samlify 2.11.0 → 2.13.0

package/src/urn.ts

@@ -1,210 +0,0 @@
-/**
-* @file urn.ts
-* @author tngan
-* @desc  Includes all keywords need in samlify
-*/
-
-export enum BindingNamespace {
-  Redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-  Post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-  SimpleSign = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
-  Artifact = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
-}
-
-export enum MessageSignatureOrder {
-  STE = 'sign-then-encrypt',
-  ETS = 'encrypt-then-sign'
-}
-
-export enum StatusCode {
-  // top-tier
-  Success = 'urn:oasis:names:tc:SAML:2.0:status:Success',
-  Requester = 'urn:oasis:names:tc:SAML:2.0:status:Requester',
-  Responder = 'urn:oasis:names:tc:SAML:2.0:status:Responder',
-  VersionMismatch = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
-  // second-tier to provide more information
-  AuthFailed = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
-  InvalidAttrNameOrValue = 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
-  InvalidNameIDPolicy = 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
-  NoAuthnContext = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
-  NoAvailableIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
-  NoPassive = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
-  NoSupportedIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
-  PartialLogout = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
-  ProxyCountExceeded = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
-  RequestDenied = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
-  RequestUnsupported = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
-  RequestVersionDeprecated = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
-  RequestVersionTooHigh = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
-  RequestVersionTooLow = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
-  ResourceNotRecognized = 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
-  TooManyResponses = 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
-  UnknownAttrProfile = 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
-  UnknownPrincipal = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
-  UnsupportedBinding = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
-}
-
-const namespace = {
-  binding: {
-    redirect: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-    post: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-    simpleSign: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
-    artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-  },
-  names: {
-    protocol: 'urn:oasis:names:tc:SAML:2.0:protocol',
-    assertion: 'urn:oasis:names:tc:SAML:2.0:assertion',
-    metadata: 'urn:oasis:names:tc:SAML:2.0:metadata',
-    userLogout: 'urn:oasis:names:tc:SAML:2.0:logout:user',
-    adminLogout: 'urn:oasis:names:tc:SAML:2.0:logout:admin',
-  },
-  authnContextClassRef: {
-    password: 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
-    passwordProtectedTransport: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
-  },
-  format: {
-    emailAddress: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-    persistent: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-    transient: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-    entity: 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
-    unspecified: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
-    kerberos: 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
-    windowsDomainQualifiedName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
-    x509SubjectName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
-  },
-  statusCode: {
-    // permissible top-level status codes
-    success: 'urn:oasis:names:tc:SAML:2.0:status:Success',
-    requester: 'urn:oasis:names:tc:SAML:2.0:status:Requester',
-    responder: 'urn:oasis:names:tc:SAML:2.0:status:Responder',
-    versionMismatch: 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
-    // second-level status codes
-    authFailed: 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
-    invalidAttrNameOrValue: 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
-    invalidNameIDPolicy: 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
-    noAuthnContext: 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
-    noAvailableIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
-    noPassive: 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
-    noSupportedIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
-    partialLogout: 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
-    proxyCountExceeded: 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
-    requestDenied: 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
-    requestUnsupported: 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
-    requestVersionDeprecated: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
-    requestVersionTooHigh: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
-    requestVersionTooLow: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
-    resourceNotRecognized: 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
-    tooManyResponses: 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
-    unknownAttrProfile: 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
-    unknownPrincipal: 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
-    unsupportedBinding: 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
-  },
-};
-
-const tags = {
-  request: {
-    AllowCreate: '{AllowCreate}',
-    AssertionConsumerServiceURL: '{AssertionConsumerServiceURL}',
-    AuthnContextClassRef: '{AuthnContextClassRef}',
-    AssertionID: '{AssertionID}',
-    Audience: '{Audience}',
-    AuthnStatement: '{AuthnStatement}',
-    AttributeStatement: '{AttributeStatement}',
-    ConditionsNotBefore: '{ConditionsNotBefore}',
-    ConditionsNotOnOrAfter: '{ConditionsNotOnOrAfter}',
-    Destination: '{Destination}',
-    EntityID: '{EntityID}',
-    ID: '{ID}',
-    Issuer: '{Issuer}',
-    IssueInstant: '{IssueInstant}',
-    InResponseTo: '{InResponseTo}',
-    NameID: '{NameID}',
-    NameIDFormat: '{NameIDFormat}',
-    ProtocolBinding: '{ProtocolBinding}',
-    SessionIndex: '{SessionIndex}',
-    SubjectRecipient: '{SubjectRecipient}',
-    SubjectConfirmationDataNotOnOrAfter: '{SubjectConfirmationDataNotOnOrAfter}',
-    StatusCode: '{StatusCode}',
-  },
-  xmlTag: {
-    loginRequest: 'AuthnRequest',
-    logoutRequest: 'LogoutRequest',
-    loginResponse: 'Response',
-    logoutResponse: 'LogoutResponse',
-  },
-};
-
-const messageConfigurations = {
-  signingOrder: {
-    SIGN_THEN_ENCRYPT: 'sign-then-encrypt',
-    ENCRYPT_THEN_SIGN: 'encrypt-then-sign',
-  },
-};
-
-const algorithms = {
-  signature: {
-    RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
-    RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-    RSA_SHA512: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
-  },
-  encryption: {
-    data: {
-      AES_128: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
-      AES_256: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
-      TRI_DEC: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc',
-      AES_128_GCM: 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
-    },
-    key: {
-      RSA_OAEP_MGF1P: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
-      RSA_1_5: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
-    },
-  },
-  digest: {
-    'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'http://www.w3.org/2000/09/xmldsig#sha1',
-    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'http://www.w3.org/2001/04/xmlenc#sha256',
-    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'http://www.w3.org/2001/04/xmlenc#sha512', // support hashing algorithm sha512 in xml-crypto after 0.8.0
-  },
-};
-
-export enum ParserType {
-  SAMLRequest = 'SAMLRequest',
-  SAMLResponse = 'SAMLResponse',
-  LogoutRequest = 'LogoutRequest',
-  LogoutResponse = 'LogoutResponse'
-}
-
-const wording = {
-  urlParams: {
-    samlRequest: 'SAMLRequest',
-    samlResponse: 'SAMLResponse',
-    logoutRequest: 'LogoutRequest',
-    logoutResponse: 'LogoutResponse',
-    sigAlg: 'SigAlg',
-    signature: 'Signature',
-    relayState: 'RelayState',
-  },
-  binding: {
-    redirect: 'redirect',
-    post: 'post',
-    simpleSign: 'simpleSign',
-    artifact: 'artifact',
-  },
-  certUse: {
-    signing: 'signing',
-    encrypt: 'encryption',
-  },
-  metadata: {
-    sp: 'metadata-sp',
-    idp: 'metadata-idp',
-  },
-};
-
-// https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP
-// some idps restrict the order of elements in entity descriptors
-const elementsOrder = {
-  default: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService'],
-  onelogin: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService'],
-  shibboleth: ['KeyDescriptor', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService'],
-};
-
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };

package/src/utility.ts

@@ -1,231 +0,0 @@
-/**
-* @file utility.ts
-* @author tngan
-* @desc  Library for some common functions (e.g. de/inflation, en/decoding)
-*/
-import { X509Certificate, createPrivateKey } from 'crypto';
-import { deflateRawSync, inflateRawSync } from 'zlib';
-
-const BASE64_STR = 'base64';
-
-/**
- * @desc Mimic lodash.zipObject
- * @param arr1 {string[]}
- * @param arr2 {[]}
- */
-export function zipObject(arr1: string[], arr2: any[], skipDuplicated = true) {
-  return arr1.reduce((res, l, i) => {
-
-    if (skipDuplicated) {
-      res[l] = arr2[i];
-      return res;
-    }
-    // if key exists, aggregate with array in order to get rid of duplicate key
-    if (res[l] !== undefined) {
-      res[l] = Array.isArray(res[l])
-        ? res[l].concat(arr2[i])
-        : [res[l]].concat(arr2[i]);
-      return res;
-    }
-
-    res[l] = arr2[i];
-    return res;
-
-  }, {});
-}
-/**
- * @desc Alternative to lodash.flattenDeep
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_flattendeep
- * @param input {[]}
- */
-export function flattenDeep(input: any[]) {
-  return Array.isArray(input)
-  ? input.reduce( (a, b) => a.concat(flattenDeep(b)) , [])
-  : [input];
-}
-/**
- * @desc Alternative to lodash.last
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_last
- * @param input {[]}
- */
-export function last(input: any[]) {
-  return input.slice(-1)[0];
-}
-/**
- * @desc Alternative to lodash.uniq
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_uniq
- * @param input {string[]}
- */
-export function uniq(input: string[]) {
-  const set = new Set(input);
-  return [... set];
-}
-/**
- * @desc Alternative to lodash.get
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_get
- * @param obj
- * @param path
- * @param defaultValue
- */
-export function get(obj, path, defaultValue) {
-  return path.split('.')
-  .reduce((a, c) => (a && a[c] ? a[c] : (defaultValue || null)), obj);
-}
-/**
- * @desc Check if the input is string
- * @param {any} input
- */
-export function isString(input: any) {
-  return typeof input === 'string';
-}
-/**
-* @desc Encode string with base64 format
-* @param  {string} message                       plain-text message
-* @return {string} base64 encoded string
-*/
-function base64Encode(message: string | number[]) {
-  return Buffer.from(message as string).toString(BASE64_STR);
-}
-/**
-* @desc Decode string from base64 format
-* @param  {string} base64Message                 encoded string
-* @param  {boolean} isBytes                      determine the return value type (True: bytes False: string)
-* @return {bytes/string}  decoded bytes/string depends on isBytes, default is {string}
-*/
-export function base64Decode(base64Message: string, isBytes?: boolean): string | Buffer {
-  const bytes = Buffer.from(base64Message, BASE64_STR);
-  return Boolean(isBytes) ? bytes : bytes.toString();
-}
-/**
-* @desc Compress the string
-* @param  {string} message
-* @return {string} compressed string
-*/
-function deflateString(message: string): number[] {
-  const input = Buffer.from(message, 'utf8');
-  return Array.from(deflateRawSync(input));
-}
-/**
-* @desc Decompress the compressed string
-* @param  {string} compressedString
-* @return {string} decompressed string
-*/
-export function inflateString(compressedString: string): string {
-  const inputBuffer = Buffer.from(compressedString, BASE64_STR);
-  return inflateRawSync(inputBuffer).toString('utf8');
-}
-/**
-* @desc Abstract the normalizeCerString and normalizePemString
-* @param {buffer} File stream or string
-* @param {string} String for header and tail
-* @return {string} A formatted certificate string
-*/
-function _normalizeCerString(bin: string | Buffer, format: string) {
-  return bin.toString().replace(/\n/g, '').replace(/\r/g, '').replace(`-----BEGIN ${format}-----`, '').replace(`-----END ${format}-----`, '').replace(/ /g, '').replace(/\t/g, '');
-}
-/**
-* @desc Parse the .cer to string format without line break, header and footer
-* @param  {string} certString     declares the certificate contents
-* @return {string} certificiate in string format
-*/
-function normalizeCerString(certString: string | Buffer) {
-  return _normalizeCerString(certString, 'CERTIFICATE');
-}
-/**
-* @desc Normalize the string in .pem format without line break, header and footer
-* @param  {string} pemString
-* @return {string} private key in string format
-*/
-function normalizePemString(pemString: string | Buffer) {
-  return _normalizeCerString(pemString.toString(), 'RSA PRIVATE KEY');
-}
-/**
-* @desc Return the complete URL
-* @param  {object} req                   HTTP request
-* @return {string} URL
-*/
-function getFullURL(req) {
-  return `${req.protocol}://${req.get('host')}${req.originalUrl}`;
-}
-/**
-* @desc Parse input string, return default value if it is undefined
-* @param  {string/boolean}
-* @return {boolean}
-*/
-function parseString(str, defaultValue = '') {
-  return str || defaultValue;
-}
-/**
-* @desc Override the object by another object (rtl)
-* @param  {object} default object
-* @param  {object} object applied to the default object
-* @return {object} result object
-*/
-function applyDefault(obj1, obj2) {
-  return Object.assign({}, obj1, obj2);
-}
-/**
-* @desc Get public key in pem format from the certificate included in the metadata
-* @param {string} x509 certificate
-* @return {string} public key fetched from the certificate
-*/
-function getPublicKeyPemFromCertificate(x509Certificate: string) {
-  const der = Buffer.from(x509Certificate, 'base64');
-  const cert = new X509Certificate(der);
-  return cert.publicKey.export({ type: 'spki', format: 'pem' });
-}
-/**
-* @desc Read private key from pem-formatted string
-* @param {string | Buffer} keyString pem-formatted string
-* @param {string} protected passphrase of the key
-* @return {string} string in pem format
-* If passphrase is used to protect the .pem content (recommend)
-*/
-export function readPrivateKey(keyString: string | Buffer, passphrase: string | undefined, isOutputString?: boolean) {
-  if (isString(passphrase)) {
-    const key = createPrivateKey({ key: keyString, format: 'pem', passphrase });
-    const pem = key.export({ type: 'pkcs1', format: 'pem' });
-    return convertToString(pem, isOutputString);
-  }
-  return keyString;
-}
-/**
-* @desc Inline syntax sugar
-*/
-function convertToString(input, isOutputString) {
-  return Boolean(isOutputString) ? String(input) : input;
-}
-/**
- * @desc Check if the input is an array with non-zero size
- */
-export function isNonEmptyArray(a) {
-  return Array.isArray(a) && a.length > 0;
-}
-
-export function castArrayOpt<T>(a?: T | T[]): T[] {
-  if (a === undefined) return []
-  return Array.isArray(a) ? a : [a]
-}
-
-export function notEmpty<TValue>(value: TValue | null | undefined): value is TValue {
-  return value !== null && value !== undefined;
-}
-
-const utility = {
-  isString,
-  base64Encode,
-  base64Decode,
-  deflateString,
-  inflateString,
-  normalizeCerString,
-  normalizePemString,
-  getFullURL,
-  parseString,
-  applyDefault,
-  getPublicKeyPemFromCertificate,
-  readPrivateKey,
-  convertToString,
-  isNonEmptyArray,
-};
-
-export default utility;

package/src/validator.ts

@@ -1,44 +0,0 @@
-// unit is ms
-type DriftTolerance = [number, number];
-
-function verifyTime(
-  utcNotBefore: string | undefined,
-  utcNotOnOrAfter: string | undefined,
-  drift: DriftTolerance = [0, 0]
-): boolean {
-
-  const now = new Date();
-
-  if (!utcNotBefore && !utcNotOnOrAfter) {
-    // show warning because user intends to have time check but the document doesn't include corresponding information
-    console.warn('You intend to have time validation however the document doesn\'t include the valid range.');
-    return true; 
-  }
-
-  let notBeforeLocal: Date | null = null;
-  let notOnOrAfterLocal: Date | null = null;
-
-  const [notBeforeDrift, notOnOrAfterDrift] = drift;
-
-  if (utcNotBefore && !utcNotOnOrAfter) {
-    notBeforeLocal = new Date(utcNotBefore);
-    return +notBeforeLocal + notBeforeDrift <= +now;
-  }
-  if (!utcNotBefore && utcNotOnOrAfter) {
-    notOnOrAfterLocal = new Date(utcNotOnOrAfter);
-    return +now < +notOnOrAfterLocal + notOnOrAfterDrift;
-  }
-
-  notBeforeLocal = new Date(utcNotBefore!);
-  notOnOrAfterLocal = new Date(utcNotOnOrAfter!);
-
-  return (
-    +notBeforeLocal + notBeforeDrift <= +now &&
-    +now < +notOnOrAfterLocal + notOnOrAfterDrift
-  );
-
-}
-
-export {
-  verifyTime
-};

package/tsconfig.json

@@ -1,41 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "es5",
-    "module": "commonjs",
-    "moduleResolution": "node",
-    "declaration": true,
-    "declarationDir": "types",
-    "emitDecoratorMetadata": true,
-    "experimentalDecorators": true,
-    "downlevelIteration": true,
-    "sourceMap": true,
-    "outDir": "./build",
-    "baseUrl": "./",
-    "removeComments": false,
-    "strictNullChecks": true,
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "paths": {},
-    "lib": [
-      "dom",
-      "es2015.core",
-      "es2015.promise",
-      "es2015.iterable",
-      "es5"
-    ]
-  },
-  "atom": { "rewriteTsconfig": false },
-  "include": [
-    "src/**/*.ts",
-    "index.ts"
-  ],
-  "exclude": [
-    "node_modules",
-    "types/**/*.ts",
-    "test/**/*.ts",
-    "build",
-    "docs"
-  ],
-  "compileOnSave": false,
-  "buildOnSave": false
-}

package/tslint.json

@@ -1,35 +0,0 @@
-{
-    "extends": "tslint:recommended",
-    "rulesDirectory": [],
-    "linterOptions": {
-      "exclude": [
-        "node_modules/**"
-      ]
-    },
-    "rules": {
-      "arrow-parens": [true, "ban-single-arg-parens"],
-      "comment-format": false,
-      "interface-name": [true, "never-prefix"],
-      "jsdoc-format": false,
-      "max-line-length": false,
-      "member-access": false,
-      "no-console": [false],
-      "no-consecutive-blank-lines": [true, 3],
-      "no-empty-interface": false,
-      "no-string-literal": false,
-      "object-literal-sort-keys": false,
-      "object-literal-key-quotes": false,
-      "object-literal-shorthand": false,
-      "trailing-comma": false,
-      "eofline": false,
-      "no-empty": false,
-      "align": false,
-      "no-trailing-whitespace": false,
-      "ordered-imports": false,
-      "quotemark": [true, "single", "avoid-escape", "avoid-template"],
-      "variable-name": [true, "ban-keywords", "check-format", "allow-leading-underscore", "allow-pascal-case"],
-      "interface-over-type-literal": false,
-      "no-var-requires": false
-    },
-    "jsRules": {}
-}

package/types.d.ts

@@ -1,2 +0,0 @@
-export * from './index'
-export * from './src/types'

package/vitest.config.ts

@@ -1,12 +0,0 @@
-import { defineConfig } from 'vitest/config'
-
-export default defineConfig({
-  test: {
-    include: ['test/**/*.ts'],
-    exclude: ['node_modules', 'build'],
-    globals: true,
-    environment: 'node',
-  },
-})
-
-