samlesa 4.7.2 → 4.7.3
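--- a/package/build/src/extractor.js
+++ b/package/build/src/extractor.js
@@ -176,6 +176,7 @@ export const logoutResponseStatusFields = [
 ];
 export const loginResponseFields = assertion => [
 { key: 'conditions', localPath: ['Assertion', 'Conditions'], attributes: ['NotBefore', 'NotOnOrAfter'], shortcut: assertion },
+{ key: 'audienceRestrictions', localPath: ['Assertion', 'Conditions', 'AudienceRestriction'], attributes: [], context: true, shortcut: assertion },
 { key: 'response', localPath: ['Response'], attributes: ['ID', 'IssueInstant', 'Destination', 'InResponseTo', 'Version'] },
 { key: 'responseIssuer', localPath: ['Response', 'Issuer'], attributes: [] },
 { key: 'audience', localPath: ['Assertion', 'Conditions', 'AudienceRestriction', 'Audience'], attributes: [], shortcut: assertion },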
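--- a/package/build/src/flow.js
+++ b/package/build/src/flow.js
@@ -101,6 +101,55 @@ function validateResponseTimes(parserType, extractedProperties, self) {
 }
 return null;
 }
+function normalizeStringList(value) {
+if (Array.isArray(value)) {
+return value.flatMap(item => normalizeStringList(item));
+}
+if (typeof value !== 'string') {
+return [];
+}
+const normalized = value.trim();
+return normalized ? [normalized] : [];
+}
+function collectAudienceValues(extractedProperties) {
+return [
+...normalizeStringList(extractedProperties?.audience),
+...normalizeStringList(extractedProperties?.conditions?.audiences),
+];
+}
+function collectAudienceRestrictionGroups(extractedProperties) {
+const restrictionFragments = normalizeStringList(extractedProperties?.audienceRestrictions);
+if (restrictionFragments.length === 0) {
+const flattenedAudiences = collectAudienceValues(extractedProperties);
+return flattenedAudiences.length > 0 ? [flattenedAudiences] : [];
+}
+return restrictionFragments.map((fragment) => {
+const parsedRestriction = extract(fragment, [{
+key: 'audience',
+localPath: ['AudienceRestriction', 'Audience'],
+attributes: [],
+}]);
+return normalizeStringList(parsedRestriction?.audience);
+});
+}
+function validateAudienceRestriction(parserType, extractedProperties, self) {
+if (parserType !== ParserType.SAMLResponse) {
+return null;
+}
+const expectedAudience = self?.entityMeta?.getEntityID?.();
+if (typeof expectedAudience !== 'string' || expectedAudience.trim().length === 0) {
+return null;
+}
+const audienceRestrictionGroups = collectAudienceRestrictionGroups(extractedProperties);
+if (audienceRestrictionGroups.length === 0 ||
+audienceRestrictionGroups.some(group => group.length === 0)) {
+return self?.entitySetting?.strictSecurity === false ? null : 'ERR_MISSING_AUDIENCE';
+}
+if (!audienceRestrictionGroups.every(group => group.includes(expectedAudience.trim()))) {
+return 'ERR_UNMATCH_AUDIENCE';
+}
+return null;
+}
 function validateEndpointConstraints(parserType, extractedProperties, self, from) {
 const requestData = extractedProperties?.request ?? {};
 const responseData = extractedProperties?.response ?? {};
@@ -170,6 +219,10 @@ function runCommonValidation(parserType, extractedProperties, self, from) {
 if (timeError) {
 return timeError;
 }
+const audienceError = validateAudienceRestriction(parserType, extractedProperties, self);
+if (audienceError) {
+return audienceError;
+}
 return validateEndpointConstraints(parserType, extractedProperties, self, from);
 }
 // proceed the redirect binding flow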
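Review bot: validateAudienceRestriction (new lines 139-142) returns null and skips the whole audience check whenever `self.entityMeta.getEntityID()` does not yield a non-empty string, regardless of strictSecurity, so an SP without a resolvable entityID fails open on exactly the check this release adds; gating that early return the way the missing-audience branch does, `return self?.entitySetting?.strictSecurity === false ? null : 'ERR_MISSING_AUDIENCE';` (or a dedicated error code for a missing expected audience), keeps it fail-closed. If entityMeta always carries an entityID this branch is unreachable in practice, but the validator should not depend on that. The fallback in collectAudienceRestrictionGroups (new lines 122-125) also merges `audience` and `conditions.audiences` into a single group, which yields OR semantics across what may be several AudienceRestriction elements that SAML Core requires to be satisfied independently; since it is only reached when no `audienceRestrictions` fragment was extracted, a comment stating that assumption would help the next reader. None of the four new functions has a JSDoc header; a one-liner on collectAudienceRestrictionGroups such as `/** Returns one array of Audience values per AudienceRestriction element; the validator requires every array to contain this SP's entityID. */` would document the AND-across-groups / OR-within-group contract the validator relies on. Hoisting `expectedAudience.trim()` into a const before the `every` callback (new line 148) would also avoid recomputing it per group.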
package/package.json
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"extractor.d.ts","sourceRoot":"","sources":["../../src/extractor.ts"],"names":[],"mappings":"AAMA,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,GAAG,CAAC;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD,MAAM,MAAM,eAAe,GAAG,cAAc,EAAE,CAAC;AA4B/C,eAAO,MAAM,kBAAkB,EAAE,eAsFhC,CAAC;AAKF,eAAO,MAAM,qBAAqB,EAAE,eAsBnC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,eAsBpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,eAGvC,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,eAG/C,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,eAGxC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,
|
|
1
|
+
{"version":3,"file":"extractor.d.ts","sourceRoot":"","sources":["../../src/extractor.ts"],"names":[],"mappings":"AAMA,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,GAAG,CAAC;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD,MAAM,MAAM,eAAe,GAAG,cAAc,EAAE,CAAC;AA4B/C,eAAO,MAAM,kBAAkB,EAAE,eAsFhC,CAAC;AAKF,eAAO,MAAM,qBAAqB,EAAE,eAsBnC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,eAsBpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,eAGvC,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,eAG/C,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,eAGxC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,CAarE,CAAC;AAqMF,eAAO,MAAM,mBAAmB,EAAE,eAMjC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,eAIlC,CAAC;AAKF,eAAO,MAAM,iBAAiB,EAAE,eAiI/B,CAAC;AAOF,eAAO,MAAM,gBAAgB,EAAE,eAyL9B,CAAC;AAEF,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAiN/D;AASD,eAAO,MAAM,2BAA2B,EAAE,eAkZzC,CAAC;AAIF;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAkRrE;AAKD,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,OAE5C;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,OAEzC;AAGD,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,OAExC;AACD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,OAEjD;AACD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,OAE9C;AACD,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,OAErD"}
|
package/types/src/flow.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/flow.ts"],"names":[],"mappings":"AAqBA,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,GAAG,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;
|
|
1
|
+
{"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/flow.ts"],"names":[],"mappings":"AAqBA,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,GAAG,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AA4rBD,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CA8BhG;AAED,wBAAgB,IAAI,CAAC,OAAO,KAAA,GAAG,OAAO,CAAC,UAAU,CAAC,CA0BjD"}
|