From 49e25153dc2584461613ded9dfaf30f55e964ce4 Mon Sep 17 00:00:00 2001 From: yanbilik <83341068+yanbilik@users.noreply.github.com> Date: Mon, 12 Jul 2021 18:34:24 +0200 Subject: [PATCH] Enhance SAML protocol support (#433) * enhance-saml-support: enhance bindings This commit contains: - Support SAML response over HTTP-REDIRECT binding - Add Login Request/Response over HTTP-POST SimpleSign binding - Enable clock drifts parameters from IDP setting - Fix NameIDFormat extraction from IDP metadata - Add AttributeStatementTemplate, AttributeTemplate and LoginResponseAdditionalTemplates interfaces - Modify attributeStatementBuilder * enhance-saml-support: update tests * enhance-saml-support: update docs * fix(cert): #382 no cert in node response --- docs/idp-configuration.md | 2 +- src/binding-redirect.ts | 102 +++- src/binding-simplesign.ts | 225 ++++++++ src/entity-idp.ts | 65 ++- src/entity-sp.ts | 42 +- src/entity.ts | 11 + src/flow.ts | 223 +++++++- src/libsaml.ts | 79 ++- src/urn.ts | 3 + test/flow.ts | 693 +++++++++++++++++++++++-- test/misc/idpmeta.xml | 1 + test/misc/idpmeta_nosign.xml | 1 + test/misc/idpmeta_onelogoutservice.xml | 1 + test/misc/idpmeta_share_cert.xml | 1 + test/misc/spmeta.xml | 2 + test/misc/spmeta_noassertsign.xml | 12 +- test/misc/spmeta_noauthnsign.xml | 12 +- 17 files changed, 1369 insertions(+), 106 deletions(-) create mode 100644 src/binding-simplesign.ts diff --git a/docs/idp-configuration.md b/docs/idp-configuration.md index 5a5891c3..e6ec6dde 100644 --- a/docs/idp-configuration.md +++ b/docs/idp-configuration.md @@ -57,7 +57,7 @@ const idp = new IdentityProvider({ - **tagPrefix: {[key: TagPrefixKey]: string}**
Declare the tag of specific xml document node. `TagPrefixKey` currently supports `encryptedAssertion` only. (See more [#220](https://github.com/tngan/samlify/issues/220)) -- **loginResponseTemplate: {context: String, attributes: Attributes}**
+- **loginResponseTemplate: {context: String, attributes: Attributes, additionalTemplates: LoginResponseAdditionalTemplates}**
Customize the login response template, and user can reuse it in the callback function to do runtime interpolation. (See [more](/template)) - **wantLogoutResponseSigned: Boolean**
diff --git a/src/binding-redirect.ts b/src/binding-redirect.ts index 1ac37ac0..c4adc01b 100644 --- a/src/binding-redirect.ts +++ b/src/binding-redirect.ts @@ -114,6 +114,105 @@ function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp }, customTagReplacem } throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA'); } + +/** +* @desc Redirect URL for login response +* @param {object} requestInfo corresponding request, used to obtain the id +* @param {object} entity object includes both idp and sp +* @param {object} user current logged user (e.g. req.user) +* @param {String} relayState the relaystate sent by sp corresponding request +* @param {function} customTagReplacement used when developers have their own login response template +*/ +function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {}, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext { + const idpSetting = entity.idp.entitySetting; + const spSetting = entity.sp.entitySetting; + const metadata = { + idp: entity.idp.entityMeta, + sp: entity.sp.entityMeta, + }; + + let id: string = idpSetting.generateID(); + if (metadata && metadata.idp && metadata.sp) { + const base = metadata.sp.getAssertionConsumerService(binding.redirect); + let rawSamlResponse: string; + // + const nameIDFormat = idpSetting.nameIDFormat; + const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; + const nowTime = new Date(); + // Five minutes later : nowtime + 5 * 60 * 1000 (in milliseconds) + const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000 ); + const tvalue: any = { + ID: id, + AssertionID: idpSetting.generateID(), + Destination: base, + SubjectRecipient: base, + Issuer: metadata.idp.getEntityID(), + Audience: metadata.sp.getEntityID(), + EntityID: metadata.sp.getEntityID(), + IssueInstant: nowTime.toISOString(), + AssertionConsumerServiceURL: base, + StatusCode: namespace.statusCode.success, + // can be customized + ConditionsNotBefore: nowTime.toISOString(), + ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(), + SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(), + NameIDFormat: selectedNameIDFormat, + NameID: user.email || '', + InResponseTo: get(requestInfo, 'extract.request.id', ''), + AuthnStatement: '', + AttributeStatement: '', + }; + + if (idpSetting.loginResponseTemplate && customTagReplacement) { + const template = customTagReplacement(idpSetting.loginResponseTemplate.context); + id = get(template, 'id', null); + rawSamlResponse = get(template, 'context', null); + } else { + + if (requestInfo !== null) { + tvalue.InResponseTo = requestInfo.extract.request.id; + } + rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue); + } + + const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting; + const config = { + privateKey, + privateKeyPass, + signatureAlgorithm, + signingCert: metadata.idp.getX509Certificate('signing'), + isBase64Output: false, + }; + // step: sign assertion ? -> encrypted ? -> sign message ? + if (metadata.sp.isWantAssertionsSigned()) { + rawSamlResponse = libsaml.constructSAMLSignature({ + ...config, + rawSamlMessage: rawSamlResponse, + transformationAlgorithms: spSetting.transformationAlgorithms, + referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']", + signatureConfig: { + prefix: 'ds', + location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' }, + }, + }); + } + + // Like in post binding, SAML response is always signed + return { + id, + context: buildRedirectURL({ + baseUrl: base, + type: urlParams.samlResponse, + isSigned: true, + context: rawSamlResponse, + entitySetting: idpSetting, + relayState, + }), + }; + } + throw new Error('ERR_GENERATE_REDIRECT_LOGIN_RESPONSE_MISSING_METADATA'); +} + /** * @desc Redirect URL for logout request * @param {object} user current logged user (e.g. req.user) @@ -127,7 +226,7 @@ function logoutRequestRedirectURL(user, entity, relayState?: string, customTagRe let id: string = initSetting.generateID(); const nameIDFormat = initSetting.nameIDFormat; const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; - + if (metadata && metadata.init && metadata.target) { const base = metadata.target.getSingleLogoutService(binding.redirect); let rawSamlRequest: string = ''; @@ -213,6 +312,7 @@ function logoutResponseRedirectURL(requestInfo: any, entity: any, relayState?: s const redirectBinding = { loginRequestRedirectURL, + loginResponseRedirectURL, logoutRequestRedirectURL, logoutResponseRedirectURL, }; diff --git a/src/binding-simplesign.ts b/src/binding-simplesign.ts new file mode 100644 index 00000000..a5af5535 --- /dev/null +++ b/src/binding-simplesign.ts @@ -0,0 +1,225 @@ +/** +* @file binding-simplesign.ts +* @author Orange +* @desc Binding-level API, declare the functions using POST SimpleSign binding +*/ + +import { wording, StatusCode } from './urn'; +import { BindingContext, SimpleSignComputedContext } from './entity'; +import libsaml from './libsaml'; +import utility, { get } from './utility'; + +const binding = wording.binding; +const urlParams = wording.urlParams; + +export interface BuildSimpleSignConfig { + type: string; + context: string; + entitySetting: any; + relayState?: string; +} + +export interface BindingSimpleSignContext { + id: string; + context: string; + signature: any; + sigAlg: string; +} + +/** +* @private +* @desc Helper of generating URL param/value pair +* @param {string} param key +* @param {string} value value of key +* @param {boolean} first determine whether the param is the starting one in order to add query header '?' +* @return {string} +*/ +function pvPair(param: string, value: string, first?: boolean): string { + return (first === true ? '?' : '&') + param + '=' + value; +} +/** +* @private +* @desc Refractored part of simple signature generation for login/logout request +* @param {string} type +* @param {string} rawSamlRequest +* @param {object} entitySetting +* @return {string} +*/ +function buildSimpleSignature(opts: BuildSimpleSignConfig) : string { + const { + type, + context, + entitySetting, + } = opts; + let { relayState = '' } = opts; + const queryParam = libsaml.getQueryParamByType(type); + + if (relayState !== '') { + relayState = pvPair(urlParams.relayState, relayState); + } + + const sigAlg = pvPair(urlParams.sigAlg, entitySetting.requestSignatureAlgorithm); + const octetString = context + relayState + sigAlg; + return libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm); +} + +/** +* @desc Generate a base64 encoded login request +* @param {string} referenceTagXPath reference uri +* @param {object} entity object includes both idp and sp +* @param {function} customTagReplacement used when developers have their own login response template +*/ +function base64LoginRequest(entity: any, customTagReplacement?: (template: string) => BindingContext): SimpleSignComputedContext { + const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta }; + const spSetting = entity.sp.entitySetting; + let id: string = ''; + + if (metadata && metadata.idp && metadata.sp) { + const base = metadata.idp.getSingleSignOnService(binding.simpleSign); + let rawSamlRequest: string; + if (spSetting.loginRequestTemplate && customTagReplacement) { + const info = customTagReplacement(spSetting.loginRequestTemplate.context); + id = get(info, 'id', null); + rawSamlRequest = get(info, 'context', null); + } else { + const nameIDFormat = spSetting.nameIDFormat; + const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; + id = spSetting.generateID(); + rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, { + ID: id, + Destination: base, + Issuer: metadata.sp.getEntityID(), + IssueInstant: new Date().toISOString(), + AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.simpleSign), + EntityID: metadata.sp.getEntityID(), + AllowCreate: spSetting.allowCreate, + NameIDFormat: selectedNameIDFormat + } as any); + } + + let simpleSignatureContext : any = null; + if (metadata.idp.isWantAuthnRequestsSigned()) { + const simpleSignature = buildSimpleSignature({ + type: urlParams.samlRequest, + context: rawSamlRequest, + entitySetting: spSetting, + relayState: spSetting.relayState, + }); + + simpleSignatureContext = { + signature: simpleSignature, + sigAlg: spSetting.requestSignatureAlgorithm, + }; + } + // No need to embeded XML signature + return { + id, + context: utility.base64Encode(rawSamlRequest), + ...simpleSignatureContext, + }; + } + throw new Error('ERR_GENERATE_POST_SIMPLESIGN_LOGIN_REQUEST_MISSING_METADATA'); +} +/** +* @desc Generate a base64 encoded login response +* @param {object} requestInfo corresponding request, used to obtain the id +* @param {object} entity object includes both idp and sp +* @param {object} user current logged user (e.g. req.user) +* @param {string} relayState the relay state +* @param {function} customTagReplacement used when developers have their own login response template +*/ +async function base64LoginResponse(requestInfo: any = {}, entity: any, user: any = {}, relayState?: string, customTagReplacement?: (template: string) => BindingContext): Promise { + const idpSetting = entity.idp.entitySetting; + const spSetting = entity.sp.entitySetting; + const id = idpSetting.generateID(); + const metadata = { + idp: entity.idp.entityMeta, + sp: entity.sp.entityMeta, + }; + const nameIDFormat = idpSetting.nameIDFormat; + const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; + if (metadata && metadata.idp && metadata.sp) { + const base = metadata.sp.getAssertionConsumerService(binding.simpleSign); + let rawSamlResponse: string; + const nowTime = new Date(); + // Five minutes later : nowtime + 5 * 60 * 1000 (in milliseconds) + const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000 ); + const tvalue: any = { + ID: id, + AssertionID: idpSetting.generateID(), + Destination: base, + Audience: metadata.sp.getEntityID(), + EntityID: metadata.sp.getEntityID(), + SubjectRecipient: base, + Issuer: metadata.idp.getEntityID(), + IssueInstant: nowTime.toISOString(), + AssertionConsumerServiceURL: base, + StatusCode: StatusCode.Success, + // can be customized + ConditionsNotBefore: nowTime.toISOString(), + ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(), + SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(), + NameIDFormat: selectedNameIDFormat, + NameID: user.email || '', + InResponseTo: get(requestInfo, 'extract.request.id', ''), + AuthnStatement: '', + AttributeStatement: '', + }; + if (idpSetting.loginResponseTemplate && customTagReplacement) { + const template = customTagReplacement(idpSetting.loginResponseTemplate.context); + rawSamlResponse = get(template, 'context', null); + } else { + if (requestInfo !== null) { + tvalue.InResponseTo = requestInfo.extract.request.id; + } + rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue); + } + const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting; + const config = { + privateKey, + privateKeyPass, + signatureAlgorithm, + signingCert: metadata.idp.getX509Certificate('signing'), + isBase64Output: false, + }; + // step: sign assertion ? -> encrypted ? -> sign message ? + if (metadata.sp.isWantAssertionsSigned()) { + rawSamlResponse = libsaml.constructSAMLSignature({ + ...config, + rawSamlMessage: rawSamlResponse, + transformationAlgorithms: spSetting.transformationAlgorithms, + referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']", + signatureConfig: { + prefix: 'ds', + location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' }, + }, + }); + } + + // SAML response must be signed sign message first, then encrypt + let simpleSignature: string = ''; + // like in post and redirect bindings, login response is always signed. + simpleSignature = buildSimpleSignature({ + type: urlParams.samlResponse, + context: rawSamlResponse, + entitySetting: idpSetting, + relayState: relayState, + } ); + + return Promise.resolve({ + id, + context: utility.base64Encode(rawSamlResponse), + signature: simpleSignature, + sigAlg: idpSetting.requestSignatureAlgorithm, + }); + + } + throw new Error('ERR_GENERATE_POST_SIMPLESIGN_LOGIN_RESPONSE_MISSING_METADATA'); +} + +const simpleSignBinding = { + base64LoginRequest, + base64LoginResponse, + }; + +export default simpleSignBinding; diff --git a/src/entity-idp.ts b/src/entity-idp.ts index 01634caf..f4705939 100644 --- a/src/entity-idp.ts +++ b/src/entity-idp.ts @@ -13,6 +13,8 @@ import { import libsaml from './libsaml'; import { namespace } from './urn'; import postBinding from './binding-post'; +import redirectBinding from './binding-redirect'; +import simpleSignBinding from './binding-simplesign'; import { flow, FlowResult } from './flow'; import { isString } from './utility'; import { BindingContext } from './entity'; @@ -28,7 +30,7 @@ export default function(props: IdentityProviderSettings) { * Identity prvider can be configured using either metadata importing or idpSetting */ export class IdentityProvider extends Entity { - + entityMeta: IdentityProviderMetadata; constructor(idpSetting: IdentityProviderSettings) { @@ -42,8 +44,20 @@ export class IdentityProvider extends Entity { // build attribute part if (idpSetting.loginResponseTemplate) { if (isString(idpSetting.loginResponseTemplate.context) && Array.isArray(idpSetting.loginResponseTemplate.attributes)) { + let attributeStatementTemplate; + let attributeTemplate; + if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate) { + attributeStatementTemplate = libsaml.defaultAttributeStatementTemplate; + } else { + attributeStatementTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate!; + } + if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate) { + attributeTemplate = libsaml.defaultAttributeTemplate; + } else { + attributeTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate!; + } const replacement = { - AttributeStatement: libsaml.attributeStatementBuilder(idpSetting.loginResponseTemplate.attributes), + AttributeStatement: libsaml.attributeStatementBuilder(idpSetting.loginResponseTemplate.attributes, attributeTemplate, attributeStatementTemplate), }; entitySetting.loginResponseTemplate = { ...entitySetting.loginResponseTemplate, @@ -64,6 +78,7 @@ export class IdentityProvider extends Entity { * @param user current logged user (e.g. req.user) * @param customTagReplacement used when developers have their own login response template * @param encryptThenSign whether or not to encrypt then sign first (if signing) + * @param relayState the relayState from corresponding request */ public async createLoginResponse( sp: ServiceProvider, @@ -72,21 +87,41 @@ export class IdentityProvider extends Entity { user: { [key: string]: any }, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean, + relayState?: string, ) { const protocol = namespace.binding[binding]; - // can only support post binding for login response - if (protocol === namespace.binding.post) { - const context = await postBinding.base64LoginResponse(requestInfo, { - idp: this, - sp, - }, user, customTagReplacement, encryptThenSign); - return { - ...context, - entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding), - type: 'SAMLResponse' - }; + // can support post, redirect and post simple sign bindings for login response + let context: any = null; + switch (protocol) { + case namespace.binding.post: + context = await postBinding.base64LoginResponse(requestInfo, { + idp: this, + sp, + }, user, customTagReplacement, encryptThenSign); + break; + + case namespace.binding.simpleSign: + context = await simpleSignBinding.base64LoginResponse( requestInfo, { + idp: this, sp, + }, user, relayState, customTagReplacement); + break; + + case namespace.binding.redirect: + return redirectBinding.loginResponseRedirectURL(requestInfo, { + idp: this, + sp, + }, user, relayState, customTagReplacement); + + default: + throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING'); } - throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING'); + + return { + ...context, + relayState, + entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding) as string, + type: 'SAMLResponse' + }; } /** @@ -104,7 +139,7 @@ export class IdentityProvider extends Entity { parserType: 'SAMLRequest', type: 'login', binding: binding, - request: req + request: req }); } } diff --git a/src/entity-sp.ts b/src/entity-sp.ts index c89e33bc..454d5664 100644 --- a/src/entity-sp.ts +++ b/src/entity-sp.ts @@ -7,6 +7,7 @@ import Entity, { BindingContext, PostBindingContext, ESamlHttpRequest, + SimpleSignBindingContext, } from './entity'; import { IdentityProviderConstructor as IdentityProvider, @@ -16,6 +17,7 @@ import { import { namespace } from './urn'; import redirectBinding from './binding-redirect'; import postBinding from './binding-post'; +import simpleSignBinding from './binding-simplesign'; import { flow, FlowResult } from './flow'; /* @@ -56,28 +58,38 @@ export class ServiceProvider extends Entity { idp: IdentityProvider, binding = 'redirect', customTagReplacement?: (template: string) => BindingContext, - ): BindingContext | PostBindingContext { + ): BindingContext | PostBindingContext| SimpleSignBindingContext { const nsBinding = namespace.binding; const protocol = nsBinding[binding]; if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) { throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG'); } - if (protocol === nsBinding.redirect) { - return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement); - } + let context: any = null; + switch (protocol) { + case nsBinding.redirect: + return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement); - if (protocol === nsBinding.post) { - const context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement); - return { - ...context, - relayState: this.entitySetting.relayState, - entityEndpoint: idp.entityMeta.getSingleSignOnService(binding) as string, - type: 'SAMLRequest', - }; - } - // Will support artifact in the next release - throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING'); + case nsBinding.post: + context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement); + break; + + case nsBinding.simpleSign: + // Object context = {id, context, signature, sigAlg} + context = simpleSignBinding.base64LoginRequest( { idp, sp: this }, customTagReplacement); + break; + + default: + // Will support artifact in the next release + throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING'); + } + + return { + ...context, + relayState: this.entitySetting.relayState, + entityEndpoint: idp.entityMeta.getSingleSignOnService(binding) as string, + type: 'SAMLRequest', + }; } /** diff --git a/src/entity.ts b/src/entity.ts index 28da535f..5f7436ca 100644 --- a/src/entity.ts +++ b/src/entity.ts @@ -48,6 +48,17 @@ export interface PostBindingContext extends BindingContext { type: string; } +export interface SimpleSignBindingContext extends PostBindingContext { + sigAlg?: string; + signature?: string; + keyInfo?: string; +} + +export interface SimpleSignComputedContext extends BindingContext { + sigAlg?: string; + signature?: string; +} + export interface ParseResult { samlContent: string; extract: any; diff --git a/src/flow.ts b/src/flow.ts index 7750563b..4b016741 100644 --- a/src/flow.ts +++ b/src/flow.ts @@ -1,4 +1,4 @@ -import { inflateString, base64Decode } from './utility'; +import { inflateString, base64Decode, isNonEmptyArray } from './utility'; import { verifyTime } from './validator'; import libsaml from './libsaml'; import { @@ -19,6 +19,7 @@ import { MessageSignatureOrder, StatusCode } from './urn'; +import simpleSignBinding from './binding-simplesign'; const bindDict = wording.binding; const urlParams = wording.urlParams; @@ -26,6 +27,7 @@ const urlParams = wording.urlParams; export interface FlowResult { samlContent: string; extract: any; + sigAlg?: string|null ; } // get the default extractor fields based on the parserType @@ -49,9 +51,9 @@ function getDefaultExtractorFields(parserType: ParserType, assertion?: any): Ext } // proceed the redirect binding flow -async function redirectFlow(options) { +async function redirectFlow(options): Promise { - const { request, parserType, checkSignature = true, from } = options; + const { request, parserType, self, checkSignature = true, from } = options; const { query, octetString } = request; const { SigAlg: sigAlg, Signature: signature } = query; @@ -68,20 +70,32 @@ async function redirectFlow(options) { const xmlString = inflateString(decodeURIComponent(content)); - // validate the xml (remarks: login response must be gone through post flow) - if ( - parserType === urlParams.samlRequest || - parserType === urlParams.logoutRequest || - parserType === urlParams.logoutResponse - ) { - try { - await libsaml.isValidXml(xmlString); - } catch (e) { - return Promise.reject('ERR_INVALID_XML'); + // validate the xml + try { + await libsaml.isValidXml(xmlString); + } catch (e) { + return Promise.reject('ERR_INVALID_XML'); + } + + // check status based on different scenarios + await checkStatus(xmlString, parserType); + + let assertion: string = ''; + + if (parserType === urlParams.samlResponse){ + // Extract assertion shortcut + const verifiedDoc = extract(xmlString, [{ + key: 'assertion', + localPath: ['~Response', 'Assertion'], + attributes: [], + context: true + }]); + if (verifiedDoc && verifiedDoc.assertion){ + assertion = verifiedDoc.assertion as string; } } - const extractorFields = getDefaultExtractorFields(parserType); + const extractorFields = getDefaultExtractorFields(parserType, assertion.length > 0 ? assertion : null); const parseResult: { samlContent: string, extract: any, sigAlg: (string | null) } = { samlContent: xmlString, @@ -89,9 +103,6 @@ async function redirectFlow(options) { extract: extract(xmlString, extractorFields), }; - // check status based on different scenarios - await checkStatus(xmlString, parserType); - // see if signature check is required // only verify message signature is enough if (checkSignature) { @@ -113,6 +124,49 @@ async function redirectFlow(options) { parseResult.sigAlg = decodeSigAlg; } + /** + * Validation part: validate the context of response after signature is verified and decrpyted (optional) + */ + const issuer = targetEntityMetadata.getEntityID(); + const extractedProperties = parseResult.extract; + + // unmatched issuer + if ( + (parserType === 'LogoutResponse' || parserType === 'SAMLResponse') + && extractedProperties + && extractedProperties.issuer !== issuer + ) { + return Promise.reject('ERR_UNMATCH_ISSUER'); + } + + // invalid session time + // only run the verifyTime when `SessionNotOnOrAfter` exists + if ( + parserType === 'SAMLResponse' + && extractedProperties.sessionIndex.sessionNotOnOrAfter + && !verifyTime( + undefined, + extractedProperties.sessionIndex.sessionNotOnOrAfter, + self.entitySetting.clockDrifts + ) + ) { + return Promise.reject('ERR_EXPIRED_SESSION'); + } + + // invalid time + // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf + if ( + parserType === 'SAMLResponse' + && extractedProperties.conditions + && !verifyTime( + extractedProperties.conditions.notBefore, + extractedProperties.conditions.notOnOrAfter, + self.entitySetting.clockDrifts + ) + ) { + return Promise.reject('ERR_SUBJECT_UNCONFIRMED'); + } + return Promise.resolve(parseResult); } @@ -149,7 +203,7 @@ async function postFlow(options): Promise { if (parserType !== urlParams.samlResponse) { extractorFields = getDefaultExtractorFields(parserType, null); } - + // check status based on different scenarios await checkStatus(samlContent, parserType); @@ -238,6 +292,129 @@ async function postFlow(options): Promise { return Promise.resolve(parseResult); } + +// proceed the post simple sign binding flow +async function postSimpleSignFlow(options): Promise { + + const { request, parserType, self, checkSignature = true, from } = options; + + const { body, octetString } = request; + + const targetEntityMetadata = from.entityMeta; + + // ?SAMLRequest= or ?SAMLResponse= + const direction = libsaml.getQueryParamByType(parserType); + const encodedRequest: string = body[direction]; + const sigAlg: string = body['SigAlg']; + const signature: string = body['Signature']; + + // query must contain the saml content + if (encodedRequest === undefined) { + return Promise.reject('ERR_SIMPLESIGN_FLOW_BAD_ARGS'); + } + + const xmlString = String(base64Decode(encodedRequest)); + + // validate the xml + try { + await libsaml.isValidXml(xmlString); + } catch (e) { + return Promise.reject('ERR_INVALID_XML'); + } + + // check status based on different scenarios + await checkStatus(xmlString, parserType); + + let assertion: string = ''; + + if (parserType === urlParams.samlResponse){ + // Extract assertion shortcut + const verifiedDoc = extract(xmlString, [{ + key: 'assertion', + localPath: ['~Response', 'Assertion'], + attributes: [], + context: true + }]); + if (verifiedDoc && verifiedDoc.assertion){ + assertion = verifiedDoc.assertion as string; + } + } + + const extractorFields = getDefaultExtractorFields(parserType, assertion.length > 0 ? assertion : null); + + const parseResult: { samlContent: string, extract: any, sigAlg: (string | null) } = { + samlContent: xmlString, + sigAlg: null, + extract: extract(xmlString, extractorFields), + }; + + // see if signature check is required + // only verify message signature is enough + if (checkSignature) { + if (!signature || !sigAlg) { + return Promise.reject('ERR_MISSING_SIG_ALG'); + } + + // put the below two assignemnts into verifyMessageSignature function + const base64Signature = Buffer.from(signature, 'base64'); + + const verified = libsaml.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg); + + if (!verified) { + // Fail to verify message signature + return Promise.reject('ERR_FAILED_MESSAGE_SIGNATURE_VERIFICATION'); + } + + parseResult.sigAlg = sigAlg; + } + + /** + * Validation part: validate the context of response after signature is verified and decrpyted (optional) + */ + const issuer = targetEntityMetadata.getEntityID(); + const extractedProperties = parseResult.extract; + + // unmatched issuer + if ( + (parserType === 'LogoutResponse' || parserType === 'SAMLResponse') + && extractedProperties + && extractedProperties.issuer !== issuer + ) { + return Promise.reject('ERR_UNMATCH_ISSUER'); + } + + // invalid session time + // only run the verifyTime when `SessionNotOnOrAfter` exists + if ( + parserType === 'SAMLResponse' + && extractedProperties.sessionIndex.sessionNotOnOrAfter + && !verifyTime( + undefined, + extractedProperties.sessionIndex.sessionNotOnOrAfter, + self.entitySetting.clockDrifts + ) + ) { + return Promise.reject('ERR_EXPIRED_SESSION'); + } + + // invalid time + // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf + if ( + parserType === 'SAMLResponse' + && extractedProperties.conditions + && !verifyTime( + extractedProperties.conditions.notBefore, + extractedProperties.conditions.notOnOrAfter, + self.entitySetting.clockDrifts + ) + ) { + return Promise.reject('ERR_SUBJECT_UNCONFIRMED'); + } + + return Promise.resolve(parseResult); +} + + function checkStatus(content: string, parserType: string): Promise { // only check response parser @@ -269,10 +446,10 @@ export function flow(options): Promise { const binding = options.binding; const parserType = options.parserType; - options.supportBindings = [BindingNamespace.Redirect, BindingNamespace.Post]; - // saml response only allows POST + options.supportBindings = [BindingNamespace.Redirect, BindingNamespace.Post, BindingNamespace.SimpleSign]; + // saml response allows POST, REDIRECT if (parserType === ParserType.SAMLResponse) { - options.supportBindings = [BindingNamespace.Post]; + options.supportBindings = [BindingNamespace.Post, BindingNamespace.Redirect, BindingNamespace.SimpleSign]; } if (binding === bindDict.post) { @@ -283,6 +460,10 @@ export function flow(options): Promise { return redirectFlow(options); } + if (binding === bindDict.simpleSign) { + return postSimpleSignFlow(options); + } + return Promise.reject('ERR_UNEXPECTED_FLOW'); } diff --git a/src/libsaml.ts b/src/libsaml.ts index 4159cbd2..2cf67cec 100644 --- a/src/libsaml.ts +++ b/src/libsaml.ts @@ -58,13 +58,23 @@ export interface LoginResponseAttribute { valueXmlnsXsi?: string; } +export interface LoginResponseAdditionalTemplates { + attributeStatementTemplate?: AttributeStatementTemplate; + attributeTemplate?:AttributeTemplate; +} + export interface BaseSamlTemplate { context: string; } export interface LoginResponseTemplate extends BaseSamlTemplate { attributes?: LoginResponseAttribute[]; + additionalTemplates?: LoginResponseAdditionalTemplates; } +export interface AttributeStatementTemplate extends BaseSamlTemplate { } + +export interface AttributeTemplate extends BaseSamlTemplate { } + export interface LoginRequestTemplate extends BaseSamlTemplate { } export interface LogoutRequestTemplate extends BaseSamlTemplate { } @@ -81,7 +91,7 @@ export interface LibSamlInterface { getQueryParamByType: (type: string) => string; createXPath: (local, isExtractAll?: boolean) => string; replaceTagsByValue: (rawXML: string, tagValues: any) => string; - attributeStatementBuilder: (attributes: LoginResponseAttribute[]) => string; + attributeStatementBuilder: (attributes: LoginResponseAttribute[], attributeTemplate : AttributeTemplate, attributeStatementTemplate : AttributeStatementTemplate) => string; constructSAMLSignature: (opts: SignatureConstructor) => string; verifySignature: (xml: string, opts) => [boolean, any]; createKeySection: (use: KeyUse, cert: string | Buffer) => {}; @@ -97,6 +107,8 @@ export interface LibSamlInterface { nrsaAliasMapping: any; defaultLoginRequestTemplate: LoginRequestTemplate; defaultLoginResponseTemplate: LoginResponseTemplate; + defaultAttributeStatementTemplate: AttributeStatementTemplate; + defaultAttributeTemplate: AttributeTemplate; defaultLogoutRequestTemplate: LogoutRequestTemplate; defaultLogoutResponseTemplate: LogoutResponseTemplate; } @@ -138,6 +150,23 @@ const libSaml = () => { const defaultLogoutRequestTemplate = { context: '{Issuer}{NameID}', }; + + /** + * @desc Default AttributeStatement template + * @type {AttributeStatementTemplate} + */ + const defaultAttributeStatementTemplate = { + context: '{Attributes}', + }; + + /** + * @desc Default Attribute template + * @type {AttributeTemplate} + */ + const defaultAttributeTemplate = { + context: '{Value}', + }; + /** * @desc Default login response template * @type {LoginResponseTemplate} @@ -145,6 +174,10 @@ const libSaml = () => { const defaultLoginResponseTemplate = { context: '{Issuer}{Issuer}{NameID}{Audience}{AuthnStatement}{AttributeStatement}', attributes: [], + additionalTemplates:{ + "attributeStatementTemplate": defaultAttributeStatementTemplate, + "attributeTemplate": defaultAttributeTemplate + } }; /** * @desc Default logout response template @@ -213,6 +246,8 @@ const libSaml = () => { getQueryParamByType, defaultLoginRequestTemplate, defaultLoginResponseTemplate, + defaultAttributeStatementTemplate, + defaultAttributeTemplate, defaultLogoutRequestTemplate, defaultLogoutResponseTemplate, @@ -231,16 +266,32 @@ const libSaml = () => { /** * @desc Helper function to build the AttributeStatement tag * @param {LoginResponseAttribute} attributes an array of attribute configuration + * @param {AttributeTemplate} attributeTemplate the attribut tag template to be used + * @param {AttributeStatementTemplate} attributeStatementTemplate the attributStatement tag template to be used * @return {string} */ - attributeStatementBuilder(attributes: LoginResponseAttribute[]): string { - const attr = attributes.map(({ name, nameFormat, valueTag, valueXsiType, valueXmlnsXs, valueXmlnsXsi }) => { - const defaultValueXmlnsXs = 'http://www.w3.org/2001/XMLSchema'; - const defaultValueXmlnsXsi = 'http://www.w3.org/2001/XMLSchema-instance'; - return `{${tagging('attr', valueTag)}}`; - }).join(''); - return `${attr}`; - }, + attributeStatementBuilder(attributes: LoginResponseAttribute[], attributeTemplate : AttributeTemplate, attributeStatementTemplate : AttributeStatementTemplate): string { + if (!attributeStatementTemplate){ + attributeStatementTemplate = defaultAttributeStatementTemplate; + } + if (!attributeTemplate){ + attributeTemplate = defaultAttributeTemplate; + } + const attr = attributes.map(({ name, nameFormat, valueTag, valueXsiType, valueXmlnsXs, valueXmlnsXsi }) => { + const defaultValueXmlnsXs = 'http://www.w3.org/2001/XMLSchema'; + const defaultValueXmlnsXsi = 'http://www.w3.org/2001/XMLSchema-instance'; + let attributeLine = attributeTemplate.context; + attributeLine = attributeLine.replace('{Name}',name); + attributeLine = attributeLine.replace('{NameFormat}',nameFormat); + attributeLine = attributeLine.replace('{ValueXmlnsXs}',valueXmlnsXs ? valueXmlnsXs : defaultValueXmlnsXs); + attributeLine = attributeLine.replace('{ValueXmlnsXsi}',valueXmlnsXsi ? valueXmlnsXsi : defaultValueXmlnsXsi); + attributeLine = attributeLine.replace('{ValueXsiType}',valueXsiType); + attributeLine = attributeLine.replace('{Value}',`{${tagging('attr', valueTag)}}`); + return attributeLine; + }).join(''); + return attributeStatementTemplate.context.replace('{Attributes}',attr); +}, + /** * @desc Construct the XML signature for POST binding * @param {string} rawSamlMessage request/response xml string @@ -366,11 +417,12 @@ const libSaml = () => { // normalise the certificate string metadataCert = metadataCert.map(utility.normalizeCerString); - if (certificateNode.length === 0) { + // no certificate in node response nor metadata + if (certificateNode.length === 0 && metadataCert.length === 0) { throw new Error('NO_SELECTED_CERTIFICATE'); } - // no certificate node in response + // certificate node in response if (certificateNode.length !== 0) { const x509CertificateData = certificateNode[0].firstChild.data; const x509Certificate = utility.normalizeCerString(x509CertificateData); @@ -386,9 +438,12 @@ const libSaml = () => { sig.keyInfoProvider = new this.getKeyInfo(x509Certificate); + } else { + // Select first one from metadata + sig.keyInfoProvider = new this.getKeyInfo(metadataCert[0]); } - } + } sig.loadSignature(signatureNode); diff --git a/src/urn.ts b/src/urn.ts index 7a15a25c..df71255a 100644 --- a/src/urn.ts +++ b/src/urn.ts @@ -7,6 +7,7 @@ export enum BindingNamespace { Redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', Post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + SimpleSign = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign', Artifact = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' } @@ -47,6 +48,7 @@ const namespace = { binding: { redirect: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', post: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + simpleSign: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign', artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', }, names: { @@ -184,6 +186,7 @@ const wording = { binding: { redirect: 'redirect', post: 'post', + simpleSign: 'simpleSign', artifact: 'artifact', }, certUse: { diff --git a/test/flow.ts b/test/flow.ts index 70cfc55b..16f94670 100644 --- a/test/flow.ts +++ b/test/flow.ts @@ -1,7 +1,7 @@ import esaml2 = require('../index'); import { readFileSync, writeFileSync } from 'fs'; import test from 'ava'; -import { PostBindingContext } from '../src/entity'; +import { PostBindingContext, SimpleSignBindingContext } from '../src/entity'; import * as uuid from 'uuid'; import * as url from 'url'; import util from '../src/utility'; @@ -42,7 +42,7 @@ const loginResponseTemplate = { const failedResponse: string = String(readFileSync('./test/misc/failed_response.xml')); -const createTemplateCallback = (_idp, _sp, user) => template => { +const createTemplateCallback = (_idp, _sp, _binding, user) => template => { const _id = '_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6'; const now = new Date(); const spEntityID = _sp.entityMeta.getEntityID(); @@ -52,7 +52,7 @@ const createTemplateCallback = (_idp, _sp, user) => template => { const tvalue = { ID: _id, AssertionID: idpSetting.generateID ? idpSetting.generateID() : `${uuid.v4()}`, - Destination: _sp.entityMeta.getAssertionConsumerService(binding.post), + Destination: _sp.entityMeta.getAssertionConsumerService(_binding), Audience: spEntityID, SubjectRecipient: spEntityID, NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', @@ -62,7 +62,7 @@ const createTemplateCallback = (_idp, _sp, user) => template => { ConditionsNotBefore: now.toISOString(), ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(), SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(), - AssertionConsumerServiceURL: _sp.entityMeta.getAssertionConsumerService(binding.post), + AssertionConsumerServiceURL: _sp.entityMeta.getAssertionConsumerService(_binding), EntityID: spEntityID, InResponseTo: '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4', StatusCode: 'urn:oasis:names:tc:SAML:2.0:status:Success', @@ -75,6 +75,38 @@ const createTemplateCallback = (_idp, _sp, user) => template => { }; }; +// Parse Redirect Url context + +const parseRedirectUrlContextCallBack = (_context) => { + const originalURL = url.parse(_context, true); + const _SAMLResponse = originalURL.query.SAMLResponse; + const _Signature = originalURL.query.Signature; + const _SigAlg = originalURL.query.SigAlg; + delete originalURL.query.Signature; + const _octetString = Object.keys(originalURL.query).map(q => q + '=' + encodeURIComponent(originalURL.query[q] as string)).join('&'); + + return { query: { + SAMLResponse: _SAMLResponse, + Signature: _Signature, + SigAlg: _SigAlg, }, + octetString: _octetString, + }; +}; + +// Build SimpleSign octetString +const buildSimpleSignOctetString = (type:string, context:string, sigAlg:string|undefined, relayState:string|undefined, signature: string|undefined) =>{ + const rawRequest = String(utility.base64Decode(context, true)); + let octetString:string = ''; + octetString += type + '=' + rawRequest; + if (relayState !== undefined && relayState.length > 0){ + octetString += '&RelayState=' + relayState; + } + if (signature !== undefined && signature.length >0 && sigAlg && sigAlg.length > 0){ + octetString += '&SigAlg=' + sigAlg; + } + return octetString; +}; + // Define of metadata const defaultIdpConfig = { @@ -149,6 +181,18 @@ test('create login request with redirect binding using default template and pars t.is(extract.nameIDPolicy.allowCreate, 'false'); }); +test('create login request with post simpleSign binding using default template and parse it', async t => { + const { relayState, id, context: SAMLRequest, type, sigAlg, signature } = sp.createLoginRequest(idp, 'simpleSign') as SimpleSignBindingContext; + t.is(typeof id, 'string'); + t.is(typeof SAMLRequest, 'string'); + const octetString = buildSimpleSignOctetString(type, SAMLRequest, sigAlg, relayState,signature); + const { samlContent, extract } = await idp.parseLoginRequest(sp, 'simpleSign', { body: { SAMLRequest, Signature: signature, SigAlg:sigAlg }, octetString}); + t.is(extract.issuer, 'https://sp.example.org/metadata'); + t.is(typeof extract.request.id, 'string'); + t.is(extract.nameIDPolicy.format, 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'); + t.is(extract.nameIDPolicy.allowCreate, 'false'); +}); + test('create login request with post binding using default template and parse it', async t => { const { relayState, type, entityEndpoint, id, context: SAMLRequest } = sp.createLoginRequest(idp, 'post') as PostBindingContext; t.is(typeof id, 'string'); @@ -183,6 +227,16 @@ test('signed in sp is not matched with the signed notation in idp with redirect } }); +test('signed in sp is not matched with the signed notation in idp with post simpleSign request', t => { + const _idp = identityProvider({ ...defaultIdpConfig, metadata: noSignedIdpMetadata }); + try { + const { id, context } = sp.createLoginRequest(_idp, 'simpleSign'); + t.fail(); + } catch (e) { + t.is(e.message, 'ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG'); + } +}); + test('create login request with redirect binding using [custom template]', t => { const _sp = serviceProvider({ ...defaultSpConfig, loginRequestTemplate: { @@ -218,15 +272,53 @@ test('create login request with post binding using [custom template]', t => { ? t.pass() : t.fail(); }); +test('create login request with post simpleSign binding using [custom template]', t => { + const _sp = serviceProvider({ + ...defaultSpConfig, loginRequestTemplate: { + context: '{Issuer}', + }, + }); + const { id, context, entityEndpoint, type, relayState, signature, sigAlg } = _sp.createLoginRequest(idp, 'simpleSign', template => { + return { + id: 'exposed_testing_id', + context: template, // all the tags are supposed to be replaced + }; + }) as SimpleSignBindingContext; + id === 'exposed_testing_id' && + isString(context) && + isString(relayState) && + isString(entityEndpoint) && + isString(signature) && + isString(sigAlg) && + type === 'SAMLRequest' + ? t.pass() : t.fail(); +}); + test('create login response with undefined binding', async t => { const user = { email: 'user@esaml2.com' }; - const error = await t.throwsAsync(() => idp.createLoginResponse(sp, {}, 'undefined', user, createTemplateCallback(idp, sp, user))); + const error = await t.throwsAsync(() => idp.createLoginResponse(sp, {}, 'undefined', user, createTemplateCallback(idp, sp, binding.post, user))); t.is(error.message, 'ERR_CREATE_RESPONSE_UNDEFINED_BINDING'); }); +test('create redirect login response', async t => { + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idp.createLoginResponse(sp, sampleRequestInfo, 'redirect', user, createTemplateCallback(idp, sp, binding.redirect, user), undefined, 'relaystate'); + isString(id) && isString(context) ? t.pass() : t.fail(); +}); + +test('create post simpleSign login response', async t => { + const user = { email: 'user@esaml2.com' }; + const { id, context, entityEndpoint, type, signature, sigAlg } = await idp.createLoginResponse(sp, sampleRequestInfo, 'simpleSign', user, createTemplateCallback(idp, sp, binding.simpleSign, user), undefined, 'relaystate') as SimpleSignBindingContext; + isString(id) && + isString(context) && + isString(entityEndpoint) && + isString(signature) && + isString(sigAlg) ? t.pass() : t.fail(); +}); + test('create post login response', async t => { const user = { email: 'user@esaml2.com' }; - const { id, context } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, user)); + const { id, context } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, binding.post, user)); isString(id) && isString(context) ? t.pass() : t.fail(); }); @@ -248,7 +340,7 @@ test('create logout request when idp only has one binding', t => { test('create logout response with undefined binding', t => { try { - const { id, context } = idp.createLogoutResponse(sp, {}, 'undefined', '', createTemplateCallback(idp, sp, {})); + const { id, context } = idp.createLogoutResponse(sp, {}, 'undefined', '', createTemplateCallback(idp, sp, binding.post, {})); t.fail(); } catch (e) { t.is(e.message, 'ERR_CREATE_LOGOUT_RESPONSE_UNDEFINED_BINDING'); @@ -256,12 +348,12 @@ test('create logout response with undefined binding', t => { }); test('create logout response with redirect binding', t => { - const { id, context } = idp.createLogoutResponse(sp, {}, 'redirect', '', createTemplateCallback(idp, sp, {})); + const { id, context } = idp.createLogoutResponse(sp, {}, 'redirect', '', createTemplateCallback(idp, sp, binding.post, {})); isString(id) && isString(context) ? t.pass() : t.fail(); }); test('create logout response with post binding', t => { - const { relayState, type, entityEndpoint, id, context } = idp.createLogoutResponse(sp, {}, 'post', '', createTemplateCallback(idp, sp, {})) as PostBindingContext; + const { relayState, type, entityEndpoint, id, context } = idp.createLogoutResponse(sp, {}, 'post', '', createTemplateCallback(idp, sp, binding.post, {})) as PostBindingContext; isString(id) && isString(context) && isString(entityEndpoint) && type === 'SAMLResponse' ? t.pass() : t.fail(); }); @@ -272,7 +364,7 @@ test('create logout response with post binding', t => { test('send response with signed assertion and parse it', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await sp.parseLoginResponse(idpNoEncrypt, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -282,6 +374,49 @@ test('send response with signed assertion and parse it', async t => { t.is(extract.response.inResponseTo, 'request_id'); }); +// + REDIRECT +test('send response with signed assertion by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'redirect', user, createTemplateCallback(idpNoEncrypt, sp, binding.redirect, user), undefined, 'relaystate'); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await sp.parseLoginResponse(idpNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + +// SimpleSign +test('send response with signed assertion by post simplesign and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const user = { email: 'user@esaml2.com' }; + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpNoEncrypt.createLoginResponse( + sp, + sampleRequestInfo, + 'simpleSign', + user, + createTemplateCallback(idpNoEncrypt, sp, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await sp.parseLoginResponse(idpNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + test('send response with signed assertion + custom transformation algorithms and parse it', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const signedAssertionSp = serviceProvider( @@ -295,7 +430,7 @@ test('send response with signed assertion + custom transformation algorithms and ); const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(signedAssertionSp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(signedAssertionSp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await sp.parseLoginResponse(idpNoEncrypt, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -310,6 +445,76 @@ test('send response with signed assertion + custom transformation algorithms and } }); +test('send response with signed assertion + custom transformation algorithms by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const signedAssertionSp = serviceProvider( + { + ...defaultSpConfig, + transformationAlgorithms: [ + 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', + 'http://www.w3.org/2001/10/xml-exc-c14n#' + ] + } + ); + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpNoEncrypt.createLoginResponse(signedAssertionSp, sampleRequestInfo, 'redirect', user, createTemplateCallback(idpNoEncrypt, signedAssertionSp, binding.redirect, user), undefined, 'relaystate'); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await signedAssertionSp.parseLoginResponse(idpNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); + + // Verify xmldsig#enveloped-signature is included in the response + if (samlContent.indexOf('http://www.w3.org/2000/09/xmldsig#enveloped-signature') === -1) { + t.fail(); + } +}); + +test('send response with signed assertion + custom transformation algorithms by post simplesign and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const signedAssertionSp = serviceProvider( + { + ...defaultSpConfig, + transformationAlgorithms: [ + 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', + 'http://www.w3.org/2001/10/xml-exc-c14n#' + ] + } + ); + + const user = { email: 'user@esaml2.com' } + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpNoEncrypt.createLoginResponse( + signedAssertionSp, + sampleRequestInfo, + 'simpleSign', + user, + createTemplateCallback(idpNoEncrypt, sp, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await sp.parseLoginResponse(idpNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); + + // Verify xmldsig#enveloped-signature is included in the response + if (samlContent.indexOf('http://www.w3.org/2000/09/xmldsig#enveloped-signature') === -1) { + t.fail(); + } +}); + test('send response with [custom template] signed assertion and parse it', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const requestInfo = { extract: { request: { id: 'request_id' } } }; @@ -320,7 +525,7 @@ test('send response with [custom template] signed assertion and parse it', async 'post', user, // declare the callback to do custom template replacement - createTemplateCallback(idpcustomNoEncrypt, sp, user), + createTemplateCallback(idpcustomNoEncrypt, sp, binding.post, user), ); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await sp.parseLoginResponse(idpcustomNoEncrypt, 'post', { body: { SAMLResponse } }); @@ -333,10 +538,67 @@ test('send response with [custom template] signed assertion and parse it', async t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); }); +test('send response with [custom template] signed assertion by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpcustomNoEncrypt.createLoginResponse( + sp, + requestInfo, + 'redirect', + user, + createTemplateCallback(idpcustomNoEncrypt, sp, binding.redirect, user), + undefined, + 'relaystate' + ); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await sp.parseLoginResponse(idpcustomNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context)); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + +test('send response with [custom template] signed assertion by post simpleSign and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com'}; + const { id, context: SAMLResponse, type, sigAlg, signature, entityEndpoint, relayState } = await idpcustomNoEncrypt.createLoginResponse( + sp, + requestInfo, + 'simpleSign', + user, + // declare the callback to do custom template replacement + createTemplateCallback(idpcustomNoEncrypt, sp, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await sp.parseLoginResponse(idpcustomNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(entityEndpoint, 'https://sp.example.org/sp/sso'); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + test('send response with signed message and parse it', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(spNoAssertSign, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, spNoAssertSign, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(spNoAssertSign, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, spNoAssertSign, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpNoEncrypt, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -346,6 +608,56 @@ test('send response with signed message and parse it', async t => { t.is(extract.response.inResponseTo, 'request_id'); }); +test('send response with signed message by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpNoEncrypt.createLoginResponse( + spNoAssertSign, + requestInfo, + 'redirect', + user, + createTemplateCallback(idpNoEncrypt, spNoAssertSign, binding.redirect, user), + undefined, + 'relaystate' + ); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + +test('send response with signed message by post simplesign and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const user = { email: 'user@esaml2.com' }; + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpNoEncrypt.createLoginResponse( + spNoAssertSign, + sampleRequestInfo, + 'simpleSign', + user, + createTemplateCallback(idpNoEncrypt, spNoAssertSign, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + test('send response with [custom template] and signed message and parse it', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const requestInfo = { extract: { authnrequest: { id: 'request_id' } } }; @@ -354,7 +666,7 @@ test('send response with [custom template] and signed message and parse it', asy spNoAssertSign, { extract: { authnrequest: { id: 'request_id' } } }, 'post', { email: 'user@esaml2.com' }, - createTemplateCallback(idpcustomNoEncrypt, spNoAssertSign, user), + createTemplateCallback(idpcustomNoEncrypt, spNoAssertSign, binding.post, user), ); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpcustomNoEncrypt, 'post', { body: { SAMLResponse } }); @@ -367,13 +679,67 @@ test('send response with [custom template] and signed message and parse it', asy t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); }); +test('send response with [custom template] and signed message by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpcustomNoEncrypt.createLoginResponse( + spNoAssertSign, + requestInfo, + 'redirect', + user, + createTemplateCallback(idpcustomNoEncrypt, spNoAssertSign, binding.redirect, user), + undefined, + 'relaystate' + ); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpcustomNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + +test('send response with [custom template] and signed message by post simplesign and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const requestInfo = { extract: { authnrequest: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com'}; + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpcustomNoEncrypt.createLoginResponse( + spNoAssertSign, + { extract: { authnrequest: { id: 'request_id' } } }, 'simpleSign', + { email: 'user@esaml2.com' }, + createTemplateCallback(idpcustomNoEncrypt, spNoAssertSign, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idpcustomNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + test('send login response with signed assertion + signed message and parse it', async t => { const spWantMessageSign = serviceProvider({ ...defaultSpConfig, wantMessageSigned: true, }); const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(spWantMessageSign, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, spWantMessageSign, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(spWantMessageSign, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, spWantMessageSign, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spWantMessageSign.parseLoginResponse (idpNoEncrypt, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -383,6 +749,60 @@ test('send login response with signed assertion + signed message and parse it', t.is(extract.response.inResponseTo, 'request_id'); }); +test('send response with signed assertion + signed message by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const spWantMessageSign = serviceProvider({ + ...defaultSpConfig, + wantMessageSigned: true, + }); + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpNoEncrypt.createLoginResponse( + spWantMessageSign, + requestInfo, + 'redirect', + user, + createTemplateCallback(idpNoEncrypt, spWantMessageSign, binding.redirect, user), + undefined, + 'relaystate' + ); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + +test('send login response with signed assertion + signed message by post simplesign and parse it', async t => { + const spWantMessageSign = serviceProvider({ + ...defaultSpConfig, + wantMessageSigned: true, + }); + const user = { email: 'user@esaml2.com' }; + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpNoEncrypt.createLoginResponse(spWantMessageSign, sampleRequestInfo, + 'simpleSign', user, + createTemplateCallback(idpNoEncrypt, spWantMessageSign, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await spWantMessageSign.parseLoginResponse (idpNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.response.inResponseTo, 'request_id'); +}); + test('send login response with [custom template] and signed assertion + signed message and parse it', async t => { const spWantMessageSign = serviceProvider({ ...defaultSpConfig, @@ -393,7 +813,7 @@ test('send login response with [custom template] and signed assertion + signed m spWantMessageSign, { extract: { authnrequest: { id: 'request_id' } } }, 'post', { email: 'user@esaml2.com' }, - createTemplateCallback(idpcustomNoEncrypt, spWantMessageSign, user), + createTemplateCallback(idpcustomNoEncrypt, spWantMessageSign, binding.post, user), ); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpcustomNoEncrypt, 'post', { body: { SAMLResponse } }); @@ -406,9 +826,70 @@ test('send login response with [custom template] and signed assertion + signed m t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); }); +test('send response with [custom template] and signed assertion + signed message by redirect and parse it', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const spWantMessageSign = serviceProvider({ + ...defaultSpConfig, + wantMessageSigned: true, + }); + const requestInfo = { extract: { request: { id: 'request_id' } } }; + const user = { email: 'user@esaml2.com' }; + const { id, context } = await idpcustomNoEncrypt.createLoginResponse( + spWantMessageSign, + requestInfo, + 'redirect', + user, + createTemplateCallback(idpcustomNoEncrypt, spWantMessageSign, binding.redirect, user), + undefined, + 'relaystate' + ); + const query = url.parse(context).query; + t.is(query!.includes('SAMLResponse='), true); + t.is(query!.includes('SigAlg='), true); + t.is(query!.includes('Signature='), true); + t.is(typeof id, 'string'); + t.is(typeof context, 'string'); + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpcustomNoEncrypt, 'redirect', parseRedirectUrlContextCallBack(context) ); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + +test('send login response with [custom template] and signed assertion + signed message by post simplesign and parse it', async t => { + const spWantMessageSign = serviceProvider({ + ...defaultSpConfig, + wantMessageSigned: true, + }); + const user = { email: 'user@esaml2.com'}; + const { id, context: SAMLResponse, type, sigAlg, signature, relayState } = await idpcustomNoEncrypt.createLoginResponse( + spWantMessageSign, + { extract: { authnrequest: { id: 'request_id' } } }, + 'simpleSign', + { email: 'user@esaml2.com' }, + createTemplateCallback(idpcustomNoEncrypt, spWantMessageSign, binding.simpleSign, user), + undefined, + 'relaystate' + ) as SimpleSignBindingContext; + // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpcustomNoEncrypt, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(typeof id, 'string'); + t.is(samlContent.startsWith(''), true); + t.is(extract.nameID, 'user@esaml2.com'); + t.is(extract.attributes.name, 'mynameinsp'); + t.is(extract.attributes.mail, 'myemailassociatedwithsp@sp.com'); + t.is(extract.response.inResponseTo, '_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4'); +}); + test('send login response with encrypted non-signed assertion and parse it', async t => { const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idp.createLoginResponse(spNoAssertSign, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spNoAssertSign, user)); + const { id, context: SAMLResponse } = await idp.createLoginResponse(spNoAssertSign, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spNoAssertSign, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spNoAssertSign.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -420,7 +901,7 @@ test('send login response with encrypted non-signed assertion and parse it', asy test('send login response with encrypted signed assertion and parse it', async t => { const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, user)); + const { id, context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); @@ -436,7 +917,7 @@ test('send login response with [custom template] and encrypted signed assertion sp, { extract: { request: { id: 'request_id' } } }, 'post', { email: 'user@esaml2.com' }, - createTemplateCallback(idpcustom, sp, user), + createTemplateCallback(idpcustom, sp, binding.post, user), ); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await sp.parseLoginResponse(idpcustom, 'post', { body: { SAMLResponse } }); @@ -455,7 +936,7 @@ test('send login response with encrypted signed assertion + signed message and p wantMessageSigned: true, }); const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idp.createLoginResponse(spWantMessageSign, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spWantMessageSign, user)); + const { id, context: SAMLResponse } = await idp.createLoginResponse(spWantMessageSign, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spWantMessageSign, binding.post, user)); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); @@ -477,7 +958,7 @@ test('send login response with [custom template] encrypted signed assertion + si spWantMessageSign, { extract: { authnrequest: { id: 'request_id' } } }, 'post', { email: 'user@esaml2.com' }, - createTemplateCallback(idpcustom, spWantMessageSign, user), + createTemplateCallback(idpcustom, spWantMessageSign, binding.post, user), ); // receiver (caution: only use metadata and public key when declare pair-up in oppoent entity) const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpcustom, 'post', { body: { SAMLResponse } }); @@ -562,7 +1043,7 @@ test('idp sends a post logout request with signature and sp parses it', async t // simulate init-slo test('sp sends a post logout response without signature and parse', async t => { - const { context: SAMLResponse } = sp.createLogoutResponse(idp, null, 'post', '', createTemplateCallback(idp, sp, {})) as PostBindingContext; + const { context: SAMLResponse } = sp.createLogoutResponse(idp, null, 'post', '', createTemplateCallback(idp, sp, binding.post, {})) as PostBindingContext; const { samlContent, extract } = await idp.parseLogoutResponse(sp, 'post', { body: { SAMLResponse }}); t.is(extract.signature, null); t.is(extract.issuer, 'https://sp.example.org/metadata'); @@ -571,7 +1052,7 @@ test('sp sends a post logout response without signature and parse', async t => { }); test('sp sends a post logout response with signature and parse', async t => { - const { relayState, type, entityEndpoint, id, context: SAMLResponse } = sp.createLogoutResponse(idpWantLogoutResSign, sampleRequestInfo, 'post', '', createTemplateCallback(idpWantLogoutResSign, sp, {})) as PostBindingContext; + const { relayState, type, entityEndpoint, id, context: SAMLResponse } = sp.createLogoutResponse(idpWantLogoutResSign, sampleRequestInfo, 'post', '', createTemplateCallback(idpWantLogoutResSign, sp, binding.post, {})) as PostBindingContext; const { samlContent, extract } = await idpWantLogoutResSign.parseLogoutResponse(sp, 'post', { body: { SAMLResponse }}); t.is(typeof extract.signature, 'string'); t.is(extract.issuer, 'https://sp.example.org/metadata'); @@ -581,7 +1062,7 @@ test('sp sends a post logout response with signature and parse', async t => { test('send login response with encrypted non-signed assertion with EncryptThenSign and parse it', async t => { const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpEncryptThenSign.createLoginResponse(spNoAssertSignCustomConfig, sampleRequestInfo, 'post', user, createTemplateCallback(idpEncryptThenSign, spNoAssertSignCustomConfig, user), true); + const { id, context: SAMLResponse } = await idpEncryptThenSign.createLoginResponse(spNoAssertSignCustomConfig, sampleRequestInfo, 'post', user, createTemplateCallback(idpEncryptThenSign, spNoAssertSignCustomConfig, binding.post, user), true); const { samlContent, extract } = await spNoAssertSignCustomConfig.parseLoginResponse(idpEncryptThenSign, 'post', { body: { SAMLResponse } }); t.is(typeof id, 'string'); t.is(samlContent.startsWith(' { const idpCustomizePfx = identityProvider(Object.assign(defaultIdpConfig, { tagPrefix: { encryptedAssertion: 'saml2', }})); - const { id, context: SAMLResponse } = await idpCustomizePfx.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpCustomizePfx, sp, user)); + const { id, context: SAMLResponse } = await idpCustomizePfx.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpCustomizePfx, sp, binding.post, user)); t.is((utility.base64Decode(SAMLResponse) as string).includes('saml2:EncryptedAssertion'), true); const { samlContent, extract } = await sp.parseLoginResponse(idpCustomizePfx, 'post', { body: { SAMLResponse } }); }); test('Customize prefix (default is saml) for encrypted assertion tag', async t => { const user = { email: 'test@email.com' }; - const { id, context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, user)); + const { id, context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, binding.post, user)); t.is((utility.base64Decode(SAMLResponse) as string).includes('saml:EncryptedAssertion'), true); const { samlContent, extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); }); @@ -609,7 +1090,7 @@ test('Customize prefix (default is saml) for encrypted assertion tag', async t = test('avoid malformatted response', async t => { // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) const user = { email: 'user@email.com' }; - const { context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, user)); + const { context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, binding.post, user)); const rawResponse = String(utility.base64Decode(SAMLResponse, true)); const attackResponse = `evil@evil.com${rawResponse}`; try { @@ -620,10 +1101,46 @@ test('avoid malformatted response', async t => { } }); +test('avoid malformatted response with redirect binding', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const user = { email: 'user@email.com' }; + const { id, context } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'redirect', user, createTemplateCallback(idpNoEncrypt, sp, binding.redirect, user), undefined, ''); + const originalURL = url.parse(context, true); + const SAMLResponse = originalURL.query.SAMLResponse; + const signature = originalURL.query.Signature; + const sigAlg = originalURL.query.SigAlg; + delete originalURL.query.Signature; + + const rawResponse = utility.inflateString(SAMLResponse as string); + const attackResponse = `evil@evil.com${rawResponse}`; + const octetString = "SAMLResponse=" + encodeURIComponent(utility.base64Encode(utility.deflateString(attackResponse))) + "&SigAlg=" + encodeURIComponent(sigAlg as string); + try { + await sp.parseLoginResponse(idpNoEncrypt, 'redirect', { query :{ SAMLResponse, SigAlg: sigAlg, Signature: signature}, octetString }); + } catch (e) { + // it must throw an error + t.is(true, true); + } +}); + +test('avoid malformatted response with simplesign binding', async t => { + // sender (caution: only use metadata and public key when declare pair-up in oppoent entity) + const user = { email: 'user@email.com' }; + const { context: SAMLResponse, type, sigAlg, signature, relayState } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'simpleSign', user, createTemplateCallback(idpNoEncrypt, sp, binding.simpleSign, user), undefined, 'relaystate'); + const rawResponse = String(utility.base64Decode(SAMLResponse, true)); + const attackResponse = `evil@evil.com${rawResponse}`; + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + try { + await sp.parseLoginResponse(idpNoEncrypt, 'simpleSign', { body: { SAMLResponse: utility.base64Encode(attackResponse), Signature: signature, SigAlg:sigAlg }, octetString }); + } catch (e) { + // it must throw an error + t.is(true, true); + } +}); + test('should reject signature wrapped response - case 1', async t => { - // + // const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, binding.post, user)); //Decode const buffer = Buffer.from(SAMLResponse, 'base64'); const xml = buffer.toString(); @@ -645,9 +1162,9 @@ test('should reject signature wrapped response - case 1', async t => { }); test('should reject signature wrapped response - case 2', async t => { - // + // const user = { email: 'user@esaml2.com' }; - const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, user)); + const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, sp, binding.post, user)); //Decode const buffer = Buffer.from(SAMLResponse, 'base64'); const xml = buffer.toString(); @@ -676,6 +1193,26 @@ test('should throw two-tiers code error when the response does not return succes } }); +test('should throw two-tiers code error when the response by redirect does not return success status', async t => { + try { + const SAMLResponse = utility.base64Encode(utility.deflateString(failedResponse)); + const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; + const encodedSigAlg = encodeURIComponent(sigAlg); + const octetString = "SAMLResponse=" + encodeURIComponent(SAMLResponse) + "&SigAlg=" + encodedSigAlg; + const _result = await sp.parseLoginResponse(idpNoEncrypt, 'redirect',{ query :{ SAMLResponse, SigAlg: encodedSigAlg} , octetString} ); + } catch (e) { + t.is(e.message, 'ERR_FAILED_STATUS with top tier code: urn:oasis:names:tc:SAML:2.0:status:Requester, second tier code: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'); + } +}); + +test('should throw two-tiers code error when the response over simpleSign does not return success status', async t => { + try { + const _result = await sp.parseLoginResponse(idpNoEncrypt, 'simpleSign', { body: { SAMLResponse: utility.base64Encode(failedResponse) } }); + } catch (e) { + t.is(e.message, 'ERR_FAILED_STATUS with top tier code: urn:oasis:names:tc:SAML:2.0:status:Requester, second tier code: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'); + } +}); + test.serial('should throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response without clock drift setup', async t => { const now = new Date(); @@ -686,7 +1223,7 @@ test.serial('should throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response const user = { email: 'user@esaml2.com' }; try { - const { context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, user)); + const { context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'post', user, createTemplateCallback(idp, sp, binding.post, user)); // simulate the time on client side when response arrives after 5.1 sec tk.freeze(fiveMinutesOneSecLater); await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); @@ -699,16 +1236,59 @@ test.serial('should throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response } }); -test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response with clock drift setup', async t => { +test.serial('should throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response by redirect without clock drift setup', async t => { const now = new Date(); const fiveMinutesOneSecLater = new Date(now.getTime()); fiveMinutesOneSecLater.setMinutes(fiveMinutesOneSecLater.getMinutes() + 5); fiveMinutesOneSecLater.setSeconds(fiveMinutesOneSecLater.getSeconds() + 1); + + const user = { email: 'user@esaml2.com' }; + + try { + const { context: SAMLResponse } = await idp.createLoginResponse(sp, sampleRequestInfo, 'redirect', user, createTemplateCallback(idp, sp, binding.redirect, user), undefined, 'relaystate'); + // simulate the time on client side when response arrives after 5.1 sec + tk.freeze(fiveMinutesOneSecLater); + await sp.parseLoginResponse(idp, 'redirect', parseRedirectUrlContextCallBack(SAMLResponse)); + // test failed, it shouldn't happen + t.is(true, false); + } catch (e) { + t.is(e, 'ERR_SUBJECT_UNCONFIRMED'); + } finally { + tk.reset(); + } +}); + +test.serial('should throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response by simpleSign without clock drift setup', async t => { + + const now = new Date(); + const fiveMinutesOneSecLater = new Date(now.getTime() + 301_000); + const user = { email: 'user@esaml2.com' }; try { - const { context: SAMLResponse } = await idp.createLoginResponse(spWithClockDrift, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spWithClockDrift, user)); + const { context: SAMLResponse, type, sigAlg, signature, relayState } = await idp.createLoginResponse(sp, sampleRequestInfo, 'simpleSign', user, createTemplateCallback(idp, sp, binding.simpleSign, user), undefined, 'relaystate'); + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + // simulate the time on client side when response arrives after 5.1 sec + tk.freeze(fiveMinutesOneSecLater); + await sp.parseLoginResponse(idp, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + // test failed, it shouldn't happen + t.is(true, false); + } catch (e) { + t.is(e, 'ERR_SUBJECT_UNCONFIRMED'); + } finally { + tk.reset(); + } +}); + +test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response with clock drift setup', async t => { + + const now = new Date(); + const fiveMinutesOneSecLater = new Date(now.getTime() + 301_000); + const user = { email: 'user@esaml2.com' }; + + try { + const { context: SAMLResponse } = await idp.createLoginResponse(spWithClockDrift, sampleRequestInfo, 'post', user, createTemplateCallback(idp, spWithClockDrift, binding.post, user)); // simulate the time on client side when response arrives after 5.1 sec tk.freeze(fiveMinutesOneSecLater); await spWithClockDrift.parseLoginResponse(idp, 'post', { body: { SAMLResponse } }); @@ -720,4 +1300,47 @@ test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML respo tk.reset(); } -}); \ No newline at end of file +}); + +test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response by redirect with clock drift setup', async t => { + + const now = new Date(); + const fiveMinutesOneSecLater = new Date(now.getTime() + 301_000); + const user = { email: 'user@esaml2.com' }; + + try { + const { context: SAMLResponse } = await idp.createLoginResponse(spWithClockDrift, sampleRequestInfo, 'redirect', user, createTemplateCallback(idp, spWithClockDrift, binding.redirect, user), undefined, ''); + // simulate the time on client side when response arrives after 5.1 sec + tk.freeze(fiveMinutesOneSecLater); + await spWithClockDrift.parseLoginResponse(idp, 'redirect', parseRedirectUrlContextCallBack(SAMLResponse)); + t.is(true, true); + } catch (e) { + // test failed, it shouldn't happen + t.is(e, false); + } finally { + tk.reset(); + } + +}); + +test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML response by simpleSign with clock drift setup', async t => { + + const now = new Date(); + const fiveMinutesOneSecLater = new Date(now.getTime() + 301_000); + const user = { email: 'user@esaml2.com' }; + + try { + const { context: SAMLResponse, type, signature, sigAlg, relayState } = await idp.createLoginResponse(spWithClockDrift, sampleRequestInfo, 'simpleSign', user, createTemplateCallback(idp, spWithClockDrift, binding.simpleSign, user), undefined, 'relaystate'); + const octetString = buildSimpleSignOctetString(type, SAMLResponse, sigAlg, relayState, signature); + // simulate the time on client side when response arrives after 5.1 sec + tk.freeze(fiveMinutesOneSecLater); + await spWithClockDrift.parseLoginResponse(idp, 'simpleSign', { body: { SAMLResponse, Signature: signature, SigAlg:sigAlg }, octetString }); + t.is(true, true); + } catch (e) { + // test failed, it shouldn't happen + t.is(e, false); + } finally { + tk.reset(); + } + +}); diff --git a/test/misc/idpmeta.xml b/test/misc/idpmeta.xml index e81c9889..af371416 100644 --- a/test/misc/idpmeta.xml +++ b/test/misc/idpmeta.xml @@ -28,6 +28,7 @@ urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + diff --git a/test/misc/idpmeta_nosign.xml b/test/misc/idpmeta_nosign.xml index a30a4284..457d8b1f 100644 --- a/test/misc/idpmeta_nosign.xml +++ b/test/misc/idpmeta_nosign.xml @@ -21,6 +21,7 @@ urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + diff --git a/test/misc/idpmeta_onelogoutservice.xml b/test/misc/idpmeta_onelogoutservice.xml index c6d3af95..8b9c18cd 100644 --- a/test/misc/idpmeta_onelogoutservice.xml +++ b/test/misc/idpmeta_onelogoutservice.xml @@ -28,6 +28,7 @@ urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + diff --git a/test/misc/idpmeta_share_cert.xml b/test/misc/idpmeta_share_cert.xml index 33b0d5b3..74a466c2 100644 --- a/test/misc/idpmeta_share_cert.xml +++ b/test/misc/idpmeta_share_cert.xml @@ -21,6 +21,7 @@ urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + diff --git a/test/misc/spmeta.xml b/test/misc/spmeta.xml index 81068842..13e7c6fc 100644 --- a/test/misc/spmeta.xml +++ b/test/misc/spmeta.xml @@ -23,5 +23,7 @@ + + diff --git a/test/misc/spmeta_noassertsign.xml b/test/misc/spmeta_noassertsign.xml index 984917ed..e917b87a 100644 --- a/test/misc/spmeta_noassertsign.xml +++ b/test/misc/spmeta_noassertsign.xml @@ -25,8 +25,14 @@ - + + + diff --git a/test/misc/spmeta_noauthnsign.xml b/test/misc/spmeta_noauthnsign.xml index 0fc8d2c6..44f88afd 100644 --- a/test/misc/spmeta_noauthnsign.xml +++ b/test/misc/spmeta_noauthnsign.xml @@ -18,8 +18,14 @@ - + + +