npm - samlesa - Versions diffs - 2.16.6 → 2.17.1 - Mend

samlesa 2.16.6 → 2.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of samlesa might be problematic. Click here for more details.

Files changed (82) hide show

package/README.md +30 -50
package/build/index.js +2 -1
package/build/src/binding-artifact.js +330 -146
package/build/src/binding-post.js +45 -31
package/build/src/binding-redirect.js +0 -10
package/build/src/binding-simplesign.js +0 -1
package/build/src/entity-idp.js +1 -5
package/build/src/entity-sp.js +21 -96
package/build/src/extractor.js +48 -4
package/build/src/flow.js +24 -166
package/build/src/libsaml.js +468 -264
package/build/src/libsamlSoap.js +115 -0
package/build/src/schema/xml.xsd +88 -88
package/build/src/schemaValidator.js +5 -13
package/build/src/soap.js +123 -3
package/build/src/utility.js +12 -7
package/package.json +77 -81
package/types/api.d.ts +15 -0
package/types/api.d.ts.map +1 -0
package/types/binding-post.d.ts +48 -0
package/types/binding-post.d.ts.map +1 -0
package/types/binding-redirect.d.ts +54 -0
package/types/binding-redirect.d.ts.map +1 -0
package/types/binding-simplesign.d.ts +41 -0
package/types/binding-simplesign.d.ts.map +1 -0
package/types/entity-idp.d.ts +38 -0
package/types/entity-idp.d.ts.map +1 -0
package/types/entity-sp.d.ts +38 -0
package/types/entity-sp.d.ts.map +1 -0
package/types/entity.d.ts +100 -0
package/types/entity.d.ts.map +1 -0
package/types/extractor.d.ts +26 -0
package/types/extractor.d.ts.map +1 -0
package/types/flow.d.ts +7 -0
package/types/flow.d.ts.map +1 -0
package/types/index.d.ts +2 -1
package/types/index.d.ts.map +1 -1
package/types/libsaml.d.ts +208 -0
package/types/libsaml.d.ts.map +1 -0
package/types/metadata-idp.d.ts +25 -0
package/types/metadata-idp.d.ts.map +1 -0
package/types/metadata-sp.d.ts +37 -0
package/types/metadata-sp.d.ts.map +1 -0
package/types/metadata.d.ts +58 -0
package/types/metadata.d.ts.map +1 -0
package/types/src/api.d.ts +3 -3
package/types/src/api.d.ts.map +1 -1
package/types/src/binding-artifact.d.ts +24 -29
package/types/src/binding-artifact.d.ts.map +1 -1
package/types/src/binding-post.d.ts +22 -22
package/types/src/binding-post.d.ts.map +1 -1
package/types/src/binding-redirect.d.ts.map +1 -1
package/types/src/binding-simplesign.d.ts.map +1 -1
package/types/src/entity-idp.d.ts +3 -4
package/types/src/entity-idp.d.ts.map +1 -1
package/types/src/entity-sp.d.ts +13 -24
package/types/src/entity-sp.d.ts.map +1 -1
package/types/src/entity.d.ts.map +1 -1
package/types/src/extractor.d.ts +22 -0
package/types/src/extractor.d.ts.map +1 -1
package/types/src/flow.d.ts +1 -0
package/types/src/flow.d.ts.map +1 -1
package/types/src/libsaml.d.ts +16 -7
package/types/src/libsaml.d.ts.map +1 -1
package/types/src/libsamlSoap.d.ts +7 -0
package/types/src/libsamlSoap.d.ts.map +1 -0
package/types/src/schemaValidator.d.ts +1 -1
package/types/src/schemaValidator.d.ts.map +1 -1
package/types/src/soap.d.ts +33 -0
package/types/src/soap.d.ts.map +1 -1
package/types/src/utility.d.ts.map +1 -1
package/types/src/validator.d.ts.map +1 -1
package/types/types.d.ts +128 -0
package/types/types.d.ts.map +1 -0
package/types/urn.d.ts +195 -0
package/types/urn.d.ts.map +1 -0
package/types/utility.d.ts +133 -0
package/types/utility.d.ts.map +1 -0
package/types/validator.d.ts +4 -0
package/types/validator.d.ts.map +1 -0
package/build/src/schema/XMLSchema.dtd +0 -402
package/build/src/schema/datatypes.dtd +0 -203

package/build/src/flow.js CHANGED Viewed

@@ -1,10 +1,6 @@
 import { base64Decode } from './utility.js';
 import { verifyTime } from './validator.js';
 import libsaml from './libsaml.js';
-import * as uuid from 'uuid';
-import { select } from 'xpath';
-import { DOMParser } from '@xmldom/xmldom';
-import { sendArtifactResolve } from "./soap.js";
 import { extract, loginRequestFields, loginResponseFields, loginResponseStatusFields, loginArtifactResponseStatusFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields } from './extractor.js';
 import { BindingNamespace, ParserType, StatusCode, wording } from './urn.js';
 const bindDict = wording.binding;
@@ -126,58 +122,15 @@ async function redirectFlow(options) {
 }
 // proceed the post flow
 async function postFlow(options) {
-    const { soap = false, request, from, self, parserType, checkSignature = true } = options;
+    const { request, from, self, parserType, checkSignature = true } = options;
     const { body } = request;
     const direction = libsaml.getQueryParamByType(parserType);
     let encodedRequest = '';
     let samlContent = '';
-    if (soap === false) {
-        encodedRequest = body[direction];
-        // @ts-ignore
-        samlContent = String(base64Decode(encodedRequest));
-    }
+    encodedRequest = body[direction];
+    // @ts-ignore
+    samlContent = String(base64Decode(encodedRequest));
     /** 增加判断是不是Soap 工件绑定*/
-    if (soap) {
-        const metadata = {
-            idp: from.entityMeta,
-            sp: self.entityMeta,
-        };
-        const spSetting = self.entitySetting;
-        let ID = '_' + uuid.v4();
-        let url = metadata.idp.getArtifactResolutionService(bindDict.soap);
-        let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
-            ID: ID,
-            Destination: url,
-            Issuer: metadata.sp.getEntityID(),
-            IssueInstant: new Date().toISOString(),
-            Art: request.Art
-        });
-        if (!metadata.idp.isWantAuthnRequestsSigned()) {
-            samlContent = await sendArtifactResolve(url, samlSoapRaw);
-        }
-        if (metadata.idp.isWantAuthnRequestsSigned()) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-            let signatureSoap = libsaml.constructSAMLSignature({
-                referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
-                isMessageSigned: false,
-                isBase64Output: false,
-                transformationAlgorithms: transformationAlgorithms,
-                privateKey,
-                privateKeyPass,
-                signatureAlgorithm,
-                rawSamlMessage: samlSoapRaw,
-                signingCert: metadata.sp.getX509Certificate('signing'),
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: {
-                        reference: "//*[local-name(.)='Issuer']",
-                        action: 'after'
-                    }
-                }
-            });
-            samlContent = await sendArtifactResolve(url, signatureSoap);
-        }
-    }
     const verificationOptions = {
         metadata: from.entityMeta,
         signatureAlgorithm: from.entitySetting.requestSignatureAlgorithm,
@@ -196,92 +149,26 @@ async function postFlow(options) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
-    await checkStatus(samlContent, parserType, soap);
+    await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
-    if (soap === true) {
-        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignatureSoap(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired;
-        if (!verified) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-        if (parserType === 'SAMLResponse' && decryptRequired) {
-            // 1. 解密断言
-            const [decryptedSAML, decryptedAssertion] = await libsaml.decryptAssertionSoap(self, samlContent);
-            // 2. 检查解密后的断言是否包含签名
-            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'text/xml');
-            const assertionSignatureNodes = select("./*[local-name()='Signature']", assertionDoc.documentElement);
-            // 3. 如果存在签名则验证
-            if (assertionSignatureNodes.length > 0) {
-                // 3.1 创建新的验证选项（保持原配置）
-                const assertionVerificationOptions = {
-                    ...verificationOptions,
-                    isAssertion: true // 添加标识表示正在验证断言
-                };
-                // 3.2 验证断言签名
-                const [assertionVerified, result] = libsaml.verifySignatureSoap(decryptedAssertion, assertionVerificationOptions);
-                if (!assertionVerified) {
-                    console.error("解密后的断言签名验证失败");
-                    return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
-                }
-                if (assertionVerified) {
-                    // @ts-ignore
-                    samlContent = result;
-                    extractorFields = getDefaultExtractorFields(parserType, result);
-                }
-            }
-            else {
-                samlContent = decryptedAssertion;
-                extractorFields = getDefaultExtractorFields(parserType, decryptedAssertion);
-            }
-        }
+    const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
+    decryptRequired = isDecryptRequired;
+    if (isDecryptRequired && noSignature) {
+        const result = await libsaml.decryptAssertion(self, samlContent);
+        samlContent = result[0];
+        extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    if (soap === false) {
-        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired;
-        if (!verified) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-        if (parserType === 'SAMLResponse' && decryptRequired) {
-            const result = await libsaml.decryptAssertion(self, samlContent);
-            samlContent = result[0];
-            extractorFields = getDefaultExtractorFields(parserType, result[1]);
-        }
+    if (!verified && !noSignature && !isDecryptRequired) {
+        return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+    }
+    if (!isDecryptRequired) {
+        extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+    }
+    if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
+        const result = await libsaml.decryptAssertion(self, samlContent);
+        samlContent = result[0];
+        extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -351,29 +238,13 @@ async function postArtifactFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    let res = await libsaml.isValidXml(samlContent);
+    let res = await libsaml.isValidXml(samlContent, true);
     if (parserType !== urlParams.samlResponse) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
     await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
     const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
     decryptRequired = isDecryptRequired;
     if (!verified) {
@@ -387,19 +258,6 @@ async function postArtifactFlow(options) {
         samlContent = result[0];
         extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -469,7 +327,7 @@ async function postSimpleSignFlow(options) {
     const xmlString = String(base64Decode(encodedRequest));
     // validate the xml
     try {
-        await libsaml.isValidXml(xmlString);
+        await libsaml.isValidXml(xmlString, false);
     }
     catch (e) {
         return Promise.reject('ERR_INVALID_XML');
@@ -546,7 +404,7 @@ async function postSimpleSignFlow(options) {
     }
     return Promise.resolve(parseResult);
 }
-function checkStatus(content, parserType, soap) {
+export function checkStatus(content, parserType, soap) {
     // only check response parser
     if (parserType !== urlParams.samlResponse && parserType !== urlParams.logoutResponse) {
         return Promise.resolve('SKIPPED');