samlesa 2.17.0 → 2.17.1

package/build/src/entity-sp.js

@@ -4,7 +4,7 @@
  * @desc  Declares the actions taken by service provider
  */
 import Entity from './entity.js';
-import * as crypto from "node:crypto";
+import Artifact from './binding-artifact.js';
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
@@ -61,12 +61,6 @@ export class ServiceProvider extends Entity {
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
-            case nsBinding.artifact:
-                context = artifactSignBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
-                    idp,
-                    sp: this
-                }, customTagReplacement);
-                break;
             default:
                 // Will support artifact in the next release
                 throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
@@ -78,39 +72,20 @@ export class ServiceProvider extends Entity {
             type: 'SAMLRequest',
         };
     }
-    /**
-     * @desc  Generates the Art login request for developers to design their own method
-     * @param  {IdentityProvider} idp               object of identity provider
-     * @param  {string}   binding                   protocol binding
-     * @param  {function} customTagReplacement     used when developers have their own login response template
-     */
-    createLoginRequestArt(idp, binding = 'redirect', customTagReplacement) {
+    async createLoginSoapRequest(idp, binding = 'artifact', config) {
         const nsBinding = namespace.binding;
         const protocol = nsBinding[binding];
         if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
             throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
         }
         let context = null;
-        switch (protocol) {
-            case nsBinding.redirect:
-                return redirectBinding.loginRequestRedirectURLArt({ idp, sp: this }, customTagReplacement);
-            case nsBinding.post:
-                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
-                    idp,
-                    sp: this,
-                    soap: true
-                }, customTagReplacement);
-                break;
-            default:
-                // Will support artifact in the next release
-                throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
-        }
-        return {
-            ...context,
-            relayState: this.entitySetting.relayState,
-            entityEndpoint: idp.entityMeta.getSingleSignOnService(binding),
-            type: 'SAMLRequest',
-        };
+        context = await artifactSignBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+            idp,
+            sp: this,
+            inResponse: config?.inResponseTo,
+            relayState: config?.relayState,
+        }, config?.customTagReplacement);
+        return context;
     }
     /**
      * @desc   Validation of the parsed the URL parameters
@@ -136,68 +111,20 @@ export class ServiceProvider extends Entity {
      * @param  {string}   binding                   protocol binding
      * @param  {request}   req                      request
      */
-    parseLoginResponseArt(idp, binding, request) {
+    parseLoginRequestResolve(idp, xml) {
         const self = this;
-        return flow({
-            soap: true,
-            from: idp,
-            self: self,
-            checkSignature: true, // saml response must have signature
-            parserType: 'SAMLResponse',
-            type: 'login',
-            binding: binding,
-            request: request
+        return Artifact.parseLoginRequestResolve({
+            idp: idp,
+            sp: self,
+            xml: xml
         });
     }
-    /**
-     * @desc   generate Art id
-     *
-     * @param entityIDString
-     */
-    createArt(entityIDString, endpointIndex = 0) {
-        let sourceEntityId = entityIDString ? entityIDString : this.entityMeta.getEntityID();
-        // 1. 固定类型代码 (0x0004 - 2字节)
-        const typeCode = Buffer.from([0x00, 0x04]);
-        // 2. 端点索引 (2字节，大端序)
-        if (endpointIndex < 0 || endpointIndex > 65535) {
-            throw new Error('Endpoint index must be between 0 and 65535');
-        }
-        const endpointBuf = Buffer.alloc(2);
-        endpointBuf.writeUInt16BE(endpointIndex);
-        // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
-        const sourceId = crypto.createHash('sha1')
-            .update(sourceEntityId)
-            .digest();
-        // 4. Message Handler - 20字节随机值
-        const messageHandler = crypto.randomBytes(20);
-        // 组合所有组件 (2+2+20+20 = 44字节)
-        const artifact = Buffer.concat([typeCode, endpointBuf, sourceId, messageHandler]);
-        // 返回Base64编码的Artifact
-        return artifact.toString('base64');
-    }
-    /**
-     * @desc   generate Art id
-     * @param artifact
-     */
-    parseArt(artifact) {
-        // 解码 Base64
-        const decoded = Buffer.from(artifact, 'base64');
-        // 确保长度正确（SAML 工件固定为 44 字节）
-        if (decoded.length !== 44) {
-            throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
-        }
-        // 读取前 4 字节（TypeCode + EndpointIndex）
-        const typeCode = decoded.readUInt16BE(0);
-        const endpointIndex = decoded.readUInt16BE(2);
-        // 使用 Buffer.from() 替代 slice()
-        const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-        decoded.byteOffset + 4, // 起始偏移量
-        20 // 长度
-        ).toString('hex');
-        const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-        decoded.byteOffset + 24, // 起始偏移量
-        20 // 长度
-        ).toString('hex');
-        return { typeCode, endpointIndex, sourceId, messageHandle };
+    parseLoginResponseResolve(idp, art, request) {
+        const self = this;
+        return Artifact.parseLoginResponseResolve({
+            idp: idp,
+            sp: self,
+            art: art
+        });
     }
 }

package/build/src/extractor.js

@@ -54,6 +54,38 @@ export const loginRequestFields = [
         context: true
     }
 ];
+export const artifactResolveFields = [
+    {
+        key: 'request',
+        localPath: ['ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version']
+    },
+    {
+        key: 'issuer', localPath: ['ArtifactResolve', 'Issuer'], attributes: []
+    },
+    {
+        key: 'Artifact', localPath: ['ArtifactResolve', 'Artifact'], attributes: []
+    },
+    {
+        key: 'signature', localPath: ['ArtifactResolve', 'Signature'], attributes: [], context: true
+    },
+];
+export const artifactResponseFields = [
+    {
+        key: 'request',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version']
+    },
+    {
+        key: 'issuer', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Issuer'], attributes: []
+    },
+    {
+        key: 'Artifact', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Artifact'], attributes: []
+    },
+    {
+        key: 'signature', localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Signature'], attributes: [], context: true
+    },
+];
 // support two-tiers status code
 export const loginResponseStatusFields = [
     {

package/build/src/flow.js

@@ -1,10 +1,6 @@
 import { base64Decode } from './utility.js';
 import { verifyTime } from './validator.js';
 import libsaml from './libsaml.js';
-import * as uuid from 'uuid';
-import { select } from 'xpath';
-import { DOMParser } from '@xmldom/xmldom';
-import { sendArtifactResolve } from "./soap.js";
 import { extract, loginRequestFields, loginResponseFields, loginResponseStatusFields, loginArtifactResponseStatusFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields } from './extractor.js';
 import { BindingNamespace, ParserType, StatusCode, wording } from './urn.js';
 const bindDict = wording.binding;
@@ -126,58 +122,15 @@ async function redirectFlow(options) {
 }
 // proceed the post flow
 async function postFlow(options) {
-    const { soap = false, request, from, self, parserType, checkSignature = true } = options;
+    const { request, from, self, parserType, checkSignature = true } = options;
     const { body } = request;
     const direction = libsaml.getQueryParamByType(parserType);
     let encodedRequest = '';
     let samlContent = '';
-    if (!soap) {
-        encodedRequest = body[direction];
-        // @ts-ignore
-        samlContent = String(base64Decode(encodedRequest));
-    }
+    encodedRequest = body[direction];
+    // @ts-ignore
+    samlContent = String(base64Decode(encodedRequest));
     /** 增加判断是不是Soap 工件绑定*/
-    if (soap) {
-        const metadata = {
-            idp: from.entityMeta,
-            sp: self.entityMeta,
-        };
-        const spSetting = self.entitySetting;
-        let ID = '_' + uuid.v4();
-        let url = metadata.idp.getArtifactResolutionService(bindDict.soap);
-        let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
-            ID: ID,
-            Destination: url,
-            Issuer: metadata.sp.getEntityID(),
-            IssueInstant: new Date().toISOString(),
-            Art: request.Art
-        });
-        if (!metadata.idp.isWantAuthnRequestsSigned()) {
-            samlContent = await sendArtifactResolve(url, samlSoapRaw);
-        }
-        if (metadata.idp.isWantAuthnRequestsSigned()) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-            let signatureSoap = libsaml.constructSAMLSignature({
-                referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
-                isMessageSigned: false,
-                isBase64Output: false,
-                transformationAlgorithms: transformationAlgorithms,
-                privateKey,
-                privateKeyPass,
-                signatureAlgorithm,
-                rawSamlMessage: samlSoapRaw,
-                signingCert: metadata.sp.getX509Certificate('signing'),
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: {
-                        reference: "//*[local-name(.)='Issuer']",
-                        action: 'after'
-                    }
-                }
-            });
-            samlContent = await sendArtifactResolve(url, signatureSoap);
-        }
-    }
     const verificationOptions = {
         metadata: from.entityMeta,
         signatureAlgorithm: from.entitySetting.requestSignatureAlgorithm,
@@ -186,7 +139,7 @@ async function postFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    let res = await libsaml.isValidXml(samlContent, soap).catch((error) => {
+    let res = await libsaml.isValidXml(samlContent).catch((error) => {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     });
     if (res !== true) {
@@ -196,67 +149,25 @@ async function postFlow(options) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
-    await checkStatus(samlContent, parserType, soap);
+    await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    if (soap) {
-        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignatureSoap(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired;
-        if (!verified) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-        if (parserType === 'SAMLResponse' && decryptRequired) {
-            // 1. 解密断言
-            const [decryptedSAML, decryptedAssertion] = await libsaml.decryptAssertionSoap(self, samlContent);
-            // 2. 检查解密后的断言是否包含签名
-            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'application/xml');
-            // @ts-ignore
-            const assertionSignatureNodes = select("./*[local-name()='Signature']", assertionDoc.documentElement);
-            // 3. 如果存在签名则验证
-            if (assertionSignatureNodes.length > 0) {
-                // 3.1 创建新的验证选项（保持原配置）
-                const assertionVerificationOptions = {
-                    ...verificationOptions,
-                    isAssertion: true // 添加标识表示正在验证断言
-                };
-                // 3.2 验证断言签名
-                const [assertionVerified, result] = libsaml.verifySignatureSoap(decryptedAssertion, assertionVerificationOptions);
-                if (!assertionVerified) {
-                    return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
-                }
-                if (assertionVerified) {
-                    // @ts-ignore
-                    samlContent = result;
-                    extractorFields = getDefaultExtractorFields(parserType, result);
-                }
-            }
-            else {
-                samlContent = decryptedAssertion;
-                extractorFields = getDefaultExtractorFields(parserType, decryptedAssertion);
-            }
-        }
+    const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
+    decryptRequired = isDecryptRequired;
+    if (isDecryptRequired && noSignature) {
+        const result = await libsaml.decryptAssertion(self, samlContent);
+        samlContent = result[0];
+        extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    if (!soap) {
-        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired;
-        if (isDecryptRequired && noSignature) {
-            const result = await libsaml.decryptAssertion(self, samlContent);
-            samlContent = result[0];
-            extractorFields = getDefaultExtractorFields(parserType, result[1]);
-        }
-        if (!verified && !noSignature && !isDecryptRequired) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-        if (parserType === 'SAMLResponse' && decryptRequired && !noSignature) {
-            const result = await libsaml.decryptAssertion(self, samlContent);
-            samlContent = result[0];
-            extractorFields = getDefaultExtractorFields(parserType, result[1]);
-        }
+    if (!verified && !noSignature && !isDecryptRequired) {
+        return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+    }
+    if (!isDecryptRequired) {
+        extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+    }
+    if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
+        const result = await libsaml.decryptAssertion(self, samlContent);
+        samlContent = result[0];
+        extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
     const parseResult = {
         samlContent: samlContent,
@@ -493,7 +404,7 @@ async function postSimpleSignFlow(options) {
     }
     return Promise.resolve(parseResult);
 }
-function checkStatus(content, parserType, soap) {
+export function checkStatus(content, parserType, soap) {
     // only check response parser
     if (parserType !== urlParams.samlResponse && parserType !== urlParams.logoutResponse) {
         return Promise.resolve('SKIPPED');