samlify 2.12.0 → 2.13.0

package/src/metadata-idp.ts

@@ -1,146 +0,0 @@
-/**
-* @file metadata-idp.ts
-* @author tngan
-* @desc  Metadata of identity provider
-*/
-import Metadata, { MetadataInterface } from './metadata';
-import { MetadataIdpOptions, MetadataIdpConstructor } from './types';
-import { namespace } from './urn';
-import libsaml from './libsaml';
-import { castArrayOpt, isNonEmptyArray, isString } from './utility';
-import xml from 'xml';
-
-export interface IdpMetadataInterface extends MetadataInterface {
-
-}
-
-/*
- * @desc interface function
- */
-export default function(meta: MetadataIdpConstructor) {
-  return new IdpMetadata(meta);
-}
-
-export class IdpMetadata extends Metadata {
-
-  constructor(meta: MetadataIdpConstructor) {
-
-    const isFile = isString(meta) || meta instanceof Buffer;
-
-    if (!isFile) {
-
-      const {
-        entityID,
-        signingCert,
-        encryptCert,
-        wantAuthnRequestsSigned = false,
-        nameIDFormat = [],
-        singleSignOnService = [],
-        singleLogoutService = [],
-      } = meta as MetadataIdpOptions;
-
-      const IDPSSODescriptor: any[] = [{
-        _attr: {
-          WantAuthnRequestsSigned: String(wantAuthnRequestsSigned),
-          protocolSupportEnumeration: namespace.names.protocol,
-        },
-      }];
-
-      for(const cert of castArrayOpt(signingCert)) {
-        IDPSSODescriptor.push(libsaml.createKeySection('signing', cert));
-      }
-
-      for(const cert of castArrayOpt(encryptCert)) {
-        IDPSSODescriptor.push(libsaml.createKeySection('encryption', cert));
-      }
-
-      if (isNonEmptyArray(nameIDFormat)) {
-        nameIDFormat.forEach(f => IDPSSODescriptor.push({ NameIDFormat: f }));
-      }
-
-      if (isNonEmptyArray(singleSignOnService)) {
-        singleSignOnService.forEach((a, indexCount) => {
-          const attr: any = {
-            Binding: a.Binding,
-            Location: a.Location,
-          };
-          if (a.isDefault) {
-            attr.isDefault = true;
-          }
-          IDPSSODescriptor.push({ SingleSignOnService: [{ _attr: attr }] });
-        });
-      } else {
-        throw new Error('ERR_IDP_METADATA_MISSING_SINGLE_SIGN_ON_SERVICE');
-      }
-
-      if (isNonEmptyArray(singleLogoutService)) {
-        singleLogoutService.forEach((a, indexCount) => {
-          const attr: any = {};
-          if (a.isDefault) {
-            attr.isDefault = true;
-          }
-          attr.Binding = a.Binding;
-          attr.Location = a.Location;
-          IDPSSODescriptor.push({ SingleLogoutService: [{ _attr: attr }] });
-        });
-      } else {
-        console.warn('Construct identity  provider - missing endpoint of SingleLogoutService');
-      }
-      // Create a new metadata by setting
-      meta = xml([{
-        EntityDescriptor: [{
-          _attr: {
-            'xmlns': namespace.names.metadata,
-            'xmlns:assertion': namespace.names.assertion,
-            'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
-            entityID,
-          },
-        }, { IDPSSODescriptor }],
-      }]);
-    }
-
-    super(meta as string | Buffer, [
-      {
-        key: 'wantAuthnRequestsSigned',
-        localPath: ['EntityDescriptor', 'IDPSSODescriptor'],
-        attributes: ['WantAuthnRequestsSigned'],
-      },
-      {
-        key: 'singleSignOnService',
-        localPath: ['EntityDescriptor', 'IDPSSODescriptor', 'SingleSignOnService'],
-        index: ['Binding'],
-        attributePath: [],
-        attributes: ['Location']
-      },
-    ]);
-
-  }
-
-  /**
-  * @desc Get the preference whether it wants a signed request
-  * @return {boolean} WantAuthnRequestsSigned
-  */
-  isWantAuthnRequestsSigned(): boolean {
-    const was = this.meta.wantAuthnRequestsSigned;
-    if (was === undefined) {
-      return false;
-    }
-    return String(was) === 'true';
-  }
-
-  /**
-  * @desc Get the entity endpoint for single sign on service
-  * @param  {string} binding      protocol binding (e.g. redirect, post)
-  * @return {string/object} location
-  */
-  getSingleSignOnService(binding: string): string | object {
-    if (isString(binding)) {
-      const bindName = namespace.binding[binding];
-      const service = this.meta.singleSignOnService[bindName];
-      if (service) {
-        return service;
-      }
-    }
-    return this.meta.singleSignOnService;
-  }
-}

package/src/metadata-sp.ts

@@ -1,203 +0,0 @@
-/**
-* @file metadata-sp.ts
-* @author tngan
-* @desc  Metadata of service provider
-*/
-import Metadata, { MetadataInterface } from './metadata';
-import { MetadataSpConstructor, MetadataSpOptions } from './types';
-import { namespace, elementsOrder as order } from './urn';
-import libsaml from './libsaml';
-import { castArrayOpt, isNonEmptyArray, isString } from './utility';
-import xml from 'xml';
-
-export interface SpMetadataInterface extends MetadataInterface {
-
-}
-
-// https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf (P.16, 18)
-interface MetaElement {
-  KeyDescriptor?: any[];
-  NameIDFormat?: any[];
-  SingleLogoutService?: any[];
-  AssertionConsumerService?: any[];
-  AttributeConsumingService?: any[];
-}
-
-/*
- * @desc interface function
- */
-export default function(meta: MetadataSpConstructor) {
-  return new SpMetadata(meta);
-}
-
-/**
-* @desc SP Metadata is for creating Service Provider, provides a set of API to manage the actions in SP.
-*/
-export class SpMetadata extends Metadata {
-
-  /**
-  * @param  {object/string} meta (either xml string or configuration in object)
-  * @return {object} prototypes including public functions
-  */
-  constructor(meta: MetadataSpConstructor) {
-
-    const isFile = isString(meta) || meta instanceof Buffer;
-
-    // use object configuration instead of importing metadata file directly
-    if (!isFile) {
-
-      const {
-        elementsOrder = order.default,
-        entityID,
-        signingCert,
-        encryptCert,
-        authnRequestsSigned = false,
-        wantAssertionsSigned = false,
-        wantMessageSigned = false,
-        signatureConfig,
-        nameIDFormat = [],
-        singleLogoutService = [],
-        assertionConsumerService = [],
-      } = meta as MetadataSpOptions;
-
-      const descriptors: MetaElement = {
-        KeyDescriptor: [],
-        NameIDFormat: [],
-        SingleLogoutService: [],
-        AssertionConsumerService: [],
-        AttributeConsumingService: [],
-      };
-
-      const SPSSODescriptor: any[] = [{
-        _attr: {
-          AuthnRequestsSigned: String(authnRequestsSigned),
-          WantAssertionsSigned: String(wantAssertionsSigned),
-          protocolSupportEnumeration: namespace.names.protocol,
-        },
-      }];
-
-      if (wantMessageSigned && signatureConfig === undefined) {
-        console.warn('Construct service provider - missing signatureConfig');
-      }
-
-      for(const cert of castArrayOpt(signingCert)) {
-        descriptors.KeyDescriptor!.push(libsaml.createKeySection('signing', cert).KeyDescriptor);
-      }
-
-      for(const cert of castArrayOpt(encryptCert)) {
-        descriptors.KeyDescriptor!.push(libsaml.createKeySection('encryption', cert).KeyDescriptor);
-      }
-
-      if (isNonEmptyArray(nameIDFormat)) {
-        nameIDFormat.forEach(f => descriptors.NameIDFormat!.push(f));
-      } else {
-        // default value
-        descriptors.NameIDFormat!.push(namespace.format.emailAddress);
-      }
-
-      if (isNonEmptyArray(singleLogoutService)) {
-        singleLogoutService.forEach(a => {
-          const attr: any = {
-            Binding: a.Binding,
-            Location: a.Location,
-          };
-          if (a.isDefault) {
-            attr.isDefault = true;
-          }
-          descriptors.SingleLogoutService!.push([{ _attr: attr }]);
-        });
-      }
-
-      if (isNonEmptyArray(assertionConsumerService)) {
-        let indexCount = 0;
-        assertionConsumerService.forEach(a => {
-          const attr: any = {
-            index: String(indexCount++),
-            Binding: a.Binding,
-            Location: a.Location,
-          };
-          if (a.isDefault) {
-            attr.isDefault = true;
-          }
-          descriptors.AssertionConsumerService!.push([{ _attr: attr }]);
-        });
-      } else {
-        // console.warn('Missing endpoint of AssertionConsumerService');
-      }
-
-      // handle element order
-      const existedElements = elementsOrder.filter(name => isNonEmptyArray(descriptors[name]));
-      existedElements.forEach(name => {
-        descriptors[name].forEach(e => SPSSODescriptor.push({ [name]: e }));
-      });
-
-      // Re-assign the meta reference as a XML string|Buffer for use with the parent constructor
-      meta = xml([{
-        EntityDescriptor: [{
-          _attr: {
-            entityID,
-            'xmlns': namespace.names.metadata,
-            'xmlns:assertion': namespace.names.assertion,
-            'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
-          },
-        }, { SPSSODescriptor }],
-      }]);
-
-    }
-
-    // Use the re-assigned meta object reference here
-    super(meta as string | Buffer, [
-      {
-        key: 'spSSODescriptor',
-        localPath: ['EntityDescriptor', 'SPSSODescriptor'],
-        attributes: ['WantAssertionsSigned', 'AuthnRequestsSigned'],
-      },
-      {
-        key: 'assertionConsumerService',
-        localPath: ['EntityDescriptor', 'SPSSODescriptor', 'AssertionConsumerService'],
-        attributes: ['Binding', 'Location', 'isDefault', 'index'],
-      }
-    ]);
-
-  }
-
-  /**
-  * @desc Get the preference whether it wants a signed assertion response
-  * @return {boolean} Wantassertionssigned
-  */
-  public isWantAssertionsSigned(): boolean {
-    return this.meta.spSSODescriptor.wantAssertionsSigned === 'true';
-  }
-  /**
-  * @desc Get the preference whether it signs request
-  * @return {boolean} Authnrequestssigned
-  */
-  public isAuthnRequestSigned(): boolean {
-    return this.meta.spSSODescriptor.authnRequestsSigned === 'true';
-  }
-  /**
-  * @desc Get the entity endpoint for assertion consumer service
-  * @param  {string} binding         protocol binding (e.g. redirect, post)
-  * @return {string/[string]} URL of endpoint(s)
-  */
-  public getAssertionConsumerService(binding: string): string | string[] {
-    if (isString(binding)) {
-      let location;
-      const bindName = namespace.binding[binding];
-      if (isNonEmptyArray(this.meta.assertionConsumerService)) {
-        this.meta.assertionConsumerService.forEach(obj => {
-          if (obj.binding === bindName) {
-            location = obj.location;
-            return;
-          }
-        });
-      } else {
-        if (this.meta.assertionConsumerService.binding === bindName) {
-          location = this.meta.assertionConsumerService.location;
-        }
-      }
-      return location;
-    }
-    return this.meta.assertionConsumerService;
-  }
-}

package/src/metadata.ts

@@ -1,166 +0,0 @@
-/**
-* @file metadata.ts
-* @author tngan
-* @desc An abstraction for metadata of identity provider and service provider
-*/
-import * as fs from 'fs';
-import { namespace } from './urn';
-import { extract } from './extractor';
-import { isString } from './utility';
-
-export interface MetadataInterface {
-  xmlString: string;
-  getMetadata: () => string;
-  exportMetadata: (exportFile: string) => void;
-  getEntityID: () => string;
-  getX509Certificate: (certType: string) => string | string[];
-  getNameIDFormat: () => any[];
-  getSingleLogoutService: (binding: string | undefined) => string | object;
-  getSupportBindings: (services: string[]) => string[];
-}
-
-export default class Metadata implements MetadataInterface {
-
-  xmlString: string;
-  meta: any;
-
-  /**
-  * @param  {string | Buffer} xml
-  * @param  {object} extraParse for custom metadata extractor
-  */
-  constructor(xml: string | Buffer, extraParse: any = []) {
-    this.xmlString = xml.toString();
-    this.meta = extract(this.xmlString, extraParse.concat([
-      {
-        key: 'entityDescriptor',
-        localPath: ['EntityDescriptor'],
-        attributes: [],
-        context: true
-      },
-      {
-        key: 'entityID',
-        localPath: ['EntityDescriptor'],
-        attributes: ['entityID']
-      },
-      {
-        // shared certificate for both encryption and signing
-        key: 'sharedCertificate',
-        localPath: ['EntityDescriptor', '~SSODescriptor', 'KeyDescriptor', 'KeyInfo', 'X509Data', 'X509Certificate'],
-        attributes: []
-      },
-      {
-        // explicit certificate declaration for encryption and signing
-        key: 'certificate',
-        localPath: ['EntityDescriptor', '~SSODescriptor', 'KeyDescriptor'],
-        index: ['use'],
-        attributePath: ['KeyInfo', 'X509Data', 'X509Certificate'],
-        attributes: []
-      },
-      {
-        key: 'singleLogoutService',
-        localPath: ['EntityDescriptor', '~SSODescriptor', 'SingleLogoutService'],
-        attributes: ['Binding', 'Location']
-      },
-      {
-        key: 'nameIDFormat',
-        localPath: ['EntityDescriptor', '~SSODescriptor', 'NameIDFormat'],
-        attributes: [],
-      }
-    ]));
-
-    // get shared certificate
-    const sharedCertificate = this.meta.sharedCertificate;
-    if (typeof sharedCertificate === 'string') {
-      this.meta.certificate = {
-        signing: sharedCertificate,
-        encryption: sharedCertificate
-      };
-      delete this.meta.sharedCertificate;
-    }
-
-    if (
-      Array.isArray(this.meta.entityDescriptor) &&
-      this.meta.entityDescriptor.length > 1
-    ) {
-      throw new Error('ERR_MULTIPLE_METADATA_ENTITYDESCRIPTOR');
-    }
-
-  }
-
-  /**
-  * @desc Get the metadata in xml format
-  * @return {string} metadata in xml format
-  */
-  public getMetadata(): string {
-    return this.xmlString;
-  }
-
-  /**
-  * @desc Export the metadata to specific file
-  * @param {string} exportFile is the output file path
-  */
-  public exportMetadata(exportFile: string): void {
-    fs.writeFileSync(exportFile, this.xmlString);
-  }
-
-  /**
-  * @desc Get the entityID in metadata
-  * @return {string} entityID
-  */
-  public getEntityID(): string {
-    return this.meta.entityID;
-  }
-
-  /**
-  * @desc Get the x509 certificate declared in entity metadata
-  * @param  {string} use declares the type of certificate
-  * @return {string} certificate in string format
-  */
-  public getX509Certificate(use: string) {
-    return this.meta.certificate[use] || null;
-  }
-
-  /**
-  * @desc Get the support NameID format declared in entity metadata
-  * @return {array} support NameID format
-  */
-  public getNameIDFormat(): any {
-    return this.meta.nameIDFormat;
-  }
-
-  /**
-  * @desc Get the entity endpoint for single logout service
-  * @param  {string} binding e.g. redirect, post
-  * @return {string/object} location
-  */
-  public getSingleLogoutService(binding: string | undefined): string | object {
-    if (binding && isString(binding)) {
-      const bindType = namespace.binding[binding];
-      let singleLogoutService = this.meta.singleLogoutService;
-      if (!(singleLogoutService instanceof Array)) {
-        singleLogoutService = [singleLogoutService];
-       }
-      const service = singleLogoutService.find(obj => obj.binding === bindType);
-      if (service) {
-        return service.location;
-      }
-    }
-    return this.meta.singleLogoutService;
-  }
-
-  /**
-  * @desc Get the support bindings
-  * @param  {[string]} services
-  * @return {[string]} support bindings
-  */
-  public getSupportBindings(services: string[]): string[] {
-    let supportBindings = [];
-    if (services) {
-      supportBindings = services.reduce((acc: any, service) => {
-        const supportBinding = Object.keys(service)[0];
-        return acc.push(supportBinding);
-      }, []);
-    }
-    return supportBindings;
-  }
-}

package/src/types.ts

@@ -1,127 +0,0 @@
-import { LoginResponseTemplate } from './libsaml';
-
-export { IdentityProvider as IdentityProviderConstructor } from './entity-idp';
-export { IdpMetadata as IdentityProviderMetadata } from './metadata-idp';
-
-export { ServiceProvider as ServiceProviderConstructor } from './entity-sp';
-export { SpMetadata as ServiceProviderMetadata } from './metadata-sp';
-
-export type MetadataFile = string | Buffer;
-
-type SSOService = {
-  isDefault?: boolean;
-  Binding: string;
-  Location: string;
-};
-
-export interface MetadataIdpOptions {
-  entityID?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  wantAuthnRequestsSigned?: boolean;
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  requestSignatureAlgorithm?: string;
-}
-
-export type MetadataIdpConstructor =
-  | MetadataIdpOptions
-  | MetadataFile;
-
-export interface MetadataSpOptions {
-  entityID?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  authnRequestsSigned?: boolean;
-  wantAssertionsSigned?: boolean;
-  wantMessageSigned?: boolean;
-  signatureConfig?: { [key: string]: any };
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  assertionConsumerService?: SSOService[];
-  elementsOrder?: string[];
-}
-
-export type MetadataSpConstructor =
-  | MetadataSpOptions
-  | MetadataFile;
-
-export type EntitySetting = ServiceProviderSettings & IdentityProviderSettings;
-
-export interface SignatureConfig {
-  prefix?: string;
-  location?: {
-    reference?: string;
-    action?: 'append' | 'prepend' | 'before' | 'after';
-  };
-}
-
-export interface SAMLDocumentTemplate {
-  context?: string;
-}
-
-export type ServiceProviderSettings = {
-  metadata?: string | Buffer;
-  entityID?: string;
-  authnRequestsSigned?: boolean;
-  wantAssertionsSigned?: boolean;
-  wantMessageSigned?: boolean;
-  wantLogoutResponseSigned?: boolean;
-  wantLogoutRequestSigned?: boolean;
-  privateKey?: string | Buffer;
-  privateKeyPass?: string;
-  isAssertionEncrypted?: boolean;
-  requestSignatureAlgorithm?: string;
-  encPrivateKey?: string | Buffer;
-  encPrivateKeyPass?: string | Buffer;
-  assertionConsumerService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  signatureConfig?: SignatureConfig;
-  loginRequestTemplate?: SAMLDocumentTemplate;
-  logoutRequestTemplate?: SAMLDocumentTemplate;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  transformationAlgorithms?: string[];
-  nameIDFormat?: string[];
-  allowCreate?: boolean;
-  // will be deprecated soon
-  relayState?: string;
-  // https://github.com/tngan/samlify/issues/337
-  clockDrifts?: [number, number];
-};
-
-export type IdentityProviderSettings = {
-  metadata?: string | Buffer;
-
-  /** signature algorithm */
-  requestSignatureAlgorithm?: string;
-
-  /** template of login response */
-  loginResponseTemplate?: LoginResponseTemplate;
-
-  /** template of logout request */
-  logoutRequestTemplate?: SAMLDocumentTemplate;
-
-  /** customized function used for generating request ID */
-  generateID?: () => string;
-
-  entityID?: string;
-  privateKey?: string | Buffer;
-  privateKeyPass?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  isAssertionEncrypted?: boolean;
-  encPrivateKey?: string | Buffer;
-  encPrivateKeyPass?: string;
-  messageSigningOrder?: string;
-  wantLogoutRequestSigned?: boolean;
-  wantLogoutResponseSigned?: boolean;
-  wantAuthnRequestsSigned?: boolean;
-  wantLogoutRequestSignedResponseSigned?: boolean;
-  tagPrefix?: { [key: string]: string };
-};