samlify 2.11.0 → 2.13.0

package/src/entity.ts

@@ -1,243 +0,0 @@
-/**
-* @file entity.ts
-* @author tngan
-* @desc  An abstraction for identity provider and service provider.
-*/
-import { randomUUID } from 'crypto';
-import { isString, isNonEmptyArray } from './utility';
-import { namespace, wording, algorithms, messageConfigurations } from './urn';
-import IdpMetadata, { IdpMetadata as IdpMetadataConstructor } from './metadata-idp';
-import SpMetadata, { SpMetadata as SpMetadataConstructor } from './metadata-sp';
-import redirectBinding from './binding-redirect';
-import postBinding from './binding-post';
-import { MetadataIdpConstructor, MetadataSpConstructor, EntitySetting } from './types';
-import { flow, FlowResult } from './flow';
-
-const dataEncryptionAlgorithm = algorithms.encryption.data;
-const keyEncryptionAlgorithm = algorithms.encryption.key;
-const signatureAlgorithms = algorithms.signature;
-const messageSigningOrders = messageConfigurations.signingOrder;
-
-const defaultEntitySetting = {
-  wantLogoutResponseSigned: false,
-  messageSigningOrder: messageSigningOrders.SIGN_THEN_ENCRYPT,
-  wantLogoutRequestSigned: false,
-  allowCreate: false,
-  isAssertionEncrypted: false,
-  requestSignatureAlgorithm: signatureAlgorithms.RSA_SHA256,
-  dataEncryptionAlgorithm: dataEncryptionAlgorithm.AES_256,
-  keyEncryptionAlgorithm: keyEncryptionAlgorithm.RSA_OAEP_MGF1P,
-  generateID: (): string => ('_' + randomUUID()),
-  relayState: '',
-};
-
-export interface ESamlHttpRequest {
-  query?: any;
-  body?: any;
-  octetString?: string;
-}
-
-export interface BindingContext {
-  context: string;
-  id: string;
-}
-
-export interface PostBindingContext extends BindingContext {
-  relayState?: string;
-  entityEndpoint: string;
-  type: string;
-}
-
-export interface SimpleSignBindingContext extends PostBindingContext {
-  sigAlg?: string;
-  signature?: string;
-  keyInfo?: string;
-}
-
-export interface SimpleSignComputedContext extends BindingContext {
-  sigAlg?: string;
-  signature?: string;
-}
-
-export interface ParseResult {
-  samlContent: string;
-  extract: any;
-  sigAlg: string;
-}
-
-export type EntityConstructor = (MetadataIdpConstructor | MetadataSpConstructor)
-  & { metadata?: string | Buffer };
-
-export default class Entity {
-  entitySetting: EntitySetting;
-  entityType: string;
-  entityMeta: IdpMetadataConstructor | SpMetadataConstructor;
-
-  /**
-  * @param entitySetting
-  * @param entityMeta is the entity metadata, deprecated after 2.0
-  */
-  constructor(entitySetting: EntityConstructor, entityType: 'idp' | 'sp') {
-    this.entitySetting = Object.assign({}, defaultEntitySetting, entitySetting);
-    const metadata = entitySetting.metadata || entitySetting;
-    switch (entityType) {
-      case 'idp':
-        this.entityMeta = IdpMetadata(metadata);
-        // setting with metadata has higher precedence 
-        this.entitySetting.wantAuthnRequestsSigned = this.entityMeta.isWantAuthnRequestsSigned();
-        this.entitySetting.nameIDFormat = this.entityMeta.getNameIDFormat() || this.entitySetting.nameIDFormat;
-        break;
-      case 'sp':
-        this.entityMeta = SpMetadata(metadata);
-        // setting with metadata has higher precedence 
-        this.entitySetting.authnRequestsSigned = this.entityMeta.isAuthnRequestSigned();
-        this.entitySetting.wantAssertionsSigned = this.entityMeta.isWantAssertionsSigned();
-        this.entitySetting.nameIDFormat = this.entityMeta.getNameIDFormat() || this.entitySetting.nameIDFormat;
-        break;
-      default:
-        throw new Error('ERR_UNDEFINED_ENTITY_TYPE');
-    }
-  }
-
-  /**
-  * @desc  Returns the setting of entity
-  * @return {object}
-  */
-  getEntitySetting() {
-    return this.entitySetting;
-  }
-  /**
-  * @desc  Returns the xml string of entity metadata
-  * @return {string}
-  */
-  getMetadata(): string {
-    return this.entityMeta.getMetadata();
-  }
-
-  /**
-  * @desc  Exports the entity metadata into specified folder
-  * @param  {string} exportFile indicates the file name
-  */
-  exportMetadata(exportFile: string) {
-    return this.entityMeta.exportMetadata(exportFile);
-  }
-
-  /** * @desc  Verify fields with the one specified in metadata
-  * @param  {string/[string]} field is a string or an array of string indicating the field value in SAML message
-  * @param  {string} metaField is a string indicating the same field specified in metadata
-  * @return {boolean} True/False
-  */
-  verifyFields(field: string | string[], metaField: string): boolean {
-    if (isString(field)) {
-      return field === metaField;
-    }
-    if (isNonEmptyArray(field)) {
-      let res = true;
-      (field as string[]).forEach(f => {
-        if (f !== metaField) {
-          res = false;
-          return;
-        }
-      });
-      return res;
-    }
-    return false;
-  }
-  /** @desc   Generates the logout request for developers to design their own method
-  * @param  {ServiceProvider} sp     object of service provider
-  * @param  {string}   binding       protocol binding
-  * @param  {object}   user          current logged user (e.g. user)
-  * @param  {string} relayState      the URL to which to redirect the user when logout is complete
-  * @param  {function} customTagReplacement     used when developers have their own login response template
-  */
-  createLogoutRequest(targetEntity, binding, user, relayState = '', customTagReplacement?): BindingContext | PostBindingContext {
-    if (binding === wording.binding.redirect) {
-      return redirectBinding.logoutRequestRedirectURL(user, {
-        init: this,
-        target: targetEntity,
-      }, relayState, customTagReplacement);
-    }
-    if (binding === wording.binding.post) {
-      const entityEndpoint = targetEntity.entityMeta.getSingleLogoutService(binding);
-      const context = postBinding.base64LogoutRequest(user, "/*[local-name(.)='LogoutRequest']", { init: this, target: targetEntity }, customTagReplacement);
-      return {
-        ...context,
-        relayState,
-        entityEndpoint,
-        type: 'SAMLRequest',
-      };
-    }
-    // Will support artifact in the next release
-    throw new Error('ERR_UNDEFINED_BINDING');
-  }
-
-  /**
-  * @desc  Generates the logout response for developers to design their own method
-  * @param  {IdentityProvider} idp               object of identity provider
-  * @param  {object} requestInfo                 corresponding request, used to obtain the id
-  * @param  {string} relayState                  the URL to which to redirect the user when logout is complete.
-  * @param  {string} binding                     protocol binding
-  * @param  {function} customTagReplacement                 used when developers have their own login response template
-  */
-  createLogoutResponse(target, requestInfo, binding, relayState = '', customTagReplacement?): BindingContext | PostBindingContext {
-    const protocol = namespace.binding[binding];
-    if (protocol === namespace.binding.redirect) {
-      return redirectBinding.logoutResponseRedirectURL(requestInfo, {
-        init: this,
-        target,
-      }, relayState, customTagReplacement);
-    }
-    if (protocol === namespace.binding.post) {
-      const context = postBinding.base64LogoutResponse(requestInfo, {
-        init: this,
-        target,
-      }, customTagReplacement);
-      return {
-        ...context,
-        relayState,
-        entityEndpoint: target.entityMeta.getSingleLogoutService(binding),
-        type: 'SAMLResponse',
-      };
-    }
-    throw new Error('ERR_CREATE_LOGOUT_RESPONSE_UNDEFINED_BINDING');
-  }
-
-  /**
-  * @desc   Validation of the parsed the URL parameters
-  * @param  {IdentityProvider}   idp             object of identity provider
-  * @param  {string}   binding                   protocol binding
-  * @param  {request}   req                      request
-  * @return {Promise}
-  */
-  parseLogoutRequest(from, binding, request: ESamlHttpRequest) {
-    const self = this;
-    return flow({
-      from: from,
-      self: self,
-      type: 'logout',
-      parserType: 'LogoutRequest',
-      checkSignature: this.entitySetting.wantLogoutRequestSigned,
-      binding: binding,
-      request: request,
-    });
-  }
-  /**
-  * @desc   Validation of the parsed the URL parameters
-  * @param  {object} config                      config for the parser
-  * @param  {string}   binding                   protocol binding
-  * @param  {request}   req                      request
-  * @return {Promise}
-  */
-  parseLogoutResponse(from, binding, request: ESamlHttpRequest) {
-    const self = this;
-    return flow({
-      from: from,
-      self: self,
-      type: 'logout',
-      parserType: 'LogoutResponse',
-      checkSignature: self.entitySetting.wantLogoutResponseSigned,
-      binding: binding,
-      request: request
-    });
-  }
-}

package/src/extractor.ts

@@ -1,399 +0,0 @@
-import { select, SelectedValue, SelectReturnType } from 'xpath';
-import { uniq, last, zipObject, notEmpty } from './utility';
-
-function toNodeArray(result: SelectReturnType): Node[] {
-  if (Array.isArray(result)) return result;
-  if (result != null && typeof result === 'object' && 'nodeType' in (result as object)) return [result as Node];
-  return [];
-}
-import { getContext } from './api';
-import camelCase from 'camelcase';
-
-interface ExtractorField {
-  key: string;
-  localPath: string[] | string[][];
-  attributes: string[];
-  index?: string[];
-  attributePath?: string[];
-  context?: boolean;
-}
-
-export type ExtractorFields = ExtractorField[];
-
-function buildAbsoluteXPath(paths) {
-  return paths.reduce((currentPath, name) => {
-    let appendedPath = currentPath;
-    const isWildcard = name.startsWith('~');
-    if (isWildcard) {
-      const pathName = name.replace('~', '');
-      appendedPath = currentPath + `/*[contains(local-name(), '${pathName}')]`;
-    }
-    if (!isWildcard) {
-      appendedPath = currentPath + `/*[local-name(.)='${name}']`;
-    }
-    return appendedPath;
-  }, '');
-}
-
-function buildAttributeXPath(attributes) {
-  if (attributes.length === 0) {
-    return '/text()';
-  }
-  if (attributes.length === 1) {
-    return `/@${attributes[0]}`;
-  }
-  const filters = attributes.map(attribute => `name()='${attribute}'`).join(' or ');
-  return `/@*[${filters}]`;
-}
-
-export const loginRequestFields: ExtractorFields = [
-  {
-    key: 'request',
-    localPath: ['AuthnRequest'],
-    attributes: ['ID', 'IssueInstant', 'Destination', 'AssertionConsumerServiceURL']
-  },
-  {
-    key: 'issuer',
-    localPath: ['AuthnRequest', 'Issuer'],
-    attributes: []
-  },
-  {
-    key: 'nameIDPolicy',
-    localPath: ['AuthnRequest', 'NameIDPolicy'],
-    attributes: ['Format', 'AllowCreate']
-  },
-  {
-    key: 'authnContextClassRef',
-    localPath: ['AuthnRequest', 'AuthnContextClassRef'],
-    attributes: []
-  },
-  {
-    key: 'signature',
-    localPath: ['AuthnRequest', 'Signature'],
-    attributes: [],
-    context: true
-  }
-];
-
-// support two-tiers status code
-export const loginResponseStatusFields = [
-  {
-    key: 'top',
-    localPath: ['Response', 'Status', 'StatusCode'],
-    attributes: ['Value'],
-  },
-  {
-    key: 'second',
-    localPath: ['Response', 'Status', 'StatusCode', 'StatusCode'],
-    attributes: ['Value'],
-  }
-];
-
-// support two-tiers status code
-export const logoutResponseStatusFields = [
-  {
-    key: 'top',
-    localPath: ['LogoutResponse', 'Status', 'StatusCode'],
-    attributes: ['Value']
-  },
-  {
-    key: 'second',
-    localPath: ['LogoutResponse', 'Status', 'StatusCode', 'StatusCode'],
-    attributes: ['Value'],
-  }
-];
-
-export const loginResponseFields: ((assertion: any) => ExtractorFields) = assertion => [
-  {
-    key: 'conditions',
-    localPath: ['Assertion', 'Conditions'],
-    attributes: ['NotBefore', 'NotOnOrAfter'],
-    shortcut: assertion
-  },
-  {
-    key: 'response',
-    localPath: ['Response'],
-    attributes: ['ID', 'IssueInstant', 'Destination', 'InResponseTo'],
-  },
-  {
-    key: 'audience',
-    localPath: ['Assertion', 'Conditions', 'AudienceRestriction', 'Audience'],
-    attributes: [],
-    shortcut: assertion
-  },
-  // {
-  //   key: 'issuer',
-  //   localPath: ['Response', 'Issuer'],
-  //   attributes: []
-  // },
-  {
-    key: 'issuer',
-    localPath: ['Assertion', 'Issuer'],
-    attributes: [],
-    shortcut: assertion
-  },
-  {
-    key: 'nameID',
-    localPath: ['Assertion', 'Subject', 'NameID'],
-    attributes: [],
-    shortcut: assertion
-  },
-  {
-    key: 'sessionIndex',
-    localPath: ['Assertion', 'AuthnStatement'],
-    attributes: ['AuthnInstant', 'SessionNotOnOrAfter', 'SessionIndex'],
-    shortcut: assertion
-  },
-  {
-    key: 'attributes',
-    localPath: ['Assertion', 'AttributeStatement', 'Attribute'],
-    index: ['Name'],
-    attributePath: ['AttributeValue'],
-    attributes: [],
-    shortcut: assertion
-  }
-];
-
-export const logoutRequestFields: ExtractorFields = [
-  {
-    key: 'request',
-    localPath: ['LogoutRequest'],
-    attributes: ['ID', 'IssueInstant', 'Destination']
-  },
-  {
-    key: 'issuer',
-    localPath: ['LogoutRequest', 'Issuer'],
-    attributes: []
-  },
-  {
-    key: 'nameID',
-    localPath: ['LogoutRequest', 'NameID'],
-    attributes: []
-  },
-  {
-    key: 'sessionIndex',
-    localPath: ['LogoutRequest', 'SessionIndex'],
-    attributes: []
-  },
-  {
-    key: 'signature',
-    localPath: ['LogoutRequest', 'Signature'],
-    attributes: [],
-    context: true
-  }
-];
-
-export const logoutResponseFields: ExtractorFields = [
-  {
-    key: 'response',
-    localPath: ['LogoutResponse'],
-    attributes: ['ID', 'Destination', 'InResponseTo']
-  },
-  {
-    key: 'issuer',
-    localPath: ['LogoutResponse', 'Issuer'],
-    attributes: []
-  },
-  {
-    key: 'signature',
-    localPath: ['LogoutResponse', 'Signature'],
-    attributes: [],
-    context: true
-  }
-];
-
-export function extract(context: string, fields) {
-  const { dom } = getContext();
-  const rootDoc = dom.parseFromString(context);
-
-  return fields.reduce((result: any, field) => {
-    // get essential fields
-    const key = field.key;
-    const localPath = field.localPath;
-    const attributes = field.attributes;
-    const isEntire = field.context;
-    const shortcut = field.shortcut;
-    // get optional fields
-    const index = field.index;
-    const attributePath = field.attributePath;
-
-    // set allowing overriding if there is a shortcut injected
-    let targetDoc = rootDoc;
-
-    // if shortcut is used, then replace the doc
-    // it's a design for overriding the doc used during runtime
-    if (shortcut) {
-      targetDoc = dom.parseFromString(shortcut);
-    }
-
-    // special case: multiple path
-    /*
-      {
-        key: 'issuer',
-        localPath: [
-          ['Response', 'Issuer'],
-          ['Response', 'Assertion', 'Issuer']
-        ],
-        attributes: []
-      }
-     */
-    if (localPath.every(path => Array.isArray(path))) {
-      const multiXPaths = localPath
-        .map(path => {
-          // not support attribute yet, so ignore it
-          return `${buildAbsoluteXPath(path)}/text()`;
-        })
-        .join(' | ');
-
-      return {
-        ...result,
-        [key]: uniq(toNodeArray(select(multiXPaths, targetDoc)).map((n: Node) => n.nodeValue).filter(notEmpty))
-      };
-    }
-    // eo special case: multiple path
-
-    const baseXPath = buildAbsoluteXPath(localPath);
-    const attributeXPath = buildAttributeXPath(attributes);
-
-    // special case: get attributes where some are in child, some are in parent
-    /*
-      {
-        key: 'attributes',
-        localPath: ['Response', 'Assertion', 'AttributeStatement', 'Attribute'],
-        index: ['Name'],
-        attributePath: ['AttributeValue'],
-        attributes: []
-      }
-    */
-    if (index && attributePath) {
-      // find the index in localpath
-      const indexPath = buildAttributeXPath(index);
-      const fullLocalXPath = `${baseXPath}${indexPath}`;
-      const parentNodes = toNodeArray(select(baseXPath, targetDoc));
-      // [uid, mail, edupersonaffiliation], ready for aggregate
-      const parentAttributes = toNodeArray(select(fullLocalXPath, targetDoc)).map((n: Attr) => n.value);
-      // [attribute, attributevalue]
-      const childXPath = buildAbsoluteXPath([last(localPath)].concat(attributePath));
-      const childAttributeXPath = buildAttributeXPath(attributes);
-      const fullChildXPath = `${childXPath}${childAttributeXPath}`;
-      // [ 'test', 'test@example.com', [ 'users', 'examplerole1' ] ]
-      const childAttributes = parentNodes.map(node => {
-        const nodeDoc = dom.parseFromString(node.toString());
-        if (attributes.length === 0) {
-          const childValues = toNodeArray(select(fullChildXPath, nodeDoc)).map((n: Node) => n.nodeValue);
-          if (childValues.length === 1) {
-            return childValues[0];
-          }
-          return childValues;
-        }
-        if (attributes.length > 0) {
-          const childValues = toNodeArray(select(fullChildXPath, nodeDoc)).map((n: Attr) => n.value);
-          if (childValues.length === 1) {
-            return childValues[0];
-          }
-          return childValues;
-        }
-        return null;
-      });
-      // aggregation
-      const obj = zipObject(parentAttributes, childAttributes, false);
-      return {
-        ...result,
-        [key]: obj
-      };
-
-    }
-    // case: fetch entire content, only allow one existence
-    /*
-      {
-        key: 'signature',
-        localPath: ['AuthnRequest', 'Signature'],
-        attributes: [],
-        context: true
-      }
-    */
-    if (isEntire) {
-      const nodes = toNodeArray(select(baseXPath, targetDoc));
-      let value: string | string[] | null = null;
-      if (nodes.length === 1) {
-        value = nodes[0].toString();
-      }
-      if (nodes.length > 1) {
-        value = nodes.map(n => n.toString());
-      }
-      return {
-        ...result,
-        [key]: value
-      };
-    }
-
-    // case: multiple attribute
-    /*
-      {
-        key: 'nameIDPolicy',
-        localPath: ['AuthnRequest', 'NameIDPolicy'],
-        attributes: ['Format', 'AllowCreate']
-      }
-    */
-    if (attributes.length > 1) {
-      const baseNode = toNodeArray(select(baseXPath, targetDoc)).map(n => n.toString());
-      const childXPath = `${buildAbsoluteXPath([last(localPath)])}${attributeXPath}`;
-      const attributeValues = baseNode.map((node: string) => {
-        const nodeDoc = dom.parseFromString(node);
-        const values = toNodeArray(select(childXPath, nodeDoc)).reduce((r: any, n: Attr) => {
-          r[camelCase(n.name, {locale: 'en-us'})] = n.value;
-          return r;
-        }, {});
-        return values;
-      });
-      return {
-        ...result,
-        [key]: attributeValues.length === 1 ? attributeValues[0] : attributeValues
-      };
-    }
-    // case: single attribute
-    /*
-      {
-        key: 'statusCode',
-        localPath: ['Response', 'Status', 'StatusCode'],
-        attributes: ['Value'],
-      }
-    */
-    if (attributes.length === 1) {
-      const fullPath = `${baseXPath}${attributeXPath}`;
-      const attributeValues = toNodeArray(select(fullPath, targetDoc)).map((n: Attr) => n.value);
-      return {
-        ...result,
-        [key]: attributeValues[0]
-      };
-    }
-    // case: zero attribute
-    /*
-      {
-        key: 'issuer',
-        localPath: ['AuthnRequest', 'Issuer'],
-        attributes: []
-      }
-    */
-    if (attributes.length === 0) {
-      let attributeValue: SelectedValue[] | (string | null)[] | string | null = null;
-      const nodes = toNodeArray(select(baseXPath, targetDoc));
-      if (nodes.length === 1) {
-        const fullPath = `string(${baseXPath}${attributeXPath})`;
-        const strResult = select(fullPath, targetDoc);
-        attributeValue = typeof strResult === 'string' ? strResult : strResult === null ? null : Array.isArray(strResult) ? strResult : null;
-      }
-      if (nodes.length > 1) {
-        attributeValue = nodes.filter((n: Node) => n.firstChild)
-          .map((n: Node) => n.firstChild!.nodeValue);
-      }
-      return {
-        ...result,
-        [key]: attributeValue
-      };
-    }
-
-    return result;
-  }, {});
-
-}