samlesa 2.16.6 → 2.17.1

package/build/src/binding-post.js

@@ -1,18 +1,18 @@
 /**
-* @file binding-post.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using POST binding
-*/
+ * @file binding-post.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using POST binding
+ */
 import { wording, StatusCode } from './urn.js';
 import libsaml from './libsaml.js';
 import utility, { get } from './utility.js';
 const binding = wording.binding;
 /**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded login request
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
     const spSetting = entity.sp.entitySetting;
@@ -141,7 +141,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
         };
         // step: sign assertion ? -> encrypted ? -> sign message ?
         if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
             rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
@@ -149,7 +148,10 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
                 signatureConfig: {
                     prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
                 },
             });
         }
@@ -168,7 +170,19 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 },
             });
         }
-        // console.debug('after message signed', rawSamlResponse);
+        /*    if (spSetting.wantMessageSigned) {
+              // console.debug('sign then encrypt and sign entire message');
+              rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
+                },
+              });
+            }*/
         if (idpSetting.isAssertionEncrypted) {
             // console.debug('idp is configured to do encryption');
             const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
@@ -181,18 +195,18 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
             }
         }
         //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            rawSamlResponse = libsaml.constructSAMLSignature({
+        /*    if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+              rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
                 isMessageSigned: true,
                 transformationAlgorithms: spSetting.transformationAlgorithms,
                 signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
                 },
-            });
-        }
+              });
+            }*/
         return Promise.resolve({
             id,
             context: utility.base64Encode(rawSamlResponse),
@@ -201,13 +215,13 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
     throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout request
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {string} referenceTagXPath            reference uri
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} base64 encoded request
-*/
+ * @desc Generate a base64 encoded logout request
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {string} referenceTagXPath            reference uri
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} base64 encoded request
+ */
 function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
     const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
     const initSetting = entity.init.entitySetting;
@@ -262,12 +276,12 @@ function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplaceme
     throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded logout response
+ * @param  {object} requestInfo                 corresponding request, used to obtain the id
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
     const metadata = {
         init: entity.init.entityMeta,

package/build/src/binding-redirect.js

@@ -135,8 +135,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                 AllowCreate: spSetting.allowCreate,
             });
         }
-        console.log(rawSamlRequest);
-        console.log("-----------------这是原始请求模板-------------------");
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
             let signAuthnRequest = libsaml.constructSAMLSignature({
@@ -156,8 +154,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                     },
                 }
             });
-            console.log(signAuthnRequest);
-            console.log("签名后的模板");
             rawSamlRequest = signAuthnRequest;
         }
         /*            console.log(metadata.idp)
@@ -169,9 +165,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
             Issuer: metadata.sp.getEntityID(),
             AuthnRequest: rawSamlRequest
         });
-        console.log(soapTemplate);
-        console.log("======================最后结果========================");
-        console.log("======================开始签名根节点========================");
         let rootSignSoap = libsaml.constructSAMLSignature({
             isMessageSigned: true,
             isBase64Output: false,
@@ -186,8 +179,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                 location: { reference: "//*[local-name()='Header']", action: 'after' },
             }
         });
-        console.log(rootSignSoap);
-        console.log("======================已经签名========================");
         return {
             authnRequest: rootSignSoap
         };
@@ -224,7 +215,6 @@ function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, cu
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);

package/build/src/binding-simplesign.js

@@ -119,7 +119,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, relaySta
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);

package/build/src/entity-idp.js

@@ -59,11 +59,7 @@ export class IdentityProvider extends Entity {
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
             default:
-                context = await postBinding.base64LoginResponse(requestInfo, {
-                    idp: this,
-                    sp,
-                }, user, customTagReplacement, encryptThenSign, AttributeStatement);
-            /*       throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');*/
+                throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }
         return {
             ...context,

package/build/src/entity-sp.js

@@ -4,7 +4,7 @@
  * @desc  Declares the actions taken by service provider
  */
 import Entity from './entity.js';
-import * as crypto from "node:crypto";
+import Artifact from './binding-artifact.js';
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
@@ -61,12 +61,6 @@ export class ServiceProvider extends Entity {
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
-            case nsBinding.artifact:
-                context = artifactSignBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
-                    idp,
-                    sp: this
-                }, customTagReplacement);
-                break;
             default:
                 // Will support artifact in the next release
                 throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
@@ -78,39 +72,20 @@ export class ServiceProvider extends Entity {
             type: 'SAMLRequest',
         };
     }
-    /**
-     * @desc  Generates the Art login request for developers to design their own method
-     * @param  {IdentityProvider} idp               object of identity provider
-     * @param  {string}   binding                   protocol binding
-     * @param  {function} customTagReplacement     used when developers have their own login response template
-     */
-    createLoginRequestArt(idp, binding = 'redirect', customTagReplacement) {
+    async createLoginSoapRequest(idp, binding = 'artifact', config) {
         const nsBinding = namespace.binding;
         const protocol = nsBinding[binding];
         if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
             throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
         }
         let context = null;
-        switch (protocol) {
-            case nsBinding.redirect:
-                return redirectBinding.loginRequestRedirectURLArt({ idp, sp: this }, customTagReplacement);
-            case nsBinding.post:
-                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
-                    idp,
-                    sp: this,
-                    soap: true
-                }, customTagReplacement);
-                break;
-            default:
-                // Will support artifact in the next release
-                throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
-        }
-        return {
-            ...context,
-            relayState: this.entitySetting.relayState,
-            entityEndpoint: idp.entityMeta.getSingleSignOnService(binding),
-            type: 'SAMLRequest',
-        };
+        context = await artifactSignBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+            idp,
+            sp: this,
+            inResponse: config?.inResponseTo,
+            relayState: config?.relayState,
+        }, config?.customTagReplacement);
+        return context;
     }
     /**
      * @desc   Validation of the parsed the URL parameters
@@ -136,70 +111,20 @@ export class ServiceProvider extends Entity {
      * @param  {string}   binding                   protocol binding
      * @param  {request}   req                      request
      */
-    parseLoginResponseArt(idp, binding, request) {
+    parseLoginRequestResolve(idp, xml) {
         const self = this;
-        return flow({
-            soap: true,
-            from: idp,
-            self: self,
-            checkSignature: true, // saml response must have signature
-            parserType: 'SAMLResponse',
-            type: 'login',
-            binding: binding,
-            request: request
+        return Artifact.parseLoginRequestResolve({
+            idp: idp,
+            sp: self,
+            xml: xml
         });
     }
-    /**
-     * @desc   generate Art id
-     *
-     * @param entityIDString
-     */
-    createArt(entityIDString, endpointIndex = 0) {
-        let sourceEntityId = entityIDString ? entityIDString : this.entityMeta.getEntityID();
-        console.log(sourceEntityId);
-        console.log("0000000000000000000000000000000000000000");
-        // 1. 固定类型代码 (0x0004 - 2字节)
-        const typeCode = Buffer.from([0x00, 0x04]);
-        // 2. 端点索引 (2字节，大端序)
-        if (endpointIndex < 0 || endpointIndex > 65535) {
-            throw new Error('Endpoint index must be between 0 and 65535');
-        }
-        const endpointBuf = Buffer.alloc(2);
-        endpointBuf.writeUInt16BE(endpointIndex);
-        // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
-        const sourceId = crypto.createHash('sha1')
-            .update(sourceEntityId)
-            .digest();
-        // 4. Message Handler - 20字节随机值
-        const messageHandler = crypto.randomBytes(20);
-        // 组合所有组件 (2+2+20+20 = 44字节)
-        const artifact = Buffer.concat([typeCode, endpointBuf, sourceId, messageHandler]);
-        // 返回Base64编码的Artifact
-        return artifact.toString('base64');
-    }
-    /**
-     * @desc   generate Art id
-     * @param artifact
-     */
-    parseArt(artifact) {
-        // 解码 Base64
-        const decoded = Buffer.from(artifact, 'base64');
-        // 确保长度正确（SAML 工件固定为 44 字节）
-        if (decoded.length !== 44) {
-            throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
-        }
-        // 读取前 4 字节（TypeCode + EndpointIndex）
-        const typeCode = decoded.readUInt16BE(0);
-        const endpointIndex = decoded.readUInt16BE(2);
-        // 使用 Buffer.from() 替代 slice()
-        const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-        decoded.byteOffset + 4, // 起始偏移量
-        20 // 长度
-        ).toString('hex');
-        const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-        decoded.byteOffset + 24, // 起始偏移量
-        20 // 长度
-        ).toString('hex');
-        return { typeCode, endpointIndex, sourceId, messageHandle };
+    parseLoginResponseResolve(idp, art, request) {
+        const self = this;
+        return Artifact.parseLoginResponseResolve({
+            idp: idp,
+            sp: self,
+            art: art
+        });
     }
 }

package/build/src/extractor.js

@@ -54,6 +54,38 @@ export const loginRequestFields = [
         context: true
     }
 ];
+export const artifactResolveFields = [
+    {
+        key: 'request',
+        localPath: ['ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version']
+    },
+    {
+        key: 'issuer', localPath: ['ArtifactResolve', 'Issuer'], attributes: []
+    },
+    {
+        key: 'Artifact', localPath: ['ArtifactResolve', 'Artifact'], attributes: []
+    },
+    {
+        key: 'signature', localPath: ['ArtifactResolve', 'Signature'], attributes: [], context: true
+    },
+];
+export const artifactResponseFields = [
+    {
+        key: 'request',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version']
+    },
+    {
+        key: 'issuer', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Issuer'], attributes: []
+    },
+    {
+        key: 'Artifact', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Artifact'], attributes: []
+    },
+    {
+        key: 'signature', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Signature'], attributes: [], context: true
+    },
+];
 // support two-tiers status code
 export const loginResponseStatusFields = [
     {
@@ -191,7 +223,7 @@ export const logoutResponseFields = [
 ];
 export function extract(context, fields) {
     const { dom } = getContext();
-    const rootDoc = dom.parseFromString(context);
+    const rootDoc = dom.parseFromString(context, 'application/xml');
     return fields.reduce((result, field) => {
         // get essential fields
         const key = field.key;
@@ -207,7 +239,7 @@ export function extract(context, fields) {
         // if shortcut is used, then replace the doc
         // it's a design for overriding the doc used during runtime
         if (shortcut) {
-            targetDoc = dom.parseFromString(shortcut);
+            targetDoc = dom.parseFromString(shortcut, 'application/xml');
         }
         // special case: multiple path
         /*
@@ -229,6 +261,7 @@ export function extract(context, fields) {
                 .join(' | ');
             return {
                 ...result,
+                // @ts-expect-error misssing Node properties are not needed
                 [key]: uniq(select(multiXPaths, targetDoc).map((n) => n.nodeValue).filter(notEmpty))
             };
         }
@@ -249,8 +282,10 @@ export function extract(context, fields) {
             // find the index in localpath
             const indexPath = buildAttributeXPath(index);
             const fullLocalXPath = `${baseXPath}${indexPath}`;
+            // @ts-expect-error misssing Node properties are not needed
             const parentNodes = select(baseXPath, targetDoc);
             // [uid, mail, edupersonaffiliation], ready for aggregate
+            // @ts-expect-error misssing Node properties are not needed
             const parentAttributes = select(fullLocalXPath, targetDoc).map((n) => n.value);
             // [attribute, attributevalue]
             const childXPath = buildAbsoluteXPath([last(localPath)].concat(attributePath));
@@ -258,8 +293,9 @@ export function extract(context, fields) {
             const fullChildXPath = `${childXPath}${childAttributeXPath}`;
             // [ 'test', 'test@example.com', [ 'users', 'examplerole1' ] ]
             const childAttributes = parentNodes.map(node => {
-                const nodeDoc = dom.parseFromString(node.toString());
+                const nodeDoc = dom.parseFromString(node.toString(), 'application/xml');
                 if (attributes.length === 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.nodeValue);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -267,6 +303,7 @@ export function extract(context, fields) {
                     return childValues;
                 }
                 if (attributes.length > 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.value);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -292,6 +329,7 @@ export function extract(context, fields) {
           }
         */
         if (isEntire) {
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             let value = null;
             if (node.length === 1) {
@@ -314,10 +352,13 @@ export function extract(context, fields) {
           }
         */
         if (attributes.length > 1) {
+            // @ts-ignore
             const baseNode = select(baseXPath, targetDoc).map(n => n.toString());
             const childXPath = `${buildAbsoluteXPath([last(localPath)])}${attributeXPath}`;
             const attributeValues = baseNode.map((node) => {
-                const nodeDoc = dom.parseFromString(node);
+                // @ts-ignore
+                const nodeDoc = dom.parseFromString(node, 'application/xml');
+                // @ts-ignore
                 const values = select(childXPath, nodeDoc).reduce((r, n) => {
                     r[camelCase(n.name, { locale: 'en-us' })] = n.value;
                     return r;
@@ -339,6 +380,7 @@ export function extract(context, fields) {
         */
         if (attributes.length === 1) {
             const fullPath = `${baseXPath}${attributeXPath}`;
+            // @ts-ignore
             const attributeValues = select(fullPath, targetDoc).map((n) => n.value);
             return {
                 ...result,
@@ -355,9 +397,11 @@ export function extract(context, fields) {
         */
         if (attributes.length === 0) {
             let attributeValue = null;
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             if (node.length === 1) {
                 const fullPath = `string(${baseXPath}${attributeXPath})`;
+                // @ts-expect-error misssing Node properties are not needed
                 attributeValue = select(fullPath, targetDoc);
             }
             if (node.length > 1) {