npm - samlify - Versions diffs - 2.11.0 → 2.13.0 - Mend

samlify 2.11.0 → 2.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/README.md +1 -1
package/build/src/api.js +52 -3
package/build/src/api.js.map +1 -1
package/build/src/binding-post.js +236 -182
package/build/src/binding-post.js.map +1 -1
package/build/src/binding-redirect.js +303 -215
package/build/src/binding-redirect.js.map +1 -1
package/build/src/binding-simplesign.js +285 -137
package/build/src/binding-simplesign.js.map +1 -1
package/build/src/entity-idp.js +130 -47
package/build/src/entity-idp.js.map +1 -1
package/build/src/entity-sp.js +81 -39
package/build/src/entity-sp.js.map +1 -1
package/build/src/entity.js +100 -62
package/build/src/entity.js.map +1 -1
package/build/src/extractor.js +119 -155
package/build/src/extractor.js.map +1 -1
package/build/src/flow.js +100 -96
package/build/src/flow.js.map +1 -1
package/build/src/libsaml.js +318 -261
package/build/src/libsaml.js.map +1 -1
package/build/src/metadata-idp.js +60 -30
package/build/src/metadata-idp.js.map +1 -1
package/build/src/metadata-sp.js +51 -41
package/build/src/metadata-sp.js.map +1 -1
package/build/src/metadata.js +47 -43
package/build/src/metadata.js.map +1 -1
package/build/src/options.js +73 -0
package/build/src/options.js.map +1 -0
package/build/src/urn.js +28 -1
package/build/src/urn.js.map +1 -1
package/build/src/utility.js +165 -83
package/build/src/utility.js.map +1 -1
package/build/src/validator.js +27 -10
package/build/src/validator.js.map +1 -1
package/package.json +17 -7
package/types/src/api.d.ts +33 -3
package/types/src/binding-post.d.ts +67 -34
package/types/src/binding-redirect.d.ts +58 -31
package/types/src/binding-simplesign.d.ts +77 -21
package/types/src/entity-idp.d.ts +40 -31
package/types/src/entity-sp.d.ts +37 -27
package/types/src/entity.d.ts +71 -77
package/types/src/extractor.d.ts +31 -22
package/types/src/flow.d.ts +24 -2
package/types/src/libsaml.d.ts +172 -118
package/types/src/metadata-idp.d.ts +27 -11
package/types/src/metadata-sp.d.ts +29 -19
package/types/src/metadata.d.ts +59 -34
package/types/src/options.d.ts +37 -0
package/types/src/types.d.ts +250 -24
package/types/src/urn.d.ts +7 -0
package/types/src/utility.d.ts +144 -89
package/types/src/validator.d.ts +21 -0
package/.circleci/config.yml +0 -98
package/.editorconfig +0 -19
package/.github/FUNDING.yml +0 -1
package/.github/workflows/deploy-docs.yml +0 -56
package/.pre-commit.sh +0 -15
package/.snyk +0 -4
package/Makefile +0 -25
package/index.ts +0 -28
package/src/api.ts +0 -36
package/src/binding-post.ts +0 -336
package/src/binding-redirect.ts +0 -335
package/src/binding-simplesign.ts +0 -231
package/src/entity-idp.ts +0 -145
package/src/entity-sp.ts +0 -114
package/src/entity.ts +0 -243
package/src/extractor.ts +0 -399
package/src/flow.ts +0 -469
package/src/libsaml.ts +0 -777
package/src/metadata-idp.ts +0 -146
package/src/metadata-sp.ts +0 -203
package/src/metadata.ts +0 -166
package/src/types.ts +0 -127
package/src/urn.ts +0 -210
package/src/utility.ts +0 -231
package/src/validator.ts +0 -44
package/tsconfig.json +0 -41
package/tslint.json +0 -35
package/types.d.ts +0 -2
package/vitest.config.ts +0 -12

package/src/binding-simplesign.ts DELETED Viewed

@@ -1,231 +0,0 @@
-/**
-* @file binding-simplesign.ts
-* @author Orange
-* @desc Binding-level API, declare the functions using POST SimpleSign binding
-*/
-import { wording, StatusCode } from './urn';
-import { BindingContext, SimpleSignComputedContext } from './entity';
-import libsaml from './libsaml';
-import utility, { get } from './utility';
-const binding = wording.binding;
-const urlParams = wording.urlParams;
-export interface BuildSimpleSignConfig {
-  type: string;
-  context: string;
-  entitySetting: any;
-  relayState?: string;
-}
-export interface BindingSimpleSignContext {
-  id: string;
-  context: string;
-  signature: any;
-  sigAlg: string;
-}
-/**
-* @private
-* @desc Helper of generating URL param/value pair
-* @param  {string} param     key
-* @param  {string} value     value of key
-* @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
-* @return {string}
-*/
-function pvPair(param: string, value: string, first?: boolean): string {
-  return (first === true ? '?' : '&') + param + '=' + value;
-}
-/**
-* @private
-* @desc Refactored part of simple signature generation for login/logout request
-* @param  {string} type
-* @param  {string} rawSamlRequest
-* @param  {object} entitySetting
-* @return {string}
-*/
-function buildSimpleSignature(opts: BuildSimpleSignConfig) : string {
-  const {
-    type,
-    context,
-    entitySetting,
-  } = opts;
-  let { relayState = '' } = opts;
-  const queryParam = libsaml.getQueryParamByType(type);
-  if (relayState !== '') {
-    relayState = pvPair(urlParams.relayState, relayState);
-  }
-  const sigAlg = pvPair(urlParams.sigAlg, entitySetting.requestSignatureAlgorithm);
-  const octetString = context + relayState + sigAlg;
-  return libsaml.constructMessageSignature(
-    queryParam + '=' + octetString,
-    entitySetting.privateKey,
-    entitySetting.privateKeyPass,
-    undefined,
-    entitySetting.requestSignatureAlgorithm
-  ).toString();
-}
-/**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-function base64LoginRequest(entity: any, customTagReplacement?: (template: string) => BindingContext): SimpleSignComputedContext {
-  const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
-  const spSetting = entity.sp.entitySetting;
-  let id: string = '';
-  if (metadata && metadata.idp && metadata.sp) {
-    const base = metadata.idp.getSingleSignOnService(binding.simpleSign);
-    let rawSamlRequest: string;
-    if (spSetting.loginRequestTemplate && customTagReplacement) {
-      const info = customTagReplacement(spSetting.loginRequestTemplate.context);
-      id = get(info, 'id', null);
-      rawSamlRequest = get(info, 'context', null);
-    } else {
-      const nameIDFormat = spSetting.nameIDFormat;
-      const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-      id = spSetting.generateID();
-      rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
-        ID: id,
-        Destination: base,
-        Issuer: metadata.sp.getEntityID(),
-        IssueInstant: new Date().toISOString(),
-        AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.simpleSign),
-        EntityID: metadata.sp.getEntityID(),
-        AllowCreate: spSetting.allowCreate,
-        NameIDFormat: selectedNameIDFormat
-      } as any);
-    }
-    let simpleSignatureContext : any = null;
-    if (metadata.idp.isWantAuthnRequestsSigned()) {
-        const simpleSignature = buildSimpleSignature({
-            type: urlParams.samlRequest,
-            context: rawSamlRequest,
-            entitySetting: spSetting,
-            relayState: spSetting.relayState,
-        });
-        simpleSignatureContext = {
-          signature: simpleSignature,
-          sigAlg: spSetting.requestSignatureAlgorithm,
-        };
-    }
-    // No need to embeded XML signature
-    return {
-      id,
-      context: utility.base64Encode(rawSamlRequest),
-      ...simpleSignatureContext,
-    };
-  }
-  throw new Error('ERR_GENERATE_POST_SIMPLESIGN_LOGIN_REQUEST_MISSING_METADATA');
-}
-/**
-* @desc Generate a base64 encoded login response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {string}  relayState               the relay state
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-async function base64LoginResponse(requestInfo: any = {}, entity: any, user: any = {}, relayState?: string, customTagReplacement?: (template: string) => BindingContext): Promise<BindingSimpleSignContext> {
-  const idpSetting = entity.idp.entitySetting;
-  const spSetting = entity.sp.entitySetting;
-  const id = idpSetting.generateID();
-  const metadata = {
-    idp: entity.idp.entityMeta,
-    sp: entity.sp.entityMeta,
-  };
-  const nameIDFormat = idpSetting.nameIDFormat;
-  const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-  if (metadata && metadata.idp && metadata.sp) {
-    const base = metadata.sp.getAssertionConsumerService(binding.simpleSign);
-    let rawSamlResponse: string;
-    const nowTime = new Date();
-    // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
-    const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000 );
-    const tvalue: any = {
-      ID: id,
-      AssertionID: idpSetting.generateID(),
-      Destination: base,
-      Audience: metadata.sp.getEntityID(),
-      EntityID: metadata.sp.getEntityID(),
-      SubjectRecipient: base,
-      Issuer: metadata.idp.getEntityID(),
-      IssueInstant: nowTime.toISOString(),
-      AssertionConsumerServiceURL: base,
-      StatusCode: StatusCode.Success,
-      // can be customized
-      ConditionsNotBefore: nowTime.toISOString(),
-      ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-      SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-      NameIDFormat: selectedNameIDFormat,
-      NameID: user.email || '',
-      InResponseTo: get(requestInfo, 'extract.request.id', ''),
-      AuthnStatement: '',
-      AttributeStatement: '',
-    };
-    if (idpSetting.loginResponseTemplate && customTagReplacement) {
-      const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-      rawSamlResponse = get(template, 'context', null);
-    } else {
-      if (requestInfo !== null) {
-        tvalue.InResponseTo = requestInfo.extract.request.id;
-      }
-      rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
-    }
-    const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-    const config = {
-      privateKey,
-      privateKeyPass,
-      signatureAlgorithm,
-      signingCert: metadata.idp.getX509Certificate('signing'),
-      isBase64Output: false,
-    };
-    // step: sign assertion ? -> encrypted ? -> sign message ?
-    if (metadata.sp.isWantAssertionsSigned()) {
-      rawSamlResponse = libsaml.constructSAMLSignature({
-        ...config,
-        rawSamlMessage: rawSamlResponse,
-        transformationAlgorithms: spSetting.transformationAlgorithms,
-        referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-        signatureConfig: {
-          prefix: 'ds',
-          location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
-        },
-      });
-    }
-    // SAML response must be signed sign message first, then encrypt
-    let simpleSignature: string = '';
-    // like in post and redirect bindings, login response is always signed.
-    simpleSignature = buildSimpleSignature({
-        type: urlParams.samlResponse,
-        context: rawSamlResponse,
-        entitySetting: idpSetting,
-        relayState: relayState,
-    } );
-    return Promise.resolve({
-      id,
-      context: utility.base64Encode(rawSamlResponse),
-      signature: simpleSignature,
-      sigAlg: idpSetting.requestSignatureAlgorithm,
-    });
-  }
-  throw new Error('ERR_GENERATE_POST_SIMPLESIGN_LOGIN_RESPONSE_MISSING_METADATA');
-}
-const simpleSignBinding = {
-    base64LoginRequest,
-    base64LoginResponse,
-  };
-export default simpleSignBinding;

package/src/entity-idp.ts DELETED Viewed

@@ -1,145 +0,0 @@
-/**
-* @file entity-idp.ts
-* @author tngan
-* @desc  Declares the actions taken by identity provider
-*/
-import Entity, { ESamlHttpRequest } from './entity';
-import {
-  ServiceProviderConstructor as ServiceProvider,
-  ServiceProviderMetadata,
-  IdentityProviderMetadata,
-  IdentityProviderSettings,
-} from './types';
-import libsaml from './libsaml';
-import { namespace } from './urn';
-import postBinding from './binding-post';
-import redirectBinding from './binding-redirect';
-import simpleSignBinding from './binding-simplesign';
-import { flow, FlowResult } from './flow';
-import { isString } from './utility';
-import { BindingContext } from './entity';
-/**
- * Identity provider can be configured using either metadata importing or idpSetting
- */
-export default function(props: IdentityProviderSettings) {
-  return new IdentityProvider(props);
-}
-/**
- * Identity provider can be configured using either metadata importing or idpSetting
- */
-export class IdentityProvider extends Entity {
-  entityMeta: IdentityProviderMetadata;
-  constructor(idpSetting: IdentityProviderSettings) {
-    const defaultIdpEntitySetting = {
-      wantAuthnRequestsSigned: false,
-      tagPrefix: {
-        encryptedAssertion: 'saml',
-      },
-    };
-    const entitySetting = Object.assign(defaultIdpEntitySetting, idpSetting);
-    // build attribute part
-    if (idpSetting.loginResponseTemplate) {
-      if (isString(idpSetting.loginResponseTemplate.context) && Array.isArray(idpSetting.loginResponseTemplate.attributes)) {
-        let attributeStatementTemplate;
-        let attributeTemplate;
-        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate) {
-          attributeStatementTemplate = libsaml.defaultAttributeStatementTemplate;
-        } else {
-          attributeStatementTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate!;
-        }
-        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate) {
-          attributeTemplate = libsaml.defaultAttributeTemplate;
-        } else {
-          attributeTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate!;
-        }
-        const replacement = {
-          AttributeStatement: libsaml.attributeStatementBuilder(idpSetting.loginResponseTemplate.attributes, attributeTemplate, attributeStatementTemplate),
-        };
-        entitySetting.loginResponseTemplate = {
-          ...entitySetting.loginResponseTemplate,
-          context: libsaml.replaceTagsByValue(entitySetting.loginResponseTemplate!.context, replacement),
-        };
-      } else {
-        console.warn('Invalid login response template');
-      }
-    }
-    super(entitySetting, 'idp');
-  }
-  /**
-  * @desc  Generates the login response for developers to design their own method
-  * @param  sp                        object of service provider
-  * @param  requestInfo               corresponding request, used to obtain the id
-  * @param  binding                   protocol binding
-  * @param  user                      current logged user (e.g. req.user)
-  * @param  customTagReplacement      used when developers have their own login response template
-  * @param  encryptThenSign           whether or not to encrypt then sign first (if signing)
-  * @param  relayState             the relayState from corresponding request
-  */
-  public async createLoginResponse(
-    sp: ServiceProvider,
-    requestInfo: { [key: string]: any },
-    binding: string,
-    user: { [key: string]: any },
-    customTagReplacement?: (template: string) => BindingContext,
-    encryptThenSign?: boolean,
-    relayState?: string,
-  ) {
-    const protocol = namespace.binding[binding];
-    // can support post, redirect and post simple sign bindings for login response
-    let context: any = null;
-    switch (protocol) {
-      case namespace.binding.post:
-        context = await postBinding.base64LoginResponse(requestInfo, {
-          idp: this,
-          sp,
-        }, user, customTagReplacement, encryptThenSign);
-        break;
-      case namespace.binding.simpleSign:
-        context = await simpleSignBinding.base64LoginResponse( requestInfo, {
-          idp: this, sp,
-        }, user, relayState, customTagReplacement);
-        break;
-      case namespace.binding.redirect:
-        return redirectBinding.loginResponseRedirectURL(requestInfo, {
-          idp: this,
-          sp,
-        }, user, relayState, customTagReplacement);
-      default:
-        throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
-    }
-    return {
-      ...context,
-      relayState,
-      entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding) as string,
-      type: 'SAMLResponse'
-    };
-  }
-  /**
-   * Validation of the parsed URL parameters
-   * @param sp ServiceProvider instance
-   * @param binding Protocol binding
-   * @param req RequesmessageSigningOrderst
-   */
-  parseLoginRequest(sp: ServiceProvider, binding: string, req: ESamlHttpRequest) {
-    const self = this;
-    return flow({
-      from: sp,
-      self: self,
-      checkSignature: self.entityMeta.isWantAuthnRequestsSigned(),
-      parserType: 'SAMLRequest',
-      type: 'login',
-      binding: binding,
-      request: req
-    });
-  }
-}

package/src/entity-sp.ts DELETED Viewed

@@ -1,114 +0,0 @@
-/**
-* @file entity-sp.ts
-* @author tngan
-* @desc  Declares the actions taken by service provider
-*/
-import Entity, {
-  BindingContext,
-  PostBindingContext,
-  ESamlHttpRequest,
-  SimpleSignBindingContext,
-} from './entity';
-import {
-  IdentityProviderConstructor as IdentityProvider,
-  ServiceProviderMetadata,
-  ServiceProviderSettings,
-} from './types';
-import { namespace } from './urn';
-import redirectBinding from './binding-redirect';
-import postBinding from './binding-post';
-import simpleSignBinding from './binding-simplesign';
-import { flow, FlowResult } from './flow';
-/*
- * @desc interface function
- */
-export default function(props: ServiceProviderSettings) {
-  return new ServiceProvider(props);
-}
-/**
-* @desc Service provider can be configured using either metadata importing or spSetting
-* @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
-*/
-export class ServiceProvider extends Entity {
-  entityMeta: ServiceProviderMetadata;
-  /**
-  * @desc  Inherited from Entity
-  * @param {object} spSetting    setting of service provider
-  */
-  constructor(spSetting: ServiceProviderSettings) {
-    const entitySetting = Object.assign({
-      authnRequestsSigned: false,
-      wantAssertionsSigned: false,
-      wantMessageSigned: false,
-    }, spSetting);
-    super(entitySetting, 'sp');
-  }
-  /**
-  * @desc  Generates the login request for developers to design their own method
-  * @param  {IdentityProvider} idp               object of identity provider
-  * @param  {string}   binding                   protocol binding
-  * @param  {function} customTagReplacement     used when developers have their own login response template
-  */
-  public createLoginRequest(
-    idp: IdentityProvider,
-    binding = 'redirect',
-    customTagReplacement?: (template: string) => BindingContext,
-  ): BindingContext | PostBindingContext| SimpleSignBindingContext  {
-    const nsBinding = namespace.binding;
-    const protocol = nsBinding[binding];
-    if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
-      throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
-    }
-    let context: any = null;
-    switch (protocol) {
-      case nsBinding.redirect:
-        return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement);
-      case nsBinding.post:
-        context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement);
-        break;
-      case nsBinding.simpleSign:
-        // Object context = {id, context, signature, sigAlg}
-        context = simpleSignBinding.base64LoginRequest( { idp, sp: this }, customTagReplacement);
-        break;
-      default:
-        // Will support artifact in the next release
-        throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
-    }
-    return {
-      ...context,
-      relayState: this.entitySetting.relayState,
-      entityEndpoint: idp.entityMeta.getSingleSignOnService(binding) as string,
-      type: 'SAMLRequest',
-    };
-  }
-  /**
-  * @desc   Validation of the parsed the URL parameters
-  * @param  {IdentityProvider}   idp             object of identity provider
-  * @param  {string}   binding                   protocol binding
-  * @param  {request}   req                      request
-  */
-  public parseLoginResponse(idp, binding, request: ESamlHttpRequest) {
-    const self = this;
-    return flow({
-      from: idp,
-      self: self,
-      checkSignature: true, // saml response must have signature
-      parserType: 'SAMLResponse',
-      type: 'login',
-      binding: binding,
-      request: request
-    });
-  }
-}