/src/entity-idp.ts | samlify@v2.8.5

🔐 Node.js API for Single Sign On (SAML 2.0)
File
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146
/*** @file entity-idp.ts* @author tngan* @desc  Declares the actions taken by identity provider*/import Entity, { ESamlHttpRequest } from './entity';import {  ServiceProviderConstructor as ServiceProvider,  ServiceProviderMetadata,  IdentityProviderMetadata,  IdentityProviderSettings,} from './types';import libsaml from './libsaml';import { namespace } from './urn';import postBinding from './binding-post';import redirectBinding from './binding-redirect';import simpleSignBinding from './binding-simplesign';import { flow, FlowResult } from './flow';import { isString } from './utility';import { BindingContext } from './entity';
/** * Identity prvider can be configured using either metadata importing or idpSetting */export default function(props: IdentityProviderSettings) {  return new IdentityProvider(props);}
/** * Identity prvider can be configured using either metadata importing or idpSetting */export class IdentityProvider extends Entity {
  entityMeta: IdentityProviderMetadata;
  constructor(idpSetting: IdentityProviderSettings) {    const defaultIdpEntitySetting = {      wantAuthnRequestsSigned: false,      tagPrefix: {        encryptedAssertion: 'saml',      },    };    const entitySetting = Object.assign(defaultIdpEntitySetting, idpSetting);    // build attribute part    if (idpSetting.loginResponseTemplate) {      if (isString(idpSetting.loginResponseTemplate.context) && Array.isArray(idpSetting.loginResponseTemplate.attributes)) {        let attributeStatementTemplate;        let attributeTemplate;        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate) {          attributeStatementTemplate = libsaml.defaultAttributeStatementTemplate;        } else {          attributeStatementTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeStatementTemplate!;        }        if (!idpSetting.loginResponseTemplate.additionalTemplates || !idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate) {          attributeTemplate = libsaml.defaultAttributeTemplate;        } else {          attributeTemplate = idpSetting.loginResponseTemplate.additionalTemplates!.attributeTemplate!;        }        const replacement = {          AttributeStatement: libsaml.attributeStatementBuilder(idpSetting.loginResponseTemplate.attributes, attributeTemplate, attributeStatementTemplate),        };        entitySetting.loginResponseTemplate = {          ...entitySetting.loginResponseTemplate,          context: libsaml.replaceTagsByValue(entitySetting.loginResponseTemplate!.context, replacement),        };      } else {        console.warn('Invalid login response template');      }    }    super(entitySetting, 'idp');  }
  /**  * @desc  Generates the login response for developers to design their own method  * @param  sp                        object of service provider  * @param  requestInfo               corresponding request, used to obtain the id  * @param  binding                   protocol binding  * @param  user                      current logged user (e.g. req.user)  * @param  customTagReplacement      used when developers have their own login response template  * @param  encryptThenSign           whether or not to encrypt then sign first (if signing)  * @param  relayState             the relayState from corresponding request  */  public async createLoginResponse(    sp: ServiceProvider,    requestInfo: { [key: string]: any },    binding: string,    user: { [key: string]: any },    customTagReplacement?: (template: string) => BindingContext,    encryptThenSign?: boolean,    relayState?: string,  ) {    const protocol = namespace.binding[binding];    // can support post, redirect and post simple sign bindings for login response    let context: any = null;    switch (protocol) {      case namespace.binding.post:        context = await postBinding.base64LoginResponse(requestInfo, {          idp: this,          sp,        }, user, customTagReplacement, encryptThenSign);        break;
      case namespace.binding.simpleSign:        context = await simpleSignBinding.base64LoginResponse( requestInfo, {          idp: this, sp,        }, user, relayState, customTagReplacement);        break;
      case namespace.binding.redirect:        return redirectBinding.loginResponseRedirectURL(requestInfo, {          idp: this,          sp,        }, user, relayState, customTagReplacement);
      default:        throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');    }
    return {      ...context,      relayState,      entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding) as string,      type: 'SAMLResponse'    };  }
  /**   * Validation of the parsed URL parameters   * @param sp ServiceProvider instance   * @param binding Protocol binding   * @param req RequesmessageSigningOrderst   */  parseLoginRequest(sp: ServiceProvider, binding: string, req: ESamlHttpRequest) {    const self = this;    return flow({      from: sp,      self: self,      checkSignature: self.entityMeta.isWantAuthnRequestsSigned(),      parserType: 'SAMLRequest',      type: 'login',      binding: binding,      request: req    });  }}