samlesa 4.3.5 → 4.5.0

package/build/src/libsamlSoap.js

@@ -1,122 +1,114 @@
-import { getContext } from "./api.js";
-import { select } from "xpath";
-import { SignedXml } from "xml-crypto-next";
-import fs from "fs";
-import utility, { flattenDeep } from "./utility.js";
-import libsaml from "./libsaml.js";
-import { wording } from "./urn.js";
+import fs from 'fs';
 import { DOMParser } from '@xmldom/xmldom';
+import { select } from 'xpath';
+import { SignedXml } from 'xml-crypto-next';
+import utility, { normalizeCertificates } from './utility.js';
+import libsaml from './libsaml.js';
+import { wording } from './urn.js';
+import { getContext } from './api.js';
 function toNodeArray(result) {
-    if (Array.isArray(result))
+    if (Array.isArray(result)) {
         return result;
-    if (result != null && typeof result === 'object' && 'nodeType' in result)
+    }
+    if (result != null && typeof result === 'object' && 'nodeType' in result) {
         return [result];
+    }
     return [];
 }
 const certUse = wording.certUse;
 const docParser = new DOMParser();
-async function verifyAndDecryptSoapMessage(xml, opts) {
-    const { dom } = getContext();
-    const doc = dom.parseFromString(xml, 'application/xml');
-    const docParser = new DOMParser();
-    let type = '';
-    // 为 SOAP 消息定义 XPath
-    const artifactResolveXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResolve']";
-    const artifactResponseXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResponse']";
-    // 检测 ArtifactResolve 或 ArtifactResponse 的存在
-    // @ts-expect-error
-    const artifactResolveNodes = toNodeArray(select(artifactResolveXpath, doc));
-    // @ts-expect-error
-    const artifactResponseNodes = toNodeArray(select(artifactResponseXpath, doc));
-    // 根据消息类型选择合适的 XPath
-    let basePath = "";
-    if (artifactResolveNodes?.length > 0) {
-        type = 'artifactResolve';
-        basePath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResolve']";
+function resolvePublicCertificate(signatureNode, opts) {
+    if (!opts.keyFile && !opts.metadata) {
+        throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
     }
-    else if (artifactResponseNodes?.length > 0) {
-        type = 'artifactResponse';
-        basePath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResponse']";
+    if (opts.keyFile) {
+        return fs.readFileSync(opts.keyFile);
     }
-    else {
-        throw new Error('ERR_UNSUPPORTED_SOAP_MESSAGE_TYPE');
+    const certificateNode = toNodeArray(select(".//*[local-name(.)='X509Certificate']", signatureNode));
+    const metadataCerts = normalizeCertificates(opts.metadata.getX509Certificate(certUse.signing));
+    if (certificateNode.length === 0 && metadataCerts.length === 0) {
+        throw new Error('NO_SELECTED_CERTIFICATE');
     }
-    // 基于 SOAP 结构重新定义 XPath
-    const messageSignatureXpath = `${basePath}/*[local-name(.)='Signature']`;
-    // @ts-expect-error
-    const messageSignatureNode = toNodeArray(select(messageSignatureXpath, doc));
-    let selection = [];
-    if (messageSignatureNode?.length > 0) {
-        selection = selection.concat(messageSignatureNode);
+    if (certificateNode.length > 0) {
+        const x509CertificateData = certificateNode[0].firstChild?.nodeValue || '';
+        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+        if (metadataCerts.length > 0 && !metadataCerts.includes(x509Certificate)) {
+            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+        }
+        return libsaml.getKeyInfo(x509Certificate).getKey();
     }
-    if (selection.length === 0) {
-        throw new Error('ERR_ZERO_SIGNATURE');
+    return libsaml.getKeyInfo(metadataCerts[0]).getKey();
+}
+function extractResolvedMessage(rootNode) {
+    const resolvedNodes = toNodeArray(select("./*[local-name()='Response' or local-name()='AuthnRequest' or local-name()='LogoutRequest' or local-name()='LogoutResponse']", rootNode));
+    if (resolvedNodes.length === 0) {
+        return null;
     }
-    return verifySignature(xml, selection, opts);
+    return resolvedNodes[0].toString();
 }
-function verifySignature(xml, selection, opts) {
-    // 尝试所有签名节点
-    for (const signatureNode of selection) {
+function verifySignature(xml, signatureNodes, opts) {
+    for (const signatureNode of signatureNodes) {
         const sig = new SignedXml();
-        let verified = false;
-        sig.signatureAlgorithm = opts.signatureAlgorithm;
-        if (!opts.keyFile && !opts.metadata) {
-            throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
-        }
-        if (opts.keyFile) {
-            sig.publicCert = fs.readFileSync(opts.keyFile);
-        }
-        if (opts.metadata) {
-            const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
-            // 证书处理逻辑
-            let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-            if (Array.isArray(metadataCert)) {
-                metadataCert = flattenDeep(metadataCert);
-            }
-            else if (typeof metadataCert === 'string') {
-                metadataCert = [metadataCert];
-            }
-            metadataCert = metadataCert.map(utility.normalizeCerString);
-            // 没有证书的情况
-            if (certificateNode.length === 0 && metadataCert.length === 0) {
-                throw new Error('NO_SELECTED_CERTIFICATE');
-            }
-            if (certificateNode.length !== 0) {
-                const x509CertificateData = certificateNode[0].firstChild.data;
-                const x509Certificate = utility.normalizeCerString(x509CertificateData);
-                if (metadataCert.length >= 1 && !metadataCert.includes(x509Certificate)) {
-                    throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
-                }
-                sig.publicCert = libsaml.getKeyInfo(x509Certificate).getKey();
-            }
-            else {
-                sig.publicCert = libsaml.getKeyInfo(metadataCert[0]).getKey();
-            }
-        }
+        sig.publicCert = resolvePublicCertificate(signatureNode, opts);
         sig.loadSignature(signatureNode);
-        verified = sig.checkSignature(xml); // 使用原始XML验证
+        const verified = sig.checkSignature(xml);
         if (!verified) {
             throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
         }
-        if (sig.getSignedReferences().length < 1) {
+        const signedReferences = sig.getSignedReferences();
+        if (signedReferences.length < 1) {
             throw new Error('NO_SIGNATURE_REFERENCES');
         }
-        const signedVerifiedXML = sig.getSignedReferences()[0];
-        const rootNode = docParser.parseFromString(signedVerifiedXML, 'application/xml').documentElement;
-        // 处理签名的内容
-        switch (rootNode?.localName) {
-            case 'ArtifactResolve':
-                return [true, rootNode.toString(), false, false];
-            case 'ArtifactResponse':
-                // @ts-expect-error
-                const Response = select("/*[local-name()='ArtifactResponse']/*[local-name()='Response']", rootNode);
-                return [true, Response?.[0].toString(), false, false]; // 签名验证成功但未找到断言
-            default:
-                return [true, null, false, true]; // 签名验证成功但未找到可识别的内容
+        const signedXml = signedReferences[0];
+        const rootNode = docParser.parseFromString(signedXml, 'application/xml').documentElement;
+        if (!rootNode) {
+            throw new Error('ERR_INVALID_SOAP_PAYLOAD');
         }
+        if (rootNode.localName === 'ArtifactResolve') {
+            return {
+                verified: true,
+                soapContent: xml,
+                message: rootNode.toString(),
+                type: 'ArtifactResolve',
+                resolvedMessage: null,
+            };
+        }
+        if (rootNode.localName === 'ArtifactResponse') {
+            return {
+                verified: true,
+                soapContent: xml,
+                message: rootNode.toString(),
+                type: 'ArtifactResponse',
+                resolvedMessage: extractResolvedMessage(rootNode),
+            };
+        }
+    }
+    throw new Error('ERR_UNSUPPORTED_SOAP_MESSAGE_TYPE');
+}
+async function verifyAndDecryptSoapMessage(xml, opts) {
+    const { dom } = getContext();
+    const doc = dom.parseFromString(xml, 'application/xml');
+    const artifactResolveXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResolve']";
+    const artifactResponseXpath = "/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='ArtifactResponse']";
+    const artifactResolveNodes = toNodeArray(select(artifactResolveXpath, doc));
+    const artifactResponseNodes = toNodeArray(select(artifactResponseXpath, doc));
+    let basePath = '';
+    if (artifactResolveNodes.length > 0) {
+        basePath = artifactResolveXpath;
+    }
+    else if (artifactResponseNodes.length > 0) {
+        basePath = artifactResponseXpath;
+    }
+    else {
+        throw new Error('ERR_UNSUPPORTED_SOAP_MESSAGE_TYPE');
+    }
+    const messageSignatureXpath = `${basePath}/*[local-name(.)='Signature']`;
+    const messageSignatureNodes = toNodeArray(select(messageSignatureXpath, doc));
+    if (messageSignatureNodes.length === 0) {
+        throw new Error('ERR_ZERO_SIGNATURE');
     }
-    return [false, null, false, true];
+    return verifySignature(xml, messageSignatureNodes, opts);
 }
 export default {
-    verifyAndDecryptSoapMessage
+    verifyAndDecryptSoapMessage,
 };

package/build/src/saml2-enhancements-integration.js

@@ -29,16 +29,15 @@ export function applyAuthnRequestEnhancements(rawSamlRequest, enhancements) {
     if (enhancements.providerName) {
         authnRequestElement.setAttribute('ProviderName', enhancements.providerName);
     }
-    // 2. 添加 Scoping 元素
-    if (enhancements.scoping) {
-        const scopingElement = buildScopingElement(enhancements.scoping, doc);
-        authnRequestElement.appendChild(scopingElement);
-    }
-    // 3. 添加 RequestedAuthnContext 元素
+    // AuthnRequestType 要求 RequestedAuthnContext 先于 Scoping
     if (enhancements.requestedAuthnContext) {
         const contextElement = buildRequestedAuthnContextElement(enhancements.requestedAuthnContext, doc);
         authnRequestElement.appendChild(contextElement);
     }
+    if (enhancements.scoping) {
+        const scopingElement = buildScopingElement(enhancements.scoping, doc);
+        authnRequestElement.appendChild(scopingElement);
+    }
     return new XMLSerializer().serializeToString(doc);
 }
 /**

package/build/src/saml2-enhancements.js

@@ -30,15 +30,7 @@ export function buildScoping(config) {
     if (config.proxyCount !== undefined) {
         scoping['samlp:Scoping'][0]._attr.ProxyCount = config.proxyCount.toString();
     }
-    // 添加 RequesterID 元素
-    if (config.requesterID && config.requesterID.length > 0) {
-        config.requesterID.forEach(id => {
-            scoping['samlp:Scoping'].push({
-                'samlp:RequesterID': [{ _attr: { URI: id } }]
-            });
-        });
-    }
-    // 添加 IDPList 元素
+    // SAML Core 要求 IDPList 先于 RequesterID 出现
     if (config.idpList && config.idpList.length > 0) {
         const idpList = { 'samlp:IDPList': [] };
         config.idpList.forEach(entry => {
@@ -55,6 +47,14 @@ export function buildScoping(config) {
         });
         scoping['samlp:Scoping'].push(idpList);
     }
+    // RequesterID 的类型是 anyURI，值必须写在元素文本中而不是属性里
+    if (config.requesterID && config.requesterID.length > 0) {
+        config.requesterID.forEach(id => {
+            scoping['samlp:Scoping'].push({
+                'samlp:RequesterID': [id]
+            });
+        });
+    }
     return scoping;
 }
 /**
@@ -86,7 +86,7 @@ export function buildRequestedAuthnContext(config) {
     if (config.declRefs && config.declRefs.length > 0) {
         config.declRefs.forEach(ref => {
             requestedAuthnContext['samlp:RequestedAuthnContext'].push({
-                'saml:AuthnContextDeclRef': [{ _attr: { URI: ref } }]
+                'saml:AuthnContextDeclRef': [ref]
             });
         });
     }
@@ -292,14 +292,13 @@ export function enhanceAuthnRequest(baseAuthnRequest, enhancedConfig) {
         }
         authnRequestContent[0]._attr.ProviderName = enhancedConfig.providerName;
     }
-    // 添加 Scoping 元素
-    if (enhancedConfig.scoping) {
-        authnRequestContent.push(buildScoping(enhancedConfig.scoping));
-    }
-    // 添加 RequestedAuthnContext 元素
+    // AuthnRequestType 的序列顺序为 RequestedAuthnContext 在前、Scoping 在后
     if (enhancedConfig.requestedAuthnContext) {
         authnRequestContent.push(buildRequestedAuthnContext(enhancedConfig.requestedAuthnContext));
     }
+    if (enhancedConfig.scoping) {
+        authnRequestContent.push(buildScoping(enhancedConfig.scoping));
+    }
     return authnRequest;
 }
 /**

package/build/src/soap.js

@@ -1,144 +1,73 @@
 import axios from 'axios';
-import https from 'node:https';
-import crypto from "node:crypto";
 import { Builder } from 'xml2js';
 import iconv from 'iconv-lite';
-// 2. 配置 Axios 实例（处理自签名证书）
+import { generateArtifactId, parseArtifact } from './artifact.js';
 const axiosInstance = axios.create({
-    httpsAgent: new https.Agent({
-        rejectUnauthorized: false // 允许自签名证书
-    })
+    timeout: 5000,
 });
-export async function sendArtifactResolve(url, soapRequest) {
-    try {
-        const response = await axiosInstance.post(url, soapRequest, {
-            headers: {
-                'Content-Type': 'text/xml',
-                'SOAPAction': '"ArtifactResolve"'
-            },
-            timeout: 5000 // 5秒超时
-        });
-        return response.data;
+function getAxiosErrorPayload(error) {
+    if (error?.response?.data) {
+        return error.response.data;
     }
-    catch (error) {
-        throw error.response.data;
+    if (error instanceof Error) {
+        return error;
     }
+    return new Error('ERR_SOAP_REQUEST_FAILED');
 }
-export async function sendArtifactResponse(url, soapRequest) {
+async function sendSoapRequest(url, soapRequest, soapAction) {
     try {
         const response = await axiosInstance.post(url, soapRequest, {
             headers: {
-                'Content-Type': 'text/xml',
-                'SOAPAction': '"ArtifactResponse"'
+                'Content-Type': 'text/xml; charset=utf-8',
+                SOAPAction: `"${soapAction}"`,
             },
-            timeout: 5000 // 5秒超时
         });
         return response.data;
     }
     catch (error) {
-        throw error.response.data;
+        throw getAxiosErrorPayload(error);
     }
 }
-/**
- * @desc   generate Art id
- *
- * @param entityIDString
- * @param endpointIndex
- */
+export async function sendArtifactResolve(url, soapRequest) {
+    return sendSoapRequest(url, soapRequest, 'ArtifactResolve');
+}
+export async function sendArtifactResponse(url, soapRequest) {
+    return sendSoapRequest(url, soapRequest, 'ArtifactResponse');
+}
 export function createArt(entityIDString, endpointIndex = 0) {
-    // 安全获取 sourceEntityId
-    let sourceEntityId;
-    if (typeof entityIDString === "string") {
-        sourceEntityId = entityIDString;
-    }
-    else {
-        // 确保只在非字符串类型上访问 entityMeta
-        sourceEntityId = entityIDString.entityMeta.getEntityID();
-    }
-    // 1. 固定类型代码 (0x0004 - 2字节)
-    const typeCode = Buffer.from([0x00, 0x04]);
-    // 2. 端点索引 (2字节，大端序)
-    if (endpointIndex < 0 || endpointIndex > 65535) {
-        throw new Error("Endpoint index must be between 0 and 65535");
-    }
-    const endpointBuf = Buffer.alloc(2);
-    endpointBuf.writeUInt16BE(endpointIndex);
-    // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
-    const sourceId = crypto
-        .createHash("sha1")
-        .update(sourceEntityId)
-        .digest();
-    // 4. Message Handler - 20字节随机值
-    const messageHandler = crypto.randomBytes(20);
-    // 组合所有组件 (2+2+20+20 = 44字节)
-    const artifact = Buffer.concat([
-        typeCode,
-        endpointBuf,
-        sourceId,
-        messageHandler,
-    ]);
-    // 返回Base64编码的Artifact
+    const sourceEntityId = typeof entityIDString === 'string'
+        ? entityIDString
+        : entityIDString.entityMeta.getEntityID();
+    const artifact = generateArtifactId(sourceEntityId, endpointIndex);
+    const origin = parseArtifact(artifact);
     return {
-        artifact: artifact.toString("base64"),
+        artifact,
         origin: {
-            typeCode: typeCode.readUInt16BE(0), // 改为整数值
-            endpointIndex: endpointIndex, // 修复字段名并赋正确的值
-            sourceId: sourceId.toString("hex"), // 转为十六进制
-            messageHandle: messageHandler.toString("hex"), // 转为十六进制
+            typeCode: origin.typeCode,
+            endpointIndex: origin.endpointIndex,
+            sourceId: origin.sourceId,
+            messageHandle: origin.messageHandle,
         },
     };
 }
-/**
- * @desc   generate Art id
- * @param artifact
- */
 export function parseArt(artifact) {
-    // 解码 Base64
-    if (Object.prototype.toString.call(artifact) !== '[object String]') {
-        return;
-    }
-    const decoded = Buffer.from(artifact, 'base64');
-    // 确保长度正确（SAML 工件固定为 44 字节）
-    if (decoded.length !== 44) {
-        throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
-    }
-    // 读取前 4 字节（TypeCode + EndpointIndex）
-    const typeCode = decoded.readUInt16BE(0);
-    const endpointIndex = decoded.readUInt16BE(2);
-    // 使用 Buffer.from() 替代 slice()
-    const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-    decoded.byteOffset + 4, // 起始偏移量
-    20 // 长度
-    ).toString('hex');
-    const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
-    decoded.byteOffset + 24, // 起始偏移量
-    20 // 长度
-    ).toString('hex');
-    return { typeCode, endpointIndex, sourceId, messageHandle };
+    return parseArtifact(artifact);
 }
-/**
-* 将对象转换为 ISO-8859-1 编码的 XML 字符串
-* @param {Object} data - 要转换的数据对象
-* @returns {Buffer} - ISO-8859-1 编码的 XML 数据 (Buffer)
-*/
 export function encodeXmlToIso88591(data) {
     try {
-        // 1. 创建 XML 构建器
         const builder = new Builder({
-            headless: false, // 包含 XML 声明
-            renderOpts: { 'pretty': false }, // 紧凑格式
+            headless: false,
+            renderOpts: { pretty: false },
             xmldec: {
                 version: '1.0',
                 encoding: 'ISO-8859-1',
-                standalone: true
-            }
+                standalone: true,
+            },
         });
-        // 2. 构建 XML 字符串 (UTF-8 格式)
         const utf8Xml = builder.buildObject(data);
-        // 3. 转换为 ISO-8859-1 编码的 Buffer
         return iconv.encode(utf8Xml, 'iso-8859-1');
     }
     catch (error) {
-        throw new Error(`XML 编码失败: ${error.message}`);
+        throw new Error(`XML 缂栫爜澶辫触: ${error.message}`);
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "samlesa",
-  "version": "4.3.5",
+  "version": "4.5.0",
   "description": "High-level API for Single Sign On (SAML 2.0) baseed on samlify ",
   "main": "build/index.js",
   "keywords": [
@@ -55,8 +55,8 @@
   "docs": "https://saml.veclea.com",
   "license": "MIT",
   "dependencies": {
-    "@xmldom/xmldom": "^0.9.8",
-    "axios": "^1.13.6",
+    "@xmldom/xmldom": "^0.9.10",
+    "axios": "^1.15.2",
     "camelcase": "^9.0.0",
     "cross-env": "^10.1.0",
     "iconv-lite": "^0.7.2",
@@ -71,17 +71,17 @@
     "xpath": "^0.0.34"
   },
   "devDependencies": {
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.6.0",
     "@types/pako": "2.0.4",
     "@types/uuid": "11.0.0",
-    "@vitest/coverage-istanbul": "^4.1.2",
-    "@vitest/coverage-v8": "4.1.2",
+    "@vitest/coverage-istanbul": "^4.1.5",
+    "@vitest/coverage-v8": "4.1.5",
     "copyfiles": "^2.4.1",
     "coveralls": "^3.1.1",
-    "esbuild": "^0.27.4",
-    "jsdom": "^29.0.1",
+    "esbuild": "^0.28.0",
+    "jsdom": "^29.0.2",
     "timekeeper": "^2.3.1",
-    "typescript": "6.0.2",
-    "vitest": "^4.1.2"
+    "typescript": "6.0.3",
+    "vitest": "^4.1.5"
   }
 }

package/types/src/artifact.d.ts

@@ -0,0 +1,14 @@
+export declare const SAML2_ARTIFACT_TYPE_CODE = 4;
+export declare const SAML2_ARTIFACT_LENGTH = 44;
+export interface ParsedArtifact {
+    artifact: string;
+    typeCode: number;
+    endpointIndex: number;
+    sourceId: string;
+    messageHandle: string;
+}
+export declare function computeArtifactSourceId(entityId: string): Buffer;
+export declare function generateArtifactId(entityId: string, endpointIndex?: number): string;
+export declare function parseArtifact(artifact: string): ParsedArtifact;
+export declare function validateArtifact(artifact: string, expectedEntityId?: string): ParsedArtifact;
+//# sourceMappingURL=artifact.d.ts.map

package/types/src/artifact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.d.ts","sourceRoot":"","sources":["../../src/artifact.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,wBAAwB,IAAS,CAAC;AAC/C,eAAO,MAAM,qBAAqB,KAAK,CAAC;AAExC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEhE;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,SAAI,GAAG,MAAM,CAsB9E;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,CAsB9D;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,cAAc,CAS5F"}