samlify 2.10.2 → 2.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.circleci/config.yml +0 -30
- package/.snyk +2 -6
- package/build/index.js +17 -7
- package/build/index.js.map +1 -1
- package/build/src/api.js +3 -4
- package/build/src/api.js.map +1 -1
- package/build/src/binding-post.js +25 -15
- package/build/src/binding-post.js.map +1 -1
- package/build/src/binding-redirect.js +21 -7
- package/build/src/binding-redirect.js.map +1 -1
- package/build/src/binding-simplesign.js +24 -14
- package/build/src/binding-simplesign.js.map +1 -1
- package/build/src/entity-idp.js +4 -4
- package/build/src/entity-idp.js.map +1 -1
- package/build/src/entity-sp.js +2 -2
- package/build/src/entity-sp.js.map +1 -1
- package/build/src/entity.js +2 -25
- package/build/src/entity.js.map +1 -1
- package/build/src/extractor.js +28 -20
- package/build/src/extractor.js.map +1 -1
- package/build/src/flow.js +4 -5
- package/build/src/flow.js.map +1 -1
- package/build/src/libsaml.js +37 -18
- package/build/src/libsaml.js.map +1 -1
- package/build/src/metadata-idp.js +9 -9
- package/build/src/metadata-idp.js.map +1 -1
- package/build/src/metadata-sp.js +9 -9
- package/build/src/metadata-sp.js.map +1 -1
- package/build/src/metadata.js +17 -7
- package/build/src/metadata.js.map +1 -1
- package/build/src/urn.js +4 -4
- package/build/src/urn.js.map +1 -1
- package/build/src/utility.js +26 -26
- package/build/src/utility.js.map +1 -1
- package/build/src/validator.js +1 -2
- package/build/src/validator.js.map +1 -1
- package/package.json +18 -19
- package/src/binding-redirect.ts +4 -0
- package/src/entity.ts +2 -2
- package/src/extractor.ts +27 -20
- package/src/libsaml.ts +18 -11
- package/src/utility.ts +14 -13
- package/types/src/binding-post.d.ts +1 -1
- package/types/src/binding-simplesign.d.ts +1 -1
- package/types/src/entity.d.ts +1 -2
- package/types/src/extractor.d.ts +1 -1
- package/types/src/libsaml.d.ts +5 -6
- package/types/src/metadata.d.ts +0 -1
- package/types/src/types.d.ts +7 -8
- package/types/src/utility.d.ts +1 -2
- package/types/src/validator.d.ts +1 -1
- package/.travis.yml +0 -29
- package/CHANGELOG.md +0 -7
- package/types/vitest.config.d.ts +0 -2
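--- a/package/src/utility.ts
+++ b/package/src/utility.ts
@@ -3,8 +3,8 @@
  * @author tngan
  * @desc Library for some common functions (e.g. de/inflation, en/decoding)
  */
-import {
-import {
+import { X509Certificate, createPrivateKey } from 'crypto';
+import { deflateRawSync, inflateRawSync } from 'zlib';
 
 const BASE64_STR = 'base64';
 
@@ -102,8 +102,8 @@ export function base64Decode(base64Message: string, isBytes?: boolean): string |
  * @return {string} compressed string
  */
 function deflateString(message: string): number[] {
-const input =
-return Array.from(
+const input = Buffer.from(message, 'utf8');
+return Array.from(deflateRawSync(input));
 }
 /**
  * @desc Decompress the compressed string
@@ -112,10 +112,7 @@ function deflateString(message: string): number[] {
  */
 export function inflateString(compressedString: string): string {
 const inputBuffer = Buffer.from(compressedString, BASE64_STR);
-
-return Array.from(inflate(input, { raw: true }))
-.map((byte: number) => String.fromCharCode(byte))
-.join('');
+return inflateRawSync(inputBuffer).toString('utf8');
 }
 /**
  * @desc Abstract the normalizeCerString and normalizePemString
@@ -173,10 +170,9 @@ function applyDefault(obj1, obj2) {
  * @return {string} public key fetched from the certificate
  */
 function getPublicKeyPemFromCertificate(x509Certificate: string) {
-const
-const
-
-return pki.publicKeyToPem(cert.publicKey);
+const der = Buffer.from(x509Certificate, 'base64');
+const cert = new X509Certificate(der);
+return cert.publicKey.export({ type: 'spki', format: 'pem' });
 }
 /**
  * @desc Read private key from pem-formatted string
@@ -186,7 +182,12 @@ function getPublicKeyPemFromCertificate(x509Certificate: string) {
  * If passphrase is used to protect the .pem content (recommend)
  */
 export function readPrivateKey(keyString: string | Buffer, passphrase: string | undefined, isOutputString?: boolean) {
-
+if (isString(passphrase)) {
+const key = createPrivateKey({ key: keyString, format: 'pem', passphrase });
+const pem = key.export({ type: 'pkcs1', format: 'pem' });
+return convertToString(pem, isOutputString);
+}
+return keyString;
 }
 /**
  * @desc Inline syntax sugar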
@@ -19,7 +19,7 @@ declare function base64LoginRequest(referenceTagXPath: string, entity: any, cust
|
|
|
19
19
|
* @param {function} customTagReplacement used when developers have their own login response template
|
|
20
20
|
* @param {boolean} encryptThenSign whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
|
|
21
21
|
*/
|
|
22
|
-
declare function base64LoginResponse(requestInfo: any, entity: any, user?: any, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean): Promise<BindingContext>;
|
|
22
|
+
declare function base64LoginResponse(requestInfo: any | undefined, entity: any, user?: any, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean): Promise<BindingContext>;
|
|
23
23
|
/**
|
|
24
24
|
* @desc Generate a base64 encoded logout request
|
|
25
25
|
* @param {object} user current logged user (e.g. req.user)
|
|
@@ -31,7 +31,7 @@ declare function base64LoginRequest(entity: any, customTagReplacement?: (templat
|
|
|
31
31
|
* @param {string} relayState the relay state
|
|
32
32
|
* @param {function} customTagReplacement used when developers have their own login response template
|
|
33
33
|
*/
|
|
34
|
-
declare function base64LoginResponse(requestInfo: any, entity: any, user?: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): Promise<BindingSimpleSignContext>;
|
|
34
|
+
declare function base64LoginResponse(requestInfo: any | undefined, entity: any, user?: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): Promise<BindingSimpleSignContext>;
|
|
35
35
|
declare const simpleSignBinding: {
|
|
36
36
|
base64LoginRequest: typeof base64LoginRequest;
|
|
37
37
|
base64LoginResponse: typeof base64LoginResponse;
|
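--- a/package/types/src/entity.d.ts
+++ b/package/types/src/entity.d.ts
@@ -1,4 +1,3 @@
-/// <reference types="node" />
 import { IdpMetadata as IdpMetadataConstructor } from './metadata-idp';
 import { SpMetadata as SpMetadataConstructor } from './metadata-sp';
 import { MetadataIdpConstructor, MetadataSpConstructor, EntitySetting } from './types';
@@ -31,7 +30,7 @@ export interface ParseResult {
 extract: any;
 sigAlg: string;
 }
-export
+export type EntityConstructor = (MetadataIdpConstructor | MetadataSpConstructor) & {
 metadata?: string | Buffer;
 };
 export default class Entity {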
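--- a/package/types/src/extractor.d.ts
+++ b/package/types/src/extractor.d.ts
@@ -6,7 +6,7 @@ interface ExtractorField {
 attributePath?: string[];
 context?: boolean;
 }
-export
+export type ExtractorFields = ExtractorField[];
 export declare const loginRequestFields: ExtractorFields;
 export declare const loginResponseStatusFields: {
 key: string;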
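--- a/package/types/src/libsaml.d.ts
+++ b/package/types/src/libsaml.d.ts
@@ -3,7 +3,6 @@
  * @author tngan
  * @desc A simple library including some common functions
  */
-/// <reference types="node" />
 import { MetadataInterface } from './metadata';
 export interface SignatureConstructor {
 rawSamlMessage: string;
@@ -58,7 +57,7 @@ export interface LogoutRequestTemplate extends BaseSamlTemplate {
 }
 export interface LogoutResponseTemplate extends BaseSamlTemplate {
 }
-export
+export type KeyUse = 'signing' | 'encryption';
 export interface KeyComponent {
 [key: string]: any;
 }
@@ -86,7 +85,7 @@ export interface LibSamlInterface {
 defaultLogoutResponseTemplate: LogoutResponseTemplate;
 }
 declare const _default: {
-createXPath: (local: any, isExtractAll?: boolean
+createXPath: (local: any, isExtractAll?: boolean) => string;
 getQueryParamByType: (type: string) => "SAMLRequest" | "SAMLResponse";
 defaultLoginRequestTemplate: {
 context: string;
@@ -166,7 +165,7 @@ declare const _default: {
  * @param {string} signingAlgorithm signing algorithm
  * @return {string} message signature
  */
-constructMessageSignature(octetString: string, key: string, passphrase?: string
+constructMessageSignature(octetString: string, key: string, passphrase?: string, isBase64?: boolean, signingAlgorithm?: string): string | Buffer<ArrayBufferLike>;
 /**
  * @desc Verifies message signature
  * @param {Metadata} metadata metadata object of identity provider or service provider
@@ -175,7 +174,7 @@ declare const _default: {
  * @param {string} verifyAlgorithm algorithm used to verify
  * @return {boolean} verification result
  */
-verifyMessageSignature(metadata: any, octetString: string, signature: string | Buffer, verifyAlgorithm?: string
+verifyMessageSignature(metadata: any, octetString: string, signature: string | Buffer, verifyAlgorithm?: string): boolean;
 /**
  * @desc Get the public key in string format
  * @param {string} x509Certificate certificate
@@ -192,7 +191,7 @@ declare const _default: {
  * @param {string} xml response in xml string format
  * @return {Promise} a promise to resolve the finalized xml
  */
-encryptAssertion(sourceEntity: any, targetEntity: any, xml?: string
+encryptAssertion(sourceEntity: any, targetEntity: any, xml?: string): Promise<string>;
 /**
  * @desc Decrypt the assertion section in Response
  * @param {string} type only accept SAMLResponse to proceed decryption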
package/types/src/metadata.d.ts
CHANGED
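--- a/package/types/src/types.d.ts
+++ b/package/types/src/types.d.ts
@@ -1,11 +1,10 @@
-/// <reference types="node" />
 import { LoginResponseTemplate } from './libsaml';
 export { IdentityProvider as IdentityProviderConstructor } from './entity-idp';
 export { IdpMetadata as IdentityProviderMetadata } from './metadata-idp';
 export { ServiceProvider as ServiceProviderConstructor } from './entity-sp';
 export { SpMetadata as ServiceProviderMetadata } from './metadata-sp';
-export
-
+export type MetadataFile = string | Buffer;
+type SSOService = {
 isDefault?: boolean;
 Binding: string;
 Location: string;
@@ -20,7 +19,7 @@ export interface MetadataIdpOptions {
 singleLogoutService?: SSOService[];
 requestSignatureAlgorithm?: string;
 }
-export
+export type MetadataIdpConstructor = MetadataIdpOptions | MetadataFile;
 export interface MetadataSpOptions {
 entityID?: string;
 signingCert?: string | Buffer | (string | Buffer)[];
@@ -37,8 +36,8 @@ export interface MetadataSpOptions {
 assertionConsumerService?: SSOService[];
 elementsOrder?: string[];
 }
-export
-export
+export type MetadataSpConstructor = MetadataSpOptions | MetadataFile;
+export type EntitySetting = ServiceProviderSettings & IdentityProviderSettings;
 export interface SignatureConfig {
 prefix?: string;
 location?: {
@@ -49,7 +48,7 @@ export interface SignatureConfig {
 export interface SAMLDocumentTemplate {
 context?: string;
 }
-export
+export type ServiceProviderSettings = {
 metadata?: string | Buffer;
 entityID?: string;
 authnRequestsSigned?: boolean;
@@ -76,7 +75,7 @@ export declare type ServiceProviderSettings = {
 relayState?: string;
 clockDrifts?: [number, number];
 };
-export
+export type IdentityProviderSettings = {
 metadata?: string | Buffer;
 /** signature algorithm */
 requestSignatureAlgorithm?: string;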
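--- a/package/types/src/utility.d.ts
+++ b/package/types/src/utility.d.ts
@@ -1,4 +1,3 @@
-/// <reference types="node" />
 /**
  * @desc Mimic lodash.zipObject
  * @param arr1 {string[]}
@@ -35,7 +34,7 @@ export declare function get(obj: any, path: any, defaultValue: any): any;
  * @desc Check if the input is string
  * @param {any} input
  */
-export declare function isString(input: any):
+export declare function isString(input: any): input is string;
 /**
  * @desc Encode string with base64 format
  * @param {string} message plain-text message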
package/types/src/validator.d.ts
CHANGED
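--- a/package/.travis.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-language: node_js
-
-node_js:
-- "16"
-- "18"
-- "20"
-
-env:
-- INSTALL_JDK=1
-- INSTALL_JDK=0
-
-before_install:
-- if [[ "$INSTALL_JDK" == "1" ]] ; then make install_jdk ; fi
-
-install:
-- yarn install --production=true
-
-script:
-- yarn add @authenio/samlify-xsd-schema-validator
-- yarn test --timeout=30s
-
-branches:
-only:
-- master
-- /^.*-alpha$/
-- /^.*-rc.*$/
-- /^feature\/.*$/
-
-after_success: npm run coverage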
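--- a/package/CHANGELOG.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# 2.10.1
-
-* Changes to libsaml.ts verifySignature. This is an internal function, but we still document changes
-- Does not raise error when signature is missing/invalid. Instead it now returns false. This is to simplify logic
-- When there are encrypted assertions, returns the entire response, as the "verifiedAssertionNode"
-
-* Fix logic around handling encrypted assertions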
package/types/vitest.config.d.ts
DELETED