samlesa 2.16.6 → 2.17.1

package/build/src/libsamlSoap.js

@@ -0,0 +1,115 @@
+import { getContext } from "./api.js";
+import { select } from "xpath";
+import { SignedXml } from "xml-crypto";
+import fs from "fs";
+import utility, { flattenDeep } from "./utility.js";
+import libsaml from "./libsaml.js";
+import { wording } from "./urn.js";
+import { DOMParser } from '@xmldom/xmldom';
+const certUse = wording.certUse;
+const docParser = new DOMParser();
+async function verifyAndDecryptSoapMessage(xml, opts) {
+    const { dom } = getContext();
+    const doc = dom.parseFromString(xml, 'application/xml');
+    const docParser = new DOMParser();
+    let type = '';
+    // 为 SOAP 消息定义 XPath
+    const artifactResolveXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResolve']";
+    const artifactResponseXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResponse']";
+    // 检测 ArtifactResolve 或 ArtifactResponse 的存在
+    // @ts-expect-error
+    const artifactResolveNodes = select(artifactResolveXpath, doc);
+    // @ts-expect-error
+    const artifactResponseNodes = select(artifactResponseXpath, doc);
+    // 根据消息类型选择合适的 XPath
+    let basePath = "";
+    if (artifactResolveNodes?.length > 0) {
+        type = 'artifactResolve';
+        basePath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResolve']";
+    }
+    else if (artifactResponseNodes?.length > 0) {
+        type = 'artifactResponse';
+        basePath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResponse']";
+    }
+    else {
+        throw new Error('ERR_UNSUPPORTED_SOAP_MESSAGE_TYPE');
+    }
+    // 基于 SOAP 结构重新定义 XPath
+    const messageSignatureXpath = `${basePath}/*[local-name(.)='Signature']`;
+    // @ts-expect-error
+    const messageSignatureNode = select(messageSignatureXpath, doc);
+    let selection = [];
+    if (messageSignatureNode?.length > 0) {
+        selection = selection.concat(messageSignatureNode);
+    }
+    if (selection.length === 0) {
+        throw new Error('ERR_ZERO_SIGNATURE');
+    }
+    return verifySignature(xml, selection, opts);
+}
+function verifySignature(xml, selection, opts) {
+    // 尝试所有签名节点
+    for (const signatureNode of selection) {
+        const sig = new SignedXml();
+        let verified = false;
+        sig.signatureAlgorithm = opts.signatureAlgorithm;
+        if (!opts.keyFile && !opts.metadata) {
+            throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+        }
+        if (opts.keyFile) {
+            sig.publicCert = fs.readFileSync(opts.keyFile);
+        }
+        if (opts.metadata) {
+            const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+            // 证书处理逻辑
+            let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+            if (Array.isArray(metadataCert)) {
+                metadataCert = flattenDeep(metadataCert);
+            }
+            else if (typeof metadataCert === 'string') {
+                metadataCert = [metadataCert];
+            }
+            metadataCert = metadataCert.map(utility.normalizeCerString);
+            // 没有证书的情况
+            if (certificateNode.length === 0 && metadataCert.length === 0) {
+                throw new Error('NO_SELECTED_CERTIFICATE');
+            }
+            if (certificateNode.length !== 0) {
+                const x509CertificateData = certificateNode[0].firstChild.data;
+                const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                if (metadataCert.length >= 1 && !metadataCert.includes(x509Certificate)) {
+                    throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                }
+                sig.publicCert = libsaml.getKeyInfo(x509Certificate).getKey();
+            }
+            else {
+                sig.publicCert = libsaml.getKeyInfo(metadataCert[0]).getKey();
+            }
+        }
+        sig.loadSignature(signatureNode);
+        verified = sig.checkSignature(xml); // 使用原始XML验证
+        if (!verified) {
+            throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
+        }
+        if (sig.getSignedReferences().length < 1) {
+            throw new Error('NO_SIGNATURE_REFERENCES');
+        }
+        const signedVerifiedXML = sig.getSignedReferences()[0];
+        const rootNode = docParser.parseFromString(signedVerifiedXML, 'application/xml').documentElement;
+        // 处理签名的内容
+        switch (rootNode?.localName) {
+            case 'ArtifactResolve':
+                return [true, rootNode.toString(), false, false];
+            case 'ArtifactResponse':
+                // @ts-expect-error
+                const Response = select("/*[local-name()='ArtifactResponse']/*[local-name()='Response']", rootNode);
+                return [true, Response?.[0].toString(), false, false]; // 签名验证成功但未找到断言
+            default:
+                return [true, null, false, true]; // 签名验证成功但未找到可识别的内容
+        }
+    }
+    return [false, null, false, true];
+}
+export default {
+    verifyAndDecryptSoapMessage
+};

package/build/src/schema/xml.xsd

@@ -1,88 +1,88 @@
-<?xml version="1.0"?>
-<!-- DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd" -->
-<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace"
-		   xmlns:xs="http://www.w3.org/2001/XMLSchema"
-		   xml:lang="en">
-
-	<xs:annotation>
-		<xs:documentation>
-			See http://www.w3.org/XML/1998/namespace.html and
-			http://www.w3.org/TR/REC-xml for information about this namespace.
-		</xs:documentation>
-	</xs:annotation>
-
-	<xs:annotation>
-		<xs:documentation>
-			This schema defines attributes and an attribute group
-			suitable for use by schemas wishing to allow xml:base,
-			xml:lang or xml:space attributes on elements they define.
-			To enable this, such a schema must import this schema
-			for the XML namespace, e.g. as follows:
-			&lt;schema . . .>
-			. . .
-			&lt;import namespace="http://www.w3.org/XML/1998/namespace"
-			schemaLocation="http://www.w3.org/2001/03/xml.xsd"/>
-
-			Subsequently, qualified reference to any of the attributes
-			or the group defined below will have the desired effect, e.g.
-
-			&lt;type . . .>
-			. . .
-			&lt;attributeGroup ref="xml:specialAttrs"/>
-
-			will define a type which will schema-validate an instance
-			element with any of those attributes
-		</xs:documentation>
-	</xs:annotation>
-
-	<xs:annotation>
-		<xs:documentation>
-			In keeping with the XML Schema WG's standard versioning
-			policy, this schema document will persist at
-			http://www.w3.org/2001/03/xml.xsd.
-			At the date of issue it can also be found at
-			http://www.w3.org/2001/xml.xsd.
-			The schema document at that URI may however change in the future,
-			in order to remain compatible with the latest version of XML Schema
-			itself. In other words, if the XML Schema namespace changes, the version
-			of this document at
-			http://www.w3.org/2001/xml.xsd will change
-			accordingly; the version at
-			http://www.w3.org/2001/03/xml.xsd will not change.
-		</xs:documentation>
-	</xs:annotation>
-
-	<xs:attribute name="lang" type="xs:language">
-		<xs:annotation>
-			<xs:documentation>
-				In due course, we should install the relevant ISO 2- and 3-letter
-				codes as the enumerated possible values . . .
-			</xs:documentation>
-		</xs:annotation>
-	</xs:attribute>
-
-	<xs:attribute name="space" default="preserve">
-		<xs:simpleType>
-			<xs:restriction base="xs:NCName">
-				<xs:enumeration value="default"/>
-				<xs:enumeration value="preserve"/>
-			</xs:restriction>
-		</xs:simpleType>
-	</xs:attribute>
-
-	<xs:attribute name="base" type="xs:anyURI">
-		<xs:annotation>
-			<xs:documentation>
-				See http://www.w3.org/TR/xmlbase/ for
-				information about this attribute.
-			</xs:documentation>
-		</xs:annotation>
-	</xs:attribute>
-
-	<xs:attributeGroup name="specialAttrs">
-		<xs:attribute ref="xml:base"/>
-		<xs:attribute ref="xml:lang"/>
-		<xs:attribute ref="xml:space"/>
-	</xs:attributeGroup>
-
-</xs:schema>
+<?xml version="1.0"?>
+<!-- DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd" -->
+<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace"
+		   xmlns:xs="http://www.w3.org/2001/XMLSchema"
+		   xml:lang="en">
+
+	<xs:annotation>
+		<xs:documentation>
+			See http://www.w3.org/XML/1998/namespace.html and
+			http://www.w3.org/TR/REC-xml for information about this namespace.
+		</xs:documentation>
+	</xs:annotation>
+
+	<xs:annotation>
+		<xs:documentation>
+			This schema defines attributes and an attribute group
+			suitable for use by schemas wishing to allow xml:base,
+			xml:lang or xml:space attributes on elements they define.
+			To enable this, such a schema must import this schema
+			for the XML namespace, e.g. as follows:
+			&lt;schema . . .>
+			. . .
+			&lt;import namespace="http://www.w3.org/XML/1998/namespace"
+			schemaLocation="http://www.w3.org/2001/03/xml.xsd"/>
+
+			Subsequently, qualified reference to any of the attributes
+			or the group defined below will have the desired effect, e.g.
+
+			&lt;type . . .>
+			. . .
+			&lt;attributeGroup ref="xml:specialAttrs"/>
+
+			will define a type which will schema-validate an instance
+			element with any of those attributes
+		</xs:documentation>
+	</xs:annotation>
+
+	<xs:annotation>
+		<xs:documentation>
+			In keeping with the XML Schema WG's standard versioning
+			policy, this schema document will persist at
+			http://www.w3.org/2001/03/xml.xsd.
+			At the date of issue it can also be found at
+			http://www.w3.org/2001/xml.xsd.
+			The schema document at that URI may however change in the future,
+			in order to remain compatible with the latest version of XML Schema
+			itself. In other words, if the XML Schema namespace changes, the version
+			of this document at
+			http://www.w3.org/2001/xml.xsd will change
+			accordingly; the version at
+			http://www.w3.org/2001/03/xml.xsd will not change.
+		</xs:documentation>
+	</xs:annotation>
+
+	<xs:attribute name="lang" type="xs:language">
+		<xs:annotation>
+			<xs:documentation>
+				In due course, we should install the relevant ISO 2- and 3-letter
+				codes as the enumerated possible values . . .
+			</xs:documentation>
+		</xs:annotation>
+	</xs:attribute>
+
+	<xs:attribute name="space" default="preserve">
+		<xs:simpleType>
+			<xs:restriction base="xs:NCName">
+				<xs:enumeration value="default"/>
+				<xs:enumeration value="preserve"/>
+			</xs:restriction>
+		</xs:simpleType>
+	</xs:attribute>
+
+	<xs:attribute name="base" type="xs:anyURI">
+		<xs:annotation>
+			<xs:documentation>
+				See http://www.w3.org/TR/xmlbase/ for
+				information about this attribute.
+			</xs:documentation>
+		</xs:annotation>
+	</xs:attribute>
+
+	<xs:attributeGroup name="specialAttrs">
+		<xs:attribute ref="xml:base"/>
+		<xs:attribute ref="xml:lang"/>
+		<xs:attribute ref="xml:space"/>
+	</xs:attributeGroup>
+
+</xs:schema>

package/build/src/schemaValidator.js

@@ -4,9 +4,7 @@ import * as path from 'node:path';
 import { fileURLToPath } from 'node:url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-let obj = [
-    'soap-envelope.xsd',
-    'xml.xsd',
+let normal = [
     'saml-schema-protocol-2.0.xsd',
     'saml-schema-assertion-2.0.xsd',
     'xmldsig-core-schema.xsd',
@@ -15,7 +13,7 @@ let obj = [
     'saml-schema-ecp-2.0.xsd',
     'saml-schema-dce-2.0.xsd'
 ];
-let normal = [
+let soapSchema = [
     'soap-envelope.xsd',
     'xml.xsd',
     // 2. SOAP核心模式（所有SOAP消息的基础）
@@ -32,7 +30,7 @@ let normal = [
     'saml-schema-ecp-2.0.xsd', // ECP扩展
     'saml-schema-dce-2.0.xsd' // DCE扩展
 ];
-const schemas = obj;
+let schemas = normal;
 function detectXXEIndicators(samlString) {
     const xxePatterns = [
         /<!DOCTYPE\s[^>]*>/i,
@@ -55,12 +53,12 @@ function detectXXEIndicators(samlString) {
     });
     return Object.keys(matches).length > 0 ? matches : null;
 }
-export const validate = async (xml) => {
+export const validate = async (xml, isSoap = false) => {
     const indicators = detectXXEIndicators(xml);
     if (indicators) {
-        console.error('XXE风险特征:', indicators);
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
+    schemas = isSoap ? soapSchema : normal;
     const schemaPath = path.resolve(__dirname, 'schema');
     const [xmlParse, ...preload] = await Promise.all(schemas.map(async (file) => ({
         fileName: file,
@@ -79,17 +77,11 @@ export const validate = async (xml) => {
             preload: [xmlParse, ...preload],
         });
         if (validationResult.valid) {
-            console.log("---------------------验证通过--------------------");
-            console.log("---------------------验证通过--------------------");
             return true;
         }
-        console.log('-----------------------没验证通过-----------------------');
-        console.debug(validationResult);
         throw validationResult.errors;
     }
     catch (error) {
-        console.log('-----------------------没验证通过error-----------------------');
-        console.error('[ERROR] validateXML', error);
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
 };

package/build/src/soap.js

@@ -1,5 +1,8 @@
 import axios from 'axios';
 import https from 'node:https';
+import crypto from "node:crypto";
+import { Builder } from 'xml2js';
+import iconv from 'iconv-lite';
 // 2. 配置 Axios 实例（处理自签名证书）
 const axiosInstance = axios.create({
     httpsAgent: new https.Agent({
@@ -10,16 +13,133 @@ export async function sendArtifactResolve(url, soapRequest) {
     try {
         const response = await axiosInstance.post(url, soapRequest, {
             headers: {
-                'Content-Type': 'application/soap+xml; charset=utf-8',
+                'Content-Type': 'text/xml',
                 'SOAPAction': '"ArtifactResolve"'
             },
             timeout: 5000 // 5秒超时
         });
-        console.log('✅ Resolve请求成功');
         return response.data;
     }
     catch (error) {
-        console.error('❌ Resolve请求失败');
         throw error.response.data;
     }
 }
+export async function sendArtifactResponse(url, soapRequest) {
+    try {
+        const response = await axiosInstance.post(url, soapRequest, {
+            headers: {
+                'Content-Type': 'text/xml',
+                'SOAPAction': '"ArtifactResponse"'
+            },
+            timeout: 5000 // 5秒超时
+        });
+        return response.data;
+    }
+    catch (error) {
+        throw error.response.data;
+    }
+}
+/**
+ * @desc   generate Art id
+ *
+ * @param entityIDString
+ * @param endpointIndex
+ */
+export function createArt(entityIDString, endpointIndex = 0) {
+    // 安全获取 sourceEntityId
+    let sourceEntityId;
+    if (typeof entityIDString === "string") {
+        sourceEntityId = entityIDString;
+    }
+    else {
+        // 确保只在非字符串类型上访问 entityMeta
+        sourceEntityId = entityIDString.entityMeta.getEntityID();
+    }
+    // 1. 固定类型代码 (0x0004 - 2字节)
+    const typeCode = Buffer.from([0x00, 0x04]);
+    // 2. 端点索引 (2字节，大端序)
+    if (endpointIndex < 0 || endpointIndex > 65535) {
+        throw new Error("Endpoint index must be between 0 and 65535");
+    }
+    const endpointBuf = Buffer.alloc(2);
+    endpointBuf.writeUInt16BE(endpointIndex);
+    // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
+    const sourceId = crypto
+        .createHash("sha1")
+        .update(sourceEntityId)
+        .digest();
+    // 4. Message Handler - 20字节随机值
+    const messageHandler = crypto.randomBytes(20);
+    // 组合所有组件 (2+2+20+20 = 44字节)
+    const artifact = Buffer.concat([
+        typeCode,
+        endpointBuf,
+        sourceId,
+        messageHandler,
+    ]);
+    // 返回Base64编码的Artifact
+    return {
+        artifact: artifact.toString("base64"),
+        origin: {
+            typeCode: typeCode.readUInt16BE(0), // 改为整数值
+            endpointIndex: endpointIndex, // 修复字段名并赋正确的值
+            sourceId: sourceId.toString("hex"), // 转为十六进制
+            messageHandle: messageHandler.toString("hex"), // 转为十六进制
+        },
+    };
+}
+/**
+ * @desc   generate Art id
+ * @param artifact
+ */
+export function parseArt(artifact) {
+    // 解码 Base64
+    console.log(Object.prototype.toString.call(artifact));
+    if (Object.prototype.toString.call(artifact) !== '[object String]') {
+        return;
+    }
+    const decoded = Buffer.from(artifact, 'base64');
+    // 确保长度正确（SAML 工件固定为 44 字节）
+    if (decoded.length !== 44) {
+        throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
+    }
+    // 读取前 4 字节（TypeCode + EndpointIndex）
+    const typeCode = decoded.readUInt16BE(0);
+    const endpointIndex = decoded.readUInt16BE(2);
+    // 使用 Buffer.from() 替代 slice()
+    const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+    decoded.byteOffset + 4, // 起始偏移量
+    20 // 长度
+    ).toString('hex');
+    const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+    decoded.byteOffset + 24, // 起始偏移量
+    20 // 长度
+    ).toString('hex');
+    return { typeCode, endpointIndex, sourceId, messageHandle };
+}
+/**
+* 将对象转换为 ISO-8859-1 编码的 XML 字符串
+* @param {Object} data - 要转换的数据对象
+* @returns {Buffer} - ISO-8859-1 编码的 XML 数据 (Buffer)
+*/
+export function encodeXmlToIso88591(data) {
+    try {
+        // 1. 创建 XML 构建器
+        const builder = new Builder({
+            headless: false, // 包含 XML 声明
+            renderOpts: { 'pretty': false }, // 紧凑格式
+            xmldec: {
+                version: '1.0',
+                encoding: 'ISO-8859-1',
+                standalone: true
+            }
+        });
+        // 2. 构建 XML 字符串 (UTF-8 格式)
+        const utf8Xml = builder.buildObject(data);
+        // 3. 转换为 ISO-8859-1 编码的 Buffer
+        return iconv.encode(utf8Xml, 'iso-8859-1');
+    }
+    catch (error) {
+        throw new Error(`XML 编码失败: ${error.message}`);
+    }
+}

package/build/src/utility.js

@@ -3,8 +3,8 @@
  * @author tngan
  * @desc  Library for some common functions (e.g. de/inflation, en/decoding)
  */
-import { X509Certificate, createPrivateKey } from 'node:crypto';
-import { inflate, deflateRaw } from 'pako';
+import { createPrivateKey, X509Certificate } from 'node:crypto';
+import { deflateRaw, inflateRaw } from 'pako';
 const BASE64_STR = 'base64';
 /**
  * @desc Mimic lodash.zipObject
@@ -107,11 +107,16 @@ function deflateString(message) {
  * @return {string} decompressed string
  */
 export function inflateString(compressedString) {
-    const inputBuffer = Buffer.from(compressedString, BASE64_STR);
-    const input = Array.prototype.map.call(inputBuffer.toString('binary'), char => char.charCodeAt(0));
-    return Array.from(inflate(input, { raw: true }))
-        .map((byte) => String.fromCharCode(byte))
-        .join('');
+    const base64Encoded = decodeURIComponent(compressedString);
+    // 2. Base64解码为Uint8Array
+    const binaryStr = atob(base64Encoded) ?? base64Encoded;
+    const data = Uint8Array.from(binaryStr, (c) => c.charCodeAt(0));
+    try {
+        return inflateRaw(data, { to: 'string' });
+    }
+    catch (e) {
+        return e.message;
+    }
 }
 /**
  * @desc Abstract the normalizeCerString and normalizePemString