDoc = dom.parseFromString(context, 'application/xml');
     return fields.reduce((result, field) => {
         // get essential fields
         const key = field.key;
@@ -194,7 +207,7 @@ export function extract(context, fields) {
         // if shortcut is used, then replace the doc
         // it's a design for overriding the doc used during runtime
         if (shortcut) {
-            targetDoc = dom.parseFromString(shortcut);
+            targetDoc = dom.parseFromString(shortcut, 'application/xml');
         }
         // special case: multiple path
         /*
@@ -216,6 +229,7 @@ export function extract(context, fields) {
                 .join(' | ');
             return {
                 ...result,
+                // @ts-expect-error misssing Node properties are not needed
                 [key]: uniq(select(multiXPaths, targetDoc).map((n) => n.nodeValue).filter(notEmpty))
             };
         }
@@ -236,8 +250,10 @@ export function extract(context, fields) {
             // find the index in localpath
             const indexPath = buildAttributeXPath(index);
             const fullLocalXPath = `${baseXPath}${indexPath}`;
+            // @ts-expect-error misssing Node properties are not needed
             const parentNodes = select(baseXPath, targetDoc);
             // [uid, mail, edupersonaffiliation], ready for aggregate
+            // @ts-expect-error misssing Node properties are not needed
             const parentAttributes = select(fullLocalXPath, targetDoc).map((n) => n.value);
             // [attribute, attributevalue]
             const childXPath = buildAbsoluteXPath([last(localPath)].concat(attributePath));
@@ -245,8 +261,9 @@ export function extract(context, fields) {
             const fullChildXPath = `${childXPath}${childAttributeXPath}`;
             // [ 'test', 'test@example.com', [ 'users', 'examplerole1' ] ]
             const childAttributes = parentNodes.map(node => {
-                const nodeDoc = dom.parseFromString(node.toString());
+                const nodeDoc = dom.parseFromString(node.toString(), 'application/xml');
                 if (attributes.length === 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.nodeValue);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -254,6 +271,7 @@ export function extract(context, fields) {
                     return childValues;
                 }
                 if (attributes.length > 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.value);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -279,6 +297,7 @@ export function extract(context, fields) {
           }
         */
         if (isEntire) {
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             let value = null;
             if (node.length === 1) {
@@ -301,10 +320,13 @@ export function extract(context, fields) {
           }
         */
         if (attributes.length > 1) {
+            // @ts-ignore
             const baseNode = select(baseXPath, targetDoc).map(n => n.toString());
             const childXPath = `${buildAbsoluteXPath([last(localPath)])}${attributeXPath}`;
             const attributeValues = baseNode.map((node) => {
-                const nodeDoc = dom.parseFromString(node);
+                // @ts-ignore
+                const nodeDoc = dom.parseFromString(node, 'application/xml');
+                // @ts-ignore
                 const values = select(childXPath, nodeDoc).reduce((r, n) => {
                     r[camelCase(n.name, { locale: 'en-us' })] = n.value;
                     return r;
@@ -326,6 +348,7 @@ export function extract(context, fields) {
         */
         if (attributes.length === 1) {
             const fullPath = `${baseXPath}${attributeXPath}`;
+            // @ts-ignore
             const attributeValues = select(fullPath, targetDoc).map((n) => n.value);
             return {
                 ...result,
@@ -342,9 +365,11 @@ export function extract(context, fields) {
         */
         if (attributes.length === 0) {
             let attributeValue = null;
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             if (node.length === 1) {
                 const fullPath = `string(${baseXPath}${attributeXPath})`;
+                // @ts-expect-error misssing Node properties are not needed
                 attributeValue = select(fullPath, targetDoc);
             }
             if (node.length > 1) {

package/build/src/flow.js

@@ -5,8 +5,8 @@ import * as uuid from 'uuid';
 import { select } from 'xpath';
 import { DOMParser } from '@xmldom/xmldom';
 import { sendArtifactResolve } from "./soap.js";
-import { extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields, loginResponseStatusFields } from './extractor.js';
-import { BindingNamespace, ParserType, wording, StatusCode } from './urn.js';
+import { extract, loginRequestFields, loginResponseFields, loginResponseStatusFields, loginArtifactResponseStatusFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields } from './extractor.js';
+import { BindingNamespace, ParserType, StatusCode, wording } from './urn.js';
 const bindDict = wording.binding;
 const urlParams = wording.urlParams;
 // get the default extractor fields based on the parserType
@@ -131,7 +131,7 @@ async function postFlow(options) {
     const direction = libsaml.getQueryParamByType(parserType);
     let encodedRequest = '';
     let samlContent = '';
-    if (soap === false) {
+    if (!soap) {
         encodedRequest = body[direction];
         // @ts-ignore
         samlContent = String(base64Decode(encodedRequest));
@@ -146,12 +146,15 @@ async function postFlow(options) {
         let ID = '_' + uuid.v4();
         let url = metadata.idp.getArtifactResolutionService(bindDict.soap);
         let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
-            ID: request?.messageHandle,
+            ID: ID,
             Destination: url,
             Issuer: metadata.sp.getEntityID(),
             IssueInstant: new Date().toISOString(),
             Art: request.Art
         });
+        if (!metadata.idp.isWantAuthnRequestsSigned()) {
+            samlContent = await sendArtifactResolve(url, samlSoapRaw);
+        }
         if (metadata.idp.isWantAuthnRequestsSigned()) {
             const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
             let signatureSoap = libsaml.constructSAMLSignature({
@@ -172,14 +175,8 @@ async function postFlow(options) {
                     }
                 }
             });
-            let data = await sendArtifactResolve(url, signatureSoap);
-            /*            console.log(signatureSoap)
-                        console.log("签过名的")*/
-            console.log(data);
-            console.log("keycloak数据----------------------");
-            samlContent = data;
+            samlContent = await sendArtifactResolve(url, signatureSoap);
         }
-        // No need to embeded XML signature
     }
     const verificationOptions = {
         metadata: from.entityMeta,
@@ -189,57 +186,33 @@ async function postFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    /*    let res = await libsaml.isValidXml(samlContent).catch((error)=>{
-            console.log(error);
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-            console.log("验证和结果-----------------------")
-        });
-        console.log(res);
-        console.log("验证和结果-----------------------")*/
+    let res = await libsaml.isValidXml(samlContent, soap).catch((error) => {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    });
+    if (res !== true) {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    }
     if (parserType !== urlParams.samlResponse) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
-    /*    await checkStatus(samlContent, parserType);*/
+    await checkStatus(samlContent, parserType, soap);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
-    if (soap === true) {
+    if (soap) {
         const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignatureSoap(samlContent, verificationOptions);
         decryptRequired = isDecryptRequired;
         if (!verified) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         if (!decryptRequired) {
-            console.log("-------------------走到了这里----------------------");
             extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
         }
         if (parserType === 'SAMLResponse' && decryptRequired) {
             // 1. 解密断言
             const [decryptedSAML, decryptedAssertion] = await libsaml.decryptAssertionSoap(self, samlContent);
-            console.log(decryptedAssertion);
-            console.log("解密数据-----------------------------");
             // 2. 检查解密后的断言是否包含签名
-            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'text/xml');
+            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'application/xml');
+            // @ts-ignore
             const assertionSignatureNodes = select("./*[local-name()='Signature']", assertionDoc.documentElement);
             // 3. 如果存在签名则验证
             if (assertionSignatureNodes.length > 0) {
@@ -250,11 +223,7 @@ async function postFlow(options) {
                 };
                 // 3.2 验证断言签名
                 const [assertionVerified, result] = libsaml.verifySignatureSoap(decryptedAssertion, assertionVerificationOptions);
-                console.log(assertionVerified);
-                console.log(result);
-                console.log("验证机结果--------------");
                 if (!assertionVerified) {
-                    console.error("解密后的断言签名验证失败");
                     return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
                 }
                 if (assertionVerified) {
@@ -269,34 +238,26 @@ async function postFlow(options) {
             }
         }
     }
-    if (soap === false) {
-        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
+    if (!soap) {
+        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
         decryptRequired = isDecryptRequired;
-        if (!verified) {
+        if (isDecryptRequired && noSignature) {
+            const result = await libsaml.decryptAssertion(self, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        if (!verified && !noSignature && !isDecryptRequired) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         if (!decryptRequired) {
             extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
         }
-        if (parserType === 'SAMLResponse' && decryptRequired) {
+        if (parserType === 'SAMLResponse' && decryptRequired && !noSignature) {
             const result = await libsaml.decryptAssertion(self, samlContent);
             samlContent = result[0];
             extractorFields = getDefaultExtractorFields(parserType, result[1]);
         }
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -307,10 +268,6 @@ async function postFlow(options) {
     const targetEntityMetadata = from.entityMeta;
     const issuer = targetEntityMetadata.getEntityID();
     const extractedProperties = parseResult.extract;
-    console.log(extractedProperties);
-    console.log(parseResult);
-    console.log("解析结果----------------------------------");
-    console.log("签发这-----------");
     // unmatched issuer
     if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
         && extractedProperties
@@ -370,29 +327,13 @@ async function postArtifactFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    let res = await libsaml.isValidXml(samlContent);
+    let res = await libsaml.isValidXml(samlContent, true);
     if (parserType !== urlParams.samlResponse) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
     await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
     const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
     decryptRequired = isDecryptRequired;
     if (!verified) {
@@ -406,19 +347,6 @@ async function postArtifactFlow(options) {
         samlContent = result[0];
         extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -488,7 +416,7 @@ async function postSimpleSignFlow(options) {
     const xmlString = String(base64Decode(encodedRequest));
     // validate the xml
     try {
-        await libsaml.isValidXml(xmlString);
+        await libsaml.isValidXml(xmlString, false);
     }
     catch (e) {
         return Promise.reject('ERR_INVALID_XML');
@@ -565,14 +493,19 @@ async function postSimpleSignFlow(options) {
     }
     return Promise.resolve(parseResult);
 }
-function checkStatus(content, parserType) {
+function checkStatus(content, parserType, soap) {
     // only check response parser
     if (parserType !== urlParams.samlResponse && parserType !== urlParams.logoutResponse) {
         return Promise.resolve('SKIPPED');
     }
-    const fields = parserType === urlParams.samlResponse
+    let fields = parserType === urlParams.samlResponse
         ? loginResponseStatusFields
         : logoutResponseStatusFields;
+    if (soap === true) {
+        fields = parserType === urlParams.samlResponse
+            ? loginArtifactResponseStatusFields
+            : logoutResponseStatusFields;
+    }
     const { top, second } = extract(content, fields);
     // only resolve when top-tier status code is success
     if (top === StatusCode.Success) {