Skip to main content
Module

x/samlify/src/binding-post.ts

πŸ” Node.js API for Single Sign On (SAML 2.0)
tngan/samlify
Go to Latest
File
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338
/*** @file binding-post.ts* @author tngan* @desc Binding-level API, declare the functions using POST binding*/
import { wording, namespace, StatusCode } from './urn';import { BindingContext } from './entity';import libsaml from './libsaml';import utility, { get } from './utility';import { LogoutResponseTemplate } from './libsaml';
const binding = wording.binding;
/*** @desc Generate a base64 encoded login request* @param  {string} referenceTagXPath           reference uri* @param  {object} entity                      object includes both idp and sp* @param  {function} customTagReplacement     used when developers have their own login response template*/function base64LoginRequest(referenceTagXPath: string, entity: any, customTagReplacement?: (template: string) => BindingContext): BindingContext {  const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };  const spSetting = entity.sp.entitySetting;  let id: string = '';
  if (metadata && metadata.idp && metadata.sp) {    const base = metadata.idp.getSingleSignOnService(binding.post);    let rawSamlRequest: string;    if (spSetting.loginRequestTemplate && customTagReplacement) {      const info = customTagReplacement(spSetting.loginRequestTemplate.context);      id = get(info, 'id', null);      rawSamlRequest = get(info, 'context', null);    } else {      const nameIDFormat = spSetting.nameIDFormat;      const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;      id = spSetting.generateID();      rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {        ID: id,        Destination: base,        Issuer: metadata.sp.getEntityID(),        IssueInstant: new Date().toISOString(),        AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),        EntityID: metadata.sp.getEntityID(),        AllowCreate: spSetting.allowCreate,        NameIDFormat: selectedNameIDFormat      } as any);    }    if (metadata.idp.isWantAuthnRequestsSigned()) {      const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;      return {        id,        context: libsaml.constructSAMLSignature({          referenceTagXPath,          privateKey,          privateKeyPass,          signatureAlgorithm,          transformationAlgorithms,          rawSamlMessage: rawSamlRequest,          signingCert: metadata.sp.getX509Certificate('signing'),          signatureConfig: spSetting.signatureConfig || {            prefix: 'ds',            location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },          }        }),      };    }    // No need to embeded XML signature    return {      id,      context: utility.base64Encode(rawSamlRequest),    };  }  throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');}/*** @desc Generate a base64 encoded login response* @param  {object} requestInfo                 corresponding request, used to obtain the id* @param  {object} entity                      object includes both idp and sp* @param  {object} user                        current logged user (e.g. req.user)* @param  {function} customTagReplacement     used when developers have their own login response template* @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt*/async function base64LoginResponse(requestInfo: any = {}, entity: any, user: any = {}, customTagReplacement?: (template: string) => BindingContext, encryptThenSign: boolean = false): Promise<BindingContext> {  const idpSetting = entity.idp.entitySetting;  const spSetting = entity.sp.entitySetting;  const id = idpSetting.generateID();  const metadata = {    idp: entity.idp.entityMeta,    sp: entity.sp.entityMeta,  };  const nameIDFormat = idpSetting.nameIDFormat;  const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;  if (metadata && metadata.idp && metadata.sp) {    const base = metadata.sp.getAssertionConsumerService(binding.post);    let rawSamlResponse: string;    const nowTime = new Date();    const spEntityID = metadata.sp.getEntityID();    const fiveMinutesLaterTime = new Date(nowTime.getTime());    fiveMinutesLaterTime.setMinutes(fiveMinutesLaterTime.getMinutes() + 5);    const fiveMinutesLater = fiveMinutesLaterTime.toISOString();    const now = nowTime.toISOString();    const acl = metadata.sp.getAssertionConsumerService(binding.post);    const tvalue: any = {      ID: id,      AssertionID: idpSetting.generateID(),      Destination: base,      Audience: spEntityID,      EntityID: spEntityID,      SubjectRecipient: acl,      Issuer: metadata.idp.getEntityID(),      IssueInstant: now,      AssertionConsumerServiceURL: acl,      StatusCode: StatusCode.Success,      // can be customized      ConditionsNotBefore: now,      ConditionsNotOnOrAfter: fiveMinutesLater,      SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater,      NameIDFormat: selectedNameIDFormat,      NameID: user.email || '',      InResponseTo: get(requestInfo, 'extract.request.id', ''),      AuthnStatement: '',      AttributeStatement: '',    };    if (idpSetting.loginResponseTemplate && customTagReplacement) {      const template = customTagReplacement(idpSetting.loginResponseTemplate.context);      rawSamlResponse = get(template, 'context', null);    } else {      if (requestInfo !== null) {        tvalue.InResponseTo = requestInfo.extract.request.id;      }      rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);    }    const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;    const config = {      privateKey,      privateKeyPass,      signatureAlgorithm,      signingCert: metadata.idp.getX509Certificate('signing'),      isBase64Output: false,    };    // step: sign assertion ? -> encrypted ? -> sign message ?    if (metadata.sp.isWantAssertionsSigned()) {      // console.debug('sp wants assertion signed');      rawSamlResponse = libsaml.constructSAMLSignature({        ...config,        rawSamlMessage: rawSamlResponse,        transformationAlgorithms: spSetting.transformationAlgorithms,        referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",         signatureConfig: {          prefix: 'ds',          location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },        },      });    }
    // console.debug('after assertion signed', rawSamlResponse);
    // SAML response must be signed sign message first, then encrypt    if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {      // console.debug('sign then encrypt and sign entire message');      rawSamlResponse = libsaml.constructSAMLSignature({        ...config,        rawSamlMessage: rawSamlResponse,        isMessageSigned: true,        transformationAlgorithms: spSetting.transformationAlgorithms,        signatureConfig: spSetting.signatureConfig || {          prefix: 'ds',          location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },        },      });    }
    // console.debug('after message signed', rawSamlResponse);
    if (idpSetting.isAssertionEncrypted) {      // console.debug('idp is configured to do encryption');      const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);      if (encryptThenSign) {        //need to decode it        rawSamlResponse = utility.base64Decode(context) as string;      } else {        return Promise.resolve({ id, context });      }    }
    //sign after encrypting    if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {      rawSamlResponse = libsaml.constructSAMLSignature({        ...config,        rawSamlMessage: rawSamlResponse,        isMessageSigned: true,        transformationAlgorithms: spSetting.transformationAlgorithms,        signatureConfig: spSetting.signatureConfig || {          prefix: 'ds',          location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },        },      });    }
    return Promise.resolve({      id,      context: utility.base64Encode(rawSamlResponse),    });
  }  throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');}/*** @desc Generate a base64 encoded logout request* @param  {object} user                         current logged user (e.g. req.user)* @param  {string} referenceTagXPath            reference uri* @param  {object} entity                       object includes both idp and sp* @param  {function} customTagReplacement      used when developers have their own login response template* @return {string} base64 encoded request*/function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement?: (template: string) => BindingContext): BindingContext {  const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };  const initSetting = entity.init.entitySetting;  const nameIDFormat = initSetting.nameIDFormat;  const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;  let id: string = '';  if (metadata && metadata.init && metadata.target) {    let rawSamlRequest: string;    if (initSetting.logoutRequestTemplate && customTagReplacement) {      const template = customTagReplacement(initSetting.logoutRequestTemplate.context);      id = get(template, 'id', null);      rawSamlRequest = get(template, 'context', null);    } else {      id = initSetting.generateID();      const tvalue: any = {        ID: id,        Destination: metadata.target.getSingleLogoutService(binding.post),        Issuer: metadata.init.getEntityID(),        IssueInstant: new Date().toISOString(),        EntityID: metadata.init.getEntityID(),        NameIDFormat: selectedNameIDFormat,        NameID: user.logoutNameID,      };      rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLogoutRequestTemplate.context, tvalue);    }    if (entity.target.entitySetting.wantLogoutRequestSigned) {      // Need to embeded XML signature      const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms  } = initSetting;      return {        id,        context: libsaml.constructSAMLSignature({          referenceTagXPath,          privateKey,          privateKeyPass,          signatureAlgorithm,          transformationAlgorithms,          rawSamlMessage: rawSamlRequest,          signingCert: metadata.init.getX509Certificate('signing'),          signatureConfig: initSetting.signatureConfig || {            prefix: 'ds',            location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },          }        }),      };    }    return {      id,      context: utility.base64Encode(rawSamlRequest),    };  }  throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');}/*** @desc Generate a base64 encoded logout response* @param  {object} requestInfo                 corresponding request, used to obtain the id* @param  {string} referenceTagXPath           reference uri* @param  {object} entity                      object includes both idp and sp* @param  {function} customTagReplacement     used when developers have their own login response template*/function base64LogoutResponse(requestInfo: any, entity: any, customTagReplacement: (template: string) => BindingContext): BindingContext {  const metadata = {    init: entity.init.entityMeta,    target: entity.target.entityMeta,  };  let id: string = '';  const initSetting = entity.init.entitySetting;  if (metadata && metadata.init && metadata.target) {    let rawSamlResponse;    if (initSetting.logoutResponseTemplate) {      const template = customTagReplacement(initSetting.logoutResponseTemplate.context);      id = template.id;      rawSamlResponse = template.context;    } else {      id = initSetting.generateID();      const tvalue: any = {        ID: id,        Destination: metadata.target.getSingleLogoutService(binding.post),        EntityID: metadata.init.getEntityID(),        Issuer: metadata.init.getEntityID(),        IssueInstant: new Date().toISOString(),        StatusCode: StatusCode.Success,        InResponseTo: get(requestInfo, 'extract.request.id', null)      };      rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLogoutResponseTemplate.context, tvalue);    }    if (entity.target.entitySetting.wantLogoutResponseSigned) {      const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;      return {        id,        context: libsaml.constructSAMLSignature({          isMessageSigned: true,          transformationAlgorithms: transformationAlgorithms,          privateKey,          privateKeyPass,          signatureAlgorithm,          rawSamlMessage: rawSamlResponse,          signingCert: metadata.init.getX509Certificate('signing'),          signatureConfig: {            prefix: 'ds',            location: {              reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",              action: 'after'            }          }         }),      };    }    return {      id,      context: utility.base64Encode(rawSamlResponse),    };  }  throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');}
const postBinding = {  base64LoginRequest,  base64LoginResponse,  base64LogoutRequest,  base64LogoutResponse,};
export default postBinding;